Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:30-04-2016
Ran by gismeu (administrator) on GIAMEU (01-05-2016 08:07:53)
Running from C:\Users\gismeu\Downloads
Loaded Profiles: gismeu (Available Profiles: gismeu)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AcWin7Hlpr] => C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe [63376 2012-09-07] (Lenovo)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [AvgRemover] => C:\Users\gismeu\Downloads\avg_remover_stf_x64_2015_5501.exe /run_number=2 /ndis_nextstep=4
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4102688973-2130496443-4087980055-1000\...\RunOnce: [Report] => C:\AdwCleaner\AdwCleaner[C1].txt
HKU\S-1-5-21-4102688973-2130496443-4087980055-1000\...\MountPoints2: D - D:\Setup.exe
HKU\S-1-5-21-4102688973-2130496443-4087980055-1000\...\MountPoints2: {52d012e3-d5ad-11e1-b991-e89a8f581443} - E:\AutoRun.exe
HKU\S-1-5-21-4102688973-2130496443-4087980055-1000\...\MountPoints2: {64e851e3-d31e-11e1-b5fa-e89a8f581443} - E:\AutoRun.exe
HKU\S-1-5-21-4102688973-2130496443-4087980055-1000\...\MountPoints2: {64e851ea-d31e-11e1-b5fa-e89a8f581443} - E:\AutoRun.exe
HKU\S-1-5-21-4102688973-2130496443-4087980055-1000\...\MountPoints2: {84b1a606-d4a6-11e1-a63d-e89a8f581443} - E:\setup_vmb_lite.exe /checkApplicationPresence
HKU\S-1-5-21-4102688973-2130496443-4087980055-1000\...\MountPoints2: {84b1a654-d4a6-11e1-a63d-e89a8f581443} - F:\setup_vmb_lite.exe /checkApplicationPresence
Lsa: [Notification Packages] scecli ACGina

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{9263A1A0-B92C-4A32-87A0-3F9C7A675475}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{A31D1DA5-74DD-4E3C-9A96-BBE8F48E25EA}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKU\S-1-5-21-4102688973-2130496443-4087980055-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo.msn.com
HKU\S-1-5-21-4102688973-2130496443-4087980055-1000\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.lenovo.com/welcome/thinkpad
SearchScopes: HKLM -> {7509B7B2-6F1B-4301-A12D-B8FA3B44D1C9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {BB319545-1E2A-4CCE-B6B8-B88FFC6327EC} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LEMDF8&pc=MALC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4102688973-2130496443-4087980055-1000 -> DefaultScope {7509B7B2-6F1B-4301-A12D-B8FA3B44D1C9} URL =
SearchScopes: HKU\S-1-5-21-4102688973-2130496443-4087980055-1000 -> {7509B7B2-6F1B-4301-A12D-B8FA3B44D1C9} URL =
SearchScopes: HKU\S-1-5-21-4102688973-2130496443-4087980055-1000 -> {F50431DE-C870-49C9-B89B-3F6947D72D32} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20140102,20028,0,85,0
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - No File

FireFox:
========
FF ProfilePath: C:\Users\gismeu\AppData\Roaming\Mozilla\Firefox\Profiles\jtgxwkla.default-1436799463323
FF Homepage: hxxp://finance.yahoo.com/
FF Plugin: @java.com/DTPlugin,version=10.4.0 -> C:\Windows\system32\npDeployJava1.dll [2013-04-22] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin HKU\S-1-5-21-4102688973-2130496443-4087980055-1000: @citrixonline.com/appdetectorplugin -> C:\Users\gismeu\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2013-06-17] (Citrix Online)
FF Plugin HKU\S-1-5-21-4102688973-2130496443-4087980055-1000: tdameritrade.com/thinkorswim -> C:\Program Files (x86)\thinkorswim\npthinkorswim.dll [2016-04-29] (TD Ameritrade)
FF Plugin HKU\S-1-5-21-4102688973-2130496443-4087980055-1000: tdameritrade.com/tossc -> C:\Program Files (x86)\thinkorswim\nptossc.dll [2016-04-29] (TD Ameritrade)
FF Plugin ProgramFiles/Appdata: C:\Users\gismeu\AppData\Roaming\mozilla\plugins\npatgpc.dll [2011-12-18] (Cisco WebEx LLC)
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2016-04-15] [not signed]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2016-04-15] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [firefox@passwordbox.com] - C:\Program Files (x86)\PasswordBox\Firefox
FF Extension: PasswordBox - C:\Program Files (x86)\PasswordBox\Firefox [2013-11-21] [not signed]

