
buddyclm (Members, 11 posts)

Everything posted by buddyclm

  1. After this scan finished and removed the files it found, Excel opens correctly. The two extra screens no longer appear. (Attachment: eset.txt)
  2. Log file attached. After the tool ran, I rebooted and those 2 extra Excel screens are still open. (Attachment: Fixlog.txt)
  3. Please see the log in the previous post. I rebooted and opened Excel, and those 2 extra screens are still open along with the blank worksheet.
  4. Fix result of Farbar Recovery Scan Tool (x86) Version:24-08-2015
     Ran by chris (2015-08-27 09:44:30) Run:2
     Running from C:\Users\chris\Desktop
     Loaded Profiles: chris (Available Profiles: chris & Administrator & user)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html [2015-07-10] ()
     Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.txt [2015-07-10] ()
     HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
     HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
     C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html
     *****************

     C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html => moved successfully
     C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.txt => moved successfully
     "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
     "HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
     "C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html" => File/Folder not found.

     ==== End of Fixlog 09:44:30 ====
  5. Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:24-08-2015
     Ran by chris (administrator) on WORKSTATION1 (27-08-2015 08:33:18)
     Running from C:\Users\chris\Desktop
     Loaded Profiles: chris (Available Profiles: chris & Administrator & user)
     Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
     Internet Explorer Version 11 (Default browser: IE)
     Boot Mode: Normal
     Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

     ==================== Processes (Whitelisted) =================

     (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

     (Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe
     (Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe
     (Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe
     (Juniper Networks) C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
     (EMC Corporation) C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe
     (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
     (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
     (Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe
     (Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
     (Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
     (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
     (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
     (VMware, Inc.) C:\Windows\System32\vmnat.exe
     (Data Perceptions / PowerProgrammer) C:\Windows\System32\WebUpdateSvc4.exe
     (VMware, Inc.) C:\Windows\System32\vmnetdhcp.exe
     (VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
     (VMware, Inc.) C:\Program Files\VMware\VMware Player\vmware-authd.exe
     (Microsoft Corporation) C:\Windows\System32\vds.exe
     (EMC Corporation) C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebToolkitHost.exe
     (McAfee Inc.) C:\Program Files\McAfee\Raptor\Raptor.exe
     (Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\pptd40nt.exe
     (Hewlett-Packard Company) C:\Program Files\HP\HP UT\bin\hppusg.exe
     (Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe
     (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
     (Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
     (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
     (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
     (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
     (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
     (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

     ==================== Registry (Whitelisted) ===========================

     (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

     HKLM\...\Run: [QuickFinder Scheduler] => c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE [83232 2009-06-22] (Corel Corporation)
     HKLM\...\Run: [intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2771832 2012-12-07] (Intuit Inc. All rights reserved.)
     HKLM\...\Run: [iSUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.)
     HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [38888 2012-11-18] (Nuance Communications, Inc.)
     HKLM\...\Run: [indexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [51176 2012-11-18] (Nuance Communications, Inc.)
     HKLM\...\Run: [PPort14reminder] => C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe [333672 2012-01-03] (Nuance Communications, Inc.)
     HKLM\...\Run: [HPUsageTracking] => C:\Program Files\HP\HP UT\bin\hppusg.exe [30264 2009-10-06] (Hewlett-Packard Company)
     HKLM\...\Run: [APSDaemon] => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
     HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
     HKLM\...\Run: [backupStatusIcon] => C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe [210944 2015-05-22] (Online Backup Solution)
     HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
     HKLM\...\RunOnce: [Raptor] => C:\Program Files\McAfee\Raptor\Raptor.exe [1619824 2015-07-15] (McAfee Inc.)
     HKU\S-1-5-18\...\RunOnce: [sPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-06-23] (Microsoft Corporation)
     Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html [2015-07-10] ()
     Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.txt [2015-07-10] ()
     Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Event Reminder.lnk [2014-01-10]
     ShortcutTarget: Event Reminder.lnk -> C:\Program Files\PrintMaster Platinum 18\Remind.exe (Broderbund Properties LLC)
     Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2013-11-26]
     ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

     ==================== Internet (Whitelisted) ====================

     (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

     HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
     HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
     HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
     HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
     HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
     HKU\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
     HKU\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.att.yahoo.com/
     BHO: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2011-06-30] (Zeon Corporation)
     BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-29] (Oracle Corporation)
     BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-29] (Oracle Corporation)
     DPF: {037790A6-1576-11D6-903D-00105AABADD3} hxxps://navigator.ecorpnet.com/Member/bz052/sglw2hcm.ocx
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
     DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} hxxp://server1/aspnet_client/system_web/2_0_50727/crystalreportviewers12/ActiveXControls/PrintControl.cab
     DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} hxxp://192.168.0.150/WebClient.cab
     DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://stericycle.webex.com/client/WBXclient-T28L10NSP12EP20-10001/webex/ieatgpc1.cab
     DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://qies-west.cms.gov/dana-cached/sc/JuniperSetupClient.cab
     Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll [2013-02-01] (Intuit, Inc.)
     Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2010-11-04] (Microsoft Corporation)
     Tcpip\Parameters: [DhcpNameServer] 192.168.0.10
     Tcpip\..\Interfaces\{733E64BC-C0B0-44A5-A1F9-C8C52DDF48EA}: [DhcpNameServer] 192.168.0.10

     FireFox:
     ========
     FF ProfilePath: C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default
     FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-13] ()
     FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-29] (Oracle Corporation)
     FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-29] (Oracle Corporation)
     FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll [2012-03-29] ( Microsoft Corporation)
     FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
     FF Plugin: ZEON/PDF,version=2.0 -> C:\Program Files\Nuance\PDF Viewer Plus\bin\nppdf.dll [2011-07-15] (Zeon Corporation)
     FF Plugin HKU\S-1-5-21-712691609-890981738-2795466230-1107: @citrixonline.com/appdetectorplugin -> C:\Users\chris\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-02-05] (Citrix Online)
     FF Extension: Bidi Spooler APIs - C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default\Extensions\{2A51A223-F244-36E3-AD0D-FC0F70C42C0F} [2014-04-03]

     ==================== Services (Whitelisted) ========================

     (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

     R2 BackupAgent; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe [47616 2015-05-22] (Online Backup Solution) [File not signed]
     R2 BackupExtender; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe [51712 2015-05-22] (Online Backup Solution) [File not signed]
     R2 BackupUpdater; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe [51712 2015-05-22] (Online Backup Solution) [File not signed]
     R2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [688240 2014-04-10] (Juniper Networks)
     R2 Emc.Captiva.WebCaptureService; C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe [39936 2012-04-04] (EMC Corporation) [File not signed]
     S4 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2009-08-20] (Hewlett-Packard Company) [File not signed]
     S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
     R2 msftesql$WASPDBEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [95592 2007-06-22] (Microsoft Corporation)
     R2 MSSQL$WASPDBEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29263712 2008-11-24] (Microsoft Corporation)
     S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45408 2008-11-24] (Microsoft Corporation)
     R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-01-18] (Hewlett-Packard) [File not signed]
     R2 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [220048 2012-11-18] (Nuance Communications, Inc.)
     R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-01-18] (Hewlett-Packard) [File not signed]
     R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-02-01] (Intuit) [File not signed]
     S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]
     R2 VMAuthdService; C:\Program Files\VMware\VMware Player\vmware-authd.exe [87120 2013-02-26] (VMware, Inc.)
     R2 VMnetDHCP; C:\Windows\system32\vmnetdhcp.exe [357456 2013-02-26] (VMware, Inc.)
     R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [721048 2012-10-11] (VMware, Inc.)
     R2 VMware NAT Service; C:\Windows\system32\vmnat.exe [436304 2013-02-26] (VMware, Inc.)
     R2 WebUpdate4; C:\Windows\system32\WebUpdateSvc4.exe [412776 2013-11-25] (Data Perceptions / PowerProgrammer)
     R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

     ===================== Drivers (Whitelisted) ==========================

     (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

     R3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [27648 2013-07-24] (Juniper Networks)
     R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [41496 2012-10-11] (VMware, Inc.)
     R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
     S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
     S4 RxFilter; C:\Windows\System32\DRIVERS\RxFilter.sys [57328 2008-02-26] (Sonic Solutions)
     R3 TSUSB2; C:\Windows\System32\DRIVERS\TSUSB2.sys [54016 2007-01-19] (HTL)
     S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2014-06-10] (Apple, Inc.) [File not signed]
     R1 VHDTrack; C:\Windows\System32\DRIVERS\VHDTrack.sys [125840 2015-05-22] (AI Consulting)
     R3 vmkbd; C:\Windows\system32\drivers\VMkbd.sys [26064 2013-02-26] (VMware, Inc.)
     R3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [16664 2013-02-26] (VMware, Inc.)
     R2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [37016 2013-02-26] (VMware, Inc.)
     R2 VMnetuserif; C:\Windows\system32\drivers\vmnetuserif.sys [26192 2013-02-26] (VMware, Inc.)
     R2 VMparport; C:\Windows\system32\Drivers\VMparport.sys [24272 2013-02-26] (VMware, Inc.)
     S3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2012-10-11] (VMware, Inc.)
     R2 vmx86; C:\Windows\system32\Drivers\vmx86.sys [62416 2013-02-26] (VMware, Inc.)
     R0 vsock; C:\Windows\System32\drivers\vsock.sys [61464 2012-10-24] (VMware, Inc.)
     S3 catchme; \??\C:\Users\chris\AppData\Local\Temp\catchme.sys [X]
     S3 eapihdrv; \??\C:\Users\chris\AppData\Local\Temp\ehdrv.sys [X]

     ==================== NetSvcs (Whitelisted) ===================

     (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

     ==================== One Month Created files and folders ========

     (If an entry is included in the fixlist, the file/folder will be moved.)

