
Operation Global 3 decryption


  • This topic is locked
27 replies to this topic

#1 mrfssd

  • Members
  • 15 posts

Posted 13 April 2015 - 08:59 AM

Ok.. I am new to this forum.. but not to computers.

I have a client whose computer got infected with the OG3. For now I have put a hold on the ransomware and it is not running.. I still have a copy of the ransomware and the files that are encrypted..

I tried the OG3 patcher but it just says no infection found.. I also posted in the news section of the OG3 thread, but no response for a few days.

I have been reading that the encryption code is in each and every encrypted file. I was wondering, since the OG3 patcher is not working, is there a way to manually fix the files, and if so what is the procedure?

I wanted to attach a copy of the files that are encrypted, but they are all bigger than 512kb.. so I can't do it....

I have also submitted a copy of the virus to the virus sample section.

#2 mrfssd

  • Topic Starter
  • Members
  • 15 posts

Posted 14 April 2015 - 08:48 AM

OK, here is the FRST post.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2015
Ran by ACG (administrator) on PNSERVER on 14-04-2015 09:41:38
Running from C:\Users\ACG\Desktop
Loaded Profiles: ACG & QBDataServiceUser22 & QBDataServiceUser23 (Available profiles: ACG & LogMeInRemoteUser & QBDataServiceUser22 & QBDataServiceUser23)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(iAnywhere Solutions, Inc.) C:\Program Files (x86)\Mitchell\eClaim\ASA\dbsrv9.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Lenovo Group Limited) C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.EXE
() C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Code 42 Software) C:\Program Files\CrashPlan\CrashPlanService.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Lenovo) C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
() C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
(LITEON) C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\skdh8821.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Ulead Systems, Inc.) C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(UltraVNC) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\QBDBMgrN.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 13.0\QBDBMgrN.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\System Update\SUService.exe
(Lenovo Group Limited) C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Code 42 Software, Inc.) C:\Program Files\CrashPlan\CrashPlanTray.exe
(Mitchell International) C:\Program Files (x86)\Mitchell\Communications\Mitchell.Platform.Appraisal.AlertChecker.WinApp.exe
(Mitchell International) C:\Program Files (x86)\Mitchell\Communications\McDm.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(UltraVNC) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [403328 2012-08-23] (Acronis)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9955872 2010-01-12] (Realtek Semiconductor)
HKLM-x32\...\Run: [PWMTRV] => rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
HKLM-x32\...\Run: [Power Manager Power Agenda] => C:\Program Files (x86)\ThinkPad\Utilities\DPMHost.EXE [72256 2010-03-05] ()
HKLM-x32\...\Run: [Message Center Plus] => C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe [49976 2009-05-28] ()
HKLM-x32\...\Run: [IdeaNotesUser] => C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [6010264 2012-08-23] (Acronis)
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [941440 2012-07-24] (Acronis)
HKLM-x32\...\Run: [cgUkMIwc.exe] => C:\ProgramData\OKssEIwc\cgUkMIwc.exe [0 2015-04-07] ()
HKLM-x32\...\Run: [EstimateReview] => C:\Program Files (x86)\Estimate Review\Estimate Review.exe [2801664 2014-01-28] (Mitchell International)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\ProgramData\OKssEIwc\cgUkMIwc.exe,
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\OKssEIwc\cgUkMIwc.exe, [X]
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\917\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\Run: [AVG-Secure-Search-Update_0913b] => C:\Users\ACG\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 2118e775a05447d0b3a5c13194131d8b-56e0008ff529b2dc8bdec8413248270b5d9fcf7e --CMPID 0913b
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\Run: [qAUMUkQo.exe] => C:\Users\ACG\zWcoogUc\qAUMUkQo.exe [0 2015-04-07] ()
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\MountPoints2: {c8040a8a-c0a8-11e4-8585-806e6f6e6963} - E:\autorun.exe
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\MountPoints2: {d56214f4-6e60-11e1-9ae9-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\MountPoints2: {f483a63f-6ea1-11e1-9bd5-806e6f6e6963} - D:\autorun.exe
HKU\S-1-5-21-3660415269-4154276828-4034450638-1004\...\RunOnce: [] => [X]
HKU\S-1-5-21-3660415269-4154276828-4034450638-1004\...\RunOnce: [Lenovoautoqdrive] => C:\Program Files (x86)\Common Files\Lenovo\LenovoDrive\LenovoAutorunreg.exe [159744 2009-03-24] ()
HKU\S-1-5-21-3660415269-4154276828-4034450638-1005\...\RunOnce: [] => [X]
HKU\S-1-5-21-3660415269-4154276828-4034450638-1005\...\RunOnce: [Lenovoautoqdrive] => C:\Program Files (x86)\Common Files\Lenovo\LenovoDrive\LenovoAutorunreg.exe [159744 2009-03-24] ()
Startup: C:\Users\ACG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrashPlan Tray.lnk
ShortcutTarget: CrashPlan Tray.lnk -> C:\Program Files\CrashPlan\CrashPlanTray.exe (Code 42 Software, Inc.)
Startup: C:\Users\ACG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinodeDDNS.lnk
ShortcutTarget: LinodeDDNS.lnk -> C:\Linode\LinodeDDNS.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CrashPlan Tray.lnk
ShortcutTarget: CrashPlan Tray.lnk -> C:\Program Files\CrashPlan\CrashPlanTray.exe (Code 42 Software, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mapping.bat.lnk
ShortcutTarget: mapping.bat.lnk -> C:\mapping.bat ()
Startup: C:\Users\pc1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Compliance Utility.lnk
ShortcutTarget: Compliance Utility.lnk -> C:\Windows\Installer\{9EE45AEF-2726-4997-BBBE-3F2F817F141E}\Icon24849FC9.exe ()
Startup: C:\Users\pc5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Compliance Utility.lnk
ShortcutTarget: Compliance Utility.lnk -> C:\Windows\Installer\{9EE45AEF-2726-4997-BBBE-3F2F817F141E}\Icon24849FC9.exe ()
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll (Acronis)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.msn.com
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre
SearchScopes: HKLM -> DefaultScope {0C5FF800-7324-4DA7-B882-42B21ABABA07} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0C5FF800-7324-4DA7-B882-42B21ABABA07} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {FCC98A3E-AC30-4D7C-826B-A8C881823BC7} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {FCC98A3E-AC30-4D7C-826B-A8C881823BC7} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3660415269-4154276828-4034450638-1000 -> {FCC98A3E-AC30-4D7C-826B-A8C881823BC7} URL = 
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO-x32: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files (x86)\AVG\AVG2012\avgssie.dll No File
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=1081
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
Hosts: 192.168.1.5   pnserver
Tcpip\..\Interfaces\{C2240FA0-6C60-41BB-8F1A-4047B821F98E}: [NameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-19] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-19]
CHR Extension: (Google Docs) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-19]
CHR Extension: (Google Drive) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-03-19]
CHR Extension: (YouTube) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-03-19]
CHR Extension: (Google Search) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-19]
CHR Extension: (Google Sheets) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-19]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-21]
CHR Extension: (Google Wallet) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-19]
CHR Extension: (Gmail) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-19]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 CrashPlanService; C:\Program Files\CrashPlan\CrashPlanService.exe [223232 2014-06-26] (Code 42 Software) [File not signed]
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [417640 2015-02-24] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [234344 2015-02-24] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
S3 PNDataService; C:\yadaapps\winpn\PNDataService\PNDataService.exe [2385408 2015-04-07] () [File not signed]
S3 PNDealerIntf; C:\YADAAPPS\winpn\serviceapp\pndealershipinterface.exe [1504768 2015-04-07] () [File not signed]
S3 PNMSGServiceAgent; C:\YADAAPPS\winpn\pnRelayService\PNMSGServiceAgent.exe [81920 2012-03-20] (YADA Systems Inc) [File not signed]
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2012-10-06] (Intuit) [File not signed]
R3 QuickBooksDB22; C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\QBDBMgrN.exe [679936 2011-04-13] (Intuit, Inc.) [File not signed]
R3 QuickBooksDB23; C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 13.0\QBDBMgrN.exe [679936 2012-10-06] (Intuit, Inc.) [File not signed]
R2 Sks8821; C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe [137216 2010-05-04] () [File not signed]
R2 SUService; c:\Program Files (x86)\Lenovo\System Update\SUService.exe [28672 2010-03-15] (Lenovo Group Limited) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5448464 2015-03-30] (TeamViewer GmbH)
R3 TermService; C:\Windows\System32\termsrv.dll [683520 2015-02-21] (Microsoft Corporation) [File not signed]
R2 ThinkVantage Registry Monitor Service; C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe [1019904 2009-08-28] (Lenovo Group Limited) [File not signed]
S3 TVT Backup Service; C:\Program Files (x86)\Lenovo\Rescue and Recovery\rrservice.exe [1475896 2010-07-29] (Lenovo Group Limited)
S2 TYYsoYLC; C:\ProgramData\NqgoYoAQ\AaQsoEMk.exe [0 2015-04-07] () <==== ATTENTION (zero size file/folder)
R2 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2008-01-10] (Ulead Systems, Inc.) [File not signed]
R2 uvnc_service; C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe [2190584 2012-11-23] (UltraVNC)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ASANYs_ECM3; C:\Program Files (x86)\Mitchell\eClaim\ASA\dbsrv9 -hvASANYs_ECM3 [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-06-20] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [1093256 2015-02-16] (Acronis)
R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [166024 2015-02-16] (Acronis)
R2 zntport; C:\Windows\SysWow64\drivers\zntport.sys [13880 2007-12-22] (Zeal SoftStudio)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-14 09:41 - 2015-04-14 09:41 - 00017164 _____ () C:\Users\ACG\Desktop\FRST.txt
2015-04-14 09:41 - 2015-04-14 09:41 - 00000000 ____D () C:\FRST
2015-04-14 09:41 - 2015-04-14 09:40 - 02096640 _____ (Farbar) C:\Users\ACG\Desktop\FRST64.exe
2015-04-13 12:03 - 2015-04-13 12:03 - 00001299 _____ () C:\Users\Public\Desktop\CryptoMonitor.exe.lnk
2015-04-13 12:03 - 2015-04-13 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasySync CryptoMonitor
2015-04-13 12:03 - 2015-04-13 12:03 - 00000000 ____D () C:\Program Files\EasySync Solutions
2015-04-13 12:01 - 2015-04-13 12:01 - 00000000 ____D () C:\Users\ACG\AppData\Roaming\EasySync Solutions
2015-04-13 11:54 - 2015-04-13 11:54 - 00000000 _____ () C:\Windows\util_frlock.INI
2015-04-13 11:31 - 2010-11-20 09:25 - 00257024 _____ (Microsoft Corporation) C:\explorer.exe
2015-04-07 19:13 - 2015-04-07 19:13 - 00000008 _____ () C:\Users\ACG\Desktop\New Text Document.txt
2015-04-07 17:15 - 2015-04-07 18:18 - 00000000 ____D () C:\mb
2015-04-07 15:32 - 2015-04-07 15:32 - 00000000 ____D () C:\Windows\pss
2015-04-07 14:21 - 2015-04-13 11:22 - 00992768 _____ () C:\Users\ACG\Downloads\explorer.exe
2015-04-07 13:49 - 2015-04-07 13:49 - 00760320 _____ () C:\Users\ACG\Desktop\1.pdf.exe
2015-04-07 08:38 - 2015-04-07 08:38 - 00844800 _____ () C:\Windows\SysWOW64\cQcK.exe
2015-04-07 08:27 - 2015-04-07 16:14 - 00000000 __SHD () C:\Users\ACG\zWcoogUc
2015-04-07 08:25 - 2015-04-13 11:28 - 00000000 __SHD () C:\Users\pc5\zWcoogUc
2015-04-07 08:25 - 2015-04-07 08:25 - 00002303 _____ () C:\Users\pc5\Desktop\Google Chrome.lnk
2015-04-07 08:25 - 2015-04-07 08:25 - 00000000 ____D () C:\Users\pc5\AppData\Local\Google
2015-04-07 07:32 - 2015-04-07 07:32 - 13607424 _____ () C:\Windows\SysWOW64\shell32.dll.exe
2015-04-07 06:08 - 2015-04-07 06:08 - 00870912 _____ () C:\Users\ACG\Downloads\UniversalTermsrvPatch_20090425.zip.exe
2015-04-07 06:08 - 2015-04-07 06:08 - 00751104 _____ () C:\Users\pc5\Documents\- Estimate # 10595.pdf.exe
2015-04-07 06:08 - 2015-04-07 06:08 - 00749056 _____ () C:\Users\pc5\Documents\- Estimate # 10649.pdf.exe
2015-04-07 05:53 - 2015-04-13 11:41 - 01513172 _____ () C:\ProgramData\ysEQ.txt
2015-04-07 05:53 - 2015-04-13 11:15 - 00000000 __SHD () C:\Users\pc1\zWcoogUc
2015-04-07 05:53 - 2015-04-07 16:11 - 00000000 __SHD () C:\ProgramData\NqgoYoAQ
2015-04-07 05:53 - 2015-04-07 15:36 - 00000000 __SHD () C:\ProgramData\OKssEIwc
2015-04-07 01:50 - 2015-04-07 01:50 - 00000000 ____D () C:\Users\ACG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC
2015-04-07 00:03 - 2015-04-07 02:11 - 00000000 ___RD () C:\Users\ACG\Virtual Machines
2015-04-06 23:47 - 2015-04-06 23:51 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\tr-TR
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\th-TH
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\ro-RO
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\he-IL
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\ar-SA
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Program Files (x86)\Windows Virtual PC
2015-04-06 23:45 - 2010-11-20 09:34 - 00360832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpcvmm.sys
2015-04-06 23:45 - 2010-11-20 09:34 - 00194944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpchbus.sys
2015-04-06 23:45 - 2010-11-20 09:27 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\vpchbuspipe.dll
2015-04-06 23:45 - 2010-11-20 09:25 - 04514816 _____ (Microsoft Corporation) C:\Windows\system32\vpc.exe
2015-04-06 23:45 - 2010-11-20 09:25 - 02264064 _____ (Microsoft Corporation) C:\Windows\system32\VPCWizard.exe
2015-04-06 23:45 - 2010-11-20 09:25 - 01369600 _____ (Microsoft Corporation) C:\Windows\system32\VPCSettings.exe
2015-04-06 23:45 - 2010-11-20 07:37 - 01210368 _____ (Microsoft Corporation) C:\Windows\system32\VMWindow.exe
2015-04-06 23:45 - 2010-11-20 07:37 - 00936448 _____ (Microsoft Corporation) C:\Windows\system32\vmsal.exe
2015-04-06 23:45 - 2010-11-20 07:35 - 00562176 _____ (Microsoft Corporation) C:\Windows\system32\VMCPropertyHandler.dll
2015-04-06 23:45 - 2010-11-20 07:35 - 00095232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpcusb.sys
2015-04-06 23:45 - 2010-11-20 07:35 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpcnfltr.sys
2015-04-06 23:45 - 2010-11-20 06:52 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vmsal.exe
2015-04-06 23:30 - 2015-04-06 23:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-04-06 23:30 - 2015-04-06 23:30 - 00000000 ____D () C:\Program Files\7-Zip
2015-04-06 21:38 - 2015-04-06 21:49 - 1615949824 _____ () C:\Users\ACG\Downloads\GRMHVxFRE1_DVD.iso
2015-04-06 21:31 - 2015-04-06 21:31 - 00000000 ____D () C:\Program Files\Hyper-V
2015-04-06 21:19 - 2010-11-20 08:15 - 00196096 _____ (Microsoft Corporation) C:\Windows\system32\RemoteFileBrowse.dll
2015-04-06 21:18 - 2009-07-13 21:41 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\rsatclient.dll
2015-04-06 08:14 - 2015-04-06 08:14 - 00002303 _____ () C:\Users\pc1\Desktop\Google Chrome.lnk
2015-04-06 08:14 - 2015-04-06 08:14 - 00000000 ____D () C:\Users\pc1\AppData\Local\Google
2015-04-02 15:04 - 2015-04-02 15:04 - 00003056 _____ () C:\Windows\System32\Tasks\Mapping
2015-04-02 14:59 - 2015-04-02 15:00 - 00000097 _____ () C:\mapping.bat
2015-03-19 19:29 - 2015-04-06 23:49 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-19 19:29 - 2015-04-06 23:49 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-19 19:29 - 2015-04-02 15:04 - 00003900 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-03-19 19:29 - 2015-04-02 15:04 - 00003648 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-03-19 19:29 - 2015-03-19 19:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-03-19 19:29 - 2015-03-19 19:29 - 00000000 ____D () C:\Program Files (x86)\Google
2015-03-19 19:28 - 2015-03-19 19:29 - 00000000 ____D () C:\Users\ACG\AppData\Local\Google
2015-03-16 12:09 - 2015-03-16 12:09 - 00000000 ____D () C:\Users\ACG\Documents\Network Monitor 3
2015-03-16 12:09 - 2015-03-16 12:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Network Monitor 3.4
2015-03-16 12:09 - 2015-03-16 12:09 - 00000000 ____D () C:\Program Files\Microsoft Network Monitor 3
2015-03-16 11:45 - 2015-03-16 11:45 - 00000963 ____N () C:\Users\ACG\Desktop\LinodeDDNS - Shortcut.lnk
2015-03-16 11:44 - 2015-04-07 16:16 - 00000000 ____D () C:\Linode
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-14 09:40 - 2012-11-30 14:01 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-14 09:37 - 2012-10-01 11:52 - 00000000 ____D () C:\QB
2015-04-14 09:37 - 2011-05-09 15:22 - 00000528 _____ () C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2015-04-14 09:35 - 2011-05-09 15:22 - 00000382 _____ () C:\Windows\Tasks\SystemToolsDailyTest.job
2015-04-14 02:38 - 2011-05-09 15:15 - 02087360 _____ () C:\Windows\WindowsUpdate.log
2015-04-13 12:03 - 2009-07-14 01:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-04-13 12:02 - 2012-03-20 15:05 - 00000000 ____D () C:\ProgramData\Mitchell
2015-04-13 12:01 - 2012-03-15 12:07 - 00000000 ____D () C:\Mitchell
2015-04-13 12:00 - 2013-04-23 16:00 - 00001912 _____ () C:\Users\Public\Desktop\Mitchell Estimating.lnk
2015-04-13 12:00 - 2012-03-20 13:54 - 00000479 _____ () C:\Windows\ODBC.INI
2015-04-13 11:58 - 2015-02-16 06:49 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2015-04-13 11:53 - 2012-03-15 11:58 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-04-13 11:15 - 2015-03-12 17:19 - 00000000 ____D () C:\Program Files (x86)\Estimate Review
2015-04-10 03:36 - 2015-03-07 14:05 - 00002242 ____H () C:\Users\ACG\Documents\Default.rdp
2015-04-07 19:06 - 2012-03-15 10:57 - 00000000 ____D () C:\Users\ACG\AppData\Local\Deployment
2015-04-07 17:35 - 2014-05-07 15:51 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-04-07 16:25 - 2009-07-14 00:45 - 00028368 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-07 16:25 - 2009-07-14 00:45 - 00028368 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-07 16:21 - 2009-07-14 01:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-07 16:16 - 2014-01-22 04:25 - 00001048 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-04-07 16:16 - 2014-01-22 04:25 - 00001032 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-04-07 16:16 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-07 16:16 - 2009-07-14 00:51 - 00054949 _____ () C:\Windows\setupact.log
2015-04-07 09:40 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2015-04-07 08:27 - 2012-03-14 22:39 - 00000000 ____D () C:\Users\ACG
2015-04-07 08:25 - 2015-03-02 02:29 - 00000000 ____D () C:\Users\pc5
2015-04-07 07:53 - 2015-03-02 02:18 - 00000000 ____D () C:\Users\pc1
2015-04-07 06:08 - 2015-03-11 10:52 - 07397376 _____ () C:\Users\pc1\Desktop\SetupSMCC138.exe
2015-04-07 06:08 - 2014-06-18 09:13 - 00845312 _____ () C:\Users\ACG\Downloads\ipscan221.exe
2015-04-07 06:08 - 2013-11-01 09:44 - 04119552 _____ () C:\Users\ACG\Downloads\avg_remover_stf_x64_2014_4116.exe
2015-04-07 06:08 - 2012-12-18 17:51 - 00000000 ___RD () C:\Users\ACG\My Cubby
2015-04-07 06:08 - 2012-12-14 15:17 - 19465728 _____ () C:\Users\Public\Downloads\Thunderbird Setup 16.0.2.exe
2015-04-07 06:08 - 2012-12-14 15:17 - 08283136 _____ () C:\Users\Public\Downloads\InternationalPrimoPDF.exe
2015-04-07 06:08 - 2012-12-14 15:17 - 07401984 _____ () C:\Users\Public\Downloads\SetupSMCC138.exe
2015-04-07 06:08 - 2012-11-29 04:09 - 04423680 _____ () C:\Users\ACG\Downloads\UltraVNC_1_1_8_X64_Setup.exe
2015-04-07 05:53 - 2015-03-12 16:50 - 00000000 ____D () C:\Estimate Review
2015-04-07 05:53 - 2011-05-09 15:50 - 00000000 ____D () C:\mfg
2015-04-07 05:53 - 2011-05-09 15:25 - 00000000 ____D () C:\Books
2015-04-07 00:03 - 2015-03-02 02:43 - 00000000 ____D () C:\Users\ACG\AppData\Local\Adobe
2015-04-07 00:01 - 2012-11-30 14:01 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-04-07 00:00 - 2012-11-30 14:01 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-04-07 00:00 - 2012-11-30 14:01 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-06 23:49 - 2012-03-15 12:03 - 00241440 _____ () C:\Windows\PFRO.log
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\tr-TR
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\th-TH
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\ro-RO
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\he-IL
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\ar-SA
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\tr-TR
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\th-TH
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\ro-RO
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\he-IL
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\ar-SA
2015-04-06 21:28 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\zh-HK
2015-03-31 21:39 - 2015-02-16 06:49 - 00001015 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk
2015-03-18 12:00 - 2011-05-09 15:13 - 00000000 ____D () C:\swshare
2015-03-16 11:58 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
 
==================== Files in the root of some directories =======
 
2015-02-18 09:30 - 2015-03-02 00:27 - 0007589 _____ () C:\Users\ACG\AppData\Local\Resmon.ResmonCfg
2015-04-07 05:53 - 2015-04-13 11:41 - 1513172 _____ () C:\ProgramData\ysEQ.txt
 
Some content of TEMP:
====================
C:\Users\ACG\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exe
C:\Users\ACG\AppData\Local\Temp\Abspdf.exe
C:\Users\ACG\AppData\Local\Temp\acfpdfu.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfuamd64.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfui.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfuia64.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfuiamd64.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfuiia64.dll
C:\Users\ACG\AppData\Local\Temp\cdintf.dll
C:\Users\ACG\AppData\Local\Temp\Intercep.exe.exe
C:\Users\ACG\AppData\Local\Temp\LinodeDDNS.exe
C:\Users\ACG\AppData\Local\Temp\MSN37E3.exe
C:\Users\ACG\AppData\Local\Temp\PDFPRT400.exe
C:\Users\ACG\AppData\Local\Temp\util_frlock.exe
C:\Users\ACG\AppData\Local\Temp\xmllite.dll
C:\Users\pc5\AppData\Local\Temp\Estimate.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-14 00:44
 
==================== End Of Log ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-04-2015
Ran by ACG at 2015-04-14 09:42:11
Running from C:\Users\ACG\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.38 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0938-000001000000}) (Version: 9.38.00.0 - Igor Pavlov)
Adobe Flash Player 10 Plugin (HKLM-x32\...\{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}) (Version: 10.0.32.18 - Adobe Systems, Inc.)
Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.134 - Adobe Systems Incorporated)
Adobe Reader 9.1 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A91000000001}) (Version: 9.1.0 - Adobe Systems Incorporated)
Burn.Now 4.5 (x32 Version: 4.5.0 - Corel Corporation) Hidden
Compliance Utility - Workstation 4.4.0 (HKLM-x32\...\{9EE45AEF-2726-4997-BBBE-3F2F817F141E}) (Version: 4.4.0 - Mitchell International)
Corel Burn.Now Lenovo Edition (HKLM-x32\...\InstallShield_{A3BE3F1E-2472-4211-8735-E8239BE49D9F}) (Version: 4.5.0 - Corel Corporation)
Corel DVD MovieFactory 7 (x32 Version: 7.0.0 - Corel Corporation) Hidden
Corel DVD MovieFactory Lenovo Edition (HKLM-x32\...\InstallShield_{50F68032-B5B7-4513-9116-C978DBD8F27A}) (Version: 7.0.0 - Corel Corporation)
CrashPlan (HKLM\...\{F80817FB-59A8-4591-AFB3-A8949D573B87}) (Version: 3.6.3 - Code 42 Software)
Create Recovery Media (HKLM-x32\...\{50DC5136-21E8-48BC-97E5-1AD055F6B0B6}) (Version: 1.20.0.00 - Lenovo Group Limited)
Crystal Reports Basic Runtime for Visual Studio 2008 (HKLM-x32\...\{CE26F10F-C80F-4377-908B-1B7882AE2CE3}) (Version: 10.5.0.0 - Business Objects)
DIBS (x32 Version: 1.7.0 - DDNI) Hidden
Direct DiscRecorder (x32 Version: 1.00.0000 - Corel Corporation) Hidden
EasySync CryptoMonitor (HKLM-x32\...\EasySync CryptoMonitor 2.0.210.0) (Version: 2.0.210.0 - EasySync Solutions)
EasySync CryptoMonitor (Version: 2.0.210.0 - EasySync Solutions) Hidden
eClaim Manager (x32 Version: 3.6.6 - Mitchell International) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.118 - Google Inc.)
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
GoToAssist Corporate (HKLM-x32\...\GoToAssist) (Version: 10.4.0.917 - Citrix Online, a division of Citrix Systems, Inc.)
Infinity (HKLM-x32\...\{A46483E3-8A48-4C67-A0AE-84F16EDA37B7}) (Version: 11.4.3.3 - YADA Systems, Inc.)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Graphics Media Accelerator Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2025 - Intel Corporation)
Lenovo Idea Notes (HKLM-x32\...\{C0C17EF3-83ED-4956-8638-7354EBE7FFFF}) (Version: 1.6.0.0 - DDNI)
Lenovo Slim USB Keyboard (HKLM\...\{494D80C4-3557-4D73-A153-65FE4B3ECDC3}) (Version: 1.05 - Lenovo)
Lenovo ThinkVantage Toolbox (HKLM\...\PC-Doctor for Windows) (Version: 6.0.5717.21 - PC-Doctor, Inc.)
Lenovo Welcome (HKLM-x32\...\{67708668-13ED-4CB3-B01F-EEE6155020A7}) (Version: 1.7.5.10 - DDNI)
Lenovo Welcome (HKLM-x32\...\Lenovo Welcome_is1) (Version:  - Lenovo)
LogMeIn (HKLM-x32\...\{2BFDA78F-39F7-4537-9995-71424CFA88BB}) (Version: 4.1.2138 - LogMeIn, Inc.)
Magical Jelly Bean KeyFinder (HKLM-x32\...\KeyFinder_is1) (Version: 2.0.10.9 - Magical Jelly Bean)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.0.0.1034 - Marvell)
Message Center Plus (HKLM-x32\...\{FD331A3B-F7A5-4C31-B8D4-DF413C85AF7A}) (Version: 2.0.0012.00 - Lenovo Group Limited)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Network Monitor 3.4 (HKLM\...\{8C5B5A11-CBF8-451B-B201-77FAB0D0B77D}) (Version: 3.4.2350.0 - Microsoft Corporation)
Microsoft Network Monitor: NetworkMonitor Parsers 3.4 (HKLM\...\{963E5FEB-1367-46B9-851D-A957F1A3747F}) (Version: 3.4.2350.0 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 ENU (HKLM-x32\...\{3A9FC03D-C685-4831-94CF-4EDFD3749497}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mitchell Communications 1.9.147 (HKLM-x32\...\{58E92AFC-88BC-46BD-90F1-B2DB35B629EA}) (Version: 1.9.147 - Mitchell International)
Mitchell eClaim Manager 3.6.6 (HKLM-x32\...\InstallShield_{9D8ADF32-1222-49CA-8D5F-BAA57196531B}) (Version: 3.6.6 - Mitchell International)
Mitchell Estimating 7.1.177 (HKLM-x32\...\{F2BE3ADF-2239-4000-897D-32AD57087A23}) (Version: 7.1.177 - Mitchell International)
MSXML 4.0 SP2 (KB941833) (HKLM-x32\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
PDF-XChange 4 (HKLM\...\{EA08048C-3823-4DC8-B169-1D5D11FFC19F}_is1) (Version: 4.0.195.0 - Tracker Software Products Ltd)
PNDataService (HKLM-x32\...\{623AE57B-DC99-43AB-9301-A8945B75EA33}) (Version: 9.0.0.1323 - YADA Systems, Inc.)
ProfitNet DBUtilities and Relay (HKLM-x32\...\{DC2482CD-1921-4E4D-B22A-53C1C543A972}) (Version: 9.0.0.1403 - YADA Systems, Inc)
QuickBooks (x32 Version: 22.0.4005.2206 - Intuit Canada ULC) Hidden
QuickBooks (x32 Version: 23.0.4003.2305 - Intuit Canada ULC) Hidden
QuickBooks Enterprise Server 12.0 (HKLM-x32\...\{2F4E29A0-0A9D-41AE-92AD-2902FE3F7D53}) (Version: 22.0.4005.2206 - Intuit Canada ULC)
QuickBooks Enterprise Server 13.0 (HKLM-x32\...\{370C7AA5-27C6-4BE4-A32E-F5B6501F6FE3}) (Version: 23.0.4003.2305 - Intuit Canada ULC)
Raster-XChange (HKLM\...\Raster-XChange_is1) (Version: 1.10.0057.0000 - Tracker Software)
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.11.1127.2009 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6024 - Realtek Semiconductor Corp.)
Rescue and Recovery (HKLM-x32\...\{B383F243-0ABC-4E56-AA30-923B8D85076E}) (Version: 4.30.0025.00 - Lenovo Group Limited)
System Update (HKLM-x32\...\{25C64847-B900-48AD-A164-1B4F9B774650}) (Version: 4.00.0032 - Lenovo)
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.40798 - TeamViewer)
ThinkVantage Power Manager (HKLM-x32\...\{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}) (Version: 1.02.0015 - Lenovo Group Limited)
True Image 2013 (HKLM-x32\...\{ADAEEC53-24AF-4A49-B872-75FCBDA59916}Visible) (Version: 16.0.5551 - Acronis)
True Image 2013 (x32 Version: 16.0.5551 - Acronis) Hidden
UltraVnc (HKLM\...\Ultravnc2_is1) (Version: 1.1.8 - uvnc bvba)
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows Driver Package - Intel Corporation (igfx) Display  (12/18/2009 8.15.10.2025) (HKLM\...\6F990E6891C30B876DC65CD55006B38F2CA7A292) (Version: 12/18/2009 8.15.10.2025 - Intel Corporation)
Windows Driver Package - Realtek (RTL8167) Net  (11/27/2009 7.011.1127.2009) (HKLM\...\4A6263828F32211742974C677F066151C53114B7) (Version: 11/27/2009 7.011.1127.2009 - Realtek)
Windows Driver Package - Realtek Semiconductor Corp. HD Audio Driver (01/12/2010 6.0.1.6024) (HKLM\...\456D70BDB547B334625B4BDDCAFAD194FC8DAD93) (Version: 01/12/2010 6.0.1.6024 - Realtek Semiconductor Corp.)
Windows Driver Package - Realtek Semiconductor Corp. HD Audio Driver (01/12/2010 6.0.1.6024) (HKLM\...\BD9DEB93FCF1F953DA0A954F8C17AB5C6BFDBF1C) (Version: 01/12/2010 6.0.1.6024 - Realtek Semiconductor Corp.)
WinRAR archiver (HKLM-x32\...\WinRAR archiver) (Version:  - )
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:34 - 2012-03-20 14:05 - 00000853 ____N C:\Windows\system32\Drivers\etc\hosts
192.168.1.5   pnserver
   
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {15495CFB-3ABF-4F4F-A62B-38265EE49B06} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\PC-Doctor\uaclauncher.exe [2010-11-11] (PC-Doctor, Inc.)
Task: {1ADF2DF5-461C-4E8D-ACA8-050F8C91976A} - System32\Tasks\Mapping => C:\mapping.bat [2015-04-02] ()
Task: {1C498528-12DC-479C-9A6F-468F80841D60} - System32\Tasks\TVT\ChangePWD => %RR%\rrcmd.exe
Task: {2077F217-C293-4DC2-9780-FB0ED45417A3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-03-19] (Google Inc.)
Task: {35321211-2689-4EC9-AB75-CA0B128DFF17} - System32\Tasks\TVT\UpdateRnR => %TVTCOMMON%\Scheduler\tvtsetsched.exe
Task: {3C7C458A-0D0B-4504-809C-397E71D36B3A} - System32\Tasks\{2F450035-3773-4B28-B56C-6073FB93223E} => pcalua.exe -a "C:\Users\ACG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PU06VYO1\SetupSMCC138.exe" -d C:\Users\ACG\Desktop
Task: {522C99D6-7DC4-4AF9-9F3C-18093807296A} - System32\Tasks\PCDEventLauncher => C:\Program Files\PC-Doctor\sessionchecker.exe [2010-11-11] ()
Task: {86E77E50-89A4-477D-AD7E-733FBB7C031C} - System32\Tasks\SystemToolsDailyTest => C:\Program Files\PC-Doctor\pcdrcui.exe [2010-11-11] (PC-Doctor, Inc.)
Task: {B19445DF-F564-4BDF-ACC5-E2E374CCCC62} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-07] (Adobe Systems Incorporated)
Task: {C57630D3-D06D-4D23-8970-C552BB667ED7} - System32\Tasks\realtekHDAudio => c:\program files\realtek\audio\hda\rthdvcpl.exe
Task: {C8475182-C797-4873-A645-5CEE8218EE74} - System32\Tasks\TVT\LaunchRnR => %RR%\rrcmd.exe
Task: {DF88E3DA-25CF-4C65-8192-21EF5FDF60AA} - System32\Tasks\PMTask => C:\Program Files (x86)\ThinkPad\Utilities\PWMIDTSV.EXE [2010-03-05] (Lenovo Group Limited)
Task: {E03A559F-E42B-4830-B5D1-831BA2183245} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-03-19] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job => C:\Program Files\PC-Doctor\uaclauncher.exeq-backgroundmon scripts\backgroundmon.xml
Task: C:\Windows\Tasks\SystemToolsDailyTest.job => C:\Program Files\PC-Doctor\pcdrcui.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2015-03-01 21:18 - 2008-06-20 01:41 - 00062464 _____ () C:\Program Files (x86)\WinRAR\rarext64.dll
2009-05-28 01:09 - 2009-05-28 01:09 - 00049976 ____N () C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
2014-06-26 15:07 - 2014-06-26 15:07 - 00014848 ____N () C:\Program Files\CrashPlan\md564.dll
2015-01-14 04:18 - 2015-01-14 04:18 - 00230400 ____N () C:\Program Files\CrashPlan\cpnative64.dll
2011-05-09 15:11 - 2010-03-03 13:02 - 00029184 ____N () C:\Program Files (x86)\ThinkPad\Utilities\US\PWMRT64V.DLL
2010-05-04 13:47 - 2010-05-04 13:47 - 00137216 ____N () C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
2012-08-23 01:32 - 2012-08-23 01:32 - 01525120 ____N () C:\Program Files (x86)\Common Files\Acronis\Home\icudt38.dll
2012-08-23 01:42 - 2012-08-23 01:42 - 00435584 ____N () C:\Program Files (x86)\Common Files\Acronis\Home\ulxmlrpcpp.dll
2014-07-08 19:15 - 2014-07-08 19:15 - 00013312 ____N () C:\Windows\assembly\GAC_MSIL\Mitchell.Platform.Appraisal.PendingAlerts\2.0.0.0__3bc11c3cab893eca\Mitchell.Platform.Appraisal.PendingAlerts.dll
2014-07-08 19:15 - 2014-07-08 19:15 - 00023040 ____N () C:\Windows\assembly\GAC_MSIL\Mitchell.Platform.Appraisal.Proxies.ServerProxy\2.0.0.0__0c4eff60b07f2fab\Mitchell.Platform.Appraisal.Proxies.ServerProxy.dll
2011-10-12 01:48 - 2011-10-12 01:48 - 00372736 ____N () C:\Program Files (x86)\Mitchell\Communications\McUmPgExtDb.dll
2012-08-23 02:12 - 2012-08-23 02:12 - 00019840 ____N () C:\Program Files (x86)\Acronis\TrueImageHome\ti_managers_proxy_stub.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\ACG\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Mitchell Communications Alert Checker.lnk => C:\Windows\pss\Mitchell Communications Alert Checker.lnk.CommonStartup
MSCONFIG\startupreg: cgUkMIwc.exe => C:\ProgramData\OKssEIwc\cgUkMIwc.exe
MSCONFIG\startupreg: EstimateReview => C:\Program Files (x86)\Estimate Review\Estimate Review.exe
MSCONFIG\startupreg: McDm => C:\Program Files (x86)\Mitchell\Communications\McDm.exe -StartUp
MSCONFIG\startupreg: qAUMUkQo.exe => C:\Users\ACG\zWcoogUc\qAUMUkQo.exe
MSCONFIG\startupreg: Skd8821 => C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Skd8821.exe
 
==================== Accounts: =============================
 
ACG (S-1-5-21-3660415269-4154276828-4034450638-1000 - Administrator - Enabled) => C:\Users\ACG
Admin (S-1-5-21-3660415269-4154276828-4034450638-1022 - Administrator - Enabled)
Administrator (S-1-5-21-3660415269-4154276828-4034450638-500 - Administrator - Disabled)
Guest (S-1-5-21-3660415269-4154276828-4034450638-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-3660415269-4154276828-4034450638-1002 - Limited - Enabled)
LogMeInRemoteUser (S-1-5-21-3660415269-4154276828-4034450638-1003 - Administrator - Enabled) => C:\Users\LogMeInRemoteUser
QBDataServiceUser22 (S-1-5-21-3660415269-4154276828-4034450638-1004 - Limited - Enabled) => C:\Users\QBDataServiceUser22
QBDataServiceUser23 (S-1-5-21-3660415269-4154276828-4034450638-1005 - Limited - Enabled) => C:\Users\QBDataServiceUser23
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/14/2015 02:38:07 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x80070422).
 
Error: (04/14/2015 00:00:00 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).
 
Error: (04/13/2015 00:03:49 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\msiexec.exe /V; Description = Installed EasySync CryptoMonitor; Error = 0x80070422).
 
Error: (04/13/2015 00:03:39 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\msiexec.exe /V; Description = Installed EasySync CryptoMonitor; Error = 0x80070422).
 
Error: (04/13/2015 00:03:39 PM) (Source: MsiInstaller) (EventID: 11500) (User: pnserver)
Description: Product: EasySync CryptoMonitor -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one.
 
Error: (04/13/2015 00:00:00 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).
 
Error: (04/12/2015 00:00:00 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).
 
Error: (04/11/2015 08:15:23 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.
 
Error: (04/11/2015 08:14:37 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.
 
Error: (04/11/2015 08:14:16 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.
 
 
System errors:
=============
Error: (04/14/2015 09:42:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
Error: (04/14/2015 09:24:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
Error: (04/14/2015 09:23:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
Error: (04/14/2015 09:22:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
Error: (04/14/2015 09:10:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
Error: (04/14/2015 08:46:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
Error: (04/14/2015 08:38:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
Error: (04/14/2015 08:11:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
Error: (04/14/2015 08:07:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
Error: (04/14/2015 08:00:00 AM) (Source: srv) (EventID: 2017) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
 
 
Microsoft Office Sessions:
=========================
Error: (04/14/2015 02:38:07 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x80070422
 
Error: (04/14/2015 00:00:00 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationScheduled Checkpoint0x80070422
 
Error: (04/13/2015 00:03:49 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\msiexec.exe /VInstalled EasySync CryptoMonitor0x80070422
 
Error: (04/13/2015 00:03:39 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\msiexec.exe /VInstalled EasySync CryptoMonitor0x80070422
 
Error: (04/13/2015 00:03:39 PM) (Source: MsiInstaller) (EventID: 11500) (User: pnserver)
Description: Product: EasySync CryptoMonitor -- Error 1500. Another installation is in progress. You must complete that installation before continuing this one.(NULL)(NULL)(NULL)(NULL)(NULL)
 
Error: (04/13/2015 00:00:00 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationScheduled Checkpoint0x80070422
 
Error: (04/12/2015 00:00:00 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationScheduled Checkpoint0x80070422
 
Error: (04/11/2015 08:15:23 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 
 
Error: (04/11/2015 08:14:37 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 
 
Error: (04/11/2015 08:14:16 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 
 
 
CodeIntegrity Errors:
===================================
  Date: 2015-04-13 11:38:57.131
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-04-13 11:28:54.878
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-04-13 11:15:52.205
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-04-13 09:18:57.014
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-04-10 02:57:00.762
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-04-07 23:02:13.626
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-04-07 22:38:03.730
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-04-07 22:18:06.334
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-04-07 20:01:22.702
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-04-07 19:50:05.707
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: AMD Phenom™ II X6 1055T Processor
Percentage of memory in use: 32%
Total physical RAM: 7927.76 MB
Available physical RAM: 5372.6 MB
Total Pagefile: 15853.7 MB
Available Pagefile: 12566.1 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB
 
==================== Drives ================================
 
Drive c: (Windows7_OS) (Fixed) (Total:454.76 GB) (Free:160.91 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (picture) (Fixed) (Total:931.51 GB) (Free:915.63 GB) NTFS
Drive e: (MITCHELL ESTIMATING) (CDROM) (Total:3.93 GB) (Free:0 GB) UDF
Drive f: (Backup) (Fixed) (Total:107.42 GB) (Free:107.33 GB) NTFS
Drive m: (Windows7_OS) (Fixed) (Total:454.76 GB) (Free:160.91 GB) NTFS
Drive q: (Lenovo_Recovery) (Fixed) (Total:9.77 GB) (Free:2.9 GB) NTFS
Drive y: (Windows7_OS) (Fixed) (Total:454.76 GB) (Free:160.91 GB) NTFS
Drive z: (Windows7_OS) (Fixed) (Total:454.76 GB) (Free:160.91 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.7 GB) (Disk ID: 1AC4FDF8)
Partition 1: (Active) - (Size=1.2 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=454.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=9.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: F42EFDD1)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (Size: 114.5 GB) (Disk ID: 888A353F)
Partition 1: (Not Active) - (Size=107.4 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================



Edited by xXToffeeXx, 20 April 2015 - 11:08 AM.
Posted logs for ease~


#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,743 posts
  • Gender:Male
  • Local time:09:50 AM

Posted 18 April 2015 - 09:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/573094 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your destop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 mrfssd

Topic Starter

Posted 18 April 2015 - 09:20 AM

Ok.. Still needed help here.. Btw have Windows 7 disc

#5 xXToffeeXx

Malware Response Instructor

Posted 20 April 2015 - 12:19 PM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now

==========================
 
Hi mrfssd,

We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
HKLM-x32\...\Run: [cgUkMIwc.exe] => C:\ProgramData\OKssEIwc\cgUkMIwc.exe [0 2015-04-07] ()
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\ProgramData\OKssEIwc\cgUkMIwc.exe,
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\OKssEIwc\cgUkMIwc.exe, [X]
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\Run: [qAUMUkQo.exe] => C:\Users\ACG\zWcoogUc\qAUMUkQo.exe [0 2015-04-07] ()
HKU\S-1-5-21-3660415269-4154276828-4034450638-1004\...\RunOnce: [] => [X]
HKU\S-1-5-21-3660415269-4154276828-4034450638-1005\...\RunOnce: [] => [X]
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3660415269-4154276828-4034450638-1000 -> {FCC98A3E-AC30-4D7C-826B-A8C881823BC7} URL = 
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO-x32: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files (x86)\AVG\AVG2012\avgssie.dll No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
S2 TYYsoYLC; C:\ProgramData\NqgoYoAQ\AaQsoEMk.exe [0 2015-04-07] () <==== ATTENTION (zero size file/folder)
S4 LMIRfsClientNP; No ImagePath
2015-04-13 11:54 - 2015-04-13 11:54 - 00000000 _____ () C:\Windows\util_frlock.INI
2015-04-07 08:38 - 2015-04-07 08:38 - 00844800 _____ () C:\Windows\SysWOW64\cQcK.exe
2015-04-07 08:27 - 2015-04-07 16:14 - 00000000 __SHD () C:\Users\ACG\zWcoogUc
2015-04-07 08:25 - 2015-04-13 11:28 - 00000000 __SHD () C:\Users\pc5\zWcoogUc
2015-04-07 05:53 - 2015-04-13 11:41 - 01513172 _____ () C:\ProgramData\ysEQ.txt
2015-04-07 05:53 - 2015-04-13 11:15 - 00000000 __SHD () C:\Users\pc1\zWcoogUc
2015-04-07 05:53 - 2015-04-07 16:11 - 00000000 __SHD () C:\ProgramData\NqgoYoAQ
2015-04-07 05:53 - 2015-04-07 15:36 - 00000000 __SHD () C:\ProgramData\OKssEIwc
C:\Users\ACG\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exe
C:\Users\ACG\AppData\Local\Temp\Abspdf.exe
C:\Users\ACG\AppData\Local\Temp\acfpdfu.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfuamd64.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfui.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfuia64.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfuiamd64.dll
C:\Users\ACG\AppData\Local\Temp\acfpdfuiia64.dll
C:\Users\ACG\AppData\Local\Temp\cdintf.dll
C:\Users\ACG\AppData\Local\Temp\Intercep.exe.exe
C:\Users\ACG\AppData\Local\Temp\LinodeDDNS.exe
C:\Users\ACG\AppData\Local\Temp\MSN37E3.exe
C:\Users\ACG\AppData\Local\Temp\PDFPRT400.exe
C:\Users\ACG\AppData\Local\Temp\util_frlock.exe
C:\Users\ACG\AppData\Local\Temp\xmllite.dll
C:\Users\pc5\AppData\Local\Temp\Estimate.exe
Folder: C:\yadaapps
Folder: C:\Program Files (x86)\Mitchell
Folder: C:\Windows\Installer\{9EE45AEF-2726-4997-BBBE-3F2F817F141E}
Folder: C:\Linode
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location, or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~
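The fixlist above removes a Winlogon Userinit hijack and several zero-size autorun targets. The following is an added example, not code from this thread or from FRST, that runs three defender-side checks over FRST-style lines: a Userinit value launching anything besides userinit.exe, Run/RunOnce/service targets with a bracketed size of 0, and targets under ProgramData or a user profile with no publisher string. The regexes are my own assumptions about FRST's text format, derived from the lines quoted in the thread; the sample input reuses lines from the fixlist and FRST log plus two constructed control lines.

```python
"""Flag suspicious autorun entries in FRST (Farbar Recovery Scan Tool) output.

Added example, not code from the thread or from FRST. Checks applied:
  1. Winlogon Userinit value that launches anything besides userinit.exe
     (the hijack seen in the fixlist above),
  2. Run/RunOnce/service targets whose bracketed size is 0, i.e. the file
     is missing or empty (FRST itself marks some of these with ATTENTION),
  3. targets under ProgramData or a user profile that carry no publisher
     string, which FRST shows as "()".
The line patterns are assumptions about FRST's text format inferred from
the lines quoted in the thread, not an official grammar.
"""
import re

# Constructed sample: lines 1-5 are copied from the fixlist in the thread,
# line 6 from the FRST log; the last two are benign/suspicious controls
# written for this example.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [cgUkMIwc.exe] => C:\ProgramData\OKssEIwc\cgUkMIwc.exe [0 2015-04-07] ()
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\ProgramData\OKssEIwc\cgUkMIwc.exe,
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\OKssEIwc\cgUkMIwc.exe, [X]
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\Run: [qAUMUkQo.exe] => C:\Users\ACG\zWcoogUc\qAUMUkQo.exe [0 2015-04-07] ()
S2 TYYsoYLC; C:\ProgramData\NqgoYoAQ\AaQsoEMk.exe [0 2015-04-07] () <==== ATTENTION (zero size file/folder)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\Run: [Updater] => C:\Users\ACG\AppData\Local\Temp\Updater.exe [123456 2015-04-07] ()
"""

# "...\Winlogon: [Userinit] <comma-separated programs>[ [X]]"
USERINIT_RE = re.compile(r"\\Winlogon: \[Userinit\] (?P<value>.+?)(?: \[X\])?$")

# Run/RunOnce rows ("HKLM\...\Run: [name] => path [size date] (publisher)")
# and service/driver rows ("S2 name; path [size date] (publisher)").
TARGET_RE = re.compile(
    r"^(?:(?:HKLM|HKU\\[^\\]+)(?:-x32)?\\\.\.\.\\Run(?:Once)?: \[[^\]]*\] => "
    r"|[RS]\d \S+; )"
    r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<publisher>[^)]*)\)"
)

PROFILE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


def userinit_extras(value):
    """Return every comma-separated Userinit entry that is not userinit.exe.

    Windows runs each listed program at logon, so anything appended after
    userinit.exe is a persistence mechanism regardless of its file name.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def find_suspicious(log_text):
    """Scan FRST lines and return (reason, path) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = USERINIT_RE.search(line)
        if m:
            findings.extend(("userinit-hijack", p) for p in userinit_extras(m.group("value")))
            continue
        m = TARGET_RE.match(line)
        if not m:
            continue  # not an autorun/service row in the format parsed here
        path, size, publisher = m.group("path"), int(m.group("size")), m.group("publisher")
        if size == 0:
            findings.append(("zero-size-target", path))
        elif not publisher and path.lower().startswith(PROFILE_PREFIXES):
            findings.append(("no-publisher-in-profile", path))
    return findings


if __name__ == "__main__":
    for reason, path in find_suspicious(SAMPLE_LOG):
        print(f"{reason:24} {path}")
```

To use it on a real report, read FRST.txt into a string and pass it to find_suspicious; the publisher check is a heuristic that needs manual review, since legitimate software sometimes ships without version-info company names.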


#6 xXToffeeXx


Posted 23 April 2015 - 09:55 AM

Hi mrfssd,
 
This is a 3 day bump:
 
It has been 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

xXToffeeXx~




#7 mrfssd


Posted 25 April 2015 - 11:35 AM

Sorry.. was not able to reply till now.. I will run it tonight



#8 mrfssd


Posted 25 April 2015 - 11:50 AM

Ok.. Just ran it on the computer... However that is just one of a few computers that has been attacked via the network.

 

However beside this computer and one more computer.. that is very important.. the rest I am not worried about.  So let's get this one fixed and then we will deal with the second one.

 

The fixlog is way too big.. I have uploaded it to here https://app.box.com/s/zwn1ffuk0c3m8kx0mmfchbom6mcct7vr


Edited by mrfssd, 25 April 2015 - 11:53 AM.


#9 xXToffeeXx


Posted 26 April 2015 - 05:02 AM

Hi mrfssd,
 
No worries on the delay. 
 
Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.
 
xXToffeeXx~




#10 mrfssd


Posted 26 April 2015 - 11:34 PM

Here is the FRST log

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-04-2015
Ran by ACG (administrator) on PNSERVER on 27-04-2015 00:31:29
Running from C:\Users\ACG\Desktop
Loaded Profiles: ACG & QBDataServiceUser22 & QBDataServiceUser23 (Available profiles: ACG & LogMeInRemoteUser & QBDataServiceUser22 & QBDataServiceUser23)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(iAnywhere Solutions, Inc.) C:\Program Files (x86)\Mitchell\eClaim\ASA\dbsrv9.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Lenovo Group Limited) C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.EXE
() C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Code 42 Software) C:\Program Files\CrashPlan\CrashPlanService.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
() C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
(LITEON) C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\skdh8821.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Ulead Systems, Inc.) C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(UltraVNC) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\QBDBMgrN.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 13.0\QBDBMgrN.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\System Update\SUService.exe
(Lenovo Group Limited) C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe
(Code 42 Software, Inc.) C:\Program Files\CrashPlan\CrashPlanTray.exe
(Mitchell International) C:\Program Files (x86)\Mitchell\Communications\Mitchell.Platform.Appraisal.AlertChecker.WinApp.exe
(Mitchell International) C:\Program Files (x86)\Mitchell\Communications\McDm.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\Rescue and Recovery\rrservice.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(UltraVNC) C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [403328 2012-08-23] (Acronis)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9955872 2010-01-12] (Realtek Semiconductor)
HKLM-x32\...\Run: [PWMTRV] => rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
HKLM-x32\...\Run: [Power Manager Power Agenda] => C:\Program Files (x86)\ThinkPad\Utilities\DPMHost.EXE [72256 2010-03-05] ()
HKLM-x32\...\Run: [Message Center Plus] => C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe [49976 2009-05-28] ()
HKLM-x32\...\Run: [IdeaNotesUser] => C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [6010264 2012-08-23] (Acronis)
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [941440 2012-07-24] (Acronis)
HKLM-x32\...\Run: [EstimateReview] => C:\Program Files (x86)\Estimate Review\Estimate Review.exe [2801664 2014-01-28] (Mitchell International)
HKLM-x32\...\RunOnce: [LaunchMissedRnRScheduler] => C:\Program Files (x86)\Lenovo\Rescue and Recovery\rrstrigger.exe [21304 2009-08-28] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\917\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\Run: [AVG-Secure-Search-Update_0913b] => C:\Users\ACG\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid 2118e775a05447d0b3a5c13194131d8b-56e0008ff529b2dc8bdec8413248270b5d9fcf7e --CMPID 0913b
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\MountPoints2: {c8040a8a-c0a8-11e4-8585-806e6f6e6963} - E:\autorun.exe
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\MountPoints2: {d56214f4-6e60-11e1-9ae9-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\...\MountPoints2: {f483a63f-6ea1-11e1-9bd5-806e6f6e6963} - D:\autorun.exe
HKU\S-1-5-21-3660415269-4154276828-4034450638-1004\...\RunOnce: [Lenovoautoqdrive] => C:\Program Files (x86)\Common Files\Lenovo\LenovoDrive\LenovoAutorunreg.exe [159744 2009-03-24] ()
HKU\S-1-5-21-3660415269-4154276828-4034450638-1005\...\RunOnce: [Lenovoautoqdrive] => C:\Program Files (x86)\Common Files\Lenovo\LenovoDrive\LenovoAutorunreg.exe [159744 2009-03-24] ()
Startup: C:\Users\ACG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrashPlan Tray.lnk [2013-01-24]
ShortcutTarget: CrashPlan Tray.lnk -> C:\Program Files\CrashPlan\CrashPlanTray.exe (Code 42 Software, Inc.)
Startup: C:\Users\ACG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinodeDDNS.lnk [2015-03-16]
ShortcutTarget: LinodeDDNS.lnk -> C:\Linode\LinodeDDNS.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CrashPlan Tray.lnk [2015-04-06]
ShortcutTarget: CrashPlan Tray.lnk -> C:\Program Files\CrashPlan\CrashPlanTray.exe (Code 42 Software, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mapping.bat.lnk [2015-04-07]
ShortcutTarget: mapping.bat.lnk -> C:\mapping.bat ()
Startup: C:\Users\pc1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Compliance Utility.lnk [2015-03-12]
ShortcutTarget: Compliance Utility.lnk -> C:\Windows\Installer\{9EE45AEF-2726-4997-BBBE-3F2F817F141E}\Icon24849FC9.exe ()
Startup: C:\Users\pc5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Compliance Utility.lnk [2015-03-12]
ShortcutTarget: Compliance Utility.lnk -> C:\Windows\Installer\{9EE45AEF-2726-4997-BBBE-3F2F817F141E}\Icon24849FC9.exe ()
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2012-08-23] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2012-08-23] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2012-08-23] (Acronis)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.msn.com
HKU\S-1-5-21-3660415269-4154276828-4034450638-1000\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre
SearchScopes: HKLM -> DefaultScope {0C5FF800-7324-4DA7-B882-42B21ABABA07} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKLM -> {0C5FF800-7324-4DA7-B882-42B21ABABA07} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {FCC98A3E-AC30-4D7C-826B-A8C881823BC7} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {FCC98A3E-AC30-4D7C-826B-A8C881823BC7} URL = http://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=1081
Hosts: 192.168.1.5   pnserver
Tcpip\..\Interfaces\{C2240FA0-6C60-41BB-8F1A-4047B821F98E}: [NameServer] 192.168.1.1
 
FireFox:
========
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-19] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-19]
CHR Extension: (Google Docs) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-19]
CHR Extension: (Google Drive) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-03-19]
CHR Extension: (YouTube) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-03-19]
CHR Extension: (Google Search) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-19]
CHR Extension: (Google Sheets) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-19]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-21]
CHR Extension: (Google Wallet) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-19]
CHR Extension: (Gmail) - C:\Users\ACG\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-19]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 CrashPlanService; C:\Program Files\CrashPlan\CrashPlanService.exe [223232 2014-06-26] (Code 42 Software) [File not signed]
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [417640 2015-02-24] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [234344 2015-02-24] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
S3 PNDataService; C:\yadaapps\winpn\PNDataService\PNDataService.exe [2385408 2015-04-07] () [File not signed]
S3 PNDealerIntf; C:\YADAAPPS\winpn\serviceapp\pndealershipinterface.exe [1504768 2015-04-07] () [File not signed]
S3 PNMSGServiceAgent; C:\YADAAPPS\winpn\pnRelayService\PNMSGServiceAgent.exe [81920 2012-03-20] (YADA Systems Inc) [File not signed]
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2012-10-06] (Intuit) [File not signed]
R3 QuickBooksDB22; C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 12.0\QBDBMgrN.exe [679936 2011-04-13] (Intuit, Inc.) [File not signed]
R3 QuickBooksDB23; C:\Program Files (x86)\Intuit\QuickBooks Enterprise Solutions 13.0\QBDBMgrN.exe [679936 2012-10-06] (Intuit, Inc.) [File not signed]
R2 Sks8821; C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe [137216 2010-05-04] () [File not signed]
R2 SUService; c:\Program Files (x86)\Lenovo\System Update\SUService.exe [28672 2010-03-15] (Lenovo Group Limited) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5448976 2015-04-17] (TeamViewer GmbH)
R3 TermService; C:\Windows\System32\termsrv.dll [683520 2015-02-21] (Microsoft Corporation) [File not signed]
R2 ThinkVantage Registry Monitor Service; C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe [1019904 2009-08-28] (Lenovo Group Limited) [File not signed]
R3 TVT Backup Service; C:\Program Files (x86)\Lenovo\Rescue and Recovery\rrservice.exe [1475896 2010-07-29] (Lenovo Group Limited)
R2 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2008-01-10] (Ulead Systems, Inc.) [File not signed]
R2 uvnc_service; C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe [2190584 2012-11-23] (UltraVNC)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ASANYs_ECM3; C:\Program Files (x86)\Mitchell\eClaim\ASA\dbsrv9 -hvASANYs_ECM3 [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-06-20] (LogMeIn, Inc.)
R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [1093256 2015-02-16] (Acronis)
R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [166024 2015-02-16] (Acronis)
R2 zntport; C:\Windows\SysWow64\drivers\zntport.sys [13880 2007-12-22] (Zeal SoftStudio)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-25 12:36 - 2015-04-27 00:31 - 00000000 ____D () C:\Users\ACG\Desktop\FRST-OlderVersion
2015-04-14 09:42 - 2015-04-14 09:42 - 00027959 _____ () C:\Users\ACG\Desktop\Addition.txt
2015-04-14 09:41 - 2015-04-27 00:31 - 02101248 _____ (Farbar) C:\Users\ACG\Desktop\FRST64.exe
2015-04-14 09:41 - 2015-04-27 00:31 - 00015695 _____ () C:\Users\ACG\Desktop\FRST.txt
2015-04-14 09:41 - 2015-04-27 00:31 - 00000000 ____D () C:\FRST
2015-04-13 12:03 - 2015-04-13 12:03 - 00001299 _____ () C:\Users\Public\Desktop\CryptoMonitor.exe.lnk
2015-04-13 12:03 - 2015-04-13 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasySync CryptoMonitor
2015-04-13 12:03 - 2015-04-13 12:03 - 00000000 ____D () C:\Program Files\EasySync Solutions
2015-04-13 12:01 - 2015-04-13 12:01 - 00000000 ____D () C:\Users\ACG\AppData\Roaming\EasySync Solutions
2015-04-13 11:31 - 2010-11-20 09:25 - 00257024 _____ (Microsoft Corporation) C:\explorer.exe
2015-04-07 19:13 - 2015-04-07 19:13 - 00000008 _____ () C:\Users\ACG\Desktop\New Text Document.txt
2015-04-07 17:15 - 2015-04-07 18:18 - 00000000 ____D () C:\mb
2015-04-07 15:32 - 2015-04-07 15:32 - 00000000 ____D () C:\Windows\pss
2015-04-07 14:21 - 2015-04-13 11:22 - 00992768 _____ () C:\Users\ACG\Downloads\explorer.exe
2015-04-07 13:49 - 2015-04-07 13:49 - 00760320 _____ () C:\Users\ACG\Desktop\1.pdf.exe
2015-04-07 08:25 - 2015-04-07 08:25 - 00002303 _____ () C:\Users\pc5\Desktop\Google Chrome.lnk
2015-04-07 08:25 - 2015-04-07 08:25 - 00000000 ____D () C:\Users\pc5\AppData\Local\Google
2015-04-07 07:32 - 2015-04-07 07:32 - 13607424 _____ () C:\Windows\SysWOW64\shell32.dll.exe
2015-04-07 06:08 - 2015-04-07 06:08 - 00870912 _____ () C:\Users\ACG\Downloads\UniversalTermsrvPatch_20090425.zip.exe
2015-04-07 06:08 - 2015-04-07 06:08 - 00751104 _____ () C:\Users\pc5\Documents\- Estimate # 10595.pdf.exe
2015-04-07 06:08 - 2015-04-07 06:08 - 00749056 _____ () C:\Users\pc5\Documents\- Estimate # 10649.pdf.exe
2015-04-07 01:50 - 2015-04-07 01:50 - 00000000 ____D () C:\Users\ACG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC
2015-04-07 00:03 - 2015-04-07 02:11 - 00000000 ___RD () C:\Users\ACG\Virtual Machines
2015-04-06 23:47 - 2015-04-06 23:51 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\tr-TR
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\th-TH
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\ro-RO
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\he-IL
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Windows\system32\Drivers\ar-SA
2015-04-06 23:47 - 2015-04-06 23:47 - 00000000 ____D () C:\Program Files (x86)\Windows Virtual PC
2015-04-06 23:45 - 2010-11-20 09:34 - 00360832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpcvmm.sys
2015-04-06 23:45 - 2010-11-20 09:34 - 00194944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpchbus.sys
2015-04-06 23:45 - 2010-11-20 09:27 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\vpchbuspipe.dll
2015-04-06 23:45 - 2010-11-20 09:25 - 04514816 _____ (Microsoft Corporation) C:\Windows\system32\vpc.exe
2015-04-06 23:45 - 2010-11-20 09:25 - 02264064 _____ (Microsoft Corporation) C:\Windows\system32\VPCWizard.exe
2015-04-06 23:45 - 2010-11-20 09:25 - 01369600 _____ (Microsoft Corporation) C:\Windows\system32\VPCSettings.exe
2015-04-06 23:45 - 2010-11-20 07:37 - 01210368 _____ (Microsoft Corporation) C:\Windows\system32\VMWindow.exe
2015-04-06 23:45 - 2010-11-20 07:37 - 00936448 _____ (Microsoft Corporation) C:\Windows\system32\vmsal.exe
2015-04-06 23:45 - 2010-11-20 07:35 - 00562176 _____ (Microsoft Corporation) C:\Windows\system32\VMCPropertyHandler.dll
2015-04-06 23:45 - 2010-11-20 07:35 - 00095232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpcusb.sys
2015-04-06 23:45 - 2010-11-20 07:35 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpcnfltr.sys
2015-04-06 23:45 - 2010-11-20 06:52 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vmsal.exe
2015-04-06 23:30 - 2015-04-06 23:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-04-06 23:30 - 2015-04-06 23:30 - 00000000 ____D () C:\Program Files\7-Zip
2015-04-06 21:38 - 2015-04-06 21:49 - 1615949824 _____ () C:\Users\ACG\Downloads\GRMHVxFRE1_DVD.iso
2015-04-06 21:31 - 2015-04-06 21:31 - 00000000 ____D () C:\Program Files\Hyper-V
2015-04-06 21:19 - 2010-11-20 08:15 - 00196096 _____ (Microsoft Corporation) C:\Windows\system32\RemoteFileBrowse.dll
2015-04-06 21:18 - 2009-07-13 21:41 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\rsatclient.dll
2015-04-06 08:14 - 2015-04-06 08:14 - 00002303 _____ () C:\Users\pc1\Desktop\Google Chrome.lnk
2015-04-06 08:14 - 2015-04-06 08:14 - 00000000 ____D () C:\Users\pc1\AppData\Local\Google
2015-04-02 15:04 - 2015-04-02 15:04 - 00003056 _____ () C:\Windows\System32\Tasks\Mapping
2015-04-02 14:59 - 2015-04-02 15:00 - 00000097 _____ () C:\mapping.bat
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-27 00:31 - 2011-05-09 15:22 - 00000528 _____ () C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2015-04-27 00:29 - 2011-05-09 15:22 - 00000382 _____ () C:\Windows\Tasks\SystemToolsDailyTest.job
2015-04-26 23:40 - 2012-11-30 14:01 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-26 02:38 - 2011-05-09 15:15 - 01195394 _____ () C:\Windows\WindowsUpdate.log
2015-04-26 00:37 - 2012-03-15 11:58 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-04-25 23:36 - 2012-10-01 11:52 - 00000000 ____D () C:\QB
2015-04-25 23:32 - 2015-02-16 06:49 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2015-04-25 12:43 - 2012-03-15 12:07 - 00000000 ____D () C:\Mitchell
2015-04-25 12:43 - 2009-07-14 01:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-04-25 12:36 - 2015-03-02 02:29 - 00000000 ____D () C:\Users\pc5
2015-04-25 12:36 - 2015-03-02 02:18 - 00000000 ____D () C:\Users\pc1
2015-04-25 12:36 - 2012-03-14 22:39 - 00000000 ____D () C:\Users\ACG
2015-04-23 11:54 - 2009-07-14 00:45 - 00028368 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-23 11:54 - 2009-07-14 00:45 - 00028368 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-20 20:15 - 2015-02-16 06:49 - 00001015 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk
2015-04-16 09:40 - 2012-11-30 14:01 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-04-16 09:40 - 2012-11-30 14:01 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-16 09:40 - 2012-11-30 14:01 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-04-13 12:02 - 2012-03-20 15:05 - 00000000 ____D () C:\ProgramData\Mitchell
2015-04-13 12:00 - 2013-04-23 16:00 - 00001912 _____ () C:\Users\Public\Desktop\Mitchell Estimating.lnk
2015-04-13 12:00 - 2012-03-20 13:54 - 00000479 _____ () C:\Windows\ODBC.INI
2015-04-13 11:15 - 2015-03-12 17:19 - 00000000 ____D () C:\Program Files (x86)\Estimate Review
2015-04-10 03:36 - 2015-03-07 14:05 - 00002242 ____H () C:\Users\ACG\Documents\Default.rdp
2015-04-07 19:06 - 2012-03-15 10:57 - 00000000 ____D () C:\Users\ACG\AppData\Local\Deployment
2015-04-07 17:35 - 2014-05-07 15:51 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-04-07 16:21 - 2009-07-14 01:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-07 16:16 - 2015-03-16 11:44 - 00000000 ____D () C:\Linode
2015-04-07 16:16 - 2014-01-22 04:25 - 00001048 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-04-07 16:16 - 2014-01-22 04:25 - 00001032 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-04-07 16:16 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-07 16:16 - 2009-07-14 00:51 - 00054949 _____ () C:\Windows\setupact.log
2015-04-07 09:40 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2015-04-07 06:08 - 2015-03-11 10:52 - 07397376 _____ () C:\Users\pc1\Desktop\SetupSMCC138.exe
2015-04-07 06:08 - 2014-06-18 09:13 - 00845312 _____ () C:\Users\ACG\Downloads\ipscan221.exe
2015-04-07 06:08 - 2013-11-01 09:44 - 04119552 _____ () C:\Users\ACG\Downloads\avg_remover_stf_x64_2014_4116.exe
2015-04-07 06:08 - 2012-12-18 17:51 - 00000000 ___RD () C:\Users\ACG\My Cubby
2015-04-07 06:08 - 2012-12-14 15:17 - 19465728 _____ () C:\Users\Public\Downloads\Thunderbird Setup 16.0.2.exe
2015-04-07 06:08 - 2012-12-14 15:17 - 08283136 _____ () C:\Users\Public\Downloads\InternationalPrimoPDF.exe
2015-04-07 06:08 - 2012-12-14 15:17 - 07401984 _____ () C:\Users\Public\Downloads\SetupSMCC138.exe
2015-04-07 06:08 - 2012-11-29 04:09 - 04423680 _____ () C:\Users\ACG\Downloads\UltraVNC_1_1_8_X64_Setup.exe
2015-04-07 05:53 - 2015-03-12 16:50 - 00000000 ____D () C:\Estimate Review
2015-04-07 05:53 - 2011-05-09 15:50 - 00000000 ____D () C:\mfg
2015-04-07 05:53 - 2011-05-09 15:25 - 00000000 ____D () C:\Books
2015-04-07 00:03 - 2015-03-02 02:43 - 00000000 ____D () C:\Users\ACG\AppData\Local\Adobe
2015-04-06 23:49 - 2015-03-19 19:29 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-06 23:49 - 2015-03-19 19:29 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-06 23:49 - 2012-03-15 12:03 - 00241440 _____ () C:\Windows\PFRO.log
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\tr-TR
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\th-TH
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\ro-RO
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\he-IL
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\ar-SA
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\tr-TR
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\th-TH
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\ro-RO
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\he-IL
2015-04-06 23:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\ar-SA
2015-04-06 21:28 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\zh-HK
2015-04-02 15:04 - 2015-03-19 19:29 - 00003900 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-04-02 15:04 - 2015-03-19 19:29 - 00003648 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
 
==================== Files in the root of some directories =======
 
2015-02-18 09:30 - 2015-03-02 00:27 - 0007589 _____ () C:\Users\ACG\AppData\Local\Resmon.ResmonCfg
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-24 00:34
 
==================== End Of Log ============================

Attached File: FRST.txt (27.44KB)

Edited by xXToffeeXx, 27 April 2015 - 01:05 PM.
Posted log~


#11 xXToffeeXx


    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 27 April 2015 - 01:15 PM

Hi mrfssd,
 
We need to run a fix with FRST:

  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:

    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mapping.bat.lnk [2015-04-07]
    ShortcutTarget: mapping.bat.lnk -> C:\mapping.bat ()
    Startup: C:\Users\pc1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Compliance Utility.lnk [2015-03-12]
    ShortcutTarget: Compliance Utility.lnk -> C:\Windows\Installer\{9EE45AEF-2726-4997-BBBE-3F2F817F141E}\Icon24849FC9.exe ()
    Startup: C:\Users\pc5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Compliance Utility.lnk [2015-03-12]
    ShortcutTarget: Compliance Utility.lnk -> C:\Windows\Installer\{9EE45AEF-2726-4997-BBBE-3F2F817F141E}\Icon24849FC9.exe ()
    C:\Windows\Installer\{9EE45AEF-2726-4997-BBBE-3F2F817F141E}

  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
Please have a look at this post and see if this new version of the decrypter works for you.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~
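Before a fixlist that deletes Startup entries is applied, an administrator can list what every Startup shortcut actually launches and whether the target is signed; run on this machine it would have shown C:\mapping.bat and the Icon24849FC9.exe installer binary side by side with their signature status, which is the review that separates in-house items from malware persistence. The following PowerShell is an added example written for this thread, not part of FRST or the forum's instructions; it assumes user profiles live under C:\Users (as the paths in the log above show) and that shortcut targets are local paths.

```powershell
# Added example (not FRST code): enumerate Startup-folder shortcuts for the
# machine and for every local profile, resolve each .lnk target and report its
# Authenticode status, mirroring the "Startup:" / "ShortcutTarget:" log lines.
# Written against PowerShell 2.0-era cmdlets so it also runs on older hosts.
function Get-StartupShortcutReport {
    param(
        # Assumption: profiles live under C:\Users, as in the FRST log above.
        [string]$ProfileRoot = 'C:\Users'
    )
    $wsh = New-Object -ComObject WScript.Shell

    # Machine-wide Startup folder plus the per-user Startup folder of every profile.
    $dirs = @(Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    $dirs += Get-ChildItem -Path $ProfileRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

    foreach ($dir in ($dirs | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $links = Get-ChildItem -LiteralPath $dir -Filter '*.lnk' | Where-Object { -not $_.PSIsContainer }
        foreach ($lnk in $links) {
            $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
            if (-not $target) {
                $status = 'NoTarget'
            } elseif (-not (Test-Path -LiteralPath $target)) {
                # Dangling shortcut: the file it pointed at is gone or was never local.
                $status = 'TargetMissing'
            } else {
                # Scripts such as .bat carry no Authenticode signature and show as
                # NotSigned or UnknownError; a vendor installer binary should be Valid.
                $status = (Get-AuthenticodeSignature -FilePath $target).Status
            }
            New-Object PSObject -Property @{
                Shortcut  = $lnk.FullName
                Target    = $target
                Signature = $status
                Modified  = $lnk.LastWriteTime
            }
        }
    }
}

# Anything unsigned or pointing outside Program Files / Windows deserves a
# question to the machine's owner before it goes into fixlist.txt.
Get-StartupShortcutReport | Sort-Object Signature | Format-Table Signature, Target, Shortcut, Modified -AutoSize -Wrap
```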


#12 mrfssd

  • Topic Starter

  • Members
  • 15 posts

Posted 27 April 2015 - 02:08 PM

Just wanted to say this and confirm before I do anything: the mapping and compliance utility are our own custom script and software. Are we sure we are going ahead with this?



#13 xXToffeeXx


    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 27 April 2015 - 02:14 PM

Hi mrfssd,

 

Oh, sorry about that. I did not realise. Don't run the fix then :)

 

Just have a look at the decrypter to see if you can decrypt the file.

 

xXToffeeXx~




#14 mrfssd

  • Topic Starter

  • Members
  • 15 posts

Posted 28 April 2015 - 11:26 PM

No good. It still says the infection exe could not be found: "Infection is needed on the machine to patch the decryption process!"



#15 xXToffeeXx


    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 29 April 2015 - 08:26 AM

Hi mrfssd,

 

Please run one of the infected files (C:\Users\ACG\Desktop\1.pdf.exe will do), and then try the decrypter again.

 

xXToffeeXx~






