
Multiple instances of dllhost.exe slowing my PC, please help!


9 replies to this topic

#1 cnmms

Posted 11 March 2015 - 11:27 AM

Every time I boot my computer, the computer runs slowly, and the task manager shows about 10 instances of Internet Explorer in applications and about 10 instances of dllhost.exe in processes. I have run scans with Malwarebytes, adwcleaner, ESET, and Microsoft Security Essentials. All of those programs find and remove infections, including Trojans, but the problem with the dllhost.exe processes keeps coming back every time I reboot. I remember the ESET online scan found the "Filecoder CR trojan" but I did not write down the names of the other trojans and problems that the other programs found.

Below is the FRST.txt report from the scan I just did, and attached is the addition.txt file.

Thank you for your help!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by nistor (administrator) on ASBE-NISTOR6320 on 11-03-2015 08:54:33
Running from C:\Users\nistor\Downloads
Loaded Profiles: nistor (Available profiles: nistor & Administrator)
Platform: Microsoft Windows 7 Enterprise  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(CREDANT Technologies, Inc.) C:\Windows\System32\CmgShieldSvc.exe
(CREDANT Technologies, Inc.) C:\Windows\System32\EmsService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AEstSrv.exe
(Avocent Corporation) C:\Program Files\LANDesk\Shared Files\residentAgent.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\LocalSch.EXE
(LANDesk Software, Inc. and its affiliates ) C:\Program Files\LANDesk\LDClient\collector.exe
(LANDesk Software Ltd.) C:\Windows\System32\cba\pds.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\issuser.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\tmcsvc.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\amtmon.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
(O2Micro International) C:\Windows\System32\drivers\o2flash.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\SoftMon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\rcgui.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\UdaterUI.exe
(CREDANT Technologies, Inc.) C:\Windows\System32\CmgShieldUI.exe
(CREDANT Technologies, Inc.) C:\Windows\System32\EmsServiceHelper.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\McTray.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [505720 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [FreeFallProtection] => C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [McAfeeUpdaterUI] => C:\Program Files\McAfee\Common Framework\udaterui.exe [140608 2010-06-01] (McAfee, Inc.)
HKLM\...\Run: [CmgShieldUI] => C:\Windows\System32\CMGShieldUI.exe [296912 2012-11-14] (CREDANT Technologies, Inc.)
HKLM\...\Run: [EmsService] => C:\Windows\system32\EmsServiceHelper.exe [989136 2012-11-14] (CREDANT Technologies, Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [536668 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2010-10-25] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [821144 2010-10-25] (Adobe Systems Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [BrStsMon00] => C:\Program Files\Browny02\Brother\BrStMonW.exe [2621440 2010-06-10] (Brother Industries, Ltd.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [FlashPlayerUpdate] => C:\Users\nistor\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [224256 2015-03-11] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [978520 2015-01-30] (Microsoft Corporation)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\evltrws: C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll [X]
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Google Update] => C:\Users\nistor\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-06-22] (Google Inc.)
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Elwktion] => regsvr32.exe C:\Users\nistor\AppData\Local\Elwktion\CNBJOP8n.DLL <===== ATTENTION
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Eqzmtion] => C:\Windows\System32\regsvr32.exe C:\Users\nistor\AppData\Local\Okqsics\BRMWUNI.DLL
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [FlashPlayerUpdate] => C:\Users\nistor\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [224256 2015-03-11] ()
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [BluetoothS] => rundll32.exe "%appdata%\BtvStack.dll",BTHF_Register
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\system: [DisableChangePassword] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [1] blaster.exe
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [2] msblast.exe
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [3] bleep32.exe
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [NoStartMenuMyGames] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
HKU\S-1-5-18\...\Run: [evltrws] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll",evltrws <===== ATTENTION
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
Startup: C:\Users\nistor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\nistor\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSSE
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://mywindow.chapman.edu
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-02-12] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-10-21] (Oracle Corporation)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-10-21] (Oracle Corporation)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKU\.DEFAULT -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1229272821-1326574676-682003330-206732 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_41-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_41-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{0CD0E8D0-074D-4591-BBAA-1C94C6EBC3B3}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{8361CA0F-05B0-4B09-B340-6ABC87693487}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{86BE4DB9-9563-47C2-BD8C-2400CB45D7B0}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8

FireFox:
========
FF ProfilePath: C:\Users\nistor\AppData\Roaming\Mozilla\Firefox\Profiles\94lkmvuz.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_168.dll [2013-02-27] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1167637.dll [2012-08-08] (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2013-10-21] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-10-21] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-02] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1229272821-1326574676-682003330-206732: @talk.google.com/GoogleTalkPlugin -> C:\Users\nistor\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-01-27] (Google)
FF Plugin HKU\S-1-5-21-1229272821-1326574676-682003330-206732: @talk.google.com/O1DPlugin -> C:\Users\nistor\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-01-27] (Google)
FF Plugin HKU\S-1-5-21-1229272821-1326574676-682003330-206732: @tools.google.com/Google Update;version=3 -> C:\Users\nistor\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin HKU\S-1-5-21-1229272821-1326574676-682003330-206732: @tools.google.com/Google Update;version=9 -> C:\Users\nistor\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-12-02] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\nistor\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-01-27] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\nistor\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-01-27] (Google)
FF Extension: DirectSound Audio Renderer - C:\Users\nistor\AppData\Roaming\Mozilla\Firefox\Profiles\94lkmvuz.default\Extensions\{7921FDDF-DAEA-628E-4C40-DF895BD7F2BF} [2015-03-10]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA} [2015-02-27]
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-09-11]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [245760 2010-01-25] (Brother Industries, Ltd.) [File not signed]
R2 CBA8; C:\Program Files\LANDesk\Shared Files\residentagent.exe [147456 2011-08-01] (Avocent Corporation) [File not signed]
R2 CMGShield; C:\Windows\system32\CmgShieldSvc.exe [2533328 2012-11-14] (CREDANT Technologies, Inc.)
R2 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [826272 2011-12-02] (Broadcom Corporation)
R2 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [31648 2011-12-02] (Broadcom Corporation)
R2 EMS; C:\Windows\system32\EMSService.exe [1193936 2012-11-14] (CREDANT Technologies, Inc.)
R2 Intel Local Scheduler Service; C:\Program Files\LANDesk\LDClient\LocalSch.EXE [189952 2011-10-14] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 Intel PDS; C:\Windows\system32\CBA\pds.exe [32825 2012-09-11] (LANDesk Software Ltd.) [File not signed]
R2 ISSUSER; C:\Program Files\LANDesk\LDClient\issuser.exe [1459200 2011-10-20] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 LANDesk Policy Invoker; C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [207872 2011-09-29] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 LANDesk Targeted Multicast; C:\Program Files\LANDesk\LDClient\tmcsvc.exe [179200 2011-10-19] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 LANDesk® Out-of-Band Monitor Service; C:\Program Files\LANDesk\LDClient\amtmon.exe [1058304 2011-10-14] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [120128 2010-06-01] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22184 2015-01-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [284472 2015-01-30] (Microsoft Corporation)
R2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2010-02-10] (O2Micro International)
S2 ProcTrigger; C:\Program Files\LANDesk\LDClient\ProcTriggerSvc.exe [143872 2011-10-19] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 Softmon; C:\Program Files\LANDesk\LDClient\softmon.exe [403632 2011-10-19] (LANDesk Software, Inc. and its affiliates.)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [274514 2011-01-25] (IDT, Inc.)
S2 tracksvc; C:\Program Files\LANDesk\LDClient\tracksvc.exe [66560 2011-10-19] (LANDesk Software, Inc. and its affiliates.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Acceler; C:\Windows\System32\DRIVERS\accelern.sys [44144 2011-07-22] (ST Microelectronics)
R0 CmgHiber; C:\Windows\System32\DRIVERS\CmgHiber.sys [133008 2012-11-14] (CREDANT Technologies, Inc.)
R0 CmgPassThrough; C:\Windows\System32\DRIVERS\CmgShPT.sys [15248 2012-11-14] (CREDANT Technologies, Inc.)
R0 CmgPCS; C:\Windows\System32\DRIVERS\CmgPCS.sys [118888 2012-11-14] (CREDANT Technologies, Inc.)
R0 CmgShieldCEF; C:\Windows\System32\DRIVERS\CMGShCEF.sys [314768 2012-11-14] (CREDANT Technologies, Inc.)
R0 CMGShieldReg; C:\Windows\System32\DRIVERS\CmgShREG.sys [22416 2012-11-14] (CREDANT Technologies, Inc.)
R3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [40040 2011-12-02] (Broadcom Corporation)
R3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [268968 2011-07-20] (Intel Corporation)
S3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [2749416 2010-10-04] (Realtek Semiconductor Corp.)
R0 iusb3hcs; C:\Windows\System32\drivers\iusb3hcs.sys [13592 2012-02-27] (Intel Corporation)
S3 ldblank; C:\Windows\System32\DRIVERS\ldblank.sys [14848 2011-05-13] (LANDesk Software, Inc. and its affiliates.)
R3 ldmirror; C:\Windows\System32\DRIVERS\ldmirror.sys [5120 2011-05-13] (LANDesk Software, Inc. and its affiliates.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [114904 2015-03-11] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
R3 mirrorflt; C:\Windows\System32\DRIVERS\mirrorflt.sys [6656 2011-05-13] (LANDesk Software, Inc. and its affiliates.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [239224 2014-11-15] (Microsoft Corporation)
R1 MpKsl38e5dd42; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7E91BB14-D916-4EDC-9C0C-DB399BD3D9FD}\MpKsl38e5dd42.sys [39464 2015-03-11] (Microsoft Corporation)
R1 MpKslcfe5245a; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7E91BB14-D916-4EDC-9C0C-DB399BD3D9FD}\MpKslcfe5245a.sys [39464 2015-03-11] (Microsoft Corporation)
R3 O2SDJRDR; C:\Windows\System32\drivers\o2sdjw7.sys [63976 2011-03-23] (O2Micro )
R0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17904 2011-07-15] (ST Microelectronics)
S3 ST_ACCEL; C:\Windows\System32\DRIVERS\ST_ACCEL.sys [59888 2011-11-04] (STMicroelectronics)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-11 08:54 - 2015-03-11 08:57 - 00025925 _____ () C:\Users\nistor\Downloads\FRST.txt
2015-03-11 08:52 - 2015-03-11 08:55 - 00000000 ____D () C:\FRST
2015-03-11 08:49 - 2015-03-11 08:50 - 01135104 _____ (Farbar) C:\Users\nistor\Downloads\FRST.exe
2015-03-11 02:35 - 2015-03-11 06:17 - 00000000 ____D () C:\Users\nistor\AppData\Local\CrashDumps
2015-03-11 02:33 - 2015-03-11 02:51 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-03-11 02:33 - 2015-03-11 02:46 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-03-11 02:33 - 2015-03-11 02:33 - 15625816 _____ () C:\Users\nistor\Downloads\RogueKiller.exe
2015-03-11 02:12 - 2015-03-11 02:12 - 00000965 _____ () C:\Users\nistor\Desktop\JRT.txt
2015-03-11 02:03 - 2015-03-11 02:49 - 00000224 _____ () C:\Windows\setupact.log
2015-03-11 02:03 - 2015-03-11 02:03 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-11 02:02 - 2015-03-11 02:02 - 00000566 _____ () C:\Windows\PFRO.log
2015-03-11 01:55 - 2015-03-11 01:55 - 00000000 ____D () C:\Program Files\Temp File Cleaner
2015-03-11 01:50 - 2015-03-11 01:50 - 00521060 _____ () C:\Users\nistor\Desktop\ESET online virus scanner results.txt
2015-03-11 00:56 - 2015-03-11 00:56 - 00000000 ____D () C:\Program Files\ESET
2015-03-11 00:55 - 2015-03-11 00:56 - 02347384 _____ (ESET) C:\Users\nistor\Downloads\esetsmartinstaller_enu.exe
2015-03-11 00:51 - 2015-03-11 00:51 - 01388333 _____ (Thisisu) C:\Users\nistor\Downloads\JRT.exe
2015-03-11 00:48 - 2015-03-11 00:48 - 00000000 ____D () C:\Users\nistor\AppData\Local\VirtualStore
2015-03-11 00:43 - 2015-03-11 08:55 - 00114561 _____ () C:\Windows\WindowsUpdate.log
2015-03-11 00:35 - 2015-03-11 00:35 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\addpcs
2015-03-11 00:34 - 2015-03-11 01:55 - 00001027 _____ () C:\Users\nistor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Temp File Cleaner.lnk
2015-03-11 00:34 - 2015-03-11 01:55 - 00000997 _____ () C:\Users\nistor\Desktop\Temp File Cleaner.lnk
2015-03-11 00:34 - 2015-03-11 00:34 - 02073320 _____ () C:\Users\nistor\Downloads\TempFileCleaner_4.4.0_Setup.exe
2015-03-11 00:29 - 2015-03-11 00:29 - 00232200 _____ () C:\Users\nistor\Downloads\JRT-28781103.exe
2015-03-11 00:27 - 2015-03-11 00:28 - 00232200 _____ () C:\Users\nistor\Downloads\TempFileCleaner_4.4.0_Setup-28780879.exe
2015-03-11 00:04 - 2015-03-11 02:01 - 00000000 ____D () C:\AdwCleaner
2015-03-11 00:03 - 2015-03-11 00:04 - 02171392 _____ () C:\Users\nistor\Downloads\adwcleaner_4.112.exe
2015-03-10 21:40 - 2015-03-10 21:40 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-03-10 21:40 - 2015-03-10 21:40 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-03-10 21:40 - 2015-03-10 21:40 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-03-10 21:39 - 2015-03-10 21:39 - 11530032 _____ (Microsoft Corporation) C:\Users\nistor\Downloads\mseinstall.exe
2015-03-10 18:19 - 2015-03-10 18:19 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-03-10 17:06 - 2015-03-10 17:06 - 00008706 _____ () C:\Users\nistor\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-10 17:06 - 2015-03-10 17:06 - 00008706 _____ () C:\Users\nistor\AppData\HELP_DECRYPT.HTML
2015-03-10 17:06 - 2015-03-10 17:06 - 00004296 _____ () C:\Users\nistor\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-10 17:06 - 2015-03-10 17:06 - 00004296 _____ () C:\Users\nistor\AppData\HELP_DECRYPT.TXT
2015-03-10 17:06 - 2015-03-10 17:06 - 00000304 _____ () C:\Users\nistor\AppData\Roaming\HELP_DECRYPT.URL
2015-03-10 17:06 - 2015-03-10 17:06 - 00000304 _____ () C:\Users\nistor\AppData\HELP_DECRYPT.URL
2015-03-10 15:55 - 2015-03-10 15:55 - 00008706 _____ () C:\Users\nistor\AppData\Local\HELP_DECRYPT.HTML
2015-03-10 15:55 - 2015-03-10 15:55 - 00004296 _____ () C:\Users\nistor\AppData\Local\HELP_DECRYPT.TXT
2015-03-10 15:55 - 2015-03-10 15:55 - 00000304 _____ () C:\Users\nistor\AppData\Local\HELP_DECRYPT.URL
2015-03-10 15:45 - 2015-03-10 15:45 - 00008706 _____ () C:\Users\kirkley510\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00008706 _____ () C:\Users\kirkley510\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00008706 _____ () C:\Users\kirkley510\AppData\Local\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00008706 _____ () C:\Users\kirkley510\AppData\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00008706 _____ () C:\Users\cwilliam510\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00008706 _____ () C:\Users\cwilliam510\Downloads\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00008706 _____ () C:\Users\cwilliam510\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00008706 _____ () C:\Users\cwilliam510\AppData\Local\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00008706 _____ () C:\Users\cwilliam510\AppData\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\kirkley510\HELP_DECRYPT.TXT
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\kirkley510\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\kirkley510\AppData\Local\HELP_DECRYPT.TXT
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\kirkley510\AppData\HELP_DECRYPT.TXT
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\cwilliam510\HELP_DECRYPT.TXT
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\cwilliam510\Downloads\HELP_DECRYPT.TXT
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\cwilliam510\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\cwilliam510\AppData\Local\HELP_DECRYPT.TXT
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\cwilliam510\AppData\HELP_DECRYPT.TXT
2015-03-10 15:45 - 2015-03-10 15:45 - 00000304 _____ () C:\Users\kirkley510\HELP_DECRYPT.URL
2015-03-10 15:45 - 2015-03-10 15:45 - 00000304 _____ () C:\Users\kirkley510\AppData\Roaming\HELP_DECRYPT.URL
2015-03-10 15:45 - 2015-03-10 15:45 - 00000304 _____ () C:\Users\kirkley510\AppData\Local\HELP_DECRYPT.URL
2015-03-10 15:45 - 2015-03-10 15:45 - 00000304 _____ () C:\Users\kirkley510\AppData\HELP_DECRYPT.URL
2015-03-10 15:45 - 2015-03-10 15:45 - 00000304 _____ () C:\Users\cwilliam510\HELP_DECRYPT.URL
2015-03-10 15:45 - 2015-03-10 15:45 - 00000304 _____ () C:\Users\cwilliam510\Downloads\HELP_DECRYPT.URL
2015-03-10 15:45 - 2015-03-10 15:45 - 00000304 _____ () C:\Users\cwilliam510\AppData\Roaming\HELP_DECRYPT.URL
2015-03-10 15:45 - 2015-03-10 15:45 - 00000304 _____ () C:\Users\cwilliam510\AppData\Local\HELP_DECRYPT.URL
2015-03-10 15:45 - 2015-03-10 15:45 - 00000304 _____ () C:\Users\cwilliam510\AppData\HELP_DECRYPT.URL
2015-03-10 15:44 - 2015-03-10 15:44 - 00008706 _____ () C:\Users\cwilliam\HELP_DECRYPT.HTML
2015-03-10 15:44 - 2015-03-10 15:44 - 00008706 _____ () C:\Users\cwilliam\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-10 15:44 - 2015-03-10 15:44 - 00008706 _____ () C:\Users\Administrator\HELP_DECRYPT.HTML
2015-03-10 15:44 - 2015-03-10 15:44 - 00008706 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-10 15:44 - 2015-03-10 15:44 - 00008706 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.HTML
2015-03-10 15:44 - 2015-03-10 15:44 - 00008706 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.HTML
2015-03-10 15:44 - 2015-03-10 15:44 - 00004296 _____ () C:\Users\cwilliam\HELP_DECRYPT.TXT
2015-03-10 15:44 - 2015-03-10 15:44 - 00004296 _____ () C:\Users\cwilliam\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-10 15:44 - 2015-03-10 15:44 - 00004296 _____ () C:\Users\Administrator\HELP_DECRYPT.TXT
2015-03-10 15:44 - 2015-03-10 15:44 - 00004296 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-10 15:44 - 2015-03-10 15:44 - 00004296 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.TXT
2015-03-10 15:44 - 2015-03-10 15:44 - 00004296 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.TXT
2015-03-10 15:44 - 2015-03-10 15:44 - 00000304 _____ () C:\Users\cwilliam\HELP_DECRYPT.URL
2015-03-10 15:44 - 2015-03-10 15:44 - 00000304 _____ () C:\Users\cwilliam\AppData\Roaming\HELP_DECRYPT.URL
2015-03-10 15:44 - 2015-03-10 15:44 - 00000304 _____ () C:\Users\cwilliam\AppData\Local\HELP_DECRYPT.URL
2015-03-10 15:44 - 2015-03-10 15:44 - 00000304 _____ () C:\Users\cwilliam\AppData\HELP_DECRYPT.URL
2015-03-10 15:44 - 2015-03-10 15:44 - 00000304 _____ () C:\Users\Administrator\HELP_DECRYPT.URL
2015-03-10 15:44 - 2015-03-10 15:44 - 00000304 _____ () C:\Users\Administrator\AppData\Roaming\HELP_DECRYPT.URL
2015-03-10 15:44 - 2015-03-10 15:44 - 00000304 _____ () C:\Users\Administrator\AppData\Local\HELP_DECRYPT.URL
2015-03-10 15:44 - 2015-03-10 15:44 - 00000304 _____ () C:\Users\Administrator\AppData\HELP_DECRYPT.URL
2015-03-10 15:43 - 2015-03-10 15:43 - 00008706 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-10 15:43 - 2015-03-10 15:43 - 00004296 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-10 15:43 - 2015-03-10 15:43 - 00000304 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-03-10 14:03 - 2015-03-11 00:42 - 00000000 ____D () C:\Windows\Minidump
2015-03-10 12:59 - 2015-03-10 14:56 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2015-03-10 10:44 - 2015-03-10 10:51 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Local Store
2015-03-10 10:22 - 2015-03-10 16:26 - 00000400 ____H () C:\ProgramData\@system3.att
2015-03-10 10:21 - 2015-03-11 00:20 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2015-03-10 10:21 - 2015-03-10 16:26 - 00000664 ____H () C:\ProgramData\@system.temp
2015-03-10 10:20 - 2015-03-11 00:47 - 00000000 ___HD () C:\1994dbd8
2015-03-10 10:20 - 2015-03-10 17:25 - 00000000 ____D () C:\Windows\FrameworkUpdate
2015-03-10 10:20 - 2015-03-10 10:20 - 00000480 ____H () C:\Users\nistor\AppData\Roaming\麽鎒駓覜
2015-03-10 08:34 - 2015-03-10 08:34 - 00000000 ____D () C:\Users\nistor\AppData\Local\Elwktion
2015-03-10 08:33 - 2015-03-10 17:25 - 00000000 ____D () C:\Users\nistor\AppData\Local\Okqsics
2015-02-27 11:47 - 2015-02-27 11:47 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-02-27 10:17 - 2015-02-27 10:17 - 00017768 _____ () C:\Users\nistor\Desktop\releasenotes ztree.txt
2015-02-27 10:16 - 2015-02-27 10:16 - 00000015 _____ () C:\Users\nistor\Desktop\server.eec
2015-02-27 10:16 - 2015-02-27 10:16 - 00000004 _____ () C:\Users\nistor\Desktop\150227_0916.gsf
2015-02-27 10:16 - 2015-02-27 10:16 - 00000000 _____ () C:\Windows\ztree.INI
2015-02-27 10:14 - 2015-02-27 10:14 - 02830353 _____ () C:\Users\nistor\Downloads\ztree-3_4_7.zip
2015-02-23 12:47 - 2015-03-10 17:07 - 00000000 ____D () C:\Users\nistor\Desktop\Camera
2015-02-23 12:44 - 2015-02-23 12:53 - 00000000 ____D () C:\Users\nistor\Desktop\samsung phone backup
2015-02-10 22:08 - 2015-02-11 21:35 - 00000000 ____D () C:\Users\nistor\Desktop\luke

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-11 08:55 - 2009-07-13 21:34 - 00019328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-11 08:55 - 2009-07-13 21:34 - 00019328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-11 08:46 - 2012-09-13 14:49 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-11 07:58 - 2013-06-22 11:39 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1326574676-682003330-206732UA.job
2015-03-11 02:50 - 2014-06-30 16:35 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-11 02:49 - 2009-07-13 21:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-11 02:03 - 2012-09-11 10:32 - 00000000 ____D () C:\ProgramData\CREDANT
2015-03-10 21:58 - 2013-06-22 11:39 - 00000860 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1326574676-682003330-206732Core.job
2015-03-10 21:05 - 2009-07-13 19:37 - 00000000 ____D () C:\Windows\system32\NDF
2015-03-10 17:30 - 2010-11-20 14:01 - 00782838 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-10 17:27 - 2012-10-29 20:05 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Dropbox
2015-03-10 17:21 - 2013-06-21 15:49 - 00000000 ___RD () C:\Users\nistor\Desktop\FDADevice
2015-03-10 17:07 - 2015-01-10 19:15 - 00000000 ____D () C:\Users\nistor\Desktop\CS Evals Adi
2015-03-10 17:06 - 2012-10-08 10:22 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Skype
2015-03-10 17:06 - 2012-09-18 14:22 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Mozilla
2015-03-10 17:06 - 2012-09-18 13:59 - 00000000 ____D () C:\Users\nistor
2015-03-10 17:05 - 2012-10-08 10:00 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\MiKTeX
2015-03-10 15:58 - 2012-09-18 13:59 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\McAfee
2015-03-10 15:57 - 2012-09-18 13:59 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Adobe
2015-03-10 15:55 - 2012-10-08 09:59 - 00000000 ____D () C:\Users\nistor\AppData\Local\MiKTeX
2015-03-10 15:55 - 2012-09-28 13:30 - 00000000 ____D () C:\Users\nistor\AppData\Local\Skype
2015-03-10 15:55 - 2012-09-18 14:22 - 00000000 ____D () C:\Users\nistor\AppData\Local\Mozilla
2015-03-10 15:45 - 2013-06-22 11:39 - 00000000 ____D () C:\Users\nistor\AppData\Local\Google
2015-03-10 15:45 - 2012-10-05 15:38 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\MiKTeX
2015-03-10 15:45 - 2012-10-04 17:02 - 00000000 ____D () C:\Users\cwilliam510\AppData\Local\MiKTeX
2015-03-10 15:45 - 2012-10-04 16:56 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\Skype
2015-03-10 15:45 - 2012-09-13 14:44 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\Mozilla
2015-03-10 15:45 - 2012-09-13 14:44 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\McAfee
2015-03-10 15:45 - 2012-09-13 14:44 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\Adobe
2015-03-10 15:45 - 2012-09-13 14:44 - 00000000 ____D () C:\Users\cwilliam510\AppData\Local\Mozilla
2015-03-10 15:45 - 2012-09-13 14:43 - 00000000 ____D () C:\Users\cwilliam510
2015-03-10 15:45 - 2012-09-11 10:59 - 00000000 ____D () C:\Users\kirkley510\AppData\Local\Dell
2015-03-10 15:45 - 2012-09-11 10:35 - 00000000 ____D () C:\Users\kirkley510\AppData\Roaming\McAfee
2015-03-10 15:45 - 2012-09-11 10:35 - 00000000 ____D () C:\Users\kirkley510
2015-03-10 15:44 - 2012-10-05 15:44 - 00000000 ____D () C:\Users\cwilliam\AppData\Roaming\MiKTeX
2015-03-10 15:44 - 2012-10-05 15:44 - 00000000 ____D () C:\Users\cwilliam\AppData\Local\MiKTeX
2015-03-10 15:44 - 2012-10-05 15:42 - 00000000 ____D () C:\Users\cwilliam\AppData\Roaming\Mozilla
2015-03-10 15:44 - 2012-10-05 15:42 - 00000000 ____D () C:\Users\cwilliam\AppData\Local\Mozilla
2015-03-10 15:44 - 2012-10-05 15:41 - 00000000 ____D () C:\Users\cwilliam\AppData\Roaming\McAfee
2015-03-10 15:44 - 2012-10-05 15:41 - 00000000 ____D () C:\Users\cwilliam\AppData\Roaming\Adobe
2015-03-10 15:44 - 2012-10-05 15:41 - 00000000 ____D () C:\Users\cwilliam
2015-03-10 15:44 - 2012-09-11 22:23 - 00000000 ____D () C:\Users\Administrator
2015-03-10 15:44 - 2012-09-11 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\McAfee
2015-03-10 15:43 - 2012-10-04 17:01 - 00000000 ____D () C:\ProgramData\MiKTeX
2015-03-10 15:43 - 2012-09-11 22:24 - 00000000 ____D () C:\ProgramData\vulScan
2015-03-10 15:43 - 2012-09-11 22:24 - 00000000 ____D () C:\ProgramData\LANDesk
2015-03-10 15:43 - 2012-09-11 10:41 - 00000000 ____D () C:\Dell
2015-03-10 15:43 - 2012-09-11 10:31 - 00000000 ____D () C:\ProgramData\McAfee
2015-03-10 14:58 - 2014-06-30 16:35 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-10 14:58 - 2014-06-30 16:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-10 14:58 - 2014-06-30 16:35 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-10 14:56 - 2012-10-29 20:08 - 00000000 ___RD () C:\Users\nistor\Dropbox
2015-03-09 16:46 - 2012-09-11 22:25 - 00000408 _____ () C:\Windows\system32\config\netlogon.ftl
2015-03-09 13:31 - 2013-06-22 11:39 - 00000000 ____D () C:\Users\nistor\AppData\Local\Deployment
2015-03-09 13:10 - 2014-10-15 10:44 - 00007233 _____ () C:\Users\nistor\Gpresult.txt
2015-03-09 13:10 - 2013-02-04 18:24 - 00018720 _____ () C:\Users\nistor\debug.txt
2015-03-03 06:16 - 2012-07-31 10:48 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-28 09:05 - 2012-09-13 14:47 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-02-27 10:16 - 2014-07-22 10:48 - 03571712 _____ () C:\Users\nistor\Desktop\ztree.exe
2015-02-27 10:16 - 2014-07-22 10:48 - 03001856 _____ () C:\Users\nistor\Desktop\zleaf.exe
2015-02-27 10:16 - 2014-07-21 16:35 - 00017768 _____ () C:\Users\nistor\Desktop\releasenotes.txt
2015-02-26 10:26 - 2013-10-11 18:53 - 00000000 ____D () C:\Users\nistor\AppData\Local\CutePDF Writer
2015-02-13 02:48 - 2012-10-29 20:08 - 00000982 _____ () C:\Users\nistor\Desktop\Dropbox.lnk
2015-02-13 02:48 - 2012-10-29 20:05 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-02-11 19:42 - 2009-07-13 21:53 - 00032628 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-02-10 14:38 - 2009-07-13 21:52 - 00000000 ____D () C:\Windows\system32\FxsTmp

==================== Files in the root of some directories =======

2013-06-26 02:54 - 2013-06-26 02:54 - 0255312 _____ (Microsoft Corporation) C:\Users\nistor\AppData\Roaming\BtvStack.dll
2015-03-10 17:06 - 2015-03-10 17:06 - 0008706 _____ () C:\Users\nistor\AppData\Roaming\HELP_DECRYPT.HTML
2015-03-10 17:06 - 2015-03-10 17:06 - 0045823 _____ () C:\Users\nistor\AppData\Roaming\HELP_DECRYPT.PNG
2015-03-10 17:06 - 2015-03-10 17:06 - 0004296 _____ () C:\Users\nistor\AppData\Roaming\HELP_DECRYPT.TXT
2015-03-10 17:06 - 2015-03-10 17:06 - 0000304 _____ () C:\Users\nistor\AppData\Roaming\HELP_DECRYPT.URL
2015-03-10 10:20 - 2015-03-10 10:20 - 0000480 ____H () C:\Users\nistor\AppData\Roaming\麽鎒駓覜
2013-11-12 16:37 - 2015-01-26 18:40 - 0005120 _____ () C:\Users\nistor\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-10 15:55 - 2015-03-10 15:55 - 0008706 _____ () C:\Users\nistor\AppData\Local\HELP_DECRYPT.HTML
2015-03-10 15:55 - 2015-03-10 15:55 - 0045823 _____ () C:\Users\nistor\AppData\Local\HELP_DECRYPT.PNG
2015-03-10 15:55 - 2015-03-10 15:55 - 0004296 _____ () C:\Users\nistor\AppData\Local\HELP_DECRYPT.TXT
2015-03-10 15:55 - 2015-03-10 15:55 - 0000304 _____ () C:\Users\nistor\AppData\Local\HELP_DECRYPT.URL
2014-08-14 09:50 - 2014-08-14 09:50 - 0007606 _____ () C:\Users\nistor\AppData\Local\Resmon.ResmonCfg
2015-03-10 10:21 - 2015-03-10 16:26 - 0000664 ____H () C:\ProgramData\@system.temp
2015-03-10 10:22 - 2015-03-10 16:26 - 0000400 ____H () C:\ProgramData\@system3.att
2015-03-10 15:43 - 2015-03-10 15:43 - 0008706 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-10 15:43 - 2015-03-10 15:43 - 0045823 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-03-10 15:43 - 2015-03-10 15:43 - 0004296 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2015-03-10 15:43 - 2015-03-10 15:43 - 0000304 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-01-07 17:22 - 2015-01-07 17:22 - 34771968 _____ () C:\ProgramData\pollev_presenter_.msi
2015-01-01 09:56 - 2015-01-01 09:56 - 0396480 _____ (Sysinternals - www.sysinternals.com) C:\ProgramData\PsExec.exe

Files to move or delete:
====================
C:\ProgramData\PsExec.exe


Some content of TEMP:
====================
C:\Users\nistor\AppData\Local\Temp\dllnt_dump.dll
C:\Users\nistor\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpd3hagj.dll
C:\Users\nistor\AppData\Local\Temp\Quarantine.exe
C:\Users\nistor\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-05 15:35

==================== End Of Log ============================
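As an added triage example (not code from this thread, from FRST or from its author): a Python parser for the FRST file-listing lines shown in the log above that reports where the HELP_DECRYPT notes landed first and which hidden, unsigned or oddly named artifacts sit in user-writable locations. The sample lines are copied from the log above; the field layout is assumed from the log as printed, and the flagging heuristics are my own.

```python
"""Triage of FRST "One Month Created/Modified Files" lines (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime

# One FRST listing line: created - modified - size attrs (signer) path.
# Layout assumed from the log as printed in this thread, not from FRST docs.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<signer>[^)]*)\) (?P<path>.+)$"
)
TIME_FMT = "%Y-%m-%d %H:%M"

# Ransom-note names seen in this thread's log.
RANSOM_NOTE_RE = re.compile(r"\\HELP_DECRYPT\.(HTML|TXT|URL|PNG)$", re.IGNORECASE)
# Locations a standard user can write to: drive root, ProgramData, AppData.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|[^\\]+$)", re.IGNORECASE
)
EXEC_EXTENSIONS = {"exe", "dll", "sys", "vbs", "scr", "cpl", "msi"}

# Constructed sample: lines copied from the FRST log in this thread.
SAMPLE = r"""
2015-03-10 15:43 - 2015-03-10 15:43 - 00008706 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-03-10 15:44 - 2015-03-10 15:44 - 00008706 _____ () C:\Users\Administrator\HELP_DECRYPT.HTML
2015-03-10 15:45 - 2015-03-10 15:45 - 00004296 _____ () C:\Users\cwilliam510\HELP_DECRYPT.TXT
2015-03-10 17:06 - 2015-03-10 17:06 - 00000304 _____ () C:\Users\nistor\AppData\Roaming\HELP_DECRYPT.URL
2015-03-10 10:22 - 2015-03-10 16:26 - 00000400 ____H () C:\ProgramData\@system3.att
2015-03-10 10:20 - 2015-03-11 00:47 - 00000000 ___HD () C:\1994dbd8
2015-03-10 10:20 - 2015-03-10 10:20 - 00000480 ____H () C:\Users\nistor\AppData\Roaming\麽鎒駓覜
2015-03-10 08:34 - 2015-03-10 08:34 - 00000000 ____D () C:\Users\nistor\AppData\Local\Elwktion
2015-03-10 21:39 - 2015-03-10 21:39 - 11530032 _____ (Microsoft Corporation) C:\Users\nistor\Downloads\mseinstall.exe
2015-03-10 12:59 - 2015-03-10 14:56 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
"""


@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str      # FRST flag field, e.g. "____D" (directory), "____H" (hidden)
    signer: str     # text inside the parentheses; empty when unsigned
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_listing(text: str) -> list:
    """Parse every FRST file line in `text`; headers and notes are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        entries.append(Entry(
            created=datetime.strptime(m["created"], TIME_FMT),
            modified=datetime.strptime(m["modified"], TIME_FMT),
            size=int(m["size"]), attrs=m["attrs"],
            signer=m["signer"], path=m["path"],
        ))
    return entries


def ransom_note_timeline(entries) -> list:
    """Earliest HELP_DECRYPT drop per directory, oldest first; the drop time
    brackets when the ransomware worked through that location."""
    first_seen = {}
    for e in entries:
        if e.is_dir or not RANSOM_NOTE_RE.search(e.path):
            continue
        if e.parent not in first_seen or e.created < first_seen[e.parent]:
            first_seen[e.parent] = e.created
    return sorted(first_seen.items(), key=lambda kv: (kv[1], kv[0]))


def suspicious_entries(entries) -> list:
    """(path, reasons) for recent artifacts in user-writable locations.
    Heuristics only (hidden, non-ASCII name, unsigned executable extension):
    they rank what to inspect, they do not convict."""
    flagged = []
    for e in entries:
        if RANSOM_NOTE_RE.search(e.path) or not USER_WRITABLE_RE.match(e.path):
            continue
        reasons = []
        if e.hidden:
            reasons.append("hidden attribute")
        if any(ord(c) > 127 for c in e.name):
            reasons.append("non-ASCII file name")
        ext = e.name.rsplit(".", 1)[-1].lower() if "." in e.name else ""
        if ext in EXEC_EXTENSIONS and not e.signer:
            reasons.append("unsigned " + ext)
        if reasons:
            flagged.append((e.path, reasons))
    return flagged


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for directory, when in ransom_note_timeline(parsed):
        print(f"{when:%Y-%m-%d %H:%M}  first note in {directory}")
    for path, why in suspicious_entries(parsed):
        print(f"{path}: {', '.join(why)}")
```

Feed it the whole FRST.txt and the timeline shows the ProgramData note (15:43) preceding the per-profile notes, which is the order the listing above records.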


#2 JSntgRvr (Malware Response Team)

Posted 11 March 2015 - 02:17 PM

Your computer is infected with Ransomware, perhaps Cryptowall. You can read about it here.

BleepingComputer.com has created a tool called ListCwall that automates finding and exporting the list of encrypted files from an infected computer. This tool will also allow you to back up the encrypted files to another location in the event that you want to archive the encrypted files and reformat the machine.

ListCwall can be downloaded from this URL: http://www.bleepingcomputer.com/download/listcwall/

To use the tool, simply double-click on it and let the program run. ListCwall will search for the registry key that contains the encrypted files and then export them to the ListCwall.txt file on your desktop. Post that list in your next reply.

The following fix may help you with the computer behavior.

Please download the attached file and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

 

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 cnmms (Topic Starter)

Posted 11 March 2015 - 03:06 PM

I tried running the fix as you suggested. After a few seconds, a dialog box said something like "the computer must restart because the CMG shield terminated unexpectedly." I tried twice and this happened both times. No log file was generated by FRST. The dllhost.exe files still run on boot. Could I try something else?

#4 cnmms (Topic Starter)

Posted 11 March 2015 - 03:08 PM

Actually, there is a log file. I pasted it below. (It appears the problem still exists, though.)

 

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by nistor at 2015-03-11 13:00:40 Run:2
Running from C:\Users\nistor\Downloads
Loaded Profiles: nistor (Available profiles: nistor & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
CloseProcesses:
Hosts:
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\evltrws: C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll [X]
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Elwktion] => regsvr32.exe C:\Users\nistor\AppData\Local\Elwktion\CNBJOP8n.DLL <===== ATTENTION
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Eqzmtion] => C:\Windows\System32\regsvr32.exe C:\Users\nistor\AppData\Local\Okqsics\BRMWUNI.DLL
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [BluetoothS] => rundll32.exe "%appdata%\BtvStack.dll",BTHF_Register
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\system: [DisableChangePassword] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [1] blaster.exe
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [2] msblast.exe
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [3] bleep32.exe
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [NoStartMenuMyGames] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
HKU\S-1-5-18\...\Run: [evltrws] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll",evltrws <===== ATTENTION
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Tcpip\..\Interfaces\{0CD0E8D0-074D-4591-BBAA-1C94C6EBC3B3}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{8361CA0F-05B0-4B09-B340-6ABC87693487}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{86BE4DB9-9563-47C2-BD8C-2400CB45D7B0}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
C:\Users\nistor\AppData\Roaming\麽鎒駓覜
C:\ProgramData\@system.temp
C:\ProgramData\@system3.att
C:\ProgramData\PsExec.exe
C:\Users\nistor\AppData\Local\Temp\dllnt_dump.dll
C:\Users\nistor\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpd3hagj.dll
C:\Users\nistor\AppData\Local\Temp\Quarantine.exe
C:\Users\nistor\AppData\Local\Temp\sqlite3.dll
Task: {E43E90CB-5699-498F-B82B-AFBF81C13506} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {F174CE96-0463-4BEC-9856-9028AB0DC155} - System32\Tasks\4852 => Wscript.exe C:\Users\nistor\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
C:\Users\nistor\AppData\Local\Temp\launchie.vbs
Task: {35FBCD54-FEB6-4306-A88A-329BAE03FDFC} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll
CMD: DEL /Q /F /S C:\HELP_DECRYPT*
EMPTYTEMP:
Reboot:
End
*****************

Processes closed successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\evltrws => Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => Value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value not found.
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore => Key not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Run\\Elwktion => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Run\\Eqzmtion => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Run\\BluetoothS => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableChangePassword => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\1 => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\2 => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\3 => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoStartMenuMyGames => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\DisallowRun => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => Key not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\evltrws => Value not found.
HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => Key not found.
HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0CD0E8D0-074D-4591-BBAA-1C94C6EBC3B3}\\NameServer => Value not found.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8361CA0F-05B0-4B09-B340-6ABC87693487}\\NameServer => Value not found.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{86BE4DB9-9563-47C2-BD8C-2400CB45D7B0}\\NameServer => Value not found.
"C:\Users\nistor\AppData\Roaming\麽鎒駓覜" => File/Directory not found.
"C:\ProgramData\@system.temp" => File/Directory not found.
"C:\ProgramData\@system3.att" => File/Directory not found.
"C:\ProgramData\PsExec.exe" => File/Directory not found.
"C:\Users\nistor\AppData\Local\Temp\dllnt_dump.dll" => File/Directory not found.
"C:\Users\nistor\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpd3hagj.dll" => File/Directory not found.
"C:\Users\nistor\AppData\Local\Temp\Quarantine.exe" => File/Directory not found.
"C:\Users\nistor\AppData\Local\Temp\sqlite3.dll" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E43E90CB-5699-498F-B82B-AFBF81C13506} => Key not found.
C:\Windows\System32\Tasks\0 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0 => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F174CE96-0463-4BEC-9856-9028AB0DC155} => Key not found.
C:\Windows\System32\Tasks\4852 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\4852 => Key not found.
"C:\Users\nistor\AppData\Local\Temp\launchie.vbs" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{35FBCD54-FEB6-4306-A88A-329BAE03FDFC} => Key not found.
C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask => Key not found.
"C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll" => File/Directory not found.

=========  DEL /Q /F /S C:\HELP_DECRYPT* =========


========= End of CMD: =========
 



#5 cnmms (Topic Starter)

Posted 11 March 2015 - 03:10 PM

Just tried again and it said "the EMS service terminated unexpectedly" and rebooted.

#6 JSntgRvr (Malware Response Team)

Posted 11 March 2015 - 07:54 PM

This is due to the CMG Windows Shield that comes with Dell. It is a security program to protect your files from encryption and other damages.

Are your personal files, such as Word, Excel, Adobe and pictures, working? Can you open these types of files? Were you able to run ListCwall.exe?

Please re-scan with FRST and post a new FRST.txt log.


Edited by JSntgRvr, 11 March 2015 - 07:57 PM.



#7 cnmms (Topic Starter)

Posted 11 March 2015 - 09:37 PM

Yes, ListCwall.exe found over 8000 files that have been encrypted by Cryptowall. Fortunately, I have most of them backed up.

I tried running the Fix again using Windows safe mode. It ran this time, but the problem with the dllhost.exe files is still there after reboot.

 

Then I ran FRST scan again. The log is below:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by nistor (administrator) on ASBE-NISTOR6320 on 11-03-2015 19:34:46
Running from C:\Users\nistor\Downloads
Loaded Profiles: nistor (Available profiles: nistor & Administrator)
Platform: Microsoft Windows 7 Enterprise  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(CREDANT Technologies, Inc.) C:\Windows\System32\CmgShieldSvc.exe
(CREDANT Technologies, Inc.) C:\Windows\System32\EmsService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AEstSrv.exe
(Avocent Corporation) C:\Program Files\LANDesk\Shared Files\residentAgent.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\LocalSch.EXE
(LANDesk Software Ltd.) C:\Windows\System32\cba\pds.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\issuser.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
(LANDesk Software, Inc. and its affiliates ) C:\Program Files\LANDesk\LDClient\collector.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\tmcsvc.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\amtmon.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
(O2Micro International) C:\Windows\System32\drivers\o2flash.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\SoftMon.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files\LANDesk\LDClient\rcgui.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\UdaterUI.exe
(CREDANT Technologies, Inc.) C:\Windows\System32\CmgShieldUI.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(CREDANT Technologies, Inc.) C:\Windows\System32\EmsServiceHelper.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(McAfee, Inc.) C:\Program Files\McAfee\Common Framework\McTray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Google Inc.) C:\Users\nistor\AppData\Local\Google\Update\GoogleUpdate.exe
(Dropbox, Inc.) C:\Users\nistor\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\reader_sl.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [505720 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [FreeFallProtection] => C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [McAfeeUpdaterUI] => C:\Program Files\McAfee\Common Framework\udaterui.exe [140608 2010-06-01] (McAfee, Inc.)
HKLM\...\Run: [CmgShieldUI] => C:\Windows\System32\CMGShieldUI.exe [296912 2012-11-14] (CREDANT Technologies, Inc.)
HKLM\...\Run: [EmsService] => C:\Windows\system32\EmsServiceHelper.exe [989136 2012-11-14] (CREDANT Technologies, Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [536668 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2010-10-25] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [821144 2010-10-25] (Adobe Systems Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [BrStsMon00] => C:\Program Files\Browny02\Brother\BrStMonW.exe [2621440 2010-06-10] (Brother Industries, Ltd.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [FlashPlayerUpdate] => C:\Users\nistor\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [224256 2015-03-11] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [978520 2015-01-30] (Microsoft Corporation)
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Google Update] => C:\Users\nistor\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-06-22] (Google Inc.)
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [FlashPlayerUpdate] => C:\Users\nistor\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [224256 2015-03-11] ()
Startup: C:\Users\nistor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\nistor\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\nistor\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=MSSE
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://mywindow.chapman.edu
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-02-12] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-10-21] (Oracle Corporation)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-10-21] (Oracle Corporation)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKU\.DEFAULT -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1229272821-1326574676-682003330-206732 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_41-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_41-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\nistor\AppData\Roaming\Mozilla\Firefox\Profiles\94lkmvuz.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_168.dll [2013-02-27] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1167637.dll [2012-08-08] (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2013-10-21] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-10-21] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-02] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1229272821-1326574676-682003330-206732: @talk.google.com/GoogleTalkPlugin -> C:\Users\nistor\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-01-27] (Google)
FF Plugin HKU\S-1-5-21-1229272821-1326574676-682003330-206732: @talk.google.com/O1DPlugin -> C:\Users\nistor\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-01-27] (Google)
FF Plugin HKU\S-1-5-21-1229272821-1326574676-682003330-206732: @tools.google.com/Google Update;version=3 -> C:\Users\nistor\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin HKU\S-1-5-21-1229272821-1326574676-682003330-206732: @tools.google.com/Google Update;version=9 -> C:\Users\nistor\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-12-02] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll [2012-09-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\nistor\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-01-27] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\nistor\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-01-27] (Google)
FF Extension: DirectSound Audio Renderer - C:\Users\nistor\AppData\Roaming\Mozilla\Firefox\Profiles\94lkmvuz.default\Extensions\{7921FDDF-DAEA-628E-4C40-DF895BD7F2BF} [2015-03-10]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA} [2015-02-27]
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-09-11]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [245760 2010-01-25] (Brother Industries, Ltd.) [File not signed]
R2 CBA8; C:\Program Files\LANDesk\Shared Files\residentagent.exe [147456 2011-08-01] (Avocent Corporation) [File not signed]
R2 CMGShield; C:\Windows\system32\CmgShieldSvc.exe [2533328 2012-11-14] (CREDANT Technologies, Inc.)
R2 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [826272 2011-12-02] (Broadcom Corporation)
R2 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [31648 2011-12-02] (Broadcom Corporation)
R2 EMS; C:\Windows\system32\EMSService.exe [1193936 2012-11-14] (CREDANT Technologies, Inc.)
R2 Intel Local Scheduler Service; C:\Program Files\LANDesk\LDClient\LocalSch.EXE [189952 2011-10-14] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 Intel PDS; C:\Windows\system32\CBA\pds.exe [32825 2012-09-11] (LANDesk Software Ltd.) [File not signed]
R2 ISSUSER; C:\Program Files\LANDesk\LDClient\issuser.exe [1459200 2011-10-20] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 LANDesk Policy Invoker; C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe [207872 2011-09-29] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 LANDesk Targeted Multicast; C:\Program Files\LANDesk\LDClient\tmcsvc.exe [179200 2011-10-19] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 LANDesk® Out-of-Band Monitor Service; C:\Program Files\LANDesk\LDClient\amtmon.exe [1058304 2011-10-14] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [120128 2010-06-01] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22184 2015-01-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [284472 2015-01-30] (Microsoft Corporation)
R2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2010-02-10] (O2Micro International)
S2 ProcTrigger; C:\Program Files\LANDesk\LDClient\ProcTriggerSvc.exe [143872 2011-10-19] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 Softmon; C:\Program Files\LANDesk\LDClient\softmon.exe [403632 2011-10-19] (LANDesk Software, Inc. and its affiliates.)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [274514 2011-01-25] (IDT, Inc.)
S2 tracksvc; C:\Program Files\LANDesk\LDClient\tracksvc.exe [66560 2011-10-19] (LANDesk Software, Inc. and its affiliates.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Acceler; C:\Windows\System32\DRIVERS\accelern.sys [44144 2011-07-22] (ST Microelectronics)
R0 CmgHiber; C:\Windows\System32\DRIVERS\CmgHiber.sys [133008 2012-11-14] (CREDANT Technologies, Inc.)
R0 CmgPassThrough; C:\Windows\System32\DRIVERS\CmgShPT.sys [15248 2012-11-14] (CREDANT Technologies, Inc.)
R0 CmgPCS; C:\Windows\System32\DRIVERS\CmgPCS.sys [118888 2012-11-14] (CREDANT Technologies, Inc.)
R0 CmgShieldCEF; C:\Windows\System32\DRIVERS\CMGShCEF.sys [314768 2012-11-14] (CREDANT Technologies, Inc.)
R0 CMGShieldReg; C:\Windows\System32\DRIVERS\CmgShREG.sys [22416 2012-11-14] (CREDANT Technologies, Inc.)
R3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [40040 2011-12-02] (Broadcom Corporation)
R3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [268968 2011-07-20] (Intel Corporation)
S3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [2749416 2010-10-04] (Realtek Semiconductor Corp.)
R0 iusb3hcs; C:\Windows\System32\drivers\iusb3hcs.sys [13592 2012-02-27] (Intel Corporation)
S3 ldblank; C:\Windows\System32\DRIVERS\ldblank.sys [14848 2011-05-13] (LANDesk Software, Inc. and its affiliates.)
R3 ldmirror; C:\Windows\System32\DRIVERS\ldmirror.sys [5120 2011-05-13] (LANDesk Software, Inc. and its affiliates.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [114904 2015-03-11] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
R3 mirrorflt; C:\Windows\System32\DRIVERS\mirrorflt.sys [6656 2011-05-13] (LANDesk Software, Inc. and its affiliates.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [239224 2014-11-15] (Microsoft Corporation)
R3 O2SDJRDR; C:\Windows\System32\drivers\o2sdjw7.sys [63976 2011-03-23] (O2Micro )
R0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17904 2011-07-15] (ST Microelectronics)
S3 ST_ACCEL; C:\Windows\System32\DRIVERS\ST_ACCEL.sys [59888 2011-11-04] (STMicroelectronics)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-11 19:35 - 2015-03-11 19:35 - 00021625 _____ () C:\Users\nistor\Downloads\FRST.txt
2015-03-11 19:26 - 2015-03-11 19:27 - 01387052 _____ () C:\Users\nistor\Desktop\ListCWall.txt
2015-03-11 19:26 - 2015-03-11 19:26 - 00452424 _____ (Bleeping Computer, LLC) C:\Users\nistor\Downloads\ListCWall.exe
2015-03-11 08:58 - 2015-03-11 09:00 - 00033242 _____ () C:\Users\nistor\Downloads\Addition.txt
2015-03-11 08:52 - 2015-03-11 19:35 - 00000000 ____D () C:\FRST
2015-03-11 08:49 - 2015-03-11 08:50 - 01135104 _____ (Farbar) C:\Users\nistor\Downloads\FRST.exe
2015-03-11 02:35 - 2015-03-11 19:28 - 00000000 ____D () C:\Users\nistor\AppData\Local\CrashDumps
2015-03-11 02:33 - 2015-03-11 02:51 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-03-11 02:33 - 2015-03-11 02:46 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-03-11 02:33 - 2015-03-11 02:33 - 15625816 _____ () C:\Users\nistor\Downloads\RogueKiller.exe
2015-03-11 02:12 - 2015-03-11 02:12 - 00000965 _____ () C:\Users\nistor\Desktop\JRT.txt
2015-03-11 02:03 - 2015-03-11 19:21 - 00001466 _____ () C:\Windows\setupact.log
2015-03-11 02:03 - 2015-03-11 02:03 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-11 02:02 - 2015-03-11 02:02 - 00000566 _____ () C:\Windows\PFRO.log
2015-03-11 01:55 - 2015-03-11 01:55 - 00000000 ____D () C:\Program Files\Temp File Cleaner
2015-03-11 01:50 - 2015-03-11 01:50 - 00521060 _____ () C:\Users\nistor\Desktop\ESET online virus scanner results.txt
2015-03-11 00:56 - 2015-03-11 00:56 - 00000000 ____D () C:\Program Files\ESET
2015-03-11 00:55 - 2015-03-11 00:56 - 02347384 _____ (ESET) C:\Users\nistor\Downloads\esetsmartinstaller_enu.exe
2015-03-11 00:51 - 2015-03-11 00:51 - 01388333 _____ (Thisisu) C:\Users\nistor\Downloads\JRT.exe
2015-03-11 00:48 - 2015-03-11 00:48 - 00000000 ____D () C:\Users\nistor\AppData\Local\VirtualStore
2015-03-11 00:43 - 2015-03-11 19:05 - 00167364 _____ () C:\Windows\WindowsUpdate.log
2015-03-11 00:35 - 2015-03-11 00:35 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\addpcs
2015-03-11 00:34 - 2015-03-11 01:55 - 00001027 _____ () C:\Users\nistor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Temp File Cleaner.lnk
2015-03-11 00:34 - 2015-03-11 01:55 - 00000997 _____ () C:\Users\nistor\Desktop\Temp File Cleaner.lnk
2015-03-11 00:34 - 2015-03-11 00:34 - 02073320 _____ () C:\Users\nistor\Downloads\TempFileCleaner_4.4.0_Setup.exe
2015-03-11 00:29 - 2015-03-11 00:29 - 00232200 _____ () C:\Users\nistor\Downloads\JRT-28781103.exe
2015-03-11 00:27 - 2015-03-11 00:28 - 00232200 _____ () C:\Users\nistor\Downloads\TempFileCleaner_4.4.0_Setup-28780879.exe
2015-03-11 00:04 - 2015-03-11 12:56 - 00000000 ____D () C:\AdwCleaner
2015-03-11 00:03 - 2015-03-11 00:04 - 02171392 _____ () C:\Users\nistor\Downloads\adwcleaner_4.112.exe
2015-03-10 21:40 - 2015-03-10 21:40 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-03-10 21:40 - 2015-03-10 21:40 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-03-10 21:40 - 2015-03-10 21:40 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-03-10 21:39 - 2015-03-10 21:39 - 11530032 _____ (Microsoft Corporation) C:\Users\nistor\Downloads\mseinstall.exe
2015-03-10 18:19 - 2015-03-10 18:19 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-03-10 14:03 - 2015-03-11 00:42 - 00000000 ____D () C:\Windows\Minidump
2015-03-10 12:59 - 2015-03-10 14:56 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2015-03-10 10:44 - 2015-03-10 10:51 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Local Store
2015-03-10 10:21 - 2015-03-11 00:20 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2015-03-10 10:20 - 2015-03-11 00:47 - 00000000 ___HD () C:\1994dbd8
2015-03-10 10:20 - 2015-03-10 17:25 - 00000000 ____D () C:\Windows\FrameworkUpdate
2015-03-10 08:34 - 2015-03-10 08:34 - 00000000 ____D () C:\Users\nistor\AppData\Local\Elwktion
2015-03-10 08:33 - 2015-03-10 17:25 - 00000000 ____D () C:\Users\nistor\AppData\Local\Okqsics
2015-02-27 11:47 - 2015-02-27 11:47 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-02-27 10:17 - 2015-02-27 10:17 - 00017768 _____ () C:\Users\nistor\Desktop\releasenotes ztree.txt
2015-02-27 10:16 - 2015-02-27 10:16 - 00000015 _____ () C:\Users\nistor\Desktop\server.eec
2015-02-27 10:16 - 2015-02-27 10:16 - 00000004 _____ () C:\Users\nistor\Desktop\150227_0916.gsf
2015-02-27 10:16 - 2015-02-27 10:16 - 00000000 _____ () C:\Windows\ztree.INI
2015-02-27 10:14 - 2015-02-27 10:14 - 02830353 _____ () C:\Users\nistor\Downloads\ztree-3_4_7.zip
2015-02-23 12:47 - 2015-03-11 19:13 - 00000000 ____D () C:\Users\nistor\Desktop\Camera
2015-02-23 12:44 - 2015-02-23 12:53 - 00000000 ____D () C:\Users\nistor\Desktop\samsung phone backup
2015-02-10 22:08 - 2015-02-11 21:35 - 00000000 ____D () C:\Users\nistor\Desktop\luke

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-11 19:29 - 2009-07-13 21:34 - 00019328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-11 19:29 - 2009-07-13 21:34 - 00019328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-11 19:22 - 2014-06-30 16:35 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-11 19:21 - 2009-07-13 21:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-11 19:13 - 2015-01-10 19:15 - 00000000 ____D () C:\Users\nistor\Desktop\CS Evals Adi
2015-03-11 19:13 - 2012-10-08 10:22 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Skype
2015-03-11 19:13 - 2012-09-18 14:22 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Mozilla
2015-03-11 19:12 - 2012-10-29 20:05 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Dropbox
2015-03-11 19:12 - 2012-10-08 10:00 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\MiKTeX
2015-03-11 19:12 - 2012-09-18 13:59 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\McAfee
2015-03-11 19:12 - 2012-09-18 13:59 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Adobe
2015-03-11 19:10 - 2013-06-22 11:39 - 00000000 ____D () C:\Users\nistor\AppData\Local\Google
2015-03-11 19:10 - 2012-10-08 09:59 - 00000000 ____D () C:\Users\nistor\AppData\Local\MiKTeX
2015-03-11 19:10 - 2012-10-05 15:44 - 00000000 ____D () C:\Users\cwilliam\AppData\Roaming\MiKTeX
2015-03-11 19:10 - 2012-10-05 15:44 - 00000000 ____D () C:\Users\cwilliam\AppData\Local\MiKTeX
2015-03-11 19:10 - 2012-10-05 15:42 - 00000000 ____D () C:\Users\cwilliam\AppData\Roaming\Mozilla
2015-03-11 19:10 - 2012-10-05 15:42 - 00000000 ____D () C:\Users\cwilliam\AppData\Local\Mozilla
2015-03-11 19:10 - 2012-10-05 15:41 - 00000000 ____D () C:\Users\cwilliam\AppData\Roaming\McAfee
2015-03-11 19:10 - 2012-10-05 15:41 - 00000000 ____D () C:\Users\cwilliam\AppData\Roaming\Adobe
2015-03-11 19:10 - 2012-10-05 15:41 - 00000000 ____D () C:\Users\cwilliam
2015-03-11 19:10 - 2012-10-05 15:38 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\MiKTeX
2015-03-11 19:10 - 2012-10-04 17:02 - 00000000 ____D () C:\Users\cwilliam510\AppData\Local\MiKTeX
2015-03-11 19:10 - 2012-10-04 17:01 - 00000000 ____D () C:\ProgramData\MiKTeX
2015-03-11 19:10 - 2012-10-04 16:56 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\Skype
2015-03-11 19:10 - 2012-09-28 13:30 - 00000000 ____D () C:\Users\nistor\AppData\Local\Skype
2015-03-11 19:10 - 2012-09-18 14:22 - 00000000 ____D () C:\Users\nistor\AppData\Local\Mozilla
2015-03-11 19:10 - 2012-09-13 14:44 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\Mozilla
2015-03-11 19:10 - 2012-09-13 14:44 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\McAfee
2015-03-11 19:10 - 2012-09-13 14:44 - 00000000 ____D () C:\Users\cwilliam510\AppData\Roaming\Adobe
2015-03-11 19:10 - 2012-09-13 14:44 - 00000000 ____D () C:\Users\cwilliam510\AppData\Local\Mozilla
2015-03-11 19:10 - 2012-09-13 14:43 - 00000000 ____D () C:\Users\cwilliam510
2015-03-11 19:10 - 2012-09-11 22:24 - 00000000 ____D () C:\ProgramData\vulScan
2015-03-11 19:10 - 2012-09-11 22:24 - 00000000 ____D () C:\ProgramData\LANDesk
2015-03-11 19:10 - 2012-09-11 22:23 - 00000000 ____D () C:\Users\Administrator
2015-03-11 19:10 - 2012-09-11 10:59 - 00000000 ____D () C:\Users\kirkley510\AppData\Local\Dell
2015-03-11 19:10 - 2012-09-11 10:35 - 00000000 ____D () C:\Users\kirkley510\AppData\Roaming\McAfee
2015-03-11 19:10 - 2012-09-11 10:35 - 00000000 ____D () C:\Users\kirkley510
2015-03-11 19:10 - 2012-09-11 10:31 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\McAfee
2015-03-11 19:10 - 2012-09-11 10:31 - 00000000 ____D () C:\ProgramData\McAfee
2015-03-11 12:58 - 2013-06-22 11:39 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1326574676-682003330-206732UA.job
2015-03-11 12:56 - 2012-09-11 10:41 - 00000000 ____D () C:\Dell
2015-03-11 11:29 - 2013-06-22 11:39 - 00000000 ____D () C:\Users\nistor\AppData\Local\Deployment
2015-03-11 11:27 - 2010-11-20 14:01 - 00782838 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-11 11:26 - 2015-02-04 13:25 - 00000000 ____D () C:\Users\nistor\Desktop\meeting chancellor
2015-03-11 11:23 - 2013-06-21 15:49 - 00000000 ___RD () C:\Users\nistor\Desktop\FDADevice
2015-03-11 09:46 - 2012-09-13 14:49 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-11 02:03 - 2012-09-11 10:32 - 00000000 ____D () C:\ProgramData\CREDANT
2015-03-10 21:58 - 2013-06-22 11:39 - 00000860 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1326574676-682003330-206732Core.job
2015-03-10 21:05 - 2009-07-13 19:37 - 00000000 ____D () C:\Windows\system32\NDF
2015-03-10 17:06 - 2012-09-18 13:59 - 00000000 ____D () C:\Users\nistor
2015-03-10 14:58 - 2014-06-30 16:35 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-10 14:58 - 2014-06-30 16:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-10 14:58 - 2014-06-30 16:35 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-10 14:56 - 2012-10-29 20:08 - 00000000 ___RD () C:\Users\nistor\Dropbox
2015-03-09 16:46 - 2012-09-11 22:25 - 00000408 _____ () C:\Windows\system32\config\netlogon.ftl
2015-03-09 13:10 - 2014-10-15 10:44 - 00007233 _____ () C:\Users\nistor\Gpresult.txt
2015-03-09 13:10 - 2013-02-04 18:24 - 00018720 _____ () C:\Users\nistor\debug.txt
2015-03-03 06:16 - 2012-07-31 10:48 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-28 09:05 - 2012-09-13 14:47 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-02-27 10:16 - 2014-07-22 10:48 - 03571712 _____ () C:\Users\nistor\Desktop\ztree.exe
2015-02-27 10:16 - 2014-07-22 10:48 - 03001856 _____ () C:\Users\nistor\Desktop\zleaf.exe
2015-02-27 10:16 - 2014-07-21 16:35 - 00017768 _____ () C:\Users\nistor\Desktop\releasenotes.txt
2015-02-26 10:26 - 2013-10-11 18:53 - 00000000 ____D () C:\Users\nistor\AppData\Local\CutePDF Writer
2015-02-13 02:48 - 2012-10-29 20:08 - 00000982 _____ () C:\Users\nistor\Desktop\Dropbox.lnk
2015-02-13 02:48 - 2012-10-29 20:05 - 00000000 ____D () C:\Users\nistor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-02-11 19:42 - 2009-07-13 21:53 - 00032628 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-02-10 14:38 - 2009-07-13 21:52 - 00000000 ____D () C:\Windows\system32\FxsTmp

==================== Files in the root of some directories =======

2013-06-26 02:54 - 2013-06-26 02:54 - 0255312 _____ (Microsoft Corporation) C:\Users\nistor\AppData\Roaming\BtvStack.dll
2013-11-12 16:37 - 2015-01-26 18:40 - 0005120 _____ () C:\Users\nistor\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-08-14 09:50 - 2014-08-14 09:50 - 0007606 _____ () C:\Users\nistor\AppData\Local\Resmon.ResmonCfg
2015-01-07 17:22 - 2015-01-07 17:22 - 34771968 _____ () C:\ProgramData\pollev_presenter_.msi

Some content of TEMP:
====================
C:\Users\nistor\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpmwxuil.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-05 15:35

==================== End Of Log ============================
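The log above, and the fix log posted later in this thread, show the two autostart patterns a responder looks for first: a Run value whose command is `regsvr32.exe` or `rundll32.exe` pointing at a DLL under the user's profile (`%appdata%`, `AppData\Local\...`), and a `Winlogon\Notify` package (a mechanism Windows Vista and later no longer use for anything legitimate). The script below is an added example, not part of this thread and not FRST's own logic: it parses entries in FRST's `HKLM\...\Run: [name] => command [size date] (publisher)` format and flags those two patterns, plus a third heuristic, a binary in a user-writable path with an empty publisher field `()`. The sample lines are constructed for the example from entries that appear on this page; the heuristic names and thresholds are mine, and a hit means "look at this", not a verdict on what family the files belong to.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, modelled on the Registry section and the fix log in this thread.
SAMPLE_LINES = r"""
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [505720 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [978520 2015-01-30] (Microsoft Corporation)
HKLM\...\Run: [FlashPlayerUpdate] => C:\Users\nistor\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [224256 2015-03-11] ()
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Elwktion] => regsvr32.exe C:\Users\nistor\AppData\Local\Elwktion\CNBJOP8n.DLL <===== ATTENTION
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Eqzmtion] => C:\Windows\System32\regsvr32.exe C:\Users\nistor\AppData\Local\Okqsics\BRMWUNI.DLL
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [BluetoothS] => rundll32.exe "%appdata%\BtvStack.dll",BTHF_Register
Winlogon\Notify\evltrws: C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll [X]
"""

# FRST line shapes handled here (Run values and Winlogon\Notify packages only).
RUN_RE = re.compile(r'^(?P<hive>HK[^:]*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$')
NOTIFY_RE = re.compile(r'^Winlogon\\Notify\\(?P<name>[^:]+): (?P<path>.*)$')
# Trailing "[size date] (publisher)" block FRST appends when the file exists.
META_RE = re.compile(r'\s*\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<publisher>[^)]*)\)$')
# Command starts with a DLL loader, bare or with a full path, e.g. "regsvr32.exe X" or
# "C:\Windows\System32\regsvr32.exe X".
LOADER_RE = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?(?:regsvr32|rundll32)(?:\.exe)?"?\s+', re.I)
# Locations a non-admin process can write to (heuristic list, an assumption of this example).
USER_WRITABLE_RE = re.compile(
    r'\\appdata\\|%appdata%|%localappdata%|%temp%|\\programdata\\|\\users\\public\\', re.I)
# FRST's own "<===== ATTENTION" marker, stripped so it does not end up in the command.
MARKER_RE = re.compile(r'\s*<=+\s*ATTENTION\s*$')


@dataclass(frozen=True)
class Finding:
    name: str    # value name under Run, or package name under Winlogon\Notify
    reason: str  # which heuristic fired
    entry: str   # the command or DLL path as FRST printed it


def check_run_value(name: str, cmd: str) -> Finding | None:
    """Apply the Run-value heuristics to one entry; None means nothing stood out."""
    meta = META_RE.search(cmd)
    publisher = meta.group('publisher') if meta else None   # '' means FRST printed "()"
    launch = cmd[:meta.start()].strip() if meta else cmd.strip()
    in_user_path = bool(USER_WRITABLE_RE.search(launch))
    if LOADER_RE.match(launch) and in_user_path:
        return Finding(name, 'dll-loader-from-user-writable-path', cmd)
    if in_user_path and publisher == '':
        return Finding(name, 'no-publisher-in-user-writable-path', cmd)
    return None


def triage(frst_text: str) -> list[Finding]:
    """Walk FRST output line by line and collect the entries worth a closer look."""
    findings: list[Finding] = []
    for raw in frst_text.splitlines():
        line = MARKER_RE.sub('', raw.strip())
        m = RUN_RE.match(line)
        if m:
            hit = check_run_value(m['name'], m['cmd'])
            if hit:
                findings.append(hit)
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Vista and later do not load Winlogon notification packages, so any
            # entry here is a persistence attempt regardless of where the DLL lives.
            findings.append(Finding(m['name'], 'winlogon-notify-package', m['path']))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'{f.reason:36} {f.name!r:22} {f.entry}')
```

Run as-is it lists the three loader entries, the Winlogon package and the publisher-less Flash updater under `AppData\Local`; the two vendor-signed HKLM entries produce nothing. Feed it a real FRST.txt with `triage(open('FRST.txt', encoding='utf-8', errors='replace').read())`. The publisher check only catches what FRST could not attribute, so a signed binary in a user path still passes; widen `USER_WRITABLE_RE` or `LOADER_RE` for your environment rather than treating the lists as complete.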



#8 cnmms (Topic Starter)

Posted 11 March 2015 - 09:48 PM

I tried to include the log from running Fix in safe mode, but apparently it's too large to paste or attach. Below are the beginning and end of this log.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by nistor at 2015-03-11 19:10:06 Run:1
Running from C:\Users\nistor\Downloads
Loaded Profiles: nistor (Available profiles: nistor & Administrator)
Boot Mode: Safe Mode (minimal)

==============================================

Content of fixlist:
*****************
Start
CloseProcesses:
Hosts:
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\evltrws: C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll [X]
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Elwktion] => regsvr32.exe C:\Users\nistor\AppData\Local\Elwktion\CNBJOP8n.DLL <===== ATTENTION
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Eqzmtion] => C:\Windows\System32\regsvr32.exe C:\Users\nistor\AppData\Local\Okqsics\BRMWUNI.DLL
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [BluetoothS] => rundll32.exe "%appdata%\BtvStack.dll",BTHF_Register
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\system: [DisableChangePassword] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [1] blaster.exe
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [2] msblast.exe
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [3] bleep32.exe
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [NoStartMenuMyGames] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
HKU\S-1-5-18\...\Run: [evltrws] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll",evltrws <===== ATTENTION
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Tcpip\..\Interfaces\{0CD0E8D0-074D-4591-BBAA-1C94C6EBC3B3}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{8361CA0F-05B0-4B09-B340-6ABC87693487}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{86BE4DB9-9563-47C2-BD8C-2400CB45D7B0}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
C:\Users\nistor\AppData\Roaming\麽鎒駓覜
C:\ProgramData\@system.temp
C:\ProgramData\@system3.att
C:\ProgramData\PsExec.exe
C:\Users\nistor\AppData\Local\Temp\dllnt_dump.dll
C:\Users\nistor\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpd3hagj.dll
C:\Users\nistor\AppData\Local\Temp\Quarantine.exe
C:\Users\nistor\AppData\Local\Temp\sqlite3.dll
Task: {E43E90CB-5699-498F-B82B-AFBF81C13506} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {F174CE96-0463-4BEC-9856-9028AB0DC155} - System32\Tasks\4852 => Wscript.exe C:\Users\nistor\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
C:\Users\nistor\AppData\Local\Temp\launchie.vbs
Task: {35FBCD54-FEB6-4306-A88A-329BAE03FDFC} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll
CMD: DEL /Q /F /S C:\HELP_DECRYPT*
EMPTYTEMP:
Reboot:
End
*****************

Processes closed successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\evltrws => Key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => Value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value not found.
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore => Key not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Run\\Elwktion => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Run\\Eqzmtion => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Run\\BluetoothS => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableChangePassword => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\1 => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\2 => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\\3 => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoStartMenuMyGames => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\DisallowRun => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => Value not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => Key not found.
HKU\S-1-5-21-1229272821-1326574676-682003330-206732\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\evltrws => Value not found.
HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => Key not found.
HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0CD0E8D0-074D-4591-BBAA-1C94C6EBC3B3}\\NameServer => Value not found.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8361CA0F-05B0-4B09-B340-6ABC87693487}\\NameServer => Value not found.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{86BE4DB9-9563-47C2-BD8C-2400CB45D7B0}\\NameServer => Value not found.
"C:\Users\nistor\AppData\Roaming\麽鎒駓覜" => File/Directory not found.
"C:\ProgramData\@system.temp" => File/Directory not found.
"C:\ProgramData\@system3.att" => File/Directory not found.
"C:\ProgramData\PsExec.exe" => File/Directory not found.
"C:\Users\nistor\AppData\Local\Temp\dllnt_dump.dll" => File/Directory not found.
"C:\Users\nistor\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpd3hagj.dll" => File/Directory not found.
"C:\Users\nistor\AppData\Local\Temp\Quarantine.exe" => File/Directory not found.
"C:\Users\nistor\AppData\Local\Temp\sqlite3.dll" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E43E90CB-5699-498F-B82B-AFBF81C13506} => Key not found.
C:\Windows\System32\Tasks\0 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0 => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F174CE96-0463-4BEC-9856-9028AB0DC155} => Key not found.
C:\Windows\System32\Tasks\4852 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\4852 => Key not found.
"C:\Users\nistor\AppData\Local\Temp\launchie.vbs" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{35FBCD54-FEB6-4306-A88A-329BAE03FDFC} => Key not found.
C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask => Key not found.
"C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll" => File/Directory not found.

=========  DEL /Q /F /S C:\HELP_DECRYPT* =========

Deleted file - C:\ProgramData\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\LANDesk\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\LANDesk\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\LANDesk\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\LANDesk\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\LANDesk\ManagementSuite\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\LANDesk\ManagementSuite\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\LANDesk\ManagementSuite\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\LANDesk\ManagementSuite\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\LANDesk\ManagementSuite\Database\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\LANDesk\ManagementSuite\Database\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\LANDesk\ManagementSuite\Database\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\LANDesk\ManagementSuite\Database\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\McAfee\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\McAfee\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\McAfee\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\McAfee\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\McAfee\Common Framework\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\McAfee\Common Framework\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\McAfee\Common Framework\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\McAfee\Common Framework\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\Microsoft\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\Microsoft\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\Microsoft\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\Microsoft\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\Microsoft\RAC\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\Microsoft\RAC\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\Microsoft\RAC\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\Microsoft\RAC\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\Microsoft\RAC\PublishedData\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\Microsoft\RAC\PublishedData\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\Microsoft\RAC\PublishedData\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\Microsoft\RAC\PublishedData\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\Microsoft\RAC\StateData\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\Microsoft\RAC\StateData\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\Microsoft\RAC\StateData\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\Microsoft\RAC\StateData\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\MiKTeX\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\MiKTeX\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\MiKTeX\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\MiKTeX\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\MiKTeX\2.9\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\MiKTeX\2.9\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\MiKTeX\2.9\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\MiKTeX\2.9\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\generic\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\generic\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\generic\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\generic\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\generic\config\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\generic\config\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\generic\config\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\MiKTeX\2.9\tex\generic\config\HELP_DECRYPT.URL
Deleted file - C:\ProgramData\vulScan\HELP_DECRYPT.HTML
Deleted file - C:\ProgramData\vulScan\HELP_DECRYPT.PNG
Deleted file - C:\ProgramData\vulScan\HELP_DECRYPT.TXT
Deleted file - C:\ProgramData\vulScan\HELP_DECRYPT.URL
Deleted file - C:\Users\Administrator\HELP_DECRYPT.HTML
Deleted file - C:\Users\Administrator\HELP_DECRYPT.PNG
Deleted file - C:\Users\Administrator\HELP_DECRYPT.TXT
Deleted file - C:\Users\Administrator\HELP_DECRYPT.URL

[skipped many lines]

Deleted file - C:\Users\nistor\Desktop\FDADevice\paper\paperlatexv1\HELP_DECRYPT.URL
Deleted file - C:\Users\nistor\Desktop\FDADevice\paper\paperlatexv2\HELP_DECRYPT.HTML
Deleted file - C:\Users\nistor\Desktop\FDADevice\paper\paperlatexv2\HELP_DECRYPT.PNG
Deleted file - C:\Users\nistor\Desktop\FDADevice\paper\paperlatexv2\HELP_DECRYPT.TXT
Deleted file - C:\Users\nistor\Desktop\FDADevice\paper\paperlatexv2\HELP_DECRYPT.URL

========= End of CMD: =========

EmptyTemp: => Removed 1.7 GB temporary data.


The system needed a reboot.

==== End of Fixlog 19:19:36 ====
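The fixlist above is a removal script; what it does not show is how to tell these entries apart from the thousands of benign lines in an FRST log. The following Python script is an added example (not FRST's code and not from anyone in this thread) that scores FRST-style lines against the persistence patterns this fix removed: per-user Run entries that hand a DLL under AppData to regsvr32 or rundll32, a LocalServer32 override for a CLSID registered in a user hive (the user-hive registration shadows the machine-wide COM class, so whatever it points to runs inside COM surrogate processes, which is consistent with the many dllhost.exe instances described in the first post), autoruns in the SYSTEM hive (HKU\S-1-5-18), a Winlogon Notify package, scheduled tasks that start a script host from Temp or a bare browser binary, Explorer and System Restore policy tampering, and static DNS overrides. The sample lines are copied from the fixlist, plus one constructed benign Run entry; the rule names, severities and regular expressions are this example's own choices.

```python
"""Triage FRST-style log lines for the persistence patterns the fixlist removed.

Added example, not FRST's code and not from anyone in the thread. Rule names,
severities and patterns are this example's own choices.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: all but the last line are copied from the fixlist in the
# post above; the last line is a made-up benign Run entry the rules must ignore.
SAMPLE_LINES = [
    r"HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION",
    r"Winlogon\Notify\evltrws: C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll [X]",
    r"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION",
    r"HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [Elwktion] => regsvr32.exe C:\Users\nistor\AppData\Local\Elwktion\CNBJOP8n.DLL <===== ATTENTION",
    r'HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Run: [BluetoothS] => rundll32.exe "%appdata%\BtvStack.dll",BTHF_Register',
    r"HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...\Policies\Explorer\DisallowRun: [1] blaster.exe",
    r"HKU\S-1-5-21-1229272821-1326574676-682003330-206732\...A8F59079A8D5}\localserver32:  <==== ATTENTION!",
    r'HKU\S-1-5-18\...\Run: [evltrws] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\evltrws.dll",evltrws <===== ATTENTION',
    r"HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!",
    r"Tcpip\..\Interfaces\{0CD0E8D0-074D-4591-BBAA-1C94C6EBC3B3}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8",
    r"Task: {E43E90CB-5699-498F-B82B-AFBF81C13506} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION",
    r"Task: {F174CE96-0463-4BEC-9856-9028AB0DC155} - System32\Tasks\4852 => Wscript.exe C:\Users\nistor\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION",
    r"Task: {35FBCD54-FEB6-4306-A88A-329BAE03FDFC} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc",
    r"HKLM\...\Run: [ExampleTray] => C:\Windows\system32\exampletray.exe",  # constructed benign entry
]

# (severity, rule id, pattern); patterns are written against FRST's line format.
RULES = [
    # Run value that hands a DLL under a profile or temp directory to regsvr32/rundll32.
    ("high", "autorun_dll_from_profile",
     re.compile(r"\\Run: \[[^\]]*\] => .*?(regsvr32|rundll32)\b.*?(\\AppData\\|%appdata%|\\Temp\\)", re.I)),
    # LocalServer32 registered under a user hive shadows the machine-wide COM class;
    # the target then runs inside COM surrogate (dllhost.exe) processes.
    ("high", "clsid_localserver32_user_hive",
     re.compile(r"^HKU\\S-1-5-.*\\localserver32:", re.I)),
    # Anything set to autorun for the SYSTEM profile (S-1-5-18) is rarely legitimate.
    ("high", "system_hive_autorun",
     re.compile(r"^HKU\\S-1-5-18\\.*\\Run: \[", re.I)),
    # Winlogon Notify package living under AppData, or already missing ([X]).
    ("high", "winlogon_notify_package",
     re.compile(r"^Winlogon\\Notify\\\w+: .*(\\AppData\\|\[X\])", re.I)),
    # Task that launches a script host from Temp, or a browser binary with no arguments.
    ("high", "task_script_host_or_bare_browser",
     re.compile(r"^Task: .* => ((wscript|cscript|mshta|powershell)(\.exe)? .*\\Temp\\|iexplore\.exe\s*(<|$))", re.I)),
    # Policy values that hide security status, block tools or disable System Restore.
    ("medium", "policy_tampering",
     re.compile(r"\\Policies\\.*\b(DisableSR|DisableChangePassword|DisallowRun|HideSCAHealth|TaskbarNoNotification|NoStartMenuMyGames)\b", re.I)),
    ("medium", "software_restriction_paths",
     re.compile(r"^HKLM Group Policy restriction on software:", re.I)),
    # Static DNS on an interface: only a prompt to confirm it is the expected server.
    ("info", "dns_server_override",
     re.compile(r"\\Interfaces\\\{[0-9A-F-]+\}: \[NameServer\]", re.I)),
]


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (line, matching rule); a line can trip several rules."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        for severity, rule_id, pattern in RULES:
            if pattern.search(line):
                hits.append({"severity": severity, "rule": rule_id, "line": line})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits by severity, e.g. {'high': 9, 'medium': 3, 'info': 1} for SAMPLE_LINES."""
    return dict(Counter(h["severity"] for h in hits))


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for h in found:
        print(f"[{h['severity']:<6}] {h['rule']:<34} {h['line'][:88]}")
    print(summarize(found))
```

To run it over a real log, read FRST.txt with `errors="replace"` (FRST logs mix encodings, as the Unicode directory name in the fixlist shows), split it into lines and pass them to `triage`. Only the `high` rules are meant to stand on their own; `info` hits are a reminder to check that the DNS servers are the ones you configured, and the SYSTEM-hive and LocalServer32 rules are the ones that explain the dllhost.exe symptom in this thread.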



#9 JSntgRvr (Master Surgeon General, Malware Response Team, 11,453 posts, Puerto Rico)

Posted 12 March 2015 - 08:16 AM

Let's perform an online scan.

  • Run the ESET Online Scanner.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

Edited by JSntgRvr, 12 March 2015 - 08:24 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 JSntgRvr

Posted 12 March 2015 - 08:26 AM

Whenever the log is too large, have it uploaded here.