     2015-08-27 08:31 - 2015-08-27 08:33 - 00014633 _____ C:\Users\chris\Desktop\FRST.txt
     2015-08-26 16:08 - 2015-08-26 16:08 - 00011392 _____ C:\ComboFix.txt
     2015-08-26 16:02 - 2015-08-27 08:33 - 00000000 ____D C:\Users\chris\Desktop\txt files
     2015-08-26 16:00 - 2015-08-26 16:01 - 00000000 ____D C:\32788R22FWJFW
     2015-08-26 13:56 - 2015-08-26 13:56 - 00001052 _____ C:\mbam.txt
     2015-08-26 13:33 - 2015-08-26 12:34 - 01798560 _____ (Malwarebytes Corporation) C:\Users\chris\Desktop\JRT.exe
     2015-08-26 13:15 - 2015-08-26 13:15 - 00000000 ____D C:\AdwCleaner
     2015-08-26 13:11 - 2015-08-26 13:13 - 01605632 _____ C:\Users\chris\Desktop\AdwCleaner.exe
     2015-08-26 13:03 - 2015-08-26 13:03 - 00781312 _____ C:\Users\chris\Desktop\delfix_1.011.exe
     2015-08-26 13:03 - 2015-08-26 13:03 - 00000265 _____ C:\DelFix.txt
     2015-08-26 13:03 - 2015-08-26 13:03 - 00000000 ____D C:\Windows\ERUNT
     2015-08-26 09:35 - 2015-08-26 09:39 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
     2015-08-26 09:35 - 2015-08-26 09:38 - 00000000 ____D C:\ProgramData\RogueKiller
     2015-08-26 09:34 - 2015-08-26 09:35 - 18772040 _____ C:\Users\chris\Desktop\RogueKiller.exe
     2015-08-25 10:27 - 2015-08-27 08:33 - 00000000 ____D C:\FRST
     2015-08-25 10:27 - 2015-08-25 10:27 - 01690112 _____ (Farbar) C:\Users\chris\Desktop\FRST.exe
     2015-08-24 16:05 - 2015-08-26 14:00 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
     2015-08-24 16:04 - 2015-08-24 16:04 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
     2015-08-24 16:04 - 2015-08-24 16:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
     2015-08-24 16:04 - 2015-06-18 08:41 - 00094936 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
     2015-08-24 16:04 - 2015-06-18 08:41 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
     2015-08-24 16:04 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
     2015-08-24 13:44 - 2015-08-24 14:10 - 00012805 _____ C:\Users\chris\Desktop\2015 bims scores.xlsx
     2015-08-24 08:45 - 2015-08-24 08:45 - 00000881 _____ C:\Users\chris\Desktop\JTAW32.EXE.lnk
     2015-08-18 16:03 - 2015-08-18 16:04 - 00014359 _____ C:\Users\chris\Desktop\mm fair coupon.wpd
     2015-08-14 14:03 - 2015-08-14 13:57 - 00171067 _____ C:\Users\chris\Desktop\201508141357_FC01_91.zip
     2015-07-29 14:16 - 2015-07-29 14:16 - 00006636 _____ C:\Users\chris\Documents\personell policy.wpd

     ==================== One Month Modified files and folders ========

     (If an entry is included in the fixlist, the file/folder will be moved.)

     2015-08-27 08:27 - 2009-07-13 23:34 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2015-08-27 08:27 - 2009-07-13 23:34 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2015-08-27 08:25 - 2013-11-26 15:36 - 00910090 _____ C:\Windows\system32\PerfStringBackup.INI
     2015-08-27 08:23 - 2013-11-26 15:33 - 01049256 _____ C:\Windows\WindowsUpdate.log
     2015-08-27 08:21 - 2013-11-26 15:35 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl
     2015-08-27 08:20 - 2014-04-22 13:57 - 00000000 ____D C:\ProgramData\VMware
     2015-08-27 08:20 - 2013-11-26 16:25 - 00014710 _____ C:\Windows\PFRO.log
     2015-08-27 08:20 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
     2015-08-27 08:20 - 2009-07-13 23:39 - 00059445 _____ C:\Windows\setupact.log
     2015-08-26 16:08 - 2015-07-11 22:10 - 00000000 ____D C:\Qoobox
     2015-08-26 16:06 - 2009-07-13 21:04 - 00000215 _____ C:\Windows\system.ini
     2015-08-26 16:00 - 2015-07-12 14:10 - 05635162 ____R (Swearware) C:\Users\chris\Desktop\ComboFix.exe
     2015-08-26 15:49 - 2014-04-23 14:48 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
     2015-08-26 15:35 - 2015-06-04 10:30 - 00000610 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job
     2015-08-26 15:34 - 2015-02-05 13:49 - 00000514 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job
     2015-08-26 12:48 - 2015-03-02 13:52 - 00000000 ____D C:\ProgramData\Roxio
     2015-08-25 12:39 - 2015-07-06 09:52 - 00000000 ____D C:\ProgramData\BlueZone
     2015-08-25 12:18 - 2013-11-26 18:17 - 00000848 ___SH C:\ProgramData\KGyGaAvL.sys
     2015-08-25 12:18 - 2009-07-13 23:52 - 00000000 ____D C:\Windows\system32\FxsTmp
     2015-08-25 08:29 - 2009-07-13 23:53 - 00032594 _____ C:\Windows\Tasks\SCHEDLGU.TXT
     2015-08-24 16:04 - 2015-07-11 23:12 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
     2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXOB.FOR
     2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXOA.FOR
     2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXMR.FOR
     2015-08-24 09:37 - 2013-11-26 18:22 - 00002032 ____H C:\Users\chris\Documents\Default.rdp
     2015-08-24 08:39 - 2014-06-16 12:18 - 00000000 ____D C:\Users\chris\Desktop\move
     2015-08-18 15:57 - 2013-11-26 18:17 - 00000000 ____D C:\Users\chris\Documents\Corel User Files
     2015-08-13 09:49 - 2013-12-05 16:47 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
     2015-08-13 09:49 - 2013-12-05 16:47 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

     ==================== Files in the root of some directories =======

     2014-02-06 13:16 - 2014-02-06 13:16 - 0000218 _____ () C:\Users\chris\AppData\Roaming\default.rss
     2014-12-24 14:17 - 2014-12-24 14:17 - 0000000 _____ () C:\Users\chris\AppData\Local\rx_image32.Cache
     2014-01-02 12:09 - 2014-01-02 14:05 - 0004180 _____ () C:\ProgramData\hpzinstall.log
     2013-11-26 18:17 - 2015-08-25 12:18 - 0000848 ___SH () C:\ProgramData\KGyGaAvL.sys

     ==================== Bamital & volsnap =================

     (There is no automatic fix for files that do not pass verification.)

     C:\Windows\explorer.exe => File is digitally signed
     C:\Windows\system32\winlogon.exe => File is digitally signed
     C:\Windows\system32\wininit.exe => File is digitally signed
     C:\Windows\system32\svchost.exe => File is digitally signed
     C:\Windows\system32\services.exe => File is digitally signed
     C:\Windows\system32\User32.dll => File is digitally signed
     C:\Windows\system32\userinit.exe => File is digitally signed
     C:\Windows\system32\rpcss.dll => File is digitally signed
     C:\Windows\system32\dnsapi.dll => File is digitally signed
     C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

     LastRegBack: 2015-08-24 10:43

     ==================== End of FRST.txt ============================

     Additional scan result of Farbar Recovery Scan Tool (x86) Version:24-08-2015
     Ran by chris (2015-08-27 08:33:32)
     Running from C:\Users\chris\Desktop
     Boot Mode: Normal
     ==========================================================

     ==================== Accounts: =============================

     Administrator (S-1-5-21-777155561-1165665369-343804298-500 - Administrator - Disabled)
     ASPNET (S-1-5-21-777155561-1165665369-343804298-1008 - Limited - Enabled)
     Guest (S-1-5-21-777155561-1165665369-343804298-501 - Limited - Disabled)
     user (S-1-5-21-777155561-1165665369-343804298-1001 - Administrator - Enabled) => C:\Users\user

     ==================== Security Center ========================

     (If an entry is included in the fixlist, it will be removed.)

     AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

     ==================== Installed Programs ======================

     (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

     32 Bit HP CIO Components Installer (Version: 7.1.4 - Hewlett-Packard) Hidden
     Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.232 - Adobe Systems Incorporated)
     Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.232 - Adobe Systems Incorporated)
     Adobe Reader XI (11.0.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
     Advertising Center (Version: 0.0.0.1 - Nero AG) Hidden
     Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
     Citrix Online Launcher (HKLM\...\{1EFF9E6C-76E1-43F9-81FB-BC8C037B0902}) (Version: 1.0.258 - Citrix)
     Corel WordPerfect Office - iFilter (HKLM\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.00.000 - Corel Corporation)
     Crystal Reports Basic Runtime for Visual Studio 2008 (HKLM\...\{CE26F10F-C80F-4377-908B-1B7882AE2CE3}) (Version: 10.5.0.0 - Business Objects)
     CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
     DolbyFiles (Version: 0.1 - Nero AG) Hidden
     ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version: - )
     FIS DCC Driver Package 2011 (HKLM\...\FIS DCC Driver Package 2011) (Version: 2014.1.0.0 - FIS)
     Fujitsu NetCOBOL Free Run-time (HKLM\...\InstallShield_{F84C7212-9DC4-4963-A564-73C2EFA18935}) (Version: 10.1.0000.0000 - FUJITSU LIMITED)
     Fujitsu NetCOBOL Free Run-time (Version: 10.1.0000.0000 - FUJITSU LIMITED) Hidden
     GoToMeeting 7.2.4.3215 (HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\GoToMeeting) (Version: 7.2.4.3215 - CitrixOnline)
     HP Customer Participation Program 10.0 (HKLM\...\HPExtendedCapabilities) (Version: 10.0 - HP)
     HP Easy Scan (HKLM\...\{0007FD40-3ED2-4FDC-B45B-0C3A1C1A8C17}) (Version: 1.0.7.0 - Hewlett-Packard Company)
     HP LaserJet P2050 Series 6.0 (HKLM\...\{6F801026-6AF0-4520-9153-4C9B4CAAB361}) (Version: 6.0 - HP)
     HP Scanjet 3000 s2 ISIS Driver (HKLM\...\{20D6301E-0A14-4238-841D-45ECA567DB69}) (Version: 1.0.2597 - EMC Corporation)
     HP Scanjet Pro 3000 s2 (HKLM\...\{1868D30B-72C7-41E8-9657-69C5DFE1C768}) (Version: 1.00.0000 - HP)
     hppFonts (Version: 001.001.00061 - Hewlett-Packard) Hidden
     hppQFolderP2050 (Version: 1.00.0000 - Hewlett-Packard) Hidden
     hppusgP2050 (Version: 1.1.0.1 - Hewlett-Packard) Hidden
     ImagXpress (Version: 7.0.74.0 - Nero AG) Hidden
     InventoryControl (HKLM\...\{97C0445D-E7B6-4320-A541-50A5AB345422}) (Version: 5 - Wasp Technologies)
     Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
     Juniper Networks Network Connect 7.4.0 (HKLM\...\Juniper Network Connect 7.4.0) (Version: 7.4.0.30667 - Juniper Networks)
     Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\Juniper_Setup_Client) (Version: 7.4.9.45013 - Juniper Networks, Inc.)
     Labeler (HKLM\...\{78DA4EC4-8E94-45D4-B047-027B662EC6A6}) (Version: 6.0 - Wasp Technologies)
     LightScribe System Software (HKLM\...\{CC8E94A2-55C7-4460-953C-2A790180578C}) (Version: 1.18.8.1 - LightScribe)
     Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
     MarketResearch (Version: 100.0.170.000 - Hewlett-Packard) Hidden
     MCRIF32 - SNF (HKLM\...\{79EEAD1F-AD83-4F0C-A783-CD77C0BC1F2A}) (Version: 5.14.153.0 - Health Financial Systems)
     Menu Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden
     Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
     Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
     Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
     Microsoft Office 2007 Primary Interop Assemblies (HKLM\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
     Microsoft Office Small Business 2007 (HKLM\...\SMALLBUSINESSR) (Version: 12.0.4518.1014 - Microsoft Corporation)
     Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.1.10329.0 - Microsoft Corporation)
     Microsoft SQL Server 2005 (HKLM\...\Microsoft SQL Server 2005) (Version: - Microsoft Corporation)
     Microsoft SQL Server Management Studio Express (HKLM\...\{F43867C9-68FD-46C7-B0AF-214356305B5E}) (Version: 9.00.4035.00 - Microsoft Corporation)
     Microsoft SQL Server Native Client (HKLM\...\{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}) (Version: 9.00.4035.00 - Microsoft Corporation)
     Microsoft SQL Server Setup Support Files (English) (HKLM\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.4035.00 - Microsoft Corporation)
     Microsoft SQL Server VSS Writer (HKLM\...\{56B4002F-671C-49F4-984C-C760FE3806B5}) (Version: 9.00.4035.00 - Microsoft Corporation)
     Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4048 (HKLM\...\{5B1F2843-B379-3FF2-B0D3-64DD143ED53A}) (Version: 9.0.30729.4048 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
     Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
     Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version: - Microsoft Corporation)
     Microsoft Web Publishing Wizard 1.52 (HKLM\...\WebPost) (Version: - )
     MM Backup (HKLM\...\{34A6764B-D838-4E93-A6C0-9D67BE564691}) (Version: 5.5.4 - M & M Computer Solutions, LLC)
     Movie Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden
     Mozilla Firefox 31.0 (x86 en-US) (HKLM\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)
     Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
     MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
     MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
     MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
     Nero 9 Essentials (HKLM\...\{1008cf13-3650-46d1-8ed6-31c0945215f6}) (Version: - Nero AG)
     Nuance PaperPort 14 (HKLM\...\{2C92D969-468E-4711-8CCA-01AD9C7EB4E7}) (Version: 14.2.0000 - Nuance Communications, Inc.)
     Nuance PDF Viewer Plus (HKLM\...\{FC984E39-43D0-4AB2-ACC7-A7B87977B009}) (Version: 7.20.3274 - Nuance Communications, Inc.)
     PaperPort Image Printer (HKLM\...\{6EF2FDAB-7FBF-4AB9-92CD-594BDDB6A56B}) (Version: 14.00.0000 - Nuance Communications, Inc.)
     PrintMaster Platinum 18 (HKLM\...\{EBD9A954-6C1A-4E9F-A098-C98653035381}) (Version: 18.00.0000 - Broderbund Software)
     QuickBooks (Version: 20.0.4017.807 - Intuit Inc.) Hidden
     QuickBooks Pro 2010 (HKLM\...\{0700E22B-A422-40A5-BD20-04BF618CA0F9}) (Version: 20.0.4017.807 - Intuit Inc.)
     QuickTime (HKLM\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
     Readiris Pro 14 (HKLM\...\{C34A50FC-2B95-4E69-809C-96310E9D7852}) (Version: 14.00.2719 - I.R.I.S.)
     Roxio Creator LE 10 (HKLM\...\{537BF16E-7412-448C-95D8-846E85A1D817}) (Version: 10.1 - Roxio)
     Scansoft PDF Professional (Version: - ) Hidden
     Software Update Wizard (Redist) 4.5 (HKLM\...\Software Update Wizard (Redist)) (Version: 4.5 - PowerProgrammer)
     TellerScan 32-bit and 64-bit Combined Driver v4.2 (HKLM\...\{95D2D2E3-2FC4-4245-8DC2-C6202BE704CB}) (Version: 4.02.0000 - Precision Software Technologies, Inc.)
     UB-04 ICD10 (HKLM\...\{2D0C2A6F-CD38-47C8-8C73-5586A8C73804}) (Version: 1.0.1.90 - SpeedySoft USA)
     Visual Foxpro 6.0 Runtime version 6.00 (HKLM\...\{6016312C-6BA3-4AEA-B73D-8FC405508E8D}_is1) (Version: 6.00 - )
     VMware Player (HKLM\...\VMware_Player) (Version: 5.0.2 - VMware, Inc)
     VMware Player (Version: 5.0.2 - VMware, Inc.) Hidden
     WebReg (Version: 100.0.170.000 - Hewlett-Packard) Hidden
     WordPerfect Office X4 - Common (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - Content (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - EN (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - Filters (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - Graphics (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - ICA (Version: 14.1 - Corel Corporation) Hidden
     WordPerfect Office X4 - IPM (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - IPM EN (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - Migration Manager (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - PerfectExperts (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - PR (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - QP (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - Skins (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 - System (Version: 14.1 - Corel Corporation) Hidden
     WordPerfect Office X4 - WP (Version: 14.2 - Corel Corporation) Hidden
     WordPerfect Office X4 (HKLM\...\_{DCDAB2ED-5741-4C30-A1A4-0FCB8A529001}) (Version: -
Corel Corporation) WordPerfect Office X4 (Version: 14.2 - Corel Corporation) Hidden ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) 
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) 
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{810CADD9-2658-4820-BA95-30199625191E}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\2185\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) 
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) 
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.) 
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.) CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.) 
==================== Restore Points ========================= 29-07-2015 11:51:06 Scheduled Checkpoint 10-08-2015 10:38:00 Scheduled Checkpoint 18-08-2015 09:18:55 Scheduled Checkpoint 25-08-2015 11:14:36 Scheduled Checkpoint 26-08-2015 13:06:27 Restore Point Created by FRST 26-08-2015 13:33:58 JRT Pre-Junkware Removal ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-13 21:04 - 2015-08-14 14:04 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 localhost ==================== Scheduled Tasks (Whitelisted) ============= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) Task: {25A01E62-3698-47F8-B578-400F1F9A0D9A} - System32\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107 => C:\Program Files\Citrix\GoToMeeting\3215\g2mupload.exe [2015-08-14] (Citrix Online, a division of Citrix Systems, Inc.) Task: {33B991F4-BED6-416D-9DCC-41B44CDC4E80} - System32\Tasks\{5EF5189C-3E71-4B71-B665-40BC9FDEFD6A} => pcalua.exe -a D:\Setup.exe -d D:\ Task: {6E6FC9A2-11DD-4899-A5A3-1E18FD44FBE6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-08-13] (Adobe Systems Incorporated) Task: {996FA9DF-2204-485B-8A3B-3B6CFE1DFDDD} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated) Task: {C1FDB8BF-262E-4E40-864C-5A2EDDED79F8} - System32\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107 => C:\Program Files\Citrix\GoToMeeting\3215\g2mupdate.exe [2015-08-14] (Citrix Online, a division of Citrix Systems, Inc.) (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job => C:\Program Files\Citrix\GoToMeeting\3215\g2mupdate.exe Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job => C:\Program Files\Citrix\GoToMeeting\3215\g2mupload.exe ==================== Loaded Modules (Whitelisted) ============== 2015-05-22 11:15 - 2015-05-22 11:15 - 00016896 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vds.Common.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 00124928 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\VDS.Platform.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 01711616 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vim25Service.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 03685456 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\gvmomi.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 01229904 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libxml2.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 00329808 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libcurl.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 00318032 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libldap_r.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 00144976 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\liblber.dll 2012-04-04 20:54 - 2012-04-04 20:54 - 00015360 _____ () C:\Program Files\EMC Captiva\Captiva Cloud Runtime\SSLSupport.dll 2013-02-26 02:28 - 2013-02-26 02:28 - 01260624 _____ () C:\Program Files\VMware\VMware Player\libxml2.dll 2006-10-26 21:30 - 2006-10-26 21:30 - 00065312 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll 2006-10-27 15:35 - 2006-10-27 15:35 - 00436512 _____ () C:\Program Files\Microsoft 
Office\Office12\ADDINS\UmOutlookAddin.dll 2006-10-26 13:56 - 2006-10-26 13:56 - 00757008 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL ==================== Alternate Data Streams (Whitelisted) ========= (If an entry is included in the fixlist, only the ADS will be removed.) ==================== Safe Mode (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.) ==================== EXE Association (Whitelisted) =============== (If an entry is included in the fixlist, the registry item will be restored to default or removed.) ==================== Internet Explorer trusted/restricted =============== (If an entry is included in the fixlist, it will be removed from the registry.) IE trusted site: HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\ecorpnet.com -> hxxps://navigator.ecorpnet.com IE trusted site: HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\server1 -> hxxp://server1 ==================== Other Areas ============================ (Currently there is no automatic fix for this section.) HKU\S-1-5-21-712691609-890981738-2795466230-1107\Control Panel\Desktop\\Wallpaper -> C:\Users\chris\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg DNS Servers: 192.168.0.10 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0) Windows Firewall is disabled. ==================== MSCONFIG/TASK MANAGER disabled items == (Currently there is no automatic fix for this section.) 
