A Bit Annoyed Posted January 16, 2016

Long one, sorry.

My Dad is in his early seventies but still working part time, in a business partnership. I used to help him a bit with computer stuff until I took on more hours at work. Anyway, he called me yesterday to say his email layout had changed and he didn't know how to change it back, so I called round in my lunch hour and restored his email, but noticed two new icons in his toolbar. One turned out to be Adblock Plus, the other is a capital, red A, that says ABlock.

I asked Dad about them and he said he had had to pay for them when his computer had completely broken around a month ago. When I questioned him further, he said he had been looking for a new van when the computer froze and a message came up. He said he had had to ring a number, but he was getting embarrassed and started skimping on the details. What I do know is that it took several long phone calls and a person with an American accent used remote access to his computer to remove the "problem" and install these Adblockers. He paid them nearly £600 by credit card. I found a receipt for this on his computer from Live Technologies, telephone number toll free 0 800 014 8983.

I had no further time to investigate, and the fact my Dad has said nothing to me about this before now means he didn't really want me, or my Mum, to know, so he wouldn't give me full details. He said it was done through Sky (his provider) and he was told the price at every stage and was advised he would be better off getting a new PC, but Dad said he absolutely needed it for work so he went ahead. I have phoned him since and made him check his credit card activity and bank accounts, and he swears to me all is in order.

His computer is an Average laptop, running on Vista. He's had it since 2007.

Please advise me how to help him. I'm sure he wants discretion, but this has upset me so much.
DSTM Posted January 16, 2016 (edited)

Both ADBLOCK and ADBLOCK PLUS are free. They are scammers. I know another guy who lost $700 to these scammers, wrecked the OS into the bargain.

Edited January 16, 2016 by DSTM

Confidence is the feeling I get, moments before I stuff something up.
Starbuck (ExTS Admin) Posted January 16, 2016

Hi there,

In cases like this, it's always best to check the whole system. If you want to follow these instructions we can get to work and check your father's system for him. And don't worry, there is no charge for any work we do.

Note: There are both 32-bit and 64-bit versions of Farbar Recovery Scan Tool available. Please pick the version that matches your operating system's bit type. If you are unsure what your system's bit type is, click Here for help.

For x32 bit systems download Farbar Recovery Scan Tool and save it to your Desktop.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your Desktop.

Double-click the downloaded icon to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator.
http://img.photobucket.com/albums/v708/starbuck50/frsticon_zpsdc3cbdc3.png

When the tool opens click Yes to the disclaimer.
http://img.photobucket.com/albums/v708/starbuck50/frstdis_zps7f598f12.png

Make sure that Addition.txt is selected at the bottom.
Press the Scan button.
http://img.photobucket.com/albums/v708/starbuck50/newfrst_zpsa63ffa3d.png

It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.

In your next reply, please submit:
Both reports from FRST.

Thanks.

Member of: UNITE
A Bit Annoyed (Author) Posted January 17, 2016

How long will this take to run?

Thank you so much for replying. Getting access to his computer will be the problem, but if I can do this in under an hour, then I can go over in my lunch hour and start having a look at things. Might be a few days before I can get a reply posted up here. I have got my brother involved now, who has dug out a tablet for him to use until we can get this sorted, so Dad is under strict instructions not to visit bank or buying sites on his computer.

This started before Christmas; he has only just admitted it to me, and there has been no suspicious activity on his accounts apparently, just the one payment to Live Technologies.
Starbuck (ExTS Admin) Posted January 17, 2016

Hi there,

"but if I can do this in under an hour, then I can go over in my lunch hour and start having a look at things."

The download and the initial scan can be completed in about 5 mins. Obviously once posted it will take me longer to go through the scan reports and write a fix if one is required. Just post the reports when you can; this post will always remain open.

Member of: UNITE
A Bit Annoyed (Author) Posted January 18, 2016

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:17-01-2015
Ran by Admin (administrator) on ADMIN-PC (18-01-2016 13:33:27)
Running from C:\Users\Admin\Downloads
Loaded Profiles: Admin (Available Profiles: Admin)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NWEReboot] => [X]
Winlogon\Notify\!SASWinLogon: F:\SASWINLO.DLL [X]
HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\...\MountPoints2: {d38da53a-ccdc-11e1-9f4a-0016d4b23538} - H:\LaunchU3.exe -a
HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [704512 2009-04-11] (Microsoft Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - F:\SASSEH.DLL No File [ ]
ShellIconOverlayIdentifiers: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Internet Security\Engine\22.5.5.15\buShell.dll [2015-11-05] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Internet Security\Engine\22.5.5.15\buShell.dll [2015-11-05] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Internet Security\Engine\22.5.5.15\buShell.dll [2015-11-05] (Symantec Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{538F1621-5099-4C03-BD04-BE2A05E2F80F}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{C581A5FF-006B-459F-9BCF-4145EA3C9B61}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.norton.com
HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.skybroadband.com
SearchScopes: HKU\S-1-5-21-1000093575-2614507329-1950583498-1000 -> DefaultScope {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=NS&chn=retail&geo=GB&ver=22&locale=en_GB&gct=kwd&qsrc=2869
SearchScopes: HKU\S-1-5-21-1000093575-2614507329-1950583498-1000 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=NS&chn=retail&geo=GB&ver=22&locale=en_GB&gct=kwd&qsrc=2869
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26] (Safer Networking Limited)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation)
BHO: No Name -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-09-20] (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-09-20] (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-1000093575-2614507329-1950583498-1000 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_40-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0040-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_40-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_40-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default
FF NewTab: hxxp://search.babylon.com/?affID=111803&babsrc=NT_ss&mntrId=d2fdf9320000000000000019d220cce2
FF SearchEngineOrder.1: Search the web (Babylon)
FF SelectedSearchEngine: Google
FF Homepage: hxxp://search.babylon.com/?affID=111803&babsrc=HP_ss&mntrId=d2fdf9320000000000000019d220cce2
FF Keyword.URL: hxxp://search.babylon.com/?affID=111803&babsrc=KW_ss&mntrId=d2fdf9320000000000000019d220cce2&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-09] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [2011-06-10] (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll [2014-01-06] (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.40.2 -> C:\Windows\system32\npDeployJava1.dll [2013-09-20] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-09-20] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.40.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-09-20] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-11-30] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-11-30] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-06-26] (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\user.js [2012-07-13]
FF Extension: Adblock Plus - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-12-18]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-07-14] [not signed]
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.0.124\coFFAddon
FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.0.124\coFFAddon [2016-01-13]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-04-03]

Chrome:
=======
CHR Profile: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-28]
CHR Extension: (Adblock Plus) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-01-13]
CHR Extension: (Google Search) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-30]
CHR Extension: (ABlock) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcchaiacddlgkccppchimljondmpikpg [2015-12-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-24]
CHR Extension: (Gmail) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-29]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Internet Security\Engine\22.5.5.15\Exts\Chrome.crx [2015-11-05]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
StartMenuInternet: Google Chrome.CI6XXID4S2E4GYKPJ7WETYJMDQ - C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 EvtEng; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [860160 2008-10-16] (Intel® Corporation) [File not signed]
S2 HPSupportSolutionsFrameworkService; C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe [89352 2014-09-15] (Hewlett-Packard Company)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
S2 NIS; C:\Program Files\Norton Internet Security\Engine\22.5.5.15\NIS.exe [282016 2015-11-20] (Symantec Corporation)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
S2 RegSrvc; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [466944 2008-10-16] (Intel® Corporation) [File not signed]
S2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [167936 2005-08-08] () [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\BASHDefs\20160114.001\BHDrvx86.sys [1193032 2015-10-08] (Symantec Corporation)
S1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1605050.00F\ccSetx86.sys [137456 2015-07-11] (Symantec Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [389968 2015-11-18] (Symantec Corporation)
R3 EMSCR; C:\Windows\System32\DRIVERS\EMS7SK.sys [68096 2007-08-16] (ENE Technology Inc.)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [125264 2015-11-18] (Symantec Corporation)
R3 ESDCR; C:\Windows\System32\DRIVERS\ESD7SK.sys [47104 2007-08-16] (ENE Technology Inc.)
R3 ESMCR; C:\Windows\System32\DRIVERS\ESM7SK.sys [64512 2007-08-16] (ENE Technology Inc.)
S1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\IPSDefs\20160116.001\IDSvix86.sys [580344 2015-12-04] (Symantec Corporation)
S3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\VirusDefs\20160117.023\NAVENG.SYS [104440 2015-10-30] (Symantec Corporation)
S3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\VirusDefs\20160117.023\NAVEX15.SYS [1647216 2015-10-30] (Symantec Corporation)
S3 Ph3xIB32; C:\Windows\System32\DRIVERS\Ph3xIB32.sys [1131136 2007-04-03] (Philips Semiconductors GmbH)
S1 SRTSP; C:\Windows\System32\Drivers\NIS\1605050.00F\SRTSP.SYS [712944 2015-11-11] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NIS\1605050.00F\SRTSPX.SYS [44792 2015-07-11] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\NIS\1605050.00F\SYMEFASI.SYS [1287408 2015-11-11] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [103152 2015-07-27] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NIS\1605050.00F\Ironx86.SYS [234744 2015-07-11] (Symantec Corporation)
S1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1605050.00F\SYMTDIV.SYS [358104 2015-11-11] (Symantec Corporation)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2012-12-13] (Apple, Inc.) [File not signed]
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B}; C:\Program Files\CyberLink\PowerDVD\000.fcl [13560 2006-11-02] (Cyberlink Corp.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)
2016-01-18 13:33 - 2016-01-18 13:34 - 00013738 _____ C:\Users\Admin\Downloads\FRST.txt
2016-01-18 13:33 - 2016-01-18 13:33 - 01721856 _____ (Farbar) C:\Users\Admin\Downloads\FRST (1).exe
2016-01-18 13:32 - 2016-01-18 13:33 - 01721856 _____ (Farbar) C:\Users\Admin\Downloads\FRST.exe
2016-01-18 13:30 - 2016-01-18 13:30 - 00077740 _____ C:\Windows\ntbtlog.txt
2016-01-18 13:25 - 2016-01-18 13:33 - 00000000 ____D C:\FRST
2016-01-14 17:43 - 2016-01-14 17:43 - 00505070 _____ C:\Users\Admin\Downloads\Top-002 (40).BMP
2016-01-14 14:26 - 2016-01-14 14:26 - 00505070 _____ C:\Users\Admin\Downloads\Top-001 (55).BMP
2016-01-13 10:34 - 2015-12-05 17:03 - 02873344 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2016-01-13 10:34 - 2015-12-05 17:03 - 01567744 _____ (Microsoft Corporation) C:\Windows\system32\WMVENCOD.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 01377792 _____ (Microsoft Corporation) C:\Windows\system32\WMVSDECD.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 01326080 _____ (Microsoft Corporation) C:\Windows\system32\WMSPDMOE.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 01314816 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2016-01-13 10:34 - 2015-12-05 17:03 - 01114624 _____ (Microsoft Corporation) C:\Windows\system32\WMADMOE.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 00867328 _____ (Microsoft Corporation) C:\Windows\system32\wmpmde.dll
2016-01-13 10:34 - 2015-12-05 17:03 - 00767488 _____ (Microsoft Corporation) C:\Windows\system32\WMVSENCD.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 00759296 _____ (Microsoft Corporation) C:\Windows\system32\WMADMOD.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 00650240 _____ (Microsoft Corporation) C:\Windows\system32\WMVXENCD.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 00605184 _____ (Microsoft Corporation) C:\Windows\system32\WMSPDMOD.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 00506880 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2016-01-13 10:34 - 2015-12-05 17:03 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2016-01-13 10:34 - 2015-12-05 17:03 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\VIDRESZR.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 00212992 _____ (Microsoft Corporation) C:\Windows\system32\RESAMPLEDMO.DLL
2016-01-13 10:34 - 2015-12-05 17:03 - 00208896 _____ (Microsoft Corporation) C:\Windows\system32\qasf.dll
2016-01-13 10:34 - 2015-12-05 17:02 - 00853504 _____ (Microsoft Corporation) C:\Windows\system32\mcmde.dll
2016-01-13 10:34 - 2015-12-05 17:02 - 00613888 _____ (Microsoft Corporation) C:\Windows\system32\MSMPEG2VDEC.DLL
2016-01-13 10:34 - 2015-12-05 17:02 - 00606208 _____ (Microsoft Corporation) C:\Windows\system32\MFWMAAEC.DLL
2016-01-13 10:34 - 2015-12-05 17:02 - 00506880 _____ (Microsoft Corporation) C:\Windows\system32\MSMPEG2ENC.DLL
2016-01-13 10:34 - 2015-12-05 17:02 - 00480256 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll
2016-01-13 10:34 - 2015-12-05 17:02 - 00391680 _____ (Microsoft Corporation) C:\Windows\system32\MSMPEG2ADEC.DLL
2016-01-13 10:34 - 2015-12-05 17:02 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\MP4SDECD.DLL
2016-01-13 10:34 - 2015-12-05 17:02 - 00254976 _____ (Microsoft Corporation) C:\Windows\system32\MPG4DECD.DLL
2016-01-13 10:34 - 2015-12-05 17:02 - 00254976 _____ (Microsoft Corporation) C:\Windows\system32\MP43DECD.DLL
2016-01-13 10:34 - 2015-12-05 17:02 - 00209920 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll
2016-01-13 10:34 - 2015-12-05 17:02 - 00158208 _____ (Microsoft Corporation) C:\Windows\system32\COLORCNV.DLL
2016-01-13 10:34 - 2015-12-05 17:02 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ksproxy.ax
2016-01-13 10:34 - 2015-12-05 17:02 - 00080896 _____ (Microsoft Corporation) C:\Windows\system32\MP3DMOD.DLL
2016-01-13 10:34 - 2015-12-05 17:02 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\devenum.dll
2016-01-13 10:34 - 2015-12-05 17:02 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\mfvdsp.dll
2016-01-13 10:34 - 2015-12-05 16:44 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2016-01-13 10:34 - 2015-12-05 15:24 - 02068480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-01-13 10:34 - 2015-11-13 16:56 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\mapistub.dll
2016-01-13 10:34 - 2015-11-13 16:56 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\mapi32.dll
2016-01-13 10:34 - 2015-11-13 15:27 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\fixmapi.exe
2016-01-13 10:33 - 2015-12-08 17:01 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-01-13 10:09 - 2015-12-05 17:02 - 00298496 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-01-13 10:06 - 2015-12-30 17:12 - 03609024 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2016-01-13 10:06 - 2015-12-30 17:12 - 03556800 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-01-12 20:03 - 2015-12-15 21:50 - 01814528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-01-12 20:03 - 2015-12-15 21:49 - 12388864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-01-12 20:03 - 2015-12-15 21:47 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-01-12 20:03 - 2015-12-15 21:46 - 09753088 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-01-12 20:03 - 2015-12-15 21:45 - 01140224 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-01-12 20:03 - 2015-12-15 21:45 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-01-12 20:03 - 2015-12-15 21:44 - 01804800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-01-12 20:03 - 2015-12-15 21:44 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-01-12 20:03 - 2015-12-15 21:44 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-01-12 20:03 - 2015-12-15 21:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-01-12 20:03 - 2015-12-15 21:44 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-01-12 20:03 - 2015-12-15 21:44 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-01-12 20:03 - 2015-12-15 21:44 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-01-12 20:03 - 2015-12-15 21:43 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-01-12 20:03 - 2015-12-15 21:43 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-01-12 20:03 - 2015-12-15 21:43 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-01-12 20:03 - 2015-12-15 21:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-01-12 20:03 - 2015-12-15 21:43 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-01-12 20:03 - 2015-12-15 21:43 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-01-12 20:03 - 2015-12-15 21:43 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-01-12 20:03 - 2015-12-15 21:43 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-01-12 20:03 - 2015-12-15 21:43 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2016-01-08 14:16 - 2016-01-08 14:16 - 00027785 _____ C:\Users\Admin\Downloads\J2947 VQ4.pdf
2016-01-07 16:51 - 2016-01-07 16:51 - 00505070 _____ C:\Users\Admin\Downloads\Top-001 (54).BMP
2016-01-07 12:32 - 2016-01-07 12:32 - 05414139 _____ C:\Users\Admin\Downloads\EPSON028 (1).PDF
2016-01-07 12:28 - 2016-01-07 12:28 - 05414139 _____ C:\Users\Admin\Downloads\EPSON028.PDF
2016-01-07 12:09 - 2016-01-07 12:09 - 00007508 _____ C:\Users\Admin\Downloads\INVCRD0000844169.pdf
2016-01-07 12:07 - 2016-01-07 12:07 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722 (5).pdf
2016-01-07 12:07 - 2016-01-07 12:07 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722 (4).pdf
2016-01-07 12:06 - 2016-01-07 12:06 - 00022248 _____ C:\Users\Admin\Downloads\EXPDOC0000838720 (1).pdf
2016-01-07 12:05 - 2016-01-07 12:05 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722 (3).pdf
2016-01-07 12:02 - 2016-01-07 12:02 - 00007198 _____ C:\Users\Admin\Downloads\INVCRD0000844170 (1).pdf
2016-01-07 12:01 - 2016-01-07 12:01 - 00007185 _____ C:\Users\Admin\Downloads\INVCRD0000844168 (2).pdf
2016-01-07 11:59 - 2016-01-07 11:59 - 00007185 _____ C:\Users\Admin\Downloads\INVCRD0000844168 (1).pdf
2016-01-07 09:34 - 2016-01-07 09:34 - 00505070 _____ C:\Users\Admin\Downloads\Top (100).BMP
2016-01-06 12:30 - 2016-01-06 12:30 - 03489285 _____ C:\Users\Admin\Downloads\SH numbered seat plan with door numbers new logo & E29 GT 300408.pdf
2016-01-06 12:30 - 2016-01-06 12:30 - 03489285 _____ C:\Users\Admin\Downloads\SH numbered seat plan with door numbers new logo & E29 GT 300408 (1).pdf
2016-01-05 17:44 - 2016-01-05 17:44 - 00034903 _____ C:\Users\Admin\Downloads\Attached Message Part (1)
2016-01-05 17:44 - 2016-01-05 17:44 - 00034903 _____ C:\Users\Admin\Downloads\Attached Message Part
2016-01-04 17:04 - 2016-01-04 17:04 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722 (2).pdf
2016-01-04 17:02 - 2016-01-04 17:02 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722 (1).pdf
2016-01-04 17:01 - 2016-01-04 17:01 - 00007198 _____ C:\Users\Admin\Downloads\INVCRD0000844170.pdf
2016-01-04 16:58 - 2016-01-04 16:58 - 00007185 _____ C:\Users\Admin\Downloads\INVCRD0000844168.pdf
2016-01-04 16:25 - 2016-01-04 16:25 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722.pdf
2016-01-04 16:24 - 2016-01-04 16:24 - 00022248 _____ C:\Users\Admin\Downloads\EXPDOC0000838720.pdf
2015-12-22 19:47 - 2015-12-22 19:47 - 00095500 _____ C:\Users\Admin\Downloads\000001014768047.pdf
2015-12-22 12:45 - 2015-12-22 12:45 - 00505070 _____ C:\Users\Admin\Downloads\Top-003 (22).BMP
2015-12-22 12:44 - 2015-12-22 12:44 - 00505070 _____ C:\Users\Admin\Downloads\Top-002 (39).BMP
2015-12-22 12:44 - 2015-12-22 12:44 - 00505070 _____ C:\Users\Admin\Downloads\Top (99).BMP
2015-12-22 12:28 - 2015-12-22 12:28 - 00505070 _____ C:\Users\Admin\Downloads\Top-001 (53).BMP
2015-12-21 20:16 - 2015-12-21 20:16 - 00505070 _____ C:\Users\Admin\Downloads\Top-001 (52).BMP
2015-12-21 20:16 - 2015-12-21 20:16 - 00505070 _____ C:\Users\Admin\Downloads\Top (98).BMP
2015-12-19 14:07 - 2015-12-19 14:07 - 00000000 ____D C:\Users\Admin\AppData\Local\Apple

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-18 13:33 - 2006-11-02 11:18 - 00000000 ____D C:\Windows
2016-01-18 13:28 - 2006-11-02 13:01 - 00032622 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-01-18 13:28 - 2006-11-02 13:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-18 13:28 - 2006-11-02 12:47 - 00004240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-18 13:28 - 2006-11-02 12:47 - 00004240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-18 13:25 - 2013-02-16 14:51 - 00000000 ____D C:\Users\Admin\AppData\Roaming\U3
2016-01-18 13:25 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\inf
2016-01-18 13:25 - 2006-11-02 10:33 - 00759582 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-13 23:26 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\rescache
2016-01-13 11:00 - 2006-11-02 12:47 - 00260016 _____ C:\Windows\system32\FNTCACHE.DAT
2016-01-13 10:33 - 2013-08-15 08:05 - 00000000 ____D C:\Windows\system32\MRT
2016-01-13 10:10 - 2006-11-02 10:24 - 141317472 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-12-19 09:44 - 2015-07-23 06:58 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-19 09:44 - 2015-07-23 06:58 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-19 09:44 - 2012-07-13 09:08 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

==================== Files in the root of some directories =======

2015-08-28 09:05 - 2015-08-28 09:05 - 6420480 _____ () C:\Program Files\GUTEBF5.tmp
2013-09-19 19:58 - 2013-09-19 19:58 - 0000680 _____ () C:\Users\Admin\AppData\Local\d3d9caps.dat
2012-08-12 15:50 - 2014-08-26 13:35 - 0005632 _____ () C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-10-21 10:34 - 2013-04-10 14:12 - 0034802 _____ () C:\ProgramData\hpzinstall.log

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-01-18 12:11

==================== End of FRST.txt ============================
A Bit Annoyed Posted January 18, 2016 Author Posted January 18, 2016 Additional scan result of Farbar Recovery Scan Tool (x86) Version:17-01-2015 Ran by Admin (2016-01-18 13:35:01) Running from C:\Users\Admin\Downloads Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) (2012-07-11 14:16:55) Boot Mode: Safe Mode (with Networking) ========================================================== ==================== Accounts: ============================= Admin (S-1-5-21-1000093575-2614507329-1950583498-1000 - Administrator - Enabled) => C:\Users\Admin Administrator (S-1-5-21-1000093575-2614507329-1950583498-500 - Administrator - Disabled) Guest (S-1-5-21-1000093575-2614507329-1950583498-501 - Limited - Disabled) ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AV: Norton Internet Security (Enabled - Out of date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB} AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: Norton Internet Security (Enabled - Out of date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66} FW: Norton Internet Security (Enabled) {6BFC5632-188D-B806-D13E-C607121B42A0} ==================== Installed Programs ====================== (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) 32 Bit HP CIO Components Installer (Version: 7.1.8 - Hewlett-Packard) Hidden Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.228 - Adobe Systems Incorporated) Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.235 - Adobe Systems Incorporated) Adobe Reader X (10.1.15) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.15 - Adobe Systems Incorporated) Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.0.626 - Adobe Systems, Inc.) 
Apple Application Support (32-bit) (HKLM\...\{AFA1153A-F547-409B-B837-3A0D6C5A3FEC}) (Version: 3.1.3 - Apple Inc.) Apple Mobile Device Support (HKLM\...\{E1DB0812-2D60-43DB-AE09-6C7027D93B28}) (Version: 8.1.1.3 - Apple Inc.) Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.) Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version: - ) Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.) CCleaner (HKLM\...\CCleaner) (Version: 4.05 - Piriform) EZ Vinyl Converter by MixMeister 1.0.5 (HKLM\...\EZ Vinyl Converter by MixMeister_is1) (Version: - MixMeister Technology LLC) Google Chrome (HKLM\...\Google Chrome) (Version: 47.0.2526.106 - Google Inc.) Google Update Helper (Version: 1.3.29.1 - Google Inc.) Hidden HDAUDIO Soft Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118) (Version: - ) HP Photosmart Essential (HKLM\...\{EB21A812-671B-4D08-B974-2A347F0D8F70}) (Version: 1.12.0.46 - HP) HP Support Solutions Framework (HKLM\...\{44157EB3-D8D0-4BB1-B0F5-AD2C38814ED1}) (Version: 11.51.0027 - Hewlett-Packard Company) HP Update (HKLM\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard) HPSSupply (HKLM\...\{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}) (Version: 2.1.3.0000 - Hewlett Packard Development Company L.P.) Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: - ) Intel® PROSet/Wireless WiFi Software (HKLM\...\{35C0A1E4-D02A-412C-841F-266DBB116ABB}) (Version: 12.02.0000 - Intel® Corporation) iTunes (HKLM\...\{CE1F04C7-79BC-4219-BE6A-BA490224D4B5}) (Version: 12.1.2.27 - Apple Inc.) 
Java 7 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217040FF}) (Version: 7.0.400 - Oracle)
K-Lite Codec Pack 3.8.0 Basic (HKLM\...\KLiteCodecPack_is1) (Version: 3.8.0 - )
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Mozilla Firefox 38.0.5 (x86 en-GB) (HKLM\...\Mozilla Firefox 38.0.5 (x86 en-GB)) (Version: 38.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 38.0.1 - Mozilla)
Mozilla Thunderbird (3.0.4) (HKLM\...\Mozilla Thunderbird (3.0.4)) (Version: 3.0.4 (en-GB) - Mozilla)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Norton Internet Security (HKLM\...\NIS) (Version: 22.5.5.15 - Symantec Corporation)
OpenOffice.org 3.3 (HKLM\...\{82AF3E91-57E1-4754-84D0-40A46E2479AB}) (Version: 3.3.9567 - OpenOffice.org)
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
PowerDVD (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 7.2.2414.0 - CyberLink Corporation)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Scrabble™ Interactive 2009 Edition (HKLM\...\Scrabble™ Interactive 2009 Edition_is1) (Version: - )
Sky Broadband (HKLM\...\{14C35072-D7D0-4B29-B5BF-C94E426D77E9}) (Version: 1.0.0 - Sky Broadband)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
WinRAR archiver (HKLM\...\WinRAR archiver) (Version: - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {13E55A93-7D69-45AC-B477-3AE6030275AE} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Internet Security\Engine\22.5.5.15\WSCStub.exe [2015-11-20] (Symantec Corporation)
Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {26C02969-3FAC-428B-A511-9112B85C0884} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-07-23] (Google Inc.)
Task: {361387E9-F382-4C1E-AA6F-D937C684813A} - System32\Tasks\WebReg Photosmart 2570 series => C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
Task: {3C24B91F-DA21-4400-977A-FABE57D55681} - System32\Tasks\{0216116A-7830-4DB7-B174-E4592BE8F1FC} => pcalua.exe -a E:\setup.exe -d E:\
Task: {4027A9A6-D0A2-40B6-9409-AB044AEB6249} - \DealPly -> No File <==== ATTENTION
Task: {76C3F2E1-E302-4331-B6E6-43B8C276DABF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-07-23] (Google Inc.)
Task: {9C622FCB-B48F-431C-B78D-5C8021F68906} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files\Norton Internet Security\Engine\22.5.5.15\SymErr.exe [2015-11-05] (Symantec Corporation)
Task: {B638BB1B-99B3-428A-8192-9E15EB5FADC1} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)
Task: {BB67E233-ACCB-4F24-89A5-9D8130B83623} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-09] (Adobe Systems Incorporated)
Task: {BF49F21E-AE83-4A4F-A75C-748336DCB1C4} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files\Norton Internet Security\Engine\22.5.5.15\SymErr.exe [2015-11-05] (Symantec Corporation)
Task: {C168A01B-BA0C-4142-B1DE-33153C4705EA} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {F3C94791-39E7-40E9-9F28-81907E0C6AF4} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-08-21] (Piriform Ltd)
Task: {F55F85D3-8FDE-479E-82E0-A9BB339AA8E2} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)
==================== Loaded Modules (Whitelisted) ==============

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 10:23 - 2006-09-18 21:41 - 00000761 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: gusvc => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\startupfolder: C:^Users^Admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk => C:\Windows\pss\OpenOffice.org 3.3.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: ehTray.exe => C:\Windows\ehome\ehTray.exe
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: LanguageShortcut => "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: RemoteControl => "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
MSCONFIG\startupreg: Sidebar => C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
MSCONFIG\startupreg: SpybotSD TeaTimer => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: Windows Defender => %ProgramFiles%\Windows Defender\MSASCui.exe -hide
MSCONFIG\startupreg: WMPNSCFG => C:\Program Files\Windows Media Player\WMPNSCFG.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [{D941D196-2017-4DBC-ABE9-4361D69D453A}] => (Allow) LPort=80
FirewallRules: [{F848ABCE-8030-4BF5-98F6-9B033AA7E043}] => (Allow) LPort=80
FirewallRules: [{2953DFCC-EB53-4798-8185-9529FD204347}] => (Allow) LPort=80
FirewallRules: [{402D8B00-2C88-429B-B3A6-CE3C62FBEF29}] => (Allow) C:\Program Files\Ubisoft\Scrabble2009\ScrabblePCR.exe
FirewallRules: [{8F934D5F-241A-4DA8-9395-1822F0E3B5F6}] => (Allow) C:\Program Files\Ubisoft\Scrabble2009\ScrabblePCR.exe
FirewallRules: [{FB1F94EC-3421-4554-93CF-25037893159D}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{C33AFD6D-1972-421A-B523-2CA0CFFA5C98}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{0BF1D1E1-7351-4615-8B65-0AFB7F25C4C1}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{172A7052-D107-40F1-9688-2D9E24AA629F}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{5BD104A6-93ED-48E2-9A00-EE2EC56D26FF}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{89C19AE9-8F97-453F-8524-28DBF1FB9C7C}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{1AEB1AFB-1B9C-4795-855C-781C78332E39}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
DomainProfile\AuthorizedApplications: [C:\Program Files\Ubisoft\Scrabble2009\ScrabblePCR.exe] => Enabled:ScrabblePCR
StandardProfile\AuthorizedApplications: [C:\Program Files\Ubisoft\Scrabble2009\ScrabblePCR.exe] => Enabled:ScrabblePCR

==================== Restore Points =========================

10-01-2016 20:55:57 Scheduled Checkpoint
11-01-2016 09:29:46 Scheduled Checkpoint
13-01-2016 10:04:22 Windows Update
14-01-2016 12:22:18 Scheduled Checkpoint
15-01-2016 19:33:01 Scheduled Checkpoint
17-01-2016 16:24:27 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/18/2016 01:31:10 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (01/17/2016 06:34:21 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4621140

Error: (01/17/2016 06:34:21 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4621140

Error: (01/17/2016 06:34:20 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/15/2016 08:26:12 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2724354

Error: (01/15/2016 08:26:12 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 2724354

Error: (01/15/2016 08:26:12 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/13/2016 10:33:03 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4

Error: (01/13/2016 10:33:02 AM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (01/11/2016 05:31:56 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 13467816

System errors:
=============
Error: (01/18/2016 01:31:32 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: BHDrvx86 ccSet_NIS eeCtrl IDSVix86 spldr SRTSP SRTSPX SymIRON SYMTDIv Wanarpv6

Error: (01/18/2016 01:31:32 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Computer BrowserServer%%1068

Error: (01/18/2016 01:31:17 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: C:\Windows\System32\IWMSSvc.dll21

Error: (01/18/2016 01:31:16 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (01/18/2016 01:31:15 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (01/18/2016 01:31:13 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (01/18/2016 01:31:10 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/18/2016 01:31:02 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (01/15/2016 02:16:49 PM) (Source: ACPI) (EventID: 13) (User: )
Description: : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

Error: (01/14/2016 09:54:52 PM) (Source: ACPI) (EventID: 13) (User: )
Description: : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly.
You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

CodeIntegrity:
===================================
Date: 2016-01-18 13:33:58.383
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\SYMEVENT.SYS because the set of per-page image hashes could not be found on the system.

Date: 2016-01-18 13:33:57.946
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\SYMEVENT.SYS because the set of per-page image hashes could not be found on the system.

Date: 2016-01-18 13:33:57.509
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\SYMEVENT.SYS because the set of per-page image hashes could not be found on the system.

Date: 2016-01-18 13:33:57.057
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\SYMEVENT.SYS because the set of per-page image hashes could not be found on the system.

Date: 2016-01-18 13:33:37.641
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\BASHDefs\20160114.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-01-18 13:33:37.173
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\BASHDefs\20160114.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-01-18 13:33:36.705
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\BASHDefs\20160114.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-01-18 13:33:36.253
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\BASHDefs\20160114.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-01-15 09:35:11.559
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\BASHDefs\20160104.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-01-15 09:35:11.230
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\BASHDefs\20160104.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system.
==================== Memory info ===========================

Processor: Genuine Intel® CPU T2300 @ 1.66GHz
Percentage of memory in use: 45%
Total physical RAM: 1525.38 MB
Available physical RAM: 834.75 MB
Total Virtual: 3304.57 MB
Available Virtual: 2727.7 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:52.14 GB) (Free:16.16 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:51.84 GB) (Free:41.01 GB) NTFS
Drive g: (Cruzer) (Removable) (Total:7.47 GB) (Free:3.74 GB) FAT32
Drive h: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 111.8 GB) (Disk ID: 83DF4CFC)
Partition 1: (Not Active) - (Size=7.8 GB) - (Type=27)
Partition 2: (Active) - (Size=52.1 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=51.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7.5 GB) (Disk ID: 00000000)
Partition: GPT.

==================== End of Additi
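An FRST log is long, and the lines a helper actually acts on are a small fraction of it. As an added example (not part of this thread and not one of Farbar's tools), the script below reads an FRST log and pulls out the entries FRST itself marks with "<==== ATTENTION", autoruns and tasks whose target file no longer exists ("No File", "[X]"), security products reporting themselves out of date, the "Windows Firewall is disabled." line, and autoruns whose target sits on a drive other than C:. The sample log is a constructed excerpt built from lines of the FRST logs posted in this thread; the rule set and the severity ratings are this example's own assumptions, not anything FRST defines.

```python
"""Triage an FRST log (FRST.txt or Addition.txt) for the entries worth a second look.

Added example, not part of the thread and not a Farbar tool. The rules are this
script's own heuristics built on markers FRST prints in its logs ("<==== ATTENTION",
"No File", "[X]", "Out of date"); the sample input is a constructed excerpt of the
logs posted in the thread.
"""
import re
from dataclasses import dataclass

# "==================== Security Center ========================" -> "Security Center"
SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")
# Lines that describe something that runs at boot/logon, where the target path matters.
AUTORUN_RE = re.compile(r"^(?:Task:|HKLM\\|HKU\\|Winlogon\\|ShellExecuteHooks:|MSCONFIG\\)")
# A target on any drive letter other than C: (removable media, a second disk, a
# drive that is no longer plugged in).
OTHER_DRIVE_RE = re.compile(r"(?<![A-Za-z0-9])[D-Z]:\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    reason: str
    section: str
    line: str


def classify(section, line):
    """Return (severity, reason) for one log line, or None if it is unremarkable."""
    if "<==== ATTENTION" in line:
        return "high", "flagged by FRST"
    if line == "Windows Firewall is disabled.":
        return "high", "host firewall disabled"
    if "No File" in line or line.endswith("[X]"):
        return "medium", "autorun or task points at a file that no longer exists"
    if section == "Security Center" and "Out of date" in line:
        return "medium", "security product reports itself out of date"
    if AUTORUN_RE.match(line) and OTHER_DRIVE_RE.search(line):
        return "low", "autorun target lives on a non-system drive"
    return None


def triage(log_text):
    """Walk the log, tracking the current section header, and collect findings."""
    findings = []
    section = "(header)"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).rstrip(":")
            continue
        hit = classify(section, line)
        if hit:
            findings.append(Finding(hit[0], hit[1], section, line))
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed excerpt: lines taken from the FRST logs in this thread.
SAMPLE_LOG = r"""
Additional scan result of Farbar Recovery Scan Tool (x86) Version:17-01-2015
Boot Mode: Safe Mode (with Networking)

==================== Security Center ========================

AV: Norton Internet Security (Enabled - Out of date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security (Enabled) {6BFC5632-188D-B806-D13E-C607121B42A0}

==================== Scheduled Tasks (Whitelisted) =============

Task: {26C02969-3FAC-428B-A511-9112B85C0884} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-07-23] (Google Inc.)
Task: {3C24B91F-DA21-4400-977A-FABE57D55681} - System32\Tasks\{0216116A-7830-4DB7-B174-E4592BE8F1FC} => pcalua.exe -a E:\setup.exe -d E:\
Task: {4027A9A6-D0A2-40B6-9409-AB044AEB6249} - \DealPly -> No File <==== ATTENTION

==================== Other Areas ============================

DNS Servers: 192.168.0.1
Windows Firewall is disabled.

==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [NWEReboot] => [X]
Winlogon\Notify\!SASWinLogon: F:\SASWINLO.DLL [X]
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - F:\SASSEH.DLL No File [ ]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a real Addition.txt with `triage(open(path, encoding="utf-8", errors="replace").read())`. The point of keeping the section name on each finding is that the same text means different things in different places: "Out of date" only matters in the Security Center block, and a drive letter other than C: is only interesting when it is the target of something that runs automatically.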
ExTS Admin Starbuck Posted January 18, 2016

Hi there,

A few things we need to deal with:

Step 1
Spybot - Search & Destroy

We stopped recommending this a while back due to poor scanning results. Plus, TeaTimer is more trouble than it's worth. I recommend that you uninstall it.
But for the uninstall to complete you will need to re-enable TeaTimer in MsConfig.

MSCONFIG\startupreg: SpybotSD TeaTimer => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Once re-enabled you will have to stop it properly.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in the bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck the 'TeaTimer' box and/or uncheck 'Resident'.
Then, check next to the computer clock to see if the icon for Spybot is still there. If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.
Then run the uninstaller from Add or Remove Programs in the Control Panel.

Step 2
Let's clean out some traces of Adware:

Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator.
Click I agree to the Terms of Use.
Click on the Scan button.
AdwCleaner will begin to scan your computer.
After the scan has finished...
Click on the Cleaning button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[C0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\ folder.

Step 3
Unfortunately we don't get a full set of reports from FRST when run in Safe Mode.
Boot Mode: Safe Mode (with Networking)

After running the above steps, please re-run FRST using the instructions below (then I'll be able to deal with what is left over).

Please re-run FRST.
Make sure that Addition.txt is selected at the bottom.
Then press the Scan button.
http://img.photobucket.com/albums/v708/starbuck50/newfrst_zpsa63ffa3d.png
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
It will also make another log (Addition.txt). Please copy and paste it to your reply also.

In your next reply, please submit:
AdwCleaner report
and the new set of reports from FRST.

Also... why is Norton out of date? Is this because the system has been offline?

Thanks.

Member of: UNITE
A Bit Annoyed (Author) Posted January 18, 2016

Thank you so much for your quick reply. Next time I can get to Dad's, I will do everything you suggest. Not sure about Norton. It wouldn't let me run FRST, which is why I ended up in Safe Mode, but I will double check that one. To be honest, I never wanted him to have Norton but he had signed up to it before I had a say in it.
So glad I found this forum, thank you for helping me out.
ExTS Admin Starbuck Posted January 18, 2016

Hi,

Yes, Norton doesn't like FRST. Best disable Norton before running FRST.
Also, I forgot to mention... please run AdwCleaner in normal mode.
No rush, just post when you can.

Member of: UNITE
A Bit Annoyed (Author) Posted January 22, 2016

# AdwCleaner v5.030 - Logfile created 22/01/2016 at 14:53:20
# Updated 17/01/2016 by Xplode
# Database : 2016-01-19.2 [server]
# Operating system : Windows Vista Home Premium Service Pack 2 (x86)
# Username : Admin - ADMIN-PC
# Running from : G:\antimalware products\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Admin\AppData\LocalLow\BabylonToolbar

***** [ Files ] *****

[-] File Deleted : C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\user.js

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

[-] Task Deleted : Dealply

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]

***** [ Web browsers ] *****

[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=111803&babsrc=NT_ss&mntrId=d2fdf9320000000000000019d220cce2");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("browser.startup.homepage", "hxxp://search.babylon.com/?affID=111803&babsrc=HP_ss&mntrId=d2fdf9320000000000000019d220cce2");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=111803");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "d2fdf9320000000000000019d220cce2");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.id", "d2fdf9320000000000000019d220cce2");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15534");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=111803&babsrc=NT_ss&mntrId=d2fdf9320000000000000019d220cce2");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1710:07:26");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.dealply.channel", "vitafilewin");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.dealply.firstUseDate", "1342170448176");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.dealply.installId", "v23500251870085901197612012071310071228");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.dealply.installIdSource", "inst");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.dealply.lastHeartBitDate", "2013_6_19");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.dealply.partner", "vita");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.dealply.ranIM1", "1");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("extensions.dealply.sampleGroup", "8");
[-] [C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\prefs.js] [Preference] Deleted : user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=111803&babsrc=KW_ss&mntrId=d2fdf9320000000000000019d220cce2&q=");
[-] [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : bopakagnckmlgajfccecajhnimjiiedh
[-] [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : dhkplhfnhceodhffomolpfigojocbpcb

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [6865 bytes] ##########
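AdwCleaner lists the Firefox preferences it deleted but does not say what made each one suspicious. As an added example, not part of the thread and not AdwCleaner's code, the script below parses a prefs.js in Firefox's own user_pref() syntax and flags the same kinds of entries: navigation preferences (homepage, new tab, address-bar keyword search) pointing at a host outside an allowlist, browser.search.* entries that name a known hijacker, and preference namespaces left behind by the Babylon and DealPly toolbars. The sample prefs.js is a constructed excerpt of the log above (with the log's hxxp defanging kept) plus two benign prefs for contrast; the trusted-host list and the hijacker marker list are assumptions of this example.

```python
"""Audit a Firefox prefs.js for search/homepage hijacking and leftover adware prefs.

Added example, not part of the thread and not AdwCleaner's code. user_pref() is
Firefox's own prefs.js syntax; the indicators (search.babylon.com, BabylonToolbar,
dealply) come from the AdwCleaner log in the thread. The trusted-host list is an
assumption made for this example.
"""
import re
from urllib.parse import urlparse

USER_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);$')

# Prefs that decide where the browser navigates on its own; hijackers rewrite these.
NAVIGATION_PREFS = {"browser.startup.homepage", "browser.newtab.url", "keyword.URL"}
# Hosts the user is known to want as homepage/search (assumption for this example).
TRUSTED_HOSTS = {"www.google.com", "www.google.co.uk", "duckduckgo.com", "www.skybroadband.com"}
# Pref namespaces written by the adware seen in the AdwCleaner log.
ADWARE_PREF_PREFIXES = ("extensions.BabylonToolbar_i.", "extensions.dealply.", "browser.babylon.")
# Names of hijacker search engines to look for inside browser.search.* values.
HIJACK_MARKERS = ("babylon", "dealply")


def parse_prefs(text):
    """Turn user_pref("name", value); lines into a dict with typed values."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref()
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as the raw token
    return prefs


def audit_prefs(prefs):
    """Return (pref_name, problem) pairs for every suspicious preference."""
    problems = []
    for name, value in prefs.items():
        if name in NAVIGATION_PREFS and isinstance(value, str):
            # Cleaner logs defang URLs as hxxp; a real prefs.js holds http(s).
            host = urlparse(value.replace("hxxp", "http", 1)).hostname
            if host and host not in TRUSTED_HOSTS:
                problems.append((name, f"points at untrusted host {host}"))
        elif name.startswith(ADWARE_PREF_PREFIXES):
            problems.append((name, "leftover adware extension preference"))
        elif (name.startswith("browser.search.") and isinstance(value, str)
              and any(marker in value.lower() for marker in HIJACK_MARKERS)):
            problems.append((name, f"search engine entry names a hijacker: {value!r}"))
    return problems


def hijack_report(prefs_js_text):
    return audit_prefs(parse_prefs(prefs_js_text))


# Constructed excerpt of the prefs AdwCleaner removed, plus two benign prefs for contrast.
SAMPLE_PREFS = r"""
// Mozilla User Preferences (constructed excerpt; hxxp is the log's defanging)
user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=111803&babsrc=NT_ss&mntrId=d2fdf9320000000000000019d220cce2");
user_pref("browser.search.order.1", "Search the web (Babylon)");
user_pref("browser.startup.homepage", "hxxp://search.babylon.com/?affID=111803&babsrc=HP_ss&mntrId=d2fdf9320000000000000019d220cce2");
user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
user_pref("extensions.BabylonToolbar_i.newTab", true);
user_pref("extensions.dealply.sampleGroup", "8");
user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=111803&babsrc=KW_ss&mntrId=d2fdf9320000000000000019d220cce2&q=");
user_pref("browser.startup.page", 1);
user_pref("browser.search.defaultenginename", "Google");
"""

if __name__ == "__main__":
    for name, problem in hijack_report(SAMPLE_PREFS):
        print(f"{name}: {problem}")
```

To check a live profile, pass the contents of `%APPDATA%\Mozilla\Firefox\Profiles\<profile>\prefs.js` to `hijack_report()` with Firefox closed. Note the log above also deleted a `user.js` from the same profile: that file overrides prefs.js on every start, so a cleaned prefs.js is not enough if a hijacker's user.js is still there, and it is worth running the same audit over both files.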
A Bit Annoyed (Author) Posted January 22, 2016

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:18-01-2016
Ran by Admin (administrator) on ADMIN-PC (22-01-2016 15:12:04)
Running from C:\Users\Admin\Downloads
Loaded Profiles: Admin (Available Profiles: Admin)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Hewlett-Packard Company) C:\Program Files\HP\Common\HPSupportSolutionsFrameworkService.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\22.5.5.15\nis.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files\CyberLink\Shared Files\RichVideo.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\22.5.5.15\nis.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Admin\Downloads\FRST (2).exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NWEReboot] => [X]
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [998104 2015-07-07] (Adobe Systems Incorporated) Winlogon\Notify\!SASWinLogon: F:\SASWINLO.DLL [X] HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation) HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-21] (Microsoft Corporation) HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\...\MountPoints2: {d38da53a-ccdc-11e1-9f4a-0016d4b23538} - H:\LaunchU3.exe -a HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [704512 2009-04-11] (Microsoft Corporation) ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - F:\SASSEH.DLL No File [ ] ShellIconOverlayIdentifiers: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Internet Security\Engine\22.5.5.15\buShell.dll [2015-11-05] (Symantec Corporation) ShellIconOverlayIdentifiers: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Internet Security\Engine\22.5.5.15\buShell.dll [2015-11-05] (Symantec Corporation) ShellIconOverlayIdentifiers: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Internet Security\Engine\22.5.5.15\buShell.dll [2015-11-05] (Symantec Corporation) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.) 
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 Tcpip\..\Interfaces\{538F1621-5099-4C03-BD04-BE2A05E2F80F}: [DhcpNameServer] 192.168.0.1 Tcpip\..\Interfaces\{C581A5FF-006B-459F-9BCF-4145EA3C9B61}: [DhcpNameServer] 192.168.0.1 Internet Explorer: ================== HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.norton.com HKU\S-1-5-21-1000093575-2614507329-1950583498-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.skybroadband.com SearchScopes: HKU\S-1-5-21-1000093575-2614507329-1950583498-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26] (Safer Networking Limited) BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation) BHO: No Name -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-09-20] (Oracle Corporation) BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-09-20] (Oracle Corporation) Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation) Toolbar: HKU\S-1-5-21-1000093575-2614507329-1950583498-1000 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\22.5.5.15\coIEPlg.dll [2015-11-05] (Symantec Corporation) DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_40-windows-i586.cab DPF: {CAFEEFAC-0017-0000-0040-ABCDEFFEDCBA} 
hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_40-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_40-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab FireFox: ======== FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default FF SelectedSearchEngine: Google FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-09] () FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [2011-06-10] (Adobe Systems, Inc.) FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] () FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll [2014-01-06] (Google, Inc.) FF Plugin: @java.com/DTPlugin,version=10.40.2 -> C:\Windows\system32\npDeployJava1.dll [2013-09-20] (Oracle Corporation) FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-09-20] (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=10.40.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-09-20] (Oracle Corporation) FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation) FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-11-30] (Google Inc.) FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-11-30] (Google Inc.) FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-06-26] (Adobe Systems Inc.) 
FF Extension: Adblock Plus - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qrmtdt7e.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-12-18] FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-07-14] [not signed] FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.0.124\coFFAddon FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.0.124\coFFAddon [2016-01-13] FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-04-03] Chrome: ======= CHR Profile: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default CHR Extension: (YouTube) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-28] CHR Extension: (Adblock Plus) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-01-13] CHR Extension: (Google Search) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-30] CHR Extension: (ABlock) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcchaiacddlgkccppchimljondmpikpg [2015-12-18] CHR Extension: (Chrome Web Store Payments) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-24] CHR Extension: (Gmail) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-29] CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Internet 
Security\Engine\22.5.5.15\Exts\Chrome.crx [2015-11-05] CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx StartMenuInternet: Google Chrome.CI6XXID4S2E4GYKPJ7WETYJMDQ - C:\Users\Admin\AppData\Local\Google\Chrome\Application\chrome.exe ==================== Services (Whitelisted) ======================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 EvtEng; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [860160 2008-10-16] (Intel® Corporation) [File not signed] R2 HPSupportSolutionsFrameworkService; C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe [89352 2014-09-15] (Hewlett-Packard Company) R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed] R2 NIS; C:\Program Files\Norton Internet Security\Engine\22.5.5.15\NIS.exe [282016 2015-11-20] (Symantec Corporation) R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed] R2 RegSrvc; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [466944 2008-10-16] (Intel® Corporation) [File not signed] R2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [167936 2005-08-08] () [File not signed] S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation) ===================== Drivers (Whitelisted) ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) 
R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\BASHDefs\20160119.001\BHDrvx86.sys [1193032 2015-10-08] (Symantec Corporation) R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1605050.00F\ccSetx86.sys [137456 2015-07-11] (Symantec Corporation) R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [389968 2015-11-18] (Symantec Corporation) R3 EMSCR; C:\Windows\System32\DRIVERS\EMS7SK.sys [68096 2007-08-16] (ENE Technology Inc.) R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [125264 2015-11-18] (Symantec Corporation) R3 ESDCR; C:\Windows\System32\DRIVERS\ESD7SK.sys [47104 2007-08-16] (ENE Technology Inc.) R3 ESMCR; C:\Windows\System32\DRIVERS\ESM7SK.sys [64512 2007-08-16] (ENE Technology Inc.) R1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\IPSDefs\20160120.001\IDSvix86.sys [580344 2015-12-04] (Symantec Corporation) R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\VirusDefs\20160121.049\NAVENG.SYS [104440 2015-10-30] (Symantec Corporation) R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\22.5.0.124\Definitions\VirusDefs\20160121.049\NAVEX15.SYS [1647216 2015-10-30] (Symantec Corporation) S3 Ph3xIB32; C:\Windows\System32\DRIVERS\Ph3xIB32.sys [1131136 2007-04-03] (Philips Semiconductors GmbH) R3 SRTSP; C:\Windows\System32\Drivers\NIS\1605050.00F\SRTSP.SYS [712944 2015-11-11] (Symantec Corporation) R1 SRTSPX; C:\Windows\system32\drivers\NIS\1605050.00F\SRTSPX.SYS [44792 2015-07-11] (Symantec Corporation) R0 SymEFASI; C:\Windows\System32\drivers\NIS\1605050.00F\SYMEFASI.SYS [1287408 2015-11-11] (Symantec Corporation) R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [103152 2015-07-27] (Symantec Corporation) R1 SymIRON; C:\Windows\system32\drivers\NIS\1605050.00F\Ironx86.SYS [234744 2015-07-11] (Symantec Corporation) R1 SYMTDIv; 
C:\Windows\System32\Drivers\NIS\1605050.00F\SYMTDIV.SYS [358104 2015-11-11] (Symantec Corporation) S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2012-12-13] (Apple, Inc.) [File not signed] R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B}; C:\Program Files\CyberLink\PowerDVD\000.fcl [13560 2006-11-02] (Cyberlink Corp.) S3 IpInIp; system32\DRIVERS\ipinip.sys [X] S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X] S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2016-01-22 15:11 - 2016-01-22 15:12 - 00000000 ____D C:\FRST 2016-01-22 15:11 - 2016-01-22 15:11 - 01721856 _____ (Farbar) C:\Users\Admin\Downloads\FRST (2).exe 2016-01-22 14:39 - 2016-01-22 14:53 - 00000000 ____D C:\AdwCleaner 2016-01-21 12:33 - 2016-01-21 12:34 - 05459456 _____ C:\Users\Admin\Downloads\Speciaaltjes1.pps 2016-01-20 17:20 - 2016-01-20 17:20 - 00505070 _____ C:\Users\Admin\Downloads\Top-002 (41).BMP 2016-01-20 10:00 - 2016-01-20 10:00 - 00129165 _____ C:\Users\Admin\Downloads\SI118713.pdf 2016-01-20 09:47 - 2016-01-20 09:47 - 00505070 _____ C:\Users\Admin\Downloads\Top-001 (56).BMP 2016-01-20 09:47 - 2016-01-20 09:47 - 00505070 _____ C:\Users\Admin\Downloads\SAROUK Print.bmp 2016-01-20 08:44 - 2016-01-20 08:45 - 00505070 _____ C:\Users\Admin\Downloads\Top.BMP 2016-01-18 19:47 - 2016-01-18 19:47 - 00166314 _____ C:\Users\Admin\Downloads\attachments_2016_01_18 (1).zip 2016-01-18 19:42 - 2016-01-18 19:42 - 00166314 _____ C:\Users\Admin\Downloads\attachments_2016_01_18.zip 2016-01-18 13:35 - 2016-01-18 13:35 - 00023498 _____ C:\Users\Admin\Downloads\Addition.txt 2016-01-18 13:33 - 2016-01-22 15:12 - 00015258 _____ C:\Users\Admin\Downloads\FRST.txt 2016-01-18 13:33 - 
2016-01-18 13:33 - 01721856 _____ (Farbar) C:\Users\Admin\Downloads\FRST (1).exe 2016-01-18 13:32 - 2016-01-18 13:33 - 01721856 _____ (Farbar) C:\Users\Admin\Downloads\FRST.exe 2016-01-18 13:30 - 2016-01-18 13:30 - 00077740 _____ C:\Windows\ntbtlog.txt 2016-01-14 17:43 - 2016-01-14 17:43 - 00505070 _____ C:\Users\Admin\Downloads\Top-002 (40).BMP 2016-01-14 14:26 - 2016-01-14 14:26 - 00505070 _____ C:\Users\Admin\Downloads\Top-001 (55).BMP 2016-01-13 10:34 - 2015-12-05 17:03 - 02873344 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll 2016-01-13 10:34 - 2015-12-05 17:03 - 01567744 _____ (Microsoft Corporation) C:\Windows\system32\WMVENCOD.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 01377792 _____ (Microsoft Corporation) C:\Windows\system32\WMVSDECD.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 01326080 _____ (Microsoft Corporation) C:\Windows\system32\WMSPDMOE.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 01314816 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll 2016-01-13 10:34 - 2015-12-05 17:03 - 01114624 _____ (Microsoft Corporation) C:\Windows\system32\WMADMOE.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 00867328 _____ (Microsoft Corporation) C:\Windows\system32\wmpmde.dll 2016-01-13 10:34 - 2015-12-05 17:03 - 00767488 _____ (Microsoft Corporation) C:\Windows\system32\WMVSENCD.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 00759296 _____ (Microsoft Corporation) C:\Windows\system32\WMADMOD.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 00650240 _____ (Microsoft Corporation) C:\Windows\system32\WMVXENCD.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 00605184 _____ (Microsoft Corporation) C:\Windows\system32\WMSPDMOD.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 00506880 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll 2016-01-13 10:34 - 2015-12-05 17:03 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll 2016-01-13 10:34 - 2015-12-05 17:03 
- 00243200 _____ (Microsoft Corporation) C:\Windows\system32\VIDRESZR.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 00212992 _____ (Microsoft Corporation) C:\Windows\system32\RESAMPLEDMO.DLL 2016-01-13 10:34 - 2015-12-05 17:03 - 00208896 _____ (Microsoft Corporation) C:\Windows\system32\qasf.dll 2016-01-13 10:34 - 2015-12-05 17:02 - 00853504 _____ (Microsoft Corporation) C:\Windows\system32\mcmde.dll 2016-01-13 10:34 - 2015-12-05 17:02 - 00613888 _____ (Microsoft Corporation) C:\Windows\system32\MSMPEG2VDEC.DLL 2016-01-13 10:34 - 2015-12-05 17:02 - 00606208 _____ (Microsoft Corporation) C:\Windows\system32\MFWMAAEC.DLL 2016-01-13 10:34 - 2015-12-05 17:02 - 00506880 _____ (Microsoft Corporation) C:\Windows\system32\MSMPEG2ENC.DLL 2016-01-13 10:34 - 2015-12-05 17:02 - 00480256 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll 2016-01-13 10:34 - 2015-12-05 17:02 - 00391680 _____ (Microsoft Corporation) C:\Windows\system32\MSMPEG2ADEC.DLL 2016-01-13 10:34 - 2015-12-05 17:02 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\MP4SDECD.DLL 2016-01-13 10:34 - 2015-12-05 17:02 - 00254976 _____ (Microsoft Corporation) C:\Windows\system32\MPG4DECD.DLL 2016-01-13 10:34 - 2015-12-05 17:02 - 00254976 _____ (Microsoft Corporation) C:\Windows\system32\MP43DECD.DLL 2016-01-13 10:34 - 2015-12-05 17:02 - 00209920 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll 2016-01-13 10:34 - 2015-12-05 17:02 - 00158208 _____ (Microsoft Corporation) C:\Windows\system32\COLORCNV.DLL 2016-01-13 10:34 - 2015-12-05 17:02 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ksproxy.ax 2016-01-13 10:34 - 2015-12-05 17:02 - 00080896 _____ (Microsoft Corporation) C:\Windows\system32\MP3DMOD.DLL 2016-01-13 10:34 - 2015-12-05 17:02 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\devenum.dll 2016-01-13 10:34 - 2015-12-05 17:02 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\mfvdsp.dll 2016-01-13 10:34 - 2015-12-05 16:44 - 00130048 _____ (Microsoft 
Corporation) C:\Windows\system32\Drivers\drmk.sys 2016-01-13 10:34 - 2015-12-05 15:24 - 02068480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys 2016-01-13 10:34 - 2015-11-13 16:56 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\mapistub.dll 2016-01-13 10:34 - 2015-11-13 16:56 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\mapi32.dll 2016-01-13 10:34 - 2015-11-13 15:27 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\fixmapi.exe 2016-01-13 10:33 - 2015-12-08 17:01 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll 2016-01-13 10:09 - 2015-12-05 17:02 - 00298496 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll 2016-01-13 10:06 - 2015-12-30 17:12 - 03609024 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe 2016-01-13 10:06 - 2015-12-30 17:12 - 03556800 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe 2016-01-12 20:03 - 2015-12-15 21:50 - 01814528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll 2016-01-12 20:03 - 2015-12-15 21:49 - 12388864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll 2016-01-12 20:03 - 2015-12-15 21:47 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec 2016-01-12 20:03 - 2015-12-15 21:46 - 09753088 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll 2016-01-12 20:03 - 2015-12-15 21:45 - 01140224 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll 2016-01-12 20:03 - 2015-12-15 21:45 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll 2016-01-12 20:03 - 2015-12-15 21:44 - 01804800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll 2016-01-12 20:03 - 2015-12-15 21:44 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl 2016-01-12 20:03 - 2015-12-15 21:44 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll 2016-01-12 20:03 - 2015-12-15 21:44 - 00424960 _____ (Microsoft Corporation) 
C:\Windows\system32\vbscript.dll 2016-01-12 20:03 - 2015-12-15 21:44 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll 2016-01-12 20:03 - 2015-12-15 21:44 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe 2016-01-12 20:03 - 2015-12-15 21:44 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll 2016-01-12 20:03 - 2015-12-15 21:43 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb 2016-01-12 20:03 - 2015-12-15 21:43 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll 2016-01-12 20:03 - 2015-12-15 21:43 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll 2016-01-12 20:03 - 2015-12-15 21:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll 2016-01-12 20:03 - 2015-12-15 21:43 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll 2016-01-12 20:03 - 2015-12-15 21:43 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll 2016-01-12 20:03 - 2015-12-15 21:43 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll 2016-01-12 20:03 - 2015-12-15 21:43 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe 2016-01-12 20:03 - 2015-12-15 21:43 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe 2016-01-08 14:16 - 2016-01-08 14:16 - 00027785 _____ C:\Users\Admin\Downloads\J2947 VQ4.pdf 2016-01-07 16:51 - 2016-01-07 16:51 - 00505070 _____ C:\Users\Admin\Downloads\Top-001 (54).BMP 2016-01-07 12:32 - 2016-01-07 12:32 - 05414139 _____ C:\Users\Admin\Downloads\EPSON028 (1).PDF 2016-01-07 12:28 - 2016-01-07 12:28 - 05414139 _____ C:\Users\Admin\Downloads\EPSON028.PDF 2016-01-07 12:09 - 2016-01-07 12:09 - 00007508 _____ C:\Users\Admin\Downloads\INVCRD0000844169.pdf 2016-01-07 12:07 - 2016-01-07 12:07 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722 (5).pdf 2016-01-07 12:07 - 2016-01-07 12:07 - 00022257 _____ 
C:\Users\Admin\Downloads\EXPDOC0000838722 (4).pdf 2016-01-07 12:06 - 2016-01-07 12:06 - 00022248 _____ C:\Users\Admin\Downloads\EXPDOC0000838720 (1).pdf 2016-01-07 12:05 - 2016-01-07 12:05 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722 (3).pdf 2016-01-07 12:02 - 2016-01-07 12:02 - 00007198 _____ C:\Users\Admin\Downloads\INVCRD0000844170 (1).pdf 2016-01-07 12:01 - 2016-01-07 12:01 - 00007185 _____ C:\Users\Admin\Downloads\INVCRD0000844168 (2).pdf 2016-01-07 11:59 - 2016-01-07 11:59 - 00007185 _____ C:\Users\Admin\Downloads\INVCRD0000844168 (1).pdf 2016-01-07 09:34 - 2016-01-07 09:34 - 00505070 _____ C:\Users\Admin\Downloads\Top (100).BMP 2016-01-06 12:30 - 2016-01-06 12:30 - 03489285 _____ C:\Users\Admin\Downloads\SH numbered seat plan with door numbers new logo & E29 GT 300408.pdf 2016-01-06 12:30 - 2016-01-06 12:30 - 03489285 _____ C:\Users\Admin\Downloads\SH numbered seat plan with door numbers new logo & E29 GT 300408 (1).pdf 2016-01-05 17:44 - 2016-01-05 17:44 - 00034903 _____ C:\Users\Admin\Downloads\Attached Message Part (1) 2016-01-05 17:44 - 2016-01-05 17:44 - 00034903 _____ C:\Users\Admin\Downloads\Attached Message Part 2016-01-04 17:04 - 2016-01-04 17:04 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722 (2).pdf 2016-01-04 17:02 - 2016-01-04 17:02 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722 (1).pdf 2016-01-04 17:01 - 2016-01-04 17:01 - 00007198 _____ C:\Users\Admin\Downloads\INVCRD0000844170.pdf 2016-01-04 16:58 - 2016-01-04 16:58 - 00007185 _____ C:\Users\Admin\Downloads\INVCRD0000844168.pdf 2016-01-04 16:25 - 2016-01-04 16:25 - 00022257 _____ C:\Users\Admin\Downloads\EXPDOC0000838722.pdf 2016-01-04 16:24 - 2016-01-04 16:24 - 00022248 _____ C:\Users\Admin\Downloads\EXPDOC0000838720.pdf ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2016-01-22 15:11 - 2006-11-02 11:18 - 00000000 ____D C:\Windows 2016-01-22 14:56 - 2006-11-02 13:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2016-01-22 14:56 - 2006-11-02 12:47 - 00004240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 2016-01-22 14:56 - 2006-11-02 12:47 - 00004240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 2016-01-22 14:55 - 2006-11-02 13:01 - 00032622 _____ C:\Windows\Tasks\SCHEDLGU.TXT 2016-01-22 14:38 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\inf 2016-01-22 14:38 - 2006-11-02 10:33 - 00759582 _____ C:\Windows\system32\PerfStringBackup.INI 2016-01-22 14:37 - 2013-02-16 14:51 - 00000000 ____D C:\Users\Admin\AppData\Roaming\U3 2016-01-22 14:23 - 2012-07-11 14:37 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy 2016-01-13 23:26 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\rescache 2016-01-13 11:00 - 2006-11-02 12:47 - 00260016 _____ C:\Windows\system32\FNTCACHE.DAT 2016-01-13 10:33 - 2013-08-15 08:05 - 00000000 ____D C:\Windows\system32\MRT 2016-01-13 10:10 - 2006-11-02 10:24 - 141317472 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe ==================== Files in the root of some directories ======= 2015-08-28 09:05 - 2015-08-28 09:05 - 6420480 _____ () C:\Program Files\GUTEBF5.tmp 2013-09-19 19:58 - 2013-09-19 19:58 - 0000680 _____ () C:\Users\Admin\AppData\Local\d3d9caps.dat 2012-08-12 15:50 - 2014-08-26 13:35 - 0005632 _____ () C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2012-10-21 10:34 - 2013-04-10 14:12 - 0034802 _____ () C:\ProgramData\hpzinstall.log Some files in TEMP: ==================== C:\Users\Admin\AppData\Local\Temp\sqlite3.dll ==================== Bamital & volsnap ================= (There is no automatic fix for files that do not pass verification.) 
C:\Windows\explorer.exe => File is digitally signed C:\Windows\system32\winlogon.exe => File is digitally signed C:\Windows\system32\wininit.exe => File is digitally signed C:\Windows\system32\svchost.exe => File is digitally signed C:\Windows\system32\services.exe => File is digitally signed C:\Windows\system32\User32.dll => File is digitally signed C:\Windows\system32\userinit.exe => File is digitally signed C:\Windows\system32\rpcss.dll => File is digitally signed C:\Windows\system32\dnsapi.dll => File is digitally signed C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2016-01-22 15:06 ==================== End of FRST.txt ============================ Quote
A Bit Annoyed (Author) posted January 22, 2016:

I can't seem to do anything with the Spybot. It keeps saying I need administrator rights to make any changes to it, but that is how I am running the computer! I remember now why I haven't been able to uninstall it previously.
ExTS Admin Starbuck posted January 22, 2016:

Hi there,

> remember now why I haven't been able to uninstall it previously

Ok, no problem. I'll add Spybot to the fix (this will remove it).

Step 1

Please download the attached fixlist.txt file (bottom of this post) and save it to the Download folder.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait.
http://img.photobucket.com/albums/v708/starbuck50/frstfix_zps7db0c905.png
The tool will make a log in the Download folder (Fixlog.txt). Please post this in your next reply.

Step 2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.

Please follow these steps to remove older version Java components and update:
1. Download the latest version of Java SE 8u71 / 8u72 and save it to your desktop.
2. Scroll down to where it says "Java SE 8u71 / 8u72".
3. Click the "Download JRE" button.
4. Accept the license agreement.
5. Select 'Windows x86' offline from the list.
6. Save the file to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Remove or Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on the downloaded icon to install the newest version.

In your next reply, please submit fixlog.txt and let me know how the system is running... any problems.
Thanks

Attachment: fixlist.txt

Member of: UNITE
A Bit Annoyed (Author) posted January 22, 2016:

Thank you so much for everything.

A Bit Annoyed (Author) posted January 24, 2016:

I meant to ask, is this fix something I can do within a lunch hour, or should I wait until I have more time to check it?

ExTS Admin Starbuck posted January 24, 2016:

Hi there,
The FRST fix should take less than 30 seconds.
Updating Java should take about 5 mins from start to finish.

Member of: UNITE
A Bit Annoyed (Author) Posted January 25, 2016

Hi there, The FRST fix should take less than 30 seconds. Updating Java should take about 5 mins from start to finish.

Fix result of Farbar Recovery Scan Tool (x86) Version:17-01-2015
Ran by Admin (2016-01-25 13:20:50) Run:1
Running from C:\Users\Admin\Downloads
Loaded Profiles: Admin (Available Profiles: Admin)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM\...\Run: [NWEReboot] => [X]
Winlogon\Notify\!SASWinLogon: F:\SASWINLO.DLL [X]
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - F:\SASSEH.DLL No File [ ]
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26] (Safer Networking Limited)
BHO: No Name -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
2016-01-22 14:23 - 2012-07-11 14:37 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-08-28 09:05 - 2015-08-28 09:05 - 6420480 _____ () C:\Program Files\GUTEBF5.tmp
Task: {3C24B91F-DA21-4400-977A-FABE57D55681} - System32\Tasks\{0216116A-7830-4DB7-B174-E4592BE8F1FC} => pcalua.exe -a E:\setup.exe -d E:\
Task: {4027A9A6-D0A2-40B6-9409-AB044AEB6249} - \DealPly -> No File <==== ATTENTION
C:\Program Files\Spybot - Search & Destroy
CMD: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
Hosts:
EmptyTemp:
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\NWEReboot => value removed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon" => key removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} => value removed successfully.
"HKCR\CLSID\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}" => key removed successfully.
"HKCR\CLSID\{53707962-6F74-2D53-2644-206D7942484F}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} => key not found.
HKCR\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} => key not found.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
C:\ProgramData\Spybot - Search & Destroy => moved successfully
C:\Program Files\GUTEBF5.tmp => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3C24B91F-DA21-4400-977A-FABE57D55681}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C24B91F-DA21-4400-977A-FABE57D55681}" => key removed successfully.
C:\Windows\System32\Tasks\{0216116A-7830-4DB7-B174-E4592BE8F1FC} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0216116A-7830-4DB7-B174-E4592BE8F1FC}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4027A9A6-D0A2-40B6-9409-AB044AEB6249}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4027A9A6-D0A2-40B6-9409-AB044AEB6249}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DealPly" => key removed successfully.
C:\Program Files\Spybot - Search & Destroy => moved successfully

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.0.6001 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

0 out of 0 jobs canceled.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 384.2 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 13:23:07 ====
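The Fixlog above is a record of autostart locations that were cleaned: Run values, Winlogon\Notify packages, ShellExecuteHooks, Browser Helper Objects, driver services and scheduled tasks, several of which pointed at files that no longer existed (FRST marks those "No File" or "[X]") and one of which launched setup.exe from a removable drive through pcalua.exe. The script below is an added example for readers who want to re-check those same locations after a cleanup; it is not part of the thread and is not FRST's or its author's code. It is read-only, assumes PowerShell 2.0 or later running from an elevated prompt on a 32-bit Windows like the one in the log (on a 64-bit host the Wow6432Node keys would also need walking), and the list of "proxy" binaries it flags is my own choice, not something the log defines.

```powershell
# Added example, not from the thread and not FRST's or its author's code: a read-only
# audit of the autostart locations the Fixlog above cleaned. Flags entries whose image
# is missing (FRST prints "No File" / "[X]") or that run through a proxy binary such as
# pcalua.exe, as the {0216116A-...} task did. Assumes PowerShell 2.0+, an elevated
# prompt and 32-bit Windows as in the log (64-bit hosts also need Wow6432Node keys).
$Findings = New-Object System.Collections.ArrayList

function Add-Finding($Location, $Name, $Target, $Reason) {
    [void]$Findings.Add((New-Object PSObject -Property @{
        Location = $Location; Name = $Name; Target = $Target; Reason = $Reason }))
}

function Resolve-ImagePath([string]$Raw) {
    # Reduce a command line or ImagePath value to the one file path Test-Path can check.
    if ([string]::IsNullOrEmpty($Raw)) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { $s = $s.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($s, '^(.+?\.(exe|dll|sys|cmd|bat))(\s|$)', 'IgnoreCase')
        $s = if ($m.Success) { $m.Groups[1].Value } else { ($s -split '\s+')[0] }
    }
    # \??\, \SystemRoot\ and system32\DRIVERS\x.sys are relative to %SystemRoot%;
    # a bare file name (pcalua.exe) is resolved from System32.
    $s = $s -replace '^\\\?\?\\', '' -replace '^\\?SystemRoot\\', ''
    if ($s -notmatch '^([A-Za-z]:\\|\\\\)') {
        $base = if ($s -match '\\') { $env:SystemRoot } else { "$env:SystemRoot\System32" }
        $s = Join-Path $base $s
    }
    return $s
}

function Test-Target([string]$Location, [string]$Name, [string]$Raw) {
    $path = Resolve-ImagePath $Raw
    if (-not $path) { Add-Finding $Location $Name $Raw 'empty value or unregistered class (No File)'; return }
    if ($Raw -match '(^|\\|")(pcalua|rundll32|regsvr32|mshta|wscript|cscript)\.exe') {
        Add-Finding $Location $Name $Raw 'runs through a proxy binary; inspect its arguments'
    }
    if (-not (Test-Path -LiteralPath $path)) { Add-Finding $Location $Name $Raw "target file missing: $path" }
}

function Get-ClsidServer([string]$Clsid) {
    # COM server behind a CLSID, or $null when the class is not registered at all.
    foreach ($k in 'InprocServer32', 'LocalServer32') {
        $p = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\$k"
        if (Test-Path -LiteralPath $p) { return [string](Get-ItemProperty -LiteralPath $p).'(default)' }
    }
    return $null
}

# 1. Run/RunOnce values (the log's HKLM\...\Run: [NWEReboot] => [X] had empty data)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Test-Target $key $p.Name ([string]$p.Value) }   # skip PSPath etc.
    }
}
# 2. Winlogon\Notify packages (the orphaned !SASWinLogon -> F:\SASWINLO.DLL entry)
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notify) {
    foreach ($sub in Get-ChildItem -LiteralPath $notify) {
        Test-Target $notify $sub.PSChildName ([string](Get-ItemProperty -LiteralPath $sub.PSPath).DllName)
    }
}
# 3. ShellExecuteHooks (value names are CLSIDs) and Browser Helper Objects (subkeys are CLSIDs)
$seh = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path -LiteralPath $seh) {
    foreach ($p in (Get-ItemProperty -LiteralPath $seh).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Test-Target $seh $p.Name (Get-ClsidServer $p.Name) }
    }
}
$bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bho) {
    foreach ($sub in Get-ChildItem -LiteralPath $bho) { Test-Target $bho $sub.PSChildName (Get-ClsidServer $sub.PSChildName) }
}
# 4. Services and drivers (S3 IpInIp; system32\DRIVERS\ipinip.sys [X] and friends)
foreach ($svc in Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $img = (Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img) { Test-Target 'Services' $svc.PSChildName ([string]$img) }
}
# 5. Scheduled tasks, recursing through folders and including hidden tasks (flag 1)
$sched = New-Object -ComObject Schedule.Service
$sched.Connect()
$folders = New-Object System.Collections.Stack
$folders.Push($sched.GetFolder('\'))
while ($folders.Count -gt 0) {
    $folder = $folders.Pop()
    foreach ($sub in @($folder.GetFolders(0) | Where-Object { $_ })) { $folders.Push($sub) }
    foreach ($task in @($folder.GetTasks(1) | Where-Object { $_ })) {
        $xml = [xml]$task.Xml
        foreach ($exec in @($xml.Task.Actions.Exec | Where-Object { $_ })) {
            Test-Target 'Tasks' $task.Path ("$($exec.Command) $($exec.Arguments)".Trim())
        }
    }
}
$Findings | Sort-Object Location, Name | Format-Table Location, Name, Reason, Target -AutoSize
```

Run it in an elevated PowerShell window and read the table: a "target file missing" row is the equivalent of FRST's "[X]" or "No File" and is safe to clear; a "proxy binary" row is not a verdict, only a prompt to read the arguments (here the interesting part of the pcalua.exe task was the `-a E:\setup.exe` that followed). Services that run inside svchost.exe report the host process as their image, so a missing ServiceDll would not be caught by this check.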
ExTS Admin Starbuck Posted January 25, 2016 The fix ran fine. How's the system running? Any problems? Member of: UNITE
A Bit Annoyed (Author) Posted January 25, 2016 It seems to be running fine. I had to leave Dad with it and told him to call me if he found any problems, but I tried it out and everything seemed fine, it all loaded really quickly. I can't thank you enough for all your help, it has really set my Dad at ease, not to mention myself!!!!
ExTS Admin Starbuck Posted January 25, 2016

I'm glad the system is back to normal now. There wasn't any sign of malicious programs, just Adware (PUPs).

Potentially Unwanted Program: an application that is installed along with the desired application the user actually asked for. Also called a "barnacle," in most cases the PUP is spyware, adware or some other unwanted software. However, what makes spyware or adware a PUP rather than pure malware is the fact that the end user license agreement (EULA) does inform the user that this additional program is being installed. Considering hardly anyone ever reads the license agreement, the distinction is a subtle one.

Try to get your father to read all of the install pages when installing any 'free' program. Always reject any additional (or 3rd party) program that's either offered or recommended. Getting you to add these 3rd party programs is how most vendors make their money.

A good program to have on hand is Malwarebytes Anti-Malware. I see that this is already installed, but is very out of date:
Malwarebytes Anti-Malware version 1.75.0.1300
The latest version is 2.2.0.1024

The best way to update this is to remove MBAM and install a fresh copy.

Uninstall Malwarebytes Anti-Malware using Add/Remove Programs in the Control Panel.
Restart your computer (very important).
Download mbam-clean and save it to your Desktop.
Please close all open applications and temporarily shut down your antivirus to avoid any conflicts when running the tool.
Locate the file mbam-clean.exe and double-click to run it. Vista/Windows 7/8 users: right-click and select Run As Administrator, then follow the onscreen prompts.
It will ask to restart your computer; please allow it to do so (very important).
After the computer restarts, ensure that your antivirus is enabled and download the latest version of Malwarebytes Anti-Malware from Here and save it to your desktop.
Now close all open applications including your browser and again temporarily disable your antivirus as before, then launch the Malwarebytes installer you just downloaded.
When installation is complete, make sure you re-enable your Anti-Virus/Internet-Security applications.

Note: A 14 day trial of the Premium features is pre-selected on the final install page. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program. I recommend that you UNtick this option (this then gives you the 'free' version instead of the trial version).
http://img.photobucket.com/albums/v708/starbuck50/new%20mbam/mbamset11_zpsfd9227e8.png

I do have a tutorial on the full install Here if you need it. Just run a manual update once a week and run MBAM to clean out any Adware etc. that may have sneaked through.

Let's finish the cleaning process and remove the tools we have used. We'll also set you a fresh restore point.

Download Delfix and save it to your desktop.
Ensure Remove disinfection tools is checked.
Also place a checkmark next to:
Create registry backup
Purge system restore
http://img.photobucket.com/albums/v708/starbuck50/delf_zpsb39a5ff3.png
Click the Run button.
When the tool has finished, please reboot your system to finalize the cleanup procedure.
A log will open in Notepad, but I don't actually need this report.

Glad I was able to help. Safe surfing.
A Bit Annoyed (Author) Posted January 25, 2016 You have been a tremendous help. So, so glad I found this forum. Thank you once again.