Malware Infection - Can't run internet browser


  • This topic is locked
26 replies to this topic

#1 autt2

autt2

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:01 AM

Posted 05 June 2016 - 02:33 PM

Hi,
My computer could only run IE in safe mode, so I ran Malwarebytes. Several things were detected and quarantined, but still couldn't run IE or Firefox. Hope you can help me. Thanks!

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-06-2016 02
Ran by O'Donnell (administrator) on ODONNELL-PC (05-06-2016 14:56:54)
Running from C:\Users\O'Donnell\Downloads
Loaded Profiles: O'Donnell (Available Profiles: O'Donnell)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agr64svc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(OldTimer Tools) C:\Users\O'Donnell\Downloads\OTL.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-07-08] ()
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] => C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-05-26] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PictureMover.lnk [2016-03-29]
ShortcutTarget: PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{CE2EF1AC-2F6C-4364-9FBB-5031047287A8}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {BD8605E0-33E4-4DDE-B75B-E9A1F4FE5C84} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {BD8605E0-33E4-4DDE-B75B-E9A1F4FE5C84} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {BD8605E0-33E4-4DDE-B75B-E9A1F4FE5C84} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {BD8605E0-33E4-4DDE-B75B-E9A1F4FE5C84} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4182491821-2651143417-1818612708-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll [2010-01-20] (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL [2016-03-29] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll [2010-01-20] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-4182491821-2651143417-1818612708-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler-x32: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll [2010-01-20] (Symantec Corporation)

FireFox:
========
FF ProfilePath: C:\Users\O'Donnell\AppData\Roaming\Mozilla\Firefox\Profiles\elfb2dnd.default
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [124928 2009-07-09] (Hewlett-Packard) [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2009-05-18] (Hewlett-Packard Company) [File not signed]
S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 Norton Internet Security; C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [117640 2016-03-29] (Symantec Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 BHDrvx64; C:\Windows\System32\Drivers\NISx64\1008000.029\BHDrvx64.sys [334384 2010-01-20] (Symantec Corporation)
R1 ccHP; C:\Windows\System32\Drivers\NISx64\1008000.029\ccHPx64.sys [583296 2016-03-29] (Symantec Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2016-03-28] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [157520 2016-03-28] (Symantec Corporation)
R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20160328.001\IDSvia64.sys [767224 2016-03-28] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-06-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1008000.029\SRTSP64.SYS [476720 2016-03-29] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1008000.029\SRTSPX64.SYS [32304 2016-03-29] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1008000.029\SYMEFA64.SYS [402992 2016-03-29] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2016-03-29] (Symantec Corporation)
R3 SYMFW; C:\Windows\System32\Drivers\NISx64\1008000.029\SYMFW.SYS [120880 2016-03-29] (Symantec Corporation)
R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [31280 2016-03-29] (Symantec Corporation)
R3 SYMNDISV; C:\Windows\System32\Drivers\NISx64\1008000.029\SYMNDISV.SYS [56880 2016-03-29] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\NISx64\1008000.029\SYMTDI.SYS [278576 2016-03-29] (Symantec Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-06-05] ()
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20160329.004\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20160329.004\EX64.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-05 13:15 - 2016-06-05 13:15 - 00000000 ____D C:\zoek
2016-06-05 13:07 - 2016-06-05 13:07 - 00000000 ____D C:\Users\O'Donnell\AppData\Local\CrashDumps
2016-06-05 13:06 - 2016-06-05 13:17 - 00003232 _____ C:\runcheck.txt
2016-06-05 13:06 - 2016-06-05 13:16 - 00000000 ____D C:\zoek_backup
2016-06-05 13:06 - 2016-06-05 13:06 - 01309184 _____ C:\Users\O'Donnell\Downloads\zoek.exe
2016-06-05 13:03 - 2016-06-05 13:03 - 00023518 _____ C:\Users\O'Donnell\Downloads\Addition.txt
2016-06-05 13:02 - 2016-06-05 14:56 - 00010091 _____ C:\Users\O'Donnell\Downloads\FRST.txt
2016-06-05 13:02 - 2016-06-05 14:56 - 00000000 ____D C:\FRST
2016-06-05 13:02 - 2016-06-05 13:02 - 02384896 _____ (Farbar) C:\Users\O'Donnell\Downloads\FRST64.exe
2016-06-05 13:00 - 2016-06-05 13:00 - 00000824 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-06-05 13:00 - 2016-06-05 13:00 - 00000000 ____D C:\Program Files\CCleaner
2016-06-05 12:57 - 2016-06-05 12:57 - 00053416 _____ C:\Users\O'Donnell\Downloads\Extras.Txt
2016-06-05 12:57 - 2016-06-05 12:57 - 00048944 _____ C:\Users\O'Donnell\Downloads\OTL.Txt
2016-06-05 12:51 - 2016-06-05 12:51 - 00602112 _____ (OldTimer Tools) C:\Users\O'Donnell\Downloads\OTL.exe
2016-06-05 12:47 - 2016-06-05 12:49 - 00004088 _____ C:\Users\O'Donnell\Desktop\FSS.txt
2016-06-05 12:03 - 2016-06-05 12:15 - 00000000 ____D C:\Users\O'Donnell\AppData\Local\Mozilla
2016-06-05 12:03 - 2016-06-05 12:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-06-05 12:03 - 2016-06-05 12:04 - 00000000 ____D C:\Users\O'Donnell\AppData\Roaming\Mozilla
2016-06-05 12:03 - 2016-06-05 12:03 - 00001153 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-06-05 11:47 - 2016-06-05 11:47 - 00021213 _____ C:\ComboFix.txt
2016-06-05 11:40 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
2016-06-05 11:40 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
2016-06-05 11:40 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
2016-06-05 11:36 - 2016-06-05 11:47 - 00000000 ____D C:\Qoobox
2016-06-05 11:36 - 2016-06-05 11:46 - 00000000 ____D C:\Windows\erdnt
2016-06-05 11:17 - 2016-06-05 14:40 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-06-05 11:16 - 2016-06-05 11:25 - 00000000 ____D C:\ProgramData\RogueKiller
2016-06-05 11:16 - 2016-06-05 11:16 - 19868744 _____ C:\Users\O'Donnell\Downloads\RogueKiller.exe
2016-06-05 09:30 - 2016-06-05 14:37 - 00001894 _____ C:\Users\O'Donnell\Desktop\JRT.txt
2016-06-05 09:29 - 2016-06-05 09:29 - 01610816 _____ (Malwarebytes) C:\Users\O'Donnell\Downloads\JRT.exe
2016-06-05 09:07 - 2016-06-05 11:55 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-05 09:07 - 2016-06-05 09:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-06-05 09:07 - 2016-06-05 09:07 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-06-05 09:07 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-06-05 09:07 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-06-05 09:05 - 2016-06-05 09:05 - 03840240 _____ (AVAST Software) C:\Users\O'Donnell\Downloads\avast-browser-cleanup-sfx.exe
2016-06-05 09:05 - 2016-06-05 09:05 - 00000000 ____D C:\Users\O'Donnell\AppData\Roaming\Microsoft\Windows\Start Menu\avast! Browser Cleanup
2016-06-05 09:05 - 2016-06-05 09:05 - 00000000 ____D C:\Users\O'Donnell\AppData\Roaming\AVAST Software
2016-06-05 08:51 - 2016-06-05 12:47 - 00000000 ____D C:\AdwCleaner
2016-05-22 14:47 - 2016-06-05 09:07 - 00001108 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-05-22 14:46 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-05-22 14:45 - 2016-05-22 14:45 - 00000000 ____D C:\Users\O'Donnell\AppData\Local\PowerCinema
2016-05-22 14:45 - 2016-05-22 14:45 - 00000000 ____D C:\Users\O'Donnell\AppData\Local\CyberLink
2016-05-22 14:43 - 2016-06-05 09:07 - 00000000 ____D C:\ProgramData\Malwarebytes

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-05 14:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Help
2016-06-05 14:45 - 2016-04-06 15:58 - 00003212 _____ C:\Windows\System32\Tasks\HPCeeScheduleForO'Donnell
2016-06-05 14:45 - 2016-04-06 15:58 - 00000350 _____ C:\Windows\Tasks\HPCeeScheduleForO'Donnell.job
2016-06-05 14:45 - 2016-03-29 12:47 - 00000000 ____D C:\Users\O'Donnell
2016-06-05 14:39 - 2009-07-14 00:45 - 00015760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-05 14:39 - 2009-07-14 00:45 - 00015760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-05 14:38 - 2009-07-14 01:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-05 14:38 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-06-05 14:31 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-05 13:00 - 2016-03-29 11:30 - 00000000 ____D C:\Windows\Panther
2016-06-05 13:00 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\ModemLogs
2016-06-05 11:45 - 2009-07-13 22:34 - 00000215 _____ C:\Windows\system.ini
2016-06-05 09:18 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\addins
2016-06-05 07:18 - 2016-03-30 14:18 - 00000558 _____ C:\Users\O'Donnell\AppData\Roaming\wklnhst.dat
2016-06-05 07:15 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-05-06 03:00 - 2016-04-17 03:47 - 00000000 ____D C:\Windows\system32\appraiser
2016-05-06 03:00 - 2016-04-16 06:30 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2016-05-06 03:00 - 2016-04-16 06:30 - 00000000 ___SD C:\Windows\system32\GWX

==================== Files in the root of some directories =======

2016-03-30 14:18 - 2016-06-05 07:18 - 0000558 _____ () C:\Users\O'Donnell\AppData\Roaming\wklnhst.dat

Some files in TEMP:
====================
C:\Users\O'Donnell\AppData\Local\Temp\7za.exe
C:\Users\O'Donnell\AppData\Local\Temp\DaS_21.exe
C:\Users\O'Donnell\AppData\Local\Temp\dllnt_dump.dll
C:\Users\O'Donnell\AppData\Local\Temp\hijackthis.exe
C:\Users\O'Donnell\AppData\Local\Temp\NirCmd.exe
C:\Users\O'Donnell\AppData\Local\Temp\PEVZ.EXE
C:\Users\O'Donnell\AppData\Local\Temp\remove.exe
C:\Users\O'Donnell\AppData\Local\Temp\sed.exe
C:\Users\O'Donnell\AppData\Local\Temp\shortcut.exe
C:\Users\O'Donnell\AppData\Local\Temp\swreg.exe
C:\Users\O'Donnell\AppData\Local\Temp\swxcacls.exe
C:\Users\O'Donnell\AppData\Local\Temp\wget.exe
C:\Users\O'Donnell\AppData\Local\Temp\zoek-delete.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-22 16:31

==================== End of FRST.txt ============================

Edited by Oh My!, 07 June 2016 - 07:39 PM.


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,368 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:01 AM

Posted 07 June 2016 - 07:41 PM

Greetings autt2 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please rerun a FRST scan and make sure Addition.txt is checked. Post both reports in your reply.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#3 autt2

autt2
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:01 AM

Posted 08 June 2016 - 04:21 PM

Thanks for your help.



#4 autt2

autt2
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:01 AM

Posted 08 June 2016 - 04:29 PM

Sorry - here are the logs. You can call me Ann.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:08-06-2016
Ran by O'Donnell (administrator) on ODONNELL-PC (08-06-2016 17:27:34)
Running from C:\Users\O'Donnell\Downloads
Loaded Profiles: O'Donnell (Available Profiles: O'Donnell)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-07-08] ()
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] => C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-05-26] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PictureMover.lnk [2016-03-29]
ShortcutTarget: PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{CE2EF1AC-2F6C-4364-9FBB-5031047287A8}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {BD8605E0-33E4-4DDE-B75B-E9A1F4FE5C84} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {BD8605E0-33E4-4DDE-B75B-E9A1F4FE5C84} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {BD8605E0-33E4-4DDE-B75B-E9A1F4FE5C84} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {BD8605E0-33E4-4DDE-B75B-E9A1F4FE5C84} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4182491821-2651143417-1818612708-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll [2010-01-20] (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL [2016-03-29] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll [2010-01-20] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-4182491821-2651143417-1818612708-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler-x32: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll [2010-01-20] (Symantec Corporation)

FireFox:
========
FF ProfilePath: C:\Users\O'Donnell\AppData\Roaming\Mozilla\Firefox\Profiles\elfb2dnd.default
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [124928 2009-07-09] (Hewlett-Packard) [File not signed]
S2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2009-05-18] (Hewlett-Packard Company) [File not signed]
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
S2 Norton Internet Security; C:\Program Files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [117640 2016-03-29] (Symantec Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S1 BHDrvx64; C:\Windows\System32\Drivers\NISx64\1008000.029\BHDrvx64.sys [334384 2010-01-20] (Symantec Corporation)
S1 ccHP; C:\Windows\System32\Drivers\NISx64\1008000.029\ccHPx64.sys [583296 2016-03-29] (Symantec Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2016-03-28] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [157520 2016-03-28] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20160328.001\IDSvia64.sys [767224 2016-03-28] (Symantec Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-06-07] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1008000.029\SRTSP64.SYS [476720 2016-03-29] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NISx64\1008000.029\SRTSPX64.SYS [32304 2016-03-29] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1008000.029\SYMEFA64.SYS [402992 2016-03-29] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2016-03-29] (Symantec Corporation)
S3 SYMFW; C:\Windows\System32\Drivers\NISx64\1008000.029\SYMFW.SYS [120880 2016-03-29] (Symantec Corporation)
R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [31280 2016-03-29] (Symantec Corporation)
S3 SYMNDISV; C:\Windows\System32\Drivers\NISx64\1008000.029\SYMNDISV.SYS [56880 2016-03-29] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\NISx64\1008000.029\SYMTDI.SYS [278576 2016-03-29] (Symantec Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-06-05] ()
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20160329.004\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20160329.004\EX64.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-08 17:19 - 2016-06-08 17:19 - 00018105 _____ C:\Users\O'Donnell\Documents\FRST_08-06-2016_17-19-59.txt
2016-06-08 17:19 - 2016-06-08 17:19 - 00000000 ____D C:\Users\O'Donnell\Downloads\FRST-OlderVersion
2016-06-05 15:13 - 2016-06-07 18:45 - 00050974 _____ C:\Windows\ntbtlog.txt
2016-06-05 14:57 - 2016-06-05 14:57 - 00018591 _____ C:\Users\O'Donnell\Documents\FRST_05-06-2016_14-57-17.txt
2016-06-05 13:15 - 2016-06-05 13:15 - 00000000 ____D C:\zoek
2016-06-05 13:07 - 2016-06-05 13:07 - 00000000 ____D C:\Users\O'Donnell\AppData\Local\CrashDumps
2016-06-05 13:06 - 2016-06-05 13:17 - 00003232 _____ C:\runcheck.txt
2016-06-05 13:06 - 2016-06-05 13:16 - 00000000 ____D C:\zoek_backup
2016-06-05 13:06 - 2016-06-05 13:06 - 01309184 _____ C:\Users\O'Donnell\Downloads\zoek.exe
2016-06-05 13:03 - 2016-06-05 13:03 - 00023518 _____ C:\Users\O'Donnell\Documents\Addition_05-06-2016_13-03-25.txt
2016-06-05 13:03 - 2016-06-05 13:03 - 00023518 _____ C:\Users\O'Donnell\Documents\Addition.txt
2016-06-05 13:03 - 2016-06-05 13:03 - 00017096 _____ C:\Users\O'Donnell\Documents\FRST_05-06-2016_13-03-25.txt
2016-06-05 13:02 - 2016-06-08 17:27 - 00009756 _____ C:\Users\O'Donnell\Downloads\FRST.txt
2016-06-05 13:02 - 2016-06-08 17:27 - 00000000 ____D C:\FRST
2016-06-05 13:02 - 2016-06-08 17:20 - 00018105 _____ C:\Users\O'Donnell\Documents\FRST.txt
2016-06-05 13:02 - 2016-06-08 17:19 - 02385408 _____ (Farbar) C:\Users\O'Donnell\Downloads\FRST64.exe
2016-06-05 13:00 - 2016-06-05 13:00 - 00000824 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-06-05 13:00 - 2016-06-05 13:00 - 00000000 ____D C:\Program Files\CCleaner
2016-06-05 12:57 - 2016-06-05 15:01 - 00612342 _____ C:\Users\O'Donnell\Downloads\OTL.Txt
2016-06-05 12:57 - 2016-06-05 12:57 - 00053416 _____ C:\Users\O'Donnell\Downloads\Extras.Txt
2016-06-05 12:51 - 2016-06-05 12:51 - 00602112 _____ (OldTimer Tools) C:\Users\O'Donnell\Downloads\OTL.exe
2016-06-05 12:47 - 2016-06-05 12:49 - 00004088 _____ C:\Users\O'Donnell\Desktop\FSS.txt
2016-06-05 12:03 - 2016-06-05 12:15 - 00000000 ____D C:\Users\O'Donnell\AppData\Local\Mozilla
2016-06-05 12:03 - 2016-06-05 12:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-06-05 12:03 - 2016-06-05 12:04 - 00000000 ____D C:\Users\O'Donnell\AppData\Roaming\Mozilla
2016-06-05 12:03 - 2016-06-05 12:03 - 00001153 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-06-05 11:47 - 2016-06-05 11:47 - 00021213 _____ C:\ComboFix.txt
2016-06-05 11:40 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
2016-06-05 11:40 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
2016-06-05 11:40 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
2016-06-05 11:40 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
2016-06-05 11:36 - 2016-06-05 11:47 - 00000000 ____D C:\Qoobox
2016-06-05 11:36 - 2016-06-05 11:46 - 00000000 ____D C:\Windows\erdnt
2016-06-05 11:17 - 2016-06-05 14:40 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-06-05 11:16 - 2016-06-05 11:25 - 00000000 ____D C:\ProgramData\RogueKiller
2016-06-05 11:16 - 2016-06-05 11:16 - 19868744 _____ C:\Users\O'Donnell\Downloads\RogueKiller.exe
2016-06-05 09:30 - 2016-06-05 14:37 - 00001894 _____ C:\Users\O'Donnell\Desktop\JRT.txt
2016-06-05 09:29 - 2016-06-05 09:29 - 01610816 _____ (Malwarebytes) C:\Users\O'Donnell\Downloads\JRT.exe
2016-06-05 09:07 - 2016-06-07 18:45 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-05 09:07 - 2016-06-05 09:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-06-05 09:07 - 2016-06-05 09:07 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-06-05 09:07 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-06-05 09:07 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-06-05 09:05 - 2016-06-05 09:05 - 03840240 _____ (AVAST Software) C:\Users\O'Donnell\Downloads\avast-browser-cleanup-sfx.exe
2016-06-05 09:05 - 2016-06-05 09:05 - 00000000 ____D C:\Users\O'Donnell\AppData\Roaming\Microsoft\Windows\Start Menu\avast! Browser Cleanup
2016-06-05 09:05 - 2016-06-05 09:05 - 00000000 ____D C:\Users\O'Donnell\AppData\Roaming\AVAST Software
2016-06-05 08:51 - 2016-06-05 12:47 - 00000000 ____D C:\AdwCleaner
2016-05-22 14:47 - 2016-06-05 09:07 - 00001108 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-05-22 14:46 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-05-22 14:45 - 2016-05-22 14:45 - 00000000 ____D C:\Users\O'Donnell\AppData\Local\PowerCinema
2016-05-22 14:45 - 2016-05-22 14:45 - 00000000 ____D C:\Users\O'Donnell\AppData\Local\CyberLink
2016-05-22 14:43 - 2016-06-05 09:07 - 00000000 ____D C:\ProgramData\Malwarebytes

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-05 15:18 - 2009-07-14 01:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-05 15:18 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-06-05 15:12 - 2016-04-06 15:58 - 00000350 _____ C:\Windows\Tasks\HPCeeScheduleForO'Donnell.job
2016-06-05 15:12 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-05 14:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Help
2016-06-05 14:45 - 2016-04-06 15:58 - 00003212 _____ C:\Windows\System32\Tasks\HPCeeScheduleForO'Donnell
2016-06-05 14:45 - 2016-03-29 12:47 - 00000000 ____D C:\Users\O'Donnell
2016-06-05 14:39 - 2009-07-14 00:45 - 00015760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-05 14:39 - 2009-07-14 00:45 - 00015760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-05 13:00 - 2016-03-29 11:30 - 00000000 ____D C:\Windows\Panther
2016-06-05 13:00 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\ModemLogs
2016-06-05 11:45 - 2009-07-13 22:34 - 00000215 _____ C:\Windows\system.ini
2016-06-05 09:18 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\addins
2016-06-05 07:18 - 2016-03-30 14:18 - 00000558 _____ C:\Users\O'Donnell\AppData\Roaming\wklnhst.dat
2016-06-05 07:15 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\system32\FxsTmp

==================== Files in the root of some directories =======

2016-03-30 14:18 - 2016-06-05 07:18 - 0000558 _____ () C:\Users\O'Donnell\AppData\Roaming\wklnhst.dat

Some files in TEMP:
====================
C:\Users\O'Donnell\AppData\Local\Temp\7za.exe
C:\Users\O'Donnell\AppData\Local\Temp\DaS_21.exe
C:\Users\O'Donnell\AppData\Local\Temp\dllnt_dump.dll
C:\Users\O'Donnell\AppData\Local\Temp\hijackthis.exe
C:\Users\O'Donnell\AppData\Local\Temp\NirCmd.exe
C:\Users\O'Donnell\AppData\Local\Temp\PEVZ.EXE
C:\Users\O'Donnell\AppData\Local\Temp\remove.exe
C:\Users\O'Donnell\AppData\Local\Temp\sed.exe
C:\Users\O'Donnell\AppData\Local\Temp\shortcut.exe
C:\Users\O'Donnell\AppData\Local\Temp\swreg.exe
C:\Users\O'Donnell\AppData\Local\Temp\swxcacls.exe
C:\Users\O'Donnell\AppData\Local\Temp\wget.exe
C:\Users\O'Donnell\AppData\Local\Temp\zoek-delete.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-22 16:31

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:08-06-2016
Ran by O'Donnell (2016-06-08 17:27:55)
Running from C:\Users\O'Donnell\Downloads
Windows 7 Home Premium Service Pack 1 (X64) (2016-03-29 16:47:19)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4182491821-2651143417-1818612708-500 - Administrator - Disabled)
Guest (S-1-5-21-4182491821-2651143417-1818612708-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4182491821-2651143417-1818612708-1002 - Limited - Enabled)
O'Donnell (S-1-5-21-4182491821-2651143417-1818612708-1000 - Administrator - Enabled) => C:\Users\O'Donnell

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
AV: Norton Internet Security (Disabled - Up to date) {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
AS: Microsoft Security Essentials (Enabled - Up to date) {CDE0C533-D3CD-62A1-E772-AFADDF863628}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Disabled - Up to date) {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security (Disabled) {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Activate Norton Online Backup (HKLM-x32\...\{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}) (Version: 1.1.20.0 - Symantec)
ActiveCheck component for HP Active Support Library (x32 Version: 3.0.0.1 - Hewlett-Packard) Hidden
Adobe Flash Player 10 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 10.0.32.18 - Adobe Systems Incorporated)
avast! Browser Cleanup (HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\...\avast! Browser Cleanup) (Version: 10.2.2218.80 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 5.12 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CyberLink DVD Suite Deluxe (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.3101 - CyberLink Corp.)
DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 - Microsoft) Hidden
Hardware Diagnostic Tools (HKLM\...\PC-Doctor for Windows) (Version: 6.0.5205.31 - PC-Doctor, Inc.)
HP Advisor (HKLM-x32\...\{B53E61D7-7C80-40DF-82D2-CF5390D6D20A}) (Version: 3.2.8946.3086 - Hewlett-Packard)
HP Customer Experience Enhancements (HKLM-x32\...\{5B295588-59C1-4386-9F85-BB4BEDCB0D22}) (Version: 5.7.0.3036 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.0.71 - WildTangent)
HP MediaSmart Demo (HKLM-x32\...\{9DEF9686-CCB2-47B7-BF83-B49EA21FA016}) (Version: 1.00.0000 - Hewlett-Packard)
HP MediaSmart DVD (HKLM-x32\...\InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}) (Version: 3.0.3123 - Hewlett-Packard)
HP MediaSmart Movie Themes (HKLM-x32\...\InstallShield_{3023EBDA-BF1B-4831-B347-E5018555F26E}) (Version: 3.0.3102 - Hewlett-Packard)
HP MediaSmart Music/Photo/Video (HKLM-x32\...\InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}) (Version: 3.0.3205 - Hewlett-Packard)
HP MediaSmart SmartMenu (HKLM\...\{26280024-DFB7-4967-90DB-7F9C6660D01E}) (Version: 3.0.28.2 - Hewlett-Packard)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Remote Solution (HKLM-x32\...\HP Remote Solution) (Version: 1.1.9.0 - TopSeed)
HP Setup (HKLM-x32\...\{F3B912F5-EB57-45AA-B3D1-EB532BCF6EF8}) (Version: 1.2.3220.3079 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{4F46FDB9-B906-47BF-B3D5-C62E01B3C5EE}) (Version: 4.1.11.3 - Hewlett-Packard)
HP Support Information (HKLM-x32\...\{B9A03B7B-E0FF-4FB3-BA83-762E58A1B0AA}) (Version: 10.1.0002 - Hewlett-Packard)
HP Update (HKLM-x32\...\{D46D081B-F60E-467E-A7C4-117B70D76731}) (Version: 5.001.000.014 - Hewlett-Packard)
HPAsset component for HP Active Support Library (x32 Version: 3.0.0.2 - Hewlett-Packard) Hidden
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.1901 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.1901 - CyberLink Corp.) Hidden
LightScribe System Software (HKLM-x32\...\{DD6C316A-FE75-4FBB-9D22-4C1920232B72}) (Version: 1.18.5.1 - LightScribe)
LSI PCI-SV92EX Soft Modem (HKLM\...\LSI Soft Modem) (Version: 2.2.96 - LSI Corporation)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Live Search Toolbar (HKLM-x32\...\{DF802C05-4660-418c-970C-B988ADB1D316}) (Version: 3.0.560.0 - Microsoft Live Search Toolbar)
Microsoft Office Home and Student 60 day trial (HKLM\...\OfficeTrial) (Version: - )
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.9.218.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation)
Mozilla Firefox 46.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 46.0.1 (x86 en-US)) (Version: 46.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Norton Internet Security (HKLM-x32\...\NIS) (Version: 16.8.0.41 - Symantec Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.5 - NVIDIA Corporation)
PictureMover (HKLM-x32\...\{1896E712-2B3D-45eb-BCE9-542742A51032}) (Version: 3.3.1.19 - Hewlett-Packard Company)
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.3101 - CyberLink Corp.)
Power2Go (x32 Version: 6.0.3101 - CyberLink Corp.) Hidden
PowerDirector (HKLM-x32\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 7.0.3101 - CyberLink Corp.)
PowerDirector (x32 Version: 7.0.3101 - CyberLink Corp.) Hidden
PowerRecover (x32 Version: 5.5.1923 - CyberLink Corp.) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5882 - Realtek Semiconductor Corp.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0FFEBFC0-D303-4868-AA7B-153B8417F046} - System32\Tasks\HPCeeScheduleForO'Donnell => C:\Program Files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-05-26] (Hewlett-Packard)
Task: {2E68C218-54AB-4505-A9A7-CA47A685FB17} - System32\Tasks\DVDAgent => c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe [2009-07-23] (CyberLink Corp.)
Task: {3C713C37-F1A4-4BE7-877D-330BE2EDC63A} - System32\Tasks\Hewlett-Packard\HP Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2009-07-09] (Hewlett-Packard)
Task: {7AECCC64-6F2B-451C-B4D3-BB6404543414} - System32\Tasks\PCDRScheduledMaintenance => C:\Program Files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-07-02] (PC-Doctor, Inc.)
Task: {94AAFD1D-B3F0-477A-A8E0-A0F54DF7AA01} - System32\Tasks\ExtendedServicePlan => C:\Program Files (x86)\Hewlett-Packard\HP TCS\RemEngine.exe [2009-07-08] ()
Task: {9A0AD893-23AB-4A46-B053-59042C0EBC8B} - System32\Tasks\Hewlett-Packard\HP Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2009-07-09] (Hewlett-Packard)
Task: {DECCB15D-E510-480E-A121-4876E2264D7E} - System32\Tasks\CLMLSvc => c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe [2009-08-05] (CyberLink)
Task: {EFDCB50B-5201-4921-9DDE-EBD0F49F18A6} - System32\Tasks\ServicePlan => C:\Program Files (x86)\Hewlett-Packard\HP TCS\RemEngine.exe [2009-07-08] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\HPCeeScheduleForO'Donnell.job => C:\Program Files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe
Task: C:\Windows\Tasks\PCDRScheduledMaintenance.job => C:\Program Files\PC-Doctor for Windows\pcdr5cuiw32.exe5-fh scripts\monthly.xml

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys => ""="FSFilter Activity Monitor"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SymEFA.sys => ""="FSFilter Activity Monitor"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\O'Donnell\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: NortonOnlineBackupReminder => "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
MSCONFIG\startupreg: Report => C:\AdwCleaner\AdwCleaner[C3].txt

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{5BA18E0E-18E2-4EED-80C8-1D59460911B7}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDirector\PDR.EXE
FirewallRules: [{A7D4AC79-7F72-438D-BA4B-350EC8ED8C99}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartMusic.exe
FirewallRules: [{AE32F72B-FD2D-44FF-958E-82D7019F1B3B}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartPhoto.exe
FirewallRules: [{29CA2C8E-8E97-41AE-841A-9891896B40FD}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartVideo.exe
FirewallRules: [{60EA14B5-C582-46B1-A208-E74F1E3E3C76}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\TSMAgent.exe
FirewallRules: [{92C80290-02B5-4D87-8D61-5CEA8C4AAAFB}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\CLML\CLMLSvc.exe
FirewallRules: [{ADE3A38F-43DF-44E0-B5A5-3B29C89F851D}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPDVDSmart.exe
FirewallRules: [{786552EF-34A1-4C04-A95F-0D272E4F2402}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\HPTouchSmartMusic.exe
FirewallRules: [{F9B47F30-3C96-495F-A441-0CDB2AAB381A}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\HPTouchSmartPhoto.exe
FirewallRules: [{47D2A6ED-6A5A-43E1-8FBC-0FE6F8013A29}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\HPTouchSmartVideo.exe
FirewallRules: [{41C47DFA-9158-4609-8510-627CD39CA618}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
FirewallRules: [{5CD5D1D0-6066-45F7-A6EE-FDCAD933FEAF}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
FirewallRules: [{C7D8F44A-4C44-4D72-B196-D5179E3B80C2}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{EF3069F1-8F85-42B1-B23F-7C28E5C310E4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Restore Points =========================

21-04-2016 21:58:51 Windows Modules Installer
21-04-2016 21:59:53 Windows Modules Installer
28-04-2016 21:36:42 Windows Modules Installer
28-04-2016 21:39:12 Windows Modules Installer
30-04-2016 11:38:37 Windows Update
01-05-2016 17:10:16 HPSF Restore Point
01-05-2016 17:13:00 Windows Modules Installer
01-05-2016 17:14:51 Windows Modules Installer
03-05-2016 17:35:38 Windows Update
06-05-2016 03:00:11 Windows Update
22-05-2016 14:56:16 Windows Modules Installer
22-05-2016 14:59:28 Windows Modules Installer
05-06-2016 08:13:12 Windows Update
05-06-2016 14:34:03 JRT Pre-Junkware Removal
05-06-2016 14:43:44 Windows Modules Installer
05-06-2016 14:45:21 Windows Modules Installer

==================== Faulty Device Manager Devices =============

Name: Symantec Network Dispatch Driver
Description: Symantec Network Dispatch Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: SYMTDI
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/05/2016 02:31:10 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/05/2016 02:31:10 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/05/2016 02:31:10 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/05/2016 02:31:10 PM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/05/2016 02:31:10 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
Element not found. (HRESULT : 0x80070490) (0x80070490)

Error: (06/05/2016 02:31:10 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/05/2016 02:31:10 PM) (Source: Windows Search Service) (EventID: 9002) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
The content index server cannot update or access information because of a database error. Stop and restart the search service. If the problem persists, reset and recrawl the content index. In some cases it may be necessary to delete and recreate the content index. (HRESULT : 0x8004117f) (0x8004117f)

Error: (06/05/2016 02:31:10 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index {id=1100}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/05/2016 02:31:10 PM) (Source: Windows Search Service) (EventID: 9000) (User: )
Description: The Windows Search Service cannot open the Jet property store.

Details:
0x%08x (0x8004117f - The content index server cannot update or access information because of a database error. Stop and restart the search service. If the problem persists, reset and recrawl the content index. In some cases it may be necessary to delete and recreate the content index. (HRESULT : 0x8004117f))

Error: (06/05/2016 02:31:03 PM) (Source: ESENT) (EventID: 455) (User: )
Description: taskhost (1576) WebCacheLocal: Error -1811 occurred while opening logfile C:\Users\O'Donnell\AppData\Local\Microsoft\Windows\WebCache\V010002E.log.


System errors:
=============
Error: (06/08/2016 05:18:52 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (06/08/2016 03:24:18 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 0.0.0.0

Update Source: %NT AUTHORITY51

Update Stage: 4.9.0218.00

Source Path: 4.9.0218.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (06/08/2016 03:24:12 PM) (Source: Microsoft Antimalware) (EventID: 2003) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update the engine.

New Engine Version:

Previous Engine Version: 2.1.11804.0

Engine Type: %NT AUTHORITY604

User: NT AUTHORITY\NETWORK SERVICE

Error Code: %NT AUTHORITY601

Error description: %NT AUTHORITY602

Error: (06/08/2016 03:24:12 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 115.63.0.0

Update Source: %NT AUTHORITY15

Update Stage: 4.9.0218.00

Source Path: 4.9.0218.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (06/08/2016 03:23:53 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.223.976.0

Update Source: %NT AUTHORITY59

Update Stage: 4.9.0218.00

Source Path: 4.9.0218.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\SYSTEM

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (06/08/2016 03:23:53 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084wuauserv{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (06/08/2016 03:14:02 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (06/07/2016 06:45:43 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (06/07/2016 03:24:15 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 0.0.0.0

Update Source: %NT AUTHORITY51

Update Stage: 4.9.0218.00

Source Path: 4.9.0218.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (06/07/2016 03:24:09 PM) (Source: Microsoft Antimalware) (EventID: 2003) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update the engine.

New Engine Version:

Previous Engine Version: 2.1.11804.0

Engine Type: %NT AUTHORITY604

User: NT AUTHORITY\NETWORK SERVICE

Error Code: %NT AUTHORITY601

Error description: %NT AUTHORITY602


==================== Memory info ===========================

Processor: AMD Athlon™ II X4 620 Processor
Percentage of memory in use: 24%
Total physical RAM: 5887.23 MB
Available physical RAM: 4468.31 MB
Total Virtual: 11772.66 MB
Available Virtual: 10541.67 MB

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:1850.81 GB) (Free:1802.55 GB) NTFS
Drive d: (FACTORY_IMAGE) (Fixed) (Total:12.11 GB) (Free:2.2 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 1863 GB) (Disk ID: 238D3765)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1850.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=12.1 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


Edited by Oh My!, 08 June 2016 - 05:50 PM.


#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,368 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:01 AM

Posted 08 June 2016 - 06:08 PM

Greetings Ann and thank you for the information.

Although Norton is installed I see Microsoft Security Essentials is Enabled and Norton is Disabled. For now I would like to uninstall Norton. If you prefer this antivirus program we can reinstall it in a bit.
 

but still couldn't run IE or Firefox

Could you explain this a bit? They won't launch, won't load, can't surf different web pages, etc. Is it the same in Normal Boot and Safe Mode?

===================================================

Uninstalling Programs Using Revo Uninstaller Free

--------------------

I recommend uninstalling the below listed program(s) from your computer.

Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.

Please note there is a chance when you look for this program to uninstall through Revo it might not be listed because of a previous uninstall. If that is the case simply stop and let me know.
  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
Activate Norton Online Backup
Norton Internet Security
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again click Yes
  • When the built-in uninstaller is finished click on Next
  • Once the program has searched for leftovers click Next.
  • Check the items in bold only on the list then click Delete. You may have to expand some folders by clicking the "+" mark.
  • When prompted click on Yes and then on Next.
  • Click on Select all then click Delete
  • When prompted select Yes then Next
  • Once done click Finish
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-4182491821-2651143417-1818612708-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-06-05] ()
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20160329.004\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20160329.004\EX64.SYS [X]
C:\Users\O'Donnell\AppData\Local\Temp\7za.exe
C:\Users\O'Donnell\AppData\Local\Temp\DaS_21.exe
C:\Users\O'Donnell\AppData\Local\Temp\dllnt_dump.dll
C:\Users\O'Donnell\AppData\Local\Temp\hijackthis.exe
C:\Users\O'Donnell\AppData\Local\Temp\NirCmd.exe
C:\Users\O'Donnell\AppData\Local\Temp\PEVZ.EXE
C:\Users\O'Donnell\AppData\Local\Temp\remove.exe
C:\Users\O'Donnell\AppData\Local\Temp\sed.exe
C:\Users\O'Donnell\AppData\Local\Temp\shortcut.exe
C:\Users\O'Donnell\AppData\Local\Temp\swreg.exe
C:\Users\O'Donnell\AppData\Local\Temp\swxcacls.exe
C:\Users\O'Donnell\AppData\Local\Temp\wget.exe
C:\Users\O'Donnell\AppData\Local\Temp\zoek-delete.exe
CMD: type "C:\ComboFix.txt"
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Test all 3 browsers
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Did Norton uninstall?
  • Fixlog
  • Update on browser performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."
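Before a fix deletes the two Internet Explorer policy keys flagged with "Restriction" in the fixlist above, an administrator may want a record of what was actually set under them. The following PowerShell check is an added example, not code from this thread or from FRST; it assumes the logged-in user's hive can be reached as HKCU: in place of the HKU\S-1-5-21-...-1000 path, and that it is run from an elevated prompt.

```powershell
# Added example (not from the BleepingComputer thread or FRST): enumerate every value
# under the Internet Explorer policy keys that the fixlist removes, so the restrictions
# in force can be recorded before the keys are deleted.
# Assumption: HKCU: stands in for the HKU\S-1-5-21-...-1000 hive of the logged-in user.

$IEPolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
)

function Get-IEPolicyValues {
    param([string[]]$Paths = $IEPolicyPaths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) {
            Write-Verbose "Not present: $path"
            continue
        }
        # The key itself plus every subkey beneath it (for example a Restrictions subkey)
        $keys = @(Get-Item -Path $path) +
                @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $displayName = if ($name -eq '') { '(Default)' } else { $name }
                [pscustomobject]@{
                    Key   = $key.Name
                    Name  = $displayName
                    Type  = $key.GetValueKind($name)
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

# Record the findings to the desktop before running a fix that deletes the keys
$found = @(Get-IEPolicyValues)
if ($found.Count -gt 0) {
    $found | Format-Table -AutoSize
    $found | Export-Csv -Path "$env:USERPROFILE\Desktop\ie-policy-values.csv" -NoTypeInformation
} else {
    Write-Host 'No Internet Explorer policy keys found under HKLM or HKCU.'
}
```

Run the same check again after the fix: an empty result confirms both keys are gone, and the saved CSV shows exactly which policy values had been applied.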

#6 autt2

autt2
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:01 AM

Posted 09 June 2016 - 04:23 PM

Here is the log from FRST:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:09-06-2016
Ran by O'Donnell (2016-06-09 17:16:08) Run:1
Running from C:\Users\O'Donnell\Downloads
Loaded Profiles: O'Donnell (Available Profiles: O'Donnell)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-4182491821-2651143417-1818612708-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-06-05] ()
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20160329.004\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20160329.004\EX64.SYS [X]
C:\Users\O'Donnell\AppData\Local\Temp\7za.exe
C:\Users\O'Donnell\AppData\Local\Temp\DaS_21.exe
C:\Users\O'Donnell\AppData\Local\Temp\dllnt_dump.dll
C:\Users\O'Donnell\AppData\Local\Temp\hijackthis.exe
C:\Users\O'Donnell\AppData\Local\Temp\NirCmd.exe
C:\Users\O'Donnell\AppData\Local\Temp\PEVZ.EXE
C:\Users\O'Donnell\AppData\Local\Temp\remove.exe
C:\Users\O'Donnell\AppData\Local\Temp\sed.exe
C:\Users\O'Donnell\AppData\Local\Temp\shortcut.exe
C:\Users\O'Donnell\AppData\Local\Temp\swreg.exe
C:\Users\O'Donnell\AppData\Local\Temp\swxcacls.exe
C:\Users\O'Donnell\AppData\Local\Temp\wget.exe
C:\Users\O'Donnell\AppData\Local\Temp\zoek-delete.exe
CMD: type "C:\ComboFix.txt"
*****************

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-4182491821-2651143417-1818612708-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
AppMgmt => service removed successfully
TrueSight => service removed successfully
NAVENG => service removed successfully
NAVEX15 => service removed successfully
C:\Users\O'Donnell\AppData\Local\Temp\7za.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\DaS_21.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\dllnt_dump.dll => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\hijackthis.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\NirCmd.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\PEVZ.EXE => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\remove.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\sed.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\shortcut.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\swreg.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\swxcacls.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\wget.exe => moved successfully
C:\Users\O'Donnell\AppData\Local\Temp\zoek-delete.exe => moved successfully

=========  type "C:\ComboFix.txt" =========

ComboFix 16-06-01.01 - O'Donnell 06/05/2016  11:41:52.1.4 - x64 NETWORK
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5887.4901 [GMT -4:00]
Running from: c:\users\O'Donnell\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\18P86RA8\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Microsoft Security Essentials *Enabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2016-05-05 to 2016-06-05  )))))))))))))))))))))))))))))))
.
.
2016-06-05 15:45 . 2016-06-05 15:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-06-05 15:36 . 2016-06-05 15:36 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6146638A-AE93-4E96-B0E0-94FF0216417C}\offreg.760.dll
2016-06-05 15:27 . 2016-06-05 15:27 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6146638A-AE93-4E96-B0E0-94FF0216417C}\offreg.736.dll
2016-06-05 15:17 . 2016-06-05 15:17 24688 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2016-06-05 15:16 . 2016-06-05 15:25 -------- d-----w- c:\programdata\RogueKiller
2016-06-05 13:40 . 2016-05-26 17:28 11895896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6146638A-AE93-4E96-B0E0-94FF0216417C}\mpengine.dll
2016-06-05 13:07 . 2016-06-05 15:39 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-04-30 15:39 . 2016-05-06 01:51 1190000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{387C8B1F-DBB0-4FC4-ADB2-D621293C1075}\gapaengine.dll
2016-04-30 15:39 . 2016-05-02 21:36 1190000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2016-04-22 00:30 . 2016-03-29 15:08 453288 ------w- c:\windows\system32\MpSigStub.exe
2016-04-17 07:18 . 2016-04-17 07:18 194048 ----a-w- c:\windows\SysWow64\elshyph.dll
2016-04-17 07:18 . 2016-04-17 07:18 942592 ----a-w- c:\windows\system32\jsIntl.dll
2016-04-17 07:18 . 2016-04-17 07:18 90112 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2016-04-17 07:18 . 2016-04-17 07:18 86016 ----a-w- c:\windows\SysWow64\iesysprep.dll
2016-04-17 07:18 . 2016-04-17 07:18 86016 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2016-04-17 07:18 . 2016-04-17 07:18 81408 ----a-w- c:\windows\system32\icardie.dll
2016-04-17 07:18 . 2016-04-17 07:18 77312 ----a-w- c:\windows\system32\tdc.ocx
2016-04-17 07:18 . 2016-04-17 07:18 74240 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2016-04-17 07:18 . 2016-04-17 07:18 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2016-04-17 07:18 . 2016-04-17 07:18 645120 ----a-w- c:\windows\SysWow64\jsIntl.dll
2016-04-17 07:18 . 2016-04-17 07:18 62464 ----a-w- c:\windows\SysWow64\tdc.ocx
2016-04-17 07:18 . 2016-04-17 07:18 62464 ----a-w- c:\windows\system32\pngfilt.dll
2016-04-17 07:18 . 2016-04-17 07:18 616104 ----a-w- c:\windows\system32\ieapfltr.dat
2016-04-17 07:18 . 2016-04-17 07:18 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2016-04-17 07:18 . 2016-04-17 07:18 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2016-04-17 07:18 . 2016-04-17 07:18 48640 ----a-w- c:\windows\system32\mshtmler.dll
2016-04-17 07:18 . 2016-04-17 07:18 36352 ----a-w- c:\windows\SysWow64\imgutil.dll
2016-04-17 07:18 . 2016-04-17 07:18 30208 ----a-w- c:\windows\system32\licmgr10.dll
2016-04-17 07:18 . 2016-04-17 07:18 247808 ----a-w- c:\windows\system32\msls31.dll
2016-04-17 07:18 . 2016-04-17 07:18 24576 ----a-w- c:\windows\SysWow64\licmgr10.dll
2016-04-17 07:18 . 2016-04-17 07:18 235520 ----a-w- c:\windows\system32\url.dll
2016-04-17 07:18 . 2016-04-17 07:18 235008 ----a-w- c:\windows\system32\elshyph.dll
2016-04-17 07:18 . 2016-04-17 07:18 182272 ----a-w- c:\windows\SysWow64\msls31.dll
2016-04-17 07:18 . 2016-04-17 07:18 167424 ----a-w- c:\windows\system32\iexpress.exe
2016-04-17 07:18 . 2016-04-17 07:18 151552 ----a-w- c:\windows\SysWow64\iexpress.exe
2016-04-17 07:18 . 2016-04-17 07:18 143872 ----a-w- c:\windows\system32\wextract.exe
2016-04-17 07:18 . 2016-04-17 07:18 139264 ----a-w- c:\windows\SysWow64\wextract.exe
2016-04-17 07:18 . 2016-04-17 07:18 13824 ----a-w- c:\windows\system32\mshta.exe
2016-04-17 07:18 . 2016-04-17 07:18 13312 ----a-w- c:\windows\SysWow64\mshta.exe
2016-04-17 07:18 . 2016-04-17 07:18 13312 ----a-w- c:\windows\system32\msfeedssync.exe
2016-04-17 07:18 . 2016-04-17 07:18 131072 ----a-w- c:\windows\system32\IEAdvpack.dll
2016-04-17 07:18 . 2016-04-17 07:18 111616 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2016-04-17 07:18 . 2016-04-17 07:18 105984 ----a-w- c:\windows\system32\iesysprep.dll
2016-04-17 07:18 . 2016-04-17 07:18 48128 ----a-w- c:\windows\system32\imgutil.dll
2016-04-17 07:18 . 2016-04-17 07:18 135680 ----a-w- c:\windows\system32\iepeers.dll
2016-04-17 07:16 . 2016-04-17 07:16 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2016-04-17 07:16 . 2016-04-17 07:16 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2016-04-17 07:16 . 2016-04-17 07:16 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
2016-04-17 07:16 . 2016-04-17 07:16 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2016-04-17 07:16 . 2016-04-17 07:16 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2016-04-17 07:16 . 2016-04-17 07:16 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2016-04-17 07:16 . 2016-04-17 07:16 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2016-04-17 07:16 . 2016-04-17 07:16 363008 ----a-w- c:\windows\system32\dxgi.dll
2016-04-17 07:16 . 2016-04-17 07:16 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2016-04-17 07:16 . 2016-04-17 07:16 296960 ----a-w- c:\windows\system32\d3d10core.dll
2016-04-17 07:16 . 2016-04-17 07:16 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2016-04-17 07:16 . 2016-04-17 07:16 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2016-04-17 07:16 . 2016-04-17 07:16 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2016-04-17 07:16 . 2016-04-17 07:16 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2016-04-17 07:16 . 2016-04-17 07:16 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2016-04-17 07:16 . 2016-04-17 07:16 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2016-04-17 07:16 . 2016-04-17 07:16 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2016-04-17 07:16 . 2016-04-17 07:16 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2016-04-17 07:16 . 2016-04-17 07:16 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2016-04-17 07:16 . 2016-04-17 07:16 1238528 ----a-w- c:\windows\system32\d3d10.dll
2016-04-17 07:16 . 2016-04-17 07:16 1080832 ----a-w- c:\windows\SysWow64\d3d10.dll
2016-04-04 18:14 . 2016-04-16 11:15 38120 ----a-w- c:\windows\system32\CompatTelRunner.exe
2016-04-04 18:02 . 2016-04-16 11:15 1169408 ----a-w- c:\windows\system32\aeinv.dll
2016-04-02 13:08 . 2016-04-16 11:15 1386496 ----a-w- c:\windows\system32\appraiser.dll
2016-03-31 19:25 . 2016-04-18 07:28 394952 ----a-w- c:\windows\system32\iedkcs32.dll
2016-03-31 00:54 . 2016-04-18 07:28 25817600 ----a-w- c:\windows\system32\mshtml.dll
2016-03-31 00:40 . 2016-04-18 07:28 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2016-03-31 00:40 . 2016-04-18 07:28 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2016-03-31 00:31 . 2016-04-18 07:28 2892800 ----a-w- c:\windows\system32\iertutil.dll
2016-03-31 00:28 . 2016-04-18 07:28 571904 ----a-w- c:\windows\system32\vbscript.dll
2016-03-31 00:28 . 2016-04-18 07:28 66560 ----a-w- c:\windows\system32\iesetup.dll
2016-03-31 00:27 . 2016-04-18 07:28 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll
2016-03-31 00:27 . 2016-04-18 07:28 417792 ----a-w- c:\windows\system32\html.iec
2016-03-31 00:27 . 2016-04-18 07:28 88064 ----a-w- c:\windows\system32\MshtmlDac.dll
2016-03-31 00:25 . 2016-04-18 07:28 6052352 ----a-w- c:\windows\system32\jscript9.dll
2016-03-31 00:22 . 2016-04-18 07:28 54784 ----a-w- c:\windows\system32\jsproxy.dll
2016-03-31 00:21 . 2016-04-18 07:28 34304 ----a-w- c:\windows\system32\iernonce.dll
2016-03-31 00:19 . 2016-04-18 07:28 615936 ----a-w- c:\windows\system32\ieui.dll
2016-03-31 00:17 . 2016-04-18 07:28 114688 ----a-w- c:\windows\system32\ieetwcollector.exe
2016-03-31 00:17 . 2016-04-18 07:28 144384 ----a-w- c:\windows\system32\ieUnatt.exe
2016-03-31 00:17 . 2016-04-18 07:28 817664 ----a-w- c:\windows\system32\jscript.dll
2016-03-31 00:17 . 2016-04-18 07:28 814080 ----a-w- c:\windows\system32\jscript9diag.dll
2016-03-31 00:11 . 2016-04-18 07:28 968704 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2016-03-31 00:08 . 2016-04-18 07:28 489984 ----a-w- c:\windows\system32\dxtmsft.dll
2016-03-31 00:02 . 2016-04-18 07:28 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-05-26 656896]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
R1 BHDrvx64;Symantec Heuristics Driver;c:\windows\System32\Drivers\NISx64\1008000.029\BHDrvx64.sys;c:\windows\SYSNATIVE\Drivers\NISx64\1008000.029\BHDrvx64.sys [x]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NISx64\1008000.029\ccHPx64.sys;c:\windows\SYSNATIVE\Drivers\NISx64\1008000.029\ccHPx64.sys [x]
R1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20160328.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20160328.001\IDSvia64.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NISx64\1008000.029\SYMNDISV.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1008000.029\SYMNDISV.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1008000.029\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1008000.029\SYMEFA64.SYS [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    SSDPSRV upnphost SCardSvr QWAVE wcncsvc
.
Contents of the 'Scheduled Tasks' folder
.
2016-06-05 c:\windows\Tasks\HPCeeScheduleForO'Donnell.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2016-03-29 21:38]
.
2016-04-06 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-06-10 11:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-07-08 610360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-18 16334368]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2016-01-29 1340192]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-06-05  11:47:17
ComboFix-quarantined-files.txt  2016-06-05 15:47
.
Pre-Run: 1,937,016,606,720 bytes free
Post-Run: 1,936,670,527,488 bytes free
.
- - End Of File - - 83635546A6CCA5CA6ABA9FD64B85B65A
ED6A1AC36E6608089F7D4ED0A503557E

------------------------------

 

When I say the browsers don't work - they load but act as if internet is not available.  I tested with my ISP and can ping their servers so I know I have a connection, plus I can connect in the browsers via safe mode.

 

I did uninstall Norton.

 

Browsers still not seeing internet.


Edited by autt2, 09 June 2016 - 04:31 PM.


#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,368 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:01 AM

Posted 09 June 2016 - 05:24 PM

Just to clarify please. When you say "Safe Mode" you are talking about booting your computer into that condition rather than running a browser in its safe mode setting, correct?


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#8 autt2

autt2
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:01 AM

Posted 09 June 2016 - 05:30 PM

Yes, I'm booting in safe mode.

#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,368 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:01 AM

Posted 09 June 2016 - 05:30 PM

Thank you,

Please do this.

===================================================

Clean Boot

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msconfig and press Enter
  • If you are prompted for an administrator password or for a confirmation, type the password, or provide confirmation
  • Click the General tab then click Selective Startup
  • Check Load system services
  • Uncheck Load Startup Items
  • Click the Services tab
  • Click to select the Hide All Microsoft Services check box
  • Click Disable All, and then click OK
  • When you are prompted, click Restart and boot into Normal Mode
  • Check your computer performance
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Results?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#10 autt2

autt2
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:01 AM

Posted 09 June 2016 - 06:00 PM

Done. Rebooted. Browser still not connecting. IE message says page cannot be displayed. Firefox says unable to connect.

#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,368 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:01 AM

Posted 09 June 2016 - 08:49 PM

OK, Please do this.

===================================================

Comparing HijackThis Startup Lists for Clean Boot and Safe Mode

--------------------
  • Download HijackThis and save it to your desktop
  • Press the Windows key + r on your keyboard at the same time
  • Type msconfig and press Enter
  • If you are prompted for an administrator password or for a confirmation, type the password, or provide confirmation
  • Click the General tab then click Selective Startup
  • Check Load system services
  • Uncheck Load Startup Items
  • Click the Services tab
  • Click to select the Hide All Microsoft Services check box
  • Click Disable All, and then click OK
  • When you are prompted, click Restart and boot into Normal Mode
  • Double click the HijackThis icon, then select Run
  • If prompted select I Accept
  • Click on Open the Misc Tools Section.
  • Then press Generate StartupList log, making sure that both boxes next to it are checked.
  • Select Yes at the prompt.
  • Save the report file onto your desktop as HJTCleanBoot.txt
  • Click the Boot tab
  • Check Safe boot and Network
  • Click Apply, OK, then Restart to boot your computer into Safe Mode with Networking
  • Double click the HijackThis icon, then select Run
  • If prompted select I Accept
  • Click on Open the Misc Tools Section.
  • Then press Generate StartupList log, making sure that both boxes next to it are checked.
  • Select Yes at the prompt.
  • Save the report file onto your desktop as HJTSafeMode.txt
  • Close the HijackThis window
  • Attach both files to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Attached HJT logs

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."
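As an added example (not Gary's tool and not part of the original thread), the script below does the comparison this step is after: it parses two StartupList-style logs and lists every entry that still loads in Clean Boot but is skipped in Safe Mode, which is exactly the set of suspects when the browser works in one and not the other. The two sample logs and their simplified "section heading, then name = value lines" layout are constructed assumptions, not real HijackThis output.

```python
"""Diff two StartupList-style logs: what loads in Clean Boot but not in Safe Mode."""
import re
from typing import List, Set, Tuple

Entry = Tuple[str, str, str]  # (section, name, value)

# Constructed sample logs in a simplified StartupList-like layout: a section
# heading, then "name = value" lines until the next blank line. Real HijackThis
# output is richer; the parser only assumes this simplified shape.
HJT_CLEAN_BOOT = r"""
Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSC = "C:\Program Files\Microsoft Security Client\msseces.exe" -hide
ExampleUpdater = C:\Users\Public\example_unknown.exe /silent

Services (autostart):
MsMpSvc = C:\Program Files\Microsoft Security Client\MsMpEng.exe
examplehlp = C:\ProgramData\examplehlp\examplehlp.sys
"""

HJT_SAFE_MODE = r"""
Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MSC = "C:\Program Files\Microsoft Security Client\msseces.exe" -hide

Services (autostart):
MsMpSvc = C:\Program Files\Microsoft Security Client\MsMpEng.exe
"""

ENTRY_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<value>.+?)\s*$")


def parse_startup_list(text: str) -> Set[Entry]:
    """Return the set of (section, name, value) entries found in one log."""
    entries: Set[Entry] = set()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank line: current section ends
        m = ENTRY_RE.match(line)
        if m is None:
            section = line                # any line without "=" is a heading
            continue
        # Compare case-insensitively: Windows paths and value names are not case-sensitive
        entries.add((section.lower(), m["name"].lower(), m["value"].lower()))
    return entries


def clean_boot_only(clean_log: str, safe_log: str) -> List[Entry]:
    """Entries that load under Clean Boot but that Safe Mode skips: the suspects."""
    return sorted(parse_startup_list(clean_log) - parse_startup_list(safe_log))


if __name__ == "__main__":
    for section, name, value in clean_boot_only(HJT_CLEAN_BOOT, HJT_SAFE_MODE):
        print(f"[{section}] {name} = {value}")
```

Point the two constants at the real HJTCleanBoot.txt and HJTSafeMode.txt contents and the output is the list of items to research first.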

#12 autt2

autt2
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:01 AM

Posted 10 June 2016 - 10:56 AM

Hello -

 

As requested, I have attached both of the requested files, HJTCleanBoot.txt and HJTSafeMode.txt.

 

Attached File: HJTCleanBoot.txt (48.9KB)
Attached File: HJTSafeMode.txt (48.75KB)

 

Ann



#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,368 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:01 AM

Posted 10 June 2016 - 11:30 AM

Thank you Ann,

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
Move: c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe.old
Move: c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe.old
reboot:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • Your computer will automatically reboot
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Check your Internet in Normal Boot
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Internet?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#14 autt2

autt2
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:01 AM

Posted 10 June 2016 - 04:40 PM

No internet yet.

Here's the log:

Fix result of Farbar Recovery Scan Tool (x64) Version:10-06-2016
Ran by O'Donnell (2016-06-10 17:32:30) Run:2
Running from C:\Users\O'Donnell\Downloads
Loaded Profiles: O'Donnell (Available Profiles: O'Donnell)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
Move: c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe.old
Move: c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe.old
reboot:
*****************

"c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" moved successfully to c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe.old
"c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" moved successfully to c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe.old

The system needed a reboot.

==== End of Fixlog 17:32:30 ====



#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,368 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:07:01 AM

Posted 10 June 2016 - 06:25 PM

Thank you, please do this in Normal Boot.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
Move: c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe.old c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe 
Move: c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe.old c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
cmd: ipconfig /all
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: ping 172.217.1.46
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Please rerun a FRST scan and make sure Addition.txt is checked. Copy and paste both logs in your reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • FRST.txt
  • Addition.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."