MSCONFIG\Services: AdobeARMservice => 2 MSCONFIG\Services: LightScribeService => 2 MSCONFIG\Services: Nero BackItUp Scheduler 4.0 => 2 MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" MSCONFIG\startupreg: LightScribe Control Panel => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden MSCONFIG\startupreg: PDFProHook => "C:\Program Files\Nuance\PDF Viewer Plus\pdfpro7hook.exe" ==================== FirewallRules (Whitelisted) =============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe FirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe FirewallRules: [{8DF9BE9A-F03A-4B49-A92B-4CE446187EB4}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe FirewallRules: [{6EDDD859-D085-4685-87AD-0947A111A474}] => (Allow) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe FirewallRules: [{EE4DDED9-EBCA-45C3-B1C1-B4EDF29DA501}] => (Allow) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe FirewallRules: [{970A4628-B556-44E3-800E-9B552E22A0EC}] => (Allow) LPort=6160 FirewallRules: [{CB1FC5CF-6B22-40F2-8B6E-4475D3E7AC77}] => (Allow) C:\Program Files\Wasp Technologies\InventoryControl\InventoryControl.exe FirewallRules: [{13946AFF-2682-4264-A80A-8223D67B6310}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupMonitor.exe FirewallRules: [{635F315A-F94E-4523-B825-FE6F33AFAD85}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe FirewallRules: [{43EEB0EB-7F12-4784-B56C-955422B0F0B4}] => (Allow) C:\Program Files\VMware\VMware Player\vmware-authd.exe FirewallRules: [{FAB54C15-84EC-4ABF-AB1A-F9F7ABC6C55B}] => (Allow) C:\Program Files\VMware\VMware Player\vmware-authd.exe FirewallRules: 
[{71F50830-FA10-4D91-9C41-69D5E172859A}] => (Allow) C:\Program Files\Artisteer 4\bin\Artisteer.exe FirewallRules: [{05FE104F-C24D-45B8-881A-66FFC781E2DC}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe FirewallRules: [{29E25875-15B7-42F7-A7C6-F7EF091FC596}] => (Allow) LPort=8877 FirewallRules: [{0357C77A-FBF0-4FEC-B282-B124C9A5E834}] => (Allow) LPort=8878 ==================== Faulty Device Manager Devices ============= ==================== Event log errors: ========================= Application errors: ================== Error: (08/27/2015 08:20:53 AM) (Source: BackupAgent) (EventID: 0) (User: ) Description: Access to remote file failed with status code NameResolutionFailure. Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD Error: (08/26/2015 02:56:34 PM) (Source: QuickBooks) (EventID: 4) (User: ) Description: An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance Handle Error: (08/26/2015 02:56:34 PM) (Source: QuickBooks) (EventID: 4) (User: ) Description: An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance Handle Error: (08/26/2015 02:56:34 PM) (Source: QuickBooks) (EventID: 4) (User: ) Description: An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance Handle Error: (08/26/2015 01:09:33 PM) (Source: BackupAgent) (EventID: 0) (User: ) Description: Access to remote file failed with status code NameResolutionFailure. Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD Error: (08/26/2015 01:06:26 PM) (Source: VSS) (EventID: 8194) (User: ) Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often caused by incorrect security settings in either the writer or requestor process. 
Operation: Gathering Writer Data Context: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220} Writer Name: System Writer Writer Instance ID: {02a3a31d-f266-4ed5-9a00-0bdef541d0a4} Error: (08/26/2015 12:00:28 PM) (Source: VSS) (EventID: 8194) (User: ) Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often caused by incorrect security settings in either the writer or requestor process. Operation: Gathering Writer Data Context: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220} Writer Name: System Writer Writer Instance ID: {02a3a31d-f266-4ed5-9a00-0bdef541d0a4} Error: (08/26/2015 12:00:18 PM) (Source: VSS) (EventID: 8194) (User: ) Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often caused by incorrect security settings in either the writer or requestor process. Operation: Gathering Writer Data Context: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220} Writer Name: System Writer Writer Instance ID: {02a3a31d-f266-4ed5-9a00-0bdef541d0a4} Error: (08/26/2015 10:24:52 AM) (Source: SideBySide) (EventID: 33) (User: ) Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis. Error: (08/26/2015 08:45:24 AM) (Source: BackupAgent) (EventID: 0) (User: ) Description: Access to remote file failed with status code NameResolutionFailure. 
Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD System errors: ============= Error: (08/27/2015 08:20:36 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY) Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller). Error: (08/27/2015 08:20:34 AM) (Source: NETLOGON) (EventID: 5719) (User: ) Description: This computer was not able to set up a secure session with a domain controller in domain GLENHAVEN due to the following: %%1311 This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain. Error: (08/26/2015 04:06:54 PM) (Source: Service Control Manager) (EventID: 7030) (User: ) Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. Error: (08/26/2015 04:04:34 PM) (Source: Service Control Manager) (EventID: 7030) (User: ) Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly. Error: (08/26/2015 04:02:13 PM) (Source: Service Control Manager) (EventID: 7030) (User: ) Description: The PEVSystemStart service is marked as an interactive service. 
However, the system is configured to not allow interactive services. This service may not function properly. Error: (08/26/2015 01:34:22 PM) (Source: Service Control Manager) (EventID: 7031) (User: ) Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service. Error: (08/26/2015 01:34:22 PM) (Source: Service Control Manager) (EventID: 7031) (User: ) Description: The Virtual Disk service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. Error: (08/26/2015 01:34:22 PM) (Source: Service Control Manager) (EventID: 7031) (User: ) Description: The VMware USB Arbitration Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service. Error: (08/26/2015 01:34:22 PM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: The VMware DHCP Service service terminated unexpectedly. It has done this 1 time(s). Error: (08/26/2015 01:34:21 PM) (Source: Service Control Manager) (EventID: 7034) (User: ) Description: The VMware Authorization Service service terminated unexpectedly. It has done this 1 time(s). 
Microsoft Office: ========================= ==================== Memory info =========================== Processor: Intel® Core2 Duo CPU E8400 @ 3.00GHz Percentage of memory in use: 47% Total physical RAM: 3033.82 MB Available physical RAM: 1597.5 MB Total Virtual: 7032.11 MB Available Virtual: 5325.46 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:297.99 GB) (Free:245.58 GB) NTFS Drive f: (apps) (Network) (Total:488.28 GB) (Free:391.48 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 3136FBFA) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS) ==================== End of FRST.txt ============================
  6. No, those 2 screens still pop up when I open Excel or Excel files.
  7. ComboFix 15-08-24.01 - chris 08/26/2015 16:02:19.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3034.1677 [GMT -5:00]
Running from: c:\users\chris\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2015-07-26 to 2015-08-26 )))))))))))))))))))))))))))))))
.
.
2015-08-26 21:06 . 2015-08-26 21:06 -------- d-----w- c:\users\user\AppData\Local\temp
2015-08-26 21:06 . 2015-08-26 21:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2015-08-26 21:06 . 2015-08-26 21:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-08-26 21:06 . 2015-08-26 21:06 -------- d-----w- c:\users\administrator\AppData\Local\temp
2015-08-26 21:00 . 2015-08-26 21:01 -------- d-----w- C:\32788R22FWJFW
2015-08-26 18:15 . 2015-08-26 18:15 -------- d-----w- C:\AdwCleaner
2015-08-26 18:03 . 2015-08-26 18:03 -------- d-----w- c:\windows\ERUNT
2015-08-26 14:35 . 2015-08-26 14:39 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-08-26 14:35 . 2015-08-26 14:38 -------- d-----w- c:\programdata\RogueKiller
2015-08-25 15:27 . 2015-08-26 18:09 -------- d-----w- C:\FRST
2015-08-24 21:05 . 2015-08-26 19:00 98520 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-08-24 21:04 . 2015-06-18 13:41 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-08-24 21:04 . 2015-06-18 13:41 94936 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-08-24 21:04 . 2015-06-18 13:41 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-08-25 17:18 . 2013-11-26 23:17 848 --sha-w- c:\programdata\KGyGaAvL.sys
2015-08-24 17:29 . 2014-10-23 17:36 1409 ----a-w- c:\windows\system32\BCFXOB.FOR
2015-08-24 17:29 . 2014-10-23 17:36 1409 ----a-w- c:\windows\system32\BCFXOA.FOR
2015-08-24 17:29 . 2014-10-23 17:36 1409 ----a-w- c:\windows\system32\BCFXMR.FOR
2015-08-13 14:49 . 2013-12-05 21:47 778440 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-08-13 14:49 . 2013-12-05 21:47 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-05-29 14:15 . 2015-01-30 22:11 96352 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupStatusIcon"="c:\program files\M & M Computer Solutions" [X]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2009-06-22 83232]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-12-07 2771832]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\\isuspm.exe" [2010-05-21 324976]
"PaperPort PTD"="c:\program files\Nuance\PaperPort\pptd40nt.exe" [2012-11-19 38888]
"IndexSearch"="c:\program files\Nuance\PaperPort\IndexSearch.exe" [2012-11-19 51176]
"PPort14reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" [2012-01-03 333672]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2009-10-06 30264]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [bU]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2015-04-30 334896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Raptor"="c:\program files\McAfee\Raptor\Raptor.exe" [2015-07-15 1619824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2014-06-23 280576]
.
c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
help_restore_files_ohymd.html [2015-7-10 3811]
help_restore_files_ohymd.txt [2015-7-10 2171]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\PrintMaster Platinum 18\Remind.exe [2007-9-9 344064]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2013-2-1 1155912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2015-07-08 01:12 998104 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-08-20 19:25 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDFProHook]
2012-11-06 02:41 641424 ----a-w- c:\program files\Nuance\PDF Viewer Plus\PdfPro7Hook.exe
.
R2 BackupAgent;Backup Agent;c:\program files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe [2015-05-22 47616]
R2 BackupExtender;Backup Extender;c:\program files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe [2015-05-22 51712]
R2 BackupUpdater;Backup Updater;c:\program files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe [2015-05-22 51712]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2015-06-18 1133880]
R2 msftesql$WASPDBEXPRESS;SQL Server FullText Search (WASPDBEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2007-06-22 95592]
R2 MSSQL$WASPDBEXPRESS;SQL Server (WASPDBEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\Nuance\PaperPort\PDFProFiltSrvPP.exe [2012-11-19 220048]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2013-11-25 412776]
R3 eapihdrv;eapihdrv;c:\users\chris\AppData\Local\Temp\ehdrv.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-06-23 108032]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2015-06-18 51928]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2014-06-23 1343400]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [2012-10-24 71152]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2012-10-24 61464]
S1 VHDTrack;VHDTrack;c:\windows\system32\DRIVERS\VHDTrack.sys [2015-05-22 125840]
S2 Emc.Captiva.WebCaptureService;EMC Captiva Cloud Service;c:\program files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe [2012-04-05 39936]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common
Files\VMware\USB\vmware-usbarbitrator.exe [2012-10-11 721048] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2015-06-18 23256] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776] S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\DRIVERS\TSUSB2.sys [2007-01-19 54016] . . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2009-08-20 19:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder . 2015-08-26 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-05 14:49] . 2015-08-26 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job - c:\program files\Citrix\GoToMeeting\3215\g2mupdate.exe [2015-08-14 18:46] . 2015-08-26 c:\windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job - c:\program files\Citrix\GoToMeeting\3215\g2mupload.exe [2015-08-14 18:46] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.att.yahoo.com/ mStart Page = about:blank IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000 IE: Open with PDF Viewer 7 - c:\program files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta LSP: %windir%\system32\vsocklib.dll Trusted Zone: ecorpnet.com\navigator Trusted Zone: server1 TCP: DhcpNameServer = 192.168.0.10 DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://navigator.ecorpnet.com/Member/bz052/sglw2hcm.ocx DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} - hxxp://server1/aspnet_client/system_web/2_0_50727/crystalreportviewers12/ActiveXControls/PrintControl.cab DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://192.168.0.150/WebClient.cab FF - ProfilePath - c:\users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default\ . - - - - ORPHANS REMOVED - - - - . AddRemove-{52357C6C-FE7F-4E8C-B045-EDE5146A1F9C} - c:\progra~2\TARMAI~1\{52357~1\Setup.exe . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msftesql$WASPDBEXPRESS] "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:WASPDBEXPRESS" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_18_0_0_232_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_18_0_0_232_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}] @Denied: (A 2) (Everyone) @="IFlashBroker6" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2015-08-26 16:08:09 ComboFix-quarantined-files.txt 2015-08-26 21:08 ComboFix2.txt 2015-07-12 19:18 ComboFix3.txt 2015-07-12 03:17 . Pre-Run: 263,891,894,272 bytes free Post-Run: 263,609,864,192 bytes free . - - End Of File - - 788A13591799485F29189DAA99053091 A36C5E4F47E84449FF07ED3517B43A31
  8. I do not recognize that Firefox extension. I hardly ever use Firefox.

