Seem To be Infected with NTDOS


  • This topic is locked
16 replies to this topic

#1 Satelllite

  • Members
  • 13 posts

Posted 23 March 2017 - 06:39 PM

Hi, I am new to the forum. I have been trying to clean out my XP for the last few days. Tried following some of the forum tutorials, however I have to keep reverting back to earlier system restore points to bring up my user profile. One of the programs is making it inaccessible. Strange, I have lost sound. I run SUPERAntiSpyware and Malwarebytes. Followed one of the tutorials, ran ComboFix, gives me a message to write down NTDOS.exe. GMER freezes up, will not complete. I ran FRST.exe per instructions and these are the results. System hangs up quite a bit.

Thank you so much for all of your help.

 

Here are the results from ComboFix. A little further down are the two results from FRST.exe. I could not get a report from GMER since it keeps crashing.

 

 

ComboFix 17-03-15.01 - Mark 03/16/2017  11:11:12.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.894.541 [GMT -4:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: Malwarebytes *Disabled/Updated* {D4AC7077-9720-47B0-8B38-DFAF3AA21DB6}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\TEMP\Application Data\64dlls.exe
c:\documents and settings\TEMP\Application Data\intel64.exe
c:\documents and settings\TEMP\Application Data\Kernel32.exe
c:\documents and settings\TEMP\Application Data\localsys64.exe
c:\documents and settings\TEMP\Application Data\ntos.exe
c:\documents and settings\TEMP\Application Data\oembios.exe
c:\documents and settings\TEMP\Application Data\sdra64.exe
c:\documents and settings\TEMP\Application Data\sdra73.exe
c:\documents and settings\TEMP\Application Data\swin32.exe
c:\documents and settings\TEMP\Application Data\twex.exe
c:\documents and settings\TEMP\Application Data\twext.exe
c:\documents and settings\TEMP\Application Data\win32avs.exe
c:\documents and settings\TEMP\Application Data\wsnpoema.exe
.
.
(((((((((((((((((((((((((   Files Created from 2017-02-16 to 2017-03-16  )))))))))))))))))))))))))))))))
.
.
2017-03-16 13:52 . 2017-03-16 13:57    --------    d-----w-    C:\AdwCleaner
2017-03-15 14:09 . 2017-03-16 14:55    148256    ----a-w-    c:\windows\system32\drivers\MBAMChameleon.sys
2017-03-15 14:08 . 2017-03-16 14:55    39360    ----a-w-    c:\windows\system32\drivers\mbam.sys
2017-03-15 14:08 . 2017-03-16 14:54    219584    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-03-15 14:07 . 2017-02-24 10:23    59968    ----a-w-    c:\windows\system32\drivers\mbae.sys
2017-03-15 14:07 . 2017-03-15 14:07    --------    d-----w-    c:\program files\Malwarebytes
2017-03-07 20:20 . 2017-03-07 20:20    32832    ----a-w-    c:\windows\system32\rnd_chunk.bin
2017-03-07 20:15 . 2017-03-07 20:50    --------    d-----w-    c:\program files\Driver Support
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-02-27 14:47 . 2012-04-09 14:28    802904    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2017-02-27 14:47 . 2011-06-15 18:27    144472    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2017-02-22 6828448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Malwarebytes TrayApp"="c:\program files\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe" [2017-01-20 2780112]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-2-6 50688]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Monitor Ink Alerts - HP Deskjet 3510 series.lnk]
path=c:\documents and settings\Mark\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3510 series.lnk
backup=c:\windows\pss\Monitor Ink Alerts - HP Deskjet 3510 series.lnkStartup
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\windows\system32\drivers\mbae.sys [3/15/2017 10:07 AM 59968]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [10/10/2013 6:54 PM 143776]
R2 MBAMChameleon;MBAMChameleon;c:\windows\system32\drivers\MBAMChameleon.sys [3/15/2017 10:09 AM 148256]
R2 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\MBAMService.exe [3/15/2017 10:07 AM 3303888]
R3 MBAMProtection;MBAMProtection;c:\windows\system32\drivers\mbam.sys [3/15/2017 10:08 AM 39360]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [3/15/2017 10:08 AM 219584]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ESPROTECTIONDRIVER
*NewlyCreated* - MBAMPROTECTION
*NewlyCreated* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder
.
2017-03-16 c:\windows\Tasks\AdobeAAMUpdater-1.0-MAERTEN-Mark.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-07 08:44]
.
2017-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-10 10:28]
.
2017-03-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-10 10:28]
.
2017-03-16 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-07 01:59]
.
2017-03-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-07 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = Google
mStart Page =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: localhost
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\uc8rem0z.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2017-03-16 11:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_23_0_0_205_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_23_0_0_205_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2017-03-16  11:24:38
ComboFix-quarantined-files.txt  2017-03-16 15:24
ComboFix2.txt  2017-03-15 22:49
.
Pre-Run: 2,138,189,824 bytes free
Post-Run: 2,885,742,592 bytes free
.
- - End Of File - - 0C79A47BABAEB933A0CAF0C3FD9DD202
8F558EB6672622401DA993E1E865C861

