Crypto/Ransomware attack


  • This topic is locked
9 replies to this topic

#1 ElectronZA


Posted 10 February 2015 - 12:34 AM

Hi All

I have a Server 2003 machine that has been attacked by what appears to be a new variant of encryption ransomware. I have searched the forum; there are 1 or 2 other similar reports but nothing conclusive. I have run Kaspersky Virus Removal Tool (which did not find anything) and Malwarebytes, which found some registry entries. I have attached the Malwarebytes log. I have run FRST and attached the log files as well.

 

All data files in local and mapped drives have been encrypted and renamed starting with error_

Every folder has a text file READ_ME.TXT and some have a READ__ME.TXT (extra _)

Upon login a READ_ME.TXT message is displayed. We have restored data from backup and disconnected this server from the network. It is not being rebuilt, however, if this infection/hack is of interest I will work with you as it may be useful for others that have the same problem.

We suspect that the server was hacked directly as there were regular logon attempts every 5 seconds for at least a day with different usernames and passwords. The server was unfortunately exposed to the internet on port 3389. This vulnerability was pointed out previously but ignored.

 

The message in the text file is below (I have renamed the email address and unique identifier in the message to xxxxx)

 

Hello people. Your files were encrypted by RSA1024 and AES256 (two strong algo)

Encrypted files now starting with _error

Only we can decrypt your files (becouse only we have your unique private RSA key)

But dont worry, you can buy our program, that will restore all your files

For buying this program you need send us your Personal_ID on xxxxx@ruggedinbox.com

After that we will send you instructions of payment

Also you can attach to letter one small file (100..300 kb or smaller) and we will decrypt it.

 

If we didnt answer you more than 1 day, it means that we didnt get your letter (For example letters from @outlook.com to @ruggedinbox.com are blocked).

So, register your e-mail on www.ruggedinbox.com (it is very simple and takes 1-2 minutes) and send your letter again.

And be faster. After 3 weeks we will not answer you.

Your Personal_ID: xxxxxx

 

Malwarebytes log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 03/02/2015
Scan Time: 05:03:33 PM
Logfile: hijack.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.03.05
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Server 2003 Service Pack 2
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 871953
Time Elapsed: 1 hr, 9 min, 30 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 35
PUM.Hijack.Run, HKU\S-1-5-21-3309001590-4249468244-678730067-1140-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun, 1, Good: (0), Bad: (1),,[d83915056624ab8bce5be4c749bc2cd4]
PUM.Hijack.ExpNoClose, HKU\S-1-5-21-3309001590-4249468244-678730067-1140-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoClose, 1, Good: (0), Bad: (1),,[db363fdb3852d95df5754768da2b3dc3]
PUM.Hijack.StartMenu, HKU\S-1-5-21-3309001590-4249468244-678730067-1140-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoStartMenuMorePrograms, 1, Good: (0), Bad: (1),,[80911efc3258d066180506a6a95cab55]
PUM.Hijack.Explorer, HKU\S-1-5-21-3309001590-4249468244-678730067-1140-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSetFolders, 1, Good: (0), Bad: (1),,[987945d55931c4723bb5f3b6c243b54b]
PUM.Hijack.Find, HKU\S-1-5-21-3309001590-4249468244-678730067-1140-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFind, 1, Good: (0), Bad: (1),,[a170190182088da922a38f1b7194b34d]
PUM.Hijack.Help, HKU\S-1-5-21-3309001590-4249468244-678730067-1140-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp, 1, Good: (0), Bad: (1),,[25ec66b4ef9b1c1af7d149610005ca36]
PUM.Hijack.DisplayProperties, HKU\S-1-5-21-3309001590-4249468244-678730067-1140-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispCPL, 1, Good: (0), Bad: (1),,[cf42db3fe0aa0c2aa109fcae85805aa6]
PUM.Hijack.Run, HKU\S-1-5-21-3309001590-4249468244-678730067-1610-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun, 1, Good: (0), Bad: (1),,[3ad7f228d4b64beb77b2ecbf030227d9]
PUM.Hijack.ExpNoClose, HKU\S-1-5-21-3309001590-4249468244-678730067-1610-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoClose, 1, Good: (0), Bad: (1),,[5db470aad5b5b680b4b62d82af56629e]
PUM.Hijack.StartMenu, HKU\S-1-5-21-3309001590-4249468244-678730067-1610-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoStartMenuMorePrograms, 1, Good: (0), Bad: (1),,[b958d4460b7f59dd79a459536b9ace32]
PUM.Hijack.Explorer, HKU\S-1-5-21-3309001590-4249468244-678730067-1610-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSetFolders, 1, Good: (0), Bad: (1),,[9a7742d8cbbf6bcb12de1990759006fa]
PUM.Hijack.Find, HKU\S-1-5-21-3309001590-4249468244-678730067-1610-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFind, 1, Good: (0), Bad: (1),,[22efc6549ded84b2b90cfdadc243738d]
PUM.Hijack.Help, HKU\S-1-5-21-3309001590-4249468244-678730067-1610-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp, 1, Good: (0), Bad: (1),,[45cc3ddd810901355375901a53b24db3]
PUM.Hijack.DisplayProperties, HKU\S-1-5-21-3309001590-4249468244-678730067-1610-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispCPL, 1, Good: (0), Bad: (1),,[0b065bbf1971f83e189247637d883cc4]
PUM.Hijack.Run, HKU\S-1-5-21-3309001590-4249468244-678730067-1611-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun, 1, Good: (0), Bad: (1),,[68a9e1392763ff37ff2ab9f2c2436b95]
PUM.Hijack.ExpNoClose, HKU\S-1-5-21-3309001590-4249468244-678730067-1611-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoClose, 1, Good: (0), Bad: (1),,[00110317c8c262d45d0deec1c045dd23]
PUM.Hijack.StartMenu, HKU\S-1-5-21-3309001590-4249468244-678730067-1611-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoStartMenuMorePrograms, 1, Good: (0), Bad: (1),,[f918f2283b4ff73f8f8ed4d8fe0726da]
PUM.Hijack.Explorer, HKU\S-1-5-21-3309001590-4249468244-678730067-1611-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSetFolders, 1, Good: (0), Bad: (1),,[f81918027b0fb68057995752a75ed42c]
PUM.Hijack.Find, HKU\S-1-5-21-3309001590-4249468244-678730067-1611-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFind, 1, Good: (0), Bad: (1),,[5ab7dd3d325843f3c20394166b9af30d]
PUM.Hijack.Help, HKU\S-1-5-21-3309001590-4249468244-678730067-1611-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp, 1, Good: (0), Bad: (1),,[060bf822800aec4a3b8d2585f70e758b]
PUM.Hijack.DisplayProperties, HKU\S-1-5-21-3309001590-4249468244-678730067-1611-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispCPL, 1, Good: (0), Bad: (1),,[8b86c8521f6bf2441991298154b17090]
PUM.Hijack.Run, HKU\S-1-5-21-3309001590-4249468244-678730067-1612-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun, 1, Good: (0), Bad: (1),,[d63b8b8ffc8e3ff79e8bfbb0749145bb]
PUM.Hijack.ExpNoClose, HKU\S-1-5-21-3309001590-4249468244-678730067-1612-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoClose, 1, Good: (0), Bad: (1),,[d23f1a00404a999db6b41d92a46154ac]
PUM.Hijack.StartMenu, HKU\S-1-5-21-3309001590-4249468244-678730067-1612-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoStartMenuMorePrograms, 1, Good: (0), Bad: (1),,[5ab7100abdcd6dc93ae3e2cae61f8a76]
PUM.Hijack.Explorer, HKU\S-1-5-21-3309001590-4249468244-678730067-1612-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSetFolders, 1, Good: (0), Bad: (1),,[f61bf1298efccd69b73953565ca908f8]
PUM.Hijack.Find, HKU\S-1-5-21-3309001590-4249468244-678730067-1612-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFind, 1, Good: (0), Bad: (1),,[3bd6f2283f4b41f5477e2189ae577c84]
PUM.Hijack.Help, HKU\S-1-5-21-3309001590-4249468244-678730067-1612-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp, 1, Good: (0), Bad: (1),,[be530119f8923ff7bd0bb5f5ac599c64]
PUM.Hijack.DisplayProperties, HKU\S-1-5-21-3309001590-4249468244-678730067-1612-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispCPL, 1, Good: (0), Bad: (1),,[58b973a7a1e96ec8406a644616ef649c]
PUM.Hijack.Run, HKU\S-1-5-21-3309001590-4249468244-678730067-1613-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun, 1, Good: (0), Bad: (1),,[6ea384960486bc7a2603e2c936cfaa56]
PUM.Hijack.ExpNoClose, HKU\S-1-5-21-3309001590-4249468244-678730067-1613-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoClose, 1, Good: (0), Bad: (1),,[a66b41d9d3b7dc5acd9d1d9228dd7b85]
PUM.Hijack.StartMenu, HKU\S-1-5-21-3309001590-4249468244-678730067-1613-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoStartMenuMorePrograms, 1, Good: (0), Bad: (1),,[7b96a476503aa19529f439738382946c]
PUM.Hijack.Explorer, HKU\S-1-5-21-3309001590-4249468244-678730067-1613-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSetFolders, 1, Good: (0), Bad: (1),,[e72a8e8c6e1c6bcbca262e7b93728d73]
PUM.Hijack.Find, HKU\S-1-5-21-3309001590-4249468244-678730067-1613-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFind, 1, Good: (0), Bad: (1),,[91802af093f7a690f6cfe5c537ce926e]
PUM.Hijack.Help, HKU\S-1-5-21-3309001590-4249468244-678730067-1613-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp, 1, Good: (0), Bad: (1),,[7e938b8fc3c7de588e3a0f9bdc29f50b]
PUM.Hijack.DisplayProperties, HKU\S-1-5-21-3309001590-4249468244-678730067-1613-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispCPL, 1, Good: (0), Bad: (1),,[51c031e96129d165d8d28822ca3bac54]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 


Edited by hamluis, 10 February 2015 - 07:08 AM.
Moved from AII to MRL - Hamluis.
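
The logon pattern reported in the post above (a failed logon every few seconds, for hours, cycling through usernames) can be checked for in exported logon-failure events. This is an added example, not part of the original post: the CSV layout, the thresholds and the sample events are constructed assumptions. Event ID 529 is the Server 2003 "unknown user name or bad password" failure and logon type 10 is RemoteInteractive (Terminal Services).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample():
    """Constructed sample events, one per line:
    timestamp,event_id,logon_type,user,source_address
    (a simplified layout assumed for this example, not a real export format)."""
    lines = []
    names = ["admin", "administrator", "user", "test",
             "backup", "scanner", "sql", "guest"]
    start = datetime(2015, 2, 2, 0, 0, 0)
    # Scripted guessing: one failure every 5 seconds for two hours,
    # a different username on each attempt, all from one address.
    for i in range(1440):
        ts = start + timedelta(seconds=5 * i)
        user = f"{names[i % len(names)]}{i // len(names)}"
        lines.append(f"{ts.isoformat()},529,10,{user},203.0.113.7")
    # A legitimate user mistyping a password three times, then succeeding.
    base = datetime(2015, 2, 2, 8, 30, 0)
    for offset in (0, 40, 95):
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()},529,10,User4,192.0.2.15")
    lines.append("2015-02-02T08:32:00,528,10,User4,192.0.2.15")
    return lines


def find_bruteforce(lines, min_attempts=100, min_users=10, max_median_gap=15.0):
    """Return one finding per source address whose failed remote logons look
    scripted: many attempts, many distinct usernames, short regular gaps.
    The three thresholds are assumptions to tune per environment."""
    by_source = defaultdict(list)
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing the whole run
        ts, event_id, logon_type, user, source = parts
        if event_id != "529" or logon_type != "10":
            continue  # only failed RemoteInteractive logons are of interest
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        by_source[source].append((when, user.lower()))

    findings = []
    for source, events in by_source.items():
        if len(events) < min_attempts:
            continue
        events.sort()
        users = {user for _, user in events}
        gaps = [(b[0] - a[0]).total_seconds()
                for a, b in zip(events, events[1:])]
        median_gap = median(gaps)
        if len(users) >= min_users and median_gap <= max_median_gap:
            findings.append({
                "source": source,
                "attempts": len(events),
                "distinct_users": len(users),
                "median_gap_s": median_gap,
                "duration_s": (events[-1][0] - events[0][0]).total_seconds(),
                "first_seen": events[0][0].isoformat(),
                "last_seen": events[-1][0].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_bruteforce(build_sample()):
        print(finding)
```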




#2 ElectronZA


Posted 10 February 2015 - 12:35 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-02-2015
Ran by Administrator (administrator) on TERMSERV on 04-02-2015 14:04:56
Running from C:\Backup
Loaded Profiles: Administrator (Available profiles: User1 & User2 & User3 & User4 & User5 & User6 & User7 & User8 & User9 & User10 & User11 & User12 & Administrator)
Platform: Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SunJavaUpdateSched] => "C:\Program Files\Java\jre6\bin\jusched.exe"
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [Act.Outlook.Service] => C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe [28672 2011-08-18] (Sage Software, Inc.)
HKLM\...\Run: [Act! Preloader] => C:\Program Files\ACT\Act for Windows\ActSage.exe [337224 2011-08-18] (Sage Software, Inc.)
Winlogon\Notify\SEP: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll [X]
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKLM\...\Command Processor:  <======= ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-21-3309001590-4249468244-678730067-500\...\Run: [] => [X]
HKU\S-1-5-21-3309001590-4249468244-678730067-500\...\Run: [Pastel IronTree SE] => C:\Program Files\Pastel IronTree SE\SERunner.exe [1232384 2009-11-06] (Attix5)
HKU\S-1-5-21-3309001590-4249468244-678730067-500\...\Run: [Payroll Notification Service] => C:\Documents and Settings\Administrator\Local Settings\Application Data\Sage Connected Services\SageCSClient.exe [960600 2014-06-02] (Sage South Africa (Pty) Ltd)
HKU\S-1-5-21-3309001590-4249468244-678730067-500\...\MountPoints2: ##Datasrv#D - D:\Autorun.exe
HKU\S-1-5-18\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [Pastel IronTree SE] => C:\Program Files\Pastel IronTree SE\SERunner.exe [1232384 2009-11-06] (Attix5)
HKU\S-1-5-18\...\Run: [Payroll Notification Service] => C:\Documents and Settings\Administrator\Local Settings\Application Data\Sage Connected Services\SageCSClient.exe [960600 2014-06-02] (Sage South Africa (Pty) Ltd)
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2007-02-18] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [] => [X]
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User7\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dyn Updater Tray Icon.lnk
ShortcutTarget: Dyn Updater Tray Icon.lnk -> C:\Program Files\DynDNS Updater\DynTray.exe (Dyn, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk
ShortcutTarget: Pervasive.SQL Workgroup Engine.lnk -> C:\PVSW\bin\w3dbsmgr.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sage ACT! Integration.lnk
ShortcutTarget: Sage ACT! Integration.lnk -> C:\Program Files\ACT\Act for Windows\Sage.ACT.Integration.exe (Sage Software, Inc)
Startup: C:\Documents and Settings\User1\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User11\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User8\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\User8\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User9\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User10\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User5\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User6\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User12\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User3\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\User3\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User2\Start Menu\Programs\Startup\READ_ME.txt ()
Startup: C:\Documents and Settings\User4\Start Menu\Programs\Startup\READ_ME.txt ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3309001590-4249468244-678730067-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile -> {D5233FCD-D258-4903-89B8-FB1568E7413D} -> C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{84AD0A95-AD65-4A9A-9E27-D162711A182C}: [NameServer] 192.168.0.2,196.14.239.2,196.25.1.11

FireFox:
========
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010-03-05]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-05-10]
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFF
FF Extension: Symantec Intrusion Prevention - C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFF [2013-10-03]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 ActService; C:\Program Files\ACT\Act for Windows\Act.Server.Host.exe [18432 2011-08-18] (Microsoft) [File not signed]
S2 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2007-02-18] (Microsoft Corporation)
S2 Dyn Updater; C:\Program Files\DynDNS Updater\DynUpSvc.exe [95608 2011-11-15] (Dyn, Inc.)
S2 IronTreeSE; C:\Program Files\Pastel IronTree SE\a5backup.exe [163840 2010-03-02] (Attix5 Development (Pty) Ltd) [File not signed]
S2 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2007-02-18] (Microsoft Corporation)
S2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2010-04-12] (Sun Microsystems, Inc.)
S2 kdc; C:\WINDOWS\System32\lsass.exe [13312 2007-02-18] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)
S2 MSSQL$ACT7; C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\sqlservr.exe [42884448 2010-05-06] (Microsoft Corporation)
S2 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2007-02-18] (Microsoft Corporation)
S2 Pervasive.SQL (relational); C:\PVSW\BIN\W3SQLMGR.EXE [34384 2007-04-15] (Pervasive Software Inc.)
S2 PSI_SVC_2; C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [251832 2010-12-03] (arvato digital services llc)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2007-02-18] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2007-02-18] (Microsoft Corporation)
S2 Sage ACT! Scheduler; C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe [81920 2011-08-18] (Sage Software, Inc.) [File not signed]
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [137224 2011-06-15] (Symantec Corporation)
R3 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe [1664744 2011-06-18] (Symantec Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe [280496 2011-06-18] (Symantec Corporation)
S4 SQLAgent$ACT7; C:\Program Files\Microsoft SQL Server\MSSQL10_50.ACT7\MSSQL\Binn\SQLAGENT.EXE [367456 2010-05-06] (Microsoft Corporation)
S2 TermServLicensing; C:\WINDOWS\system32\lserver.exe [349696 2007-02-18] (Microsoft Corporation)
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2007-02-18] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2007-02-18] (Microsoft Corporation)
S2 upsMonitor; C:\Program Files\ViewPower2.11\upsMonitor.exe [116224 2013-09-18] (Acresso) [File not signed]
S3 upsTomcat; C:\Program Files\ViewPower2.11\tomcat\bin\tomcat6.exe [57344 2011-04-15] (Apache Software Foundation) [File not signed]
R2 Eventlog;  [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20150106.011\BHDrvx86.sys [1137368 2014-09-13] (Symantec Corporation)
S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2007-02-18] (Microsoft Corporation)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2007-02-18] (Microsoft Corporation)
R3 E1000; C:\WINDOWS\System32\DRIVERS\e1000325.sys [171416 2007-03-25] (Intel Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-12-11] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-11] (Symantec Corporation)
R3 IBSMUTIL; C:\WINDOWS\System32\DRIVERS\IBSMUTIL.sys [31232 2013-08-16] (Intel Corporation)
S3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20150130.001\IDSxpx86.sys [453264 2014-11-18] (Symantec Corporation)
R2 imbdrv; C:\WINDOWS\System32\drivers\imbdrv.sys [42496 2013-08-16] (Intel Corporation)
R3 int0800; C:\WINDOWS\System32\DRIVERS\flashud.sys [42496 2013-08-16] (Intel Corporation)
S3 NAVENG; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20150202.002\NAVENG.SYS [95704 2015-01-28] (Symantec Corporation)
S3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20150202.002\NAVEX15.SYS [1636696 2015-01-28] (Symantec Corporation)
S4 RsFx0150; C:\WINDOWS\System32\DRIVERS\RsFx0150.sys [240608 2010-04-03] (Microsoft Corporation)
S1 SRTSP; C:\WINDOWS\System32\Drivers\SEP\0C01029F\136B.105\x86\SRTSP.SYS [516216 2011-05-28] (Symantec Corporation)
S1 SRTSPX; C:\WINDOWS\System32\Drivers\SEP\0C01029F\136B.105\x86\SRTSPX.SYS [50168 2011-05-28] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SyDvCtrl32.sys [23984 2011-06-18] (Symantec Corporation)
R0 SymDS; C:\WINDOWS\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMDS.SYS [340088 2011-05-03] (Symantec Corporation)
R0 SymEFA; C:\WINDOWS\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMEFA.SYS [756856 2011-05-18] (Symantec Corporation)
S3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [127096 2012-05-11] (Symantec Corporation)
S1 SymIRON; C:\WINDOWS\System32\Drivers\SEP\0C01029F\136B.105\x86\Ironx86.SYS [136312 2011-05-11] (Symantec Corporation)
S1 SYMTDI; C:\WINDOWS\System32\Drivers\SEP\0C01029F\136B.105\x86\SYMTDI.SYS [369784 2011-04-21] (Symantec Corporation)
S1 SysPlant; C:\WINDOWS\System32\Drivers\SysPlant.sys [92080 2012-05-11] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer.sys [118960 2011-05-21] (Symantec Corporation)
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2007-02-18] (Microsoft Corporation)
S4 adpu320; No ImagePath
S4 afcnt; No ImagePath
S4 AmdIde; No ImagePath
S4 arc; No ImagePath
S4 cpqarry2; No ImagePath
S4 cpqcissm; No ImagePath
S4 cpqfcalm; No ImagePath
S4 dellcerc; No ImagePath
S4 elxstor; No ImagePath
S4 hpcisss; No ImagePath
S4 hpt3xx; No ImagePath
S4 iirsp; No ImagePath
S4 IntelIde; No ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; No ImagePath
U3 LicenseInfo; No ImagePath
S4 lp6nds35; No ImagePath
S4 nfrd960; No ImagePath
S4 ql2100; No ImagePath
S4 ql2200; No ImagePath
S4 ql2300; No ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-18] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2007-02-18] (Microsoft Corporation)
S4 symmpi; No ImagePath
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-04 14:04 - 2015-02-04 14:05 - 00000000 ____D () C:\FRST
2015-02-03 16:51 - 2015-02-03 16:55 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-03 16:03 - 2015-02-03 16:03 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-03 16:02 - 2015-02-03 16:03 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-02-03 16:02 - 2015-02-03 16:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-02-03 16:02 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-02-03 16:02 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-02-03 12:27 - 2015-02-03 12:28 - 00000000 ____D () C:\WINDOWS\LastGood
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\WINDOWS\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Program Files\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User4\Start Menu\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User4\Start Menu\Programs\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User4\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User4\My Documents\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User4\Local Settings\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User4\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User4\Desktop\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User4\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\NetworkService\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\NetworkService\Local Settings\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\NetworkService\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\NetworkService\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User2\Start Menu\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User2\Start Menu\Programs\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User2\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User2\My Documents\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User2\Local Settings\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User2\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User2\Desktop\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User2\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\LocalService\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\LocalService\Local Settings\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\LocalService\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User3\Start Menu\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User3\Start Menu\Programs\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User3\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User3\My Documents\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User3\Local Settings\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User3\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User3\Desktop\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User3\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\Default User\Start Menu\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\Default User\Start Menu\Programs\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\Default User\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\Default User\My Documents\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\Default User\Local Settings\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\Default User\Desktop\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\Default User\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User12\Start Menu\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User12\Start Menu\Programs\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User12\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User12\My Documents\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User12\Local Settings\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User12\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User12\Desktop\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User12\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User6\Start Menu\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User6\Start Menu\Programs\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User6\My Documents\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User6\Local Settings\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User6\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:47 - 2015-02-03 09:47 - 00000866 _____ () C:\Documents and Settings\User6\Desktop\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User6\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User6\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User5\Start Menu\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User5\Start Menu\Programs\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User5\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User5\My Documents\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User5\Local Settings\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User5\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User5\Desktop\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User5\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User10\Start Menu\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User10\Start Menu\Programs\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User10\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User10\My Documents\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User10\Local Settings\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User10\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User10\Desktop\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User10\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User9\Start Menu\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User9\Start Menu\Programs\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User9\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User9\My Documents\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User9\Local Settings\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User9\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User9\Desktop\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User9\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User8\Start Menu\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User8\Start Menu\Programs\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User8\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User8\My Documents\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User8\Local Settings\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User8\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User8\Desktop\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User8\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User11\Start Menu\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User11\Start Menu\Programs\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User11\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User11\My Documents\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User11\Local Settings\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User11\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User11\Desktop\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User11\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User1\Start Menu\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User1\Start Menu\Programs\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User1\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User1\My Documents\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User1\Local Settings\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User1\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User1\Desktop\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User1\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\All Users\Start Menu\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\All Users\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User7\Start Menu\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User7\Start Menu\Programs\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User7\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User7\My Documents\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User7\Local Settings\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User7\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User7\Desktop\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\User7\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\Administrator\Start Menu\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\Administrator\My Documents\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\Administrator\Local Settings\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\Administrator\Desktop\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 00000866 _____ () C:\Documents and Settings\ADMINI~1~HAN\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\Start Menu\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\My Documents\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\Local Settings\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\Desktop\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\Application Data\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\READ_ME.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 00000866 _____ () C:\Documents and Settings\Administrator\Application Data\READ_ME.txt
2015-02-03 09:43 - 2015-02-03 09:43 - 00068456 _____ () C:\Documents and Settings\User9\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-02-03 09:01 - 2015-02-03 09:47 - 00000000 ____D () C:\Documents and Settings\User2\Application Data\temp
2015-01-14 03:08 - 2015-01-14 03:08 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB3021674$
2015-01-14 03:01 - 2015-01-14 03:01 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB3020393$
2015-01-14 03:01 - 2015-01-14 03:01 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB3014029$
2015-01-14 03:00 - 2015-01-14 03:01 - 00004322 _____ () C:\WINDOWS\KB3019215.log
2015-01-14 03:00 - 2015-01-14 03:00 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB3019215$
2015-01-14 00:21 - 2015-01-14 03:08 - 00008441 _____ () C:\WINDOWS\KB3021674.log
2015-01-14 00:21 - 2015-01-14 03:02 - 00007818 _____ () C:\WINDOWS\KB3014029.log
2015-01-14 00:20 - 2015-01-14 03:01 - 00007878 _____ () C:\WINDOWS\KB3020393.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-04 14:06 - 2009-06-01 11:51 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-02-04 14:04 - 2010-03-04 20:36 - 00000000 ____D () C:\Backup
2015-02-03 12:45 - 2009-06-01 11:50 - 00001432 _____ () C:\WINDOWS\system32\config\netlogon.dnb
2015-02-03 12:45 - 2009-06-01 11:50 - 00001357 _____ () C:\WINDOWS\system32\config\netlogon.dns
2015-02-03 12:32 - 2009-06-01 11:44 - 00000000 ____D () C:\WINDOWS\NTDS
2015-02-03 12:29 - 2014-01-15 15:32 - 00524288 _____ () C:\WINDOWS\system32\config\SageCSClient.evt
2015-02-03 12:29 - 2009-06-03 10:43 - 00000000 ____D () C:\WINDOWS\system32\LServer
2015-02-03 12:29 - 2009-06-01 11:51 - 00000278 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2015-02-03 12:29 - 2009-06-01 11:45 - 00524288 _____ () C:\WINDOWS\system32\config\NTDS.Evt
2015-02-03 12:29 - 2009-06-01 11:33 - 00458752 _____ () C:\WINDOWS\system32\config\NtFrs.Evt
2015-02-03 12:29 - 2009-05-28 16:10 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-03 12:29 - 2009-05-28 16:04 - 01392851 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-03 12:28 - 2009-06-01 11:51 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-02-03 12:27 - 2013-07-11 05:19 - 00812706 _____ () C:\WINDOWS\setupapi.log
2015-02-03 12:27 - 2009-06-01 11:51 - 00000000 ____D () C:\Documents and Settings\Administrator\WINDOWS
2015-02-03 12:22 - 2011-10-13 12:20 - 00000000 ____D () C:\temp
2015-02-03 12:00 - 2010-03-04 20:51 - 00000894 _____ () C:\WINDOWS\Tasks\Pastel Backup.job
2015-02-03 11:49 - 2013-09-18 13:55 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-03 10:44 - 2009-05-28 17:30 - 00000000 ____D () C:\WINDOWS\security
2015-02-03 10:38 - 2009-06-01 11:49 - 00065536 _____ () C:\WINDOWS\NETLOGON.CHG
2015-02-03 10:27 - 2012-04-19 13:35 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-02-03 10:20 - 2010-10-20 16:30 - 00053568 _____ () C:\WINDOWS\pvsw.log
2015-02-03 10:19 - 2007-02-18 14:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-03 10:03 - 2014-05-19 11:25 - 00000558 _____ () C:\Documents and Settings\User7\Local Settings\Application Data\error_BICPartnerV12.log
2015-02-03 10:03 - 2014-05-19 11:24 - 00000000 ____D () C:\Documents and Settings\User7\WINDOWS
2015-02-03 10:03 - 2012-04-19 09:05 - 00000178 ___SH () C:\Documents and Settings\User2\ntuser.ini
2015-02-03 10:03 - 2009-06-01 11:57 - 00001374 ____H () C:\Documents and Settings\Administrator\My Documents\error_Default.rdp
2015-02-03 09:59 - 2013-01-28 11:44 - 00013502 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\error_BICPartnerV12.log
2015-02-03 09:59 - 2012-04-17 09:46 - 00003566 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\error_BICPartnerV11.log
2015-02-03 09:58 - 2012-09-08 10:14 - 00000000 ____D () C:\Binaries
2015-02-03 09:58 - 2010-10-21 15:57 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\TeamViewer
2015-02-03 09:58 - 2010-05-06 14:06 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\ACT
2015-02-03 09:47 - 2014-11-12 17:21 - 00000000 ____D () C:\Documents and Settings\User3\Local Settings\Application Data\Sage_South_Africa
2015-02-03 09:47 - 2014-11-12 13:12 - 00000000 ____D () C:\Pastel14
2015-02-03 09:47 - 2014-05-03 21:35 - 00000000 __SHD () C:\Documents and Settings\User2\PrivacIE
2015-02-03 09:47 - 2014-05-03 21:35 - 00000000 ____D () C:\Documents and Settings\User2\Application Data\Adobe
2015-02-03 09:47 - 2014-05-03 19:08 - 00000000 ____D () C:\Documents and Settings\User2\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:47 - 2014-05-03 19:08 - 00000000 ____D () C:\Documents and Settings\User2\Application Data\IsolatedStorage
2015-02-03 09:47 - 2014-05-03 19:08 - 00000000 ____D () C:\Documents and Settings\User2\Application Data\ACT
2015-02-03 09:47 - 2013-08-16 08:57 - 00000000 ____D () C:\var
2015-02-03 09:47 - 2013-06-26 09:16 - 00000000 ____D () C:\Documents and Settings\User3\Local Settings\Application Data\Profusion
2015-02-03 09:47 - 2013-05-16 03:59 - 00000000 ____D () C:\Documents and Settings\Default User\My Documents\Visual Studio 2008
2015-02-03 09:47 - 2013-05-13 10:01 - 00000000 ____D () C:\inetpub
2015-02-03 09:47 - 2013-01-29 16:02 - 00000000 ____D () C:\Documents and Settings\User3\Local Settings\Application Data\Sage_Pastel
2015-02-03 09:47 - 2013-01-28 08:30 - 00000000 ____D () C:\Pastel12
2015-02-03 09:47 - 2012-10-29 16:50 - 00000000 ____D () C:\Documents and Settings\User6\My Documents\ACT
2015-02-03 09:47 - 2012-10-29 16:09 - 00000000 ____D () C:\Documents and Settings\User6\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:47 - 2012-10-29 16:08 - 00000000 __SHD () C:\Documents and Settings\User6\IETldCache
2015-02-03 09:47 - 2012-10-29 16:08 - 00000000 ___RD () C:\Documents and Settings\User6\Start Menu\Programs\Accessories
2015-02-03 09:47 - 2012-10-29 16:08 - 00000000 ____D () C:\Documents and Settings\User6\WINDOWS
2015-02-03 09:47 - 2012-10-29 16:08 - 00000000 ____D () C:\Documents and Settings\User6\Local Settings\Temp
2015-02-03 09:47 - 2012-10-29 16:08 - 00000000 ____D () C:\Documents and Settings\User6\Local Settings\Application Data\Microsoft Help
2015-02-03 09:47 - 2012-07-24 14:55 - 00000000 ____D () C:\Documents and Settings\User3\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:47 - 2012-06-24 11:53 - 00000000 ____D () C:\Documents and Settings\User2\WINDOWS
2015-02-03 09:47 - 2012-04-19 09:05 - 00000000 __SHD () C:\Documents and Settings\User2\IETldCache
2015-02-03 09:47 - 2012-04-19 09:05 - 00000000 ___RD () C:\Documents and Settings\User2\Start Menu\Programs\Accessories
2015-02-03 09:47 - 2012-04-19 09:05 - 00000000 ____D () C:\Documents and Settings\User2\Local Settings\Temp
2015-02-03 09:47 - 2012-04-19 09:05 - 00000000 ____D () C:\Documents and Settings\User2\Local Settings\Application Data\Microsoft Help
2015-02-03 09:47 - 2012-04-19 09:05 - 00000000 ____D () C:\Documents and Settings\User2
2015-02-03 09:47 - 2012-02-09 09:39 - 00000000 __SHD () C:\Documents and Settings\User4\PrivacIE
2015-02-03 09:47 - 2011-06-20 10:16 - 00000000 ____D () C:\Documents and Settings\User4\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:47 - 2011-06-20 10:15 - 00000000 ____D () C:\Documents and Settings\User4\My Documents\ACT
2015-02-03 09:47 - 2011-02-25 09:13 - 00000000 ____D () C:\Documents and Settings\User4\Application Data\IsolatedStorage
2015-02-03 09:47 - 2011-02-02 10:00 - 00000000 ____D () C:\Documents and Settings\User4\Application Data\ACT
2015-02-03 09:47 - 2011-02-02 09:59 - 00000000 __SHD () C:\Documents and Settings\User4\IETldCache
2015-02-03 09:47 - 2011-02-02 09:59 - 00000000 ___RD () C:\Documents and Settings\User4\Start Menu\Programs\Accessories
2015-02-03 09:47 - 2011-02-02 09:59 - 00000000 ____D () C:\Documents and Settings\User4\WINDOWS
2015-02-03 09:47 - 2011-02-02 09:59 - 00000000 ____D () C:\Documents and Settings\User4\Local Settings\Temp
2015-02-03 09:47 - 2011-02-02 09:59 - 00000000 ____D () C:\Documents and Settings\User4\Local Settings\Application Data\Microsoft Help
2015-02-03 09:47 - 2010-09-06 12:31 - 00000000 ____D () C:\Pastel11
2015-02-03 09:47 - 2010-05-13 17:34 - 00000000 ____D () C:\Documents and Settings\User3\My Documents\OneNote Notebooks
2015-02-03 09:47 - 2010-05-06 16:53 - 00000000 ____D () C:\Documents and Settings\User3\Application Data\ACT
2015-02-03 09:47 - 2010-03-15 11:10 - 00000000 __SHD () C:\Documents and Settings\User3\PrivacIE
2015-02-03 09:47 - 2010-03-11 03:00 - 00000000 __SHD () C:\Documents and Settings\Default User\IETldCache
2015-02-03 09:47 - 2010-03-08 12:46 - 00000000 __SHD () C:\Documents and Settings\User3\IETldCache
2015-02-03 09:47 - 2010-03-06 03:04 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft Help
2015-02-03 09:47 - 2010-03-04 12:25 - 00000000 ____D () C:\Microsoft Office
2015-02-03 09:47 - 2010-03-04 12:02 - 00000000 __RHD () C:\MSOCache
2015-02-03 09:47 - 2009-07-29 12:06 - 00000000 ____D () C:\usr
2015-02-03 09:47 - 2009-06-03 16:15 - 00000000 ___RD () C:\Documents and Settings\User3\Start Menu\Programs\Accessories
2015-02-03 09:47 - 2009-06-03 16:15 - 00000000 ____D () C:\Documents and Settings\User3\WINDOWS
2015-02-03 09:47 - 2009-06-03 16:15 - 00000000 ____D () C:\Documents and Settings\User3\Local Settings\Temp
2015-02-03 09:47 - 2009-06-03 16:15 - 00000000 ____D () C:\Documents and Settings\User3
2015-02-03 09:47 - 2009-06-03 11:35 - 00000000 ___SD () C:\Documents and Settings\User12\UserData
2015-02-03 09:47 - 2009-06-03 11:16 - 00000000 ___RD () C:\Documents and Settings\User12\Start Menu\Programs\Accessories
2015-02-03 09:47 - 2009-06-03 11:16 - 00000000 ____D () C:\Documents and Settings\User12\WINDOWS
2015-02-03 09:47 - 2009-06-03 11:16 - 00000000 ____D () C:\Documents and Settings\User12\Local Settings\Temp
2015-02-03 09:47 - 2009-06-03 11:16 - 00000000 ____D () C:\Documents and Settings\User12
2015-02-03 09:47 - 2009-06-01 12:07 - 00000000 ____D () C:\Pastel09
2015-02-03 09:47 - 2009-06-01 12:04 - 00000000 ____D () C:\pvswarch
2015-02-03 09:47 - 2009-06-01 12:04 - 00000000 ____D () C:\PVSW
2015-02-03 09:47 - 2009-05-28 17:35 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\Temp
2015-02-03 09:47 - 2009-05-28 16:45 - 00000000 ____D () C:\Intel
2015-02-03 09:47 - 2009-05-28 16:28 - 00000000 ____D () C:\ServerCDs
2015-02-03 09:47 - 2009-05-28 16:10 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2015-02-03 09:47 - 2009-05-28 16:10 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-02-03 09:47 - 2009-05-28 16:10 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2015-02-03 09:47 - 2009-05-28 16:10 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Temp
2015-02-03 09:47 - 2009-05-28 16:06 - 00000000 ____D () C:\wmpub
2015-02-03 09:47 - 2009-05-28 16:04 - 00000000 ___RD () C:\Documents and Settings\Default User\Start Menu\Programs\Accessories
2015-02-03 09:46 - 2014-11-24 09:49 - 00000000 ____D () C:\Documents and Settings\User9\Local Settings\Application Data\Sage_South_Africa
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 __SHD () C:\Documents and Settings\User9\IETldCache
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 ___RD () C:\Documents and Settings\User9\Start Menu\Programs\Accessories
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 ____D () C:\Documents and Settings\User9\WINDOWS
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 ____D () C:\Documents and Settings\User9\My Documents\Visual Studio 2008
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 ____D () C:\Documents and Settings\User9\Local Settings\Temp
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 ____D () C:\Documents and Settings\User9\Local Settings\Application Data\Microsoft Help
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 ____D () C:\Documents and Settings\User9\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 ____D () C:\Documents and Settings\User9\Application Data\IsolatedStorage
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 ____D () C:\Documents and Settings\User9\Application Data\ACT
2015-02-03 09:46 - 2014-11-24 09:43 - 00000000 ____D () C:\Documents and Settings\User9
2015-02-03 09:46 - 2014-11-13 15:29 - 00000000 ____D () C:\Documents and Settings\User11\Local Settings\Application Data\Sage_South_Africa
2015-02-03 09:46 - 2014-11-12 13:13 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Sage Pastel
2015-02-03 09:46 - 2014-11-12 13:03 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Sage Connected Services
2015-02-03 09:46 - 2014-11-12 12:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Sage Installations
2015-02-03 09:46 - 2014-05-19 11:25 - 00000000 ____D () C:\Documents and Settings\User7\Local Settings\Application Data\Sage_South_Africa
2015-02-03 09:46 - 2014-05-19 11:25 - 00000000 ____D () C:\Documents and Settings\User7\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:46 - 2014-05-19 11:25 - 00000000 ____D () C:\Documents and Settings\User7\Application Data\IsolatedStorage
2015-02-03 09:46 - 2014-05-19 11:25 - 00000000 ____D () C:\Documents and Settings\User7\Application Data\ACT
2015-02-03 09:46 - 2014-05-19 11:24 - 00000000 __SHD () C:\Documents and Settings\User7\IETldCache
2015-02-03 09:46 - 2014-05-19 11:24 - 00000000 ___RD () C:\Documents and Settings\User7\Start Menu\Programs\Accessories
2015-02-03 09:46 - 2014-05-19 11:24 - 00000000 ____D () C:\Documents and Settings\User7\My Documents\Visual Studio 2008
2015-02-03 09:46 - 2014-05-19 11:24 - 00000000 ____D () C:\Documents and Settings\User7\Local Settings\Temp
2015-02-03 09:46 - 2014-05-19 11:24 - 00000000 ____D () C:\Documents and Settings\User7\Local Settings\Application Data\Microsoft Help
2015-02-03 09:46 - 2014-05-19 11:24 - 00000000 ____D () C:\Documents and Settings\User7
2015-02-03 09:46 - 2014-01-15 15:32 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Connected Services
2015-02-03 09:46 - 2013-11-19 11:30 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Sage Connected Services
2015-02-03 09:46 - 2013-09-18 13:52 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2015-02-03 09:46 - 2013-09-18 13:42 - 00000000 ____D () C:\Documents and Settings\Administrator\Start Menu\Programs\ViewPower2.11
2015-02-03 09:46 - 2013-09-18 13:38 - 00000000 ___HD () C:\Documents and Settings\Administrator\InstallAnywhere
2015-02-03 09:46 - 2013-09-10 12:44 - 00000000 ____D () C:\Documents and Settings\User8\Local Settings\Application Data\Sage Connected Services
2015-02-03 09:46 - 2013-06-26 12:28 - 00000000 ____D () C:\Documents and Settings\User10\Local Settings\Application Data\Sage_South_Africa
2015-02-03 09:46 - 2013-06-26 12:27 - 00000000 ____D () C:\Documents and Settings\User10\Local Settings\Application Data\Profusion
2015-02-03 09:46 - 2013-06-26 11:07 - 00000000 ____D () C:\Documents and Settings\User8\Local Settings\Application Data\Profusion
2015-02-03 09:46 - 2013-05-15 08:31 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Visual Studio 2005
2015-02-03 09:46 - 2013-05-15 08:27 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Integration Services Script Component
2015-02-03 09:46 - 2013-05-15 08:25 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Integration Services Script Task
2015-02-03 09:46 - 2013-05-15 08:21 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\SQL Server Management Studio
2015-02-03 09:46 - 2013-05-15 08:01 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Visual Studio 2008
2015-02-03 09:46 - 2013-05-15 07:39 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
2015-02-03 09:46 - 2013-05-13 11:53 - 00000000 ____D () C:\Documents and Settings\User8\Local Settings\Application Data\Sage_South_Africa
2015-02-03 09:46 - 2013-05-13 10:29 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft_Corporation
2015-02-03 09:46 - 2013-05-13 10:10 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Profusion
2015-02-03 09:46 - 2013-05-10 16:41 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Sage_South_Africa
2015-02-03 09:46 - 2013-02-20 15:44 - 00000000 ____D () C:\Documents and Settings\User8\Desktop\Canon Driver IRC2025i
2015-02-03 09:46 - 2013-02-20 15:30 - 00000000 __SHD () C:\Documents and Settings\User8\IECompatCache
2015-02-03 09:46 - 2013-01-28 17:48 - 00000000 ____D () C:\Documents and Settings\User5\Local Settings\Application Data\Sage_Pastel
2015-02-03 09:46 - 2013-01-28 17:34 - 00000000 ____D () C:\Documents and Settings\User10\Local Settings\Application Data\Sage_Pastel
2015-02-03 09:46 - 2013-01-28 11:56 - 00000000 ____D () C:\Documents and Settings\User8\Local Settings\Application Data\Sage_Pastel
2015-02-03 09:46 - 2013-01-28 11:49 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Sage_Pastel
2015-02-03 09:46 - 2013-01-28 08:24 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Softline Pastel
2015-02-03 09:46 - 2013-01-28 08:17 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Downloaded Installations
2015-02-03 09:46 - 2013-01-28 08:12 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Macromedia
2015-02-03 09:46 - 2012-11-28 14:47 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adobe
2015-02-03 09:46 - 2012-10-29 16:47 - 00000000 ____D () C:\Documents and Settings\User5\My Documents\ACT
2015-02-03 09:46 - 2012-10-29 16:30 - 00000000 __SHD () C:\Documents and Settings\User5\PrivacIE
2015-02-03 09:46 - 2012-10-29 16:09 - 00000000 ____D () C:\Documents and Settings\User6\Application Data\IsolatedStorage
2015-02-03 09:46 - 2012-10-29 16:09 - 00000000 ____D () C:\Documents and Settings\User6\Application Data\ACT
2015-02-03 09:46 - 2012-10-29 16:08 - 00000000 ____D () C:\Documents and Settings\User6
2015-02-03 09:46 - 2012-10-29 16:07 - 00000000 ____D () C:\Documents and Settings\User5\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:46 - 2012-10-29 16:06 - 00000000 ____D () C:\Documents and Settings\User5\Application Data\IsolatedStorage
2015-02-03 09:46 - 2012-10-29 16:06 - 00000000 ____D () C:\Documents and Settings\User5\Application Data\ACT
2015-02-03 09:46 - 2012-10-29 16:05 - 00000000 ____D () C:\Documents and Settings\User5\WINDOWS
2015-02-03 09:46 - 2012-10-29 16:04 - 00000000 __SHD () C:\Documents and Settings\User5\IETldCache
2015-02-03 09:46 - 2012-10-29 16:04 - 00000000 ___RD () C:\Documents and Settings\User5\Start Menu\Programs\Accessories
2015-02-03 09:46 - 2012-10-29 16:04 - 00000000 ____D () C:\Documents and Settings\User5\Local Settings\Temp
2015-02-03 09:46 - 2012-10-29 16:04 - 00000000 ____D () C:\Documents and Settings\User5\Local Settings\Application Data\Microsoft Help
2015-02-03 09:46 - 2012-10-29 16:04 - 00000000 ____D () C:\Documents and Settings\User5
2015-02-03 09:46 - 2012-09-08 10:08 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Pastel IronTree
2015-02-03 09:46 - 2012-08-27 10:03 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Sage_Software,_Inc
2015-02-03 09:46 - 2012-08-24 12:42 - 00000000 ____D () C:\Documents and Settings\User8\Local Settings\Application Data\PCHealth
2015-02-03 09:46 - 2012-08-24 10:45 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Protexis
2015-02-03 09:46 - 2012-07-24 16:51 - 00000000 ____D () C:\Documents and Settings\User11\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:46 - 2012-07-24 12:23 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Sage ACT! Premium 2012
2015-02-03 09:46 - 2012-07-24 12:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Sage Software, Inc
2015-02-03 09:46 - 2012-07-24 11:40 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft SQL Server 2008
2015-02-03 09:46 - 2012-07-24 11:34 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft SQL Server 2008 R2
2015-02-03 09:46 - 2012-06-14 11:34 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Hand ACT V14
2015-02-03 09:46 - 2012-06-14 11:32 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 7
2015-02-03 09:46 - 2012-05-09 15:51 - 00000000 ____D () C:\Documents and Settings\User11\My Documents\New Folder
2015-02-03 09:46 - 2012-04-24 13:15 - 00000000 __SHD () C:\Documents and Settings\User11\PrivacIE
2015-02-03 09:46 - 2012-04-19 16:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2015-02-03 09:46 - 2012-04-19 12:44 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\CanonBJ
2015-02-03 09:46 - 2012-03-19 18:55 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Dyn Updater
2015-02-03 09:46 - 2012-03-19 18:55 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Dyn
2015-02-03 09:46 - 2011-08-01 12:26 - 00000000 ____D () C:\Documents and Settings\User8\Local Settings\Application Data\Microsoft Help
2015-02-03 09:46 - 2011-03-10 09:56 - 00000000 ____D () C:\Documents and Settings\User8\My Documents\OneNote Notebooks
2015-02-03 09:46 - 2011-02-25 09:24 - 00000000 __SHD () C:\Documents and Settings\User1\PrivacIE
2015-02-03 09:46 - 2011-02-25 09:24 - 00000000 ____D () C:\Documents and Settings\User1\Application Data\IsolatedStorage
2015-02-03 09:46 - 2011-02-02 10:01 - 00000000 ____D () C:\Documents and Settings\User1\Application Data\ACT
2015-02-03 09:46 - 2011-02-02 10:00 - 00000000 __SHD () C:\Documents and Settings\User1\IETldCache
2015-02-03 09:46 - 2011-02-02 10:00 - 00000000 ___RD () C:\Documents and Settings\User1\Start Menu\Programs\Accessories
2015-02-03 09:46 - 2011-02-02 10:00 - 00000000 ____D () C:\Documents and Settings\User1\WINDOWS
2015-02-03 09:46 - 2011-02-02 10:00 - 00000000 ____D () C:\Documents and Settings\User1\Local Settings\Temp
2015-02-03 09:46 - 2011-02-02 10:00 - 00000000 ____D () C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft Help
2015-02-03 09:46 - 2011-02-02 10:00 - 00000000 ____D () C:\Documents and Settings\User1
2015-02-03 09:46 - 2010-10-25 14:15 - 00000000 ____D () C:\Documents and Settings\User10\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:46 - 2010-10-13 08:33 - 00000000 ____D () C:\Documents and Settings\User10\My Documents\ACT
2015-02-03 09:46 - 2010-10-05 12:51 - 00000000 ____D () C:\Documents and Settings\User10\Application Data\IsolatedStorage
2015-02-03 09:46 - 2010-08-13 08:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Help
2015-02-03 09:46 - 2010-07-21 06:57 - 00000000 __SHD () C:\Documents and Settings\User10\IETldCache
2015-02-03 09:46 - 2010-07-21 06:57 - 00000000 ___RD () C:\Documents and Settings\User10\Start Menu\Programs\Accessories
2015-02-03 09:46 - 2010-07-21 06:57 - 00000000 ____D () C:\Documents and Settings\User10\WINDOWS
2015-02-03 09:46 - 2010-07-21 06:57 - 00000000 ____D () C:\Documents and Settings\User10\Local Settings\Temp
2015-02-03 09:46 - 2010-07-21 06:57 - 00000000 ____D () C:\Documents and Settings\User10\Local Settings\Application Data\Microsoft Help
2015-02-03 09:46 - 2010-07-21 06:57 - 00000000 ____D () C:\Documents and Settings\User10\Application Data\ACT
2015-02-03 09:46 - 2010-07-21 06:57 - 00000000 ____D () C:\Documents and Settings\User10
2015-02-03 09:46 - 2010-07-21 06:51 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\DynDNS
2015-02-03 09:46 - 2010-06-22 10:08 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:46 - 2010-05-06 17:56 - 00000000 ____D () C:\Documents and Settings\User11\Application Data\ACT
2015-02-03 09:46 - 2010-05-06 14:48 - 00000000 ____D () C:\Documents and Settings\User8\Local Settings\Application Data\IsolatedStorage
2015-02-03 09:46 - 2010-05-06 14:43 - 00000000 ____D () C:\Documents and Settings\User8\My Documents\ACT
2015-02-03 09:46 - 2010-05-06 14:28 - 00000000 ____D () C:\Documents and Settings\User8\Application Data\IsolatedStorage
2015-02-03 09:46 - 2010-05-06 14:28 - 00000000 ____D () C:\Documents and Settings\User8\Application Data\ACT
2015-02-03 09:46 - 2010-05-06 14:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Act
2015-02-03 09:46 - 2010-05-06 14:14 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\ACT
2015-02-03 09:46 - 2010-05-06 14:14 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode
2015-02-03 09:46 - 2010-05-06 14:06 - 00000000 ____D () C:\Documents and Settings\ADMINI~1~HAN\LOCALS~1
2015-02-03 09:46 - 2010-05-06 14:06 - 00000000 ____D () C:\Documents and Settings\ADMINI~1~HAN
2015-02-03 09:46 - 2010-03-24 14:16 - 00000000 __SHD () C:\Documents and Settings\User8\PrivacIE
2015-02-03 09:46 - 2010-03-19 08:44 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\PCHealth
2015-02-03 09:46 - 2010-03-10 11:27 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\U3
2015-02-03 09:46 - 2010-03-08 17:34 - 00000000 __SHD () C:\Documents and Settings\User11\IETldCache
2015-02-03 09:46 - 2010-03-08 14:30 - 00000000 ____D () C:\Documents and Settings\User8\Application Data\Sun
2015-02-03 09:46 - 2010-03-08 11:41 - 00000000 __SHD () C:\Documents and Settings\Administrator\PrivacIE
2015-02-03 09:46 - 2010-03-08 11:41 - 00000000 __SHD () C:\Documents and Settings\Administrator\IECompatCache
2015-02-03 09:46 - 2010-03-08 10:35 - 00000000 __SHD () C:\Documents and Settings\User8\IETldCache
2015-02-03 09:46 - 2010-03-08 08:44 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2015-02-03 09:46 - 2010-03-04 12:16 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
2015-02-03 09:46 - 2009-06-04 18:48 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Canon
2015-02-03 09:46 - 2009-06-03 10:58 - 00000000 __SHD () C:\Documents and Settings\Administrator\UserData
2015-02-03 09:46 - 2009-06-03 10:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Microsoft Help
2015-02-03 09:46 - 2009-06-03 10:34 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft Help
2015-02-03 09:46 - 2009-06-01 20:11 - 00000000 ___RD () C:\Documents and Settings\User11\Start Menu\Programs\Accessories
2015-02-03 09:46 - 2009-06-01 20:11 - 00000000 ____D () C:\Documents and Settings\User11\WINDOWS
2015-02-03 09:46 - 2009-06-01 20:11 - 00000000 ____D () C:\Documents and Settings\User11\Local Settings\Temp
2015-02-03 09:46 - 2009-06-01 20:11 - 00000000 ____D () C:\Documents and Settings\User11
2015-02-03 09:46 - 2009-06-01 19:36 - 00000000 ___RD () C:\Documents and Settings\User8\Start Menu\Programs\Accessories
2015-02-03 09:46 - 2009-06-01 19:36 - 00000000 ____D () C:\Documents and Settings\User8\WINDOWS
2015-02-03 09:46 - 2009-06-01 19:36 - 00000000 ____D () C:\Documents and Settings\User8\Local Settings\Temp
2015-02-03 09:46 - 2009-06-01 19:36 - 00000000 ____D () C:\Documents and Settings\User8
2015-02-03 09:46 - 2009-06-01 12:08 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Softline Pastel
2015-02-03 09:46 - 2009-06-01 12:06 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Pervasive
2015-02-03 09:46 - 2009-06-01 12:02 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Sun
2015-02-03 09:46 - 2009-06-01 11:51 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2015-02-03 09:46 - 2009-06-01 11:38 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Windows Support Tools
2015-02-03 09:46 - 2009-05-28 16:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Kodak
2015-02-03 09:46 - 2009-05-28 16:01 - 00000000 ___RD () C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2015-02-03 09:45 - 2014-11-24 09:43 - 00000178 ___SH () C:\Documents and Settings\User9\ntuser.ini
2015-02-03 09:45 - 2013-05-13 11:59 - 00000000 ____D () C:\2986a648f74f82f21a6c
2015-02-03 09:45 - 2013-01-28 08:12 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Adobe
2015-02-03 09:45 - 2010-08-13 08:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Help
2015-02-03 09:45 - 2010-05-10 03:05 - 00000000 ____D () C:\16f372fd742a3c31bce1e8c221e229
2015-02-03 09:45 - 2010-05-06 14:19 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\IsolatedStorage
2015-02-03 09:45 - 2009-09-15 17:06 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2015-02-03 09:45 - 2009-07-10 06:49 - 00000000 ____D () C:\User13 Printer
2015-02-03 09:45 - 2009-06-03 10:43 - 00000000 ____D () C:\ADFS
2015-02-03 09:45 - 2009-05-28 16:28 - 00000000 ____D () C:\Documents and Settings\Administrator\WINDOWS
2015-02-03 09:45 - 2009-05-28 16:13 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2015-02-03 09:45 - 2009-05-28 16:13 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-02-03 09:45 - 2009-05-28 16:13 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-02-03 09:43 - 2014-11-24 09:44 - 00002129 _____ () C:\Documents and Settings\User9\Desktop\Accounting Partner V14.lnk
2015-02-03 09:43 - 2014-11-24 09:43 - 00001324 _____ () C:\Documents and Settings\User9\Local Settings\Application Data\d3d9caps.tmp
2015-02-03 09:42 - 2014-11-26 15:59 - 00268974 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\error_WPFFontCache_v0400-System.dat
2015-02-03 09:42 - 2014-11-26 15:59 - 00268974 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\error_WPFFontCache_v0400-S-1-5-21-3309001590-4249468244-678730067-500-0.dat
2015-02-03 09:42 - 2014-11-24 09:43 - 00068622 _____ () C:\Documents and Settings\User9\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:42 - 2014-05-03 19:08 - 00008398 _____ () C:\Documents and Settings\User2\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:42 - 2013-05-13 10:10 - 00000190 _____ () C:\Documents and Settings\All Users\Application Data\error_system42.dat
2015-02-03 09:42 - 2013-02-11 15:50 - 00000830 _____ () C:\Documents and Settings\User3\Local Settings\Application Data\error_d3d9caps.dat
2015-02-03 09:42 - 2012-10-29 16:05 - 00068622 _____ () C:\Documents and Settings\User5\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:42 - 2012-07-24 12:23 - 00068622 _____ () C:\Documents and Settings\Default User\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:42 - 2011-02-02 10:00 - 00068622 _____ () C:\Documents and Settings\User4\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:42 - 2010-07-21 06:57 - 00068622 _____ () C:\Documents and Settings\User10\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:42 - 2010-05-06 17:56 - 00068622 _____ () C:\Documents and Settings\User11\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:42 - 2010-05-06 16:53 - 00068622 _____ () C:\Documents and Settings\User3\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:42 - 2010-05-06 14:28 - 00068622 _____ () C:\Documents and Settings\User8\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:41 - 2014-05-19 11:24 - 00068622 _____ () C:\Documents and Settings\User7\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:41 - 2010-05-06 14:17 - 00068622 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\error_GDIPFONTCACHEV1.DAT
2015-02-03 09:38 - 2009-06-03 16:15 - 00000278 ___SH () C:\Documents and Settings\User3\ntuser.ini
2015-02-03 09:37 - 2014-11-12 16:14 - 00002139 _____ () C:\Documents and Settings\User3\Desktop\Point Of Sale for Accounting V14.lnk
2015-02-03 09:34 - 2014-03-03 12:39 - 00001324 _____ () C:\Documents and Settings\User3\Local Settings\Application Data\d3d9caps.tmp
2015-02-02 18:00 - 2009-06-01 20:11 - 00000278 ___SH () C:\Documents and Settings\User11\ntuser.ini
2015-02-02 17:52 - 2014-11-12 16:15 - 00002139 _____ () C:\Documents and Settings\User11\Desktop\Point Of Sale for Accounting V14.lnk
2015-02-02 17:52 - 2012-07-24 16:51 - 00001324 _____ () C:\Documents and Settings\User11\Local Settings\Application Data\d3d9caps.tmp
2015-02-02 13:35 - 2010-03-08 11:41 - 00000438 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{9D2CF06F-C3BB-48E4-A579-3250964361A9}.job
2015-02-01 01:49 - 2009-05-28 16:10 - 00032592 _____ () C:\WINDOWS\Tasks\SchedLgU.Txt
2015-01-29 16:17 - 2010-07-21 06:57 - 00000178 ___SH () C:\Documents and Settings\User10\ntuser.ini
2015-01-29 16:16 - 2012-10-03 14:51 - 00001324 _____ () C:\Documents and Settings\User10\Local Settings\Application Data\d3d9caps.tmp
2015-01-29 10:33 - 2009-06-01 19:36 - 00000278 ___SH () C:\Documents and Settings\User8\ntuser.ini
2015-01-28 11:56 - 2014-11-12 16:08 - 00002129 _____ () C:\Documents and Settings\User8\Desktop\Accounting Partner V14.lnk
2015-01-27 18:46 - 2013-09-18 13:46 - 00008170 _____ () C:\cerr.txt
2015-01-24 22:49 - 2013-09-20 15:49 - 03539632 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2015-01-24 22:49 - 2013-09-18 13:55 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-24 22:49 - 2013-09-18 13:55 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-22 12:49 - 2014-11-12 16:08 - 00002139 _____ () C:\Documents and Settings\User8\Desktop\Point Of Sale for Accounting V14.lnk
2015-01-14 03:08 - 2009-05-28 17:35 - 02922331 _____ () C:\WINDOWS\ocgen.log
2015-01-14 03:08 - 2009-05-28 17:35 - 02754733 _____ () C:\WINDOWS\FaxSetup.log
2015-01-14 03:08 - 2009-05-28 17:35 - 02702423 _____ () C:\WINDOWS\iis6.log
2015-01-14 03:08 - 2009-05-28 17:35 - 01581212 _____ () C:\WINDOWS\uddisetup.log
2015-01-14 03:08 - 2009-05-28 17:35 - 01307746 _____ () C:\WINDOWS\msmqinst.log
2015-01-14 03:08 - 2009-05-28 17:35 - 01161399 _____ () C:\WINDOWS\tsoc.log
2015-01-14 03:08 - 2009-05-28 17:35 - 00812844 _____ () C:\WINDOWS\comsetup.log
2015-01-14 03:08 - 2009-05-28 17:35 - 00512339 _____ () C:\WINDOWS\ntdtcsetup.log
2015-01-14 03:08 - 2009-05-28 17:35 - 00441450 _____ () C:\WINDOWS\netfxocm.log
2015-01-14 03:08 - 2009-05-28 17:35 - 00383649 _____ () C:\WINDOWS\aspnetocm.log
2015-01-14 03:08 - 2009-05-28 17:35 - 00274007 _____ () C:\WINDOWS\LicenOc.log
2015-01-14 03:08 - 2009-05-28 17:35 - 00135850 _____ () C:\WINDOWS\pop3oc.log
2015-01-14 03:08 - 2009-05-28 17:35 - 00046091 _____ () C:\WINDOWS\certocm.log
2015-01-14 03:08 - 2009-05-28 17:35 - 00003423 _____ () C:\WINDOWS\imsins.log
2015-01-14 03:08 - 2009-05-28 16:21 - 00823686 _____ () C:\WINDOWS\nfsocm.log
2015-01-14 03:08 - 2009-05-28 16:21 - 00390794 _____ () C:\WINDOWS\sfuocgen.log
2015-01-14 03:08 - 2009-05-28 16:21 - 00110805 _____ () C:\WINDOWS\AdfsOcm.log
2015-01-14 03:08 - 2009-05-28 16:21 - 00088602 _____ () C:\WINDOWS\ocwss.log
2015-01-14 03:07 - 2013-08-16 08:14 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 03:02 - 2010-03-04 11:04 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-14 03:02 - 2009-05-28 17:35 - 00003423 _____ () C:\WINDOWS\imsins.BAK
2015-01-12 14:17 - 2014-11-24 09:44 - 00002139 _____ () C:\Documents and Settings\User9\Desktop\Point Of Sale for Accounting V14.lnk
2015-01-09 20:02 - 2007-02-18 14:00 - 00134144 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iassam.dll
2015-01-09 20:02 - 2007-02-18 14:00 - 00134144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iassam.dll

==================== Files in the root of some directories =======

2010-10-05 12:47 - 2010-05-06 14:17 - 0001680 _____ () C:\Program Files\ACT! by Sage Premium.lnk
2015-02-03 09:47 - 2015-02-03 09:47 - 0000866 _____ () C:\Program Files\READ_ME.txt
2009-06-01 12:04 - 2009-06-01 12:04 - 0000190 _____ () C:\Program Files\Common Files\psasetup.log
2012-07-24 11:27 - 2012-07-24 11:30 - 11104216 _____ (Sage Software                                                ) C:\Documents and Settings\Administrator\Application Data\ACT2012HotFix_SS.exe
2010-05-06 14:19 - 2010-05-06 14:19 - 0000000 ____H () C:\Documents and Settings\Administrator\Application Data\ActUpdate.log
2012-07-24 12:23 - 2012-07-24 12:23 - 0031637 _____ () C:\Documents and Settings\Administrator\Application Data\NGEN_AppLog_Install.txt
2015-02-03 09:45 - 2015-02-03 09:45 - 0000866 _____ () C:\Documents and Settings\Administrator\Application Data\READ_ME.txt
2012-04-17 09:46 - 2015-02-03 09:59 - 0003566 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\error_BICPartnerV11.log
2013-01-28 11:44 - 2015-02-03 09:59 - 0013502 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\error_BICPartnerV12.log
2015-02-03 09:46 - 2015-02-03 09:46 - 0000866 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\READ_ME.txt
2015-02-03 09:46 - 2015-02-03 09:46 - 0000866 _____ () C:\Documents and Settings\All Users\READ_ME.txt

Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\7.2.20.2-EasyShrx.Dll
C:\Documents and Settings\Administrator\Local Settings\Temp\applnch.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\isutldll.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\jre-6u20-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mpegc.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ose00000.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== End Of Log ============================



#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,608 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:03:35 PM

Posted 14 February 2015 - 05:59 PM

Greetings ElectronZA and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. I appreciate the opportunity to address your situation as an opportunity to possibly help someone else. However, we unfortunately have a growing number of Crypto malware examples, and between that and the number of people still waiting for assistance, it is best if we pass on this opportunity.

Let me know if you need any assistance.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 ElectronZA


Posted 15 February 2015 - 12:15 PM

Thank you Gary.

 

My name is Howard.

I would like to identify this cryptoware if possible as I believe other people are also being subject to this ransom.

What would I need to do to help identify it?



#5 Oh My!


Posted 16 February 2015 - 08:48 AM

I am not ignoring you but I am quite busy with Topics which need to be resolved. Unfortunately I will have to keep this on the back burner until I can catch up with them and also my Instructor responsibilities. If your situation is consistent with recent Crypto malware versions this too will be impossible to decrypt. If I thought otherwise I would give it a greater priority.

I trust you understand.
Gary
 

#6 ElectronZA


Posted 16 February 2015 - 11:45 PM

I do, thank you for taking the time.

Regards

Howard



#7 Oh My!


Posted 19 February 2015 - 03:47 PM

Hi Howard, thank you for your patience.

I am not seeing anything in your log pointing to workable information which would allow identification of your Crypto variant.
Gary
 

#8 ElectronZA


Posted 19 February 2015 - 11:48 PM

Thanks Gary

I appreciate you taking the time. I am happy to close off the thread at this point as we have completely recovered from backups.

Thank you for taking a look at the info.

Howard.



#9 Oh My!


Posted 20 February 2015 - 09:32 AM

No problem Howard,

What we would need is the dropper file and even then I am not sure how successful we would be in making any meaningful progress.
Gary
 

#10 Oh My!


Posted 20 February 2015 - 09:33 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 