Fix result of Farbar Recovery Scan Tool (x86) Version:24-08-2015
Ran by chris (2015-08-26 13:06:26) Run:1
Running from C:\Users\chris\Desktop
Loaded Profiles: chris (Available Profiles: chris & Administrator & user)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\Users\chris\AppData\Local\Temp\catchme.sys [X]
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully.
catchme => service removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}" => key removed successfully.
EmptyTemp: => 790 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 13:07:53 ====

# AdwCleaner v5.003 - Logfile created 26/08/2015 at 13:15:06
# Updated 20/08/2015 by Xplode
# Database : 2015-08-25.1 [server]
# Operating system : Windows 7 Professional Service Pack 1 (x86)
# Username : chris - WORKSTATION1
# Running from : C:\Users\chris\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Folders ] *****

Folder Found : C:\ProgramData\Tarma Installer

***** [ Files ] *****

File Found : C:\Program Files\Mozilla Firefox\browser\searchplugins\yahoo.xml

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [648 bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.8 (08.24.2015:1)
OS: Windows 7 Professional x86
Ran by chris on Wed 08/26/2015 at 13:33:57.12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Tasks

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] C:\ProgramData\tarma installer

~~~ FireFox

Emptied folder: C:\Users\chris\AppData\Roaming\mozilla\firefox\profiles\gp0mcsih.default\minidumps [1 files]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/26/2015 at 13:35:08.59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/26/2015
Scan Time: 1:36 PM
Logfile: mbam.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.26.07
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: chris

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 419444
Time Elapsed: 10 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
  9. Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 8/26/2015 Scan Time: 9:16 AM Logfile: mbam 8-26-15.txt Administrator: Yes Version: 2.1.8.1057 Malware Database: v2015.08.26.06 Rootkit Database: v2015.08.16.01 License: Free Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled OS: Windows 7 Service Pack 1 CPU: x86 File System: NTFS User: chris Scan Type: Threat Scan Result: Completed Objects Scanned: 423005 Time Elapsed: 11 min, 1 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) Registry Values: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Folders: 0 (No malicious items detected) Files: 0 (No malicious items detected) Physical Sectors: 0 (No malicious items detected) (end) Malwarebytes Anti-Malware www.malwarebytes.org Error, 8/26/2015 8:45 AM, SYSTEM, WORKSTATION1, Protection, IsLicensed, 13, Protection, 8/26/2015 8:45 AM, SYSTEM, WORKSTATION1, Protection, Malware Protection, Stopping, Protection, 8/26/2015 8:45 AM, SYSTEM, WORKSTATION1, Protection, Malware Protection, Stopped, Update, 8/26/2015 9:16 AM, SYSTEM, WORKSTATION1, Manual, Remediation Database, 2015.8.18.1, 2015.8.25.1, Update, 8/26/2015 9:16 AM, SYSTEM, WORKSTATION1, Manual, AKA IP Database, 2015.8.21.1, 2015.8.25.1, Update, 8/26/2015 9:16 AM, SYSTEM, WORKSTATION1, Manual, AKA Domain Database, 2015.8.24.2, 2015.8.25.1, Update, 8/26/2015 9:16 AM, SYSTEM, WORKSTATION1, Manual, Malware Database, 2015.8.25.4, 2015.8.26.6, Scan, 8/26/2015 9:27 AM, SYSTEM, WORKSTATION1, Manual, Start:8/26/2015 9:16 AM, Duration:11 min 1 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections, (end) Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:24-08-2015 Ran by chris (administrator) on 
WORKSTATION1 (26-08-2015 09:30:52) Running from C:\Users\chris\Desktop Loaded Profiles: chris (Available Profiles: chris & Administrator & user) Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States) Internet Explorer Version 11 (Default browser: IE) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe (Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe (Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe (Juniper Networks) C:\Program Files\Juniper Networks\Common Files\dsNcService.exe (EMC Corporation) C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe (Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (VMware, Inc.) C:\Windows\System32\vmnat.exe (Data Perceptions / PowerProgrammer) C:\Windows\System32\WebUpdateSvc4.exe (VMware, Inc.) C:\Windows\System32\vmnetdhcp.exe (VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe (VMware, Inc.) 
C:\Program Files\VMware\VMware Player\vmware-authd.exe (Microsoft Corporation) C:\Windows\System32\vds.exe (McAfee Inc.) C:\Program Files\McAfee\Raptor\Raptor.exe (Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\pptd40nt.exe (Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe (Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (EMC Corporation) C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebToolkitHost.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe ==================== Registry (Whitelisted) =========================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [QuickFinder Scheduler] => c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE [83232 2009-06-22] (Corel Corporation) HKLM\...\Run: [intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2771832 2012-12-07] (Intuit Inc. All rights reserved.) HKLM\...\Run: [iSUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.) HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [38888 2012-11-18] (Nuance Communications, Inc.) HKLM\...\Run: [indexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [51176 2012-11-18] (Nuance Communications, Inc.) HKLM\...\Run: [PPort14reminder] => C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe [333672 2012-01-03] (Nuance Communications, Inc.) 
HKLM\...\Run: [HPUsageTracking] => C:\Program Files\HP\HP UT\bin\hppusg.exe [30264 2009-10-06] (Hewlett-Packard Company) HKLM\...\Run: [APSDaemon] => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.) HKLM\...\Run: [backupStatusIcon] => C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe [210944 2015-05-22] (Online Backup Solution) HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation) HKLM\...\RunOnce: [Raptor] => C:\Program Files\McAfee\Raptor\Raptor.exe [1619824 2015-07-15] (McAfee Inc.) HKLM\...\Policies\Explorer: [NoFolderOptions] 0 HKLM\...\Policies\Explorer: [NoControlPanel] 0 HKU\S-1-5-18\...\RunOnce: [sPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-06-23] (Microsoft Corporation) Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html [2015-07-10] () Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.txt [2015-07-10] () Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Event Reminder.lnk [2014-01-10] ShortcutTarget: Event Reminder.lnk -> C:\Program Files\PrintMaster Platinum 18\Remind.exe (Broderbund Properties LLC) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2013-11-26] ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank HKU\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.att.yahoo.com/ BHO: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2011-06-30] (Zeon Corporation) BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-29] (Oracle Corporation) BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-29] (Oracle Corporation) DPF: {037790A6-1576-11D6-903D-00105AABADD3} hxxps://navigator.ecorpnet.com/Member/bz052/sglw2hcm.ocx DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} hxxp://server1/aspnet_client/system_web/2_0_50727/crystalreportviewers12/ActiveXControls/PrintControl.cab DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} hxxp://192.168.0.150/WebClient.cab DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://stericycle.webex.com/client/WBXclient-T28L10NSP12EP20-10001/webex/ieatgpc1.cab DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://qies-west.cms.gov/dana-cached/sc/JuniperSetupClient.cab Handler: intu-help-qb3 - 
{c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll [2013-02-01] (Intuit, Inc.) Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2010-11-04] (Microsoft Corporation) Tcpip\Parameters: [DhcpNameServer] 192.168.0.10 Tcpip\..\Interfaces\{733E64BC-C0B0-44A5-A1F9-C8C52DDF48EA}: [DhcpNameServer] 192.168.0.10 FireFox: ======== FF ProfilePath: C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-13] () FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-29] (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-29] (Oracle Corporation) FF Plugin: @microsoft.com/GENUINE -> disabled [No File] FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll [2012-03-29] ( Microsoft Corporation) FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.) FF Plugin: ZEON/PDF,version=2.0 -> C:\Program Files\Nuance\PDF Viewer Plus\bin\nppdf.dll [2011-07-15] (Zeon Corporation) FF Plugin HKU\S-1-5-21-712691609-890981738-2795466230-1107: @citrixonline.com/appdetectorplugin -> C:\Users\chris\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-02-05] (Citrix Online) FF Extension: Bidi Spooler APIs - C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default\Extensions\{2A51A223-F244-36E3-AD0D-FC0F70C42C0F} [2014-04-03] ==================== Services (Whitelisted) ======================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) 
