detsi

Members
  • Content count

    62
About detsi

  • Rank
    Regular Member

  1. Ok David, thanks for taking the time to try and help me.
  2. It was just my usual Gmail account. No client.
  3. Hi David, thanks for your reply. What further info do you need?
  4. While checking my emails from my son's laptop I found a message in Spam that Google warned me was phishing. Before I finished reading the warning the message suddenly disappeared. I did not consciously click any links or even read the message but I would like to recover it to delete it. I would like to know: a) could the message have been removed after opening by my son's malware protection software (McAfee)? b) could my son's machine or email account be compromised even though he does not use Gmail? c) could my gmail account be compromised even though I opened the email on a different machine?
  5. Update: The sites that were an issue now seem to be okay following clearing the browser's cache. I would still appreciate any comment on the scan results. Thanks.
  6. Edit to the above post: "After posting your new post, make sure under options, you select Follow this topic button and choose Immediate Email Notification". Sorry, I am unable to find 'options'.
  7. Some sites behaving a bit odd over the last day or so. Can you check it out for me, thanks.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-05-2016 02
Ran by TEDISTED (administrator) on TEDISTED-PC (27-05-2016 22:30:31)
Running from C:\Users\TEDISTED\Desktop\Desktop
Loaded Profiles: TEDISTED (Available Profiles: TEDISTED)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: "C:\Program Files\Pale Moon\palemoon.exe" -osint -url "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft) C:\Program Files\Heimdal\HeimdalSecureDNS\DNSService.exe
(CSIS Security Group) C:\Program Files\Heimdal\Service\HeimdalAgentService.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(RaMMicHaeL) C:\Program Files\Unchecky\bin\unchecky_svc.exe
(RaMMicHaeL) C:\Program Files\Unchecky\bin\unchecky_bg.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(TOSHIBA) C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(CSIS Security Group) C:\Program Files\Heimdal\Client\HeimdalAgent.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Moonchild Productions) C:\Program Files\Pale Moon\palemoon.exe

==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [6037504 2008-04-08] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-11-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2623456 2016-04-15] (Malwarebytes Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7400576 2016-05-12] (AVAST Software)
HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\Run: [TOSCDSPD] => TOSCDSPD.EXE
HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2016-05-11] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Heimdal.lnk [2015-08-17]
ShortcutTarget: Heimdal.lnk -> C:\Program Files\Heimdal\Client\HeimdalAgent.exe (CSIS Security Group)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{05C66536-4798-4088-90FA-F1B04232753D}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEE&bmod=TSEE
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEE&bmod=TSEE
HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.co.uk/webhp?gws_rd=ssl
SearchScopes: HKLM -> DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxp://uk.yhs4.search.yahoo.com/yhs/search?hspart=avast&hsimp=yhs-001&type={partner_id}&p={searchTerms}
SearchScopes: HKLM -> {140260F3-37F5-4B5B-A63C-64B6BA0E6B0C} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSEE;
SearchScopes: HKLM -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = hxxp://uk.yhs4.search.yahoo.com/yhs/search?hspart=avast&hsimp=yhs-001&type={partner_id}&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000 -> DefaultScope {4FB71FDE-5D44-4D92-B66A-5ADCB30894A7} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000 -> {140260F3-37F5-4B5B-A63C-64B6BA0E6B0C} URL =
SearchScopes: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000 -> {4FB71FDE-5D44-4D92-B66A-5ADCB30894A7} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-05-11] (AVAST Software)
BHO: WOT Helper -> {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -> C:\Program Files\WOT\WOT.dll [2013-09-02] ()
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
Toolbar: HKLM - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2013-09-02] ()
Toolbar: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000 -> WOT - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2013-09-02] ()
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll [2013-09-02] ()

FireFox:
========
FF ProfilePath: C:\Users\TEDISTED\AppData\Roaming\Mozilla\Firefox\Profiles\q1t4d00b.default-1424371690050
FF Homepage: hxxp://www.bbc.co.uk/news/uk/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-12] ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Extension: British English Dictionary - C:\Users\TEDISTED\AppData\Roaming\Mozilla\Firefox\Profiles\q1t4d00b.default-1424371690050\extensions\en-GB@dictionaries.addons.mozilla.org [2015-02-19] [not signed]
FF Extension: WOT - C:\Users\TEDISTED\AppData\Roaming\Mozilla\Firefox\Profiles\q1t4d00b.default-1424371690050\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-02-19] [not signed]
FF Extension: FastestFox - C:\Users\TEDISTED\AppData\Roaming\Mozilla\Firefox\Profiles\q1t4d00b.default-1424371690050\extensions\smarterwiki@wikiatic.com.xpi [2015-02-20] [not signed]
FF Extension: Gmail Notifier (restartless) - C:\Users\TEDISTED\AppData\Roaming\Mozilla\Firefox\Profiles\q1t4d00b.default-1424371690050\Extensions\jid0-GjwrPchS3Ugt7xydvqVK4DQk8Ls@jetpack.xpi [2015-04-12] [not signed]
FF Extension: Adblock Plus - C:\Users\TEDISTED\AppData\Roaming\Mozilla\Firefox\Profiles\q1t4d00b.default-1424371690050\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-04-06] [not signed]
FF Extension: Adblock Edge - C:\Users\TEDISTED\AppData\Roaming\Mozilla\Firefox\Profiles\q1t4d00b.default-1424371690050\Extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi [2015-04-06] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-05-27]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-05-27]

Chrome:
=======
CHR Profile: C:\Users\TEDISTED\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (No Name) - C:\Users\TEDISTED\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-25]
CHR Extension: (No Name) - C:\Users\TEDISTED\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-25]

==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-08-20] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-05-11] (AVAST Software)
R2 HeimdalSecureDNS; C:\Program Files\Heimdal\HeimdalSecureDNS\DnsService.exe [93776 2015-08-14] (Microsoft) [File not signed]
R2 HeimdalService; C:\Program Files\Heimdal\Service\HeimdalAgentService.exe [132688 2015-08-14] (CSIS Security Group) [File not signed]
S3 jswpsapi; C:\Program Files\Jumpstart\jswpsapi.exe [954368 2008-04-16] (Atheros Communications, Inc.) [File not signed]
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [742368 2016-04-15] (Malwarebytes Corporation)
S3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [32568 2014-06-05] (The OpenVPN Project)
R2 Unchecky; C:\Program Files\Unchecky\bin\unchecky_svc.exe [254904 2016-03-19] (RaMMicHaeL)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-21] (Microsoft Corporation)
S3 AvastVBoxSvc; "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [X]

===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [32792 2016-05-11] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [91168 2016-05-11] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [64272 2016-05-11] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [58776 2016-05-11] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [815792 2016-05-11] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [449640 2016-05-11] (AVAST Software)
R3 aswStmXP; C:\Windows\system32\drivers\aswStmXP.sys [187208 2016-05-11] (AVAST Software)
S3 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [67216 2016-05-11] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [221368 2016-05-11] (AVAST Software)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [50016 2016-04-15] ()
S3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [141408 2008-02-27] (Realtek Semiconductor Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [35288 2013-08-22] (The OpenVPN Project)
S3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [17960 2008-07-15] (Chicony Electronics Co., Ltd.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 MFE_RR; \??\C:\Users\TEDISTED\AppData\Local\Temp\mfe_rr.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]

==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-05-27 22:03 - 2016-05-11 22:22 - 00449640 _____ (AVAST Software) C:\Windows\system32\Drivers\aswC8C8.tmp
2016-05-27 22:03 - 2016-05-11 22:22 - 00221368 _____ (AVAST Software) C:\Windows\system32\Drivers\aswCB59.tmp
2016-05-27 22:03 - 2016-05-11 22:22 - 00187208 _____ (AVAST Software) C:\Windows\system32\Drivers\aswD74B.tmp
2016-05-27 22:03 - 2016-05-11 22:22 - 00091168 _____ (AVAST Software) C:\Windows\system32\Drivers\aswC28F.tmp
2016-05-27 22:03 - 2016-05-11 22:22 - 00067216 _____ (AVAST Software) C:\Windows\system32\Drivers\aswD940.tmp
2016-05-27 22:03 - 2016-05-11 22:22 - 00064272 _____ (AVAST Software) C:\Windows\system32\Drivers\aswBD50.tmp
2016-05-27 22:03 - 2016-05-11 22:22 - 00058776 _____ (AVAST Software) C:\Windows\system32\Drivers\aswC4F1.tmp
2016-05-27 22:03 - 2016-05-11 22:22 - 00032792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswBF73.tmp
2016-05-27 22:03 - 2016-05-11 22:19 - 00815792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswB939.tmp
2016-05-27 22:02 - 2016-05-11 22:20 - 00334280 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-05-26 20:35 - 2016-05-27 15:46 - 00000000 ____D C:\AdwCleaner
2016-05-12 17:58 - 2016-04-09 22:22 - 00638184 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2016-05-12 17:58 - 2016-04-09 22:16 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2016-05-12 17:52 - 2016-04-09 21:32 - 00299008 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-05-12 15:07 - 2016-04-09 20:00 - 02071040 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-05-12 15:06 - 2016-04-09 22:17 - 00975360 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2016-05-12 13:19 - 2016-05-24 07:56 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-05-12 13:19 - 2016-05-12 13:19 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-05-12 13:19 - 2016-05-12 13:19 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-05-12 12:51 - 2016-04-09 21:37 - 03608808 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2016-05-12 12:51 - 2016-04-09 21:37 - 03556584 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-05-12 12:50 - 2016-03-10 18:07 - 00501760 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-05-12 12:46 - 2016-04-09 19:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-05-12 12:45 - 2016-04-23 18:03 - 12858880 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-05-12 12:45 - 2016-04-23 18:03 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-05-12 12:45 - 2016-04-23 18:01 - 09729536 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-05-12 12:45 - 2016-04-23 18:00 - 01831424 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-05-12 12:45 - 2016-04-23 18:00 - 01436160 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-05-12 12:45 - 2016-04-23 18:00 - 01094656 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-05-12 12:45 - 2016-04-23 18:00 - 01089024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-05-12 12:45 - 2016-04-23 18:00 - 00232960 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-05-12 12:45 - 2016-04-23 18:00 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-05-12 12:45 - 2016-04-23 17:59 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-05-12 12:45 - 2016-04-23 17:59 - 01789952 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00711168 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00615424 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00414208 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00358912 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00217088 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00064512 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-05-12 12:45 - 2016-04-23 17:59 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-05-12 12:45 - 2016-04-23 17:59 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2016-05-12 12:44 - 2016-04-09 20:07 - 00486912 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2016-05-11 22:26 - 2016-05-11 22:26 - 00000000 ____D C:\Users\TEDISTED\AppData\Roaming\AVAST Software
2016-05-11 22:25 - 2016-05-11 22:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-05-11 22:23 - 2016-05-11 22:22 - 00449640 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-05-11 22:23 - 2016-05-11 22:22 - 00221368 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-05-11 22:23 - 2016-05-11 22:22 - 00187208 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStmXP.sys
2016-05-11 22:23 - 2016-05-11 22:22 - 00091168 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-05-11 22:23 - 2016-05-11 22:22 - 00067216 _____ (AVAST Software) C:\Windows\system32\Drivers\aswTdi.sys
2016-05-11 22:23 - 2016-05-11 22:22 - 00064272 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr.sys
2016-05-11 22:23 - 2016-05-11 22:22 - 00058776 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-05-11 22:23 - 2016-05-11 22:22 - 00032792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-05-11 22:23 - 2016-05-11 22:19 - 00815792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-05-11 22:20 - 2016-05-11 22:20 - 00052184 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-05-11 22:13 - 2016-05-11 22:36 - 00000000 ____D C:\Program Files\AVAST Software

==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-05-27 22:30 - 2014-06-13 09:20 - 00000000 ____D C:\FRST
2016-05-27 22:07 - 2014-04-16 20:45 - 00000000 ____D C:\Users\TEDISTED\Desktop\teds stuff
2016-05-27 22:00 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-27 22:00 - 2006-11-02 13:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-27 22:00 - 2006-11-02 13:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-27 21:59 - 2006-11-02 11:22 - 47972352 _____ C:\Windows\system32\config\software_previous
2016-05-27 21:59 - 2006-11-02 11:22 - 46923776 _____ C:\Windows\system32\config\system_previous
2016-05-27 21:59 - 2006-11-02 11:22 - 43253760 _____ C:\Windows\system32\config\components_previous
2016-05-27 21:59 - 2006-11-02 11:22 - 01048576 _____ C:\Windows\system32\config\default_previous
2016-05-27 21:59 - 2006-11-02 11:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2016-05-27 21:59 - 2006-11-02 11:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2016-05-27 21:58 - 2015-09-29 12:49 - 00000000 ____D C:\Users\detsi
2016-05-27 21:58 - 2015-01-05 20:26 - 00000000 ____D C:\Program Files\Passage3
2016-05-27 21:58 - 2014-04-24 18:36 - 00000000 ____D C:\ProgramData\Licenses
2016-05-27 21:58 - 2014-04-24 18:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
2016-05-27 21:58 - 2014-04-24 18:35 - 00000000 ____D C:\Program Files\SpywareBlaster
2016-05-27 21:58 - 2014-04-15 20:58 - 00000000 ____D C:\Users\TEDISTED
2016-05-27 21:58 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system32\spool
2016-05-27 21:58 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\registration
2016-05-27 21:58 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\inf
2016-05-27 20:42 - 2014-09-26 23:20 - 00000000 ____D C:\Users\TEDISTED\AppData\Local\Adobe
2016-05-25 17:28 - 2014-04-24 18:36 - 00000000 ____D C:\ProgramData\TEMP
2016-05-21 10:47 - 2014-04-17 22:06 - 00000000 ____D C:\Users\TEDISTED\AppData\Roaming\Skype
2016-05-21 10:43 - 2014-04-17 22:06 - 00000000 ____D C:\ProgramData\Skype
2016-05-20 12:04 - 2014-04-17 08:53 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-05-19 12:27 - 2014-10-18 09:46 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2016-05-18 21:10 - 2014-04-16 20:46 - 00000000 ____D C:\Users\TEDISTED\Desktop\unused
2016-05-12 18:12 - 2006-11-02 11:33 - 00758370 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-12 18:02 - 2006-11-02 14:01 - 00032634 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-05-12 18:01 - 2006-11-02 13:37 - 00000000 ____D C:\Program Files\Windows Journal
2016-05-12 17:05 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\rescache
2016-05-12 16:25 - 2014-04-17 12:10 - 00000000 ____D C:\ProgramData\AVAST Software
2016-05-12 16:16 - 2006-11-02 13:47 - 00397568 _____ C:\Windows\system32\FNTCACHE.DAT
2016-05-12 15:06 - 2014-04-15 22:43 - 00000000 ____D C:\Windows\system32\MRT
2016-05-12 13:33 - 2006-11-02 11:24 - 136686448 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-05-11 22:25 - 2015-01-05 23:06 - 00000000 ____D C:\ProgramData\Unchecky
2016-05-11 21:26 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system32\Msdtc
2016-05-11 09:36 - 2015-02-24 22:53 - 00000000 ____D C:\Program Files\Pale Moon
2016-05-11 09:36 - 2014-04-24 17:50 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-05-06 10:36 - 2015-07-30 15:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2016-05-06 10:36 - 2015-02-24 20:15 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2016-05-03 08:12 - 2016-03-21 18:35 - 00000000 ___RD C:\Program Files\Skype

==================== Files in the root of some directories =======
2014-10-14 10:09 - 2015-01-18 14:59 - 0001356 _____ () C:\Users\TEDISTED\AppData\Local\d3d9caps.dat
2014-04-18 12:39 - 2014-05-14 21:23 - 0004608 _____ () C:\Users\TEDISTED\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-04-21 17:28 - 2014-04-21 17:28 - 0220969 _____ () C:\ProgramData\1398097347.bdinstall.bin

==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-05-27 22:18

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:25-05-2016 02
Ran by TEDISTED (2016-05-27 22:31:59)
Running from C:\Users\TEDISTED\Desktop\Desktop
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) (2014-04-15 16:43:26)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================
Administrator (S-1-5-21-3306118321-2799461415-1222813793-500 - Administrator - Disabled)
Guest (S-1-5-21-3306118321-2799461415-1222813793-501 - Limited - Disabled)
TEDISTED (S-1-5-21-3306118321-2799461415-1222813793-1000 - Administrator - Enabled) => C:\Users\TEDISTED

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adblock Plus for IE (32-bit) (HKLM\...\{E93152F1-E3AE-4B2A-9BAC-F770203F67E5}) (Version: 1.5 - Eyeo GmbH)
Adobe Flash Player 21 NPAPI (HKLM\...\{C4E4BF86-4E27-4B8B-8BF9-A5BF1C7573A4}) (Version: 21.0.0.242 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
Atheros Driver Installation Program (HKLM\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 5.2 - Atheros)
Atheros Wi-Fi Protected Setup Library (HKLM\...\{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}) (Version: - Atheros)
ATI Catalyst Install Manager (HKLM\...\{A7F27ADB-3C56-0F2B-6B4B-0B8E02A49186}) (Version: 3.0.664.0 - ATI Technologies, Inc.)
Avast Free Antivirus (HKLM\...\Avast) (Version: 11.2.2262 - AVAST Software)
Catalyst Control Center - Branding (HKLM\...\{69E5255D-9D43-4CFF-8984-843ABD7753B7}) (Version: 1.00.0000 - ATI)
ccc-core-static (Version: 2008.0422.2139.36895 - ATI) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.10 - Piriform)
CD/DVD Drive Acoustic Silencer (HKLM\...\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}) (Version: 2.02.03 - TOSHIBA)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Heimdal (HKLM\...\Heimdal) (Version: 1.10.5.0 - CSIS Security Group)
herdProtect Anti-Malware Scanner (HKLM\...\herdProtectScan) (Version: 1.0 - Reason Company Software Inc.)
Malwarebytes Anti-Exploit version 1.8.1.1196 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.8.1.1196 - Malwarebytes)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
OpenVPN 2.3.4-I002 (HKLM\...\OpenVPN) (Version: 2.3.4-I002 - )
Pale Moon 26.2.2 (x86 en-US) (HKLM\...\Pale Moon 26.2.2 (x86 en-US)) (Version: 26.2.2 - Moonchild Productions)
PASSAGE 3 (English version) (HKLM\...\P3E) (Version: - )
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9.141.259 - Google, Inc.)
Realtek 8169 8168 8101E 8102E Ethernet Driver (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0000 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5599 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM\...\{DC24971E-1946-445D-8A82-CE685433FA7D}) (Version: - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Skins (Version: 2008.0422.2139.36895 - ATI) Hidden
Skype™ 7.24 (HKLM\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.24.104 - Skype Technologies S.A.)
Speccy (HKLM\...\Speccy) (Version: 1.29 - Piriform)
SpywareBlaster 5.4 (HKLM\...\SpywareBlaster_is1) (Version: 5.4.0 - BrightFort LLC)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.7.1018 - SUPERAntiSpyware.com)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 11.2.4.0 - Synaptics)
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
TRORDCLauncher (Version: 1.0.0.1 - TOSHIBA) Hidden
Unchecky v0.4.3 (HKLM\...\Unchecky) (Version: 0.4.3 - RaMMicHaeL)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows Media Encoder 9 Series (HKLM\...\Windows Media Encoder 9) (Version: - )
WOT for Internet Explorer (HKLM\...\{373B90E1-A28C-434C-92B6-7281AFA6115A}) (Version: 13.9.2.0 - WOT Services Oy)

==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {1C5FE383-36FC-4489-B8E5-C133C3CB938D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-12] (Adobe Systems Incorporated)
Task: {9BFFCFC0-B785-4524-A0C5-3712B22ED74E} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-14] (Adobe Systems Incorporated)
Task: {A5D08630-9D9E-4505-B379-45FF153F40D7} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-09-16] (Piriform Ltd)
Task: {A989470D-7E9E-4BB7-931D-D300263BCB0D} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-05-11] (AVAST Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts =============================
(The entries could be listed to be restored or removed.)
==================== Loaded Modules (Whitelisted) ============== 2016-05-11 22:20 - 2016-05-11 22:20 - 00123344 _____ () C:\Program Files\AVAST Software\Avast\log.dll 2016-05-11 22:19 - 2016-05-11 22:19 - 00135816 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll 2016-05-23 17:53 - 2016-05-23 17:53 - 02977376 _____ () C:\Program Files\AVAST Software\Avast\defs\16052301\algo.dll 2016-05-11 22:20 - 2016-05-11 22:20 - 00309912 _____ () C:\Program Files\AVAST Software\Avast\browser_pass.dll 2016-05-11 22:20 - 2016-05-11 22:20 - 00479680 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll 2016-05-27 22:05 - 2016-05-27 22:05 - 02982040 _____ () C:\Program Files\AVAST Software\Avast\defs\16052701\algo.dll 2008-10-08 10:24 - 2008-04-22 21:05 - 00159744 _____ () C:\Windows\system32\atitmmxx.dll 2016-05-11 22:21 - 2016-05-11 22:22 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll 2015-02-24 22:53 - 2016-05-10 14:03 - 03060736 _____ () C:\Program Files\Pale Moon\mozjs.dll ==================== Alternate Data Streams (Whitelisted) ========= (If an entry is included in the fixlist, only the ADS will be removed.) AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125] ==================== Safe Mode (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.) ==================== Association (Whitelisted) =============== (If an entry is included in the fixlist, the registry item will be restored to default or removed.) ==================== Internet Explorer trusted/restricted =============== (If an entry is included in the fixlist, it will be removed from the registry.) IE trusted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\secunia.com. -> hxxps://secunia.com. 
IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\008i.com -> 008i.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\008k.com -> 008k.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\00hq.com -> 00hq.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\0190-dialers.com -> 0190-dialers.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\01i.info -> 01i.info IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\0411dd.com -> 0411dd.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\0511zfhl.com -> 0511zfhl.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\05p.com -> 05p.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\0632qyw.com -> 0632qyw.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\0calories.net -> 0calories.net IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\0cj.net -> 0cj.net IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\0scan.com -> 0scan.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\1-domains-registrations.com -> 1-domains-registrations.com IE restricted site: 
HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\1-se.com -> 1-se.com IE restricted site: HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\...\1001movie.com -> 1001movie.com There are 6091 more sites. ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2006-11-02 11:23 - 2016-05-27 22:00 - 00001961 ____A C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 localhost 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com 0.0.0.0 media.opencandy.com 0.0.0.0 cdn.opencandy.com 0.0.0.0 tracking.opencandy.com 0.0.0.0 api.opencandy.com 0.0.0.0 api.recommendedsw.com 0.0.0.0 installer.betterinstaller.com 0.0.0.0 installer.filebulldog.com 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net 0.0.0.0 inno.bisrv.com 0.0.0.0 nsis.bisrv.com 0.0.0.0 cdn.file2desktop.com 0.0.0.0 cdn.goateastcach.us 0.0.0.0 cdn.guttastatdk.us 0.0.0.0 cdn.inskinmedia.com 0.0.0.0 cdn.insta.oibundles2.com 0.0.0.0 cdn.insta.playbryte.com 0.0.0.0 cdn.llogetfastcach.us 0.0.0.0 cdn.montiera.com 0.0.0.0 cdn.msdwnld.com 0.0.0.0 cdn.mypcbackup.com 0.0.0.0 cdn.ppdownload.com 0.0.0.0 cdn.riceateastcach.us 0.0.0.0 cdn.shyapotato.us 0.0.0.0 cdn.solimba.com 0.0.0.0 cdn.tuto4pc.com 0.0.0.0 cdn.appround.biz 0.0.0.0 cdn.bigspeedpro.com 0.0.0.0 cdn.bispd.com There are 5 more lines. ==================== Other Areas ============================ (Currently there is no automatic fix for this section.) HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\TEDISTED\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg DNS Servers: 192.168.0.1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1) Windows Firewall is enabled. ==================== MSCONFIG/TASK MANAGER disabled items == (Currently there is no automatic fix for this section.) 
MSCONFIG\startupfolder: C:^Users^TEDISTED^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^TRDCReminder.lnk => C:\Windows\pss\TRDCReminder.lnk.Startup MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" MSCONFIG\startupreg: BingSvc => C:\Users\TEDISTED\AppData\Local\Microsoft\BingSvc\BingSvc.exe MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR MSCONFIG\startupreg: Google Desktop Search => "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup MSCONFIG\startupreg: GrooveMonitor => "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" MSCONFIG\startupreg: jswtrayutil => "C:\Program Files\Jumpstart\jswtrayutil.exe" MSCONFIG\startupreg: Skype => "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun MSCONFIG\startupreg: StartCCC => "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSCONFIG\startupreg: Toshiba Registration => C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe MSCONFIG\startupreg: Viber => "C:\Users\TEDISTED\AppData\Local\Viber\Viber.exe" ==================== FirewallRules (Whitelisted) =============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) 
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe FirewallRules: [{7096B345-2D9B-49E7-9B9B-C85072DAF534}] => (Allow) LPort=80 FirewallRules: [{F64AC4EF-84E3-4FBF-B576-ECD4E87010E4}] => (Allow) LPort=80 FirewallRules: [{EDDE3260-3142-47E7-B2A5-EEB5174BB845}] => (Allow) LPort=80 FirewallRules: [{62289433-FB98-42AB-B6B6-94F349FD08FE}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe FirewallRules: [{4751F492-A82F-4BA7-BD38-F20037D87A50}] => (Allow) C:\Users\TEDISTED\AppData\Local\Temp\nsdEF91.tmp\CnetInstaller-10030584.exe FirewallRules: [{DD050E0C-4700-4BFF-AD33-1E7149434461}] => (Allow) C:\Users\TEDISTED\AppData\Local\Temp\nsdEF91.tmp\CnetInstaller-10030584.exe FirewallRules: [{0C1F7241-137F-407C-BB9D-CF17F1C66CB9}] => (Allow) C:\Users\TEDISTED\AppData\Local\Temp\nscC6BC.tmp\CnetInstaller-10030584.exe FirewallRules: [{FFD01E2E-5DA3-4AA9-B748-4966A186A8E0}] => (Allow) C:\Users\TEDISTED\AppData\Local\Temp\nscC6BC.tmp\CnetInstaller-10030584.exe FirewallRules: [{E54350B6-9A13-424D-B7DB-B61BD712D02B}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe FirewallRules: [{7ECAC347-C091-45CD-BDD4-30A4A65D3E87}] => (Allow) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe FirewallRules: [{694C253B-9456-4734-B091-57B7519A66D5}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe ==================== Restore Points ========================= 24-05-2016 07:56:06 Windows Update 25-05-2016 14:28:49 Scheduled Checkpoint 27-05-2016 09:25:47 Scheduled 
Checkpoint 27-05-2016 21:54:06 Restore Operation 27-05-2016 22:16:48 Windows Update ==================== Faulty Device Manager Devices ============= Name: Microsoft Tun Miniport Adapter #2 Description: Microsoft Tun Miniport Adapter Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: tunmp Problem: : This device cannot start. (Code10) Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device. On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard. Name: Microsoft Tun Miniport Adapter #3 Description: Microsoft Tun Miniport Adapter Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: tunmp Problem: : This device cannot start. (Code10) Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device. On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard. ==================== Event log errors: ========================= Application errors: ================== Error: (05/27/2016 10:22:50 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\9> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f) Error: (05/27/2016 10:22:50 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\9> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. 
(0x8007001f) Error: (05/27/2016 10:22:49 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\8> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f) Error: (05/27/2016 10:22:49 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\8> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f) Error: (05/27/2016 10:22:48 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\7> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f) Error: (05/27/2016 10:22:48 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\7> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f) Error: (05/27/2016 10:22:47 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\6> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. 
(0x8007001f) Error: (05/27/2016 10:22:47 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\6> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f) Error: (05/27/2016 10:22:46 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\5> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f) Error: (05/27/2016 10:22:46 PM) (Source: Windows Search Service) (EventID: 3013) (User: ) Description: The entry <C:\USERS\TEDISTED\APPDATA\LOCAL\MOONCHILD PRODUCTIONS\PALE MOON\PROFILES\7YLEPXZC.DEFAULT-1456868378918\CACHE\5> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f) System errors: ============= Error: (05/27/2016 10:22:01 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY) Description: 0x80070643Definition Update for Windows Defender - KB915597 (Definition 1.221.745.0){022822CB-C608-4789-8516-D9D87910F353}200 Error: (05/27/2016 10:19:03 PM) (Source: WinDefend) (EventID: 2004) (User: ) Description: %%%82527 has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: %%%82524 Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. 
Signatures loading: %%825 Loading signature version: 1.221.457.0 Loading engine version: %%%825270 Error: (05/27/2016 10:00:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: VBoxAsw Support Driver%%3 Error: (05/27/2016 07:39:59 AM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: VBoxAsw Support Driver%%3 Error: (05/27/2016 07:39:26 AM) (Source: EventLog) (EventID: 6008) (User: ) Description: The previous system shutdown at 07:38:20 on 27/05/2016 was unexpected. Error: (05/26/2016 01:59:15 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: VBoxAsw Support Driver%%3 Error: (05/26/2016 01:58:53 PM) (Source: EventLog) (EventID: 6008) (User: ) Description: The previous system shutdown at 13:55:31 on 26/05/2016 was unexpected. Error: (05/19/2016 09:17:02 AM) (Source: Print) (EventID: 6161) (User: NT AUTHORITY) Description: The document Picasa, owned by TEDISTED, failed to print on printer HP DeskJet 840C/841C/842C/843C. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 6684672. Number of bytes printed: 3926368. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\TEDISTED-PC. Win32 error code returned by the print processor: Picasa0. Picasa1 Error: (05/19/2016 09:16:43 AM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: VBoxAsw Support Driver%%3 Error: (05/19/2016 09:16:03 AM) (Source: EventLog) (EventID: 6008) (User: ) Description: The previous system shutdown at 09:12:06 on 19/05/2016 was unexpected. CodeIntegrity: =================================== Date: 2016-05-26 15:56:44.018 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys because the set of per-page image hashes could not be found on the system. 
Date: 2016-05-26 15:56:43.175 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys because the set of per-page image hashes could not be found on the system. Date: 2016-05-26 15:56:42.349 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys because the set of per-page image hashes could not be found on the system. Date: 2016-05-26 15:56:41.397 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys because the set of per-page image hashes could not be found on the system. Date: 2016-05-26 15:56:40.211 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_80128.sys because the set of per-page image hashes could not be found on the system. Date: 2016-05-26 15:56:39.338 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_80128.sys because the set of per-page image hashes could not be found on the system. Date: 2016-05-26 15:56:38.464 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_80128.sys because the set of per-page image hashes could not be found on the system. 
Date: 2016-05-26 15:56:37.622 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_80128.sys because the set of per-page image hashes could not be found on the system. Date: 2016-05-26 15:56:36.732 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_80120.sys because the set of per-page image hashes could not be found on the system. Date: 2016-05-26 15:56:35.890 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_80120.sys because the set of per-page image hashes could not be found on the system. ==================== Memory info =========================== Processor: AMD Sempron(tm) SI-40 Percentage of memory in use: 60% Total physical RAM: 1789.1 MB Available physical RAM: 704.92 MB Total Virtual: 3830.68 MB Available Virtual: 2375.83 MB ==================== Drives ================================ Drive c: (Vista) (Fixed) (Total:74.22 GB) (Free:25.29 GB) NTFS ==>[drive with boot components (obtained from BCD)] Drive e: (Data) (Fixed) (Total:73.36 GB) (Free:68.54 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149.1 GB) (Disk ID: E2DB62BC) Partition 1: (Not Active) - (Size=1.5 GB) - (Type=07 NTFS) Partition 2: (Active) - (Size=74.2 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=73.4 GB) - (Type=07 NTFS) ==================== End of Addition.txt ============================
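A note on reading a log like the one posted above: the lines worth a second look are the ones that point at user-writable locations, because nothing that needs admin rights is required to replace the file they name. In this Addition.txt that is the four firewall allow rules for CnetInstaller-10030584.exe under AppData\Local\Temp (an installer folder that should not survive the install), the two autostart entries under AppData\Local (BingSvc, Viber), and the three LPort=80 allow rules that are not tied to any program. The following script is an added example written for this thread; it is not part of the thread or of FRST. It parses the FirewallRules, MSCONFIG\startupreg and Task line formats FRST prints and lists those entries with a reason each. The sample lines embedded in it are constructed to match the shape of the log above; point it at a real Addition.txt to run it over the full file.

```python
"""Triage helper for an FRST Addition.txt log (added example, not FRST's own code).

Parses the FirewallRules, MSCONFIG\\startupreg and Task line formats FRST prints
and flags entries whose executable lives in a user-writable location (Temp,
AppData, ProgramData) or that open a port without binding it to a program.
"""
import re
import sys

# Constructed sample in FRST's line format (same shape as the posted log).
SAMPLE_LOG = r"""
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [{7096B345-2D9B-49E7-9B9B-C85072DAF534}] => (Allow) LPort=80
FirewallRules: [{4751F492-A82F-4BA7-BD38-F20037D87A50}] => (Allow) C:\Users\TEDISTED\AppData\Local\Temp\nsdEF91.tmp\CnetInstaller-10030584.exe
FirewallRules: [{694C253B-9456-4734-B091-57B7519A66D5}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
MSCONFIG\startupreg: BingSvc => C:\Users\TEDISTED\AppData\Local\Microsoft\BingSvc\BingSvc.exe
MSCONFIG\startupreg: Skype => "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: Viber => "C:\Users\TEDISTED\AppData\Local\Viber\Viber.exe"
Task: {A5D08630-9D9E-4505-B379-45FF153F40D7} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-09-16] (Piriform Ltd)
"""

FIREWALL_RE = re.compile(r'^FirewallRules: \[(?P<name>[^\]]+)\] => \((?P<action>Allow|Block)\) (?P<target>.+)$')
STARTUP_RE = re.compile(r'^MSCONFIG\\startupreg: (?P<name>.+?) => (?P<cmd>.+)$')
TASK_RE = re.compile(r'^Task: (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<task>.+?) => (?P<exe>.+?) \[(?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)$')
# First .exe path in a command line, quoted or not, with a drive letter or %VAR% prefix.
EXE_RE = re.compile(r'"?((?:[A-Za-z]:|%[A-Za-z]+%)\\[^"]*?\.exe)', re.I)


def classify_path(path: str) -> str:
    """Bucket an executable path by who can write to its directory."""
    p = path.lower()
    if '\\appdata\\local\\temp\\' in p or '\\temp\\' in p:
        return 'temp'        # transient installer directory; nothing should persist here
    if '\\appdata\\' in p or '\\programdata\\' in p:
        return 'profile'     # user-writable; no admin rights needed to swap the file
    if p.startswith(('c:\\program files', 'c:\\windows', '%programfiles%', '%systemroot%')):
        return 'system'      # admin-only locations
    return 'unknown'


def parse(text: str) -> dict:
    """Split FRST lines into firewall rules, startup entries and scheduled tasks."""
    out = {'firewall': [], 'startup': [], 'task': []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FIREWALL_RE.match(line):
            out['firewall'].append(m.groupdict())
        elif m := STARTUP_RE.match(line):
            out['startup'].append(m.groupdict())
        elif m := TASK_RE.match(line):
            out['task'].append(m.groupdict())
    return out


def triage(text: str) -> list:
    """Return the entries a reviewer should look at first, with a reason each."""
    findings = []
    parsed = parse(text)
    for r in parsed['firewall']:
        target = r['target']
        if target.startswith('LPort='):
            findings.append({'kind': 'firewall', 'name': r['name'], 'path': target,
                             'reason': 'port allow rule not bound to a program'})
            continue
        loc = classify_path(target)
        if loc in ('temp', 'profile'):
            findings.append({'kind': 'firewall', 'name': r['name'], 'path': target,
                             'reason': f'allow rule for executable in {loc} directory'})
    for r in parsed['startup']:
        m = EXE_RE.search(r['cmd'])
        path = m.group(1) if m else r['cmd']
        loc = classify_path(path)
        if loc in ('temp', 'profile'):
            findings.append({'kind': 'startup', 'name': r['name'].strip(), 'path': path,
                             'reason': f'autostart entry running from {loc} directory'})
    for r in parsed['task']:
        loc = classify_path(r['exe'])
        if loc in ('temp', 'profile'):
            findings.append({'kind': 'task', 'name': r['task'], 'path': r['exe'],
                             'reason': f'scheduled task running from {loc} directory'})
    return findings


if __name__ == '__main__':
    # Usage: python frst_triage.py [Addition.txt]; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f['kind']:8} {f['name']:45} {f['reason']}\n         {f['path']}")
```

The script deliberately does not decide whether an entry is malicious; a stale Temp-directory firewall rule is usually just leftover clutter from a bundled installer, and a program like Viber legitimately installs under AppData. What it gives you is the short list to check by hand (does the file still exist, who signed it, does it match a known installer) instead of reading several hundred lines by eye.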
  8. Please see the log file following a scan with AdwCleaner. I would be very grateful for some advice as to what, if anything, I should remove:

# AdwCleaner v5.118 - Logfile created 27/05/2016 at 09:45:35
# Updated 23/05/2016 by Xplode
# Database : 2016-05-26.2 [Server]
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (X86)
# Username : TEDISTED - TEDISTED-PC
# Running from : C:\Users\TEDISTED\Desktop\teds stuff\adwcleaner_5.118.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

Folder Found : C:\Users\TEDISTED\AppData\Roaming\DesktopIconForAmazon

***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKCU\Software\OCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Found : HKU\S-1-5-21-3306118321-2799461415-1222813793-1000\Software\OCS
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}
Data Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {9CB96984-43C3-4D44-90EF-01466EFCF7BB}

***** [ Web browsers ] *****

*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [1434 bytes] - [26/05/2016 20:35:39]
C:\AdwCleaner\AdwCleaner[S2].txt - [1507 bytes] - [26/05/2016 21:11:34]
C:\AdwCleaner\AdwCleaner[S3].txt - [1431 bytes] - [27/05/2016 09:45:35]

########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1504 bytes] ##########
  9. Hi Kevin. I followed your instructions but when I tried to delete it I was told 'Destination Denied'. But I have been able to delete its contents and 'Kill Process' it in Process Explorer. Thank you for your time and advice.
  10. Sorry, to continue. When I Googled a solution it mentioned a program called UnHackme. what do you think?
  11. Ok, Kevin, will do. How do you suggest I remove it?
  12. Kevin, may I just add that as opposed to clearing this malware I would prefer removing the BingSvc file completely, as I do not need it. But I will follow your advice.
  13. The above post is the results of the scan on BingSvc.

Bing Process file was clear
Bing Update Config was clear
BSvc Updater scan shows:
ClamAV Win.Worm.Chir-2873 20160112
  14. Thanks again Kevin. Not too sure I'm doing this as I should, but this is the result of the scan that prompted me to make my original post:

Jiangmin Variant.Symmi.ace 20160112
Zillya Trojan.Injector.Win32.345016 20160112
  15. SystemLook.txt