Chrome:
=======
CHR Profile: C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-06]
CHR Extension: (Google Docs) - C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-06]
CHR Extension: (Google Drive) - C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-06]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-13]
CHR Extension: (YouTube) - C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-06]
CHR Extension: (Google Search) - C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-06]
CHR Extension: (Google Sheets) - C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-06]
CHR Extension: (Google Wallet) - C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-13]
CHR Extension: (Gmail) - C:\Users\gismeu\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-06]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [133992 2011-07-12] (Lenovo Group Limited)
S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2909472 2015-07-30] (IObit)
S2 lxdu_device; C:\Windows\system32\lxducoms.exe [1039360 2009-10-16] ( )
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
S2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
S2 pcCMService; C:\Program Files (x86)\Common Files\Motive\pcCMService.exe [369152 2013-05-07] (Alcatel-Lucent) [File not signed]
S2 pcCMService64; C:\Program Files\Common Files\Motive\pcCMService.exe [460288 2013-05-07] (Alcatel-Lucent) [File not signed]
S2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2255128 2015-08-04] (IBM Corp.)
S4 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [199272 2010-07-15] (Realtek Semiconductor)
S4 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [24120 2014-02-21] ()
S4 ThinkVantage Registry Monitor Service; C:\Program Files (x86)\Common Files\Lenovo\tvt_reg_monitor_svc.exe [1019904 2009-08-28] (Lenovo Group Limited) [File not signed]
S4 TVT Backup Service; C:\Program Files (x86)\Lenovo\Rescue and Recovery\rrservice.exe [1475896 2010-07-29] (Lenovo Group Limited)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-14] (AVG Technologies)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [26528 2015-11-01] (REALiX(tm))
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2013-05-07] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MREMP50a64; C:\Program Files\Common Files\Motive\MREMP50a64.SYS [43008 2013-05-07] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2013-05-07] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50a64; C:\Program Files\Common Files\Motive\MRESP50a64.SYS [40960 2013-05-07] (Printing Communications Assoc., Inc. (PCAUSA))
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
S1 RapportCerberus_1507065; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1507065.sys [958744 2015-11-11] (IBM Corp.)
S1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [500184 2015-08-04] (IBM Corp.)
S0 RapportHades64; C:\Windows\System32\Drivers\RapportHades64.sys [139896 2015-08-04] (IBM Corp.)
S3 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [394584 2015-08-04] (IBM Corp.)
S1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [489240 2015-08-04] (IBM Corp.)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [33448 2015-11-01] (Synaptics Incorporated)
S1 TPPWRIF; C:\Windows\System32\drivers\Tppwr64v.sys [13104 2010-08-24] ()
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-01 08:07 - 2016-05-01 08:09 - 00012382 _____ C:\Users\gismeu\Downloads\FRST.txt
2016-05-01 08:05 - 2016-05-01 08:05 - 02377216 _____ (Farbar) C:\Users\gismeu\Downloads\FRST64.exe
2016-04-30 17:25 - 2016-04-30 17:25 - 00070924 _____ C:\Users\gismeu\F4.DAT
2016-04-28 23:41 - 2016-04-28 23:41 - 00008649 _____ C:\Users\gismeu\Desktop\COMCAST.odt
2016-04-15 20:39 - 2016-04-22 17:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-01 08:07 - 2015-11-17 09:15 - 00000000 ____D C:\FRST
2016-05-01 08:03 - 2009-07-14 01:13 - 00863826 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-01 08:03 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-05-01 07:59 - 2014-12-31 09:44 - 30129250 _____ C:\Windows\ntbtlog.txt
2016-04-30 17:26 - 2012-10-12 13:00 - 00000265 _____ C:\Users\gismeu\MASTER
2016-04-30 17:26 - 2012-09-29 00:48 - 00000960 _____ C:\Users\gismeu\EMASTER
2016-04-30 17:26 - 2011-07-29 00:47 - 00000000 ____D C:\Users\gismeu
2016-04-30 17:25 - 2016-03-05 20:25 - 00080696 _____ C:\Users\gismeu\F3.DAT
2016-04-30 17:25 - 2016-01-29 18:37 - 00256060 _____ C:\Users\gismeu\F2.DAT
2016-04-30 17:25 - 2015-01-24 21:35 - 00096992 _____ C:\Users\gismeu\F1.DAT
2016-04-29 06:37 - 2013-04-14 21:45 - 00000000 ____D C:\Users\gismeu\.thinkorswim
2016-04-29 06:37 - 2011-07-29 01:31 - 00000000 ____D C:\Program Files (x86)\thinkorswim
2016-04-28 23:01 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-25 16:51 - 2014-05-09 18:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2011-08-04 14:21 - 2011-06-07 15:49 - 0004871 _____ () C:\Program Files (x86)\SLV 11.portfolio
2014-12-17 20:54 - 2014-12-17 20:54 - 0037607 _____ () C:\Program Files (x86)\Common Files\license.rtf
2014-12-17 20:54 - 2014-12-17 20:54 - 0008046 _____ () C:\Program Files (x86)\Common Files\setupBanner.jpg
2013-07-05 11:45 - 2013-07-07 20:50 - 0000960 _____ () C:\Users\gismeu\AppData\Roaming\.starmoon_kst.cfg
2013-02-12 09:56 - 2013-02-12 09:56 - 0007606 _____ () C:\Users\gismeu\AppData\Local\Resmon.ResmonCfg
2014-09-12 04:27 - 2014-09-12 04:27 - 0000000 _____ () C:\Users\gismeu\AppData\Local\{9A0E4B64-F871-4096-9115-58A4617EFA3B}
2013-09-05 14:30 - 2013-09-05 14:30 - 0000057 _____ () C:\ProgramData\Ament.ini
2013-08-24 20:33 - 2013-08-24 20:33 - 0000115 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.64.bc
2012-09-27 21:35 - 2012-09-27 21:35 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt

Files to move or delete:
====================
C:\Users\gismeu\F1.DAT
C:\Users\gismeu\F2.DAT
C:\Users\gismeu\F3.DAT
C:\Users\gismeu\F4.DAT

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-04-07 12:22

==================== End of FRST.txt ============================