R2 BackupAgent; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe [47616 2015-05-22] (Online Backup Solution) [File not signed] R2 BackupExtender; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe [51712 2015-05-22] (Online Backup Solution) [File not signed] R2 BackupUpdater; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe [51712 2015-05-22] (Online Backup Solution) [File not signed] R2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [688240 2014-04-10] (Juniper Networks) R2 Emc.Captiva.WebCaptureService; C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe [39936 2012-04-04] (EMC Corporation) [File not signed] S4 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2009-08-20] (Hewlett-Packard Company) [File not signed] S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation) R2 msftesql$WASPDBEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [95592 2007-06-22] (Microsoft Corporation) R2 MSSQL$WASPDBEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29263712 2008-11-24] (Microsoft Corporation) S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45408 2008-11-24] (Microsoft Corporation) R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-01-18] (Hewlett-Packard) [File not signed] R2 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [220048 2012-11-18] (Nuance Communications, Inc.) 
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-01-18] (Hewlett-Packard) [File not signed]
R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-02-01] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]
R2 VMAuthdService; C:\Program Files\VMware\VMware Player\vmware-authd.exe [87120 2013-02-26] (VMware, Inc.)
R2 VMnetDHCP; C:\Windows\system32\vmnetdhcp.exe [357456 2013-02-26] (VMware, Inc.)
R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [721048 2012-10-11] (VMware, Inc.)
R2 VMware NAT Service; C:\Windows\system32\vmnat.exe [436304 2013-02-26] (VMware, Inc.)
R2 WebUpdate4; C:\Windows\system32\WebUpdateSvc4.exe [412776 2013-11-25] (Data Perceptions / PowerProgrammer)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [27648 2013-07-24] (Juniper Networks)
S3 eapihdrv; C:\Users\chris\AppData\Local\Temp\ehdrv.sys [135760 2015-07-13] (ESET)
R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [41496 2012-10-11] (VMware, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
S4 RxFilter; C:\Windows\System32\DRIVERS\RxFilter.sys [57328 2008-02-26] (Sonic Solutions)
R3 TSUSB2; C:\Windows\System32\DRIVERS\TSUSB2.sys [54016 2007-01-19] (HTL)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2014-06-10] (Apple, Inc.) [File not signed]
R1 VHDTrack; C:\Windows\System32\DRIVERS\VHDTrack.sys [125840 2015-05-22] (AI Consulting)
R3 vmkbd; C:\Windows\system32\drivers\VMkbd.sys [26064 2013-02-26] (VMware, Inc.)
R3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [16664 2013-02-26] (VMware, Inc.)
R2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [37016 2013-02-26] (VMware, Inc.)
R2 VMnetuserif; C:\Windows\system32\drivers\vmnetuserif.sys [26192 2013-02-26] (VMware, Inc.)
R2 VMparport; C:\Windows\system32\Drivers\VMparport.sys [24272 2013-02-26] (VMware, Inc.)
S3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2012-10-11] (VMware, Inc.)
R2 vmx86; C:\Windows\system32\Drivers\vmx86.sys [62416 2013-02-26] (VMware, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [61464 2012-10-24] (VMware, Inc.)
S3 catchme; \??\C:\Users\chris\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)
2015-08-26 09:29 - 2015-08-26 09:29 - 00001060 _____ C:\Users\chris\Desktop\mbam 8-26-15.txt
2015-08-26 09:29 - 2015-08-26 09:29 - 00000926 _____ C:\Users\chris\Desktop\mbam 2 8-26-15.txt
2015-08-25 10:28 - 2015-08-25 10:28 - 00042232 _____ C:\Users\chris\Desktop\Addition.txt
2015-08-25 10:27 - 2015-08-26 09:31 - 00014691 _____ C:\Users\chris\Desktop\FRST.txt
2015-08-25 10:27 - 2015-08-26 09:30 - 00000000 ____D C:\FRST
2015-08-25 10:27 - 2015-08-25 10:27 - 01690112 _____ (Farbar) C:\Users\chris\Desktop\FRST.exe
2015-08-24 16:05 - 2015-08-26 09:16 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-24 16:04 - 2015-08-24 16:04 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-08-24 16:04 - 2015-08-24 16:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-24 16:04 - 2015-06-18 08:41 - 00094936 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-08-24 16:04 - 2015-06-18 08:41 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-08-24 16:04 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-08-24 13:44 - 2015-08-24 14:10 - 00012805 _____ C:\Users\chris\Documents\2015 bims scores.xlsx
2015-08-24 08:45 - 2015-08-24 08:45 - 00000881 _____ C:\Users\chris\Desktop\JTAW32.EXE.lnk
2015-08-18 16:03 - 2015-08-18 16:04 - 00014359 _____ C:\Users\chris\Desktop\mm fair coupon.wpd
2015-08-14 14:03 - 2015-08-14 13:57 - 00171067 _____ C:\Users\chris\Desktop\201508141357_FC01_91.zip
2015-07-29 14:16 - 2015-07-29 14:16 - 00006636 _____ C:\Users\chris\Documents\personell policy.wpd
2015-07-27 14:34 - 2015-07-27 14:34 - 00002301 _____ C:\Users\chris\Desktop\43014Employees of Glenhaven that have accumulated fourteen (14).wpd
2015-07-27 13:57 - 2012-12-12 12:05 - 00007453 _____ C:\Users\chris\Desktop\technology policy 2.wpd

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-26 08:52 - 2009-07-13 23:34 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-26 08:52 - 2009-07-13 23:34 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-26 08:49 - 2014-04-23 14:48 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-26 08:49 - 2013-11-26 15:36 - 00910090 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-26 08:48 - 2013-11-26 15:33 - 02089153 _____ C:\Windows\WindowsUpdate.log
2015-08-26 08:46 - 2013-11-26 15:35 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl
2015-08-26 08:45 - 2014-04-22 13:57 - 00000000 ____D C:\ProgramData\VMware
2015-08-26 08:45 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-26 08:45 - 2009-07-13 23:39 - 00059333 _____ C:\Windows\setupact.log
2015-08-25 15:35 - 2015-06-04 10:30 - 00000610 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job
2015-08-25 15:34 - 2015-02-05 13:49 - 00000514 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job
2015-08-25 12:39 - 2015-07-06 09:52 - 00000000 ____D C:\ProgramData\BlueZone
2015-08-25 12:18 - 2013-11-26 18:17 - 00000848 ___SH C:\ProgramData\KGyGaAvL.sys
2015-08-25 12:18 - 2009-07-13 23:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-08-25 08:29 - 2013-11-26 16:25 - 00013866 _____ C:\Windows\PFRO.log
2015-08-25 08:29 - 2009-07-13 23:53 - 00032594 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-08-24 16:04 - 2015-07-11 23:12 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXOB.FOR
2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXOA.FOR
2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXMR.FOR
2015-08-24 09:37 - 2013-11-26 18:22 - 00002032 ____H C:\Users\chris\Documents\Default.rdp
2015-08-24 08:39 - 2014-06-16 12:18 - 00000000 ____D C:\Users\chris\Desktop\move
2015-08-18 15:57 - 2013-11-26 18:17 - 00000000 ____D C:\Users\chris\Documents\Corel User Files
2015-08-13 09:49 - 2013-12-05 16:47 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-08-13 09:49 - 2013-12-05 16:47 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-07-27 08:52 - 2015-07-21 17:06 - 00012067 _____ C:\Users\chris\Desktop\june suplies.xlsx

==================== Files in the root of some directories =======

2014-02-06 13:16 - 2014-02-06 13:16 - 0000218 _____ () C:\Users\chris\AppData\Roaming\default.rss
2014-12-24 14:17 - 2014-12-24 14:17 - 0000000 _____ () C:\Users\chris\AppData\Local\rx_image32.Cache
2014-01-02 12:09 - 2014-01-02 14:05 - 0004180 _____ () C:\ProgramData\hpzinstall.log
2013-11-26 18:17 - 2015-08-25 12:18 - 0000848 ___SH () C:\ProgramData\KGyGaAvL.sys

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-08-24 10:43

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:24-08-2015
Ran by chris (2015-08-26 09:31:19)
Running from C:\Users\chris\Desktop
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-777155561-1165665369-343804298-500 - Administrator - Disabled)
ASPNET (S-1-5-21-777155561-1165665369-343804298-1008 - Limited - Enabled)
Guest (S-1-5-21-777155561-1165665369-343804298-501 - Limited - Disabled)
user (S-1-5-21-777155561-1165665369-343804298-1001 - Administrator - Enabled) => C:\Users\user

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
32 Bit HP CIO Components Installer (Version: 7.1.4 - Hewlett-Packard) Hidden
Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
Advertising Center (Version: 0.0.0.1 - Nero AG) Hidden
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{1EFF9E6C-76E1-43F9-81FB-BC8C037B0902}) (Version: 1.0.258 - Citrix)
Corel WordPerfect Office - iFilter (HKLM\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.00.000 - Corel Corporation)
Crystal Reports Basic Runtime for Visual Studio 2008 (HKLM\...\{CE26F10F-C80F-4377-908B-1B7882AE2CE3}) (Version: 10.5.0.0 - Business Objects)
CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
DolbyFiles (Version: 0.1 - Nero AG) Hidden
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version: - )
FIS DCC Driver Package 2011 (HKLM\...\FIS DCC Driver Package 2011) (Version: 2014.1.0.0 - FIS)
Fujitsu NetCOBOL Free Run-time (HKLM\...\InstallShield_{F84C7212-9DC4-4963-A564-73C2EFA18935}) (Version: 10.1.0000.0000 - FUJITSU LIMITED)
Fujitsu NetCOBOL Free Run-time (Version: 10.1.0000.0000 - FUJITSU LIMITED) Hidden
GoToMeeting 7.2.4.3215 (HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\GoToMeeting) (Version: 7.2.4.3215 - CitrixOnline)
HP Customer Participation Program 10.0 (HKLM\...\HPExtendedCapabilities) (Version: 10.0 - HP)
HP Easy Scan (HKLM\...\{0007FD40-3ED2-4FDC-B45B-0C3A1C1A8C17}) (Version: 1.0.7.0 - Hewlett-Packard Company)
HP LaserJet P2050 Series 6.0 (HKLM\...\{6F801026-6AF0-4520-9153-4C9B4CAAB361}) (Version: 6.0 - HP)
HP Scanjet 3000 s2 ISIS Driver (HKLM\...\{20D6301E-0A14-4238-841D-45ECA567DB69}) (Version: 1.0.2597 - EMC Corporation)
HP Scanjet Pro 3000 s2 (HKLM\...\{1868D30B-72C7-41E8-9657-69C5DFE1C768}) (Version: 1.00.0000 - HP)
