Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-06-2017 01
Ran by essemtec (administrator) on PANX-PC1462 (10-06-2017 22:59:04)
Running from F:\
Loaded Profiles: essemtec (Available Profiles: essemtec & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\1185\g2ax_service.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\1185\g2ax_comm_customer.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\1185\g2ax_system_customer.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\1185\g2ax_user_customer.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2010-11-25] (ATI Technologies Inc.)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Remote Support Customer\1185\g2ax_winlogon.dll [2017-01-02] (Citrix Systems, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{B65B88C2-C154-4217-A484-465A9FFEA504}: [DhcpNameServer] 192.168.129.2 192.168.130.1

Internet Explorer:
==================
HKU\S-1-5-21-2646437663-3650158834-333150697-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.essemtec.com/
HKU\S-1-5-21-2646437663-3650158834-333150697-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)

FireFox:
========
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-12-13] [not signed]
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 GoToAssist Remote Support Customer; C:\Program Files\Citrix\GoToAssist Remote Support Customer\1185\g2ax_service.exe [607240 2017-01-02] (Citrix Systems, Inc.)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3398608 2017-05-09] (Malwarebytes) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
S3 asmthub3; C:\WINDOWS\System32\DRIVERS\asmthub3.sys [101352 2011-06-02] (ASMedia Technology Inc)
S3 asmtxhci; C:\WINDOWS\System32\DRIVERS\asmtxhci.sys [317416 2011-06-02] (ASMedia Technology Inc)
S3 AtiHDAudioService; C:\WINDOWS\System32\drivers\AtihdXP3.sys [101904 2010-11-17] (Advanced Micro Devices)
R2 BT848; C:\WINDOWS\System32\DRIVERS\BT848.sys [371349 2014-05-15] (Illusion & Hope.) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [220576 2017-06-10] (Malwarebytes) [File not signed]
R3 MCAPI; C:\WINDOWS\System32\drivers\mcapi.sys [19584 2003-10-31] (Precision MicroControl Corp.) [File not signed]
R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [55104 2012-07-02] (Intel Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
R3 mxser; C:\WINDOWS\System32\DRIVERS\mxser.sys [25216 2009-08-05] (Moxa Inc.)
R3 mxsport2; C:\WINDOWS\System32\DRIVERS\mxsport2.sys [90368 2009-08-05] (Moxa Inc.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-10 21:53 - 2017-06-10 22:58 - 00220576 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-06-10 21:53 - 2017-06-10 21:53 - 00001729 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
2017-06-10 21:53 - 2017-06-10 21:53 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes
2017-06-10 21:52 - 2017-06-10 21:52 - 00000000 ____D C:\Program Files\Malwarebytes
2017-06-10 21:52 - 2017-06-10 21:52 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2017-06-10 21:52 - 2017-05-25 11:58 - 00059936 _____ C:\WINDOWS\system32\Drivers\mbae.sys
2017-06-10 09:02 - 2017-06-10 22:59 - 00000000 ____D C:\FRST
2017-06-10 08:16 - 2017-06-10 09:01 - 00190398 _____ C:\WINDOWS\ntbtlog.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-10 22:59 - 2014-05-15 09:47 - 00000000 ____D C:\Documents and Settings\essemtec\Local Settings\Temp
2017-06-10 22:58 - 2014-06-03 08:30 - 00000228 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2017-06-10 22:58 - 2011-12-13 13:41 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-10 22:57 - 2014-05-15 09:47 - 00000178 ___SH C:\Documents and Settings\essemtec\ntuser.ini
2017-06-10 22:57 - 2012-01-11 10:19 - 00000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{4A315A59-94E5-49D1-9D9C-3EB9F1D2438B}.job
2017-06-10 22:57 - 2011-12-13 13:41 - 00032390 _____ C:\WINDOWS\SchedLgU.Txt
2017-06-10 22:56 - 2016-09-03 06:33 - 00000000 ____D C:\WINDOWS\ShellNew
2017-06-10 21:53 - 2011-12-13 14:00 - 00590608 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-06-10 21:48 - 2011-12-13 13:59 - 00000000 ____D C:\Documents and Settings\All Users
2017-06-10 21:48 - 2011-12-13 13:54 - 00000008 __RSH C:\Documents and Settings\All Users\ntuser.pol
2017-06-10 21:44 - 2011-12-13 13:59 - 00000000 ____D C:\Documents and Settings\Default User\Local Settings\Temp
2017-06-10 21:44 - 2011-12-13 13:41 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Temp
2017-06-10 21:44 - 2011-12-13 13:41 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2017-06-10 21:43 - 2011-12-13 13:53 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2017-06-10 21:39 - 2011-12-13 13:52 - 00012328 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-06-10 21:38 - 2011-12-13 13:59 - 00093480 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-06-10 21:38 - 2011-12-13 13:39 - 00000007 ___SH C:\AUTOEXEC.BAT
2017-06-09 17:56 - 2011-12-13 13:54 - 00000000 RSHDC C:\WINDOWS\system32\dllcache
2017-06-09 10:47 - 2008-04-14 14:00 - 00011936 _____ C:\WINDOWS\system32\wpa.dbl
2017-06-09 10:40 - 2014-05-15 10:13 - 00315808 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================