Ads by Advertise creating spam links/popups.


  • This topic is locked This topic is locked
2 replies to this topic

#1 captainswan

captainswan

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:34 AM

Posted 01 April 2016 - 09:53 PM

Hi, I'm helping a family member with a computer infected with Ads by Advertise. I've run a few things and am unable to remove it from Firefox. It doesn't seem to be on any other browser, and there are no unwanted programs installed. I was asked not to remove other programs they may use and to keep their profile intact, but I'm at a loss on how to remove this persistent infection.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by Emi (administrator) on SHUNSUKE (01-04-2016 19:35:33)
Running from C:\Users\Emi\Desktop
Loaded Profiles: Emi (Available Profiles: Emi)
Platform: Windows 8 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4206.722_x64__8wekyb3d8bbwe\LiveComm.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler64.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(America Online, Inc.) C:\Program Files (x86)\AIM\aim.exe
(AppEx Networks Corporation) C:\Program Files\AMD Quick Stream\AMDQuickStream.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
() C:\Users\Emi\AppData\Local\Grabilla\GrabillaTray.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Python Software Foundation) C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_197.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_197.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7165000 2013-10-06] (Realtek Semiconductor)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [1045304 2013-02-25] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP CoolSense] => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1343904 2012-11-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [295512 2013-10-06] (RealNetworks, Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-04-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [77088 2013-07-24] (Hewlett-Packard Company)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2087264 2014-09-11] (Wondershare)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596528 2015-11-09] (Oracle Corporation)
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [AIM] => C:\Program Files (x86)\AIM\aim.exe [67160 2005-08-05] (America Online, Inc.)
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [AppEx Accelerator UI] => C:\Program Files\AMD Quick Stream\AMDQuickStream.exe [482528 2014-03-31] (AppEx Networks Corporation)
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [HydraVisionDesktopManager] => C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe [1967616 2014-04-17] (AMD)
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [Spotify] => C:\Users\Emi\AppData\Roaming\Spotify\Spotify.exe [6342200 2014-09-22] (Spotify Ltd)
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [Spotify Web Helper] => C:\Users\Emi\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1245752 2014-09-22] (Spotify Ltd)
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [uTorrent] => C:\Users\Emi\AppData\Roaming\uTorrent\uTorrent.exe [2065944 2016-02-12] (BitTorrent Inc.)
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [Grabilla] => C:\Users\Emi\AppData\Local\Grabilla\grabillaTray.exe [1168312 2014-10-01] ()
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [6302856 2015-11-06] (Plex, Inc.)
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\MountPoints2: {1990d194-4d41-11e3-be7d-a0481c18e397} - "F:\ToolLauncher-Bootstrap.exe"
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\MountPoints2: {6036e1a3-ba87-11e3-be84-a0481c18e397} - "F:\VZW_Software_upgrade_assistant.exe"
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\MountPoints2: {a43afce7-2314-11e4-be8c-a0481c18e397} - "F:\VZW_Software_upgrade_assistant.exe"
HKU\S-1-5-21-4010047124-100806527-1233759524-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2012-07-25] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk [2014-12-26]
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2014-12-26]
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe ()
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{9AB00EC6-8EAE-46D1-961C-227B56CB8326}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{F3B58638-6EB0-4AC0-B47E-C0110436FA0D}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT13/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT13/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT13/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT13/1
SearchScopes: HKLM -> {C7499137-29E4-4073-9D0D-4B56C2790D90} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {C7499137-29E4-4073-9D0D-4B56C2790D90} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-4010047124-100806527-1233759524-1002 -> DefaultScope {4397DC76-DB6A-4860-B6EF-1DA92735BCAF} URL =
SearchScopes: HKU\S-1-5-21-4010047124-100806527-1233759524-1002 -> {C7499137-29E4-4073-9D0D-4B56C2790D90} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-4010047124-100806527-1233759524-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2014-12-26] (LastPass)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-27] (Hewlett-Packard)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2014-04-20] (IvoSoft)
BHO-x32: Microsoft.Search.HRSToolBar.InitToolbarBHO -> {1d970ed5-3eda-438d-bffd-715931e2775d} -> C:\Windows\SysWOW64\mscoree.dll [2012-06-02] (Microsoft Corporation)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-12-05] (Oracle Corporation)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2014-12-26] (LastPass)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-12-05] (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-27] (Hewlett-Packard)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2014-12-26] (LastPass)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2014-12-26] (LastPass)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM-x32 - Bing HRS Toolbar - {c9a6357b-25cc-4bcf-96c1-78736985d414} - C:\Windows\SysWOW64\mscoree.dll [2012-06-02] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-4010047124-100806527-1233759524-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default
FF DefaultSearchEngine: eShield Safe Web
FF DefaultSearchEngine.US: Google
FF SelectedSearchEngine: eShield Safe Web
FF Homepage: hxxp://google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_197.dll [2016-03-24] ()
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2014-12-26] (LastPass)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_197.dll [2016-03-24] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll [2012-08-08] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-12-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-12-05] (Oracle Corporation)
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2014-12-26] (LastPass)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2014-02-09] (Pando Networks)
FF Plugin-x32: @real.com/nppl3260;version=16.0.3.51 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll [2013-10-06] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=16.0.3.51 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll [2013-10-06] (RealPlayer)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-08-14] (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4010047124-100806527-1233759524-1002: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2014-02-09] (Pando Networks)
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\adblockpopups@jessehakanen.net.xpi [2015-05-30]
FF Extension: Imgur Uploader - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\giorgio@gilestro.tk.xpi [2015-05-30]
FF Extension: Lazarus: Form Recovery - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\lazarus@interclue.com.xpi [2015-05-30]
FF Extension: Multi Links - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\multilinks@plugin.xpi [2015-05-30]
FF Extension: Session Manager Export Tool - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\sessionmanagerexporttool@tijtij.com.xpi [2015-05-30]
FF Extension: Thumbnail Zoom Plus - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\thumbnailZoom@dadler.github.com.xpi [2015-07-29]
FF Extension: Web Developer - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi [2015-05-30]
FF Extension: Resurrect Pages - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}.xpi [2015-09-14]
FF Extension: NetVideoHunter - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\netvideohunter@netvideohunter.com [2015-11-11]
FF Extension: RightToClick - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi [2015-11-30]
FF Extension: DownThemAll! - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2015-12-05]
FF Extension: X-notifier - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}.xpi [2016-01-14] [not signed]
FF Extension: Stylish - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi [2016-01-29]
FF Extension: Image Search Options - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\{4a313247-8330-4a81-948e-b79936516f78}.xpi [2016-03-04]
FF Extension: Greasemonkey - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2016-03-04]
FF Extension: LastPass - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\support@lastpass.com [2016-03-10]
FF Extension: Classic Theme Restorer - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-03-14]
FF Extension: Screengrab (fix version) - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\{02450914-cdd9-410f-b1da-db004e18c671}.xpi [2016-03-16]
FF Extension: Xmarks - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\extensions\foxmarks@kei.com [2016-03-16]
FF Extension: New XKit - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\@new-xkit.xpi [2015-10-17] [not signed]
FF Extension: BetterStop - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\betterstop@dagger2-addons.mozilla.org.xpi [2015-05-28]
FF Extension: Translate This! - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\jid0-k75TfRGfOXPHfEZmJ9cKu5eCgLc@jetpack.xpi [2015-11-07]
FF Extension: Reddit Enhancement Suite - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi [2016-03-17]
FF Extension: Speed Manager - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{017720d0-b8ea-45fa-bf75-42b724eb7054}.xpi [2015-12-18] [not signed]
FF Extension: Session Manager - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2016-03-18]
FF Extension: PDF Print Converter Light - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{1addd0ed-345d-4d82-8471-18447e7a1627}.xpi [2016-03-14] [not signed]
FF Extension: Download Status Bar - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{6c28e999-e900-4635-a39d-b1ec90ba0c0f}.xpi [2016-03-11]
FF Extension: Adblock Plus - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-02-23]
FF HKLM-x32\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-10-06] [not signed]

Chrome:
=======
CHR DefaultSearchKeyword: Default -> lp
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.110\PepperFlash\pepflashplayer.dll => No File
CHR Profile: C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-06]
CHR Extension: (Adblock Plus) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-15]
CHR Extension: (Stylish) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnbnpbmkenffdnngjfgmeleoegfcffe [2015-10-02]
CHR Extension: (XKit) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpfgeeomkfdefkckijiabdbogjkdaecd [2015-05-04]
CHR Extension: (Google Docs Offline) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2016-04-01]
CHR Extension: (RealDownloader) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2014-09-26]
CHR Extension: (Super Auto Refresh) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkhjakkgopekjlempoplnjclgedabddk [2016-04-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-03]
CHR Extension: (Duplicate Tab Shortcut Key) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pfippblampohahkkdoomekekmfbjkimg [2015-03-17]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-04-17] (Advanced Micro Devices, Inc.) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [26680 2016-02-18] (Hewlett-Packard Company)
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [1039160 2013-02-01] (Hewlett-Packard Development Company, L.P.)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [3916368 2016-01-09] (INCA Internet Co., Ltd.)
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [239176 2013-02-19] (Realtek Semiconductor)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [14920 2013-07-02] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-22] (Advanced Micro Devices, Inc.)
R3 anvsnddrv; C:\Windows\system32\drivers\anvsnddrv.sys [33872 2011-11-28] (AnvSoft Inc.)
R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R2 APXACC; C:\Windows\system32\DRIVERS\appexDrv.sys [225504 2014-03-28] (AppEx Networks Corporation)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [215040 2013-12-19] (Advanced Micro Devices)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3265256 2013-07-02] (Broadcom Corporation)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [26528 2015-03-18] (REALiX™)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [288328 2013-01-23] (Realtek Semiconductor Corp.)
S3 RTSPER; C:\Windows\System32\DRIVERS\RtsPer.sys [448072 2013-02-01] (RTS Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3029208 2013-07-12] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [28400 2013-02-05] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [31984 2013-02-05] (Synaptics Incorporated)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [35232 2013-07-02] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [230904 2013-07-02] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2012-08-31] (Hewlett-Packard Development Company, L.P.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-01 19:35 - 2016-04-01 19:35 - 00031269 _____ C:\Users\Emi\Desktop\FRST.txt
2016-04-01 19:35 - 2016-04-01 19:35 - 00000000 ____D C:\FRST
2016-04-01 19:34 - 2016-04-01 19:35 - 02374144 _____ (Farbar) C:\Users\Emi\Desktop\FRST64.exe
2016-04-01 19:33 - 2016-04-01 19:33 - 00003336 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-4010047124-100806527-1233759524-1002
2016-04-01 19:33 - 2016-04-01 19:33 - 00003198 _____ C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-4010047124-100806527-1233759524-1002
2016-04-01 19:05 - 2016-04-01 19:05 - 00064726 _____ C:\ComboFix.txt
2016-04-01 18:21 - 2016-04-01 19:23 - 00000000 ____D C:\Windows\erdnt
2016-04-01 18:21 - 2016-04-01 19:06 - 00000000 ____D C:\Qoobox
2016-04-01 17:49 - 2016-04-01 19:24 - 00000000 ____D C:\Users\Emi\Documents\Troubleshooting Information_files
2016-04-01 17:49 - 2016-04-01 17:49 - 00034387 _____ C:\Users\Emi\Documents\Troubleshooting Information.xht
2016-04-01 16:11 - 2016-04-01 19:25 - 00000000 ____D C:\AdwCleaner
2016-04-01 16:07 - 2016-04-01 16:07 - 00042831 _____ C:\Users\Emi\Desktop\JRT.txt
2016-03-25 04:14 - 2016-03-25 04:14 - 00000343 _____ C:\Users\Emi\Documents\misc 2016.txt
2016-03-23 12:17 - 2016-03-23 12:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-03-22 00:01 - 2016-03-22 00:02 - 67485696 _____ C:\Users\Emi\Downloads\calibre-2.53.0.msi
2016-03-16 19:49 - 2016-03-16 19:49 - 00197408 _____ C:\Users\Emi\Documents\PhotoOps-Order-2332336.pdf
2016-03-15 09:39 - 2016-03-15 09:39 - 06342352 _____ (Tim Kosse) C:\Users\Emi\Downloads\FileZilla_3.16.0_win32-setup.exe
2016-03-04 10:02 - 2016-03-09 15:49 - 00000000 ____D C:\Program Files (x86)\Transcription iSS
2016-03-04 10:02 - 2016-03-04 10:02 - 00001012 _____ C:\Users\Public\Desktop\Transcription iSS.lnk
2016-03-04 10:02 - 2016-03-04 10:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Transcription iSS
2016-03-04 10:00 - 2016-03-04 10:00 - 00000000 ____D C:\Users\Emi\AppData\Roaming\ISS
2016-03-03 22:56 - 2016-03-03 23:50 - 00000000 ____D C:\Users\Emi\Downloads\iSS.TC.SM-4.0.16
2016-03-03 22:55 - 2016-03-03 22:55 - 19003471 _____ C:\Users\Emi\Downloads\iSS.TC.SM-4.0.16.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-01 19:35 - 2013-10-06 03:26 - 00000000 ____D C:\Users\Emi\AppData\Roaming\Skype
2016-04-01 19:34 - 2013-10-06 04:36 - 00000000 ____D C:\Program Files (x86)\Opera
2016-04-01 19:34 - 2012-07-26 00:28 - 00941114 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-01 19:34 - 2012-07-25 22:37 - 00000000 ____D C:\Windows\Inf
2016-04-01 19:31 - 2014-04-11 23:28 - 00000000 ____D C:\Users\Emi\AppData\LocalLow\LastPass
2016-04-01 19:29 - 2013-10-06 04:38 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-01 19:29 - 2013-10-05 15:20 - 00000000 ____D C:\Users\Emi\AppData\Roaming\ClassicShell
2016-04-01 19:28 - 2015-06-10 08:00 - 00000342 _____ C:\Windows\Tasks\HPCeeScheduleForEmi.job
2016-04-01 19:28 - 2013-10-05 14:58 - 00000000 ____D C:\Users\Emi
2016-04-01 19:28 - 2012-07-26 00:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-01 19:27 - 2014-08-23 01:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-01 19:27 - 2014-07-13 05:38 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2016-04-01 19:26 - 2015-03-18 19:41 - 00000000 ____D C:\ProgramData\ProductData
2016-04-01 19:26 - 2014-02-01 19:18 - 00000000 ____D C:\Users\Emi\AppData\Local\Grabilla
2016-04-01 19:26 - 2013-10-06 02:47 - 00000000 ____D C:\Users\Emi\AppData\Roaming\vlc
2016-04-01 19:26 - 2013-10-05 17:20 - 00000000 ____D C:\Users\Emi\AppData\Roaming\NoteTab Light
2016-04-01 19:25 - 2014-08-23 01:55 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-01 19:25 - 2013-10-06 04:24 - 00000000 ____D C:\ProgramData\Licenses
2016-04-01 19:23 - 2015-03-18 19:41 - 00000000 ____D C:\Users\Emi\AppData\Roaming\IObit
2016-04-01 19:23 - 2013-11-15 21:52 - 00000000 ____D C:\Users\Emi\Documents\!!External Backup
2016-04-01 19:23 - 2013-10-06 03:44 - 00000000 ____D C:\ProgramData\Real
2016-04-01 19:23 - 2013-10-05 20:20 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2016-04-01 19:23 - 2013-10-05 20:20 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2016-04-01 19:23 - 2013-10-05 15:27 - 00000000 ____D C:\ProgramData\Viewpoint
2016-04-01 19:23 - 2013-10-05 15:27 - 00000000 ____D C:\Program Files (x86)\Viewpoint
2016-04-01 19:23 - 2013-10-05 15:07 - 00000000 ____D C:\Users\Emi\AppData\Roaming\Macromedia
2016-04-01 19:23 - 2013-08-09 09:58 - 00000000 ____D C:\ProgramData\Temp
2016-04-01 19:23 - 2012-07-26 01:12 - 00000000 ____D C:\Windows\registration
2016-04-01 15:57 - 2015-06-22 00:33 - 00000000 ____D C:\Users\Emi\AppData\Local\FirestormOS
2016-04-01 03:36 - 2013-10-05 22:55 - 00000000 ____D C:\Users\Emi\Documents\Calibre Library
2016-03-30 15:30 - 2013-10-05 21:37 - 00000000 ____D C:\Users\Emi\Documents\Grabilla Captures
2016-03-29 01:06 - 2013-10-06 03:29 - 00000000 ____D C:\Users\Emi\AppData\Roaming\FileZilla
2016-03-28 03:20 - 2015-07-29 16:21 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-03-28 03:01 - 2013-10-06 04:38 - 00000924 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-03-27 07:06 - 2015-06-10 08:00 - 00003152 _____ C:\Windows\System32\Tasks\HPCeeScheduleForEmi
2016-03-25 04:39 - 2015-03-02 15:16 - 00000000 ____D C:\KMPlayer
2016-03-25 04:12 - 2015-09-12 06:47 - 00001333 _____ C:\Users\Emi\Documents\Jen, Helen, etc info.txt
2016-03-24 01:20 - 2015-07-29 16:21 - 00003718 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-03-23 12:17 - 2014-04-06 11:05 - 00000000 ____D C:\Users\Emi\AppData\Local\Skype
2016-03-23 12:17 - 2013-10-06 03:26 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-03-23 12:17 - 2013-10-06 03:26 - 00000000 ____D C:\ProgramData\Skype
2016-03-22 00:03 - 2013-10-06 03:48 - 00000927 _____ C:\Users\Public\Desktop\calibre - E-book management.lnk
2016-03-22 00:03 - 2013-10-06 03:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management
2016-03-22 00:03 - 2013-10-06 03:48 - 00000000 ____D C:\Program Files (x86)\Calibre2
2016-03-20 09:11 - 2013-10-05 17:49 - 00000000 ____D C:\Users\Emi\Documents\Second Life
2016-03-19 14:02 - 2013-10-05 23:11 - 00000000 ____D C:\Users\Emi\Documents\Icons
2016-03-17 09:58 - 2014-11-05 23:02 - 00003846 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1381059377
2016-03-17 09:58 - 2013-10-06 04:36 - 00001018 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2016-03-16 19:39 - 2013-10-08 08:08 - 00001456 _____ C:\Users\Emi\AppData\Local\Adobe Save for Web 12.0 Prefs
2016-03-15 10:59 - 2014-01-07 22:51 - 00000132 _____ C:\Users\Emi\AppData\Roaming\Adobe PNG Format CS5 Prefs
2016-03-14 15:02 - 2013-10-06 04:39 - 00002162 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-03-13 03:54 - 2014-08-23 01:55 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-09 15:56 - 2015-12-05 04:28 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-03-08 09:17 - 2012-07-26 01:12 - 00000000 ____D C:\Windows\AUInstallAgent
2016-03-08 09:16 - 2012-07-26 01:12 - 00000000 ___HD C:\Program Files\WindowsApps
2016-03-04 10:02 - 2014-02-09 19:08 - 00000000 __SHD C:\Windows\SysWOW64\AI_RecycleBin
2016-03-03 22:57 - 2015-07-22 01:05 - 00000000 ____D C:\Users\Emi\Documents\Work stuff

==================== Files in the root of some directories =======

2014-04-11 23:28 - 2014-12-26 19:19 - 14147584 _____ () C:\Program Files (x86)\Common Files\lpuninstall.exe
2014-01-07 22:51 - 2016-03-15 10:59 - 0000132 _____ () C:\Users\Emi\AppData\Roaming\Adobe PNG Format CS5 Prefs
2013-10-24 05:09 - 2013-12-15 20:42 - 0000132 _____ () C:\Users\Emi\AppData\Roaming\Adobe Targa Format CS5 Prefs
2013-10-08 08:08 - 2016-03-16 19:39 - 0001456 _____ () C:\Users\Emi\AppData\Local\Adobe Save for Web 12.0 Prefs
2016-02-25 01:03 - 2016-02-25 01:07 - 0000600 _____ () C:\Users\Emi\AppData\Local\PUTTY.RND
2015-08-15 01:29 - 2015-08-15 01:29 - 0005050 _____ () C:\ProgramData\wmzddnmb.cix

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-03-27 03:00

==================== End of FRST.txt ============================




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:34 AM

Posted 02 April 2016 - 09:22 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-4010047124-100806527-1233759524-1002\...\Run: [AdobeBridge] => [X]
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-4010047124-100806527-1233759524-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF DefaultSearchEngine: eShield Safe Web
FF SelectedSearchEngine: eShield Safe Web
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll [No File]
FF Extension: Speed Manager - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{017720d0-b8ea-45fa-bf75-42b724eb7054}.xpi [2015-12-18] [not signed]
FF Extension: PDF Print Converter Light - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{1addd0ed-345d-4d82-8471-18447e7a1627}.xpi [2016-03-14] [not signed]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.110\PepperFlash\pepflashplayer.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-03]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{017720d0-b8ea-45fa-bf75-42b724eb7054}.xpi 
C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{1addd0ed-345d-4d82-8471-18447e7a1627}.xpi
C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

In your next reply please paste the Addition.txt file that was created by running the Farbar tool.
We may have some additional work to do.
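
The fixlist above is built by hand from the FRST log: the entries that get removed are the two unsigned Firefox extensions, the Firefox search engine that was switched to "eShield Safe Web", the Chrome/IE policy restrictions that FRST marks with "<======= ATTENTION", and a handful of orphaned "No File" shell and plugin registrations. The script below is an added example, written for this page and not part of the thread or of FRST itself, that automates that first triage pass over an FRST.txt. The sample lines are copied from the log posted above; the allow-list of acceptable default search engines and the finding categories are assumptions of this script, not anything FRST defines.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for the entry types a
malware-response helper looks for first.  Added example; not FRST code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumed allow-list: default search engines we are happy to see.  Anything
# else (e.g. "eShield Safe Web" in the log above) is reported.
KNOWN_SEARCH_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}

# FRST driver lines: "R3 Name; C:\path\file.sys [size date] (Publisher)"
DRIVER_RE = re.compile(
    r"^[RSU]\d\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+\[\d+ [\d-]+\]\s+\((?P<company>.*)\)\s*$"
)
# FRST Firefox extension lines: "FF Extension: Name - path.xpi [date] [flag]"
FF_EXT_RE = re.compile(
    r"^FF Extension: (?P<name>.+?) - (?P<path>.+?\.xpi) \[(?P<date>[\d-]+)\]\s*\[(?P<flag>[^\]]*)\]"
)
FF_SEARCH_RE = re.compile(r"^FF (DefaultSearchEngine|SelectedSearchEngine): (?P<engine>.+)$")


@dataclass
class Finding:
    category: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that deserves a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # FRST already flags policy restrictions and similar items itself.
        if "<======= ATTENTION" in line:
            findings.append(Finding("attention", line))
            continue
        m = FF_EXT_RE.match(line)
        if m:
            if m.group("flag") == "not signed":
                findings.append(Finding("unsigned_ff_extension", line))
            continue
        m = FF_SEARCH_RE.match(line)
        if m:
            if m.group("engine").strip() not in KNOWN_SEARCH_ENGINES:
                findings.append(Finding("search_engine_changed", line))
            continue
        # Registrations whose target binary is gone: "=> No File" / "[No File]".
        if re.search(r"\bNo File\b", line):
            findings.append(Finding("orphan_no_file", line))
            continue
        m = DRIVER_RE.match(line)
        if m and m.group("company").strip() == "":
            # Kernel driver with an empty publisher field, e.g. UnlockerDriver5.
            findings.append(Finding("driver_no_publisher", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


# Sample input: lines copied verbatim from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
FF DefaultSearchEngine: eShield Safe Web
FF SelectedSearchEngine: eShield Safe Web
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Extension: Speed Manager - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{017720d0-b8ea-45fa-bf75-42b724eb7054}.xpi [2015-12-18] [not signed]
FF Extension: PDF Print Converter Light - C:\Users\Emi\AppData\Roaming\Mozilla\Firefox\Profiles\35sf27ob.default\Extensions\{1addd0ed-345d-4d82-8471-18447e7a1627}.xpi [2016-03-14] [not signed]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Emi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-03]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:24} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Two caveats when reading the output. A "[not signed]" Firefox extension in a log from this period is a strong hint but not proof of adware: in April 2016 Firefox still allowed unsigned add-ons, so the flag means "nobody vouched for this", and the extension's name and install date (both freshly installed "Speed Manager" and "PDF Print Converter Light" here) are what make the call. Likewise the "No File" entries are leftovers whose binaries are already gone; removing them is housekeeping that the fixlist performs alongside the actual adware removal, not the removal itself.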

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:34 AM

Posted 08 April 2016 - 08:08 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