hppFonts (Version: 001.001.00061 - Hewlett-Packard) Hidden
hppQFolderP2050 (Version: 1.00.0000 - Hewlett-Packard) Hidden
hppusgP2050 (Version: 1.1.0.1 - Hewlett-Packard) Hidden
ImagXpress (Version: 7.0.74.0 - Nero AG) Hidden
InventoryControl (HKLM\...\{97C0445D-E7B6-4320-A541-50A5AB345422}) (Version: 5 - Wasp Technologies)
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Juniper Networks Network Connect 7.4.0 (HKLM\...\Juniper Network Connect 7.4.0) (Version: 7.4.0.30667 - Juniper Networks)
Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\Juniper_Setup_Client) (Version: 7.4.9.45013 - Juniper Networks, Inc.)
Labeler (HKLM\...\{78DA4EC4-8E94-45D4-B047-027B662EC6A6}) (Version: 6.0 - Wasp Technologies)
LightScribe System Software (HKLM\...\{CC8E94A2-55C7-4460-953C-2A790180578C}) (Version: 1.18.8.1 - LightScribe)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
MarketResearch (Version: 100.0.170.000 - Hewlett-Packard) Hidden
MCRIF32 - SNF (HKLM\...\{79EEAD1F-AD83-4F0C-A783-CD77C0BC1F2A}) (Version: 5.14.153.0 - Health Financial Systems)
Menu Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2007 Primary Interop Assemblies (HKLM\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office Small Business 2007 (HKLM\...\SMALLBUSINESSR) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.1.10329.0 - Microsoft Corporation)
Microsoft SQL Server 2005 (HKLM\...\Microsoft SQL Server 2005) (Version: - Microsoft Corporation)
Microsoft SQL Server Management Studio Express (HKLM\...\{F43867C9-68FD-46C7-B0AF-214356305B5E}) (Version: 9.00.4035.00 - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}) (Version: 9.00.4035.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.4035.00 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{56B4002F-671C-49F4-984C-C760FE3806B5}) (Version: 9.00.4035.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4048 (HKLM\...\{5B1F2843-B379-3FF2-B0D3-64DD143ED53A}) (Version: 9.0.30729.4048 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version: - Microsoft Corporation)
Microsoft Web Publishing Wizard 1.52 (HKLM\...\WebPost) (Version: - )
MM Backup (HKLM\...\{34A6764B-D838-4E93-A6C0-9D67BE564691}) (Version: 5.5.4 - M & M Computer Solutions, LLC)
Movie Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden
Mozilla Firefox 31.0 (x86 en-US) (HKLM\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nero 9 Essentials (HKLM\...\{1008cf13-3650-46d1-8ed6-31c0945215f6}) (Version: - Nero AG)
Nuance PaperPort 14 (HKLM\...\{2C92D969-468E-4711-8CCA-01AD9C7EB4E7}) (Version: 14.2.0000 - Nuance Communications, Inc.)
Nuance PDF Viewer Plus (HKLM\...\{FC984E39-43D0-4AB2-ACC7-A7B87977B009}) (Version: 7.20.3274 - Nuance Communications, Inc.)
PaperPort Anywhere 1.4.4661.38157 powered by OfficeDrop (HKLM\...\{52357C6C-FE7F-4E8C-B045-EDE5146A1F9C}) (Version: 1.4.4661.38157 - OfficeDrop)
PaperPort Image Printer (HKLM\...\{6EF2FDAB-7FBF-4AB9-92CD-594BDDB6A56B}) (Version: 14.00.0000 - Nuance Communications, Inc.)
PrintMaster Platinum 18 (HKLM\...\{EBD9A954-6C1A-4E9F-A098-C98653035381}) (Version: 18.00.0000 - Broderbund Software)
QuickBooks (Version: 20.0.4017.807 - Intuit Inc.) Hidden
QuickBooks Pro 2010 (HKLM\...\{0700E22B-A422-40A5-BD20-04BF618CA0F9}) (Version: 20.0.4017.807 - Intuit Inc.)
QuickTime (HKLM\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Readiris Pro 14 (HKLM\...\{C34A50FC-2B95-4E69-809C-96310E9D7852}) (Version: 14.00.2719 - I.R.I.S.)
Roxio Creator LE 10 (HKLM\...\{537BF16E-7412-448C-95D8-846E85A1D817}) (Version: 10.1 - Roxio)
Scansoft PDF Professional (Version: - ) Hidden
Software Update Wizard (Redist) 4.5 (HKLM\...\Software Update Wizard (Redist)) (Version: 4.5 - PowerProgrammer)
TellerScan 32-bit and 64-bit Combined Driver v4.2 (HKLM\...\{95D2D2E3-2FC4-4245-8DC2-C6202BE704CB}) (Version: 4.02.0000 - Precision Software Technologies, Inc.)
UB-04 ICD10 (HKLM\...\{2D0C2A6F-CD38-47C8-8C73-5586A8C73804}) (Version: 1.0.1.90 - SpeedySoft USA)
Visual Foxpro 6.0 Runtime version 6.00 (HKLM\...\{6016312C-6BA3-4AEA-B73D-8FC405508E8D}_is1) (Version: 6.00 - )
VMware Player (HKLM\...\VMware_Player) (Version: 5.0.2 - VMware, Inc)
VMware Player (Version: 5.0.2 - VMware, Inc.) Hidden
WebReg (Version: 100.0.170.000 - Hewlett-Packard) Hidden
WordPerfect Office X4 - Common (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Content (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - EN (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Filters (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Graphics (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - ICA (Version: 14.1 - Corel Corporation) Hidden
WordPerfect Office X4 - IPM (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - IPM EN (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Migration Manager (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - PerfectExperts (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - PR (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - QP (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Skins (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - System (Version: 14.1 - Corel Corporation) Hidden
WordPerfect Office X4 - WP (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 (HKLM\...\_{DCDAB2ED-5741-4C30-A1A4-0FCB8A529001}) (Version: - Corel Corporation)
WordPerfect Office X4 (Version: 14.2 - Corel Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{810CADD9-2658-4820-BA95-30199625191E}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\2185\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

==================== Restore Points =========================

21-07-2015 10:43:42 Scheduled Checkpoint
21-07-2015 16:08:48 Configured Microsoft Office Small Business 2007
29-07-2015 11:51:06 Scheduled Checkpoint
10-08-2015 10:38:00 Scheduled Checkpoint
18-08-2015 09:18:55 Scheduled Checkpoint
25-08-2015 11:14:36 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2015-08-14 14:04 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {25A01E62-3698-47F8-B578-400F1F9A0D9A} - System32\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107 => C:\Program Files\Citrix\GoToMeeting\3215\g2mupload.exe [2015-08-14] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {33B991F4-BED6-416D-9DCC-41B44CDC4E80} - System32\Tasks\{5EF5189C-3E71-4B71-B665-40BC9FDEFD6A} => pcalua.exe -a D:\Setup.exe -d D:\ Task: {6E6FC9A2-11DD-4899-A5A3-1E18FD44FBE6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-08-13] (Adobe Systems Incorporated) Task: {996FA9DF-2204-485B-8A3B-3B6CFE1DFDDD} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated) Task: {C1FDB8BF-262E-4E40-864C-5A2EDDED79F8} - System32\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107 => C:\Program Files\Citrix\GoToMeeting\3215\g2mupdate.exe [2015-08-14] (Citrix Online, a division of Citrix Systems, Inc.) (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job => C:\Program Files\Citrix\GoToMeeting\3215\g2mupdate.exe Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job => C:\Program Files\Citrix\GoToMeeting\3215\g2mupload.exe ==================== Loaded Modules (Whitelisted) ============== 2015-05-22 11:15 - 2015-05-22 11:15 - 00016896 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vds.Common.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 00124928 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\VDS.Platform.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 01711616 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vim25Service.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 03685456 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\gvmomi.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 01229904 _____ () C:\Program Files\M & M Computer 
Solutions, LLC\MM Backup\lib\Vddk\libxml2.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 00329808 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libcurl.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 00318032 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libldap_r.dll 2015-05-22 11:15 - 2015-05-22 11:15 - 00144976 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\liblber.dll 2012-04-04 20:54 - 2012-04-04 20:54 - 00015360 _____ () C:\Program Files\EMC Captiva\Captiva Cloud Runtime\SSLSupport.dll 2013-02-26 02:28 - 2013-02-26 02:28 - 01260624 _____ () C:\Program Files\VMware\VMware Player\libxml2.dll 2006-10-26 21:30 - 2006-10-26 21:30 - 00065312 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll 2006-10-27 15:35 - 2006-10-27 15:35 - 00436512 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll 2006-10-26 13:56 - 2006-10-26 13:56 - 00757008 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL ==================== Alternate Data Streams (Whitelisted) ========= (If an entry is included in the fixlist, only the ADS will be removed.) ==================== Safe Mode (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.) ==================== EXE Association (Whitelisted) =============== (If an entry is included in the fixlist, the registry item will be restored to default or removed.) ==================== Internet Explorer trusted/restricted =============== (If an entry is included in the fixlist, it will be removed from the registry.) 
