Cryptowall 3.0 removal help


  • This topic is locked
17 replies to this topic

#1 aquacraft

  • Members
  • 9 posts

Posted 18 February 2015 - 05:06 PM

I thought I had removed this using Microsoft Security Essentials, but evidently it didn't work because many of my files are encrypted. It also found its way to my mapped server drives and did the same to many of those files. Does this mean both the computer and server need to have this removed, or just the original computer it was unleashed from?

Here is the log:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-02-2015
Ran by Lowell (administrator) on LOWELL-PC on 17-02-2015 09:25:26
Running from E:\virus
Loaded Profiles: Lowell (Available profiles: Lowell & Administrator & Lowell)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2svc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2comm.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2pre.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2tray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\TiMiniService.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\TiResumeSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Conexant Systems, Inc) C:\Program Files\CONEXANT\SAII\SmartAudio.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgui.exe
() C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
(Inbox.com, Inc.) C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
(Dropbox, Inc.) C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [564352 2011-12-15] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [310912 2011-06-24] (Conexant Systems, Inc.)
HKLM\...\Run: [VizorHtmlDialog.exe] => C:\Program Files\Trend Micro\Titanium\UIFramework\VizorHtmlDialog.exe [1139992 2011-05-20] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [192520 2011-05-20] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Titanium] => C:\Program Files\Trend Micro\Titanium\VizorShortCut.exe [328400 2011-05-20] (Trend Micro Inc.)
HKLM\...\Run: [DBRMTray] => C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4411952 2014-11-04] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2640408 2014-08-15] ()
HKLM-x32\...\Run: [InboxToolbar] => C:\Program Files (x86)\Inbox Toolbar\Inbox.exe [1380336 2013-12-02] (Inbox.com, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\RunOnce: [DBRMTray] => C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
Winlogon\Notify\igfxcui: C:\Windows\SYSTEM32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/1NR6t2w
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/1NR6t2w
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2445902028-2695422737-3037335337-1162\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKU\S-1-5-21-2445902028-2695422737-3037335337-1162\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\TmIEPlg.dll (Trend Micro Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe64.dll (Trend Micro Inc.)
BHO: Inbox Toolbar -> {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -> C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll (Inbox.com, Inc.)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\TmIEPlg32.dll (Trend Micro Inc.)
BHO-x32: PasswordBox Helper -> {5DB69B97-934B-451D-94DB-32EF802A01CD} -> C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: AVG SafeGuard toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.9.790\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
BHO-x32: Inbox Toolbar -> {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -> C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
Toolbar: HKLM - &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll (Inbox.com, Inc.)
Toolbar: HKLM-x32 - AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.9.790\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll (Inbox.com, Inc.)
Handler-x32: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe64.dll (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\TmIEPlg.dll (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\TmIEPlg32.dll (Trend Micro Inc.)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll (AVG Secure Search)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.3
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.1.9\\npsitesafety.dll No File
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.66 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\firefoxextension [2013-10-16]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4942384 2014-10-17] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [732160 2012-12-10] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [803872 2012-12-10] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165336 2013-01-14] (Intel Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366512 2015-01-30] (Microsoft Corporation)
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 TiMiniService; C:\Program Files\Trend Micro\Titanium\TiMiniService.exe [244440 2011-05-20] (Trend Micro Inc.)
R2 vToolbarUpdater18.1.9; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [1820184 2014-08-15] (AVG Secure Search)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-10-16] (Microsoft Corporation)
S3 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [209720 2014-11-04] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311608 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-07-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2014-10-17] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-15] (AVG Technologies)
R2 monblanking; C:\Windows\System32\DRIVERS\monblanking.sys [34960 2014-09-04] (Citrix Systems, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124560 2014-11-15] (Microsoft Corporation)
R2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [90896 2011-05-21] (Trend Micro Inc.)
R2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [144656 2011-05-21] (Trend Micro Inc.)
R2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [69392 2011-05-21] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105552 2011-05-21] (Trend Micro Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-17 09:22 - 2015-02-17 09:25 - 00000000 ____D () C:\FRST
2015-02-17 09:22 - 2015-02-06 12:03 - 22497944 _____ () C:\Users\lowell.TRIDENT\Desktop\fix n zip.decryptedKLR.mp4
2015-02-17 09:22 - 2015-02-06 11:29 - 00009238 _____ () C:\Users\lowell.TRIDENT\Desktop\ORDER FEV 6.decryptedKLR.xlsx
2015-02-17 09:22 - 2015-02-05 13:04 - 01076168 _____ () C:\Users\lowell.TRIDENT\Desktop\Sterisolquart 2011.decryptedKLR.tif
2015-02-17 09:22 - 2015-02-05 13:04 - 00641260 _____ () C:\Users\lowell.TRIDENT\Desktop\Sterisol Sanitizer 2oz 2011.decryptedKLR.tif
2015-02-17 09:16 - 2015-02-17 09:18 - 02077880 _____ () C:\Users\lowell.TRIDENT\Desktop\ListCWall.txt
2015-02-16 15:43 - 2015-02-16 15:43 - 00000000 ____D () C:\Windows\pss
2015-02-16 11:59 - 2015-02-16 11:59 - 00000000 ____D () C:\Users\lowell.TRIDENT\Documents\ProcAlyzer Dumps
2015-02-11 09:59 - 2015-01-22 20:42 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-11 09:59 - 2015-01-22 20:41 - 06041600 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-11 09:59 - 2015-01-22 19:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-02-11 09:59 - 2015-01-22 19:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00894976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00762368 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00609280 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00414720 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-02-10 14:55 - 2015-02-03 19:13 - 01098752 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-02-10 14:55 - 2015-01-27 15:36 - 01239720 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2015-02-10 14:55 - 2015-01-06 19:15 - 00104896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mup.sys
2015-02-10 14:55 - 2015-01-06 19:10 - 00782848 _____ (Microsoft Corporation) C:\Windows\system32\gpsvc.dll
2015-02-10 14:55 - 2015-01-06 18:44 - 00079872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpapi.dll
2015-02-10 14:55 - 2015-01-06 17:49 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdbss.sys
2015-02-10 14:55 - 2015-01-06 17:49 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-02-10 14:55 - 2015-01-06 17:48 - 00290816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-02-10 14:55 - 2015-01-06 17:48 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-02-10 14:55 - 2015-01-06 17:48 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dfsc.sys
2015-02-10 14:54 - 2015-01-13 21:47 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-10 14:54 - 2015-01-13 21:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-10 14:54 - 2015-01-12 19:10 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-10 14:54 - 2015-01-12 18:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-02-10 14:54 - 2015-01-11 19:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-10 14:54 - 2015-01-11 19:05 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-10 14:54 - 2015-01-11 19:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-10 14:54 - 2015-01-11 18:49 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-10 14:54 - 2015-01-11 18:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-10 14:54 - 2015-01-11 18:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-10 14:54 - 2015-01-11 18:48 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-10 14:54 - 2015-01-11 18:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-10 14:54 - 2015-01-11 18:40 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-10 14:54 - 2015-01-11 18:39 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-10 14:54 - 2015-01-11 18:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-10 14:54 - 2015-01-11 18:34 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-10 14:54 - 2015-01-11 18:34 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-10 14:54 - 2015-01-11 18:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-10 14:54 - 2015-01-11 18:25 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-10 14:54 - 2015-01-11 18:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-02-10 14:54 - 2015-01-11 18:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-10 14:54 - 2015-01-11 18:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-10 14:54 - 2015-01-11 18:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-10 14:54 - 2015-01-11 18:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-10 14:54 - 2015-01-11 18:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-10 14:54 - 2015-01-11 18:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-02-10 14:54 - 2015-01-11 18:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-02-10 14:54 - 2015-01-11 18:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-10 14:54 - 2015-01-11 18:04 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-10 14:54 - 2015-01-11 18:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-10 14:54 - 2015-01-11 18:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-02-10 14:54 - 2015-01-11 17:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-02-10 14:54 - 2015-01-11 17:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-02-10 14:54 - 2015-01-11 17:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-02-10 14:54 - 2015-01-11 17:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-10 14:54 - 2015-01-11 17:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-10 14:54 - 2015-01-11 17:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-10 14:54 - 2015-01-11 17:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-10 14:54 - 2015-01-11 17:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-10 14:54 - 2015-01-11 17:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-10 14:54 - 2015-01-11 17:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-10 14:54 - 2015-01-11 17:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-02-10 14:54 - 2015-01-11 17:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-02-10 14:54 - 2015-01-11 17:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-02-10 14:54 - 2015-01-11 17:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-10 14:54 - 2015-01-11 17:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-10 14:54 - 2015-01-11 17:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-10 14:54 - 2015-01-11 17:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-02-10 14:54 - 2015-01-11 17:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-10 14:54 - 2015-01-11 17:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-10 14:54 - 2015-01-11 17:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-10 14:54 - 2015-01-11 17:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-10 14:54 - 2015-01-11 16:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-10 14:54 - 2015-01-11 16:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-02-10 14:53 - 2015-01-15 00:14 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-10 14:53 - 2015-01-15 00:14 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-10 14:53 - 2015-01-15 00:09 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-10 14:53 - 2015-01-15 00:09 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-10 14:53 - 2015-01-15 00:09 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-10 14:53 - 2015-01-15 00:09 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-10 14:53 - 2015-01-15 00:09 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-10 14:53 - 2015-01-15 00:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-10 14:53 - 2015-01-15 00:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-10 14:53 - 2015-01-15 00:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-10 14:53 - 2015-01-15 00:04 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-10 14:53 - 2015-01-14 23:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-02-10 14:53 - 2015-01-14 23:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-02-10 14:53 - 2015-01-14 23:41 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-02-10 14:53 - 2015-01-14 23:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-02-10 14:53 - 2015-01-14 23:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-02-10 14:53 - 2015-01-14 23:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-02-10 14:53 - 2015-01-14 20:22 - 00458824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-10 14:53 - 2015-01-13 22:09 - 05554112 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-10 14:53 - 2015-01-13 22:05 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-02-10 14:53 - 2015-01-13 22:05 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-02-10 14:53 - 2015-01-13 22:04 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-02-10 14:53 - 2015-01-13 21:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-02-10 14:53 - 2015-01-13 21:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-02-10 14:53 - 2015-01-13 21:41 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-02-10 14:53 - 2014-12-11 21:31 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-02-10 14:53 - 2014-12-11 21:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-02-10 14:53 - 2014-12-07 19:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-10 14:53 - 2014-12-07 18:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-02-10 14:53 - 2014-11-25 19:53 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-10 14:53 - 2014-11-25 19:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-02-10 14:53 - 2014-10-03 18:10 - 03722752 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-02-10 14:53 - 2014-10-03 17:42 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-02-10 14:53 - 2014-10-03 17:42 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2015-02-10 14:53 - 2014-07-06 18:07 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-02-10 14:53 - 2014-07-06 18:06 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-02-10 14:53 - 2014-07-06 17:40 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-02-10 14:53 - 2014-07-06 17:40 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-02-10 14:52 - 2015-01-08 18:03 - 03201536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-06 12:03 - 2015-02-06 12:03 - 22497944 _____ () C:\Users\lowell.TRIDENT\Desktop\fix n zip.mp4
2015-02-06 12:02 - 2015-02-06 12:02 - 11949937 _____ () C:\Users\lowell.TRIDENT\Desktop\fix n zip.wmv
2015-02-06 09:41 - 2015-02-06 11:29 - 00009238 _____ () C:\Users\lowell.TRIDENT\Desktop\ORDER FEV 6.xlsx
2015-02-05 13:04 - 2015-02-05 13:04 - 01076168 _____ () C:\Users\lowell.TRIDENT\Desktop\Sterisolquart 2011.tif
2015-02-05 13:04 - 2015-02-05 13:04 - 00641260 _____ () C:\Users\lowell.TRIDENT\Desktop\Sterisol Sanitizer 2oz 2011.tif
2015-02-03 08:54 - 2015-02-16 10:36 - 00001038 _____ () C:\Users\lowell.TRIDENT\Desktop\ListCrilock.txt
2015-02-02 15:46 - 2015-02-16 12:02 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-02-02 15:46 - 2015-02-02 15:55 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-02-02 15:46 - 2015-02-02 15:46 - 00001397 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-02-02 15:46 - 2015-02-02 15:46 - 00001385 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-02-02 15:46 - 2015-02-02 15:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-02-02 15:46 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2015-02-02 08:47 - 2015-02-11 03:02 - 00002119 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-02-02 08:47 - 2015-02-11 03:02 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-02-02 08:46 - 2015-02-11 03:02 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-02-02 08:46 - 2015-02-11 03:02 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2015-02-01 16:23 - 2015-02-01 16:23 - 00008554 _____ () C:\Users\lowell.TRIDENT\HELP_DECRYPT.HTML
2015-02-01 16:23 - 2015-02-01 16:23 - 00004220 _____ () C:\Users\lowell.TRIDENT\HELP_DECRYPT.TXT
2015-02-01 16:23 - 2015-02-01 16:23 - 00000276 _____ () C:\Users\lowell.TRIDENT\HELP_DECRYPT.URL
2015-02-01 16:21 - 2015-02-01 16:21 - 00008554 _____ () C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.HTML
2015-02-01 16:21 - 2015-02-01 16:21 - 00004220 _____ () C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.TXT
2015-02-01 16:21 - 2015-02-01 16:21 - 00000276 _____ () C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.URL
2015-02-01 16:19 - 2015-02-01 16:19 - 00008554 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.HTML
2015-02-01 16:19 - 2015-02-01 16:19 - 00008554 _____ () C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.HTML
2015-02-01 16:19 - 2015-02-01 16:19 - 00004220 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.TXT
2015-02-01 16:19 - 2015-02-01 16:19 - 00004220 _____ () C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.TXT
2015-02-01 16:19 - 2015-02-01 16:19 - 00000276 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.URL
2015-02-01 16:19 - 2015-02-01 16:19 - 00000276 _____ () C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.URL
2015-02-01 16:18 - 2015-02-01 16:18 - 00008554 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.HTML
2015-02-01 16:18 - 2015-02-01 16:18 - 00004220 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.TXT
2015-02-01 16:18 - 2015-02-01 16:18 - 00000276 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.URL
2015-02-01 16:03 - 2015-02-01 16:03 - 00000480 ____H () C:\Users\lowell.TRIDENT\AppData\Roaming\麽鎒駓覜
2015-02-01 16:02 - 2015-02-01 16:05 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Roaming\FrameworkUpdate
2015-01-30 12:10 - 2015-02-01 16:21 - 00000000 ____D () C:\Users\lowell.TRIDENT\Desktop\sp ch
2015-01-30 12:06 - 2015-02-01 16:21 - 00000000 ____D () C:\Users\lowell.TRIDENT\Desktop\wm
2015-01-30 12:02 - 2015-02-16 10:40 - 00000000 ____D () C:\Users\lowell.TRIDENT\Desktop\desk top
2015-01-22 08:14 - 2015-01-22 08:14 - 00083744 _____ () C:\Users\lowell.TRIDENT\Desktop\文件.xls
2015-01-20 10:09 - 2015-01-20 10:10 - 00570752 _____ () C:\Users\lowell.TRIDENT\Documents\WM HUNTING SKU.xlsx
2015-01-19 14:33 - 2015-01-19 14:33 - 00000179 _____ () C:\Users\lowell.TRIDENT\Desktop\480_Motor_Yacht.pdf.url
2015-01-19 13:18 - 2015-01-19 13:18 - 00445408 _____ () C:\Users\lowell.TRIDENT\Desktop\2015 Underwater Kinetics Dive Price List_12_4_14_With20%Disc.xlsx
2015-01-19 08:11 - 2015-01-19 13:38 - 00374048 _____ () C:\Users\lowell.TRIDENT\Desktop\Extra items special to look over .msg
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-17 09:20 - 2009-07-13 21:13 - 00801542 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-17 09:16 - 2009-07-13 20:51 - 00037677 _____ () C:\Windows\setupact.log
2015-02-17 09:04 - 2013-10-16 06:16 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-17 08:52 - 2013-10-30 07:46 - 00000000 ____D () C:\ProgramData\MFAData
2015-02-17 08:31 - 2009-07-13 20:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-17 08:31 - 2009-07-13 20:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-17 08:27 - 2013-10-16 06:16 - 01877966 _____ () C:\Windows\WindowsUpdate.log
2015-02-17 08:24 - 2013-10-29 12:45 - 00000128 _____ () C:\Windows\system32\config\netlogon.ftl
2015-02-17 08:24 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-17 08:02 - 2013-10-29 12:50 - 00000032 _____ () C:\Windows\system32\y
2015-02-16 10:28 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-02-12 04:06 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2015-02-11 03:25 - 2009-07-13 20:45 - 00294400 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-11 03:22 - 2014-12-10 03:20 - 00000000 ____D () C:\Windows\system32\appraiser
2015-02-11 03:22 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-02-11 03:22 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-02-11 03:04 - 2013-10-30 07:21 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-02 12:45 - 2014-10-20 11:19 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox
2015-02-01 16:23 - 2014-10-20 11:21 - 00000000 ___RD () C:\Users\lowell.TRIDENT\Dropbox
2015-02-01 16:23 - 2013-12-20 10:37 - 00000000 ____D () C:\Users\lowell.TRIDENT
2015-02-01 16:19 - 2014-02-11 09:08 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Roaming\webex
2015-02-01 16:18 - 2013-12-20 10:37 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe
2015-02-01 16:12 - 2013-12-20 10:38 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Local\AVG SafeGuard toolbar
 
==================== Files in the root of some directories =======
 
2015-02-01 16:19 - 2015-02-01 16:19 - 0008554 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.HTML
2015-02-01 16:19 - 2015-02-01 16:19 - 0046071 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.PNG
2015-02-01 16:19 - 2015-02-01 16:19 - 0004220 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.TXT
2015-02-01 16:19 - 2015-02-01 16:19 - 0000276 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.URL
2015-02-01 16:03 - 2015-02-01 16:03 - 0000480 ____H () C:\Users\lowell.TRIDENT\AppData\Roaming\麽鎒駓覜
2014-04-23 14:12 - 2014-04-23 14:12 - 0006656 _____ () C:\Users\lowell.TRIDENT\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-02-01 16:18 - 2015-02-01 16:18 - 0008554 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.HTML
2015-02-01 16:18 - 2015-02-01 16:18 - 0046071 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.PNG
2015-02-01 16:18 - 2015-02-01 16:18 - 0004220 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.TXT
2015-02-01 16:18 - 2015-02-01 16:18 - 0000276 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.URL
 
Some content of TEMP:
====================
C:\Users\administrator\AppData\Local\Temp\oi_{0213B3AA-B6AE-4778-8BFE-AA91979944A5}.exe
C:\Users\administrator\AppData\Local\Temp\ose00000.exe
C:\Users\lowell.TRIDENT\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp4dfu6m.dll
C:\Users\lowell.TRIDENT\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpj8accm.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-13 00:24
 
==================== End Of Log ============================


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:19 PM

Posted 23 February 2015 - 05:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/567532 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 aquacraft

aquacraft
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:19 PM

Posted 25 February 2015 - 07:21 PM

Here are the updated logs:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-02-2015 01
Ran by Lowell (administrator) on LOWELL-PC on 25-02-2015 12:13:28
Running from C:\Users\lowell.TRIDENT\Desktop
Loaded Profiles: Lowell (Available profiles: Lowell & Administrator & Lowell)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2svc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2comm.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2pre.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2tray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\TiMiniService.exe
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Titanium\TiResumeSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
(Conexant Systems, Inc) C:\Program Files\CONEXANT\SAII\SmartAudio.exe
(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgui.exe
() C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
(Inbox.com, Inc.) C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Dropbox, Inc.) C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Exact Software North America) \\w2k3fp\MACAPPS\macsql\MACOLA32.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrvx.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_11_8_800_94_ActiveX.exe
(Microsoft Corporation) C:\Windows\SysWOW64\SearchProtocolHost.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [564352 2011-12-15] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [310912 2011-06-24] (Conexant Systems, Inc.)
HKLM\...\Run: [VizorHtmlDialog.exe] => C:\Program Files\Trend Micro\Titanium\UIFramework\VizorHtmlDialog.exe [1139992 2011-05-20] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [192520 2011-05-20] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Titanium] => C:\Program Files\Trend Micro\Titanium\VizorShortCut.exe [328400 2011-05-20] (Trend Micro Inc.)
HKLM\...\Run: [DBRMTray] => C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4411952 2014-11-04] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2640408 2014-08-15] ()
HKLM-x32\...\Run: [InboxToolbar] => C:\Program Files (x86)\Inbox Toolbar\Inbox.exe [1380336 2013-12-02] (Inbox.com, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\RunOnce: [DBRMTray] => C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
Winlogon\Notify\igfxcui: C:\Windows\SYSTEM32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/1NR6t2w
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/1NR6t2w
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2445902028-2695422737-3037335337-1162\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKU\S-1-5-21-2445902028-2695422737-3037335337-1162\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\TmIEPlg.dll (Trend Micro Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe64.dll (Trend Micro Inc.)
BHO: Inbox Toolbar -> {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -> C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll (Inbox.com, Inc.)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\TmIEPlg32.dll (Trend Micro Inc.)
BHO-x32: PasswordBox Helper -> {5DB69B97-934B-451D-94DB-32EF802A01CD} -> C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: AVG SafeGuard toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.9.790\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
BHO-x32: Inbox Toolbar -> {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -> C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
Toolbar: HKLM - &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll (Inbox.com, Inc.)
Toolbar: HKLM-x32 - AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.9.790\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T29L10NSP3-17099/webex/ieatgpc1.cab
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll (Inbox.com, Inc.)
Handler-x32: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe64.dll (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\TmIEPlg.dll (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\TmIEPlg32.dll (Trend Micro Inc.)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll (AVG Secure Search)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.3

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.1.9\\npsitesafety.dll No File
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.66 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1077\firefoxextension [2013-10-16]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4942384 2014-10-17] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [732160 2012-12-10] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [803872 2012-12-10] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165336 2013-01-14] (Intel Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366512 2015-01-30] (Microsoft Corporation)
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 TiMiniService; C:\Program Files\Trend Micro\Titanium\TiMiniService.exe [244440 2011-05-20] (Trend Micro Inc.)
R2 vToolbarUpdater18.1.9; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [1820184 2014-08-15] (AVG Secure Search)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-10-16] (Microsoft Corporation)
S3 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [209720 2014-11-04] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311608 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-07-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2014-10-17] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-15] (AVG Technologies)
R2 monblanking; C:\Windows\System32\DRIVERS\monblanking.sys [34960 2014-09-04] (Citrix Systems, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124560 2014-11-15] (Microsoft Corporation)
R2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [90896 2011-05-21] (Trend Micro Inc.)
R2 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [144656 2011-05-21] (Trend Micro Inc.)
R2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [69392 2011-05-21] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105552 2011-05-21] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-25 12:13 - 2015-02-25 12:13 - 02087936 _____ (Farbar) C:\Users\lowell.TRIDENT\Desktop\FRST64.exe
2015-02-25 12:13 - 2015-02-25 12:13 - 00017717 _____ () C:\Users\lowell.TRIDENT\Desktop\FRST.txt
2015-02-25 03:00 - 2015-01-08 15:44 - 00419936 _____ () C:\Windows\SysWOW64\locale.nls
2015-02-25 03:00 - 2015-01-08 15:43 - 00419936 _____ () C:\Windows\system32\locale.nls
2015-02-17 09:22 - 2015-02-25 12:13 - 00000000 ____D () C:\FRST
2015-02-17 09:22 - 2015-02-06 12:03 - 22497944 _____ () C:\Users\lowell.TRIDENT\Desktop\fix n zip.decryptedKLR.mp4
2015-02-17 09:22 - 2015-02-06 11:29 - 00009238 _____ () C:\Users\lowell.TRIDENT\Desktop\ORDER FEV 6.decryptedKLR.xlsx
2015-02-17 09:22 - 2015-02-05 13:04 - 01076168 _____ () C:\Users\lowell.TRIDENT\Desktop\Sterisolquart 2011.decryptedKLR.tif
2015-02-17 09:22 - 2015-02-05 13:04 - 00641260 _____ () C:\Users\lowell.TRIDENT\Desktop\Sterisol Sanitizer 2oz 2011.decryptedKLR.tif
2015-02-17 09:16 - 2015-02-17 09:18 - 02077880 _____ () C:\Users\lowell.TRIDENT\Desktop\ListCWall.txt
2015-02-16 15:43 - 2015-02-16 15:43 - 00000000 ____D () C:\Windows\pss
2015-02-16 11:59 - 2015-02-16 11:59 - 00000000 ____D () C:\Users\lowell.TRIDENT\Documents\ProcAlyzer Dumps
2015-02-11 09:59 - 2015-01-22 20:42 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-11 09:59 - 2015-01-22 20:41 - 06041600 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-11 09:59 - 2015-01-22 19:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-02-11 09:59 - 2015-01-22 19:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00894976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00762368 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00609280 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00414720 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-02-10 14:55 - 2015-02-03 19:16 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-02-10 14:55 - 2015-02-03 19:13 - 01098752 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-02-10 14:55 - 2015-01-27 15:36 - 01239720 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2015-02-10 14:55 - 2015-01-06 19:15 - 00104896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mup.sys
2015-02-10 14:55 - 2015-01-06 19:10 - 00782848 _____ (Microsoft Corporation) C:\Windows\system32\gpsvc.dll
2015-02-10 14:55 - 2015-01-06 18:44 - 00079872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpapi.dll
2015-02-10 14:55 - 2015-01-06 17:49 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdbss.sys
2015-02-10 14:55 - 2015-01-06 17:49 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-02-10 14:55 - 2015-01-06 17:48 - 00290816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-02-10 14:55 - 2015-01-06 17:48 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-02-10 14:55 - 2015-01-06 17:48 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dfsc.sys
2015-02-10 14:54 - 2015-01-13 21:47 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-10 14:54 - 2015-01-13 21:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-10 14:54 - 2015-01-12 19:10 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-10 14:54 - 2015-01-12 18:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-02-10 14:54 - 2015-01-11 19:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-10 14:54 - 2015-01-11 19:05 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-10 14:54 - 2015-01-11 19:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-10 14:54 - 2015-01-11 18:49 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-10 14:54 - 2015-01-11 18:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-10 14:54 - 2015-01-11 18:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-10 14:54 - 2015-01-11 18:48 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-10 14:54 - 2015-01-11 18:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-10 14:54 - 2015-01-11 18:40 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-10 14:54 - 2015-01-11 18:39 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-10 14:54 - 2015-01-11 18:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-10 14:54 - 2015-01-11 18:34 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-10 14:54 - 2015-01-11 18:34 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-10 14:54 - 2015-01-11 18:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-10 14:54 - 2015-01-11 18:25 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-10 14:54 - 2015-01-11 18:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-02-10 14:54 - 2015-01-11 18:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-10 14:54 - 2015-01-11 18:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-10 14:54 - 2015-01-11 18:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-10 14:54 - 2015-01-11 18:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-10 14:54 - 2015-01-11 18:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-10 14:54 - 2015-01-11 18:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-02-10 14:54 - 2015-01-11 18:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-02-10 14:54 - 2015-01-11 18:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-10 14:54 - 2015-01-11 18:04 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-10 14:54 - 2015-01-11 18:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-10 14:54 - 2015-01-11 18:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-02-10 14:54 - 2015-01-11 17:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-02-10 14:54 - 2015-01-11 17:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-02-10 14:54 - 2015-01-11 17:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-02-10 14:54 - 2015-01-11 17:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-10 14:54 - 2015-01-11 17:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-10 14:54 - 2015-01-11 17:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-10 14:54 - 2015-01-11 17:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-10 14:54 - 2015-01-11 17:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-10 14:54 - 2015-01-11 17:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-10 14:54 - 2015-01-11 17:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-10 14:54 - 2015-01-11 17:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-02-10 14:54 - 2015-01-11 17:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-02-10 14:54 - 2015-01-11 17:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-02-10 14:54 - 2015-01-11 17:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-10 14:54 - 2015-01-11 17:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-10 14:54 - 2015-01-11 17:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-10 14:54 - 2015-01-11 17:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-02-10 14:54 - 2015-01-11 17:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-10 14:54 - 2015-01-11 17:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-10 14:54 - 2015-01-11 17:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-10 14:54 - 2015-01-11 17:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-10 14:54 - 2015-01-11 16:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-10 14:54 - 2015-01-11 16:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-10 14:54 - 2015-01-09 22:48 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-02-10 14:54 - 2015-01-09 22:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-02-10 14:53 - 2015-01-15 00:14 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-10 14:53 - 2015-01-15 00:14 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-10 14:53 - 2015-01-15 00:09 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-10 14:53 - 2015-01-15 00:09 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-10 14:53 - 2015-01-15 00:09 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-10 14:53 - 2015-01-15 00:09 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-10 14:53 - 2015-01-15 00:09 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-10 14:53 - 2015-01-15 00:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-10 14:53 - 2015-01-15 00:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-10 14:53 - 2015-01-15 00:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-10 14:53 - 2015-01-15 00:04 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-10 14:53 - 2015-01-14 23:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-02-10 14:53 - 2015-01-14 23:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-02-10 14:53 - 2015-01-14 23:41 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-02-10 14:53 - 2015-01-14 23:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-02-10 14:53 - 2015-01-14 23:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-02-10 14:53 - 2015-01-14 23:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-02-10 14:53 - 2015-01-14 20:22 - 00458824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-10 14:53 - 2015-01-13 22:09 - 05554112 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-10 14:53 - 2015-01-13 22:05 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-02-10 14:53 - 2015-01-13 22:05 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-02-10 14:53 - 2015-01-13 22:04 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-02-10 14:53 - 2015-01-13 21:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-02-10 14:53 - 2015-01-13 21:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-02-10 14:53 - 2015-01-13 21:41 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-02-10 14:53 - 2014-12-11 21:31 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-02-10 14:53 - 2014-12-11 21:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-02-10 14:53 - 2014-12-07 19:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-10 14:53 - 2014-12-07 18:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-02-10 14:53 - 2014-11-25 19:53 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-10 14:53 - 2014-11-25 19:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-02-10 14:53 - 2014-10-03 18:10 - 03722752 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-02-10 14:53 - 2014-10-03 17:42 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-02-10 14:53 - 2014-10-03 17:42 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2015-02-10 14:53 - 2014-07-06 18:07 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-02-10 14:53 - 2014-07-06 18:06 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-02-10 14:53 - 2014-07-06 17:40 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-02-10 14:53 - 2014-07-06 17:40 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-02-10 14:52 - 2015-01-08 18:03 - 03201536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-06 12:03 - 2015-02-06 12:03 - 22497944 _____ () C:\Users\lowell.TRIDENT\Desktop\fix n zip.mp4
2015-02-06 12:02 - 2015-02-06 12:02 - 11949937 _____ () C:\Users\lowell.TRIDENT\Desktop\fix n zip.wmv
2015-02-06 09:41 - 2015-02-06 11:29 - 00009238 _____ () C:\Users\lowell.TRIDENT\Desktop\ORDER FEV 6.xlsx
2015-02-05 13:04 - 2015-02-05 13:04 - 01076168 _____ () C:\Users\lowell.TRIDENT\Desktop\Sterisolquart 2011.tif
2015-02-05 13:04 - 2015-02-05 13:04 - 00641260 _____ () C:\Users\lowell.TRIDENT\Desktop\Sterisol Sanitizer 2oz 2011.tif
2015-02-03 08:54 - 2015-02-16 10:36 - 00001038 _____ () C:\Users\lowell.TRIDENT\Desktop\ListCrilock.txt
2015-02-02 15:46 - 2015-02-16 12:02 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-02-02 15:46 - 2015-02-02 15:55 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-02-02 15:46 - 2015-02-02 15:46 - 00001397 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-02-02 15:46 - 2015-02-02 15:46 - 00001385 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-02-02 15:46 - 2015-02-02 15:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-02-02 15:46 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2015-02-02 08:47 - 2015-02-11 03:02 - 00002119 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-02-02 08:47 - 2015-02-11 03:02 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-02-02 08:46 - 2015-02-11 03:02 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-02-02 08:46 - 2015-02-11 03:02 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2015-02-01 16:23 - 2015-02-01 16:23 - 00008554 _____ () C:\Users\lowell.TRIDENT\HELP_DECRYPT.HTML
2015-02-01 16:23 - 2015-02-01 16:23 - 00004220 _____ () C:\Users\lowell.TRIDENT\HELP_DECRYPT.TXT
2015-02-01 16:23 - 2015-02-01 16:23 - 00000276 _____ () C:\Users\lowell.TRIDENT\HELP_DECRYPT.URL
2015-02-01 16:21 - 2015-02-01 16:21 - 00008554 _____ () C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.HTML
2015-02-01 16:21 - 2015-02-01 16:21 - 00004220 _____ () C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.TXT
2015-02-01 16:21 - 2015-02-01 16:21 - 00000276 _____ () C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.URL
2015-02-01 16:19 - 2015-02-01 16:19 - 00008554 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.HTML
2015-02-01 16:19 - 2015-02-01 16:19 - 00008554 _____ () C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.HTML
2015-02-01 16:19 - 2015-02-01 16:19 - 00004220 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.TXT
2015-02-01 16:19 - 2015-02-01 16:19 - 00004220 _____ () C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.TXT
2015-02-01 16:19 - 2015-02-01 16:19 - 00000276 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.URL
2015-02-01 16:19 - 2015-02-01 16:19 - 00000276 _____ () C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.URL
2015-02-01 16:18 - 2015-02-01 16:18 - 00008554 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.HTML
2015-02-01 16:18 - 2015-02-01 16:18 - 00004220 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.TXT
2015-02-01 16:18 - 2015-02-01 16:18 - 00000276 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.URL
2015-02-01 16:03 - 2015-02-01 16:03 - 00000480 ____H () C:\Users\lowell.TRIDENT\AppData\Roaming\麽鎒駓覜
2015-02-01 16:02 - 2015-02-01 16:05 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Roaming\FrameworkUpdate
2015-01-30 12:10 - 2015-02-01 16:21 - 00000000 ____D () C:\Users\lowell.TRIDENT\Desktop\sp ch
2015-01-30 12:06 - 2015-02-01 16:21 - 00000000 ____D () C:\Users\lowell.TRIDENT\Desktop\wm
2015-01-30 12:02 - 2015-02-16 10:40 - 00000000 ____D () C:\Users\lowell.TRIDENT\Desktop\desk top

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-25 12:12 - 2009-07-13 21:13 - 00801542 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-25 12:04 - 2013-10-16 06:16 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-25 11:37 - 2013-10-16 06:16 - 01700628 _____ () C:\Windows\WindowsUpdate.log
2015-02-25 11:13 - 2013-10-29 12:45 - 00000128 _____ () C:\Windows\system32\config\netlogon.ftl
2015-02-25 09:20 - 2013-10-30 07:46 - 00000000 ____D () C:\ProgramData\MFAData
2015-02-25 03:24 - 2009-07-13 20:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-25 03:24 - 2009-07-13 20:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-25 03:17 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-25 03:17 - 2009-07-13 20:51 - 00037845 _____ () C:\Windows\setupact.log
2015-02-17 08:02 - 2013-10-29 12:50 - 00000032 _____ () C:\Windows\system32\y
2015-02-16 10:28 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-02-12 04:06 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2015-02-11 03:25 - 2009-07-13 20:45 - 00294400 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-11 03:22 - 2014-12-10 03:20 - 00000000 ____D () C:\Windows\system32\appraiser
2015-02-11 03:22 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-02-11 03:22 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-02-11 03:04 - 2013-10-30 07:21 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-02 12:45 - 2014-10-20 11:19 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox
2015-02-01 16:23 - 2014-10-20 11:21 - 00000000 ___RD () C:\Users\lowell.TRIDENT\Dropbox
2015-02-01 16:23 - 2013-12-20 10:37 - 00000000 ____D () C:\Users\lowell.TRIDENT
2015-02-01 16:19 - 2014-02-11 09:08 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Roaming\webex
2015-02-01 16:18 - 2013-12-20 10:37 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe
2015-02-01 16:12 - 2013-12-20 10:38 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Local\AVG SafeGuard toolbar

==================== Files in the root of some directories =======

2015-02-01 16:19 - 2015-02-01 16:19 - 0008554 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.HTML
2015-02-01 16:19 - 2015-02-01 16:19 - 0046071 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.PNG
2015-02-01 16:19 - 2015-02-01 16:19 - 0004220 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.TXT
2015-02-01 16:19 - 2015-02-01 16:19 - 0000276 _____ () C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.URL
2015-02-01 16:03 - 2015-02-01 16:03 - 0000480 ____H () C:\Users\lowell.TRIDENT\AppData\Roaming\麽鎒駓覜
2014-04-23 14:12 - 2014-04-23 14:12 - 0006656 _____ () C:\Users\lowell.TRIDENT\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-02-01 16:18 - 2015-02-01 16:18 - 0008554 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.HTML
2015-02-01 16:18 - 2015-02-01 16:18 - 0046071 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.PNG
2015-02-01 16:18 - 2015-02-01 16:18 - 0004220 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.TXT
2015-02-01 16:18 - 2015-02-01 16:18 - 0000276 _____ () C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.URL

Some content of TEMP:
====================
C:\Users\administrator\AppData\Local\Temp\oi_{0213B3AA-B6AE-4778-8BFE-AA91979944A5}.exe
C:\Users\administrator\AppData\Local\Temp\ose00000.exe
C:\Users\lowell.TRIDENT\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpk0vnqp.dll
C:\Users\lowell.TRIDENT\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpmqrs2z.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-23 00:35

==================== End Of Log ============================

#4 BrianDrab

  • Malware Response Team
  • 266 posts
  • Gender:Male

Posted 26 February 2015 - 02:26 PM

Hi. My name is Brian, and I would be happy to look into your issue.

- General Instructions -

  • Please read all instructions and fixes thoroughly. Read the ENTIRE post BEFORE performing any steps so you understand all that needs to be done.
  • I would advise printing any instructions for easy reference as some of the fixes may require you to boot in Safe mode. Access to these instructions may not be available in Safe Mode.
  • Any fixes provided by myself are for this log file only and should not be used on any other systems.
  • Do not run any other removal software or perform updates other than the ones I provide, as it will complicate the cleaning process.
  • It's very likely that part of our cleanup will include emptying your recycle bin. If you use your recycle bin as an archive and do not wish this to be emptied, please let me know.
  • You have 4 days to reply to each post or the topic will be closed.
  • Please feel free to ask any questions, especially if you are having problems with my instructions.


- Save ALL Tools to your Desktop -

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.
 
Since you are continuing with this step, I assume you are unfamiliar with saving files to your desktop. As a result, it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
 

- Finally, Before We Start -

Removing malware is a complicated multiple-step process. Please stay with me until I have declared your system clean. I strongly recommend you back up your personal files and folders. Although rare, attempting to remove malware can render your machine unbootable or cause data loss. Having backups of your data is your responsibility. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Let's get started. I would be happy to assist you.

Step#1 - Warnings

Too Many AVs

You are running too many antivirus programs. This is not a good idea, as it can cause problems such as slowness, conflicts and increased vulnerability to infection. It could also interfere with our fixes. It appears you are running Microsoft Security Essentials and AVG 2013 and also have Trend Micro Titanium Internet Security installed but disabled.

You need to pick one and uninstall the others. Let me know what you decide to do.

Spybot Search & Destroy
I see that you have Spybot Search & Destroy. We no longer recommend this product because of the poor testing results. I recommend uninstalling this program. If you don't want to uninstall the program then please at least disable Tea Timer while performing any of my instructions. You can re-enable it when we are all done. Instructions for that are here. If you do decide to uninstall the program, first Undo your immunization before uninstalling. You can do that by clicking the Undo button within Spybot S&D and then remove it from Add/Remove programs.

Step#2 - Uninstalls
Please uninstall the following programs one at a time. Instructions for doing so are here.
If any of the programs give you an error during the uninstall, notate it and move on to the next one. Just let me know which ones had issues. If you are asked to reboot, answer No until all the programs have been uninstalled and then you can reboot. All of these programs are either outdated, malware/adware, have a bad reputation or are not recommended. If you absolutely must have one of them I suggest that you wait until you are declared clean before reinstalling.

24x7 Help
AVG SafeGuard toolbar
Inbox Toolbar

 

Step#3 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
1. Download the attached file (fixlist.txt, 3.68KB) and save it to the Desktop.
Note: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work (in this case, the desktop).
2. Run FRST64 by right-clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
4. When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

 

 

 

Items for your next post

1. Let me know what you decided for your AV.
2. FRST Fix Log

#5 aquacraft
  • Topic Starter
  • Members
  • 9 posts

Posted 27 February 2015 - 11:41 AM

I have removed the following with no issues encountered:

Spybot
AVG
AVG safeguard toolbar
Trend Micro Security
24x7 Help
Inbox Toolbar

I will keep the Microsoft Security Essentials for now unless you have an alternative recommendation.

I will need to split this log into several posts as it appears to be too large.

Log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by Lowell at 2015-02-26 12:52:07 Run:1
Running from C:\Users\lowell.TRIDENT\Desktop
Loaded Profiles: Lowell (Available profiles: Lowell & Administrator & Lowell)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe
C:\Program Files (x86)\Common Files\AVG Secure Search
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe
C:\Program Files (x86)\Common Files\AVG Secure Search
() C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
C:\Program Files (x86)\AVG SafeGuard toolbar\
(Inbox.com, Inc.) C:\Program Files (x86)\Inbox Toolbar\Inbox.exe
C:\Program Files (x86)\Inbox Toolbar
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2640408 2014-08-15] ()
HKLM-x32\...\Run: [InboxToolbar] => C:\Program Files (x86)\Inbox Toolbar\Inbox.exe [1380336 2013-12-02] (Inbox.com, Inc.)
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/1NR6t2w
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.tostotor.com/1NR6t2w
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: Inbox Toolbar -> {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -> C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll (Inbox.com, Inc.)
BHO-x32: AVG SafeGuard toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.9.790\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
BHO-x32: Inbox Toolbar -> {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -> C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
Toolbar: HKLM - &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll (Inbox.com, Inc.)
Toolbar: HKLM-x32 - AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.9.790\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files (x86)\Inbox Toolbar\Inbox64.dll (Inbox.com, Inc.)
Handler-x32: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files (x86)\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll (AVG Secure Search)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.1.9\\npsitesafety.dll No File
2015-02-01 16:12 - 2013-12-20 10:38 - 00000000 ____D () C:\Users\lowell.TRIDENT\AppData\Local\AVG SafeGuard toolbar
cmd: type C:\Users\lowell.TRIDENT\Desktop\ListCWall.txt
cmd: type C:\Users\lowell.TRIDENT\Desktop\ListCrilock.txt
cmd: bitsadmin /reset /allusers
EmptyTemp:

*****************

Restore point was successfully created.
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe => No running process found
"C:\Program Files (x86)\Common Files\AVG Secure Search" => File/Directory not found.
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe => No running process found
"C:\Program Files (x86)\Common Files\AVG Secure Search" => File/Directory not found.
C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe => No running process found
"C:\Program Files (x86)\AVG SafeGuard toolbar" => File/Directory not found.
C:\Program Files (x86)\Inbox Toolbar\Inbox.exe => No running process found
"C:\Program Files (x86)\Inbox Toolbar" => File/Directory not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\vProt => Value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\InboxToolbar => Value not found.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML not found.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG not found.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT not found.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} => Key not found.
HKCR\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} => Key not found.
HKCR\Wow6432Node\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} => Value not found.
HKCR\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{95B7759C-8C7F-4BF1-B163-73684A933233} => Value not found.
HKCR\Wow6432Node\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} => Value not found.
HKCR\Wow6432Node\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} => Key not found.
HKCR\PROTOCOLS\Handler\inbox => Key not found.
HKCR\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27} => Key not found.
HKCR\Wow6432Node\PROTOCOLS\Handler\inbox => Key not found.
HKCR\Wow6432Node\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27} => Key not found.
HKCR\Wow6432Node\PROTOCOLS\Handler\viprotocol => Key not found.
HKCR\Wow6432Node\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9} => Key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin => Key not found.
"C:\Users\lowell.TRIDENT\AppData\Local\AVG SafeGuard toolbar" => File/Directory not found.

========= type C:\Users\lowell.TRIDENT\Desktop\ListCWall.txt =========

ListCWall 1.3.0 by Lawrence Abrams (Grinler)
Backup function added by The Pugilist
http://www.bleepingcomputer.com/

Copyright 2008-2015 BleepingComputer.com
More Information about the CryptoWall Ransomware can be found here:
http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

Windows Version: Windows 7 Professional Service Pack 1
Username: Lowell Computer Name: LOWELL-PC

Program started at: 02/17/2015 09:16:21 AM.

Exporting list of Encrypted Files from HKCU\Software\2775CCF371B2474FE0A1F5F0C6483804\00013445688ACEFF:




#6 aquacraft

aquacraft
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:19 PM

Posted 27 February 2015 - 11:45 AM

I did not include all of the log. There is a large amount of encrypted files listed. If you need to know what those files are, I can post them in the next reply.

Here is the balance of the log:

13908 encrypted files found.

Program finished at: 02/17/2015 09:18:27 AM
Execution time: 0 hours(s), 2 minute(s), and 5 seconds(s)

========= End of CMD: =========

========= type C:\Users\lowell.TRIDENT\Desktop\ListCrilock.txt =========

ListCrilock 1.1.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/

Copyright 2008-2015 BleepingComputer.com
More Information about the CryptoLocker Ransomware can be found here:
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Windows Version: Windows 7 Professional Service Pack 1
Program started at: 02/16/2015 10:36:53 AM.

0 encrypted files found.

Program finished at: 02/16/2015 10:36:53 AM
Execution time: 0 hours(s), 0 minute(s), and 0 seconds(s)

========= End of CMD: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => Removed 1.7 GB temporary data.

The system needed a reboot.

==== End of Fixlog 12:57:15 ====



#7 BrianDrab (Malware Response Team)

Posted 27 February 2015 - 12:52 PM

I thought I had removed this using Microsoft Security Essentials but evidently It didn't work because many of my files are encrypted

 

You do understand that it isn't possible to recover your files except from backup (if you have one), correct? Some people have paid the ransom and were able to recover their files, but I can't make that recommendation. Information you may have already read about is here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information

 

Does this mean both the computer and server need to have this removed or just the original computer it was unleashed from?

 

Just the computer would have to be cleaned from the infection. The files on the server that are encrypted are also unrecoverable.

 

Please confirm for me that you understand this and we'll continue cleaning up your computer to ensure the infection isn't still resident.



#8 aquacraft (Topic Starter)

Posted 27 February 2015 - 12:57 PM

I understand there is no way yet to recover the files without paying the ransom. Fortunately I have a backup for the server but not the workstation. 



#9 BrianDrab (Malware Response Team)

Posted 27 February 2015 - 01:19 PM

I got hit with this 3 different times at work so I feel your pain. We lost a lot of stuff. Like you some was backed up and some wasn't.
 
OK, let's finish cleaning your machine. Please do the following.
 
Step#1 - AdwCleaner
1. Please download AdwCleaner by Xplode onto your desktop.
2. Close all open programs and internet browsers.
3. Right-click on AdwCleaner.exe and select Run as administrator to run the tool.
4. Click on Scan.
5. After the scan is complete click on "Clean"
6. Confirm each time with Ok.
7. Your computer will be rebooted automatically. A text file will open after the restart.
8. Please post the content of that logfile with your next answer.
9. If need be, you can also find the logfile at C:\AdwCleaner\AdwCleaner[S0].txt as well.
 
Step#2 - Rootkit Scan
1. Download aswMBR to your desktop.
2. Right-click on aswMBR.exe and select Run as administrator to run it.
3. If you get a question about Virtualization Technology, answer Yes.
4. If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
5. Click the "Scan" button to start scan.
6. On completion of the scan click "Save log", save it to your desktop and post in your next reply.
NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
 
Step#3 - Run RogueKiller

  • Click here to go to the RogueKiller download page.
  • Scroll down on the page and click on the Download button for the 64-bit version.


  • Quit all programs and close all browsers.
  • Double click the RogueKiller icon to run the program.
    NOTE: If this is the first time you have used the program you will need to accept the User Agreement and the browser will open with some information related to the program.
  • Wait until Prescan has finished ...This may take a few minutes, especially if it is the first time you have used the program.
  • Click on Scan
  • Wait for the end of the scan.
  • DO NOT delete anything at this time.
  • Please post the results
  • NOTE: If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

 

 

Items for your next post

1. Adwcleaner log

2. Rootkit scan log

3. RogueKiller log



#10 aquacraft (Topic Starter)

Posted 27 February 2015 - 04:14 PM

# AdwCleaner v4.111 - Logfile created 27/02/2015 at 10:34:32
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Lowell - LOWELL-PC
# Running from : C:\Users\lowell.TRIDENT\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{865D7100-82C7-42F4-9C06-860DEC0871B2}
Key Deleted : HKCU\Software\24x7help
Key Deleted : HKLM\SOFTWARE\24x7help
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\sweetwater.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.sweetwater.com
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - localhost:8080
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17631
 
 
*************************
 
AdwCleaner[R0].txt - [2085 bytes] - [27/02/2015 10:32:31]
AdwCleaner[S0].txt - [1998 bytes] - [27/02/2015 10:34:32]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2057  bytes] ##########
 
aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-02-27 10:37:43
-----------------------------
10:37:43.295    OS Version: Windows x64 6.1.7601 Service Pack 1
10:37:43.295    Number of processors: 4 586 0x3A09
10:37:43.295    ComputerName: LOWELL-PC  UserName: Lowell
10:37:44.447    Initialize success
10:37:44.509    VM: initialized successfully
10:37:44.509    VM: Intel CPU supported 
10:38:02.043    VM: supported disk I/O ataport.SYS
10:40:45.762    AVAST engine defs: 15022700
10:41:07.379    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
10:41:07.395    Disk 0 Vendor: WDC_WD5000AAKX-75U6AA0 19.01H19 Size: 476940MB BusType: 11
10:41:07.472    VM: Disk 0 MBR read successfully
10:41:07.472    Disk 0 MBR scan
10:41:07.504    Disk 0 Windows VISTA default MBR code
10:41:07.519    Disk 0 Partition 1 00     DE Dell Utility DELL 4.1       39 MB offset 63
10:41:07.519    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        19014 MB offset 81920
10:41:07.535    Disk 0 Boot: NTFS     code=1
10:41:07.566    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       457885 MB offset 39022592
10:41:07.628    Disk 0 scanning C:\Windows\system32\drivers
10:41:18.499    Service scanning
10:41:42.521    Modules scanning
10:41:42.521    Disk 0 trace - called modules:
10:41:42.537    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
10:41:42.537    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004719060]
10:41:42.552    3 CLASSPNP.SYS[fffff880015b343f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800413d060]
10:41:43.893    AVAST engine scan C:\Windows
10:41:46.076    AVAST engine scan C:\Windows\system32
10:45:12.858    AVAST engine scan C:\Windows\system32\drivers
10:45:35.090    AVAST engine scan C:\Users\lowell.TRIDENT
10:47:42.243    AVAST engine scan C:\ProgramData
10:49:38.814    Disk 0 statistics 3462018/0/22 @ 6.72 MB/s
10:49:38.814    Scan finished successfully
11:46:15.289    Disk 0 MBR has been saved successfully to "C:\Users\lowell.TRIDENT\Desktop\MBR.dat"
11:46:15.305    The log file has been saved successfully to "C:\Users\lowell.TRIDENT\Desktop\aswMBR.txt"
11:46:26.181    Disk 0 MBR has been saved successfully to "E:\MBR.dat"
11:46:26.197    The log file has been saved successfully to "E:\aswMBR.txt"
________________________________________________________________________________________________
________________________________________________________________________________________________
 
RogueKiller V10.4.3.0 (x64) [Feb 23 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Lowell [Administrator]
Mode : Scan -- Date : 02/27/2015  11:52:12
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 10 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR (\??\C:\Users\LOWELL~1.TRI\AppData\Local\Temp\aswMBR.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswVmm (\??\C:\Users\LOWELL~1.TRI\AppData\Local\Temp\aswVmm.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswMBR (\??\C:\Users\LOWELL~1.TRI\AppData\Local\Temp\aswMBR.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswVmm (\??\C:\Users\LOWELL~1.TRI\AppData\Local\Temp\aswVmm.sys) -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2445902028-2695422737-3037335337-1162\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2445902028-2695422737-3037335337-1162\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKX-75U6AA0 ATA Device +++++
--- User ---
[MBR] 30c02134c1c6e18565c0aa69f99f017a
[BSP] 2a69e9f0b8075758ef60445be011c9af : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 19014 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 39022592 | Size: 457885 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: SanDisk Cruzer Glide USB Device +++++
--- User ---
[MBR] 81f9a8ad843446c5b9edcb4f0e665bbb
[BSP] 7518449fa49872b8f2fbc522c188dfd3 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 32 | Size: 30532 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
 
 
 


#11 BrianDrab (Malware Response Team)

Posted 27 February 2015 - 05:09 PM

OK, the main infection is gone. Let's do a final two scans to ensure nothing else is lurking about. Will you be deleting all of your encrypted files or do you need assistance with that?

 

Please do the following.

 

Step#1 - Malwarebytes Scan

  • Download Malwarebytes to your desktop from here.
  • Right-click on the file that is downloaded to your desktop and select Run as administrator.
  • Select the appropriate language and click OK.
  • Click Next.
  • Select "I accept the agreement" and click Next.
  • Click Next
  • Change the install path if desired. Normally you will keep this as is. Click Next.
  • Click Next again.
  • Click Next again.
  • Click Install.
  • Uncheck "Enable free trial of Malwarebytes Anti-Malware Premium".
  • Click Finish
  • If an update is found you will be prompted to download and install. Go ahead.
  • Click the Settings button and then the Detection and Protection tab. Then check the box to Scan for rootkits. as shown below.
  • Click the Scan button at the top of the form and then click Scan Now.
  • If anything is detected, there will be an Apply Actions button. Please click this.
  • Once the scan completes click the View detailed log link.
  • Then click the Copy to clipboard button and paste into your next post.

 

Step#2 - ESET Online Scanner and Post Results
Before running this scan, please temporarily disable your antivirus software to avoid conflicts. You can re-enable once it's done. Instructions for doing this on many AVs are here. This scan can take hours to run but is necessary to ensure we don't miss anything. Plan accordingly.

 

  • Please go here and click on the scan button.
  • Note: This site is optimized for Internet Explorer. Please use it for this scan. If you wish to use Firefox or Chrome you will be asked to download the ESET Smart Installer first (esetsmartinstaller_enu.exe). Go ahead and download and run this file.
  • Please accept the ESET Online Scanner EULA and click Start.
  • If prompted, allow the Add-On/Active X to install. If you have problems with this step please see this link.
  • Make sure Enable detection of potentially unwanted applications is selected.
  • Click the Advanced Settings link.
  • Make sure Remove found threats is NOT checked.
  • Make sure Scan archives IS checked.
  • Make sure Scan for potentially unsafe applications IS checked.
  • Make sure Enable Anti-Stealth technology IS checked
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, if anything was detected please click the List of found threats link.
  • Then click the Copy to Clipboard link and paste this information into your next reply.
  • Then you may click the Back button.
  • Check Uninstall Application on Close before clicking finish.

 
Items for your next post

 

1. Malwarebytes log
2. Contents of the ESET log file

 

 



#12 aquacraft (Topic Starter)

Posted 03 March 2015 - 11:56 AM

The Malwarebytes log showed no threats found.

 

The eset log:

 

C:\$Recycle.Bin\S-1-5-21-2445902028-2695422737-3037335337-1162\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\$Recycle.Bin\S-1-5-21-2445902028-2695422737-3037335337-1162\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Device Metadata\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Device Metadata\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Internet Explorer\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Internet Explorer\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\Tracing\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\Tracing\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\thumbnails\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\thumbnails\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Outlook\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Outlook\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\new\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\new\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Stationery\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Stationery\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\12.0\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\12.0\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\GMXRPQUK\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\GMXRPQUK\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\Controls\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\Controls\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick.2\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick.2\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\instance1\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\instance1\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Templates\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Templates\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\U9FXQB1EHHTPQECXO2W43KRPC5-3CC3\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\U9FXQB1EHHTPQECXO2W43KRPC5-3CC3\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Desktop\desk top\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Desktop\desk top\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Desktop\sp ch\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Desktop\sp ch\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Desktop\wm\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Desktop\wm\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Documents\Scanned Documents\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Documents\Scanned Documents\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\Photos\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\Photos\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\Photos\Sample Album\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\Photos\Sample Album\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\Public\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\Public\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\TRIDENT2015\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Dropbox\TRIDENT2015\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Pictures\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\Users\lowell.TRIDENT\Pictures\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
 



#13 BrianDrab (Malware Response Team)

Posted 03 March 2015 - 12:07 PM

Excellent. Do you need assistance deleting all of your corrupt files or will you be handling that yourself?

 

Please do the following.

 

Step#1 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
1. Download the attached file (fixlist.txt, 7.1 KB) and save it to the Desktop.
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.
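The ESET log above shows what CryptoWall 3.0 leaves behind once the encryptor itself is gone: a HELP_DECRYPT.TXT and HELP_DECRYPT.HTML pair dropped into every directory it touched, and BrianDrab's fixlist is simply that list of paths for FRST to move into C:\FRST\Quarantine. The script below is an added example written for this thread; it is not BrianDrab's fixlist, not part of FRST, and not something the original posts contain. It walks the user profile plus every mapped network drive (the OP's server shares were hit as well), counts the notes per directory, reports the creation-time window of the notes (useful for matching against the server backup), and writes an FRST-style fixlist.txt (one full path per line) to the Desktop, where FRST64.exe expects it. Assumptions: it runs as the affected user on the cleaned workstation under PowerShell 2.0 or later (Windows 7), and the .PNG/.URL note names are other CryptoWall 3.0 note variants that do not appear in this thread's logs, included only so they are not missed if present.

```powershell
<#
  Added example (not from this thread): enumerate CryptoWall 3.0 ransom notes
  under the user profile and every mapped network drive, summarise where they
  landed, and emit an FRST-style fixlist.txt (one full path per line).
  Assumptions: PowerShell 2.0+, run as the affected user, write access to the
  Desktop. HELP_DECRYPT.PNG / .URL are assumed variant note names; only the
  .TXT and .HTML names appear in the ESET log in this thread.
#>
param(
    [string[]]$Roots = @(),
    [string]$FixlistPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'fixlist.txt')
)

$noteNames = 'HELP_DECRYPT.TXT', 'HELP_DECRYPT.HTML', 'HELP_DECRYPT.PNG', 'HELP_DECRYPT.URL'

# Default scope: the user profile plus every mapped network drive, because the
# ransomware encrypts (and drops notes on) any share the user can write to.
if ($Roots.Count -eq 0) {
    $Roots += $env:USERPROFILE
    $mapped = Get-WmiObject Win32_MappedLogicalDisk -ErrorAction SilentlyContinue
    foreach ($m in $mapped) { $Roots += ($m.DeviceID + '\') }
}

$notes = @()
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Skipping missing root $root"; continue }
    # -Force includes hidden/system items; access-denied errors (junctions,
    # other users' folders) are skipped rather than aborting the walk.
    $notes += Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $noteNames -contains $_.Name.ToUpper() }
}

# Per-directory counts show how far the encryptor walked; the creation-time
# window of the notes approximates when encryption ran, which is what you
# compare against backup timestamps on the server.
$byDir = $notes | Group-Object { $_.DirectoryName } | Sort-Object Count -Descending
Write-Host ("Ransom notes found: {0} in {1} directories" -f $notes.Count, $byDir.Count)
if ($notes.Count -gt 0) {
    $times = $notes | ForEach-Object { $_.CreationTime } | Sort-Object
    Write-Host ("Note creation window: {0} .. {1}" -f $times[0], $times[-1])
    $byDir | Select-Object -First 10 | ForEach-Object { Write-Host ("{0,5}  {1}" -f $_.Count, $_.Name) }
}

# FRST fixlist format: one full path per line. FRST moves each listed file to
# C:\FRST\Quarantine (the ESET log shows earlier notes there with a .xBAD suffix)
# rather than deleting it, so nothing is lost if a path turns out to be wrong.
$notes | ForEach-Object { $_.FullName } | Sort-Object -Unique |
    Set-Content -LiteralPath $FixlistPath -Encoding ASCII
Write-Host "Wrote $FixlistPath"
```

Run it as `.\Find-RansomNotes.ps1` (or with `-Roots 'Z:\','C:\Users\lowell.TRIDENT'` to limit the scope) and review the printed summary before handing the generated fixlist.txt to FRST64 as in step 1 above. Two caveats: the notes are inert text and HTML, so the ESET "Win32/Filecoder.CR" hits on them identify leftovers, not a running encryptor, and clearing them says nothing about whether the dropper is still present; and a note found on a mapped drive means the share's own directories carry notes too, so the same sweep (or the server-side restore from the month-old backup) has to cover the server, not just the workstation.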



#14 aquacraft (Topic Starter)

Posted 03 March 2015 - 01:27 PM

I am interested in help removing corrupt files.

I would also be interested in help with the server. Perhaps when we are finished with the workstation you can have a look at the server to verify there is no infection. I do have a month old backup for file restoration but want to make sure there is no infection present.

 

Workstation Log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-03-2015
Ran by Lowell at 2015-03-03 09:29:59 Run:2
Running from C:\Users\lowell.TRIDENT\Desktop
Loaded Profiles: Lowell (Available profiles: Lowell & Administrator & Lowell)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\lowell.TRIDENT\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Device Metadata\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Device Metadata\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Internet Explorer\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Internet Explorer\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\Tracing\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\Tracing\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\thumbnails\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\thumbnails\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Outlook\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Outlook\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\new\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\new\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Stationery\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Stationery\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\12.0\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\12.0\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\GMXRPQUK\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\GMXRPQUK\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\Controls\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\Controls\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick.2\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick.2\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\instance1\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\instance1\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Templates\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Templates\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\U9FXQB1EHHTPQECXO2W43KRPC5-3CC3\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\U9FXQB1EHHTPQECXO2W43KRPC5-3CC3\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Desktop\desk top\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Desktop\desk top\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Desktop\sp ch\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Desktop\sp ch\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Desktop\wm\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Desktop\wm\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Documents\Scanned Documents\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Documents\Scanned Documents\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Dropbox\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Dropbox\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Dropbox\Photos\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Dropbox\Photos\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Dropbox\Photos\Sample Album\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Dropbox\Photos\Sample Album\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Dropbox\Public\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Dropbox\Public\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Dropbox\TRIDENT2015\HELP_DECRYPT.HTML
C:\Users\lowell.TRIDENT\Dropbox\TRIDENT2015\HELP_DECRYPT.TXT
C:\Users\lowell.TRIDENT\Pictures\HELP_DECRYPT.HTML
C\Users\lowell.TRIDENT\Pictures\HELP_DECRYPT.TXT
EmptyTemp:
*****************

C:\Users\lowell.TRIDENT\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Device Metadata\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Device Metadata\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Internet Explorer\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Internet Explorer\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\Tracing\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\MSOIdentityCRL\Tracing\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\thumbnails\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\OIS\thumbnails\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Outlook\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Outlook\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\new\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Backup\new\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Stationery\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Mail\Stationery\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\12.0\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Local\Microsoft\Windows Media\12.0\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\GMXRPQUK\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Adobe\Flash Player\AssetCache\GMXRPQUK\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\Controls\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick\Controls\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick.2\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\bin\QtQuick.2\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\instance1\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Dropbox\instance1\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Document Building Blocks\1033\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Templates\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\Microsoft\Templates\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\U9FXQB1EHHTPQECXO2W43KRPC5-3CC3\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\AppData\Roaming\webex\Avatar\U9FXQB1EHHTPQECXO2W43KRPC5-3CC3\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Desktop\desk top\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Desktop\desk top\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Desktop\sp ch\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Desktop\sp ch\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Desktop\wm\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Desktop\wm\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Documents\Scanned Documents\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Documents\Scanned Documents\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\Photos\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\Photos\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\Photos\Sample Album\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\Photos\Sample Album\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\Public\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\Public\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\TRIDENT2015\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\lowell.TRIDENT\Dropbox\TRIDENT2015\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\lowell.TRIDENT\Pictures\HELP_DECRYPT.HTML => Moved successfully.
C\Users\lowell.TRIDENT\Pictures\HELP_DECRYPT.TXT => Error: No automatic fix found for this entry.
EmptyTemp: => Removed 391.5 MB temporary data.

The system needed a reboot.

==== End of Fixlog 09:30:04 ====



#15 BrianDrab

  • Malware Response Team
  • 266 posts
  • Gender:Male
  • Local time:09:19 PM

Posted 03 March 2015 - 01:51 PM

OK, please send me the file C:\Users\lowell.TRIDENT\Desktop\ListCWall.txt. Since it's large, you can upload it to a service like https://www.sendspace.com/ and then just post the link to the file. Thanks.
