Remnant Ransomware, referencing RSA_(cryptosystem)


  • This topic is locked
4 replies to this topic

#1 Brasidas

  • Members
  • 4 posts

Posted 28 December 2015 - 02:51 PM

I've had my first experience with ransomware. After clicking through a supposed Java update, I believe amid trying to stream a sports event, the system rebooted the next morning to a pair of ransom demands, one in Notepad, one in Chrome. The demands referenced "RSA_(cryptosystem)" on Wikipedia.

I uninstalled Chrome, the browser in which the system booted with one of the two ransom messages. I used the free form of Malwarebytes to scan and fix the problem, using two passes in safe mode and two in normal boot. There were infected files found on all but the last normal boot.

After a clean scan after normal boot, I re-installed Chrome. On the next boot, the ransom demands popped up again. I also noticed a set of added files in several directories:
 
how_recover+kyr.html
how_recover+kyr.txt
how_recover+rwr.html
how_recover+rwr.txt

My ruined personal files, which are of no great importance, are suffixed with .vv
 
I have manually disabled the virtual CD software that I installed.
 
My intent is to quarantine the system and any media which has come in recent contact with it until any vestige of this attack is removed. Since Malwarebytes failed to properly clean everything up, I would appreciate your assistance in doing so. I have no expectation of any of the attacked data being recovered, and while I would prefer not to start over again, I could just reformat the boot drive and start over again. Thank you for your help.

FRST.txt
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-12-2015
Ran by New Master (administrator) on HTPC2 (28-12-2015 12:31:38)
Running from E:\
Loaded Profiles: New Master (Available Profiles: AC & New Master)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ArcSoft, Inc.) C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
(Advanced Micro Devices, Inc.) C:\util\chipset\ATI.ACE\Fuel\Fuel.Service.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe
(TorchMedia Inc.) C:\Users\New Master\AppData\Local\Torch\Update\TorchCrashHandler.exe
(Popcorn Time) C:\Program Files (x86)\Popcorn Time\Updater.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe
(BlackBerry Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Research In Motion) C:\util\BlackBerry Link\BlackBerryLink.exe
(Advanced Micro Devices, Inc.) C:\util\chipset\ATI.ACE\Core-Static\CLIStart.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe
(CyberLink Corporation.) C:\util\CyberLink\InstantBurn\Win2K\IBurn.exe
(CyberLink) C:\util\CyberLink\Power2Go\CLMLSvc.exe
(CyberLink Corp.) C:\util\CyberLink\PowerDVD10\PDVD10Serv.exe
(cyberlink) C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
(BlackBerry Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe
(hxxp://tortoisesvn.net) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
() C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe
() C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe
(Research In Motion) C:\util\BlackBerry Link\BlackBerryLink.Helper.exe
(Research In Motion) C:\util\BlackBerry Link\BlackBerryLink.AutoUpdate.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13213840 2012-10-25] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1234064 2012-10-28] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2279712 2013-12-09] (NVIDIA Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\util\chipset\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-03-07] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Dolby Home Theater v4] => C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe [508256 2012-04-23] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [InstantBurn] => C:\util\CyberLink\InstantBurn\Win2K\IBurn.exe [701736 2012-02-02] (CyberLink Corporation.)
HKLM-x32\...\Run: [CLMLServer] => C:\util\CyberLink\Power2Go\CLMLSvc.exe [107816 2011-03-09] (CyberLink)
HKLM-x32\...\Run: [RemoteControl10] => C:\util\CyberLink\PowerDVD10\PDVD10Serv.exe [87336 2011-03-30] (CyberLink Corp.)
HKLM-x32\...\Run: [BDRegion] => C:\Program Files (x86)\Cyberlink\Shared files\brs.exe [75048 2012-04-02] (cyberlink)
HKLM-x32\...\Run: [UpdatePPShortCut] => C:\util\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe [222504 2012-03-06] (CyberLink Corp.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [443408 2014-03-18] (BlackBerry Limited)
HKLM-x32\...\Run: [RIM PeerManager] => C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe [4494848 2014-06-23] (Research In Motion Limited)
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\Run: [Power2GoExpress] => 0
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\Run: [BlackBerryLink.exe] => C:\util\BlackBerry Link\BlackBerryLink.exe [1462520 2014-06-24] (Research In Motion)
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\Run: [Steam] => C:\parasite\Steam\steam.exe [3013712 2015-12-14] (Valve Corporation)
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\Run: [BrowserUpdate] => C:\Users\New Master\AppData\Roaming\BrowserMe\GoogleUpdate.exe
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\MountPoints2: {c13702ea-ab17-11e3-a4d6-50e54954881d} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\start.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-06-19] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [1TortoiseNormal] -> {C5994560-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [2TortoiseModified] -> {C5994561-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [3TortoiseConflict] -> {C5994562-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [4TortoiseLocked] -> {C5994563-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [5TortoiseReadOnly] -> {C5994564-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [6TortoiseDeleted] -> {C5994565-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [7TortoiseAdded] -> {C5994566-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [8TortoiseIgnored] -> {C5994567-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers: [9TortoiseUnversioned] -> {C5994568-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [1TortoiseNormal] -> {C5994560-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [2TortoiseModified] -> {C5994561-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [3TortoiseConflict] -> {C5994562-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [4TortoiseLocked] -> {C5994563-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [5TortoiseReadOnly] -> {C5994564-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [6TortoiseDeleted] -> {C5994565-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [7TortoiseAdded] -> {C5994566-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [8TortoiseIgnored] -> {C5994567-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [9TortoiseUnversioned] -> {C5994568-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (hxxp://tortoisesvn.net)
Startup: C:\Users\AC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk [2014-01-01]
ShortcutTarget: explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Startup: C:\Users\AC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk [2013-08-31]
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\util\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.html [2015-12-24] ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.txt [2015-12-24] ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.html [2015-12-24] ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.txt [2015-12-24] ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{80B55883-9BA6-401C-BA43-86037F3918CB}: [DhcpNameServer] 192.168.2.1
 
Internet Explorer:
==================
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2012-02-14] (Advanced Micro Devices)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
 
FireFox:
========
FF ProfilePath: C:\Users\New Master\AppData\Roaming\Mozilla\Firefox\Profiles\y1hpnv5f.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll [2014-04-08] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll [2014-04-08] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-12-19] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-12-19] (NVIDIA Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2014-06-24] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-28] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\util\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: TorchVLC -> C:\Users\New Master\AppData\Local\Torch\Plugins\Video\VLC\npvlc.dll [2013-07-30] (VideoLAN)
FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [2015-12-17] ()
FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [2015-12-17] (Hola)
FF Plugin HKU\S-1-5-21-2897383642-4032862370-585284992-1004: @hola.org/vlc,version=1.6.676 -> C:\Users\New Master\AppData\Local\Hola\firefox\app\vlc [2015-12-24] ()
FF Extension: Hola Better Internet - C:\Users\New Master\AppData\Roaming\Mozilla\Firefox\Profiles\y1hpnv5f.default\Extensions\jid1-4P0kohSJxU1qGg@jetpack [2015-12-24] [not signed]
 
Chrome: 
=======
CHR Profile: C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-12-28]
CHR Extension: (Google Docs) - C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-12-28]
CHR Extension: (Google Drive) - C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-28]
CHR Extension: (YouTube) - C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-12-28]
CHR Extension: (Google Search) - C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-28]
CHR Extension: (Google Sheets) - C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-12-28]
CHR Extension: (Google Docs Offline) - C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-12-28]
CHR Extension: (Gmail) - C:\Users\New Master\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-12-28]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ADExchange; C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [43072 2012-03-19] (ArcSoft, Inc.)
R2 AMD FUEL Service; C:\util\chipset\ATI.ACE\Fuel\Fuel.Service.exe [361984 2013-03-07] (Advanced Micro Devices, Inc.) [File not signed]
R3 BlackBerry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [585728 2014-03-18] (BlackBerry Limited) [File not signed]
S2 CLKMSVC10_A48121D4; C:\util\CyberLink\PowerDVD10\NavFilter\kmsvc.exe [241648 2012-04-02] (CyberLink)
S2 MBAMService; C:\util\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1494304 2013-12-09] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15129376 2013-12-09] (NVIDIA Corporation)
R2 RichVideo; C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe [244904 2010-09-06] () [File not signed]
R2 RIM MDNS; C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe [389632 2014-06-23] (Apple Inc.) [File not signed]
R2 RIM Tunnel Service; C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe [1325568 2014-06-23] (Research In Motion Limited) [File not signed]
R2 TorchCrashHandler; C:\Users\New Master\AppData\Local\Torch\Update\TorchCrashHandler.exe [1217032 2014-11-23] (TorchMedia Inc.) <==== ATTENTION
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 RzMaelstromVADStreamingService; "C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzMaelstromVADStreamingService.exe" [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138664 2014-04-24] (SlySoft, Inc.)
R3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [138664 2014-04-24] (SlySoft, Inc.)
R2 AODDriver4.2; C:\util\chipset\ATI.ACE\Fuel\amd64\AODDriver2.sys [57472 2012-04-09] (Advanced Micro Devices)
R1 ArcSec; C:\Windows\System32\drivers\ArcSec.sys [311872 2011-11-10] ()
S3 blackberryncm; C:\Windows\System32\DRIVERS\blackberryncm6_AMD64.sys [24576 2014-04-15] (BlackBerry)
R1 CLBStor; C:\Windows\System32\DRIVERS\CLBStor.sys [24560 2012-02-02] (Cyberlink Co.,Ltd.)
R2 CLBUDF; C:\Windows\System32\Drivers\CLBUDF.sys [377840 2012-02-02] (CyberLink Corporation.)
R3 cmudaxp; C:\Windows\System32\drivers\cmudaxp.sys [2725376 2011-03-10] (C-Media Inc)
R1 dvdfabio; C:\Windows\system32\drivers\dvdfabio.sys [9976 2013-11-06] (Fengtao Software Inc.) [File not signed]
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-12-05] (NVIDIA Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [79872 2013-12-02] (BlackBerry Limited)
R3 rimvndis; C:\Windows\System32\Drivers\rimvndis6_AMD64.sys [17920 2014-06-23] (Research in Motion Limited)
S3 RZMAELSTROMVADService; C:\Windows\System32\drivers\RzMaelstromVAD.sys [32768 2014-05-23] (Windows ® Win 7 DDK provider)
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2013-02-11] (Microsoft Corporation)
R3 vdrive; C:\Windows\System32\DRIVERS\vdrive.sys [42232 2013-11-06] (Fengtao Software Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-28 11:52 - 2015-12-28 12:30 - 00000902 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-28 11:52 - 2015-12-28 11:57 - 00000906 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-28 11:52 - 2015-12-28 11:52 - 00002255 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-12-28 11:52 - 2015-12-28 11:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-12-28 08:14 - 2015-12-28 12:20 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-28 08:14 - 2015-12-28 08:14 - 00000800 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-28 08:14 - 2015-12-28 08:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-28 08:14 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-12-28 08:14 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-12-28 08:14 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-12-28 08:12 - 2015-12-28 08:12 - 22908888 _____ (Malwarebytes ) C:\Users\New Master\Downloads\mbam-setup-2.2.0.1024.exe
2015-12-28 08:07 - 2015-12-28 08:07 - 00000000 ____D C:\Windows\pss
2015-12-28 07:55 - 2015-12-28 12:31 - 00000000 ____D C:\FRST
2015-12-24 14:58 - 2015-12-24 14:58 - 00002411 _____ C:\Users\New Master\Desktop\Howto_Restore_FILES.TXT
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\Public\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\Public\Downloads\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\New Master\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\New Master\Downloads\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\New Master\Documents\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\New Master\AppData\Roaming\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\New Master\AppData\LocalLow\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00010654 _____ C:\Users\New Master\AppData\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\Public\how_recover+kyr.txt
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\Public\Downloads\how_recover+kyr.txt
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\New Master\how_recover+kyr.txt
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\New Master\Downloads\how_recover+kyr.txt
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\New Master\Documents\how_recover+kyr.txt
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\how_recover+kyr.txt
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\how_recover+kyr.txt
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\New Master\AppData\Roaming\how_recover+kyr.txt
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\New Master\AppData\LocalLow\how_recover+kyr.txt
2015-12-24 14:52 - 2015-12-24 14:52 - 00002411 _____ C:\Users\New Master\AppData\how_recover+kyr.txt
2015-12-24 14:48 - 2015-12-28 10:23 - 00000000 ____H C:\ProgramData\@system.temp
2015-12-24 14:48 - 2015-12-24 14:48 - 00000008 ____H C:\ProgramData\@000001.dat
2015-12-24 14:47 - 2015-12-24 14:52 - 00010654 _____ C:\Users\Public\Documents\how_recover+kyr.html
2015-12-24 14:47 - 2015-12-24 14:52 - 00010654 _____ C:\Users\New Master\AppData\Local\how_recover+kyr.html
2015-12-24 14:47 - 2015-12-24 14:52 - 00010654 _____ C:\ProgramData\how_recover+kyr.html
2015-12-24 14:47 - 2015-12-24 14:52 - 00002411 _____ C:\Users\Public\Documents\how_recover+kyr.txt
2015-12-24 14:47 - 2015-12-24 14:52 - 00002411 _____ C:\Users\New Master\AppData\Local\how_recover+kyr.txt
2015-12-24 14:47 - 2015-12-24 14:52 - 00002411 _____ C:\ProgramData\how_recover+kyr.txt
2015-12-24 14:47 - 2015-12-24 14:47 - 00010654 _____ C:\Users\New Master\AppData\Local\Apps\how_recover+kyr.html
2015-12-24 14:47 - 2015-12-24 14:47 - 00002411 _____ C:\Users\New Master\AppData\Local\Apps\how_recover+kyr.txt
2015-12-24 14:46 - 2015-12-24 14:46 - 00000253 _____ C:\Users\New Master\Documents\recover_file_fusorarit.txt
2015-12-24 13:25 - 2015-12-24 14:52 - 00408318 _____ C:\Users\New Master\Downloads\Dublin desk potato heads.jpg.vvv
2015-12-24 03:35 - 2015-12-24 14:58 - 03452054 _____ C:\Users\New Master\Desktop\Howto_Restore_FILES.BMP
2015-12-24 03:35 - 2015-12-24 14:58 - 00010654 _____ C:\Users\New Master\Desktop\Howto_Restore_FILES.HTM
2015-12-24 03:35 - 2015-12-24 14:52 - 00002830 _____ C:\Users\New Master\Desktop\Howto_Restore_FILES.TXT.vvv
2015-12-24 02:53 - 2015-12-24 02:53 - 00010654 _____ C:\Users\Public\how_recover+rwr.html
2015-12-24 02:53 - 2015-12-24 02:53 - 00010654 _____ C:\Users\Public\Downloads\how_recover+rwr.html
2015-12-24 02:53 - 2015-12-24 02:53 - 00010654 _____ C:\Users\New Master\how_recover+rwr.html
2015-12-24 02:53 - 2015-12-24 02:53 - 00010654 _____ C:\Users\New Master\Downloads\how_recover+rwr.html
2015-12-24 02:53 - 2015-12-24 02:53 - 00002411 _____ C:\Users\Public\how_recover+rwr.txt
2015-12-24 02:53 - 2015-12-24 02:53 - 00002411 _____ C:\Users\Public\Downloads\how_recover+rwr.txt
2015-12-24 02:53 - 2015-12-24 02:53 - 00002411 _____ C:\Users\New Master\how_recover+rwr.txt
2015-12-24 02:53 - 2015-12-24 02:53 - 00002411 _____ C:\Users\New Master\Downloads\how_recover+rwr.txt
2015-12-24 02:49 - 2015-12-24 02:53 - 00010654 _____ C:\Users\New Master\Documents\how_recover+rwr.html
2015-12-24 02:49 - 2015-12-24 02:53 - 00002411 _____ C:\Users\New Master\Documents\how_recover+rwr.txt
2015-12-24 02:46 - 2015-12-24 02:53 - 00010654 _____ C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\how_recover+rwr.html
2015-12-24 02:46 - 2015-12-24 02:53 - 00002411 _____ C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\how_recover+rwr.txt
2015-12-24 02:46 - 2015-12-24 02:46 - 00010654 _____ C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\how_recover+rwr.html
2015-12-24 02:46 - 2015-12-24 02:46 - 00010654 _____ C:\Users\New Master\AppData\Roaming\how_recover+rwr.html
2015-12-24 02:46 - 2015-12-24 02:46 - 00010654 _____ C:\Users\New Master\AppData\how_recover+rwr.html
2015-12-24 02:46 - 2015-12-24 02:46 - 00002411 _____ C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\how_recover+rwr.txt
2015-12-24 02:46 - 2015-12-24 02:46 - 00002411 _____ C:\Users\New Master\AppData\Roaming\how_recover+rwr.txt
2015-12-24 02:46 - 2015-12-24 02:46 - 00002411 _____ C:\Users\New Master\AppData\how_recover+rwr.txt
2015-12-24 02:45 - 2015-12-24 02:45 - 00010654 _____ C:\Users\New Master\AppData\LocalLow\how_recover+rwr.html
2015-12-24 02:45 - 2015-12-24 02:45 - 00002411 _____ C:\Users\New Master\AppData\LocalLow\how_recover+rwr.txt
2015-12-24 02:38 - 2015-12-24 03:00 - 00010654 _____ C:\Users\Public\Documents\how_recover+rwr.html
2015-12-24 02:38 - 2015-12-24 03:00 - 00010654 _____ C:\ProgramData\how_recover+rwr.html
2015-12-24 02:38 - 2015-12-24 03:00 - 00002411 _____ C:\Users\Public\Documents\how_recover+rwr.txt
2015-12-24 02:38 - 2015-12-24 03:00 - 00002411 _____ C:\ProgramData\how_recover+rwr.txt
2015-12-24 02:38 - 2015-12-24 02:53 - 00010654 _____ C:\Users\New Master\AppData\Local\how_recover+rwr.html
2015-12-24 02:38 - 2015-12-24 02:53 - 00002411 _____ C:\Users\New Master\AppData\Local\how_recover+rwr.txt
2015-12-24 02:38 - 2015-12-24 02:38 - 00010654 _____ C:\Users\New Master\AppData\Local\Apps\how_recover+rwr.html
2015-12-24 02:38 - 2015-12-24 02:38 - 00002411 _____ C:\Users\New Master\AppData\Local\Apps\how_recover+rwr.txt
2015-12-24 02:10 - 2015-12-28 10:21 - 00000124 _____ C:\Users\New Master\AppData\Roaming\@00000052.bat
2015-12-24 02:10 - 2015-12-24 02:10 - 00000576 ____H C:\ProgramData\@system3.att
2015-12-24 02:10 - 2015-12-24 02:10 - 00000480 ____H C:\Users\New Master\AppData\Roaming\½ž’“Ó™œ‰
2015-12-24 02:09 - 2015-12-28 10:38 - 00000000 ____D C:\Users\New Master\AppData\Roaming\BrowserMe
2015-12-24 02:09 - 2015-12-28 08:32 - 00000000 ____D C:\Users\New Master\AppData\Local\Ulmedia
2015-12-24 02:09 - 2015-12-24 02:09 - 00000253 _____ C:\Users\New Master\Documents\recover_file_xbtljyjfv.txt
2015-12-23 12:16 - 2015-12-24 02:46 - 00000494 _____ C:\Users\New Master\Desktop\rhonda xmas.txt.vvv
2015-12-17 19:58 - 2015-12-17 19:58 - 00079654 _____ C:\Users\New Master\Desktop\backup.reg
2015-12-17 19:31 - 2015-12-17 19:31 - 00505224 _____ C:\Windows\Minidump\121715-11778-01.dmp
2015-12-12 19:53 - 2015-12-12 19:25 - 1773111797 _____ C:\Users\New Master\Desktop\Draft.Day.2014.1080p.BluRay.x264.YIFY.mp4
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-28 12:30 - 2015-04-03 08:25 - 00000000 ____D C:\Users\New Master\AppData\Local\TSVNCache
2015-12-28 12:30 - 2014-11-29 18:26 - 00000000 ____D C:\ProgramData\TorchCrashHandler
2015-12-28 12:30 - 2014-02-15 08:50 - 00000000 ____D C:\ProgramData\NVIDIA
2015-12-28 12:30 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-28 12:30 - 2009-07-13 21:45 - 00014416 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-28 12:30 - 2009-07-13 21:45 - 00014416 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-28 12:28 - 2014-04-06 21:24 - 00000000 ____D C:\Users\New Master\AppData\Roaming\BitTorrent
2015-12-28 12:27 - 2014-06-05 03:39 - 00000000 ____D C:\Users\New Master\AppData\Roaming\uTorrent
2015-12-28 11:52 - 2013-06-17 21:27 - 00003902 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-12-28 11:52 - 2013-06-17 21:27 - 00003650 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-12-28 11:52 - 2013-06-17 21:27 - 00000000 ____D C:\Program Files (x86)\Google
2015-12-28 11:51 - 2014-12-27 21:28 - 00000000 ____D C:\Users\New Master\AppData\Local\Deployment
2015-12-28 10:44 - 2009-07-13 22:13 - 00779266 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-28 10:44 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2015-12-28 10:38 - 2014-01-01 12:38 - 00000000 ____D C:\Users\New Master
2015-12-28 10:38 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\TAPI
2015-12-28 10:15 - 2013-06-17 20:21 - 00000000 ____D C:\Windows\Panther
2015-12-28 08:07 - 2009-07-13 20:20 - 00000000 ____D C:\Windows
2015-12-28 07:55 - 2013-11-28 14:33 - 00883864 _____ C:\Windows\ntbtlog.txt
2015-12-28 07:53 - 2015-04-03 04:47 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Subversion
2015-12-24 14:52 - 2015-11-07 12:23 - 00000000 ____D C:\Users\New Master\Downloads\PopcornTime
2015-12-24 14:52 - 2015-06-19 22:50 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Fallout
2015-12-24 14:52 - 2015-06-09 11:11 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Hola
2015-12-24 14:52 - 2015-05-30 06:30 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Malwarebytes
2015-12-24 14:52 - 2015-05-10 14:04 - 00000000 ____D C:\Users\New Master\Documents\XL
2015-12-24 14:52 - 2015-04-19 18:35 - 00000000 ____D C:\Users\New Master\AppData\Roaming\BHOK
2015-12-24 14:52 - 2015-04-19 11:21 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Torch
2015-12-24 14:52 - 2015-04-19 05:49 - 00000000 ____D C:\Users\New Master\Documents\Bonus
2015-12-24 14:52 - 2015-04-10 19:35 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2015-12-24 14:52 - 2015-04-10 19:32 - 00000000 ____D C:\Users\New Master\AppData\Local\Steam
2015-12-24 14:52 - 2015-04-03 10:08 - 00000000 ____D C:\Users\New Master\AppData\Roaming\InstallShield
2015-12-24 14:52 - 2015-04-03 07:30 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Civilization IV - A New Dawn
2015-12-24 14:52 - 2015-04-03 05:00 - 00000000 ____D C:\Users\New Master\AppData\Local\TortoiseSVN
2015-12-24 14:52 - 2015-04-03 04:50 - 00000000 ____D C:\Users\New Master\AppData\Roaming\TortoiseSVN
2015-12-24 14:52 - 2015-04-03 04:45 - 00000000 __RHD C:\Users\New Master\AppData\Roaming\SecuROM
2015-12-24 14:52 - 2015-04-03 04:45 - 00000000 ____D C:\Users\New Master\Documents\My Games
2015-12-24 14:52 - 2015-04-03 04:45 - 00000000 ____D C:\Users\New Master\AppData\Local\My Games
2015-12-24 14:52 - 2015-03-08 11:42 - 00000000 ____D C:\Users\New Master\Downloads\Hola
2015-12-24 14:52 - 2014-11-29 18:43 - 00000000 ____D C:\Users\New Master\Downloads\Marvel.Agents.of.S.H.I.E.L.D.S02E07.The.Writing.on.the.Wall.WEB-DL.x264.AAC
2015-12-24 14:52 - 2014-11-29 18:25 - 00000000 ____D C:\Users\New Master\AppData\Local\Torch
2015-12-24 14:52 - 2014-11-16 17:16 - 00000000 ____D C:\Users\New Master\Documents\BlackBerry
2015-12-24 14:52 - 2014-11-16 17:16 - 00000000 ____D C:\Users\New Master\AppData\Roaming\XCPCSync.OEM
2015-12-24 14:52 - 2014-11-16 17:14 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Research In Motion
2015-12-24 14:52 - 2014-11-16 17:14 - 00000000 ____D C:\Users\New Master\AppData\Local\Research In Motion
2015-12-24 14:52 - 2014-11-15 11:32 - 00000000 ____D C:\Users\New Master\Documents\AnyDVDHD
2015-12-24 14:52 - 2014-07-19 08:58 - 00000000 ____D C:\Users\New Master\Documents\ArcSoft
2015-12-24 14:52 - 2014-07-19 06:55 - 00000000 ____D C:\Users\New Master\AppData\Roaming\ArcSoft
2015-12-24 14:52 - 2014-05-30 06:47 - 00000000 ____D C:\Users\New Master\AppData\Roaming\pycam
2015-12-24 14:52 - 2014-05-27 18:19 - 00000000 ____D C:\Users\New Master\AppData\Roaming\MPC-HC
2015-12-24 14:52 - 2014-05-22 19:42 - 00000000 ____D C:\Users\New Master\AppData\Roaming\dvdcss
2015-12-24 14:52 - 2014-03-31 05:20 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Popcorn Time
2015-12-24 14:52 - 2014-03-28 19:55 - 00000000 ____D C:\Users\New Master\AppData\Roaming\NVIDIA
2015-12-24 14:52 - 2014-03-13 21:10 - 00000000 ____D C:\Users\New Master\AppData\Roaming\WebApp
2015-12-24 14:52 - 2014-03-13 19:02 - 00000000 ____D C:\Users\New Master\Documents\CyberLink
2015-12-24 14:52 - 2014-03-13 18:39 - 00000000 ____D C:\Users\Public\CyberLink
2015-12-24 14:52 - 2014-03-13 18:27 - 00000000 ____D C:\Users\New Master\AppData\Local\Power2Go
2015-12-24 14:52 - 2014-03-13 18:15 - 00000000 ____D C:\Users\New Master\AppData\Roaming\CyberLink
2015-12-24 14:52 - 2014-03-10 01:26 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MakeMKV
2015-12-24 14:52 - 2014-02-15 12:16 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2015-12-24 14:52 - 2014-02-15 06:35 - 00000000 ____D C:\Users\New Master\Documents\Paradox Interactive
2015-12-24 14:52 - 2014-02-15 06:12 - 00000000 ____D C:\Users\New Master\Downloads\GamersGate temporary files
2015-12-24 14:52 - 2014-02-09 12:21 - 00000000 ____D C:\Users\New Master\Documents\Calibre Library
2015-12-24 14:52 - 2014-02-09 12:21 - 00000000 ____D C:\Users\New Master\AppData\Roaming\calibre
2015-12-24 14:52 - 2014-01-26 04:01 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Warplanner
2015-12-24 14:52 - 2014-01-07 17:19 - 00000000 ____D C:\Users\New Master\AppData\Roaming\OpenOffice.org
2015-12-24 14:52 - 2014-01-05 21:43 - 00000000 ____D C:\Users\New Master\AppData\Roaming\vlc
2015-12-24 14:52 - 2014-01-05 12:06 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Macromedia
2015-12-24 14:52 - 2014-01-05 12:01 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Mozilla
2015-12-24 14:52 - 2014-01-05 12:01 - 00000000 ____D C:\Users\New Master\AppData\Local\Mozilla
2015-12-24 14:52 - 2014-01-01 19:43 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Media Player Classic
2015-12-24 14:52 - 2014-01-01 13:15 - 00000000 ____D C:\Users\New Master\AppData\Roaming\ATI
2015-12-24 14:52 - 2014-01-01 13:12 - 00000000 ____D C:\Users\New Master\AppData\Local\NVIDIA
2015-12-24 14:52 - 2014-01-01 12:40 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Adobe
2015-12-24 14:52 - 2014-01-01 12:40 - 00000000 ____D C:\Users\New Master\AppData\Local\VirtualStore
2015-12-24 14:52 - 2014-01-01 12:38 - 00000000 ____D C:\Users\New Master\AppData\Roaming\Media Center Programs
2015-12-24 14:52 - 2013-06-17 21:18 - 00000000 ____D C:\util
2015-12-24 14:52 - 2009-07-14 00:45 - 00000000 ___RD C:\Users\Public\Recorded TV
2015-12-24 14:52 - 2009-07-13 20:20 - 00000000 __RHD C:\Users\Public\Libraries
2015-12-24 14:47 - 2015-08-26 11:38 - 00000000 ____D C:\swkotor
2015-12-24 14:47 - 2015-08-24 14:16 - 00000000 ____D C:\Users\New Master\AppData\Local\CEF
2015-12-24 14:47 - 2015-06-19 20:55 - 00000000 ____D C:\ProgramData\RzMaelstromVAD_1.1.58.1854
2015-12-24 14:47 - 2015-06-19 20:54 - 00000000 ____D C:\ProgramData\Razer
2015-12-24 14:47 - 2015-06-18 14:54 - 00000000 ____D C:\Hola
2015-12-24 14:47 - 2015-04-19 11:19 - 00000000 ____D C:\Users\New Master\AppData\Local\IsolatedStorage
2015-12-24 14:47 - 2014-12-27 21:28 - 00000000 ____D C:\Users\New Master\AppData\Local\Apps\2.0
2015-12-24 14:47 - 2014-12-10 13:19 - 00000000 ____D C:\Users\New Master\AppData\Local\Hola
2015-12-24 14:47 - 2014-11-29 18:17 - 00000000 ____D C:\Program Files\Hola
2015-12-24 14:47 - 2014-11-16 17:44 - 00000000 ____D C:\Users\New Master\AppData\Local\calibre-cache
2015-12-24 14:47 - 2014-11-16 17:14 - 00000000 ____D C:\ProgramData\Research In Motion
2015-12-24 14:47 - 2014-11-15 03:12 - 00000000 ____D C:\ProgramData\SlySoft
2015-12-24 14:47 - 2014-07-30 11:44 - 00000000 ___HD C:\ProgramData\CanonBJ
2015-12-24 14:47 - 2014-07-19 06:09 - 00000000 ____D C:\Users\New Master\AppData\Local\ArcSoft
2015-12-24 14:47 - 2014-07-19 06:09 - 00000000 ____D C:\ProgramData\ArcSoft
2015-12-24 14:47 - 2014-07-19 06:08 - 00000000 ____D C:\Users\New Master\AppData\Local\Downloaded Installations
2015-12-24 14:47 - 2014-07-12 00:18 - 00000000 ____D C:\Parasite
2015-12-24 14:47 - 2014-04-08 05:06 - 00000000 ____D C:\ProgramData\McAfee
2015-12-24 14:47 - 2014-03-13 18:15 - 00000000 ____D C:\Users\New Master\AppData\Local\Cyberlink
2015-12-24 14:47 - 2014-03-13 18:12 - 00000000 ____D C:\ProgramData\CyberLink
2015-12-24 14:47 - 2014-03-13 18:10 - 00000000 ____D C:\ProgramData\Temp
2015-12-24 14:47 - 2014-03-11 08:06 - 00000000 ____D C:\temp
2015-12-24 14:47 - 2014-03-10 01:26 - 00000000 ____D C:\Users\New Master\.MakeMKV
2015-12-24 14:47 - 2014-02-16 11:41 - 00000000 ____D C:\SeaTemp
2015-12-24 14:47 - 2014-02-15 08:48 - 00000000 ____D C:\NVIDIA
2015-12-24 14:47 - 2014-01-26 04:01 - 00000000 ____D C:\Users\New Master\AppData\Local\CTS_Solutions
2015-12-24 14:47 - 2014-01-05 12:06 - 00000000 ____D C:\Users\New Master\AppData\Local\Macromedia
2015-12-24 14:47 - 2014-01-05 12:06 - 00000000 ____D C:\Users\New Master\AppData\Local\Adobe
2015-12-24 14:47 - 2014-01-05 12:01 - 00000000 ____D C:\ProgramData\Mozilla
2015-12-24 14:47 - 2014-01-01 13:15 - 00000000 ____D C:\Users\New Master\AppData\Local\ATI
2015-12-24 14:47 - 2014-01-01 13:15 - 00000000 ____D C:\Users\New Master\AppData\Local\AMD
2015-12-24 14:47 - 2014-01-01 13:12 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2015-12-24 14:47 - 2014-01-01 12:42 - 00000000 ____D C:\Users\New Master\AppData\Local\Google
2015-12-24 14:47 - 2013-12-22 12:28 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-24 14:47 - 2013-06-19 06:56 - 00000000 ____D C:\ProgramData\Stardock
2015-12-24 14:47 - 2013-06-19 06:52 - 00000000 __HDC C:\ProgramData\{E85E33C5-6E42-4F51-B138-3C5E865B73C3}
2015-12-24 14:47 - 2013-06-19 06:49 - 00000000 ____D C:\games
2015-12-24 14:47 - 2013-06-17 21:42 - 00000000 ____D C:\ProgramData\ATI
2015-12-24 14:47 - 2013-06-17 21:22 - 00000000 ____D C:\ProgramData\AMD
2015-12-24 02:53 - 2015-08-26 11:47 - 00306654 _____ C:\Users\New Master\Downloads\uniws.zip.vvv
2015-12-24 02:53 - 2014-11-06 16:55 - 00007678 _____ C:\Users\New Master\Downloads\RIM 6.5x16 ET45 rev2.jpg.vvv
2015-12-24 02:53 - 2014-11-06 16:31 - 00058990 _____ C:\Users\New Master\Downloads\RIM 6.5x16 ET45.jpg.vvv
2015-12-24 02:53 - 2014-10-13 20:03 - 00285182 _____ C:\Users\New Master\Downloads\[De_Camp_L_Sprague]_De_Camp,_L_Sprague_-_RK_1_-_Th(BookZZ.org).txt.vvv
2015-12-24 02:53 - 2014-08-06 07:53 - 00021422 _____ C:\Users\New Master\Downloads\research.doc.vvv
2015-12-24 02:53 - 2014-08-02 10:31 - 00033710 _____ C:\Users\New Master\Downloads\Resume -Chris Fleming Tech Officer.doc.vvv
2015-12-24 02:53 - 2014-08-02 10:19 - 00024862 _____ C:\Users\New Master\Downloads\Resume -Chris Fleming General rev2.docx.vvv
2015-12-24 02:53 - 2014-07-30 01:51 - 00050606 _____ C:\Users\New Master\Downloads\Timeline 30Jul14.doc.vvv
2015-12-24 02:53 - 2014-07-30 01:31 - 00048046 _____ C:\Users\New Master\Downloads\Timeline 29Jul14 (3) Revised Dad1.doc.vvv
2015-12-24 02:53 - 2014-07-29 19:55 - 00050606 _____ C:\Users\New Master\Downloads\Timeline 29Jul14.doc.vvv
2015-12-24 02:53 - 2014-07-29 09:00 - 00060334 _____ C:\Users\New Master\Downloads\SUPERVISOR, PLANT OPERATIONS.DOC.vvv
2015-12-24 02:53 - 2014-07-28 05:54 - 00044462 _____ C:\Users\New Master\Downloads\Timeline 28Jul14.doc.vvv
2015-12-24 02:53 - 2014-07-28 05:31 - 00021710 _____ C:\Users\New Master\Downloads\Timeline 4Mar14.docx.vvv
2015-12-24 02:53 - 2014-06-09 14:19 - 00056558 _____ C:\Users\New Master\Downloads\tdw400.dwg.vvv
2015-12-24 02:53 - 2014-05-24 02:20 - 00086926 _____ C:\Users\New Master\Downloads\rx1.JPG.vvv
2015-12-24 02:53 - 2014-05-18 13:28 - 00014862 _____ C:\Users\New Master\Downloads\s27.JPG.vvv
2015-12-24 02:53 - 2014-05-18 05:26 - 00028334 _____ C:\Users\New Master\Downloads\rav1.jpg.vvv
2015-12-24 02:53 - 2014-05-13 07:37 - 01555662 _____ C:\Users\New Master\Downloads\relocation motion and info.pptx.vvv
2015-12-24 02:53 - 2014-03-03 20:46 - 00021662 _____ C:\Users\New Master\Downloads\Timeline 3Mar14.docx.vvv
2015-12-24 02:53 - 2014-03-01 13:59 - 00070158 _____ C:\Users\New Master\Downloads\Scan0139.jpg.vvv
2015-12-24 02:53 - 2014-03-01 13:59 - 00038430 _____ C:\Users\New Master\Downloads\Scan0140.jpg.vvv
2015-12-24 02:53 - 2014-02-10 22:17 - 00071310 _____ C:\Users\New Master\Downloads\Reserve TOR Bartender - V1.docx (2).docx.vvv
2015-12-24 02:53 - 2014-02-10 22:08 - 00071310 _____ C:\Users\New Master\Downloads\Reserve TOR Bartender - V1.docx (1).docx.vvv
2015-12-24 02:53 - 2014-02-10 22:07 - 00071310 _____ C:\Users\New Master\Downloads\Reserve TOR Bartender - V1.docx.docx.vvv
2015-12-24 02:53 - 2014-02-08 07:51 - 00097294 _____ C:\Users\New Master\Downloads\q6600cpu.jpg.vvv
2015-12-24 02:53 - 2014-01-26 08:54 - 00432622 _____ C:\Users\New Master\Downloads\SITREP 03 - Restoration of Canadian Identity ver 9 (13 Dec 13) (1).pdf.vvv
2015-12-24 02:53 - 2014-01-26 08:53 - 00432622 _____ C:\Users\New Master\Downloads\SITREP 03 - Restoration of Canadian Identity ver 9 (13 Dec 13).pdf.vvv
2015-12-24 02:53 - 2014-01-07 17:19 - 00018526 _____ C:\Users\New Master\Downloads\Work.docx.vvv
2015-12-24 02:50 - 2014-10-25 19:28 - 00089086 _____ C:\Users\New Master\Downloads\Picture12.jpg.vvv
2015-12-24 02:50 - 2014-10-25 19:28 - 00027950 _____ C:\Users\New Master\Downloads\Picture9.jpg.vvv
2015-12-24 02:50 - 2014-06-01 09:38 - 04550958 _____ C:\Users\New Master\Downloads\photo (3).JPG.vvv
2015-12-24 02:50 - 2014-05-27 06:08 - 00108446 _____ C:\Users\New Master\Downloads\Order.jpg.vvv
2015-12-24 02:50 - 2014-05-14 06:40 - 00068814 _____ C:\Users\New Master\Downloads\Nowhere.jpg.vvv
2015-12-24 02:50 - 2014-04-28 17:19 - 00013230 _____ C:\Users\New Master\Downloads\Memo for Ex Excusal.doc.vvv
2015-12-24 02:50 - 2014-04-04 05:59 - 00121614 _____ C:\Users\New Master\Downloads\photo (2).JPG.vvv
2015-12-24 02:50 - 2014-04-02 21:04 - 00121614 _____ C:\Users\New Master\Downloads\photo (1).JPG.vvv
2015-12-24 02:50 - 2014-03-11 08:05 - 11077278 _____ C:\Users\New Master\Downloads\PCI_DS_6_12_8_1794_Vista (1).rar.vvv
2015-12-24 02:50 - 2014-03-11 08:03 - 11077278 _____ C:\Users\New Master\Downloads\PCI_DS_6_12_8_1794_Vista.rar.vvv
2015-12-24 02:50 - 2014-03-06 20:25 - 00021934 _____ C:\Users\New Master\Downloads\On 12 Aug 13.doc.vvv
2015-12-24 02:50 - 2014-01-19 21:46 - 00563790 _____ C:\Users\New Master\Downloads\photo.JPG.vvv
2015-12-24 02:50 - 2014-01-07 17:19 - 00013742 _____ C:\Users\New Master\Downloads\Overall Goals.docx.vvv
2015-12-24 02:49 - 2015-08-27 09:20 - 04942078 _____ C:\Users\New Master\Downloads\GS Rules (Dec 13, 2014).docx.vvv
2015-12-24 02:49 - 2015-08-26 11:37 - 01375998 _____ C:\Users\New Master\Downloads\fdx-sk13.rar.vvv
2015-12-24 02:49 - 2015-08-26 11:22 - 01326206 _____ C:\Users\New Master\Downloads\Kotor+no+cd+crack+1.03+windows+7.rar.vvv
2015-12-24 02:49 - 2015-06-06 06:46 - 00012350 _____ C:\Users\New Master\Downloads\conops.jpg.vvv
2015-12-24 02:49 - 2015-04-03 10:05 - 171625342 _____ C:\Users\New Master\Downloads\Civ4BeyondTheSwordPatch3.19.zip.vvv
2015-12-24 02:49 - 2015-01-11 13:39 - 00078766 _____ C:\Users\New Master\Downloads\ATT_TIPS.doc.vvv
2015-12-24 02:49 - 2015-01-04 11:12 - 00008718 _____ C:\Users\New Master\Downloads\denon_avr-1513_5.1_channel_home_theater_receiver_-b-stock-_(avr-1513)_l1.pdf.vvv
2015-12-24 02:49 - 2014-11-30 09:48 - 00103166 _____ C:\Users\New Master\Downloads\Hagel and Rice.jpg.vvv
2015-12-24 02:49 - 2014-11-16 17:37 - 00458222 _____ C:\Users\New Master\Downloads\E_caliphate.zip.vvv
2015-12-24 02:49 - 2014-08-27 10:26 - 00404334 _____ C:\Users\New Master\Downloads\3B Medical Release Timeline.pdf.vvv
2015-12-24 02:49 - 2014-08-26 08:50 - 00924206 _____ C:\Users\New Master\Downloads\DivFix++_v0.34-Win32.zip.vvv
2015-12-24 02:49 - 2014-08-23 09:47 - 00050526 _____ C:\Users\New Master\Downloads\benq_g2255.jpg.vvv
2015-12-24 02:49 - 2014-08-22 04:31 - 00028686 _____ C:\Users\New Master\Downloads\faust_20.png.vvv
2015-12-24 02:49 - 2014-08-18 10:48 - 00016670 _____ C:\Users\New Master\Downloads\Communications Coordinator Job Description.docx.vvv
2015-12-24 02:49 - 2014-08-06 08:01 - 00017838 _____ C:\Users\New Master\Downloads\crane.doc.vvv
2015-12-24 02:49 - 2014-08-06 07:53 - 00017838 _____ C:\Users\New Master\Downloads\General.doc.vvv
2015-12-24 02:49 - 2014-08-05 17:45 - 00368654 _____ C:\Users\New Master\Downloads\Forces-Canada1_Page_2.jpg.vvv
2015-12-24 02:49 - 2014-08-05 17:45 - 00368654 _____ C:\Users\New Master\Downloads\Forces-Canada1_Page_2 (1).jpg.vvv
2015-12-24 02:49 - 2014-08-01 08:50 - 00069070 _____ C:\Users\New Master\Downloads\Fleming_MPRR_side1.jpg.vvv
2015-12-24 02:49 - 2014-08-01 08:50 - 00048686 _____ C:\Users\New Master\Downloads\Fleming_MPRR_side2.jpg.vvv
2015-12-24 02:49 - 2014-07-20 14:59 - 00034734 _____ C:\Users\New Master\Downloads\Bartender_Contract_Debney_JR_Mess.xls.vvv
2015-12-24 02:49 - 2014-07-20 14:59 - 00026542 _____ C:\Users\New Master\Downloads\Bartender_Terms_of_Reference.xls.vvv
2015-12-24 02:49 - 2014-07-17 06:47 - 00052542 _____ C:\Users\New Master\Downloads\Hurt feelings.pdf.vvv
2015-12-24 02:49 - 2014-07-09 04:38 - 00208302 _____ C:\Users\New Master\Downloads\2000PDP070.doc.vvv
2015-12-24 02:49 - 2014-07-05 12:45 - 00027022 _____ C:\Users\New Master\Downloads\bueler.png.vvv
2015-12-24 02:49 - 2014-06-13 20:33 - 00002830 _____ C:\Users\New Master\Downloads\15 Jun 2014_A51348505.pdf.vvv
2015-12-24 02:49 - 2014-06-08 08:23 - 77826638 _____ C:\Users\New Master\Downloads\HLS5086w.zip.vvv
2015-12-24 02:49 - 2014-05-29 20:11 - 00002910 _____ C:\Users\New Master\Downloads\31 May 2014_A51348505.pdf.vvv
2015-12-24 02:49 - 2014-05-19 16:50 - 00902350 _____ C:\Users\New Master\Downloads\ChrisFleming.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:53 - 01405886 _____ C:\Users\New Master\Downloads\IMG_7601.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:53 - 01306126 _____ C:\Users\New Master\Downloads\IMG_7597.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:53 - 01252062 _____ C:\Users\New Master\Downloads\IMG_7600.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:53 - 01242862 _____ C:\Users\New Master\Downloads\IMG_7598.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:53 - 01227294 _____ C:\Users\New Master\Downloads\IMG_7594.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:53 - 00868958 _____ C:\Users\New Master\Downloads\IMG_7596.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:53 - 00867246 _____ C:\Users\New Master\Downloads\IMG_7599 (1).JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:53 - 00735486 _____ C:\Users\New Master\Downloads\IMG_7595.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:52 - 01162734 _____ C:\Users\New Master\Downloads\IMG_7593.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:52 - 00867246 _____ C:\Users\New Master\Downloads\IMG_7599.JPG.vvv
2015-12-24 02:49 - 2014-05-18 05:47 - 00036270 _____ C:\Users\New Master\Downloads\Fleming_MESS_5May13.doc.vvv
2015-12-24 02:49 - 2014-05-18 05:46 - 00567406 _____ C:\Users\New Master\Downloads\Email001.jpg.vvv
2015-12-24 02:49 - 2014-05-18 05:25 - 00062382 _____ C:\Users\New Master\Downloads\1998 TOYOTA RAV4 AWD 4X4.doc.vvv
2015-12-24 02:49 - 2014-04-28 17:20 - 00153518 _____ C:\Users\New Master\Downloads\A_Tp_Org_Chart_2014.ppt.vvv
2015-12-24 02:49 - 2014-04-28 17:11 - 00035246 _____ C:\Users\New Master\Downloads\50 - FLEMING CPL - Memo for Statement of Understanding (1 Apr 14) (1).doc.vvv
2015-12-24 02:49 - 2014-04-05 13:12 - 01678222 _____ C:\Users\New Master\Downloads\20140405_133317.jpg.vvv
2015-12-24 02:49 - 2014-04-03 07:17 - 00104814 _____ C:\Users\New Master\Downloads\img-324143442-0001.pdf.vvv
2015-12-24 02:49 - 2014-04-01 03:27 - 00015278 _____ C:\Users\New Master\Downloads\50 - FLEMING CPL - Memo for Statement of Understanding (1 Apr 14).doc.vvv
2015-12-24 02:49 - 2014-03-06 20:28 - 00053678 _____ C:\Users\New Master\Downloads\12 Aug 13 Statement.doc.vvv
2015-12-24 02:49 - 2014-03-06 20:26 - 00014254 _____ C:\Users\New Master\Downloads\12 Aug 13 Statemeny.doc.vvv
2015-12-24 02:49 - 2014-03-06 20:18 - 00053678 _____ C:\Users\New Master\Downloads\CF98_12Aug13.doc.vvv
2015-12-24 02:49 - 2014-03-06 19:46 - 00051118 _____ C:\Users\New Master\Downloads\CF98.doc.vvv
2015-12-24 02:49 - 2014-03-03 08:55 - 00241870 _____ C:\Users\New Master\Downloads\CHRISFLEMING_2012.pdf.vvv
2015-12-24 02:49 - 2014-03-02 10:23 - 00009694 _____ C:\Users\New Master\Downloads\barracuda.jpg.vvv
2015-12-24 02:49 - 2014-02-28 20:17 - 01618622 _____ C:\Users\New Master\Downloads\A Tp Org Chart 23Oct13 (1).jpg.vvv
2015-12-24 02:49 - 2014-02-28 19:52 - 01618622 _____ C:\Users\New Master\Downloads\A Tp Org Chart 23Oct13.jpg.vvv
2015-12-24 02:49 - 2014-02-28 11:19 - 00045406 _____ C:\Users\New Master\Downloads\CF98_Fleming_19Dec12 chit from CDU-C.png.vvv
2015-12-24 02:49 - 2014-02-28 11:18 - 00111182 _____ C:\Users\New Master\Downloads\CF98_Fleming_15Dec12 report.png.vvv
2015-12-24 02:49 - 2014-02-18 18:47 - 00070574 _____ C:\Users\New Master\Downloads\Budget2013-2014-V4 (1).xls.vvv
2015-12-24 02:49 - 2014-02-18 18:44 - 00064942 _____ C:\Users\New Master\Downloads\Budget2013-2014-V1.xls.vvv
2015-12-24 02:49 - 2014-02-18 18:42 - 00031662 _____ C:\Users\New Master\Downloads\Manager Contract - Jan 13.doc.vvv
2015-12-24 02:49 - 2014-02-18 18:40 - 00017006 _____ C:\Users\New Master\Downloads\Feb 19, 2014 General Meeting - Agenda.docx.vvv
2015-12-24 02:49 - 2014-02-17 17:03 - 00025614 _____ C:\Users\New Master\Downloads\Debney Jr Ranks_DoA Signed Annex B.PDF.vvv
2015-12-24 02:49 - 2014-02-11 18:22 - 00017854 _____ C:\Users\New Master\Downloads\Dave Walker Email 15Jan_1Feb.rtf.vvv
2015-12-24 02:49 - 2014-02-11 06:31 - 01800942 _____ C:\Users\New Master\Downloads\Bartender signed contract - Jan 15, 2014 (2).pdf.vvv
2015-12-24 02:49 - 2014-02-10 22:14 - 01800942 _____ C:\Users\New Master\Downloads\Bartender signed contract - Jan 15, 2014 (1).pdf.vvv
2015-12-24 02:49 - 2014-02-10 21:58 - 00061358 _____ C:\Users\New Master\Downloads\Direct Funds Transfer.doc.doc.doc.vvv
2015-12-24 02:49 - 2014-02-09 12:27 - 00669166 _____ C:\Users\New Master\Downloads\Claws_That_Catch.lrf.vvv
2015-12-24 02:49 - 2014-02-08 08:05 - 00726798 _____ C:\Users\New Master\Downloads\m57 socket.jpg.vvv
2015-12-24 02:49 - 2014-02-08 07:53 - 00064142 _____ C:\Users\New Master\Downloads\e2140.jpg.vvv
2015-12-24 02:49 - 2014-02-07 22:39 - 01800942 _____ C:\Users\New Master\Downloads\Bartender signed contract - Jan 15, 2014.pdf.vvv
2015-12-24 02:49 - 2014-01-28 22:03 - 00638382 _____ C:\Users\New Master\Downloads\CF 895 Class A Pay Sheet - 20 Fd_CO.doc.vvv
2015-12-24 02:49 - 2014-01-26 08:07 - 00017054 _____ C:\Users\New Master\Downloads\Aide_18-20.pdf.vvv
2015-12-24 02:49 - 2014-01-21 21:00 - 00170510 _____ C:\Users\New Master\Downloads\imagejpeg_2(1).jpg.vvv
2015-12-24 02:49 - 2014-01-07 17:19 - 00016846 _____ C:\Users\New Master\Downloads\Chris Fleming Overview.docx.vvv
2015-12-24 02:46 - 2014-08-26 13:00 - 01533582 _____ C:\Users\New Master\Documents\lg um65.pdf.vvv
2015-12-24 02:46 - 2014-08-26 12:57 - 00375454 _____ C:\Users\New Master\Documents\LG ea73.pdf.vvv
2015-12-24 02:46 - 2014-05-13 08:20 - 00389438 _____ C:\Users\New Master\Documents\electronics flowchart.jpg.vvv
2015-12-24 02:46 - 2014-03-13 18:11 - 00000000 ____D C:\Users\New Master\Desktop\Licences
2015-12-24 02:46 - 2014-03-03 20:46 - 00031006 _____ C:\Users\New Master\Documents\Budget2013-2014-V1.xls_0.ods.vvv
2015-12-24 02:46 - 2014-02-02 19:23 - 00000446 _____ C:\Users\New Master\Desktop\DNS-Servers.txt.vvv
2015-12-17 19:31 - 2014-02-11 04:03 - 00000000 ____D C:\Windows\Minidump
2015-12-17 16:58 - 2014-07-19 06:09 - 00516096 _____ C:\errlog.dat
 
==================== Files in the root of some directories =======
 
2015-12-24 02:10 - 2015-12-28 10:21 - 0000124 _____ () C:\Users\New Master\AppData\Roaming\@00000052.bat
2015-12-24 14:52 - 2015-12-24 14:52 - 0010654 _____ () C:\Users\New Master\AppData\Roaming\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 0002411 _____ () C:\Users\New Master\AppData\Roaming\how_recover+kyr.txt
2015-12-24 02:46 - 2015-12-24 02:46 - 0010654 _____ () C:\Users\New Master\AppData\Roaming\how_recover+rwr.html
2015-12-24 02:46 - 2015-12-24 02:46 - 0002411 _____ () C:\Users\New Master\AppData\Roaming\how_recover+rwr.txt
2015-12-24 02:10 - 2015-12-24 02:10 - 0000480 ____H () C:\Users\New Master\AppData\Roaming\½ž’“Ó™œ‰
2015-12-24 14:52 - 2015-12-24 14:52 - 0010654 _____ () C:\Users\New Master\AppData\Roaming\Microsoft\how_recover+kyr.html
2015-12-24 14:52 - 2015-12-24 14:52 - 0002411 _____ () C:\Users\New Master\AppData\Roaming\Microsoft\how_recover+kyr.txt
2015-12-24 02:46 - 2015-12-24 02:46 - 0010654 _____ () C:\Users\New Master\AppData\Roaming\Microsoft\how_recover+rwr.html
2015-12-24 02:46 - 2015-12-24 02:46 - 0002411 _____ () C:\Users\New Master\AppData\Roaming\Microsoft\how_recover+rwr.txt
2015-12-24 14:47 - 2015-12-24 14:52 - 0010654 _____ () C:\Users\New Master\AppData\Local\how_recover+kyr.html
2015-12-24 14:47 - 2015-12-24 14:52 - 0002411 _____ () C:\Users\New Master\AppData\Local\how_recover+kyr.txt
2015-12-24 02:38 - 2015-12-24 02:53 - 0010654 _____ () C:\Users\New Master\AppData\Local\how_recover+rwr.html
2015-12-24 02:38 - 2015-12-24 02:53 - 0002411 _____ () C:\Users\New Master\AppData\Local\how_recover+rwr.txt
2015-10-02 20:00 - 2015-10-02 20:00 - 28260104 _____ () C:\Users\New Master\AppData\Local\package.nw.new
2014-11-15 03:24 - 2014-11-15 03:24 - 0000040 ___SH () C:\ProgramData\.zreglib
2015-12-24 14:48 - 2015-12-24 14:48 - 0000008 ____H () C:\ProgramData\@000001.dat
2015-12-24 14:48 - 2015-12-28 10:23 - 0000000 ____H () C:\ProgramData\@system.temp
2015-12-24 02:10 - 2015-12-24 02:10 - 0000576 ____H () C:\ProgramData\@system3.att
2013-06-22 18:37 - 2013-06-22 18:37 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-12-24 14:47 - 2015-12-24 14:52 - 0010654 _____ () C:\ProgramData\how_recover+kyr.html
2015-12-24 14:47 - 2015-12-24 14:52 - 0002411 _____ () C:\ProgramData\how_recover+kyr.txt
2015-12-24 02:38 - 2015-12-24 03:00 - 0010654 _____ () C:\ProgramData\how_recover+rwr.html
2015-12-24 02:38 - 2015-12-24 03:00 - 0002411 _____ () C:\ProgramData\how_recover+rwr.txt
 
Files to move or delete:
====================
C:\ProgramData\@000001.dat
 
 
Some files in TEMP:
====================
C:\Users\New Master\AppData\Local\Temp\rbpmh.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-23 22:50
 
==================== End of FRST.txt ============================



Mod Edit by quietman7: Information sent via PM advising OP they are dealing with new variant of TeslaCrypt and provided link for discussion topic for any questions not related to malware removal.


Edited by quietman7, 28 December 2015 - 05:05 PM.
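A quick way to turn an FRST listing like the one above into an impact summary (how many files were encrypted, in which folders, what they were originally, when the activity happened). This is an added example written for this thread; it is not FRST's own code and not something from the original posts. It assumes only the indicators visible in this log: the `.vvv` suffix on encrypted files and the `how_recover+` / `recover_file_` ransom-note names. The sample lines inside the block are constructed in the same format as the FRST output posted above.

```python
"""
Triage helper for FRST "One Month Created/Modified" and "Files in the root"
listings. Added example for this thread; not FRST code. Indicators below are
the ones visible in the posted log, nothing more.
"""
import json
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".vvv"                       # suffix seen on the victim's files
NOTE_PREFIXES = ("how_recover+", "recover_file_")  # ransom-note names seen in the log

# FRST entry: "<stamp> - <stamp> - <size> <attrs> [()] <path>".  The two stamps are
# created/modified in the "Created" section and modified/created in the "Modified"
# section (compare the two listings in the thread), so both are kept and the
# later one is treated as the last write.
LINE_RE = re.compile(
    r"^(?P<s1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<s2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\(\) )?(?P<path>.+?)\s*$"
)
FMT = "%Y-%m-%d %H:%M"

# Constructed sample in the shape of the thread's FRST output (not the full log).
SAMPLE_LOG = r"""
==================== One Month Created files and folders ========

2015-12-24 02:38 - 2015-12-24 03:00 - 00010654 _____ C:\ProgramData\how_recover+rwr.html
2015-12-24 02:38 - 2015-12-24 03:00 - 00002411 _____ C:\ProgramData\how_recover+rwr.txt
2015-12-24 02:10 - 2015-12-24 02:10 - 00000576 ____H C:\ProgramData\@system3.att
2015-12-24 02:09 - 2015-12-28 10:38 - 00000000 ____D C:\Users\New Master\AppData\Roaming\BrowserMe
2015-12-24 02:09 - 2015-12-24 02:09 - 00000253 _____ C:\Users\New Master\Documents\recover_file_xbtljyjfv.txt
2015-12-17 19:58 - 2015-12-17 19:58 - 00079654 _____ C:\Users\New Master\Desktop\backup.reg

==================== One Month Modified files and folders ========

2015-12-24 02:53 - 2014-08-06 07:53 - 00021422 _____ C:\Users\New Master\Downloads\research.doc.vvv
2015-12-24 02:53 - 2014-05-24 02:20 - 00086926 _____ C:\Users\New Master\Downloads\rx1.JPG.vvv
2015-12-24 02:46 - 2014-02-02 19:23 - 00000446 _____ C:\Users\New Master\Desktop\DNS-Servers.txt.vvv

==================== Files in the root of some directories =======

2015-12-24 02:10 - 2015-12-28 10:21 - 0000124 _____ () C:\Users\New Master\AppData\Roaming\@00000052.bat
"""


def parse_frst_lines(text):
    """Yield one dict per line that matches the FRST file-entry format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, FRST's own notes
        stamps = (datetime.strptime(m["s1"], FMT), datetime.strptime(m["s2"], FMT))
        yield {"stamps": stamps, "touched": max(stamps), "size": int(m["size"]),
               "attrs": m["attrs"], "path": PureWindowsPath(m["path"])}


def classify(entry):
    """directory / encrypted / ransom_note / other, from attrs and file name."""
    name = entry["path"].name.lower()
    if "D" in entry["attrs"]:
        return "directory"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    if name.startswith(NOTE_PREFIXES):
        return "ransom_note"
    return "other"


def triage(text):
    """Summarise the listing. 'same_day_hidden' is a heuristic: hidden files
    created on the day of the encryption activity, worth a look, not proof."""
    entries = list(parse_frst_lines(text))
    for e in entries:
        e["kind"] = classify(e)
    hits = [e for e in entries if e["kind"] in ("encrypted", "ransom_note")]
    if not hits:
        return {"encrypted": 0, "ransom_notes": 0}
    start, end = min(e["touched"] for e in hits), max(e["touched"] for e in hits)
    encrypted = [e for e in hits if e["kind"] == "encrypted"]
    # original extension = suffix of the name once the ransomware suffix is removed
    orig_ext = Counter(PureWindowsPath(e["path"].name[:-len(ENCRYPTED_SUFFIX)]).suffix.lower()
                       for e in encrypted)
    folders = Counter(str(e["path"].parent) for e in encrypted)
    hidden = [str(e["path"]) for e in entries
              if e["kind"] == "other" and "H" in e["attrs"]
              and min(e["stamps"]).date() == start.date()]
    return {"encrypted": len(encrypted),
            "ransom_notes": len(hits) - len(encrypted),
            "window": (start.strftime(FMT), end.strftime(FMT)),
            "original_extensions": dict(orig_ext),
            "affected_folders": dict(folders),
            "same_day_hidden": hidden}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a saved FRST.txt by reading the file into `triage()`; the affected-folder and original-extension counts are what you need when deciding which backups to restore, and the activity window tells you which shadow copies or backups predate the encryption.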




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,544 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:35 PM

Posted 29 December 2015 - 09:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Delete these programs in bold via the Control Panel > Programs and Features applet.
Popcorn Time (HKLM-x32\...\Popcorn Time_is1) (Version: 5.4.0.0 - Popcorn Time)
Torch (HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\Torch) (Version: 39.0.0.9626 - Torch Media, Inc) <==== ATTENTION


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(TorchMedia Inc.) C:\Users\New Master\AppData\Local\Torch\Update\TorchCrashHandler.exe
(Popcorn Time) C:\Program Files (x86)\Popcorn Time\Updater.exe
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\Run: [BrowserUpdate] => C:\Users\New Master\AppData\Roaming\BrowserMe\GoogleUpdate.exe
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\MountPoints2: {c13702ea-ab17-11e3-a4d6-50e54954881d} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\start.exe
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.html [2015-12-24] ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.txt [2015-12-24] ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.html [2015-12-24] ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.txt [2015-12-24] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [2015-12-17] ()
FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [2015-12-17] (Hola)
FF Plugin HKU\S-1-5-21-2897383642-4032862370-585284992-1004: @hola.org/vlc,version=1.6.676 -> C:\Users\New Master\AppData\Local\Hola\firefox\app\vlc [2015-12-24] ()
R2 TorchCrashHandler; C:\Users\New Master\AppData\Local\Torch\Update\TorchCrashHandler.exe [1217032 2014-11-23] (TorchMedia Inc.) <==== ATTENTION
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
S2 RzMaelstromVADStreamingService; "C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzMaelstromVADStreamingService.exe" [X]
Task: {F776C1E3-7645-45EF-932F-09334E50362E} - System32\Tasks\System Components Update => C:\Users\NEWMAS~1\AppData\Local\Temp\stuprt.exe <==== ATTENTION
ShortcutWithArgument: C:\Users\New Master\Desktop\ctv.ca.lnk -> C:\Users\New Master\AppData\Local\Torch\Application\torch.exe (Torch Media Inc.) ->  --run-by-ddi hxxp://ctv.ca/
ShortcutWithArgument: C:\Users\New Master\Desktop\Free Games.lnk -> C:\Users\New Master\AppData\Local\Torch\Application\torch.exe (Torch Media Inc.) -> --run-by-tg hxxp://games.torchbrowser.com
ShortcutWithArgument: C:\Users\New Master\Desktop\Free Music.lnk -> C:\Users\New Master\AppData\Local\Torch\Application\torch.exe (Torch Media Inc.) -> --run-by-tm hxxp://music.torchbrowser.com
ShortcutWithArgument: C:\Users\New Master\Desktop\Kijiji.lnk -> C:\Users\New Master\AppData\Local\Torch\Application\torch.exe (Torch Media Inc.) ->  --run-by-ddi hxxp://www.kijiji.ca/
FirewallRules: [TCP Query User{37022B18-FC41-438D-9FD9-383D327D93F9}C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe] => (Allow) C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe
FirewallRules: [UDP Query User{71A23294-71BD-47B2-B923-63C58AB71364}C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe] => (Allow) C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe
FirewallRules: [TCP Query User{93321DD2-A89B-4E13-91E1-8B2AC03AF612}C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe] => (Allow) C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe
FirewallRules: [UDP Query User{6E3B35B9-1263-4336-A150-863CEBEC0838}C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe] => (Allow) C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe
FirewallRules: [{02A13E04-B3D8-4593-B685-49D12E989866}] => (Allow) C:\Users\New Master\AppData\Local\Torch\Application\torch.exe
FirewallRules: [{7FA081D9-5299-4769-A3CF-EB7CE14BFF79}] => (Allow) C:\Users\New Master\AppData\Local\Torch\Plugins\Hola\hola_plugin.exe
FirewallRules: [{A739698B-6CF1-4EE7-9133-6E782F058CE3}] => (Allow) C:\Users\New Master\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe
FirewallRules: [TCP Query User{14BD991F-FB64-4D56-85AB-1B87E6ABFE3B}C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe] => (Block) C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe
FirewallRules: [UDP Query User{AEE69123-0193-47A6-BE64-C19D5E05A4B5}C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe] => (Block) C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe
FirewallRules: [{B645E567-C77B-4653-ACFB-CF7339D81183}] => (Allow) C:\Program Files\Hola\app\hola_updater.exe
FirewallRules: [{D9584CDF-2C88-48BA-9110-6647BD3D6D24}] => (Allow) C:\Program Files\Hola\app\hola_updater.exe
FirewallRules: [TCP Query User{029012A1-F17B-4F7B-A6E5-69640B6AD863}C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [UDP Query User{A434F5D6-4E2D-4BFF-B9E1-3C1117136DA5}C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [{4956A358-4DD1-4B13-9CD3-4160A98C2315}] => (Allow) C:\Windows\System32\config\systemprofile\AppData\Local\Hola\firefox_hola\app\hola_plugin.exe
FirewallRules: [{F30B5EED-561A-41D4-B022-92FE0DCDB256}] => (Allow) C:\Windows\System32\config\systemprofile\AppData\Local\Hola\firefox_hola\app\hola_plugin.exe
FirewallRules: [{3225545F-0391-423B-BB52-E8EE1E36B17E}] => (Allow) C:\Program Files\Hola\app\hola_svc.exe
FirewallRules: [{DDC1EF56-14C7-4028-A28C-AE18BD16C7A2}] => (Allow) C:\Program Files\Hola\app\hola_svc.exe
FirewallRules: [{C3B050EA-3AE4-431B-924D-5F8C3CF89065}] => (Allow) C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\hola_plugin.exe
FirewallRules: [{E36B89B5-EC17-41A9-AE83-3FF626404F83}] => (Allow) C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\hola_plugin.exe
FirewallRules: [TCP Query User{B5BD1BD1-3761-4D00-BD75-A2B04EE3DC9C}C:\users\new master\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\nw.exe
FirewallRules: [UDP Query User{0982F116-6A4D-4784-AD98-9D8462FA2C8D}C:\users\new master\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\nw.exe
FirewallRules: [TCP Query User{9C372C77-2420-4C6C-A695-4393FCC4F370}C:\users\new master\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\nw.exe
FirewallRules: [UDP Query User{EFE28EE6-7B22-415A-AD90-DD3A54F83A46}C:\users\new master\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\nw.exe
FirewallRules: [{931040F5-2178-4EDA-AB1D-19D21CEE4352}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{82FD0FDC-28F3-4B98-9E26-8AB2371A966A}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{97E1A021-8C93-4153-BA96-491877077BAC}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{79274F13-92AF-4788-B76B-095FDBB914CA}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{AE87AE36-9D69-4D0A-AE77-375C60B0DEFB}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
FirewallRules: [{218A9819-34B8-4854-B618-2F3E2E5D8415}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
C:\Users\NEWMAS~1\AppData\Local\Temp\stuprt.exe
C:\Users\New Master\AppData\Local\Torch\Update
C:\Program Files (x86)\Popcorn Time
C:\Users\New Master\AppData\Roaming\BrowserMe
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.html
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.txt
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.html
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.txt 
C:\Users\New Master\AppData\Local\Hola

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please let me know what problems persist.

#3 Brasidas

  • Topic Starter
  • Members
  • 4 posts
  • Local time:01:35 PM

Posted 29 December 2015 - 11:59 AM

Thanks, nasdaq.

I followed your directions, and after you confirm, I think I just have some manual deletion of files and re-installation of programs to do.

There were comments on the removal of torch and popcorntime that some files would need to be manually removed. I also observed the same text files as before, located in several directories. I have already deleted the following from a blank disk writing queue:

desktop.ini

how_recover+kyr.html
how_recover+kyr.txt
how_recover+rwr.html
how_recover+rwr.txt

I have attempted to start programs, in particular a couple of games through steam, which fail to start. My intent is to uninstall then reinstall them.

Here is the log:

Fix result of Farbar Recovery Scan Tool (x64) Version:27-12-2015
Ran by New Master (2015-12-29 09:36:51) Run:2
Running from E:\
Loaded Profiles: New Master (Available Profiles: AC & New Master)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
(TorchMedia Inc.) C:\Users\New Master\AppData\Local\Torch\Update\TorchCrashHandler.exe
(Popcorn Time) C:\Program Files (x86)\Popcorn Time\Updater.exe
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\Run: [BrowserUpdate] => C:\Users\New Master\AppData\Roaming\BrowserMe\GoogleUpdate.exe
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\MountPoints2: {c13702ea-ab17-11e3-a4d6-50e54954881d} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\start.exe
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.html [2015-12-24] ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.txt [2015-12-24] ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.html [2015-12-24] ()
Startup: C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.txt [2015-12-24] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [2015-12-17] ()
FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [2015-12-17] (Hola)
FF Plugin HKU\S-1-5-21-2897383642-4032862370-585284992-1004: @hola.org/vlc,version=1.6.676 -> C:\Users\New Master\AppData\Local\Hola\firefox\app\vlc [2015-12-24] ()
R2 TorchCrashHandler; C:\Users\New Master\AppData\Local\Torch\Update\TorchCrashHandler.exe [1217032 2014-11-23] (TorchMedia Inc.) <==== ATTENTION
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
S2 RzMaelstromVADStreamingService; "C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzMaelstromVADStreamingService.exe" [X]
Task: {F776C1E3-7645-45EF-932F-09334E50362E} - System32\Tasks\System Components Update => C:\Users\NEWMAS~1\AppData\Local\Temp\stuprt.exe <==== ATTENTION
ShortcutWithArgument: C:\Users\New Master\Desktop\ctv.ca.lnk -> C:\Users\New Master\AppData\Local\Torch\Application\torch.exe (Torch Media Inc.) ->  --run-by-ddi hxxp://ctv.ca/
ShortcutWithArgument: C:\Users\New Master\Desktop\Free Games.lnk -> C:\Users\New Master\AppData\Local\Torch\Application\torch.exe (Torch Media Inc.) -> --run-by-tg hxxp://games.torchbrowser.com
ShortcutWithArgument: C:\Users\New Master\Desktop\Free Music.lnk -> C:\Users\New Master\AppData\Local\Torch\Application\torch.exe (Torch Media Inc.) -> --run-by-tm hxxp://music.torchbrowser.com
ShortcutWithArgument: C:\Users\New Master\Desktop\Kijiji.lnk -> C:\Users\New Master\AppData\Local\Torch\Application\torch.exe (Torch Media Inc.) ->  --run-by-ddi hxxp://www.kijiji.ca/
FirewallRules: [TCP Query User{37022B18-FC41-438D-9FD9-383D327D93F9}C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe] => (Allow) C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe
FirewallRules: [UDP Query User{71A23294-71BD-47B2-B923-63C58AB71364}C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe] => (Allow) C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe
FirewallRules: [TCP Query User{93321DD2-A89B-4E13-91E1-8B2AC03AF612}C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe] => (Allow) C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe
FirewallRules: [UDP Query User{6E3B35B9-1263-4336-A150-863CEBEC0838}C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe] => (Allow) C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe
FirewallRules: [{02A13E04-B3D8-4593-B685-49D12E989866}] => (Allow) C:\Users\New Master\AppData\Local\Torch\Application\torch.exe
FirewallRules: [{7FA081D9-5299-4769-A3CF-EB7CE14BFF79}] => (Allow) C:\Users\New Master\AppData\Local\Torch\Plugins\Hola\hola_plugin.exe
FirewallRules: [{A739698B-6CF1-4EE7-9133-6E782F058CE3}] => (Allow) C:\Users\New Master\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe
FirewallRules: [TCP Query User{14BD991F-FB64-4D56-85AB-1B87E6ABFE3B}C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe] => (Block) C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe
FirewallRules: [UDP Query User{AEE69123-0193-47A6-BE64-C19D5E05A4B5}C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe] => (Block) C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe
FirewallRules: [{B645E567-C77B-4653-ACFB-CF7339D81183}] => (Allow) C:\Program Files\Hola\app\hola_updater.exe
FirewallRules: [{D9584CDF-2C88-48BA-9110-6647BD3D6D24}] => (Allow) C:\Program Files\Hola\app\hola_updater.exe
FirewallRules: [TCP Query User{029012A1-F17B-4F7B-A6E5-69640B6AD863}C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [UDP Query User{A434F5D6-4E2D-4BFF-B9E1-3C1117136DA5}C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [{4956A358-4DD1-4B13-9CD3-4160A98C2315}] => (Allow) C:\Windows\System32\config\systemprofile\AppData\Local\Hola\firefox_hola\app\hola_plugin.exe
FirewallRules: [{F30B5EED-561A-41D4-B022-92FE0DCDB256}] => (Allow) C:\Windows\System32\config\systemprofile\AppData\Local\Hola\firefox_hola\app\hola_plugin.exe
FirewallRules: [{3225545F-0391-423B-BB52-E8EE1E36B17E}] => (Allow) C:\Program Files\Hola\app\hola_svc.exe
FirewallRules: [{DDC1EF56-14C7-4028-A28C-AE18BD16C7A2}] => (Allow) C:\Program Files\Hola\app\hola_svc.exe
FirewallRules: [{C3B050EA-3AE4-431B-924D-5F8C3CF89065}] => (Allow) C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\hola_plugin.exe
FirewallRules: [{E36B89B5-EC17-41A9-AE83-3FF626404F83}] => (Allow) C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\hola_plugin.exe
FirewallRules: [TCP Query User{B5BD1BD1-3761-4D00-BD75-A2B04EE3DC9C}C:\users\new master\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\nw.exe
FirewallRules: [UDP Query User{0982F116-6A4D-4784-AD98-9D8462FA2C8D}C:\users\new master\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\nw.exe
FirewallRules: [TCP Query User{9C372C77-2420-4C6C-A695-4393FCC4F370}C:\users\new master\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\nw.exe
FirewallRules: [UDP Query User{EFE28EE6-7B22-415A-AD90-DD3A54F83A46}C:\users\new master\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\new master\appdata\local\popcorn time\nw.exe
FirewallRules: [{931040F5-2178-4EDA-AB1D-19D21CEE4352}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{82FD0FDC-28F3-4B98-9E26-8AB2371A966A}] => (Allow) C:\Program Files (x86)\Popcorn Time\Updater.exe
FirewallRules: [{97E1A021-8C93-4153-BA96-491877077BAC}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{79274F13-92AF-4788-B76B-095FDBB914CA}] => (Allow) C:\Program Files (x86)\Popcorn Time\PopcornTimeDesktop.exe
FirewallRules: [{AE87AE36-9D69-4D0A-AE77-375C60B0DEFB}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
FirewallRules: [{218A9819-34B8-4854-B618-2F3E2E5D8415}] => (Allow) C:\Program Files (x86)\Popcorn Time\chromecast\node.exe
C:\Users\NEWMAS~1\AppData\Local\Temp\stuprt.exe
C:\Users\New Master\AppData\Local\Torch\Update
C:\Program Files (x86)\Popcorn Time
C:\Users\New Master\AppData\Roaming\BrowserMe
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.html
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.txt
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.html
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.txt 
C:\Users\New Master\AppData\Local\Hola
 
End
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
C:\Users\New Master\AppData\Local\Torch\Update\TorchCrashHandler.exe => No running process found
C:\Program Files (x86)\Popcorn Time\Updater.exe => No running process found
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => key removed successfully
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\Software\Microsoft\Windows\CurrentVersion\Run\\BrowserUpdate => value removed successfully
"HKU\S-1-5-21-2897383642-4032862370-585284992-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c13702ea-ab17-11e3-a4d6-50e54954881d}" => key removed successfully
HKCR\CLSID\{c13702ea-ab17-11e3-a4d6-50e54954881d} => key not found. 
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.html => moved successfully
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.txt => moved successfully
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.html => moved successfully
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.txt => moved successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKU\.DEFAULT\Software\MozillaPlugins\@hola.org/FlashPlayer" => key removed successfully
C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll => moved successfully
"HKU\.DEFAULT\Software\MozillaPlugins\@hola.org/vlc" => key removed successfully
C:\Users\New Master\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll => moved successfully
"HKU\S-1-5-21-2897383642-4032862370-585284992-1004\Software\MozillaPlugins\@hola.org/vlc,version=1.6.676" => key removed successfully
FF Plugin HKU\S-1-5-21-2897383642-4032862370-585284992-1004: @hola.org/vlc,version=1.6.676 -> C:\Users\New Master\AppData\Local\Hola\firefox\app\vlc [2015-12-24] () => not found.
TorchCrashHandler => service not found.
Update service => service removed successfully
RzMaelstromVADStreamingService => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F776C1E3-7645-45EF-932F-09334E50362E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F776C1E3-7645-45EF-932F-09334E50362E}" => key removed successfully
C:\Windows\System32\Tasks\System Components Update => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Components Update" => key removed successfully
C:\Users\New Master\Desktop\ctv.ca.lnk => not found.
C:\Users\New Master\Desktop\Free Games.lnk => not found.
C:\Users\New Master\Desktop\Free Music.lnk => not found.
C:\Users\New Master\Desktop\Kijiji.lnk => not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{37022B18-FC41-438D-9FD9-383D327D93F9}C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{71A23294-71BD-47B2-B923-63C58AB71364}C:\users\new master\appdata\roaming\popcorn time\node-webkit\popcorn-time.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{93321DD2-A89B-4E13-91E1-8B2AC03AF612}C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{6E3B35B9-1263-4336-A150-863CEBEC0838}C:\users\new master\appdata\roaming\mozilla\firefox\profiles\y1hpnv5f.default\extensions\jid1-4p0kohsjxu1qgg@jetpack\resources\hola_firefox_ext\data\plugins\hola_plugin_x64.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{02A13E04-B3D8-4593-B685-49D12E989866} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7FA081D9-5299-4769-A3CF-EB7CE14BFF79} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A739698B-6CF1-4EE7-9133-6E782F058CE3} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{14BD991F-FB64-4D56-85AB-1B87E6ABFE3B}C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{AEE69123-0193-47A6-BE64-C19D5E05A4B5}C:\users\new master\appdata\local\hola\firefox\app\hola_plugin.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B645E567-C77B-4653-ACFB-CF7339D81183} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D9584CDF-2C88-48BA-9110-6647BD3D6D24} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{029012A1-F17B-4F7B-A6E5-69640B6AD863}C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{A434F5D6-4E2D-4BFF-B9E1-3C1117136DA5}C:\users\new master\appdata\local\popcorn time\node-webkit\popcorn time.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4956A358-4DD1-4B13-9CD3-4160A98C2315} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F30B5EED-561A-41D4-B022-92FE0DCDB256} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3225545F-0391-423B-BB52-E8EE1E36B17E} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DDC1EF56-14C7-4028-A28C-AE18BD16C7A2} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C3B050EA-3AE4-431B-924D-5F8C3CF89065} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E36B89B5-EC17-41A9-AE83-3FF626404F83} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{B5BD1BD1-3761-4D00-BD75-A2B04EE3DC9C}C:\users\new master\appdata\local\popcorn time\nw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{0982F116-6A4D-4784-AD98-9D8462FA2C8D}C:\users\new master\appdata\local\popcorn time\nw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{9C372C77-2420-4C6C-A695-4393FCC4F370}C:\users\new master\appdata\local\popcorn time\nw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{EFE28EE6-7B22-415A-AD90-DD3A54F83A46}C:\users\new master\appdata\local\popcorn time\nw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{931040F5-2178-4EDA-AB1D-19D21CEE4352} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{82FD0FDC-28F3-4B98-9E26-8AB2371A966A} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{97E1A021-8C93-4153-BA96-491877077BAC} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{79274F13-92AF-4788-B76B-095FDBB914CA} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AE87AE36-9D69-4D0A-AE77-375C60B0DEFB} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{218A9819-34B8-4854-B618-2F3E2E5D8415} => value not found.
"C:\Users\NEWMAS~1\AppData\Local\Temp\stuprt.exe" => not found.
"C:\Users\New Master\AppData\Local\Torch\Update" => not found.
C:\Program Files (x86)\Popcorn Time => moved successfully
C:\Users\New Master\AppData\Roaming\BrowserMe => moved successfully
"C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.html" => not found.
"C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.txt" => not found.
"C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.html" => not found.
"C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+rwr.txt" => not found.
C:\Users\New Master\AppData\Local\Hola => moved successfully
EmptyTemp: => 185.7 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 09:37:07 ====
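A Fixlog is easy to misread by eye: "not found" can mean an earlier tool already cleaned the item or that the fixlist path was wrong, and a failed restore point (here caused by the DisableSR policy that the same run removed) means there is no rollback. The following script, an added example that is not FRST's code nor anything posted in this thread, summarises which fixlist entries were remediated, which were not found, whether the Startup-folder ransom notes (the reason the demands reappeared at every boot) were removed, and whether restore-point creation failed. The sample log is constructed from an abridged subset of the Fixlog above.

```python
"""Summarise an FRST Fixlog.txt after a Fix run (added example, not FRST's own code)."""
import re
from collections import Counter

# Constructed sample: an abridged subset of the Fixlog posted in this thread.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version:27-12-2015
Ran by New Master (2015-12-29 09:36:51) Run:2
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\...\Run: [BrowserUpdate] => C:\Users\New Master\AppData\Roaming\BrowserMe\GoogleUpdate.exe
Task: {F776C1E3-7645-45EF-932F-09334E50362E} - System32\Tasks\System Components Update => C:\Users\NEWMAS~1\AppData\Local\Temp\stuprt.exe <==== ATTENTION
End
*****************
Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => key removed successfully
HKU\S-1-5-21-2897383642-4032862370-585284992-1004\Software\Microsoft\Windows\CurrentVersion\Run\\BrowserUpdate => value removed successfully
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.html => moved successfully
C:\Users\New Master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+kyr.txt => moved successfully
TorchCrashHandler => service not found.
C:\Windows\System32\Tasks\System Components Update => moved successfully
"C:\Users\NEWMAS~1\AppData\Local\Temp\stuprt.exe" => not found.
C:\Users\New Master\AppData\Roaming\BrowserMe => moved successfully
EmptyTemp: => 185.7 MB temporary data Removed.
The system needed a reboot.
==== End of Fixlog 09:37:07 ====
"""

# One result line: optional quotes around the item, then "=> <outcome>" with an optional trailing period.
RESULT_RE = re.compile(r'^"?(?P<item>.+?)"?\s+=>\s+(?P<result>.+?)\.?\s*$')
# Ransom-note file names seen in this thread: how_recover+<id>.html / .txt
RANSOM_NOTE_RE = re.compile(r"\\how_recover\+[a-z0-9]+\.(?:html|txt)$", re.IGNORECASE)


def classify(result: str) -> str:
    """Map FRST's free-text outcome to a small fixed vocabulary."""
    r = result.lower()
    if "successfully" in r or r.endswith("removed"):
        return "remediated"
    if "no running process found" in r:
        return "no_process"
    if "not found" in r:
        return "not_found"
    return "other"


def parse_fixlog(text: str):
    """Return ([(item, status), ...], [error lines]) from Fixlog text."""
    in_fixlist = False
    entries, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("*****"):
            in_fixlist = not in_fixlist  # the fixlist is echoed between two rows of asterisks
            continue
        if in_fixlist:
            continue  # echoed fixlist lines are requests, not results; they also contain "=>"
        if line.startswith("Error:"):
            errors.append(line)
            continue
        m = RESULT_RE.match(line)
        if m:
            entries.append((m.group("item"), classify(m.group("result"))))
    return entries, errors


def summarize(text: str) -> dict:
    """Counts plus the items a responder should look at a second time."""
    entries, errors = parse_fixlog(text)
    counts = Counter(status for _, status in entries)
    return {
        "remediated": counts["remediated"],
        # Already cleaned by an earlier tool, or a wrong path in the fixlist: verify by hand.
        "not_found": [item for item, status in entries if status == "not_found"],
        "ransom_notes_removed": [item for item, status in entries
                                 if status == "remediated" and RANSOM_NOTE_RE.search(item)],
        "restore_point_failed": any("restore point" in e.lower() for e in errors),
        "errors": errors,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FIXLOG).items():
        print(f"{key}: {value}")
```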

 



#4 nasdaq

  • Malware Response Team
  • 40,544 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:35 PM

Posted 29 December 2015 - 03:49 PM

Files associated with the compromised programs could have been damaged.
The programs must be reinstalled.
 
If you still have many files in your downloads folders 
 
C:\Users\New Master\Downloads
 
Highlight them all, then hold the Shift and DEL keys.
Accept the notice to remove them. They will NOT be sent to your Recycle bin and will be deleted completely.
 
===
 
When all is well
 
To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
===


#5 nasdaq

  • Malware Response Team
  • 40,544 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:35 PM

Posted 04 January 2016 - 02:39 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