IE trusted site: HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\ecorpnet.com -> hxxps://navigator.ecorpnet.com IE trusted site: HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\server1 -> hxxp://server1 ==================== Other Areas ============================ (Currently there is no automatic fix for this section.) HKU\S-1-5-21-712691609-890981738-2795466230-1107\Control Panel\Desktop\\Wallpaper -> C:\Users\chris\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg DNS Servers: 192.168.0.10 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0) Windows Firewall is disabled. ==================== MSCONFIG/TASK MANAGER disabled items == (Currently there is no automatic fix for this section.) MSCONFIG\Services: AdobeARMservice => 2 MSCONFIG\Services: LightScribeService => 2 MSCONFIG\Services: Nero BackItUp Scheduler 4.0 => 2 MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" MSCONFIG\startupreg: LightScribe Control Panel => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden MSCONFIG\startupreg: PDFProHook => "C:\Program Files\Nuance\PDF Viewer Plus\pdfpro7hook.exe" ==================== FirewallRules (Whitelisted) =============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) 
FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe FirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe FirewallRules: [{8DF9BE9A-F03A-4B49-A92B-4CE446187EB4}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe FirewallRules: [{6EDDD859-D085-4685-87AD-0947A111A474}] => (Allow) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe FirewallRules: [{EE4DDED9-EBCA-45C3-B1C1-B4EDF29DA501}] => (Allow) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe FirewallRules: [{970A4628-B556-44E3-800E-9B552E22A0EC}] => (Allow) LPort=6160 FirewallRules: [{CB1FC5CF-6B22-40F2-8B6E-4475D3E7AC77}] => (Allow) C:\Program Files\Wasp Technologies\InventoryControl\InventoryControl.exe FirewallRules: [{13946AFF-2682-4264-A80A-8223D67B6310}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupMonitor.exe FirewallRules: [{635F315A-F94E-4523-B825-FE6F33AFAD85}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe FirewallRules: [{43EEB0EB-7F12-4784-B56C-955422B0F0B4}] => (Allow) C:\Program Files\VMware\VMware Player\vmware-authd.exe FirewallRules: [{FAB54C15-84EC-4ABF-AB1A-F9F7ABC6C55B}] => (Allow) C:\Program Files\VMware\VMware Player\vmware-authd.exe FirewallRules: [{71F50830-FA10-4D91-9C41-69D5E172859A}] => (Allow) C:\Program Files\Artisteer 4\bin\Artisteer.exe FirewallRules: [{05FE104F-C24D-45B8-881A-66FFC781E2DC}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe FirewallRules: [{29E25875-15B7-42F7-A7C6-F7EF091FC596}] => (Allow) LPort=8877 FirewallRules: [{0357C77A-FBF0-4FEC-B282-B124C9A5E834}] => (Allow) LPort=8878 ==================== Faulty Device Manager Devices ============= ==================== Event log errors: ========================= Application errors: ================== Error: (08/26/2015 08:45:24 AM) (Source: BackupAgent) (EventID: 0) (User: ) Description: Access to remote file 
failed with status code NameResolutionFailure. Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD Error: (08/25/2015 03:53:03 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: iexplore.exe, version: 11.0.9600.17126, time stamp: 0x53882e30 Faulting module name: MSHTML.dll, version: 11.0.9600.17126, time stamp: 0x53884c7d Exception code: 0xc0000005 Fault offset: 0x0027cd99 Faulting process id: 0x15a4 Faulting application start time: 0xiexplore.exe0 Faulting application path: iexplore.exe1 Faulting module path: iexplore.exe2 Report Id: iexplore.exe3 Error: (08/25/2015 12:00:42 PM) (Source: VSS) (EventID: 8194) (User: ) Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often caused by incorrect security settings in either the writer or requestor process. Operation: Gathering Writer Data Context: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220} Writer Name: System Writer Writer Instance ID: {11f9e127-c1c5-4084-8191-2f14fc50d3fd} Error: (08/25/2015 12:00:20 PM) (Source: VSS) (EventID: 8194) (User: ) Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often caused by incorrect security settings in either the writer or requestor process. Operation: Gathering Writer Data Context: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220} Writer Name: System Writer Writer Instance ID: {11f9e127-c1c5-4084-8191-2f14fc50d3fd} Error: (08/25/2015 11:08:35 AM) (Source: SideBySide) (EventID: 33) (User: ) Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1". 
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis. Error: (08/25/2015 09:37:11 AM) (Source: QuickBooks) (EventID: 4) (User: ) Description: An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance Handle Error: (08/25/2015 09:37:11 AM) (Source: QuickBooks) (EventID: 4) (User: ) Description: An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance Handle Error: (08/25/2015 09:37:11 AM) (Source: QuickBooks) (EventID: 4) (User: ) Description: An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance Handle Error: (08/25/2015 08:30:19 AM) (Source: BackupAgent) (EventID: 0) (User: ) Description: Access to remote file failed with status code NameResolutionFailure. Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD Error: (08/24/2015 12:00:26 PM) (Source: VSS) (EventID: 8194) (User: ) Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied. . This is often caused by incorrect security settings in either the writer or requestor process. Operation: Gathering Writer Data Context: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220} Writer Name: System Writer Writer Instance ID: {f3b7f81e-1d52-4a7f-8617-d564718bf865} System errors: ============= Error: (08/26/2015 08:45:09 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY) Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator. 
Error: (08/26/2015 08:45:03 AM) (Source: NETLOGON) (EventID: 5719) (User: ) Description: This computer was not able to set up a secure session with a domain controller in domain GLENHAVEN due to the following: %%1311 This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain. Error: (08/25/2015 04:17:27 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: The UPnP Device Host service failed to start due to the following error: %%1069 Error: (08/25/2015 04:17:27 PM) (Source: Service Control Manager) (EventID: 7038) (User: ) Description: The upnphost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: %%1352 To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). Error: (08/25/2015 04:17:27 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: 1069upnphost{204810B9-73B2-11D4-BF42-00B0D0118B56} Error: (08/25/2015 08:29:58 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY) Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller). 
Error: (08/25/2015 08:29:56 AM) (Source: NETLOGON) (EventID: 5719) (User: ) Description: This computer was not able to set up a secure session with a domain controller in domain GLENHAVEN due to the following: %%1311 This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain. Error: (08/24/2015 09:15:04 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY) Description: The following fatal alert was generated: 10. The internal error state is 10. Error: (08/24/2015 09:15:04 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY) Description: The following fatal alert was generated: 10. The internal error state is 10. Error: (08/24/2015 09:15:04 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY) Description: The following fatal alert was generated: 10. The internal error state is 10. 
Microsoft Office: ========================= ==================== Memory info =========================== Processor: Intel® Core2 Duo CPU E8400 @ 3.00GHz Percentage of memory in use: 47% Total physical RAM: 3033.82 MB Available physical RAM: 1603.38 MB Total Virtual: 7032.11 MB Available Virtual: 5241.36 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:297.99 GB) (Free:242.2 GB) NTFS Drive f: (apps) (Network) (Total:488.28 GB) (Free:391.52 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 3136FBFA) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS) ==================== End of FRST.txt ============================ RogueKiller V10.10.2.0 [Aug 24 2015] by Adlice Software mail : http://www.adlice.com/contact/ Feedback : http://forum.adlice.com Website : http://www.adlice.com/softwares/roguekiller/ Blog : http://www.adlice.com Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version Started in : Normal mode User : chris [Administrator] Started from : C:\Users\chris\Desktop\RogueKiller.exe Mode : Scan -- Date : 08/26/2015 09:46:06 ¤¤¤ Processes : 1 ¤¤¤ [Proc.Injected] Emc.Captiva.WebToolkitHost.exe(2424) -- C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebToolkitHost.exe[-] -> Killed [TermProc] ¤¤¤ Registry : 3 ¤¤¤ [suspicious.Path|VT.Unknown] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PPort14reminder : "C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\14\Config\Ereg\Ereg.ini" [7][x][-] -> Found [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found [PUM.StartMenu] 
HKEY_USERS\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found ¤¤¤ Tasks : 0 ¤¤¤ ¤¤¤ Files : 0 ¤¤¤ ¤¤¤ Hosts File : 1 ¤¤¤ [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ MBR Check : ¤¤¤ +++++ PhysicalDrive0: WDC WD3200AAJS-00YZCA0 ATA Device +++++ --- User --- [MBR] b39075c2e5ee03714b6c11e0d0cc88f6 [bSP] 86a521cbc7c8754c985d8dac744f75c7 : Windows Vista/7/8|VT.Unknown MBR Code Partition table: 0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader] 1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader] User = LL1 ... OK User = LL2 ... OK
  10. I got hit with Cryptowall 3.0 a month or two ago. I ran Malwarebytes, Superantispyware, and Spybot. The infection I believe is gone, however, when I open Microsoft Excel by itself or a file that was backed up before the infection, it opens three tabs. One is the document I want to open and the other two are the Cryptowall warnings. Am I still partially infected or is there a way to stop the other two tabs from opening?