Infected with Necurs rootkit and Cryptowall 3.0


  • This topic is locked
18 replies to this topic

#1 loveleeyoungae

Posted 29 January 2015 - 08:52 PM

Hi,

 

Sorry for my long post, but I hope the more details I list, the more you know about the situation to offer the best solution :)

 

Last week, I got some strange popups. So, I don't know why, but I chose to run TDSSKiller first. The tool asked me to reboot to install its special drivers if I wanted to do a deeper scan. After reboot, Windows popped out some error messages about "registering server proc32...". TDSSKiller notified me about a new version before running the scan. So I downloaded the new one, which still asked me to reboot again to install its special drivers. After this second reboot, Windows started and responded very slowly; the mouse took ages to move. But as I saw that TDSSKiller was open and ready to run, I still patiently waited and tried to move the mouse to click "Start Scan". After a quick scan, TDSSKiller listed a threat (sorry, I didn't notice the name at that time). I chose to "Delete" it and reboot to finish the clean. After this third reboot, I realized some files were encrypted, so I knew there was something malicious running, and I decided to shut down the PC immediately by unplugging the electric cord.

 

After attaching the hdd to another PC and doing a quick search on Google, I realized that I had been infected with Cryptowall 3.0, which was recently released on 13 Jan. And you may not like it, but I decided to pay the ransom to get the decrypter tool. The decrypter could run on another OS and I got the files I need back.

 

However, I still want to get back to my OS with all my setup, and also to do some kind of "complete decryption".

- At first, I just deleted the virus folder (random string name) on the root/OS partition and unplugged the Ethernet cable. My infected-Windows7 didn't let me in but always ran its "Startup Repair" wizard instead. I managed to disable the automatic wizard by disabling it via BCDedit. So, the infected OS booted up, I ran the decrypter tool to let it decrypt the whole system.

- Next, I manually found some virus folders in AppData and deleted them. I installed Malwarebytes, but the database is old and I haven't managed to find a way to update it manually, so Malwarebytes hasn't noticed anything. I ran TDSSKiller again, it detected the "Necurs", and I chose to "Delete" it. After that, Windows got into a reboot loop.

- I attached the hdd to the non-infected PC, and I realized that I couldn't access the root/OS partition. It turned out that the partition was set to deny the access (even on another OS?). So I just used the Take Ownership tool to get back the full control on the partition.

- I ran RogueKiller on the non-infected PC, and it managed to find out and delete some things related to Necurs.

- After attaching the hdd back to the infected PC, Windows successfully booted up. I ran RogueKiller again; it listed many things and gave a link about "kernel filter rootkit". (Please note that the infected PC was still disconnected from the network. I read the link on another system.)

- Reading about the "kernel filter rootkit" on the RogueKiller site, I was worried about a BSOD error, so I thought I had to stop trying to remove the nasty things myself and I should ask for advice from professionals instead. That's why I'm posting here :)

- But a final note: Unfortunately, I still mistakenly pressed the "Delete" button on RogueKiller. Hence, I still left the PC running.

 

So, sorry again for my long post. And hope that you don't mind my "trying to be smart" and could help me get my PC back :) Thanks.

 

=========================

Here are the logs

==========================

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by VRJ (administrator) on VRJ-PC on 29-01-2015 20:04:11
Running from D:\VRJ\Desktop
Loaded Profiles: VRJ (Available profiles: VRJ)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Liebert Corporation) C:\MultiLink\bin\LiebertM.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(Bkav Corporation) C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\TokenManagerAgent.exe
() C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
() D:\VRJ\Downloads\Unikey64\UniKeyNT.exe
(Bkav Corporation) C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\BkavCATokenManager.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
() D:\VRJ\Desktop\RogueKillerX64.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-04-24] (IDT, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Bonus.SSR.FR11] => C:\Program Files (x86)\ABBYY FineReader 11\Bonus.ScreenshotReader.exe [933640 2012-01-19] (ABBYY.)
HKLM-x32\...\Run: [vmware-tray] => C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe [112856 2014-10-29] (VMware, Inc.)
HKLM-x32\...\Run: [vmware-tray.exe] => C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe [112856 2014-10-29] (VMware, Inc.)
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin <====== ATTENTION
HKLM Group Policy restriction on software: %systemdrive%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles(x86)%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: lsassw86s.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: lsassvrtdbks.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: bcdedit.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Appdata\Roaming\Microsoft\Windows\IEUpdate\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Run: [UniKey] => D:\VRJ\Downloads\Unikey64\UniKeyNT.exe [316928 2009-11-02] ()
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Run: [BkavCA Token Manager] => C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\BkavCATokenManager.exe [2225152 2014-12-09] (Bkav Corporation)
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Run: [cf7746] => C:\cf77466\cf77466.exe [275456 2015-01-28] (JetBrains s.r.o.)
ShellIconOverlayIdentifiers: [HardLinkMenu] -> {0A479751-02BC-11d3-A855-0004AC2568AA} => C:\Program Files\LinkShellExtension\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers: [IconOverlayHardLink] -> {0A479751-02BC-11d3-A855-0004AC2568DD} => C:\Program Files\LinkShellExtension\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers: [IconOverlaySymbolicLink] -> {0A479751-02BC-11d3-A855-0004AC2568EE} => C:\Program Files\LinkShellExtension\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll (Tonec Inc.)
ShellIconOverlayIdentifiers-x32: [HardLinkMenu] -> {0A479751-02BC-11d3-A855-0004AC2568AA} => C:\Program Files\LinkShellExtension\32\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers-x32: [IconOverlayHardLink] -> {0A479751-02BC-11d3-A855-0004AC2568DD} => C:\Program Files\LinkShellExtension\32\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers-x32: [IconOverlaySymbolicLink] -> {0A479751-02BC-11d3-A855-0004AC2568EE} => C:\Program Files\LinkShellExtension\32\HardlinkShellExt.dll (Hermann Schinagl)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2894121479-214908594-1536770163-1000 -> DefaultScope {9E867C61-EA5B-40B7-AE04-FDA45E0E11E4} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2894121479-214908594-1536770163-1000 -> {9E867C61-EA5B-40B7-AE04-FDA45E0E11E4} URL = https://www.google.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
 
FireFox:
========
FF ProfilePath: C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_45 -> C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_45 -> C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll (Nitro PDF)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\5giay.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\baambootratuav.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\creativecommons.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\muare.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\zing-mp3.xml
FF Extension: HTML filter - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{E0B509E9-86D3-844B-6418-712DFEF88F3C} [2014-12-20]
FF Extension: leethax.net extension - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\leethax@leethax.net.xpi [2013-06-20]
FF Extension: Session Manager - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2014-01-15]
FF Extension: Mozilla Archive Format - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}.xpi [2013-05-30]
FF Extension: Tab Mix Plus - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2013-06-17]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} [2014-08-12]
FF HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\VRJ\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\VRJ\AppData\Roaming\IDM\idmmzcc5 [2013-05-29]
FF HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\VRJ\AppData\Roaming\IDM\idmmzcc5
 
Chrome: 
=======
CHR Profile: C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Awesome Screenshot: Capture & Annotate) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\alelhddbbhepgpmgidjdcjakblofbmce [2013-05-29]
CHR Extension: (Google Docs) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-04-18]
CHR Extension: (Google Drive) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-04-18]
CHR Extension: (YouTube) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-18]
CHR Extension: (Adblock Plus) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-05-29]
CHR Extension: (Google Search) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-18]
CHR Extension: (IDM Integration) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm [2013-05-29]
CHR Extension: (Google Wallet) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-28]
CHR Extension: (Gmail) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-18]
CHR HKLM-x32\...\Chrome\Extension: [jmolcgpienlcieaajfkkdamlngancncm] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2013-05-27]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 LiebertM; C:\MultiLink\bin\LiebertM.exe [93696 2013-01-24] (Liebert Corporation) [File not signed]
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-03-25] (Nitro PDF Software)
R2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [14407384 2014-10-29] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
U0 88060968; C:\Windows\System32\drivers\13446387.sys [248728 2015-01-29] (Kaspersky Lab, Yury Parshin)
R1 ISODrive; C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [115448 2013-11-21] (EZB Systems, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-01-29] ()
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-02] ()
R0 vsock; C:\Windows\System32\drivers\vsock.sys [73296 2013-10-08] (VMware, Inc.)
R2 vstor2-mntapi20-shared; C:\Windows\SysWow64\drivers\vstor2-mntapi20-shared.sys [33872 2013-02-22] (VMware, Inc.)
S3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64.sys [14464 2008-05-06] (Western Digital Technologies) [File not signed]
S0 36721518; system32\drivers\47399196.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
========================== Drivers MD5 =======================
 
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-29 20:03 - 2015-01-29 20:04 - 00000000 ____D () C:\FRST
2015-01-29 19:36 - 2015-01-29 19:36 - 00053248 _____ () C:\Windows\SysWOW64\zlib.dll
2015-01-29 19:36 - 2015-01-29 19:36 - 00001212 _____ () C:\Users\Public\Desktop\CryptoPrevent.lnk
2015-01-29 19:36 - 2015-01-29 19:36 - 00001212 _____ () C:\ProgramData\Desktop\CryptoPrevent.lnk
2015-01-29 19:36 - 2015-01-29 19:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foolish IT
2015-01-29 19:36 - 2015-01-29 19:36 - 00000000 ____D () C:\ProgramData\Foolish IT
2015-01-29 19:36 - 2015-01-29 19:36 - 00000000 ____D () C:\Program Files (x86)\Foolish IT
2015-01-29 19:16 - 2015-01-29 19:16 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-01-29 19:16 - 2015-01-29 19:16 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-01-29 19:15 - 2015-01-29 19:15 - 00248728 _____ (Kaspersky Lab, Yury Parshin) C:\Windows\system32\Drivers\13446387.sys
2015-01-29 19:06 - 2015-01-29 19:06 - 00275456 _____ (JetBrains s.r.o.) C:\Users\VRJ\AppData\Roaming\cf77466.exe
2015-01-29 15:19 - 2015-01-29 15:22 - 00000000 ____D () C:\AdwCleaner
2015-01-29 07:19 - 2015-01-29 19:12 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-29 07:19 - 2015-01-29 07:19 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-29 07:19 - 2015-01-29 07:19 - 00001102 _____ () C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-29 07:19 - 2015-01-29 07:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-29 07:19 - 2015-01-29 07:19 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-29 07:19 - 2015-01-29 07:19 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-29 07:19 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-29 07:19 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-29 07:19 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-28 18:06 - 2015-01-28 18:06 - 00000000 ___HD () C:\cf77466
2015-01-20 09:57 - 2015-01-29 19:15 - 00000000 ____D () C:\TDSSKiller_Quarantine
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\VRJ\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\VRJ\AppData\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\VRJ\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\VRJ\AppData\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\VRJ\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\VRJ\AppData\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\HELP_DECRYPT.URL
2015-01-20 09:12 - 2015-01-20 09:12 - 00008542 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.HTML
2015-01-20 09:12 - 2015-01-20 09:12 - 00004214 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.TXT
2015-01-20 09:12 - 2015-01-20 09:12 - 00000272 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.URL
2015-01-20 09:11 - 2015-01-20 09:11 - 00008542 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-20 09:11 - 2015-01-20 09:11 - 00004214 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-20 09:11 - 2015-01-20 09:11 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-20 09:10 - 2015-01-26 18:53 - 00000000 ___HD () C:\zzzz
2015-01-20 09:06 - 2015-01-20 09:06 - 00049159 _____ () C:\Users\VRJ\AppData\Roaming\6201c0551d203b.xml
2015-01-20 09:02 - 2015-01-20 10:08 - 00000224 _____ () C:\Users\VRJ\AppData\Roaming\template.css
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-30 08:23 - 2013-04-18 11:14 - 00000000 ____D () C:\Temp
2015-01-29 19:59 - 2013-04-18 09:54 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-29 19:18 - 2009-07-14 12:13 - 00789514 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-29 19:17 - 2009-07-14 11:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-29 19:17 - 2009-07-14 11:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-29 19:12 - 2014-06-17 10:09 - 00003574 _____ () C:\Windows\System32\Tasks\certreg Agent Application
2015-01-29 19:12 - 2013-04-18 09:54 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-29 19:12 - 2013-04-15 16:46 - 00003484 _____ () C:\Windows\System32\Tasks\AutoKMS
2015-01-29 19:11 - 2013-04-26 18:20 - 00000000 ____D () C:\ProgramData\VMware
2015-01-29 19:11 - 2013-04-18 12:11 - 00038237 _____ () C:\Windows\setupact.log
2015-01-29 19:11 - 2013-04-12 20:26 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-29 19:11 - 2009-07-14 12:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-29 17:27 - 2013-04-18 12:11 - 00015460 _____ () C:\Windows\PFRO.log
2015-01-29 15:16 - 2014-12-20 12:28 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Oqkqics
2015-01-28 21:25 - 2013-04-15 16:52 - 00000000 ____D () C:\Vision5
2015-01-28 18:57 - 2013-04-18 11:39 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\TeamViewer
2015-01-28 18:28 - 2014-06-06 21:57 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\FileZilla
2015-01-28 18:28 - 2013-05-29 22:43 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\IDM
2015-01-28 18:19 - 2014-09-12 10:09 - 00000000 ____D () C:\MultiLink
2015-01-20 09:43 - 2013-05-29 22:43 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\DMCache
2015-01-20 09:13 - 2013-04-15 17:04 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\VisionLasata
2015-01-20 09:13 - 2013-04-11 14:04 - 00000000 ____D () C:\Users\VRJ
2015-01-20 09:12 - 2013-04-18 11:24 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Nitro PDF
2015-01-20 09:12 - 2013-04-18 10:32 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Nitro
2015-01-20 09:12 - 2013-04-18 10:32 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\FileOpen
2015-01-20 09:12 - 2013-04-18 10:21 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Adobe
2015-01-20 09:12 - 2013-04-18 10:18 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Notepad++
2015-01-20 09:12 - 2013-04-18 09:52 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Mozilla
2015-01-20 09:12 - 2013-04-18 09:52 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Mozilla
2015-01-20 09:11 - 2013-04-18 10:32 - 00000000 ____D () C:\ProgramData\Nitro
2015-01-20 09:11 - 2013-04-18 09:54 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Google
2015-01-19 15:43 - 2013-05-02 16:26 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\PrimoPDF
2015-01-17 03:00 - 2013-04-18 09:54 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-17 03:00 - 2013-04-18 09:54 - 00002179 _____ () C:\ProgramData\Desktop\Google Chrome.lnk
2015-01-15 20:14 - 2013-04-26 18:23 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\VMware
2015-01-15 20:14 - 2013-04-26 18:23 - 00000000 ____D () C:\Users\VRJ\AppData\Local\VMware
2014-12-31 16:51 - 2013-05-29 21:20 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\uTorrent
 
==================== Files in the root of some directories =======
 
2015-01-20 09:06 - 2015-01-20 09:06 - 0049159 _____ () C:\Users\VRJ\AppData\Roaming\6201c0551d203b.xml
2015-01-29 19:06 - 2015-01-29 19:06 - 0275456 _____ (JetBrains s.r.o.) C:\Users\VRJ\AppData\Roaming\cf77466.exe
2015-01-20 09:13 - 2015-01-20 09:13 - 0008542 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 0045507 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-20 09:13 - 2015-01-20 09:13 - 0004214 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 0000272 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.URL
2015-01-20 09:02 - 2015-01-20 10:08 - 0000224 _____ () C:\Users\VRJ\AppData\Roaming\template.css
2015-01-20 09:12 - 2015-01-20 09:12 - 0008542 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.HTML
2015-01-20 09:12 - 2015-01-20 09:12 - 0045507 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.PNG
2015-01-20 09:12 - 2015-01-20 09:12 - 0004214 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.TXT
2015-01-20 09:12 - 2015-01-20 09:12 - 0000272 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.URL
2014-08-18 18:40 - 2014-08-21 16:07 - 0000600 _____ () C:\Users\VRJ\AppData\Local\PUTTY.RND
2015-01-20 09:11 - 2015-01-20 09:11 - 0008542 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-20 09:11 - 2015-01-20 09:11 - 0045507 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-20 09:11 - 2015-01-20 09:11 - 0004214 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-20 09:11 - 2015-01-20 09:11 - 0000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
 
Some content of TEMP:
====================
C:\Users\VRJ\AppData\Local\Temp\bassmod.dll
C:\Users\VRJ\AppData\Local\Temp\BTM_update.exe
C:\Users\VRJ\AppData\Local\Temp\converter.exe
C:\Users\VRJ\AppData\Local\Temp\dllnt_dump.dll
C:\Users\VRJ\AppData\Local\Temp\FMT_update.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\Quarantine.exe
C:\Users\VRJ\AppData\Local\Temp\sqlite3.dll
C:\Users\VRJ\AppData\Local\Temp\stuprt.exe
C:\Users\VRJ\AppData\Local\Temp\xmlUpdater.exe
C:\Users\VRJ\AppData\Local\Temp\{1DB4128E-7CA8-43E3-9036-A80AAB199CD6}.exe
 
 
Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\vssadmin.exe
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
==================== BCD ================================
This program is blocked by group policy. For more information, contact your system administrator.
 
 
 
LastRegBack: 2015-01-29 03:15
 
==================== End Of Log ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-01-2015
Ran by VRJ at 2015-01-29 20:04:30
Running from D:\VRJ\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKLM-x32\...\uTorrent) (Version: 2.2.1 - BitTorrent Inc.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ABBYY FineReader 11 Corporate Edition (HKLM-x32\...\{F1100000-0010-0000-0000-074957833700}) (Version: 11.0.460 - ABBYY)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\{676E4C31-0CD1-454E-BE3A-70D3AC93F915}) (Version: 11.7.700.169 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.7.700.224 - Adobe Systems Incorporated)
BkavCA Token Manager 2.5.1.7 (HKLM\...\{D802E60A-D432-4489-9483-E86C13E45E31}_is1) (Version: 2.5.1.7 - Bkav Corporation)
BkavCA Token Manager 2.5.2.4 (HKLM-x32\...\{D802E60A-D432-4489-9483-E86C13E45E31}_is1) (Version: 2.5.2.4 - Bkav Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 4.00 - Piriform)
Cheat Engine 6.2 (HKLM-x32\...\Cheat Engine 6.2_is1) (Version:  - Dark Byte)
CryptoPrevent (HKLM-x32\...\{5C5B24E7-4694-4049-A222-CCE7D3FAC63F}_is1) (Version:  - Foolish IT LLC)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - CutePDF.com)
Daum PotPlayer 1.5.36205 (HKLM-x32\...\PotPlayer) (Version:  - )
FileMenu Tools (HKLM\...\FileMenu Tools_is1) (Version: 6.6 - LopeSoft)
FileZilla Client 3.7.1.1 (HKLM-x32\...\FileZilla Client) (Version: 3.7.1.1 - Tim Kosse)
GetDataBack Simple (HKLM-x32\...\{D06B8000-52B4-4D0B-A003-DA83ED982B51}) (Version: 1.00.001 - Runtime Software)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.99 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HTKK (HKLM-x32\...\{0563EB26-9299-4330-8AB9-A44282276390}) (Version: 3.0.0 - TCT)
HTKK (HKLM-x32\...\{C3A9344A-8048-466D-9CD5-A40D1B94FEE0}) (Version: 3.2.0 - TCT)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
Java™ 6 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416045FF}) (Version: 6.0.450 - Oracle)
Java™ 6 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216045FF}) (Version: 6.0.450 - Oracle)
JDownloader 0.9 (HKLM-x32\...\5513-1208-7298-9440) (Version: 0.9 - AppWork GmbH)
Liebert MultiLink (HKLM-x32\...\Liebert MultiLink) (Version: 4.2.4 - Liebert Corporation)
Link Shell Extension (HKLM\...\HardlinkShellExt) (Version: 3.7.4.7 - Hermann Schinagl)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visio 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-0057-0000-0000-0000000FF1CE}_Office14.VISIO_{01D8AE4B-A04D-47E5-81BF-E3F98B81B8C3}) (Version:  - Microsoft)
Microsoft Visio Premium 2010 (HKLM-x32\...\Office14.VISIO) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Mozilla Firefox 31.0 (x86 vi) (HKLM-x32\...\Mozilla Firefox 31.0 (x86 vi)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Nitro Pro 8 (HKLM\...\{47B42E7A-57E9-407B-8DBB-017B86D7B13F}) (Version: 8.5.2.10 - Nitro)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.2.3 - )
NVIDIA 3D Vision Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 311.06 - NVIDIA Corporation)
NVIDIA Graphics Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.06 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
PrimoPDF -- brought to you by Nitro PDF Software (HKLM-x32\...\PrimoPDF) (Version: 5 - Nitro PDF Software)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
TeraCopy 2.3 (HKLM\...\TeraCopy_is1) (Version:  - Code Sector)
UBitMenu UK (HKLM-x32\...\{C8748FFB-1713-4e95-B3DF-4F1622D96F93}_is1) (Version: 01.04 - UBit Schweiz AG)
UltraISO Premium V9.62 (HKLM-x32\...\UltraISO_is1) (Version:  - )
Unlocker 1.9.1-x64 (HKLM\...\Unlocker) (Version: 1.9.1 - Cedrick Collomb)
Visual BCD (HKLM-x32\...\{436D50FF-8FA1-4FDD-A9C9-48B52A990F57}) (Version: 0.9.3.1 - BoYans)
VMware Workstation (HKLM-x32\...\VMware_Workstation) (Version: 10.0.4 - VMware, Inc)
VMware Workstation (Version: 10.0.4 - VMware, Inc.) Hidden
WinRAR 4.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-2894121479-214908594-1536770163-1000_Classes\CLSID\{383A8FE9-9FEE-7A3B-2971-4ED8B3007106}\InprocServer32 -> C:\Windows\system32\ole32.dll (Microsoft Corporation)
 
==================== Restore Points  =========================
 
ATTENTION: System Restore is disabled.
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 09:34 - 2009-06-11 04:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {065621AC-C5FC-4E4C-95FE-21F9E7E3B09C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-03-26] (Piriform Ltd)
Task: {8C887164-16C7-4E8B-9231-FEBA48FCA4F9} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {9FF2E9EF-75F1-4983-A2D8-C19834AEB62A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-04-18] (Google Inc.)
Task: {A036E29D-9BE0-4048-981A-639DD3A6F9D6} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2013-04-15] ()
Task: {A4E77E3B-8439-488E-8D51-57049107E491} - System32\Tasks\certreg Agent Application => cmd.exe /c start "TokenManagerAgent.exe" /d "C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager" "C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\TokenManagerAgent.exe"
Task: {B4283C58-DE66-4DA8-9550-C43475AE36D3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-04-18] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2013-04-12 20:24 - 2013-01-18 22:00 - 00087328 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2013-05-02 16:28 - 2012-10-04 19:49 - 00087152 _____ () C:\Windows\System32\cpwmon64.dll
2013-05-02 16:25 - 2011-03-01 05:37 - 00095008 _____ () C:\Windows\System32\Primomonnt.dll
2014-08-11 21:11 - 2014-09-11 13:06 - 00020240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\TeamViewer_PrintProcessor.dll
2011-03-17 00:07 - 2011-03-17 00:07 - 04297568 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2004-10-01 01:15 - 2004-10-01 01:15 - 00192000 _____ () C:\Program Files\LinkShellExtension\RockallDLL.dll
2013-04-24 19:18 - 2009-11-02 00:43 - 00296960 _____ () D:\VRJ\Downloads\Unikey64\UKHook40.dll
2010-01-02 21:42 - 2010-01-02 21:42 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2010-07-15 11:44 - 2010-07-15 11:44 - 00020032 _____ () C:\Program Files\Unlocker\UnlockerCOM.dll
2013-07-02 07:50 - 2012-01-20 14:55 - 00678400 _____ () C:\Program Files\TeraCopy\TeraCopyExt64.dll
2012-06-18 22:24 - 2012-06-18 22:24 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_05.dll
2014-10-29 14:27 - 2014-10-29 14:27 - 14407384 _____ () C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
2013-04-24 19:18 - 2009-11-02 00:43 - 00316928 _____ () D:\VRJ\Downloads\Unikey64\UniKeyNT.exe
2015-01-29 15:29 - 2015-01-29 15:29 - 18570328 _____ () D:\VRJ\Desktop\RogueKillerX64.exe
2014-10-29 15:01 - 2014-10-29 15:01 - 01261272 _____ () C:\Program Files (x86)\VMware\VMware Workstation\libxml2.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\Windows:nlsPreferences
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\36721518.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\41321832.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\53064853.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\59010049.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\88060968.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\94089475.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\99847260.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\36721518.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\41321832.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\53064853.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\59010049.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\88060968.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\94089475.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\99847260.sys => ""="Driver"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
HKLM\...\.exe: CryptoPreventEXE => "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.CryptoPreventEXEC" /"%1" %* <===== ATTENTION!
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-2894121479-214908594-1536770163-500 - Administrator - Disabled)
Guest (S-1-5-21-2894121479-214908594-1536770163-501 - Limited - Disabled)
UpdatusUser (S-1-5-21-2894121479-214908594-1536770163-1002 - Limited - Enabled)
VRJ (S-1-5-21-2894121479-214908594-1536770163-1000 - Administrator - Enabled) => C:\Users\VRJ
 
==================== Faulty Device Manager Devices =============
 
Name: F:\
Description: Patriot Memory  
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer:         
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation. 
 
Name: Realtek PCIe GBE Family Controller
Description: Realtek PCIe GBE Family Controller
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Realtek
Service: RTL8167
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: U:\
Description: Card  Reader    
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Multiple
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation. 
 
Name: Ralink RT5390R 802.11bgn Wi-Fi Adapter
Description: Ralink RT5390R 802.11bgn Wi-Fi Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Ralink Technology, Corp.
Service: netr28x
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: VRJ-PC)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
 
Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: VRJ-PC)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
 
Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: VRJ-PC)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. 
 
 DETAIL - The process cannot access the file because it is being used by another process.
 
Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights. 
 
 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\UpdatusUser\ntuser.dat
 
Error: (01/29/2015 07:13:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/29/2015 07:12:13 PM) (Source: Liebert MultiLink) (EventID: 1) (User: )
Description: UPS Communication Loss: Occurred on 29-Jan-2015 7:12:13 PM at device "[192.168.157.1]VRJ-PC/New Device".
 
Error: (01/29/2015 07:07:36 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: VRJ-PC)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
 
Error: (01/29/2015 07:07:36 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: VRJ-PC)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
 
Error: (01/29/2015 07:07:36 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: VRJ-PC)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. 
 
 DETAIL - The process cannot access the file because it is being used by another process.
 
Error: (01/29/2015 07:07:36 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights. 
 
 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\UpdatusUser\ntuser.dat
 
 
System errors:
=============
Error: (01/29/2015 07:12:07 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
36721518
cdrom
 
Error: (01/29/2015 07:05:36 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
36721518
cdrom
 
Error: (01/29/2015 07:05:07 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume E:.
 
Error: (01/29/2015 07:04:30 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume D:.
 
Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Update Service Daemon service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Office Software Protection Platform service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The VMware USB Arbitration Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
 
Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The VMware DHCP Service service terminated unexpectedly.  It has done this 1 time(s).
 
 
Microsoft Office Sessions:
=========================
Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: VRJ-PC)
Description: 
 
Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: VRJ-PC)
Description: 
 
Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: VRJ-PC)
Description: The process cannot access the file because it is being used by another process.
 
Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: The process cannot access the file because it is being used by another process.
C:\Users\UpdatusUser\ntuser.dat
 
Error: (01/29/2015 07:13:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (01/29/2015 07:12:13 PM) (Source: Liebert MultiLink) (EventID: 1) (User: )
Description: UPS Communication Loss: Occurred on 29-Jan-2015 7:12:13 PM at device "[192.168.157.1]VRJ-PC/New Device".
 
Error: (01/29/2015 07:07:36 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: VRJ-PC)
Description: 
 
Error: (01/29/2015 07:07:36 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: VRJ-PC)
Description: 
 
Error: (01/29/2015 07:07:36 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: VRJ-PC)
Description: The process cannot access the file because it is being used by another process.
 
Error: (01/29/2015 07:07:36 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: The process cannot access the file because it is being used by another process.
C:\Users\UpdatusUser\ntuser.dat
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-12-18 16:20:42.160
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\47e4b8fb.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-12-18 16:20:42.145
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\47e4b8fb.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-25 23:38:03.399
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3470 CPU @ 3.20GHz
Percentage of memory in use: 47%
Total physical RAM: 4050.66 MB
Available physical RAM: 2108.93 MB
Total Pagefile: 8099.51 MB
Available Pagefile: 6781.47 MB
Total Virtual: 8192 MB
Available Virtual: 8191.79 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:50 GB) (Free:21.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: () (Fixed) (Total:400 GB) (Free:110.62 GB) NTFS
Drive e: () (Fixed) (Total:481.51 GB) (Free:343.59 GB) NTFS
Drive f: () (Removable) (Total:13.78 GB) (Free:13.48 GB) NTFS
 
==================== MBR & Partition Table ==================
 
==================== End Of Log ============================


Edited by xXToffeeXx, 01 February 2015 - 09:25 AM.




#2 HelpBot


Posted 03 February 2015 - 08:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/565047 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 loveleeyoungae

  • Topic Starter

Posted 04 February 2015 - 02:04 AM

I posted the details about my situation in the 1st post. I have the original Windows 7 DVD. Here are the new logs as requested by the Bot:

 

 

===============================

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
Ran by VRJ (administrator) on VRJ-PC on 04-02-2015 13:56:51
Running from D:\VRJ\Desktop
Loaded Profiles: VRJ (Available profiles: VRJ)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Liebert Corporation) C:\MultiLink\bin\LiebertM.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(Bkav Corporation) C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\TokenManagerAgent.exe
() C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
() D:\VRJ\Downloads\Unikey64\UniKeyNT.exe
(Bkav Corporation) C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\BkavCATokenManager.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
() D:\VRJ\Desktop\RogueKillerX64.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-04-24] (IDT, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Bonus.SSR.FR11] => C:\Program Files (x86)\ABBYY FineReader 11\Bonus.ScreenshotReader.exe [933640 2012-01-19] (ABBYY.)
HKLM-x32\...\Run: [vmware-tray] => C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe [112856 2014-10-29] (VMware, Inc.)
HKLM-x32\...\Run: [vmware-tray.exe] => C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe [112856 2014-10-29] (VMware, Inc.)
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin <====== ATTENTION
HKLM Group Policy restriction on software: %systemdrive%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles(x86)%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: lsassw86s.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: lsassvrtdbks.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: bcdedit.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Appdata\Roaming\Microsoft\Windows\IEUpdate\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Run: [UniKey] => D:\VRJ\Downloads\Unikey64\UniKeyNT.exe [316928 2009-11-02] ()
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Run: [BkavCA Token Manager] => C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\BkavCATokenManager.exe [2225152 2014-12-09] (Bkav Corporation)
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Run: [cf7746] => C:\cf77466\cf77466.exe [275456 2015-01-28] (JetBrains s.r.o.)
ShellIconOverlayIdentifiers: [HardLinkMenu] -> {0A479751-02BC-11d3-A855-0004AC2568AA} => C:\Program Files\LinkShellExtension\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers: [IconOverlayHardLink] -> {0A479751-02BC-11d3-A855-0004AC2568DD} => C:\Program Files\LinkShellExtension\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers: [IconOverlaySymbolicLink] -> {0A479751-02BC-11d3-A855-0004AC2568EE} => C:\Program Files\LinkShellExtension\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll (Tonec Inc.)
ShellIconOverlayIdentifiers-x32: [HardLinkMenu] -> {0A479751-02BC-11d3-A855-0004AC2568AA} => C:\Program Files\LinkShellExtension\32\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers-x32: [IconOverlayHardLink] -> {0A479751-02BC-11d3-A855-0004AC2568DD} => C:\Program Files\LinkShellExtension\32\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers-x32: [IconOverlaySymbolicLink] -> {0A479751-02BC-11d3-A855-0004AC2568EE} => C:\Program Files\LinkShellExtension\32\HardlinkShellExt.dll (Hermann Schinagl)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2894121479-214908594-1536770163-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2894121479-214908594-1536770163-1000 -> DefaultScope {9E867C61-EA5B-40B7-AE04-FDA45E0E11E4} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2894121479-214908594-1536770163-1000 -> {9E867C61-EA5B-40B7-AE04-FDA45E0E11E4} URL = https://www.google.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_45 -> C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_45 -> C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll (Nitro PDF)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\5giay.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\baambootratuav.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\creativecommons.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\muare.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\zing-mp3.xml
FF Extension: HTML filter - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{E0B509E9-86D3-844B-6418-712DFEF88F3C} [2014-12-20]
FF Extension: leethax.net extension - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\leethax@leethax.net.xpi [2013-06-20]
FF Extension: Session Manager - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2014-01-15]
FF Extension: Mozilla Archive Format - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}.xpi [2013-05-30]
FF Extension: Tab Mix Plus - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2013-06-17]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} [2014-08-12]
FF HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\VRJ\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\VRJ\AppData\Roaming\IDM\idmmzcc5 [2013-05-29]
FF HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\VRJ\AppData\Roaming\IDM\idmmzcc5

Chrome:
=======
CHR Profile: C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Awesome Screenshot: Capture & Annotate) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\alelhddbbhepgpmgidjdcjakblofbmce [2013-05-29]
CHR Extension: (Google Docs) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-04-18]
CHR Extension: (Google Drive) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-04-18]
CHR Extension: (YouTube) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-18]
CHR Extension: (Adblock Plus) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-05-29]
CHR Extension: (Google Search) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-18]
CHR Extension: (IDM Integration) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm [2013-05-29]
CHR Extension: (Google Wallet) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-28]
CHR Extension: (Gmail) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-18]
CHR HKLM-x32\...\Chrome\Extension: [jmolcgpienlcieaajfkkdamlngancncm] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2013-05-27]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 LiebertM; C:\MultiLink\bin\LiebertM.exe [93696 2013-01-24] (Liebert Corporation) [File not signed]
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-03-25] (Nitro PDF Software)
R2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [14407384 2014-10-29] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U0 88060968; C:\Windows\System32\drivers\13446387.sys [248728 2015-01-29] (Kaspersky Lab, Yury Parshin)
R1 ISODrive; C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [115448 2013-11-21] (EZB Systems, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-01-29] ()
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-02] ()
R0 vsock; C:\Windows\System32\drivers\vsock.sys [73296 2013-10-08] (VMware, Inc.)
R2 vstor2-mntapi20-shared; C:\Windows\SysWow64\drivers\vstor2-mntapi20-shared.sys [33872 2013-02-22] (VMware, Inc.)
S3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64.sys [14464 2008-05-06] (Western Digital Technologies) [File not signed]
S0 36721518; system32\drivers\47399196.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U3 aswMBR; \??\C:\Users\VRJ\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\VRJ\AppData\Local\Temp\aswVmm.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-29 20:03 - 2015-02-04 13:56 - 00000000 ____D () C:\FRST
2015-01-29 19:36 - 2015-01-29 19:36 - 00053248 _____ () C:\Windows\SysWOW64\zlib.dll
2015-01-29 19:36 - 2015-01-29 19:36 - 00001212 _____ () C:\Users\Public\Desktop\CryptoPrevent.lnk
2015-01-29 19:36 - 2015-01-29 19:36 - 00001212 _____ () C:\ProgramData\Desktop\CryptoPrevent.lnk
2015-01-29 19:36 - 2015-01-29 19:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foolish IT
2015-01-29 19:36 - 2015-01-29 19:36 - 00000000 ____D () C:\ProgramData\Foolish IT
2015-01-29 19:36 - 2015-01-29 19:36 - 00000000 ____D () C:\Program Files (x86)\Foolish IT
2015-01-29 19:16 - 2015-01-29 19:16 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-01-29 19:16 - 2015-01-29 19:16 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-01-29 19:15 - 2015-01-29 19:15 - 00248728 _____ (Kaspersky Lab, Yury Parshin) C:\Windows\system32\Drivers\13446387.sys
2015-01-29 19:06 - 2015-01-29 19:06 - 00275456 _____ (JetBrains s.r.o.) C:\Users\VRJ\AppData\Roaming\cf77466.exe
2015-01-29 15:19 - 2015-01-29 15:22 - 00000000 ____D () C:\AdwCleaner
2015-01-29 07:19 - 2015-01-29 19:12 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-29 07:19 - 2015-01-29 07:19 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-29 07:19 - 2015-01-29 07:19 - 00001102 _____ () C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-29 07:19 - 2015-01-29 07:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-29 07:19 - 2015-01-29 07:19 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-29 07:19 - 2015-01-29 07:19 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-29 07:19 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-29 07:19 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-29 07:19 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-28 18:06 - 2015-01-28 18:06 - 00000000 ___HD () C:\cf77466
2015-01-20 09:57 - 2015-01-29 19:15 - 00000000 ____D () C:\TDSSKiller_Quarantine
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\VRJ\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\VRJ\AppData\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\VRJ\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\VRJ\AppData\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\VRJ\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\VRJ\AppData\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\HELP_DECRYPT.URL
2015-01-20 09:12 - 2015-01-20 09:12 - 00008542 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.HTML
2015-01-20 09:12 - 2015-01-20 09:12 - 00004214 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.TXT
2015-01-20 09:12 - 2015-01-20 09:12 - 00000272 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.URL
2015-01-20 09:11 - 2015-01-20 09:11 - 00008542 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-20 09:11 - 2015-01-20 09:11 - 00004214 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-20 09:11 - 2015-01-20 09:11 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-20 09:10 - 2015-01-26 18:53 - 00000000 ___HD () C:\zzzz
2015-01-20 09:06 - 2015-01-20 09:06 - 00049159 _____ () C:\Users\VRJ\AppData\Roaming\6201c0551d203b.xml
2015-01-20 09:02 - 2015-01-20 10:08 - 00000224 _____ () C:\Users\VRJ\AppData\Roaming\template.css

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-04 13:00 - 2013-04-18 09:54 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-04 11:59 - 2013-04-18 09:54 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-03 19:19 - 2009-07-14 11:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-03 19:19 - 2009-07-14 11:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-03 19:14 - 2013-04-15 16:46 - 00003486 _____ () C:\Windows\System32\Tasks\AutoKMS
2015-01-30 08:23 - 2013-04-18 11:14 - 00000000 ____D () C:\Temp
2015-01-29 19:18 - 2009-07-14 12:13 - 00789514 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-29 19:12 - 2014-06-17 10:09 - 00003574 _____ () C:\Windows\System32\Tasks\certreg Agent Application
2015-01-29 19:11 - 2013-04-26 18:20 - 00000000 ____D () C:\ProgramData\VMware
2015-01-29 19:11 - 2013-04-18 12:11 - 00038237 _____ () C:\Windows\setupact.log
2015-01-29 19:11 - 2013-04-12 20:26 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-29 19:11 - 2009-07-14 12:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-29 17:27 - 2013-04-18 12:11 - 00015460 _____ () C:\Windows\PFRO.log
2015-01-29 15:16 - 2014-12-20 12:28 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Oqkqics
2015-01-28 21:25 - 2013-04-15 16:52 - 00000000 ____D () C:\Vision5
2015-01-28 18:57 - 2013-04-18 11:39 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\TeamViewer
2015-01-28 18:28 - 2014-06-06 21:57 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\FileZilla
2015-01-28 18:28 - 2013-05-29 22:43 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\IDM
2015-01-28 18:19 - 2014-09-12 10:09 - 00000000 ____D () C:\MultiLink
2015-01-20 09:43 - 2013-05-29 22:43 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\DMCache
2015-01-20 09:13 - 2013-04-15 17:04 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\VisionLasata
2015-01-20 09:13 - 2013-04-11 14:04 - 00000000 ____D () C:\Users\VRJ
2015-01-20 09:12 - 2013-04-18 11:24 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Nitro PDF
2015-01-20 09:12 - 2013-04-18 10:32 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Nitro
2015-01-20 09:12 - 2013-04-18 10:32 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\FileOpen
2015-01-20 09:12 - 2013-04-18 10:21 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Adobe
2015-01-20 09:12 - 2013-04-18 10:18 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Notepad++
2015-01-20 09:12 - 2013-04-18 09:52 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Mozilla
2015-01-20 09:12 - 2013-04-18 09:52 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Mozilla
2015-01-20 09:11 - 2013-04-18 10:32 - 00000000 ____D () C:\ProgramData\Nitro
2015-01-20 09:11 - 2013-04-18 09:54 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Google
2015-01-19 15:43 - 2013-05-02 16:26 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\PrimoPDF
2015-01-17 03:00 - 2013-04-18 09:54 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-17 03:00 - 2013-04-18 09:54 - 00002179 _____ () C:\ProgramData\Desktop\Google Chrome.lnk
2015-01-15 20:14 - 2013-04-26 18:23 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\VMware
2015-01-15 20:14 - 2013-04-26 18:23 - 00000000 ____D () C:\Users\VRJ\AppData\Local\VMware

==================== Files in the root of some directories =======

2015-01-20 09:06 - 2015-01-20 09:06 - 0049159 _____ () C:\Users\VRJ\AppData\Roaming\6201c0551d203b.xml
2015-01-29 19:06 - 2015-01-29 19:06 - 0275456 _____ (JetBrains s.r.o.) C:\Users\VRJ\AppData\Roaming\cf77466.exe
2015-01-20 09:13 - 2015-01-20 09:13 - 0008542 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 0045507 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-20 09:13 - 2015-01-20 09:13 - 0004214 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 0000272 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.URL
2015-01-20 09:02 - 2015-01-20 10:08 - 0000224 _____ () C:\Users\VRJ\AppData\Roaming\template.css
2015-01-20 09:12 - 2015-01-20 09:12 - 0008542 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.HTML
2015-01-20 09:12 - 2015-01-20 09:12 - 0045507 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.PNG
2015-01-20 09:12 - 2015-01-20 09:12 - 0004214 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.TXT
2015-01-20 09:12 - 2015-01-20 09:12 - 0000272 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.URL
2014-08-18 18:40 - 2014-08-21 16:07 - 0000600 _____ () C:\Users\VRJ\AppData\Local\PUTTY.RND
2015-01-20 09:11 - 2015-01-20 09:11 - 0008542 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-20 09:11 - 2015-01-20 09:11 - 0045507 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-20 09:11 - 2015-01-20 09:11 - 0004214 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-20 09:11 - 2015-01-20 09:11 - 0000272 _____ () C:\ProgramData\HELP_DECRYPT.URL

Some content of TEMP:
====================
C:\Users\VRJ\AppData\Local\Temp\bassmod.dll
C:\Users\VRJ\AppData\Local\Temp\BTM_update.exe
C:\Users\VRJ\AppData\Local\Temp\converter.exe
C:\Users\VRJ\AppData\Local\Temp\dllnt_dump.dll
C:\Users\VRJ\AppData\Local\Temp\FMT_update.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\Quarantine.exe
C:\Users\VRJ\AppData\Local\Temp\sqlite3.dll
C:\Users\VRJ\AppData\Local\Temp\stuprt.exe
C:\Users\VRJ\AppData\Local\Temp\xmlUpdater.exe
C:\Users\VRJ\AppData\Local\Temp\{1DB4128E-7CA8-43E3-9036-A80AAB199CD6}.exe

Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\vssadmin.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-03 00:22

==================== End Of Log ============================


#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,442 posts
  • Gender:Male
  • Location:California
  • Local time:04:12 PM

Posted 04 February 2015 - 08:42 PM

Greetings loveleeyoungae and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. I know you have run FRST a couple of times but I would really like to have you post one more. Please make sure to place a check mark in Addition.txt and copy/paste both logs in your reply.

Could you briefly detail what you are experiencing today.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#5 loveleeyoungae

loveleeyoungae
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:12 AM

Posted 04 February 2015 - 08:59 PM

Thanks for your response, Oh My!

I haven't touched the computer since I started the thread, so the state is still as it was 5 days ago. It seems that I can use the PC normally. But as I said, I'm just afraid that my deletion of some "kernel driver" might prevent the PC from booting if I restart it.

I'm reposting the logs generated today.

********************************************* 1. FRST LOG *****************************

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
Ran by VRJ (administrator) on VRJ-PC on 05-02-2015 08:49:41
Running from D:\VRJ\Desktop
Loaded Profiles: VRJ (Available profiles: VRJ)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Liebert Corporation) C:\MultiLink\bin\LiebertM.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(Bkav Corporation) C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\TokenManagerAgent.exe
() C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
() D:\VRJ\Downloads\Unikey64\UniKeyNT.exe
(Bkav Corporation) C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\BkavCATokenManager.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
() D:\VRJ\Desktop\RogueKillerX64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-04-24] (IDT, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Bonus.SSR.FR11] => C:\Program Files (x86)\ABBYY FineReader 11\Bonus.ScreenshotReader.exe [933640 2012-01-19] (ABBYY.)
HKLM-x32\...\Run: [vmware-tray] => C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe [112856 2014-10-29] (VMware, Inc.)
HKLM-x32\...\Run: [vmware-tray.exe] => C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe [112856 2014-10-29] (VMware, Inc.)
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin <====== ATTENTION
HKLM Group Policy restriction on software: %systemdrive%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles(x86)%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: lsassw86s.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: lsassvrtdbks.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: bcdedit.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Appdata\Roaming\Microsoft\Windows\IEUpdate\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Run: [UniKey] => D:\VRJ\Downloads\Unikey64\UniKeyNT.exe [316928 2009-11-02] ()
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Run: [BkavCA Token Manager] => C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\BkavCATokenManager.exe [2225152 2014-12-09] (Bkav Corporation)
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Run: [cf7746] => C:\cf77466\cf77466.exe [275456 2015-01-28] (JetBrains s.r.o.)
ShellIconOverlayIdentifiers: [HardLinkMenu] -> {0A479751-02BC-11d3-A855-0004AC2568AA} => C:\Program Files\LinkShellExtension\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers: [IconOverlayHardLink] -> {0A479751-02BC-11d3-A855-0004AC2568DD} => C:\Program Files\LinkShellExtension\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers: [IconOverlaySymbolicLink] -> {0A479751-02BC-11d3-A855-0004AC2568EE} => C:\Program Files\LinkShellExtension\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll (Tonec Inc.)
ShellIconOverlayIdentifiers-x32: [HardLinkMenu] -> {0A479751-02BC-11d3-A855-0004AC2568AA} => C:\Program Files\LinkShellExtension\32\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers-x32: [IconOverlayHardLink] -> {0A479751-02BC-11d3-A855-0004AC2568DD} => C:\Program Files\LinkShellExtension\32\HardlinkShellExt.dll (Hermann Schinagl)
ShellIconOverlayIdentifiers-x32: [IconOverlaySymbolicLink] -> {0A479751-02BC-11d3-A855-0004AC2568EE} => C:\Program Files\LinkShellExtension\32\HardlinkShellExt.dll (Hermann Schinagl)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2894121479-214908594-1536770163-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKU\S-1-5-21-2894121479-214908594-1536770163-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2894121479-214908594-1536770163-1000 -> DefaultScope {9E867C61-EA5B-40B7-AE04-FDA45E0E11E4} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2894121479-214908594-1536770163-1000 -> {9E867C61-EA5B-40B7-AE04-FDA45E0E11E4} URL = https://www.google.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_45 -> C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_45 -> C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll (Nitro PDF)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\5giay.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\baambootratuav.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\creativecommons.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\muare.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\zing-mp3.xml
FF Extension: HTML filter - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{E0B509E9-86D3-844B-6418-712DFEF88F3C} [2014-12-20]
FF Extension: leethax.net extension - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\leethax@leethax.net.xpi [2013-06-20]
FF Extension: Session Manager - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2014-01-15]
FF Extension: Mozilla Archive Format - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}.xpi [2013-05-30]
FF Extension: Tab Mix Plus - C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2013-06-17]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} [2014-08-12]
FF HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\VRJ\AppData\Roaming\IDM\idmmzcc5
FF Extension: IDM CC - C:\Users\VRJ\AppData\Roaming\IDM\idmmzcc5 [2013-05-29]
FF HKU\S-1-5-21-2894121479-214908594-1536770163-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\VRJ\AppData\Roaming\IDM\idmmzcc5

Chrome:
=======
CHR Profile: C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Awesome Screenshot: Capture & Annotate) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\alelhddbbhepgpmgidjdcjakblofbmce [2013-05-29]
CHR Extension: (Google Docs) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-04-18]
CHR Extension: (Google Drive) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-04-18]
CHR Extension: (YouTube) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-18]
CHR Extension: (Adblock Plus) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-05-29]
CHR Extension: (Google Search) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-18]
CHR Extension: (IDM Integration) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm [2013-05-29]
CHR Extension: (Google Wallet) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-28]
CHR Extension: (Gmail) - C:\Users\VRJ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-18]
CHR HKLM-x32\...\Chrome\Extension: [jmolcgpienlcieaajfkkdamlngancncm] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2013-05-27]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 LiebertM; C:\MultiLink\bin\LiebertM.exe [93696 2013-01-24] (Liebert Corporation) [File not signed]
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-03-25] (Nitro PDF Software)
R2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [14407384 2014-10-29] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U0 88060968; C:\Windows\System32\drivers\13446387.sys [248728 2015-01-29] (Kaspersky Lab, Yury Parshin)
R1 ISODrive; C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [115448 2013-11-21] (EZB Systems, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-01-29] ()
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-02] ()
R0 vsock; C:\Windows\System32\drivers\vsock.sys [73296 2013-10-08] (VMware, Inc.)
R2 vstor2-mntapi20-shared; C:\Windows\SysWow64\drivers\vstor2-mntapi20-shared.sys [33872 2013-02-22] (VMware, Inc.)
S3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64.sys [14464 2008-05-06] (Western Digital Technologies) [File not signed]
S0 36721518; system32\drivers\47399196.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U3 aswMBR; \??\C:\Users\VRJ\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\VRJ\AppData\Local\Temp\aswVmm.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-29 20:03 - 2015-02-05 08:49 - 00000000 ____D () C:\FRST
2015-01-29 19:36 - 2015-01-29 19:36 - 00053248 _____ () C:\Windows\SysWOW64\zlib.dll
2015-01-29 19:36 - 2015-01-29 19:36 - 00001212 _____ () C:\Users\Public\Desktop\CryptoPrevent.lnk
2015-01-29 19:36 - 2015-01-29 19:36 - 00001212 _____ () C:\ProgramData\Desktop\CryptoPrevent.lnk
2015-01-29 19:36 - 2015-01-29 19:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foolish IT
2015-01-29 19:36 - 2015-01-29 19:36 - 00000000 ____D () C:\ProgramData\Foolish IT
2015-01-29 19:36 - 2015-01-29 19:36 - 00000000 ____D () C:\Program Files (x86)\Foolish IT
2015-01-29 19:16 - 2015-01-29 19:16 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-01-29 19:16 - 2015-01-29 19:16 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-01-29 19:15 - 2015-01-29 19:15 - 00248728 _____ (Kaspersky Lab, Yury Parshin) C:\Windows\system32\Drivers\13446387.sys
2015-01-29 19:06 - 2015-01-29 19:06 - 00275456 _____ (JetBrains s.r.o.) C:\Users\VRJ\AppData\Roaming\cf77466.exe
2015-01-29 15:19 - 2015-01-29 15:22 - 00000000 ____D () C:\AdwCleaner
2015-01-29 07:19 - 2015-01-29 19:12 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-29 07:19 - 2015-01-29 07:19 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-29 07:19 - 2015-01-29 07:19 - 00001102 _____ () C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-29 07:19 - 2015-01-29 07:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-29 07:19 - 2015-01-29 07:19 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-29 07:19 - 2015-01-29 07:19 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-29 07:19 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-29 07:19 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-29 07:19 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-28 18:06 - 2015-01-28 18:06 - 00000000 ___HD () C:\cf77466
2015-01-20 09:57 - 2015-01-29 19:15 - 00000000 ____D () C:\TDSSKiller_Quarantine
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\VRJ\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\VRJ\AppData\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\Users\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00008542 _____ () C:\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\VRJ\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\VRJ\AppData\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\Users\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00004214 _____ () C:\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\VRJ\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\VRJ\AppData\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\Users\HELP_DECRYPT.URL
2015-01-20 09:13 - 2015-01-20 09:13 - 00000272 _____ () C:\HELP_DECRYPT.URL
2015-01-20 09:12 - 2015-01-20 09:12 - 00008542 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.HTML
2015-01-20 09:12 - 2015-01-20 09:12 - 00004214 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.TXT
2015-01-20 09:12 - 2015-01-20 09:12 - 00000272 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.URL
2015-01-20 09:11 - 2015-01-20 09:11 - 00008542 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-20 09:11 - 2015-01-20 09:11 - 00004214 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-20 09:11 - 2015-01-20 09:11 - 00000272 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-20 09:10 - 2015-01-26 18:53 - 00000000 ___HD () C:\zzzz
2015-01-20 09:06 - 2015-01-20 09:06 - 00049159 _____ () C:\Users\VRJ\AppData\Roaming\6201c0551d203b.xml
2015-01-20 09:02 - 2015-01-20 10:08 - 00000224 _____ () C:\Users\VRJ\AppData\Roaming\template.css

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 08:00 - 2013-04-18 09:54 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-04 19:19 - 2009-07-14 11:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-04 19:19 - 2009-07-14 11:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-04 19:14 - 2013-04-15 16:46 - 00003486 _____ () C:\Windows\System32\Tasks\AutoKMS
2015-02-04 11:59 - 2013-04-18 09:54 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-30 08:23 - 2013-04-18 11:14 - 00000000 ____D () C:\Temp
2015-01-29 19:18 - 2009-07-14 12:13 - 00789514 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-29 19:12 - 2014-06-17 10:09 - 00003574 _____ () C:\Windows\System32\Tasks\certreg Agent Application
2015-01-29 19:11 - 2013-04-26 18:20 - 00000000 ____D () C:\ProgramData\VMware
2015-01-29 19:11 - 2013-04-18 12:11 - 00038237 _____ () C:\Windows\setupact.log
2015-01-29 19:11 - 2013-04-12 20:26 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-29 19:11 - 2009-07-14 12:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-29 17:27 - 2013-04-18 12:11 - 00015460 _____ () C:\Windows\PFRO.log
2015-01-29 15:16 - 2014-12-20 12:28 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Oqkqics
2015-01-28 21:25 - 2013-04-15 16:52 - 00000000 ____D () C:\Vision5
2015-01-28 18:57 - 2013-04-18 11:39 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\TeamViewer
2015-01-28 18:28 - 2014-06-06 21:57 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\FileZilla
2015-01-28 18:28 - 2013-05-29 22:43 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\IDM
2015-01-28 18:19 - 2014-09-12 10:09 - 00000000 ____D () C:\MultiLink
2015-01-20 09:43 - 2013-05-29 22:43 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\DMCache
2015-01-20 09:13 - 2013-04-15 17:04 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\VisionLasata
2015-01-20 09:13 - 2013-04-11 14:04 - 00000000 ____D () C:\Users\VRJ
2015-01-20 09:12 - 2013-04-18 11:24 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Nitro PDF
2015-01-20 09:12 - 2013-04-18 10:32 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Nitro
2015-01-20 09:12 - 2013-04-18 10:32 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\FileOpen
2015-01-20 09:12 - 2013-04-18 10:21 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Adobe
2015-01-20 09:12 - 2013-04-18 10:18 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Notepad++
2015-01-20 09:12 - 2013-04-18 09:52 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\Mozilla
2015-01-20 09:12 - 2013-04-18 09:52 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Mozilla
2015-01-20 09:11 - 2013-04-18 10:32 - 00000000 ____D () C:\ProgramData\Nitro
2015-01-20 09:11 - 2013-04-18 09:54 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Google
2015-01-19 15:43 - 2013-05-02 16:26 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\PrimoPDF
2015-01-17 03:00 - 2013-04-18 09:54 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-17 03:00 - 2013-04-18 09:54 - 00002179 _____ () C:\ProgramData\Desktop\Google Chrome.lnk
2015-01-15 20:14 - 2013-04-26 18:23 - 00000000 ____D () C:\Users\VRJ\AppData\Roaming\VMware
2015-01-15 20:14 - 2013-04-26 18:23 - 00000000 ____D () C:\Users\VRJ\AppData\Local\VMware

==================== Files in the root of some directories =======

2015-01-20 09:06 - 2015-01-20 09:06 - 0049159 _____ () C:\Users\VRJ\AppData\Roaming\6201c0551d203b.xml
2015-01-29 19:06 - 2015-01-29 19:06 - 0275456 _____ (JetBrains s.r.o.) C:\Users\VRJ\AppData\Roaming\cf77466.exe
2015-01-20 09:13 - 2015-01-20 09:13 - 0008542 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-20 09:13 - 2015-01-20 09:13 - 0045507 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-20 09:13 - 2015-01-20 09:13 - 0004214 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.TXT
2015-01-20 09:13 - 2015-01-20 09:13 - 0000272 _____ () C:\Users\VRJ\AppData\Roaming\HELP_DECRYPT.URL
2015-01-20 09:02 - 2015-01-20 10:08 - 0000224 _____ () C:\Users\VRJ\AppData\Roaming\template.css
2015-01-20 09:12 - 2015-01-20 09:12 - 0008542 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.HTML
2015-01-20 09:12 - 2015-01-20 09:12 - 0045507 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.PNG
2015-01-20 09:12 - 2015-01-20 09:12 - 0004214 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.TXT
2015-01-20 09:12 - 2015-01-20 09:12 - 0000272 _____ () C:\Users\VRJ\AppData\Local\HELP_DECRYPT.URL
2014-08-18 18:40 - 2014-08-21 16:07 - 0000600 _____ () C:\Users\VRJ\AppData\Local\PUTTY.RND
2015-01-20 09:11 - 2015-01-20 09:11 - 0008542 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-20 09:11 - 2015-01-20 09:11 - 0045507 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-20 09:11 - 2015-01-20 09:11 - 0004214 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-01-20 09:11 - 2015-01-20 09:11 - 0000272 _____ () C:\ProgramData\HELP_DECRYPT.URL

Some content of TEMP:
====================
C:\Users\VRJ\AppData\Local\Temp\bassmod.dll
C:\Users\VRJ\AppData\Local\Temp\BTM_update.exe
C:\Users\VRJ\AppData\Local\Temp\converter.exe
C:\Users\VRJ\AppData\Local\Temp\dllnt_dump.dll
C:\Users\VRJ\AppData\Local\Temp\FMT_update.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\Quarantine.exe
C:\Users\VRJ\AppData\Local\Temp\sqlite3.dll
C:\Users\VRJ\AppData\Local\Temp\stuprt.exe
C:\Users\VRJ\AppData\Local\Temp\xmlUpdater.exe
C:\Users\VRJ\AppData\Local\Temp\{1DB4128E-7CA8-43E3-9036-A80AAB199CD6}.exe

Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\vssadmin.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-03 00:22

==================== End Of Log ============================

***********************2. Addition.txt Log*******************************************

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-02-2015
Ran by VRJ at 2015-02-05 08:49:54
Running from D:\VRJ\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKLM-x32\...\uTorrent) (Version: 2.2.1 - BitTorrent Inc.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ABBYY FineReader 11 Corporate Edition (HKLM-x32\...\{F1100000-0010-0000-0000-074957833700}) (Version: 11.0.460 - ABBYY)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\{676E4C31-0CD1-454E-BE3A-70D3AC93F915}) (Version: 11.7.700.169 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.7.700.224 - Adobe Systems Incorporated)
BkavCA Token Manager 2.5.1.7 (HKLM\...\{D802E60A-D432-4489-9483-E86C13E45E31}_is1) (Version: 2.5.1.7 - Bkav Corporation)
BkavCA Token Manager 2.5.2.4 (HKLM-x32\...\{D802E60A-D432-4489-9483-E86C13E45E31}_is1) (Version: 2.5.2.4 - Bkav Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 4.00 - Piriform)
Cheat Engine 6.2 (HKLM-x32\...\Cheat Engine 6.2_is1) (Version:  - Dark Byte)
CryptoPrevent (HKLM-x32\...\{5C5B24E7-4694-4049-A222-CCE7D3FAC63F}_is1) (Version:  - Foolish IT LLC)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - CutePDF.com)
Daum PotPlayer 1.5.36205 (HKLM-x32\...\PotPlayer) (Version:  - )
FileMenu Tools (HKLM\...\FileMenu Tools_is1) (Version: 6.6 - LopeSoft)
FileZilla Client 3.7.1.1 (HKLM-x32\...\FileZilla Client) (Version: 3.7.1.1 - Tim Kosse)
GetDataBack Simple (HKLM-x32\...\{D06B8000-52B4-4D0B-A003-DA83ED982B51}) (Version: 1.00.001 - Runtime Software)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.99 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HTKK (HKLM-x32\...\{0563EB26-9299-4330-8AB9-A44282276390}) (Version: 3.0.0 - TCT)
HTKK (HKLM-x32\...\{C3A9344A-8048-466D-9CD5-A40D1B94FEE0}) (Version: 3.2.0 - TCT)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
Java™ 6 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416045FF}) (Version: 6.0.450 - Oracle)
Java™ 6 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216045FF}) (Version: 6.0.450 - Oracle)
JDownloader 0.9 (HKLM-x32\...\5513-1208-7298-9440) (Version: 0.9 - AppWork GmbH)
Liebert MultiLink (HKLM-x32\...\Liebert MultiLink) (Version: 4.2.4 - Liebert Corporation)
Link Shell Extension (HKLM\...\HardlinkShellExt) (Version: 3.7.4.7 - Hermann Schinagl)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visio 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-0057-0000-0000-0000000FF1CE}_Office14.VISIO_{01D8AE4B-A04D-47E5-81BF-E3F98B81B8C3}) (Version:  - Microsoft)
Microsoft Visio Premium 2010 (HKLM-x32\...\Office14.VISIO) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Mozilla Firefox 31.0 (x86 vi) (HKLM-x32\...\Mozilla Firefox 31.0 (x86 vi)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Nitro Pro 8 (HKLM\...\{47B42E7A-57E9-407B-8DBB-017B86D7B13F}) (Version: 8.5.2.10 - Nitro)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.2.3 - )
NVIDIA 3D Vision Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 311.06 - NVIDIA Corporation)
NVIDIA Graphics Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.06 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
PrimoPDF -- brought to you by Nitro PDF Software (HKLM-x32\...\PrimoPDF) (Version: 5 - Nitro PDF Software)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
TeraCopy 2.3 (HKLM\...\TeraCopy_is1) (Version:  - Code Sector)
UBitMenu UK (HKLM-x32\...\{C8748FFB-1713-4e95-B3DF-4F1622D96F93}_is1) (Version: 01.04 - UBit Schweiz AG)
UltraISO Premium V9.62 (HKLM-x32\...\UltraISO_is1) (Version:  - )
Unlocker 1.9.1-x64 (HKLM\...\Unlocker) (Version: 1.9.1 - Cedrick Collomb)
Visual BCD (HKLM-x32\...\{436D50FF-8FA1-4FDD-A9C9-48B52A990F57}) (Version: 0.9.3.1 - BoYans)
VMware Workstation (HKLM-x32\...\VMware_Workstation) (Version: 10.0.4 - VMware, Inc)
VMware Workstation (Version: 10.0.4 - VMware, Inc.) Hidden
WinRAR 4.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2894121479-214908594-1536770163-1000_Classes\CLSID\{383A8FE9-9FEE-7A3B-2971-4ED8B3007106}\InprocServer32 -> C:\Windows\system32\ole32.dll (Microsoft Corporation)

==================== Restore Points  =========================

ATTENTION: System Restore is disabled.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 09:34 - 2009-06-11 04:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {065621AC-C5FC-4E4C-95FE-21F9E7E3B09C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-03-26] (Piriform Ltd)
Task: {8C887164-16C7-4E8B-9231-FEBA48FCA4F9} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {9FF2E9EF-75F1-4983-A2D8-C19834AEB62A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-04-18] (Google Inc.)
Task: {A036E29D-9BE0-4048-981A-639DD3A6F9D6} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2013-04-15] ()
Task: {A4E77E3B-8439-488E-8D51-57049107E491} - System32\Tasks\certreg Agent Application => cmd.exe /c start "TokenManagerAgent.exe" /d "C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager" "C:\Program Files (x86)\Bkav Corporation\BkavCA Token Manager\TokenManagerAgent.exe"
Task: {B4283C58-DE66-4DA8-9550-C43475AE36D3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-04-18] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-04-12 20:24 - 2013-01-18 22:00 - 00087328 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2013-05-02 16:28 - 2012-10-04 19:49 - 00087152 _____ () C:\Windows\System32\cpwmon64.dll
2013-05-02 16:25 - 2011-03-01 05:37 - 00095008 _____ () C:\Windows\System32\Primomonnt.dll
2014-08-11 21:11 - 2014-09-11 13:06 - 00020240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\TeamViewer_PrintProcessor.dll
2011-03-17 00:07 - 2011-03-17 00:07 - 04297568 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2004-10-01 01:15 - 2004-10-01 01:15 - 00192000 _____ () C:\Program Files\LinkShellExtension\RockallDLL.dll
2013-04-24 19:18 - 2009-11-02 00:43 - 00296960 _____ () D:\VRJ\Downloads\Unikey64\UKHook40.dll
2010-01-02 21:42 - 2010-01-02 21:42 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2013-07-02 07:50 - 2012-01-29 16:55 - 00657920 _____ () C:\Program Files\TeraCopy\TeraCopy64.dll
2014-10-29 14:27 - 2014-10-29 14:27 - 14407384 _____ () C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
2013-04-24 19:18 - 2009-11-02 00:43 - 00316928 _____ () D:\VRJ\Downloads\Unikey64\UniKeyNT.exe
2015-01-29 15:29 - 2015-01-29 15:29 - 18570328 _____ () D:\VRJ\Desktop\RogueKillerX64.exe
2014-10-29 15:01 - 2014-10-29 15:01 - 01261272 _____ () C:\Program Files (x86)\VMware\VMware Workstation\libxml2.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Windows:nlsPreferences

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\36721518.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\41321832.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\53064853.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\59010049.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\88060968.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\94089475.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\99847260.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\36721518.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\41321832.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\53064853.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\59010049.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\88060968.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\94089475.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\99847260.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

HKLM\...\.exe: CryptoPreventEXE => "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.CryptoPreventEXEC" /"%1" %* <===== ATTENTION!

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-2894121479-214908594-1536770163-500 - Administrator - Disabled)
Guest (S-1-5-21-2894121479-214908594-1536770163-501 - Limited - Disabled)
UpdatusUser (S-1-5-21-2894121479-214908594-1536770163-1002 - Limited - Enabled)
VRJ (S-1-5-21-2894121479-214908594-1536770163-1000 - Administrator - Enabled) => C:\Users\VRJ

==================== Faulty Device Manager Devices =============

Name: F:\
Description: Patriot Memory 
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer:        
Service: WUDFRd
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Realtek PCIe GBE Family Controller
Description: Realtek PCIe GBE Family Controller
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Realtek
Service: RTL8167
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: U:\
Description: Card  Reader   
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Multiple
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

Name: Ralink RT5390R 802.11bgn Wi-Fi Adapter
Description: Ralink RT5390R 802.11bgn Wi-Fi Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Ralink Technology, Corp.
Service: netr28x
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/05/2015 00:30:30 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest2" on line C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.

Error: (02/05/2015 00:30:14 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest2" on line C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.

Error: (01/30/2015 00:31:31 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest2" on line C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.

Error: (01/30/2015 00:30:32 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest2" on line C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.

Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: VRJ-PC)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: VRJ-PC)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: VRJ-PC)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.

 DETAIL - The process cannot access the file because it is being used by another process.

Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\UpdatusUser\ntuser.dat

Error: (01/29/2015 07:13:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/29/2015 07:12:13 PM) (Source: Liebert MultiLink) (EventID: 1) (User: )
Description: UPS Communication Loss: Occurred on 29-Jan-2015 7:12:13 PM at device "[192.168.157.1]VRJ-PC/New Device".

System errors:
=============
Error: (01/29/2015 07:12:07 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
36721518
cdrom

Error: (01/29/2015 07:05:36 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
36721518
cdrom

Error: (01/29/2015 07:05:07 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume E:.

Error: (01/29/2015 07:04:30 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume D:.

Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Update Service Daemon service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Office Software Protection Platform service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The VMware USB Arbitration Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (01/29/2015 03:22:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The VMware DHCP Service service terminated unexpectedly.  It has done this 1 time(s).

Microsoft Office Sessions:
=========================
Error: (02/05/2015 00:30:30 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestc:\program files (x86)\bkav corporation\bkavca token manager\RemoteInstaller.exe

Error: (02/05/2015 00:30:14 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestc:\program files\bkav corporation\bkavca token manager\RemoteInstaller.exe

Error: (01/30/2015 00:31:31 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestc:\program files (x86)\bkav corporation\bkavca token manager\RemoteInstaller.exe

Error: (01/30/2015 00:30:32 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestc:\program files\bkav corporation\bkavca token manager\RemoteInstaller.exe

Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: VRJ-PC)
Description:

Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: VRJ-PC)
Description:

Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: VRJ-PC)
Description: The process cannot access the file because it is being used by another process.

Error: (01/29/2015 07:14:07 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: The process cannot access the file because it is being used by another process.
C:\Users\UpdatusUser\ntuser.dat

Error: (01/29/2015 07:13:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/29/2015 07:12:13 PM) (Source: Liebert MultiLink) (EventID: 1) (User: )
Description: UPS Communication Loss: Occurred on 29-Jan-2015 7:12:13 PM at device "[192.168.157.1]VRJ-PC/New Device".

CodeIntegrity Errors:
===================================
  Date: 2014-12-18 16:20:42.160
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\47e4b8fb.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-18 16:20:42.145
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\47e4b8fb.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-09-25 23:38:03.399
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel® Core™ i5-3470 CPU @ 3.20GHz
Percentage of memory in use: 48%
Total physical RAM: 4050.66 MB
Available physical RAM: 2078.14 MB
Total Pagefile: 8099.51 MB
Available Pagefile: 6661.46 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:50 GB) (Free:21.46 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: () (Fixed) (Total:400 GB) (Free:110.62 GB) NTFS
Drive e: () (Fixed) (Total:481.51 GB) (Free:343.59 GB) NTFS
Drive f: () (Removable) (Total:13.78 GB) (Free:13.43 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 14.8 GB) (Disk ID: DCD0FFF1)
Partition 1: (Active) - (Size=13.8 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=999 MB) - (Type=0C)

==================== End Of Log ============================

 



#6 Oh My!

  • Malware Response Instructor

Posted 04 February 2015 - 09:30 PM

Greetings,

Can you attempt to create a Restore Point, please?

===================================================

Enabling System Restore in Windows 7/Vista and Setting a Restore Point

--------------------
  • Click Start, right click on Computer, then select Properties
  • Click on System Protection in the left-hand task list.
  • Under Protection settings verify Local Disk (C:) System is On
  • If not, left click on the Local Disk (C:) System entry, then click Configure
  • Under Restore Settings select Restore system settings and previous versions of files, then select OK
  • Once back in the System Properties screen click Create, enter a Restore Point name of your choosing, then click Create
  • System Restore is now enabled on your computer and a Restore Point has been created
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Was a Restore Point successfully set?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#7 loveleeyoungae


Posted 04 February 2015 - 09:35 PM

Yes, I've created a Restore Point successfully.



#8 Oh My!


Posted 04 February 2015 - 10:02 PM

Great, thanks. We have some work to do but at this point I don't see anything software related that should prevent a successful reboot.

Please consider and do this.

===================================================

P2P Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition, it has recently been reported that P2P downloads may be tracked, resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
S0 36721518; system32\drivers\47399196.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U3 aswMBR; \??\C:\Users\VRJ\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\VRJ\AppData\Local\Temp\aswVmm.sys [X]
2015-01-29 15:16 - 2014-12-20 12:28 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Oqkqics
2015-01-20 09:06 - 2015-01-20 09:06 - 0049159 _____ () C:\Users\VRJ\AppData\Roaming\6201c0551d203b.xml
C:\Users\VRJ\AppData\Local\Temp\bassmod.dll
C:\Users\VRJ\AppData\Local\Temp\BTM_update.exe
C:\Users\VRJ\AppData\Local\Temp\converter.exe
C:\Users\VRJ\AppData\Local\Temp\dllnt_dump.dll
C:\Users\VRJ\AppData\Local\Temp\FMT_update.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\Quarantine.exe
C:\Users\VRJ\AppData\Local\Temp\sqlite3.dll
C:\Users\VRJ\AppData\Local\Temp\stuprt.exe
C:\Users\VRJ\AppData\Local\Temp\xmlUpdater.exe
C:\Users\VRJ\AppData\Local\Temp\{1DB4128E-7CA8-43E3-9036-A80AAB199CD6}.exe
2015-02-04 19:14 - 2013-04-15 16:46 - 00003486 _____ () C:\Windows\System32\Tasks\AutoKMS
2015-01-20 09:02 - 2015-01-20 10:08 - 0000224 _____ () C:\Users\VRJ\AppData\Roaming\template.css
Task: {A036E29D-9BE0-4048-981A-639DD3A6F9D6} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2013-04-15] ()
cmd: dir C:\cf77466 /s
cmd: dir C:\zzzz /s
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Copy/paste the following in the Search Field
*decrypt*
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Search.txt

Gary
 

#9 loveleeyoungae


Posted 04 February 2015 - 11:04 PM

Search.txt is too big, BC didn't let me post it (I tried three times), so I compressed it and am attaching it here.

 

Here is fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by VRJ at 2015-02-05 10:33:55 Run:1
Running from D:\VRJ\Desktop
Loaded Profiles: VRJ (Available profiles: VRJ)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
S0 36721518; system32\drivers\47399196.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U3 aswMBR; \??\C:\Users\VRJ\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\VRJ\AppData\Local\Temp\aswVmm.sys [X]
2015-01-29 15:16 - 2014-12-20 12:28 - 00000000 ____D () C:\Users\VRJ\AppData\Local\Oqkqics
2015-01-20 09:06 - 2015-01-20 09:06 - 0049159 _____ () C:\Users\VRJ\AppData\Roaming\6201c0551d203b.xml
C:\Users\VRJ\AppData\Local\Temp\bassmod.dll
C:\Users\VRJ\AppData\Local\Temp\BTM_update.exe
C:\Users\VRJ\AppData\Local\Temp\converter.exe
C:\Users\VRJ\AppData\Local\Temp\dllnt_dump.dll
C:\Users\VRJ\AppData\Local\Temp\FMT_update.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\VRJ\AppData\Local\Temp\Quarantine.exe
C:\Users\VRJ\AppData\Local\Temp\sqlite3.dll
C:\Users\VRJ\AppData\Local\Temp\stuprt.exe
C:\Users\VRJ\AppData\Local\Temp\xmlUpdater.exe
C:\Users\VRJ\AppData\Local\Temp\{1DB4128E-7CA8-43E3-9036-A80AAB199CD6}.exe
2015-02-04 19:14 - 2013-04-15 16:46 - 00003486 _____ () C:\Windows\System32\Tasks\AutoKMS
2015-01-20 09:02 - 2015-01-20 10:08 - 0000224 _____ () C:\Users\VRJ\AppData\Roaming\template.css
Task: {A036E29D-9BE0-4048-981A-639DD3A6F9D6} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2013-04-15] ()
cmd: dir C:\cf77466 /s
cmd: dir C:\zzzz /s
*****************

36721518 => Service deleted successfully.
VGPU => Service deleted successfully.
aswMBR => Service deleted successfully.
aswVmm => Service deleted successfully.
C:\Users\VRJ\AppData\Local\Oqkqics => Moved successfully.
C:\Users\VRJ\AppData\Roaming\6201c0551d203b.xml => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\bassmod.dll => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\BTM_update.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\converter.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\FMT_update.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\stuprt.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\xmlUpdater.exe => Moved successfully.
C:\Users\VRJ\AppData\Local\Temp\{1DB4128E-7CA8-43E3-9036-A80AAB199CD6}.exe => Moved successfully.
C:\Windows\System32\Tasks\AutoKMS => Moved successfully.
C:\Users\VRJ\AppData\Roaming\template.css => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{A036E29D-9BE0-4048-981A-639DD3A6F9D6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A036E29D-9BE0-4048-981A-639DD3A6F9D6}" => Key deleted successfully.
C:\Windows\System32\Tasks\AutoKMS not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => Key deleted successfully.

=========  dir C:\cf77466 /s =========

 Volume in drive C has no label.
 Volume Serial Number is 988A-B2B0

 Directory of C:\cf77466

01/28/2015  06:06 PM           275,456 cf77466.exe
               1 File(s)        275,456 bytes

     Total Files Listed:
               1 File(s)        275,456 bytes
               0 Dir(s)  22,731,517,952 bytes free

========= End of CMD: =========

=========  dir C:\zzzz /s =========

 Volume in drive C has no label.
 Volume Serial Number is 988A-B2B0
File Not Found

========= End of CMD: =========

==== End of Fixlog 10:33:56 ====

 

 




#10 Oh My!


Posted 04 February 2015 - 11:20 PM

Thank you.
  • Right click on Search.txt, click Rename and rename the file fixlist.txt.
  • Open fixlist.txt and delete the below quoted information from the file (everything but the last line is at the top and the last line is at the bottom) and save it as fixlist.txt.
  • Launch FRST then click Fix.
  • Zip and attach the file to your reply.
  • Type *decrypt* in the search field and click Search File(s). Copy and paste the contents of the Search.txt file in your reply.

Farbar Recovery Scan Tool (x64) Version: 01-02-2015
Ran by VRJ at 2015-02-05 10:35:38
Running from D:\VRJ\Desktop
Boot Mode: Normal

================== Search Files: "*decrypt*" =============

====== End Of Search ======


Gary
 

#11 loveleeyoungae


Posted 04 February 2015 - 11:32 PM

Here are the logs...

 

 

Farbar Recovery Scan Tool (x64) Version: 01-02-2015
Ran by VRJ at 2015-02-05 11:30:02
Running from D:\VRJ\Desktop
Boot Mode: Normal

================== Search Files: "*decrypt*" =============

C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
[][] 0000000 _____ ()

C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
[][] 0000000 _____ ()

C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
[][] 0000000 _____ ()

C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
[][] 0000000 _____ ()

C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
[][] 0000000 _____ ()

C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
[][] 0000000 _____ ()

C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
[][] 0000000 _____ ()

C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
[][] 0000000 _____ ()

C:\FRST\Quarantine\C\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Vision5\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Vision5\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Vision5\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Vision5\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Vision5\Training\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Vision5\Training\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Vision5\Training\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Vision5\Training\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Vision5\Settings\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\8.0\Stamps\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\8.0\Stamps\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\8.0\Stamps\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\8.0\Stamps\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\idb\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\idb\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\idb\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\idb\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\idb\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\idb\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\idb\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\idb\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\idb\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\idb\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\idb\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\idb\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\submitted\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\submitted\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\submitted\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\submitted\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Word\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Word\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Word\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Word\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Word\STARTUP\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Word\STARTUP\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Word\STARTUP\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Word\STARTUP\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Templates\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Templates\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Templates\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Templates\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\XLSTART\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\XLSTART\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\XLSTART\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\XLSTART\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\BUSTRIPALLO304219603422352207\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\BUSTRIPALLO304219603422352207\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\BUSTRIPALLO304219603422352207\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Excel\BUSTRIPALLO304219603422352207\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\1033\14\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\1033\14\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\1033\14\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\Document Building Blocks\1033\14\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\AddIns\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\AddIns\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\AddIns\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Microsoft\AddIns\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\IDM\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\IDM\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\IDM\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\IDM\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\FileZilla\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\FileZilla\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\FileZilla\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\FileZilla\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\FileOpen\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\FileOpen\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\FileOpen\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\FileOpen\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\DMCache\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\DMCache\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\DMCache\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\DMCache\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\AssetCache\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\AssetCache\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\AssetCache\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\AssetCache\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\AssetCache\M2X5U98T\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\AssetCache\M2X5U98T\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\AssetCache\M2X5U98T\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\Application Data\Adobe\Flash Player\AssetCache\M2X5U98T\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\AppData\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\AppData\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\AppData\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\AppData\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:13][2015-01-20 09:13] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\AppData\LocalLow\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\AppData\LocalLow\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\AppData\LocalLow\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Users\VRJ\AppData\LocalLow\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Users\VRJ\AppData\LocalLow\Sun\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Users\VRJ\AppData\LocalLow\Sun\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:12][2015-01-20 09:12] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Users\VRJ\AppData\LocalLow\Sun\HELP_DECRYPT.TXT.xBAD

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6359\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6359\OEM\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6359\OEM\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6359\OEM\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6359\OEM\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6359\OEM\Dell\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6359\OEM\Dell\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6359\OEM\Dell\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6359\OEM\Dell\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\OEM\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\OEM\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\OEM\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\OEM\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\OEM\Dell\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\OEM\Dell\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\OEM\Dell\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\Drivers\Audio\Sigmatel(IDT)\IDT\Dell_6341\OEM\Dell\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\FRST\Quarantine\C\$Recycle.Bin\HELP_DECRYPT.HTML.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0008542 ____A () 74982F821A5A4439785E75EAC7DE96C8

C:\FRST\Quarantine\C\$Recycle.Bin\HELP_DECRYPT.PNG.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0045507 ____A () FC5AC5F2D636802A019732FDC20989B7

C:\FRST\Quarantine\C\$Recycle.Bin\HELP_DECRYPT.TXT.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0004214 ____A () 976120DAF09DC250B6354E028A5F6E6E

C:\FRST\Quarantine\C\$Recycle.Bin\HELP_DECRYPT.URL.xBAD
[2015-01-20 09:10][2015-01-20 09:10] 0000272 ____A () E1D7F1F690E8EBD4DFB079A523BB063B

C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
[2015-01-20 09:10][2015-01-20 09:10] 0000000 _____ ()

C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
[2015-01-20 09:10][2015-01-20 09:10] 0000000 _____ ()

C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
[2015-01-20 09:10][2015-01-20 09:10] 0000000 _____ ()

C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
[2015-01-20 09:10][2015-01-20 09:10] 0000000 _____ ()

C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
[2015-01-20 09:10][2015-01-20 09:10] 0000000 _____ ()

C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
[2015-01-20 09:10][2015-01-20 09:10] 0000000 _____ ()

C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
[2015-01-20 09:10][2015-01-20 09:10] 0000000 _____ ()

C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
[2015-01-20 09:10][2015-01-20 09:10] 0000000 _____ ()

====== End Of Search ======



#12 Oh My!


Posted 04 February 2015 - 11:36 PM

Thank you, and finally (hopefully) this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#13 loveleeyoungae


Posted 05 February 2015 - 01:57 AM

It turned out that FRST seemed not to be able to parse the Unicode-named paths. So I deleted those files manually.

I paste the fixlog here fyi:

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by VRJ at 2015-02-05 13:52:48 Run:3
Running from D:\VRJ\Desktop
Loaded Profiles: VRJ (Available profiles: VRJ)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML
C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG
C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT
C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL
*****************

"C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Documents and Settings\VRJ\Application Data\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.HTML" => File/Directory not found.
"C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.PNG" => File/Directory not found.
"C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Documents and Settings\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL" => File/Directory not found.

==== End of Fixlog 13:52:48 ====
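
A triage of the Fixlog result lines above, as an added example that is not part of the original post and not FRST's own code: it separates "not found" entries whose path contains a character Windows never allows in a file name (here the `?` left where a non-ASCII letter was lost) from entries that were simply absent. The function names are hypothetical, and the last two sample lines, including the "Moved successfully." wording, are constructed for illustration.

```python
import re

# Characters the Win32 API never allows inside a single file or directory name.
# A "?" inside a logged path component therefore cannot be part of the real
# name: it marks a character that was lost when the path was written out in a
# non-Unicode encoding, so a fix entry built from that text can never match.
ILLEGAL_IN_COMPONENT = set('<>:"|?*')

# Result lines have the shape:  "<path>" => <result text>
RESULT_RE = re.compile(r'^"(?P<path>[^"]+)" => (?P<result>.+?)\s*$', re.MULTILINE)

# First two result lines are taken from the Fixlog in the post above.
# The last two are constructed sample lines (assumed paths and wording).
SAMPLE_FIXLOG = r'''
"C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\VRJ\AppData\Roaming\Microsoft\Excel\Công%20n?%20VRJ%2031.12.2014304211592052810076\HELP_DECRYPT.URL" => File/Directory not found.
"C:\Users\Example\Documents\HELP_DECRYPT.TXT" => File/Directory not found.
"C:\Users\Example\Desktop\HELP_DECRYPT.PNG" => Moved successfully.
'''


def parse_fixlog(text):
    """Return (path, result) pairs for every quoted result line in a Fixlog."""
    return [(m.group("path"), m.group("result")) for m in RESULT_RE.finditer(text)]


def lossy_components(path):
    """Return the path components that contain a character illegal in a name."""
    parts = path.split("\\")
    # The drive specifier ("C:") legitimately contains a colon, so skip it.
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    return [p for p in parts if ILLEGAL_IN_COMPONENT & set(p)]


def triage(fixlog_text):
    """Group Fixlog entries by what the analyst should do next.

    unmatchable: reported not found AND the path text is damaged, so the file
                 may still exist under its real Unicode name.
    not_found:   reported not found with a well-formed path, so the file is
                 gone already or the path was wrong for another reason.
    handled:     any other result text.
    """
    report = {"unmatchable": [], "not_found": [], "handled": []}
    for path, result in parse_fixlog(fixlog_text):
        if "not found" in result.lower():
            key = "unmatchable" if lossy_components(path) else "not_found"
        else:
            key = "handled"
        report[key].append(path)
    return report


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_FIXLOG).items():
        print(f"{category}: {len(paths)}")
        for p in paths:
            damaged = lossy_components(p)
            note = f"  (damaged component: {damaged[0]})" if damaged else ""
            print(f"  {p}{note}")
```

Entries reported as unmatchable are the ones to re-check on disk under their real names, since "not found" for them says nothing about whether the file is still there.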



#14 Oh My!


Posted 05 February 2015 - 09:24 AM

Thanks for adapting. :thumbsup2:

Please do this now.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click Run ESET Online Scanner.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Click Enable detection of potentially unwanted applications
  • Accept any security warnings from your browser.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Check Uninstall application on close and Delete quarantined files
  • Click the Finish button.
  • Close the ESET window and reboot your computer
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message, attempt to run the program in Safe Mode
  • Press any key to start the program
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 

#15 loveleeyoungae


Posted 05 February 2015 - 10:18 PM

My computer is running fine. I don't notice anything strange.

 

*********************ESET Log*****************************

C:\cf77466\cf77466.exe a variant of Win32/Kryptik.CVQJ trojan 
C:\Documents and Settings\All Users\Application Data\RogueKiller\Quarantine\62E97FE91A694BEA.vir a variant of Win32/Kryptik.CVQJ trojan 
C:\Documents and Settings\All Users\RogueKiller\Quarantine\62E97FE91A694BEA.vir a variant of Win32/Kryptik.CVQJ trojan 
C:\Documents and Settings\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\extensions\{E0B509E9-86D3-844B-6418-712DFEF88F3C}\components\HTMLfilter.js Win32/Boaxxe.BU trojan 
C:\Documents and Settings\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\extensions\{E0B509E9-86D3-844B-6418-712DFEF88F3C}\components\HTMLfilter.js Win32/Boaxxe.BU trojan 
C:\FRST\Quarantine\C\Users\VRJ\AppData\Local\Temp\FMT_update.exe.xBAD Win32/InstallMonetizer.AF potentially unwanted application 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\submitted\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Crash Reports\submitted\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\idb\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\chrome\idb\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\idb\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\https+++drive.google.com\idb\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\idb\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\storage\persistent\moz-safe-about+home\idb\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\8.0\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\8.0\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\8.0\Stamps\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro\Pro\8.0\Stamps\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro PDF\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro PDF\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro PDF\Professional\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Nitro PDF\Professional\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Notepad++\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Notepad++\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Notepad++\plugins\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Notepad++\plugins\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Notepad++\plugins\Config\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\Notepad++\plugins\Config\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\TeamViewer\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\TeamViewer\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\VisionLasata\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\VisionLasata\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\VisionLasata\SunSys\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\VisionLasata\SunSys\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\VisionLasata\SunSys\Settings\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Application Data\VisionLasata\SunSys\Settings\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\databases\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\databases\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\ext\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\ext\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\ext\chrome-signin\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\ext\chrome-signin\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\ext\chrome-signin\def\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\ext\chrome-signin\def\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\ext\chrome-signin\def\databases\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Google\Chrome\User Data\Default\Storage\ext\chrome-signin\def\databases\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Device Metadata\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Device Metadata\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Internet Explorer\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Internet Explorer\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Media Player\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Media Player\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Media Player\Art Cache\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Media Player\Art Cache\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Media Player\Art Cache\LocalMLS\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Media Player\Art Cache\LocalMLS\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Office\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Office\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Office\UnsavedFiles\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Office\UnsavedFiles\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Outlook\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Outlook\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Mail\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Mail\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Mail\Backup\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Mail\Backup\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Mail\Backup\new\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Mail\Backup\new\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Mail\Stationery\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Mail\Stationery\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Media\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Media\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Media\12.0\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Microsoft\Windows Media\12.0\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\Firefox\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\Firefox\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\Firefox\Profiles\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\Firefox\Profiles\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\Firefox\Profiles\lh9eqgi9.default\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\Firefox\Profiles\lh9eqgi9.default\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\Firefox\Profiles\lh9eqgi9.default\OfflineCache\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Users\VRJ\Local Settings\Mozilla\Firefox\Profiles\lh9eqgi9.default\OfflineCache\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Demo\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Demo\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Demo\Exec\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Demo\Exec\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Demo\XL Sun4\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Demo\XL Sun4\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Demo\XL Sun5\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Demo\XL Sun5\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Settings\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Settings\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Training\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan 
C:\FRST\Quarantine\C\Vision5\Training\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan 
C:\ProgramData\RogueKiller\Quarantine\62E97FE91A694BEA.vir a variant of Win32/Kryptik.CVQJ trojan 
C:\TDSSKiller_Quarantine\20.01.2015_09.44.55\necurs0000\svc0000\tsk0000.dta a variant of Win64/Rootkit.Kryptik.AG trojan 
C:\TDSSKiller_Quarantine\20.01.2015_10.04.54\uds0000\svc0000\tsk0000.dta a variant of Win32/Kryptik.CTIP trojan 
C:\TDSSKiller_Quarantine\20.01.2015_10.04.54\uds0001\file0000\tsk0000.dta Win32/Boaxxe.BR trojan 
C:\TDSSKiller_Quarantine\20.01.2015_10.04.54\uds0002\file0000\tsk0000.dta a variant of Win32/Kryptik.CVQJ trojan 
C:\TDSSKiller_Quarantine\20.01.2015_10.04.54\uds0003\file0000\tsk0000.dta a variant of Win32/Kryptik.CVQJ trojan 
C:\TDSSKiller_Quarantine\29.01.2015_15.24.21\necurs0000\svc0000\tsk0000.dta a variant of Win64/Rootkit.Kryptik.AJ trojan 
C:\TDSSKiller_Quarantine\29.01.2015_19.12.19\susp0000\file0000\tsk0000.dta a variant of Win32/Kryptik.CVQJ trojan 
C:\TDSSKiller_Quarantine\29.01.2015_19.12.19\susp0001\file0000\tsk0000.dta a variant of Win32/Kryptik.CVQJ trojan 
C:\Users\All Users\Application Data\RogueKiller\Quarantine\62E97FE91A694BEA.vir a variant of Win32/Kryptik.CVQJ trojan 
C:\Users\All Users\RogueKiller\Quarantine\62E97FE91A694BEA.vir a variant of Win32/Kryptik.CVQJ trojan 
C:\Users\VRJ\AppData\Roaming\Mozilla\Firefox\Profiles\lh9eqgi9.default\extensions\{E0B509E9-86D3-844B-6418-712DFEF88F3C}\components\HTMLfilter.js Win32/Boaxxe.BU trojan 
C:\Users\VRJ\Application Data\Mozilla\Firefox\Profiles\lh9eqgi9.default\extensions\{E0B509E9-86D3-844B-6418-712DFEF88F3C}\components\HTMLfilter.js Win32/Boaxxe.BU trojan 
C:\Windows\Temp\1206196672.bat BAT/Small.NAN trojan 
C:\Windows\Temp\140510.exe a variant of Win32/Injector.BTEB trojan 
C:\Windows\Temp\146999.exe a variant of Win32/Injector.BTEB trojan 
C:\Windows\Temp\155127.exe a variant of Win32/Injector.BTEB trojan 
C:\Windows\Temp\156890.exe a variant of Win32/Injector.BTEB trojan 
C:\Windows\Temp\158843119.exe Win32/Boaxxe.BR trojan 
D:\GEGeek Toolkit\AV Uninstallers\AV Uninstall Tools\Tools\ZoneAlarm Removal Tool\Secruity toolbar uninstaller\Uninstaller.exe Win32/Toolbar.Conduit potentially unwanted application 
D:\GEGeek Toolkit\Windows Updates\AllMyApps\Allmyapps_TSV46Y6BY.exe a variant of Win32/ClientConnect.A potentially unwanted application 
D:\VRJ\Downloads\FileZilla_3.7.1.1_win32-setup.exe a variant of Win32/InstallCore.VW potentially unwanted application 
E:\$RECYCLE.BIN\S-1-5-21-2894121479-214908594-1536770163-1000\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan 
E:\$RECYCLE.BIN\S-1-5-21-2894121479-214908594-1536770163-1000\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan 

 

 

*************************Security Check log****************************

 Results of screen317's Security Check version 0.99.96 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled! 
 Windows Firewall Disabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 45 
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31 
  Adobe Flash Player 11.7.700.224 Flash Player out of Date! 
 Mozilla Firefox 31.0 Firefox out of Date! 
 Google Chrome 39.0.2171.99 Google Chrome out of date! 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

 





