Help to Remove ransomware and decrypt files encrypted by ransomware [C


This topic is locked

#1 [email protected] (New Member, 8 posts)

Hi, this is the first time I have come to this forum. I want to not only remove the ransomware from our Windows system, but also decrypt the MS Office and Adobe PDF files encrypted by the ransomware. We do not have clean backup files, because the files on both the shared drive and the backup drive are encrypted. Could anyone tell me whether this is the right place to get help? If so, I would like to spend more time sending logs here. Thank you very much for your help!

George



#2 LiquidTension (Instructor, GeekU Moderator, 1,064 posts)

Hello [email protected], welcome to the GeeksToGo Malware Removal forum!

My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name, I would prefer that.

======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability to ascertain the current situation and provide the best set of instructions for you.
  • Please back up important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
  • Ensure you are following this topic. Click the follow button at the top of the page.


======================================================
 

"but also decrypt the MS Office and Adobe PDF files encrypted by the ransomware."

Depending on the ransomware present, this may not be possible, I'm afraid. However, you may have other options available that do not involve decryption.

Running the diagnostic scans below will allow me to ascertain what options you have.

STEP 1
Farbar Recovery Scan Tool (FRST) Scan

  • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
  • Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop-up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste them in your next reply.


STEP 2
IDTool

  • Please download IDTool and save the file to your Desktop.
  • Right-click idtool.zip and click Extract All. Select your Desktop and click Extract.
  • Right-click IDTool.exe and click Run as administrator to run the programme.
  • If you're prompted to download and install the Microsoft .NET Framework, please agree.
  • Allow the programme to collect the necessary data.
  • Once the main console is loaded, click Rescan Computer and Generate a New Report.
  • Upon completion, and when prompted that the rescan is complete, click Generate Text Friendly Report for Forums.
  • Copy the contents of the report and paste it in your next reply.


======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • FRST.txt
  • Addition.txt
  • IDTool log

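STEP 1 above collects FRST.txt, and the FRST output George posts later in this thread shows which of its entries bear on the decryption question: the lines FRST itself marks with "<====" (there, a Poweliks registry entry), document files with an unfamiliar extension appended (".XLSX.wymfrlk"), ransom notes carrying the same token ("Decrypt All Files wymfrlk.txt"), and scheduled tasks created in the same period. The Python script below is an added example; it is not part of Adam's post, of FRST or of IDTool. It parses the "One Month Created Files and Folders" section of an FRST.txt and reports those indicators. The sample log embedded in it was constructed by hand in FRST's layout (paths modelled on the thread's log, shortened), and the list of "document" suffixes it uses to recognise an appended extension is the script's own assumption.

```python
"""Triage an FRST.txt log for ransomware indicators.

Added example for this thread; not part of FRST or of the original post.
It reads the text of FRST.txt and pulls out the entries that bear on the
"can these files be decrypted" question.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in FRST's layout. Paths and names are modelled on the
# log posted later in this thread, but these lines were assembled by hand
# and are not a real FRST run.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ==================

HKU\S-1-5-21-1\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2014-07-23] (Google Inc.)
HKU\S-1-5-21-1\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval(...) <==== Poweliks!

==================== One Month Created Files and Folders ========

2015-01-07 13:40 - 2015-01-07 13:43 - 00000000 ____D () C:\FRST
2015-01-06 19:08 - 2015-01-06 19:08 - 00003840 _____ () C:\Windows\System32\Tasks\Security Center Update - 3401159158
2015-01-02 22:57 - 2015-01-02 22:57 - 06220854 _____ () C:\Users\georgepc\Documents\Decrypt All Files wymfrlk.bmp
2015-01-02 22:57 - 2015-01-02 22:57 - 00001240 _____ () C:\Users\georgepc\Documents\Decrypt All Files wymfrlk.txt
2015-01-02 08:32 - 2014-12-31 19:28 - 00013408 _____ () C:\Users\georgepc\Documents\Copy of withholding (2).XLSX.wymfrlk
2014-12-31 08:58 - 2014-12-30 15:17 - 08447865 _____ (AME Software Products, Inc. ) C:\Users\georgepc\Desktop\ame_update_2015_v2_3_1.exe
2014-12-15 11:50 - 2014-11-06 11:32 - 00000448 _____ () C:\Users\georgepc\Documents\ChatLog 2014_11_06.RTF.wymfrlk

==================== Known DLLs (Whitelisted) ================
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# FRST prints: creation time - modification time - size attrs (company) path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Assumed set of ordinary document suffixes; a token appended after one of
# these (".XLSX.wymfrlk") is treated as the ransomware's extension.
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf",
            "txt", "csv", "accdb", "mdb", "jpg", "png", "zip"}


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    company: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_frst(text):
    """Return (entries from the One Month Created section, FRST-flagged lines)."""
    section, entries, flagged = None, [], []
    for line in text.splitlines():
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        if "<====" in line:  # FRST's own marker for items it recognises as malicious
            item, _, note = line.partition("<====")
            flagged.append((note.strip(), item.strip()))
        if section != "One Month Created Files and Folders":
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(
                datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                int(m["size"]), m["attrs"], m["company"].strip(), m["path"]))
    return entries, flagged


def triage(text):
    """Summarise the ransomware-relevant findings in one FRST.txt."""
    entries, flagged = parse_frst(text)
    votes = Counter()
    for e in entries:
        parts = e.name.lower().split(".")
        if len(parts) >= 3 and parts[-2] in DOC_EXTS:
            votes[parts[-1]] += 1
    ext = votes.most_common(1)[0][0] if votes else None
    encrypted = [e for e in entries if ext and e.name.lower().endswith("." + ext)]
    # Ransom notes carry the same token in their name but are not themselves
    # encrypted files, so they do not end in the appended extension.
    notes = [e for e in entries if ext and ext in e.name.lower() and e not in encrypted]
    tasks = [e for e in entries if "\\tasks\\" in e.path.lower()]
    window = None
    if encrypted:  # creation-time span of the encrypted copies
        fmt = "%Y-%m-%d %H:%M"
        window = (min(e.created for e in encrypted).strftime(fmt),
                  max(e.created for e in encrypted).strftime(fmt))
    return {
        "flagged": flagged,
        "appended_extension": ext,
        "encrypted_files": [e.path for e in encrypted],
        "ransom_notes": [e.name for e in notes],
        "scheduled_tasks": [e.name for e in tasks],
        "encryption_window": window,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FRST).items():
        print(f"{key}: {value}")
```

To use it on a real scan, read FRST.txt from disk and pass its contents to triage() in place of SAMPLE_FRST. The appended extension and the ransom-note name are what a family identification check is matched against, and the creation-time window is what to compare with the dates of any backups or restore points when weighing recovery routes that do not involve decryption.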

#3 [email protected] (Topic Starter, New Member, 8 posts)

Adam, it was very nice to hear from you! You can call me George. I will follow your procedures and send you the log file ASAP.



#4 [email protected] (Topic Starter, New Member, 8 posts)

Adam, please see the following log for your information:

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-01-2015
Ran by georgepc (administrator) on GEORGEPAN-PC on 07-01-2015 13:43:13
Running from C:\Users\georgepc\Desktop\Geekstogo
Loaded Profile: georgepc (Available profiles: GeorgePan & georgepc & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Thomson Reuters) C:\Windows\csasvc.exe
(Thomson Reuters) C:\Windows\csifcsvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Atheros) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe
(Atheros) C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Thomson Tax & Accounting;  http://cs.thomson.com) \\dg4f5wv1\wincsi\csa\csa.exe
(Thomson Tax & Accounting;  http://cs.thomson.com) \\DG4F5WV1\WINCSI\CSA\CSAAPP.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\outlook.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\winword.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\System32\mspaint.exe
(Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dpnsvr.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3653136 2014-11-09] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\758\g2ax_winlogonx64.dll (Citrix Online, LLC)
HKU\S-1-5-21-3959093455-1914111138-4206043169-1001\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2014-07-23] (Google Inc.)
HKU\S-1-5-21-3959093455-1914111138-4206043169-1001\...\RunOnce: [Uninstall C:\Users\georgepc\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211_1\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\georgepc\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211_1\amd64"
HKU\S-1-5-21-3959093455-1914111138-4206043169-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3959093455-1914111138-4206043169-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3959093455-1914111138-4206043169-1001 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com...3CLRTYRY1_sp_ie
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-3959093455-1914111138-4206043169-1001 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.we...nt/ieatgpc1.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.9.1
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3959093455-1914111138-4206043169-1001: @citrixonline.com/appdetectorplugin -> C:\Users\georgepc\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
 
Chrome: 
=======
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3488784 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2449592 2014-11-12] (Microsoft Corporation)
R2 CSAPrintService; C:\Windows\csasvc.exe [115712 2013-10-30] (Thomson Reuters) [File not signed]
R2 FCPrintService; C:\Windows\csifcsvc.exe [115712 2013-10-30] (Thomson Reuters) [File not signed]
S3 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\758\g2ax_service.exe [610888 2014-10-03] (Citrix Online, LLC)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15344 2013-02-06] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2014-02-19] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [174368 2014-01-17] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-02-19] (Intel Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376168 2014-10-31] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2014-10-31] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2014-10-31] (LogMeIn, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2009-05-14] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2009-05-14] (Hewlett-Packard) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [224840 2013-05-10] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [1915920 2014-04-04] (SoftThinks SAS)
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [327296 2012-12-27] (Atheros)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2012-12-25] (Atheros)
S2 McAPExe; "C:\Program Files\McAfee\MSC\McAPExe.exe" [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [263960 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28656 2013-01-15] (Intel Corporation)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2014-10-31] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [116736 2014-02-19] (Intel Corporation)
S3 SPPD; \??\C:\Windows\system32\drivers\SPPD.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-07 13:40 - 2015-01-07 13:43 - 00000000 ____D () C:\FRST
2015-01-07 13:39 - 2015-01-07 13:43 - 00000000 ____D () C:\Users\georgepc\Desktop\Geekstogo
2015-01-06 19:08 - 2015-01-07 13:35 - 00000000 ____D () C:\Users\georgepc\AppData\Roaming\Siegazsi
2015-01-06 19:08 - 2015-01-07 13:00 - 00000826 _____ () C:\Windows\Tasks\Security Center Update - 3401159158.job
2015-01-06 19:08 - 2015-01-06 19:08 - 00003840 _____ () C:\Windows\System32\Tasks\Security Center Update - 3401159158
2015-01-06 13:42 - 2015-01-06 13:42 - 00002285 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\WinZip.lnk
2015-01-06 13:42 - 2015-01-06 13:42 - 00002279 _____ () C:\Users\Public\Desktop\WinZip.lnk
2015-01-06 13:42 - 2015-01-06 13:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip
2015-01-06 13:41 - 2015-01-06 13:42 - 00000000 ____D () C:\Users\Administrator\AppData\Local\WinZip
2015-01-06 13:41 - 2015-01-06 13:42 - 00000000 ____D () C:\ProgramData\WinZip
2015-01-06 13:41 - 2015-01-06 13:41 - 00000000 ____D () C:\Program Files\WinZip
2015-01-06 13:40 - 2015-01-06 13:40 - 00906024 _____ ( ) C:\Users\Administrator\Downloads\winzip19.exe
2015-01-06 13:30 - 2015-01-06 13:31 - 00000000 ____D () C:\Users\Administrator\Desktop\GP_Ransom
2015-01-06 13:26 - 2015-01-06 13:26 - 00019822 _____ () C:\Users\Administrator\Desktop\dds.txt
2015-01-06 13:26 - 2015-01-06 13:26 - 00005473 _____ () C:\Users\Administrator\Desktop\attach.txt
2015-01-06 13:22 - 2015-01-06 13:20 - 00688992 ____R (Swearware) C:\Users\Administrator\Desktop\dds.com
2015-01-06 13:20 - 2015-01-06 13:20 - 00688992 _____ (Swearware) C:\Users\Administrator\Downloads\dds.com
2015-01-06 13:19 - 2015-01-06 13:19 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Macromedia
2015-01-06 13:18 - 2015-01-06 13:18 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieUserList
2015-01-06 13:18 - 2015-01-06 13:18 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieSiteList
2015-01-06 13:18 - 2015-01-06 13:18 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieBrowserModeList
2015-01-05 18:51 - 2015-01-05 18:51 - 00001660 _____ () C:\Users\Public\Desktop\Recuva.lnk
2015-01-05 18:51 - 2015-01-05 18:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Recuva
2015-01-05 18:51 - 2015-01-05 18:51 - 00000000 ____D () C:\Program Files\Recuva
2015-01-05 18:27 - 2015-01-06 12:47 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2015-01-05 18:22 - 2015-01-05 18:23 - 00344064 _____ () C:\Users\georgepc\Documents\Database2.accdb
2015-01-05 18:22 - 2015-01-05 18:22 - 00344064 _____ () C:\Users\georgepc\Documents\Database1.accdb
2015-01-05 18:14 - 2015-01-05 18:14 - 00000000 ____D () C:\Windows\pss
2015-01-05 18:09 - 2015-01-05 18:09 - 00000000 ____D () C:\cd871ceb1dc9e339b4fc59bb388a
2015-01-05 17:20 - 2015-01-05 17:20 - 00023552 _____ () C:\Users\georgepc\AppData\Local\kenxoil.dll
2015-01-05 12:15 - 2015-01-05 12:15 - 00015872 _____ () C:\Users\georgepc\AppData\Roaming\cowitches.d
2015-01-03 21:35 - 2015-01-07 13:42 - 00001688 _____ () C:\Users\georgepc\Desktop\Computer.lnk
2015-01-03 21:35 - 2015-01-07 13:42 - 00000288 _____ () C:\Users\georgepc\AppData\Roaming\B268479A.reg
2015-01-03 21:35 - 2015-01-06 19:00 - 00928768 _____ () C:\Users\georgepc\AppData\Roaming\ScanDisc.exe
2015-01-03 21:33 - 2015-01-03 21:33 - 00000000 ____D () C:\Users\georgepc\Desktop\2007 Extension 7004 & 4868
2015-01-03 20:54 - 2015-01-03 20:56 - 00000000 ____D () C:\Users\georgepc\Desktop\temptemp
2015-01-03 20:40 - 2015-01-03 20:40 - 00120864 _____ () C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-03 20:40 - 2015-01-03 20:40 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Intel Corporation
2015-01-03 20:39 - 2015-01-03 20:39 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\AVG2015
2015-01-03 20:39 - 2015-01-03 20:39 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Atheros
2015-01-03 20:39 - 2015-01-03 20:39 - 00000000 ____D () C:\Users\Administrator\AppData\Local\LogMeIn
2015-01-03 20:39 - 2015-01-03 20:39 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Avg2015
2015-01-03 20:38 - 2015-01-03 20:38 - 00001415 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-01-03 20:38 - 2015-01-03 20:38 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe
2015-01-03 20:37 - 2015-01-03 20:38 - 00000000 ____D () C:\Users\Administrator
2015-01-03 20:37 - 2015-01-03 20:37 - 00000020 ___SH () C:\Users\Administrator\ntuser.ini
2015-01-03 20:37 - 2014-08-14 08:56 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\TuneUp Software
2015-01-03 20:37 - 2014-07-26 15:15 - 00002106 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk
2015-01-03 20:37 - 2009-07-13 20:54 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-01-03 20:37 - 2009-07-13 20:49 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-01-02 22:57 - 2015-01-02 22:57 - 06220854 _____ () C:\Users\georgepc\Documents\Decrypt All Files wymfrlk.bmp
2015-01-02 22:57 - 2015-01-02 22:57 - 00001240 _____ () C:\Users\georgepc\Documents\Decrypt All Files wymfrlk.txt
2015-01-02 08:32 - 2014-12-31 19:28 - 00013408 _____ () C:\Users\georgepc\Documents\Copy of 2014 Dr  Noralahi income tax withholding (2).XLSX.wymfrlk
2014-12-31 16:05 - 2015-01-02 22:57 - 04611046 _____ () C:\ProgramData\odxwyle.html
2014-12-31 08:58 - 2014-12-30 15:17 - 08447865 _____ (AME Software Products, Inc. ) C:\Users\georgepc\Desktop\ame_update_2015_v2_3_1.exe
2014-12-30 13:12 - 2014-12-30 13:12 - 00003038 _____ () C:\Windows\System32\Tasks\dvwgmok
2014-12-24 20:44 - 2014-12-24 20:44 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2014-12-24 20:33 - 2015-01-07 03:40 - 00000000 ____D () C:\ProgramData\lmyrj
2014-12-24 20:29 - 2014-12-24 20:36 - 00000000 ____D () C:\ProgramData\AojahEzfec
2014-12-18 13:47 - 2014-12-18 13:47 - 00001658 _____ () C:\Users\georgepc\Desktop\eFileCabinet 2014.lnk
2014-12-18 12:36 - 2014-12-18 12:24 - 00005522 _____ () C:\Users\georgepc\Desktop\Copy of UT13_ClientContact  business -  Bookkeeping.csv
2014-12-18 12:36 - 2014-12-18 12:24 - 00004206 _____ () C:\Users\georgepc\Desktop\Copy of UT13_ClientContact  business - Payroll.csv
2014-12-17 11:01 - 2014-12-12 21:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-17 11:01 - 2014-12-12 19:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-16 08:52 - 2014-12-16 08:52 - 00000029 _____ () C:\Users\georgepc\Foxit Reader SDK ActiveX.ini
2014-12-15 14:58 - 2014-12-15 14:58 - 00001440 _____ () C:\Users\georgepc\Desktop\0224SWM.ASC
2014-12-15 12:23 - 2014-12-15 12:23 - 00000641 _____ () C:\Users\georgepc\Desktop\0224DPO.ASC
2014-12-15 11:56 - 2014-12-15 11:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eFileCabinet 2014
2014-12-15 11:50 - 2014-12-15 11:50 - 00000000 ____D () C:\Users\georgepc\AppData\Roaming\eFileCabinet
2014-12-15 11:50 - 2014-11-06 11:32 - 00000448 _____ () C:\Users\georgepc\Documents\ChatLog NorCal Meeting w_Steve R_ 2014_11_06 11_32.RTF.wymfrlk
2014-12-15 11:48 - 2014-12-15 12:08 - 00014337 _____ () C:\Users\georgepc\Desktop\UT13_ClientContact.csv
2014-12-15 11:44 - 2014-12-15 11:45 - 00001109 _____ () C:\Users\georgepc\Desktop\0224tt.csv
2014-12-15 11:41 - 2014-12-15 11:41 - 00001008 _____ () C:\Users\georgepc\Desktop\0224TT.ASC
2014-12-12 12:01 - 2014-12-12 12:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-12-12 12:00 - 2014-12-12 12:00 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-12-12 12:00 - 2014-12-12 12:00 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-12-12 11:40 - 2014-12-12 11:40 - 00065630 _____ () C:\Users\georgepc\Desktop\ame payroll client.html
2014-12-12 09:36 - 2014-12-12 09:36 - 03371604 _____ () C:\Users\georgepc\Desktop\AttendeeViewerImage007.bmp
2014-12-12 09:36 - 2014-12-12 09:36 - 03371604 _____ () C:\Users\georgepc\Desktop\AttendeeViewerImage006.bmp
2014-12-12 09:36 - 2014-12-12 09:36 - 03371604 _____ () C:\Users\georgepc\Desktop\AttendeeViewerImage005.bmp
2014-12-12 09:35 - 2014-12-12 09:35 - 03371604 _____ () C:\Users\georgepc\Desktop\AttendeeViewerImage004.bmp
2014-12-12 09:35 - 2014-12-12 09:35 - 03371604 _____ () C:\Users\georgepc\Desktop\AttendeeViewerImage003.bmp
2014-12-12 09:35 - 2014-12-12 09:35 - 03371604 _____ () C:\Users\georgepc\Desktop\AttendeeViewerImage002.bmp
2014-12-12 09:35 - 2014-12-12 09:35 - 03371604 _____ () C:\Users\georgepc\Desktop\AttendeeViewerImage001.bmp
2014-12-10 03:16 - 2014-12-10 03:16 - 00000000 ____D () C:\Windows\system32\appraiser
2014-12-10 03:00 - 2014-10-17 18:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2014-12-10 03:00 - 2014-10-17 17:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2014-12-10 03:00 - 2014-07-06 18:06 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2014-12-10 03:00 - 2014-07-06 18:06 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2014-12-10 03:00 - 2014-07-06 18:06 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2014-12-10 03:00 - 2014-07-06 18:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2014-12-10 03:00 - 2014-07-06 17:40 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2014-12-10 03:00 - 2014-07-06 17:39 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rrinstaller.exe
2014-12-10 03:00 - 2014-07-06 17:39 - 00023040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfpmp.exe
2014-12-10 03:00 - 2014-07-06 17:37 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mferror.dll
2014-12-09 13:00 - 2014-12-03 18:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2014-12-09 13:00 - 2014-12-03 18:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2014-12-09 13:00 - 2014-12-03 18:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-12-09 13:00 - 2014-12-03 18:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2014-12-09 13:00 - 2014-12-03 18:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-12-09 13:00 - 2014-12-03 18:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2014-12-09 13:00 - 2014-12-03 18:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-12-09 13:00 - 2014-12-01 15:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2014-12-09 13:00 - 2014-11-26 17:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-09 13:00 - 2014-11-26 17:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-09 13:00 - 2014-11-21 19:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-09 13:00 - 2014-11-21 19:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-09 13:00 - 2014-11-21 19:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-12-09 13:00 - 2014-11-21 18:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-09 13:00 - 2014-11-21 18:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-09 13:00 - 2014-11-21 18:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-09 13:00 - 2014-11-21 18:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-12-09 13:00 - 2014-11-21 18:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-12-09 13:00 - 2014-11-21 18:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-09 13:00 - 2014-11-21 18:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-09 13:00 - 2014-11-21 18:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-12-09 13:00 - 2014-11-21 18:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-12-09 13:00 - 2014-11-21 18:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-09 13:00 - 2014-11-21 18:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-12-09 13:00 - 2014-11-21 18:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-12-09 13:00 - 2014-11-21 18:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-09 13:00 - 2014-11-21 18:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-09 13:00 - 2014-11-21 18:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-09 13:00 - 2014-11-21 18:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-12-09 13:00 - 2014-11-21 18:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-12-09 13:00 - 2014-11-21 18:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-09 13:00 - 2014-11-21 18:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-12-09 13:00 - 2014-11-21 18:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-12-09 13:00 - 2014-11-21 18:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-12-09 13:00 - 2014-11-21 18:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-09 13:00 - 2014-11-21 18:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-12-09 13:00 - 2014-11-21 18:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-09 13:00 - 2014-11-21 17:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-09 13:00 - 2014-11-21 17:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-12-09 13:00 - 2014-11-21 17:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-12-09 13:00 - 2014-11-21 17:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-12-09 13:00 - 2014-11-21 17:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-09 13:00 - 2014-11-21 17:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-12-09 13:00 - 2014-11-21 17:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-12-09 13:00 - 2014-11-21 17:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-09 13:00 - 2014-11-21 17:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-09 13:00 - 2014-11-21 17:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-09 13:00 - 2014-11-21 17:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-09 13:00 - 2014-11-21 17:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-12-09 13:00 - 2014-11-21 17:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-09 13:00 - 2014-11-21 17:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-09 13:00 - 2014-11-21 17:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-09 13:00 - 2014-11-21 17:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-09 13:00 - 2014-11-21 17:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-09 13:00 - 2014-11-21 17:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-09 13:00 - 2014-11-21 17:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-12-09 13:00 - 2014-11-21 17:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-09 13:00 - 2014-11-21 17:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-09 13:00 - 2014-11-21 17:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-12-09 13:00 - 2014-11-21 17:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-09 13:00 - 2014-11-21 16:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-09 13:00 - 2014-11-21 16:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-12-09 13:00 - 2014-11-10 19:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-09 13:00 - 2014-11-10 18:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-09 13:00 - 2014-11-10 17:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2014-12-09 12:59 - 2014-11-07 19:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-12-09 12:59 - 2014-11-07 18:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-12-09 12:59 - 2014-10-29 18:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2014-12-09 12:59 - 2014-10-29 17:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe
2014-12-09 12:59 - 2014-10-02 18:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-12-09 12:59 - 2014-10-02 18:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2014-12-09 12:59 - 2014-10-02 18:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-12-09 12:59 - 2014-10-02 18:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2014-12-09 12:59 - 2014-10-02 18:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2014-12-09 12:59 - 2014-10-02 17:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-12-09 12:59 - 2014-10-02 17:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-09 12:59 - 2014-10-02 17:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-12-09 12:59 - 2014-10-02 17:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll
2014-12-09 12:59 - 2014-10-02 17:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe
2014-12-09 12:43 - 2015-01-06 14:15 - 00001006 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2014-12-09 12:43 - 2015-01-06 14:15 - 00000990 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-12-09 12:43 - 2014-12-09 12:48 - 00000000 ____D () C:\Program Files (x86)\LogMeIn
2014-12-09 12:43 - 2014-12-09 12:43 - 00000000 ____D () C:\Users\georgepc\AppData\Local\LogMeIn
2014-12-09 12:43 - 2014-10-31 11:55 - 00107392 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIRfsClientNP.dll
2014-12-09 12:43 - 2014-10-31 11:54 - 00092520 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIinit.dll
2014-12-09 12:43 - 2014-10-31 11:54 - 00035688 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIport.dll
2014-12-09 12:43 - 2014-10-31 11:15 - 00072216 _____ (LogMeIn, Inc.) C:\Windows\system32\Drivers\LMIRfsDriver.sys
2014-12-09 12:38 - 2014-12-09 12:38 - 26279936 _____ () C:\Users\georgepc\Downloads\LogMeIn.msi
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-07 13:43 - 2014-09-01 08:03 - 00000000 ____D () C:\Users\georgepc\Documents\Outlook Files
2015-01-07 12:52 - 2014-06-03 17:19 - 01967789 _____ () C:\Windows\WindowsUpdate.log
2015-01-07 12:50 - 2014-10-02 15:39 - 00000580 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3959093455-1914111138-4206043169-1001.job
2015-01-07 12:50 - 2014-07-23 21:27 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-07 12:12 - 2014-10-02 13:44 - 00000000 ____D () C:\Users\georgepc\AppData\Local\CrashDumps
2015-01-07 09:44 - 2014-07-19 13:04 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-07 08:50 - 2014-07-23 21:27 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-06 16:56 - 2014-09-04 20:13 - 00005002 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for GeorgePan-PC-georgepc GeorgePan-PC
2015-01-06 14:23 - 2009-07-13 20:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-06 14:23 - 2009-07-13 20:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-06 14:17 - 2014-06-03 15:48 - 00006462 _____ () C:\Windows\SysWOW64\Gms.log
2015-01-06 14:17 - 2014-06-03 15:42 - 00000000 ____D () C:\Program Files (x86)\Dell Backup and Recovery
2015-01-06 14:15 - 2014-12-06 17:30 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-01-06 14:15 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-06 14:15 - 2009-07-13 20:51 - 00039188 _____ () C:\Windows\setupact.log
2015-01-06 13:00 - 2014-08-19 09:19 - 00000000 ____D () C:\Users\georgepc\AppData\Roaming\TeamViewer
2015-01-05 18:21 - 2014-07-23 21:31 - 00000000 ____D () C:\Ame 2.0
2015-01-05 18:14 - 2009-07-13 21:13 - 00783606 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-05 11:45 - 2014-07-19 12:05 - 00000000 ____D () C:\ProgramData\softthinks
2015-01-03 20:39 - 2009-07-13 20:57 - 00001547 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-01-02 20:59 - 2014-08-07 10:21 - 00000000 ____D () C:\PAS42
2014-12-31 21:48 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-12-31 16:13 - 2010-11-20 19:47 - 00277854 _____ () C:\Windows\PFRO.log
2014-12-31 08:59 - 2014-08-05 15:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Update AME 2.0
2014-12-30 16:05 - 2014-11-20 21:51 - 00000000 ____D () C:\Users\georgepc\AppData\Local\Avg2015
2014-12-30 13:12 - 2014-06-03 15:53 - 00000000 ____D () C:\ProgramData\Atheros
2014-12-30 09:50 - 2014-09-23 08:59 - 00000000 __SHD () C:\Users\georgepc\Documents\cache
2014-12-30 08:03 - 2014-09-23 08:58 - 00000000 ____D () C:\ProgramData\WebEx
2014-12-24 20:35 - 2014-11-20 21:53 - 00000000 ____D () C:\ProgramData\AVG2015
2014-12-23 03:56 - 2014-07-26 15:08 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-12-21 13:52 - 2014-10-02 15:39 - 00003620 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3959093455-1914111138-4206043169-1001
2014-12-16 09:27 - 2014-07-23 22:06 - 00001998 ____H () C:\Users\georgepc\Documents\Default.rdp
2014-12-16 08:52 - 2014-07-19 12:52 - 00000000 ____D () C:\Users\georgepc
2014-12-15 12:26 - 2014-07-26 23:13 - 00000000 ____D () C:\Users\georgepc\AppData\Local\Microsoft Help
2014-12-15 11:56 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\Registration
2014-12-13 03:00 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-12-12 03:54 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-12-11 16:57 - 2014-06-03 15:42 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-12-10 03:16 - 2014-07-21 02:30 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-12-10 03:16 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-12-10 03:16 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat
2014-12-09 12:43 - 2014-12-06 17:30 - 00001024 _____ () C:\.rnd
2014-12-09 12:36 - 2014-07-19 13:08 - 00000000 ____D () C:\Windows\system32\appmgmt
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-04 00:23
 
==================== End Of Log ============================
Addition.txt:
    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-01-2015
    Ran by georgepc at 2015-01-07 13:43:55
    Running from C:\Users\georgepc\Desktop\Geekstogo
    Boot Mode: Normal
    ==========================================================
     
     
    ==================== Security Center ========================
     
    (If an entry is included in the fixlist, it will be removed.)
     
    AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}
     
    ==================== Installed Programs ======================
     
    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
     
    2010 Lacerte Tax (HKLM-x32\...\2010 Lacerte Tax) (Version:  - Intuit Inc.)
    64 Bit HP CIO Components Installer (Version: 4.2.1 - Hewlett-Packard) Hidden
    Accidental Damage Services Agreement (HKLM-x32\...\{EF85FEF4-EB92-4075-A6D2-5F519BB30A2C}) (Version: 2.0.0 - Dell Inc.)
    Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
    Adobe Reader XI  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.00 - Adobe Systems Incorporated)
    Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
    AME 2.0 (HKLM-x32\...\AME 2.0) (Version:  - AME Software Products, Inc.)
    AME 2.0 (x32 Version: 2.0 - AME Software Products, Inc.) Hidden
    AME Efiling 2014 version 2.5.1 (HKLM-x32\...\{BB38C01D-7F97-4D9E-8E6B-38FC2E1C9DF9}_is1) (Version: 2.5.1 - AME Software Products, Inc.)
    Atheros Bluetooth Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 7.4.0.170 - Atheros)
    AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5577 - AVG Technologies)
    AVG 2015 (Version: 15.0.4257 - AVG Technologies) Hidden
    AVG 2015 (Version: 15.0.5577 - AVG Technologies) Hidden
    Banctec Service Agreement (HKLM-x32\...\{42D68A86-DB1C-4256-B8C9-5D0D92919AF5}) (Version: 2.0.0 - Dell Inc.)
    Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
    Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
    Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
    Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
    Citrix Online Launcher (HKLM-x32\...\{C57F6C71-C365-4AFF-9108-397BBAD6127F}) (Version: 1.0.204 - Citrix)
    Complete Care Business Service Agreement (HKLM-x32\...\{0ECFCB07-9BFE-4970-ACA1-D568D982760B}) (Version: 2.0.0 - Dell Inc.)
    Consumer In-Home Service Agreement (HKLM-x32\...\{F47C37A4-7189-430A-B81D-739FF8A7A554}) (Version: 2.0.0 - Dell Inc.)
    Creative Solutions Accounting - Workstation (HKLM-x32\...\Creative Solutions Accounting Workstation) (Version:  - )
    Dell Backup and Recovery - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 1.7.1.2 - Dell Inc.)
    Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.7.1.2 - Dell Inc.)
    Dell Digital Delivery (HKLM-x32\...\{D850CB7E-72BC-4510-BA4F-48932BFAB295}) (Version: 2.9.901.0 - Dell Products, LP)
    Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
    Dell Home Systems Service Agreement (HKLM-x32\...\{AB2FDE4F-6BED-4E9E-B676-3DCCEBB1FBFE}) (Version: 2.0.0 - Dell Inc.)
    Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 9.0 - Dell Inc.)
    eFileCabinet 2014 Client (HKLM-x32\...\{4E422FDA-BA7A-4EB4-9B9D-C6E66815B93F}) (Version: 5.0.0 - eFileCabinet, inc)
    eFileScanner 5 (HKLM-x32\...\{EFE78675-4C12-43C8-961C-439F5C55A3D4}) (Version: 5.0.0 - eFileCabinet, Inc)
    FileCabinet CS (HKLM-x32\...\FileCabinet CS) (Version: 13.1.0 - Thomson Reuters)
    FileCabinet CS Print Driver (HKLM-x32\...\FileCabinet CS Print Driver) (Version: 13.1.0 - Thomson Reuters)
    Fixed Assets CS (HKLM-x32\...\Fixed Assets CS) (Version: 13.1.0 - Thomson Reuters)
    Foxit PhantomPDF Business (HKLM-x32\...\{E9AA5BDC-7DFA-4CB8-96B5-F545F20EBFDB}) (Version: 7.0.3.916 - Foxit Software Inc.)
    Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
    Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
    Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
    GoToAssist Customer 2.2.0.758 (HKLM-x32\...\GoToAssist Express Customer) (Version: 2.2.0.758 - Citrix Online)
    GoToMeeting 7.0.5.2130 (HKU\S-1-5-21-3959093455-1914111138-4206043169-1001\...\GoToMeeting) (Version: 7.0.5.2130 - CitrixOnline)
    Infragisticsv112Install 2013 (HKLM-x32\...\{E20658ED-E86A-4681-9649-2AB8151B4ADF}) (Version: 13.1.0 - Thomson Reuters)
    Infragisticsv62Install 2010 (HKLM-x32\...\{705292ED-22B2-4BCF-8DD4-F9B393844D7D}) (Version: 10.1.0 - Thomson Reuters)
    Intel® Chipset Device Software (x32 Version: 10.0.13 - Intel® Corporation) Hidden
    Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.0.1168 - Intel Corporation)
    Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.0.2.1001 - Intel Corporation)
    Intel® Update Manager (HKLM-x32\...\{AD6B46F2-FE21-496F-BE90-BE19AABE353C}) (Version: 2.2.12 - Intel Corporation)
    Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.0.19 - Intel Corporation)
    Intuit Runtime Components 6.0.16 (HKLM-x32\...\{6A3CAA8E-6DDB-4AA7-A411-9982FF9180FE}) (Version: 6.0.16 - Intuit Inc.)
    LogMeIn (HKLM-x32\...\{F93EE340-3735-4032-8B74-0A3E489017A0}) (Version: 4.1.4670 - LogMeIn, Inc.)
    Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
    Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 15.0.4675.1003 - Microsoft Corporation)
    Microsoft OneDrive (HKU\S-1-5-21-3959093455-1914111138-4206043169-1001\...\OneDriveSetup.exe) (Version: 17.3.1171.0714 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft WSE 3.0 Runtime (HKLM-x32\...\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}) (Version: 3.0.5305.0 - Microsoft Corp.)
    MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
    MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
    Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4675.1003 - Microsoft Corporation) Hidden
    Office 15 Click-to-Run Licensing Component (Version: 15.0.4675.1003 - Microsoft Corporation) Hidden
    Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4675.1003 - Microsoft Corporation) Hidden
    Padgett 4.2 Client (HKLM-x32\...\{C3130FA3-57C6-47E3-ADEA-1656CC072C1E}) (Version: 4.2 - Padgett Business Services)
    PAS42Client (x32 Version: 1.00.000 - Sybase) Hidden
    Premium Service Agreement (HKLM-x32\...\{C33AA6D6-F5EC-48F3-AFDC-8141345D473A}) (Version: 2.0.0 - Dell Inc.)
    QualxServ Service Agreement (HKLM-x32\...\{903679E8-44C8-4C07-9600-05C92654FC50}) (Version: 2.0.0 - Dell Inc.)
    Quickfinder Tax & Financial Tools (HKLM-x32\...\{2C6BA65D-90D8-4F86-9525-62DABB693C9D}) (Version: 123.131.03585 - Thomson Reuters)
    Quickfinder Tax & Financial Tools Shared Files (HKLM-x32\...\{DEAF53FA-06E1-4B1D-875E-F729EC303C35}) (Version: 123.131.03585 - Thomson Reuters)
    Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.30164 - Realtek Semiconductor Corp.)
    Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6909 - Realtek Semiconductor Corp.)
    Recuva (HKLM\...\Recuva) (Version: 1.51 - Piriform)
    Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
    Small Business Tools 2007 (HKLM-x32\...\Small Business Tools 2007) (Version:  - )
    TaxTools 2011 (HKLM-x32\...\{A2E08D37-BEA0-43D7-94A1-D88246D39F94}) (Version: 11.111.147 - CFS Tax Software, Inc.)
    TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
    UltraTax Font Installer (HKLM-x32\...\{7177CDFD-3274-4F8C-977F-7C82C73CA34C}) (Version: 12.00.0000 - Thomson Reuters)
    UltraTax Font Installer (HKLM-x32\...\{7699AA03-8A8C-489E-AF9D-A76A5E97E879}) (Version: 1.00.0000 - Thomson Tax & Accounting)
    Update AME 2.0 version 2.3.1 (HKLM-x32\...\{1A2CBA77-0146-4CC5-A9C5-93C8DDB9D303}_is1) (Version: 2.3.1 - AME Software Products, Inc.)
    Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
    Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
    WinZip 19.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240E5}) (Version: 19.0.11293 - WinZip Computing, S.L. )
     
    ==================== Custom CLSID (selected items): ==========================
     
    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
     
    CustomCLSID: HKU\S-1-5-21-3959093455-1914111138-4206043169-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\georgepc\AppData\Local\Citrix\GoToMeeting\2031\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
    CustomCLSID: HKU\S-1-5-21-3959093455-1914111138-4206043169-1001_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\georgepc\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-3959093455-1914111138-4206043169-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
    CustomCLSID: HKU\S-1-5-21-3959093455-1914111138-4206043169-1001_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\georgepc\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-3959093455-1914111138-4206043169-1001_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\georgepc\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-3959093455-1914111138-4206043169-1001_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\georgepc\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
    CustomCLSID: HKU\S-1-5-21-3959093455-1914111138-4206043169-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\georgepc\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\FileSyncApi64.dll (Microsoft Corporation)
     
    ==================== Restore Points  =========================
     
    06-01-2015 16:46:09 Scheduled Checkpoint
     
    ==================== Hosts content: ==========================
     
    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)
     
    2009-07-13 18:34 - 2009-06-10 13:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
     
    ==================== Scheduled Tasks (whitelisted) =============
     
    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
     
    Task: {02E4327D-8276-4DF4-9950-2ACA3F910C02} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-23] (Google Inc.)
    Task: {2AED3F10-5CCF-42B3-8D6C-AB78C7B3CAFF} - System32\Tasks\dvwgmok => C:\Users\georgepc\AppData\Local\Temp\spgcdak.exe <==== ATTENTION
    Task: {3FAA4E53-36FB-406A-97F0-F5C056C1A125} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-23] (Google Inc.)
    Task: {424F2418-3CE7-46FD-BAC1-DE3B79F6AFBA} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2014-11-11] (Microsoft Corporation)
    Task: {49D42AE4-7E9B-468D-B927-6A9B7E97F311} - System32\Tasks\Microsoft Office 15 Sync Maintenance for GeorgePan-PC-georgepc GeorgePan-PC => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
    Task: {5357BD43-1F7F-4064-A44E-6E17F04857DA} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2014-11-04] (Microsoft Corporation)
    Task: {6CBACCAD-195E-40FC-83A3-930A5DAA7BD8} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2014-01-17] ()
    Task: {72DBB58A-C0A2-49F8-A755-6FE7A9A2FF47} - System32\Tasks\G2MUpdateTask-S-1-5-21-3959093455-1914111138-4206043169-1001 => C:\Users\georgepc\AppData\Local\Citrix\GoToMeeting\2130\g2mupdate.exe [2014-12-21] (Citrix Online, a division of Citrix Systems, Inc.)
    Task: {C16CD23B-3616-4B8D-88C8-CFAE033F2CF7} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
    Task: {DE8240FD-BA3C-48D6-9375-DF6775FBA7AA} - System32\Tasks\Security Center Update - 3401159158 => C:\Users\georgepc\AppData\Roaming\Siegazsi\kaxynek.exe <==== ATTENTION
    Task: {E5058AA4-D140-4DCC-9FB8-05A2BC093850} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2014-01-17] ()
    Task: {EF1E168D-5FDB-400A-9F32-34F2B03901CB} - System32\Tasks\0614aUpdateInfo => C:\ProgramData\Avg_Update_0614a\0614a_AVG-Secure-Search-Update.exe [2014-06-19] ()
    Task: {FFFC73B7-4DDD-4A6B-87AE-6F90D21D9DF9} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
    Task: C:\Windows\Tasks\0614aUpdateInfo.job => C:\ProgramData\Avg_Update_0614a\0614a_AVG-Secure-Search-Update.exe
    Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3959093455-1914111138-4206043169-1001.job => C:\Users\georgepc\AppData\Local\Citrix\GoToMeeting\2130\g2mupdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\Security Center Update - 3401159158.job => C:\Users\georgepc\AppData\Roaming\Siegazsi\kaxynek.exe <==== ATTENTION
     
    ==================== Loaded Modules (whitelisted) =============
     
    2014-06-03 17:20 - 2014-01-07 16:48 - 00117536 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
    2014-08-02 13:47 - 2014-05-20 08:19 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
    2014-10-24 02:11 - 2014-09-23 05:36 - 08897696 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
    2014-02-19 15:51 - 2014-02-19 15:51 - 01241560 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
    2013-11-02 21:19 - 2006-03-17 16:56 - 00290816 _____ () \\DG4F5WV1\WINCSI\CSA\vc6-re200l.dll
    2015-01-06 14:55 - 2013-11-14 18:13 - 00081920 _____ () C:\Users\georgepc\AppData\Local\Temp\FileCabinet_CS\cs_20150106_145507\EN-US\cscabsv.dll.mui
    2015-01-06 14:55 - 2013-11-14 17:43 - 00881152 _____ () C:\Users\georgepc\AppData\Local\temp\FileCabinet_CS\cs_20150106_145507\fc_condll.dll
    2015-01-06 14:55 - 2013-11-14 17:43 - 00266240 _____ () C:\Users\georgepc\AppData\Local\temp\FileCabinet_CS\cs_20150106_145507\en-US\fc_condll.dll.mui
    2013-11-02 21:19 - 2010-03-16 08:40 - 01063424 _____ () \\DG4F5WV1\WinCSI\CSA\Wcis_c.dll
    2013-11-02 21:18 - 2008-11-13 12:59 - 00995328 _____ () \\DG4F5WV1\WINCSI\CSA\condll.dll
    2014-09-21 04:27 - 2014-11-23 06:53 - 00316576 _____ () C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream32.dll
    2014-09-21 04:27 - 2014-11-23 06:53 - 00316576 _____ () C:\Program Files\Microsoft Office 15\Root\Office15\AppVIsvStream32.dll
    2015-01-06 15:39 - 2013-11-14 18:18 - 00009728 _____ () C:\Users\georgepc\AppData\Local\Temp\FileCabinet_CS_Addin\cs_20150106_153914\EN-US\cab_addin.dll.mui
     
    ==================== Alternate Data Streams (whitelisted) =========
     
    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
     
     
    ==================== Safe Mode (whitelisted) ===================
     
    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
     
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist Remote Support Customer => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
     
    ==================== EXE Association (whitelisted) =============
     
    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
     
     
    ==================== MSCONFIG/TASK MANAGER disabled items =========
     
    (Currently there is no automatic fix for this section.)
     
    MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^CS Connect Background Services.lnk => C:\Windows\pss\CS Connect Background Services.lnk.CommonStartup
    MSCONFIG\startupreg: AthBtTray => "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\athbttray.exe"
    MSCONFIG\startupreg: AtherosBtStack => "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\btvstack.exe"
    MSCONFIG\startupreg: IAStorIcon => "C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" "C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
    MSCONFIG\startupreg: kenxoil => rundll32 "C:\Users\georgepc\AppData\Local\kenxoil.dll",kenxoil
    MSCONFIG\startupreg: LogMeIn GUI => "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
    MSCONFIG\startupreg: RtHDVBg => "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX5REC
    MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
    MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    MSCONFIG\startupreg: USB3MON => "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
     
    ========================= Accounts: ==========================
     
    Administrator (S-1-5-21-3959093455-1914111138-4206043169-500 - Administrator - Enabled) => C:\Users\Administrator
    GeorgePan (S-1-5-21-3959093455-1914111138-4206043169-1000 - Administrator - Disabled) => C:\Users\GeorgePan
    georgepc (S-1-5-21-3959093455-1914111138-4206043169-1001 - Administrator - Enabled) => C:\Users\georgepc
    Guest (S-1-5-21-3959093455-1914111138-4206043169-501 - Limited - Disabled)
     
    ==================== Faulty Device Manager Devices =============
     
    Name: Dell Wireless 1703 802.11b/g/n (2.4GHz)
    Description: Dell Wireless 1703 802.11b/g/n (2.4GHz)
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: Atheros Communications Inc.
    Service: athr
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
     
    Name: Dell Wireless 1703 Bluetooth
    Description: Dell Wireless 1703 Bluetooth
    Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
    Manufacturer: Atheros Communications
    Service: BTHUSB
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
     
     
    ==================== Event log errors: =========================
     
    Application errors:
    ==================
    Error: (01/07/2015 00:12:10 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc96f
    Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
    Exception code: 0xc00000fd
    Fault offset: 0x0040b56c
    Faulting process id: 0x22f4
    Faulting application start time: 0xiexplore.exe0
    Faulting application path: iexplore.exe1
    Faulting module path: iexplore.exe2
    Report Id: iexplore.exe3
     
    Error: (01/07/2015 11:53:14 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: 5BDD.tmp, version: 0.0.0.0, time stamp: 0x54abbc39
    Faulting module name: 5BDD.tmp, version: 0.0.0.0, time stamp: 0x54abbc39
    Exception code: 0xc0000005
    Fault offset: 0x00001509
    Faulting process id: 0x3b48
    Faulting application start time: 0x5BDD.tmp0
    Faulting application path: 5BDD.tmp1
    Faulting module path: 5BDD.tmp2
    Report Id: 5BDD.tmp3
     
    Error: (01/07/2015 11:25:54 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: 55F3.tmp, version: 0.0.0.0, time stamp: 0x54abbc39
    Faulting module name: 55F3.tmp, version: 0.0.0.0, time stamp: 0x54abbc39
    Exception code: 0xc0000005
    Fault offset: 0x00001509
    Faulting process id: 0x157c
    Faulting application start time: 0x55F3.tmp0
    Faulting application path: 55F3.tmp1
    Faulting module path: 55F3.tmp2
    Report Id: 55F3.tmp3
     
    Error: (01/07/2015 10:03:48 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: 150C.tmp, version: 0.0.0.0, time stamp: 0x54abbc39
    Faulting module name: 150C.tmp, version: 0.0.0.0, time stamp: 0x54abbc39
    Exception code: 0xc0000005
    Fault offset: 0x00001509
    Faulting process id: 0x3058
    Faulting application start time: 0x150C.tmp0
    Faulting application path: 150C.tmp1
    Faulting module path: 150C.tmp2
    Report Id: 150C.tmp3
     
    Error: (01/07/2015 09:44:20 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: 5314.tmp, version: 0.0.0.0, time stamp: 0x54abbc39
    Faulting module name: 5314.tmp, version: 0.0.0.0, time stamp: 0x54abbc39
    Exception code: 0xc0000005
    Fault offset: 0x00001509
    Faulting process id: 0x20e0
    Faulting application start time: 0x5314.tmp0
    Faulting application path: 5314.tmp1
    Faulting module path: 5314.tmp2
    Report Id: 5314.tmp3
     
    Error: (01/07/2015 06:53:09 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4ce7a46b
    Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
    Exception code: 0xc00000fd
    Fault offset: 0x0011fb5c
    Faulting process id: 0x1be4
    Faulting application start time: 0xiexplore.exe0
    Faulting application path: iexplore.exe1
    Faulting module path: iexplore.exe2
    Report Id: iexplore.exe3
     
    Error: (01/07/2015 06:13:49 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: 9DD8.tmp, version: 0.0.0.0, time stamp: 0x54986f74
    Faulting module name: 9DD8.tmp, version: 0.0.0.0, time stamp: 0x54986f74
    Exception code: 0xc0000005
    Fault offset: 0x00002496
    Faulting process id: 0x34a8
    Faulting application start time: 0x9DD8.tmp0
    Faulting application path: 9DD8.tmp1
    Faulting module path: 9DD8.tmp2
    Report Id: 9DD8.tmp3
     
    Error: (01/07/2015 06:13:41 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: 7ED1.tmp, version: 0.0.0.0, time stamp: 0x54986f74
    Faulting module name: 7ED1.tmp, version: 0.0.0.0, time stamp: 0x54986f74
    Exception code: 0xc0000005
    Fault offset: 0x00002496
    Faulting process id: 0x36e8
    Faulting application start time: 0x7ED1.tmp0
    Faulting application path: 7ED1.tmp1
    Faulting module path: 7ED1.tmp2
    Report Id: 7ED1.tmp3
     
    Error: (01/07/2015 05:51:09 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: DFF2.tmp, version: 0.0.0.0, time stamp: 0x54986f74
    Faulting module name: DFF2.tmp, version: 0.0.0.0, time stamp: 0x54986f74
    Exception code: 0xc0000005
    Fault offset: 0x00002496
    Faulting process id: 0x348c
    Faulting application start time: 0xDFF2.tmp0
    Faulting application path: DFF2.tmp1
    Faulting module path: DFF2.tmp2
    Report Id: DFF2.tmp3
     
    Error: (01/07/2015 05:51:01 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: BDEF.tmp, version: 0.0.0.0, time stamp: 0x54986f74
    Faulting module name: BDEF.tmp, version: 0.0.0.0, time stamp: 0x54986f74
    Exception code: 0xc0000005
    Fault offset: 0x00002496
    Faulting process id: 0x2478
    Faulting application start time: 0xBDEF.tmp0
    Faulting application path: BDEF.tmp1
    Faulting module path: BDEF.tmp2
    Report Id: BDEF.tmp3
     
     
    System errors:
    =============
    Error: (01/07/2015 01:39:33 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
    Error: (01/07/2015 01:35:08 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
    Error: (01/07/2015 01:02:58 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
    Error: (01/07/2015 00:01:58 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
    Error: (01/07/2015 00:01:02 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
    Error: (01/07/2015 11:43:19 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
    Error: (01/07/2015 11:24:34 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
    Error: (01/07/2015 11:13:23 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
    Error: (01/07/2015 11:07:23 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
    Error: (01/07/2015 10:25:29 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
    Description: The following fatal alert was received: 80.
     
     
    Microsoft Office Sessions:
    =========================
    Error: (01/07/2015 00:12:10 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: iexplore.exe11.0.9600.174964a5bc96fMSHTML.dll11.0.9600.17496546ff2f9c00000fd0040b56c22f401d02ab5ad96f9e2C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dll75834fb4-96a9-11e4-a242-3417eba71c52
     
    Error: (01/07/2015 11:53:14 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: 5BDD.tmp0.0.0.054abbc395BDD.tmp0.0.0.054abbc39c0000005000015093b4801d02ab39249a5d3C:\Users\georgepc\AppData\Local\Temp\5BDD.tmpC:\Users\georgepc\AppData\Local\Temp\5BDD.tmpd05a2a7f-96a6-11e4-a242-3417eba71c52
     
    Error: (01/07/2015 11:25:54 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: 55F3.tmp0.0.0.054abbc3955F3.tmp0.0.0.054abbc39c000000500001509157c01d02aafc0d021c6C:\Users\georgepc\AppData\Local\Temp\55F3.tmpC:\Users\georgepc\AppData\Local\Temp\55F3.tmpfed98251-96a2-11e4-a242-3417eba71c52
     
    Error: (01/07/2015 10:03:48 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: 150C.tmp0.0.0.054abbc39150C.tmp0.0.0.054abbc39c000000500001509305801d02aa4481262a0C:\Users\georgepc\AppData\Local\Temp\150C.tmpC:\Users\georgepc\AppData\Local\Temp\150C.tmp86b93fa6-9697-11e4-a242-3417eba71c52
     
    Error: (01/07/2015 09:44:20 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: 5314.tmp0.0.0.054abbc395314.tmp0.0.0.054abbc39c00000050000150920e001d02aa18f9bb08dC:\Users\georgepc\AppData\Local\Temp\5314.tmpC:\Users\georgepc\AppData\Local\Temp\5314.tmpce957c14-9694-11e4-a242-3417eba71c52
     
    Error: (01/07/2015 06:53:09 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: iexplore.exe11.0.9600.174964ce7a46bMSHTML.dll11.0.9600.17496546ff2f9c00000fd0011fb5c1be401d02a896999f715C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dlle48b86cd-967c-11e4-a242-3417eba71c52
     
    Error: (01/07/2015 06:13:49 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: 9DD8.tmp0.0.0.054986f749DD8.tmp0.0.0.054986f74c00000050000249634a801d02a84282c8f0bC:\Users\georgepc\AppData\Local\Temp\9DD8.tmpC:\Users\georgepc\AppData\Local\Temp\9DD8.tmp65db7b4c-9677-11e4-a242-3417eba71c52
     
    Error: (01/07/2015 06:13:41 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: 7ED1.tmp0.0.0.054986f747ED1.tmp0.0.0.054986f74c00000050000249636e801d02a842341571aC:\Users\georgepc\AppData\Local\Temp\7ED1.tmpC:\Users\georgepc\AppData\Local\Temp\7ED1.tmp6118bac0-9677-11e4-a242-3417eba71c52
     
    Error: (01/07/2015 05:51:09 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: DFF2.tmp0.0.0.054986f74DFF2.tmp0.0.0.054986f74c000000500002496348c01d02a80fddaaa03C:\Users\georgepc\AppData\Local\Temp\DFF2.tmpC:\Users\georgepc\AppData\Local\Temp\DFF2.tmp3b899644-9674-11e4-a242-3417eba71c52
     
    Error: (01/07/2015 05:51:01 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: BDEF.tmp0.0.0.054986f74BDEF.tmp0.0.0.054986f74c000000500002496247801d02a80f8786d45C:\Users\georgepc\AppData\Local\Temp\BDEF.tmpC:\Users\georgepc\AppData\Local\Temp\BDEF.tmp367aa9af-9674-11e4-a242-3417eba71c52
     
     
    ==================== Memory info =========================== 
     
    Processor: Intel® Core™ i7-4790 CPU @ 3.60GHz
    Percentage of memory in use: 48%
    Total physical RAM: 8143.23 MB
    Available physical RAM: 4219.92 MB
    Total Pagefile: 16284.63 MB
    Available Pagefile: 11587.27 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.83 MB
     
    ==================== Drives ================================
     
    Drive c: (OS) (Fixed) (Total:907.25 GB) (Free:818.52 GB) NTFS
    Drive i: (WDO_MEDIA64) (Removable) (Total:14.89 GB) (Free:14.6 GB) FAT32
     
    ==================== MBR & Partition Table ==================
     
    ========================================================
    Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 0ADE5109)
    Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
    Partition 2: (Active) - (Size=24.2 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=907.3 GB) - (Type=07 NTFS)
     
    ========================================================
    Disk: 5 (MBR Code: Windows 7 or 8) (Size: 14.9 GB) (Disk ID: 00000000)
     
    Partition: GPT Partition Type.
     
    ==================== End Of Log ============================
  • IDTool log
  • Infection Detection Tool v1.6 - Nathan Scott
    --------------------------------------------
    Date/Time: 1/7/2015 1:50:30 PM
    Operating System: Windows 7
    Service Pack: Service Pack 1
    Version Number: 6.1
    Product Type: Workstation
    --------------------------------------------
    [Detected Flags]

  • 0

#5
LiquidTension

    Instructor

  • GeekU Moderator
  • 1,064 posts

Hi George, 
 
It looks as if you've been infected by CTB Locker (otherwise known as Critroni). Unfortunately, if this is indeed the case, brute forcing decryption of your encrypted files will not be possible.
 
To confirm - please try to locate a ransom note dropped by the infection, and copy/paste the contents in your next reply. You should find a file named DecryptAllFiles <user_id>.txt, where <user_id> is a random number associated with your machine.
 
------------------------------
 
We have a couple of other recovery options available that involve the Shadow Volume and recovery software. However, before we proceed I must issue the following warning. Please have a read and let me know what you think.
 
Attempting recovery of your files is something we can do, but you must let me know if you wish to clean the infections present, or start from scratch and reformat your hard drive. 
 

BACKDOOR WARNING
 
------------------------------
 
One or more of the identified infections is known to use a backdoor that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.
 
If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, Email, eBay, Paypal, online forums, etc).
 
Banking and credit card institutions should be notified of the possible security breach. Please read the following article for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
 
Whilst the identified infection(s) can be removed, there is no way to guarantee the trustworthiness of your computer unless you reformat your Hard Drive and reinstall your Operating System. This is due to the nature of the infection, which allows a remote attacker to make any number of modifications. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat/reinstall. Please read the following articles for more information.

You now have the choice between cleaning the infection(s) present or reformatting your computer. Ultimately, the decision is personal, and whatever you're most comfortable with. Have a read of the articles linked, then let me know how you wish to proceed, and if you have any questions.

  • 0

#6
[email protected]

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Hi Adam,

 

Thank you very much for your quick response! Please see the following information from the KEYHolder for your reference:

 

What happened to your files ?
 
All of your files were protected by a strong encryption with RSA-2048 using KEYHolder.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia...._(cryptosystem)
What does this mean ?
 
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.
How did this happen ?
 
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
 
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
If for some reasons the addresses are not available, follow these steps:
1.Download and install tor-browser: http://www.torprojec...browser.html.en
2.After a successful installation, run the browser and wait for initialization.
3.Type in the address bar: mwyigd4n52mkbyhe.onion/00000003-4332D27D
4.Follow the instructions on the site.
IMPORTANT INFORMATION:
Your personal identification number (if you open the site (or TOR 's) directly): 00000003-4332D27D
------- End of Info from KEYHolder -----------------------

  • 0

#7
[email protected]

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Adam,

 

We definitely want to clean the infections present, or start from scratch and reformat your hard drive. I ran Windows Defender Offline on the computer infected by the virus this morning. WDO found one severe threat and cleaned it. The deleted item is "Trojan:Win32/Powessere.Alreg" from WDO. I also had detailed information about the Trojan in the screenshots from WDO but I do not know how to send you the images.

 

We are also very interested in how to protect our systems from backdoor attacks and also in a total solution to protect our system. Would you like to give us any advice on the solution?

 

Thank you!

George


  • 0

#8
LiquidTension

    Instructor

  • GeekU Moderator
  • 1,064 posts

Hi George, 
 
What is the exact name of that file you copy/pasted?
Can you see any other files dropped by the infection (.txt, .bmp, .html, .gif, etc)? What are their names? 
 

We definitely want to clean the infections present, or start from scratch and reformat your hard drive.

We can do one or the other. You need to decide which option you wish to choose. 
Reformatting (or using your recovery partition to restore to factory image) will remove everything, thus guaranteeing complete removal of the malware. Manually cleaning the infections does not come with that guarantee. 


  • 0

#9
[email protected]

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Adam,

 

The file name I copy/pasted is 'how_decrypt.html'


  • 0

#10
LiquidTension

    Instructor

  • GeekU Moderator
  • 1,064 posts

Hello George, 

 

It looks as if you may have been infected by two different ransomware infections - KEYHolder and CTB Locker. 

 

Have you decided how you wish to proceed in regards to the malware on your computer? Do you wish to clean the machine or reformat?


  • 0

#11
[email protected]

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Adam,

 

I want to reformat the computer after I used MS Windows Defender to remove the virus.


  • 0

#12
LiquidTension

    Instructor

  • GeekU Moderator
  • 1,064 posts

Hi George, 
 
Windows Defender will be unable to remove the infections present on your machine. 
 
As you wish to start from scratch, let's see if we can recover your files now. Please bear in mind there are no guarantees. You may be lucky and have a successful result, but it's important to remember that you may be unsuccessful.
 
Keep your machine disconnected from the Internet whilst you do the following. 
 
You have three options to try. Please let me know how you get on, and whether you are successful or not. 
If you're successful, I will provide instructions on how to safely back up your files. If you're unsuccessful, I can help you with reformatting/using your recovery partition.
 
Previous Versions

  • Right-click the file/folder and click Properties.
  • Click Previous Versions.
  • This tab will list all copies of the file and the date they were backed up.
  • To restore a particular version of the file, click Copy and select the directory you wish to restore the file to.
  • If you wish to restore the selected file and replace the existing one, click Restore.
  • If you wish to view the contents of the file before restoring, click Open.
     

ShadowExplorer

  • Please download ShadowExplorer and save the file to your Desktop.
  • Right-Click ShadowExplorer-0.9-portable.zip and click Extract All. Select your Desktop and click Extract.
  • Right-Click ShadowExplorer.exe and select Run as administrator to run the programme.
  • You will see a drop-down menu with the shadow copies of all partitions and disks present.
  • Click C:\ from the drop-down menu.
  • To the right, pick a date prior to the infection from the drop-down menu.
  • To restore a whole folder, right-click on your desired folder and click Export. You will then be prompted as to where you would like to restore the contents of the folder to.
     

File Recovery Software
File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.


  • 0

#13
[email protected]

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Adam,

 

All the original files, such as *.doc, *.xls, *.ppt, *.txt, *.pdf, etc., were encrypted and given the suffix ".wymfrlk" as a new file name: *.doc.wymfrlk exists, and *.doc does not. We do not have backups of the original files. Those *.wymfrlk files were created at around 08:30 pm, Dec 24, 2014. I bet we have to decrypt those files encrypted by the ransomware.

 

When I go to *.doc.wymfrlk, right click on it, then Properties, Previous Versions, there are no previous versions available.

All the encrypted files are on a shared network drive. When I right-click ShadowExplorerPortable.exe and select Run as administrator, I do not know if it is really what you expected to see. Please take a look at the attached ShadowExplorerPortableScreenshot.jpg for your reference. The earliest date is Jan 9, 2015, later than the date when the encrypted files were created. I can only get to the C: drive and cannot go to the shared network drive.

 

I have not tried option 3, File Recovery Software.

 

Please advise if there is anything I can do.

 

Thanks!

George

Attached: ShadowExplorerPortable_Screenshot.jpg

 

 


  • 0

#14
LiquidTension

    Instructor

  • GeekU Moderator
  • 1,064 posts

Hi George, 
 

Those *.wymfrlk files were created at around 08:30 pm, Dec 24, 2014. I bet we have to decrypt those files encrypted by the ransomware.

Yes, CTB Locker appends a random 6-7 character extension to files it encrypts. 
Unfortunately, there is no way to decrypt these files unless you pay the ransom. 
 

I do not know if it is really what you expected to see.

I did not expect option 1 or 2 to work, but felt it was worth trying in any case. 
Many file encrypting ransomware infections delete Shadow Volume copies. So unfortunately, recovery of your files this way will not be possible. 
 

I have not tried option 3, File Recovery Software.

This is your last option I'm afraid.


  • 0
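As an added example, not part of the thread or of any tool named in it, a small Python triage script that applies the point made above about CTB Locker's random 6-7 character extension: it walks a folder (local or a mounted share, which ShadowExplorer could not reach here), lists files whose name is a document name with such a suffix appended (like the *.doc.wymfrlk files George describes), checks whether any originals survive beside their encrypted copy, and estimates when encryption began from the earliest modification time. The sample tree it builds is constructed, and the suffix-dominance threshold is an assumption.

```python
"""Inventory files that look like they were renamed by an extension-appending
ransomware (report.doc -> report.doc.wymfrlk). Added example, not the thread's
own tooling; assumes only that encrypted copies keep the original name plus a
random 6-7 letter extension."""
import os
import re
import tempfile
from collections import Counter
from datetime import datetime

# Document types named in the thread, plus their newer Office siblings.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".pdf"}

# <anything>.<document ext>.<6-7 letters>, e.g. budget.xls.wymfrlk
SUFFIXED = re.compile(r"^(?P<orig>.+\.(?P<doc>[A-Za-z0-9]+))\.(?P<suffix>[A-Za-z]{6,7})$")


def classify(name):
    """Return (original_name, suffix) when `name` looks like a document with a
    random extension appended, otherwise None."""
    m = SUFFIXED.match(name)
    if m is None or "." + m.group("doc").lower() not in DOC_EXTS:
        return None
    return m.group("orig"), m.group("suffix").lower()


def inventory(root):
    """Walk `root` and summarise matching files: the hits, originals that are
    still present beside their encrypted copy, a Counter of suffixes seen and
    the earliest modification time (an estimate of when encryption started)."""
    report = {"hits": [], "originals_present": [], "suffixes": Counter(), "earliest": None}
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            hit = classify(name)
            if hit is None:
                continue
            orig, suffix = hit
            path = os.path.join(dirpath, name)
            report["hits"].append(path)
            report["suffixes"][suffix] += 1
            if orig in present:
                report["originals_present"].append(os.path.join(dirpath, orig))
            mtime = os.path.getmtime(path)
            if report["earliest"] is None or mtime < report["earliest"]:
                report["earliest"] = mtime
    return report


def dominant_suffix(report, min_share=0.8):
    """Names such as notes.txt.backup also match the pattern, so one hit is
    weak evidence. A single suffix shared by most hits is the real signal:
    return it, or None if no suffix reaches `min_share` (assumed threshold)."""
    total = sum(report["suffixes"].values())
    if total == 0:
        return None
    suffix, count = report["suffixes"].most_common(1)[0]
    return suffix if count / total >= min_share else None


def build_sample():
    """Constructed sample tree (not real victim data): six documents renamed
    with the .wymfrlk suffix from the thread, one benign .backup file, one
    untouched document and one encrypted file whose original is still present."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    os.makedirs(os.path.join(root, "shared"))
    for rel in ["report.doc.wymfrlk", "budget.xls.wymfrlk", "letter.doc.wymfrlk",
                "shared/deck.ppt.wymfrlk", "shared/plan.docx.wymfrlk",
                "shared/manual.pdf.wymfrlk", "shared/manual.pdf",
                "notes.txt.backup", "readme.txt"]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    rep = inventory(build_sample())
    print(f"{len(rep['hits'])} suspected encrypted files")
    print("dominant suffix:", dominant_suffix(rep))
    print("originals still present:", rep["originals_present"])
    print("earliest mtime:", datetime.fromtimestamp(rep["earliest"]))
```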

#15
LiquidTension

    Instructor

  • GeekU Moderator
  • 1,064 posts

How are you getting on, George?


  • 0