 

*********************************************************************************************************************************************************

FRST.exe   SCAN RESULT

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-03-2017
Ran by Mark (administrator) on MAERTEN (23-03-2017 12:19:23)
Running from C:\Documents and Settings\Mark\Desktop
Loaded Profiles: Mark (Available Profiles: Mark & Amy & Serena & Administrator)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\WINDOWS\system32\WLTRYSVC.EXE
(Dell Inc.) C:\WINDOWS\system32\BCMWLTRY.EXE
(Lexmark International, Inc.) C:\WINDOWS\system32\LEXBCES.EXE
(Lexmark International, Inc.) C:\WINDOWS\system32\LEXPPS.EXE
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(SigmaTel, Inc.) C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(Avanquest Software ) C:\Program Files\Digital Line Detect\DLG.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ATICCC] => C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [90112 2006-05-10] ()
HKLM\...\Run: [Dell QuickSet] => C:\Program Files\Dell\QuickSet\quickset.exe [1228800 2007-07-20] (Dell Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] => C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [405504 2007-05-10] (SigmaTel, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1024000 2007-10-26] (Synaptics, Inc.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5ServiceManager] => C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] => C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2006-10-11] (ATI Technologies Inc.)
HKU\S-1-5-21-220523388-1767777339-839522115-1004\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6828448 2017-02-22] (SUPERAntiSpyware)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk [2011-02-06]
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Documents and Settings\Amy\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2012-10-16]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\Amy\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk [2012-11-07]
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe (No File)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{1F24FDA6-AACB-4635-83FB-FDBAF139DD89}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-220523388-1767777339-839522115-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-220523388-1767777339-839522115-1004\Software\Microsoft\Internet Explorer\Main,Start Page = Google
HKU\S-1-5-21-220523388-1767777339-839522115-1004\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "www.google.com" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-220523388-1767777339-839522115-1004 -> DefaultScope {85A60A59-D3D8-468F-B598-FB4393789EF4} URL =
SearchScopes: HKU\S-1-5-21-220523388-1767777339-839522115-1004 -> ToolbarSearchProviderProgress {96bd48dd-741b-41ae-ac4a-aff96ba00f7e}
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2011-05-28] (RealPlayer)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-02-25] (Oracle Corporation)
BHO: Updater For XFIN_PORTAL -> {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} -> No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-25] (Oracle Corporation)
DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/B/0/6/B06D48C0-917B-44E2-92E0-6B3E159624A6/wmv9vcm.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\1uxau8fc.default-1487777992140 [2017-03-23]
FF Extension: (uBlock Origin) - C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\1uxau8fc.default-1487777992140\Extensions\uBlock0@raymondhill.net.xpi [2017-03-13]
FF Extension: (Java Console) - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2017-03-10] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-02-07] [not signed]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: (RealPlayer Browser Record Plugin) - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011-05-28] [not signed]
FF HKLM\...\Firefox\Extensions: [{B18B1E5C-4D81-11E1-9C00-AFEB4824019B}] - C:\Documents and Settings\Mark\Local Settings\Application Data\Sevas-S\YouTube to MP3 Converter\BrowserExtensions\Firefox => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-03-23] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2012-10-31] ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-25] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=12.0.1.652 -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2011-05-28] (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=12.0.1.652 -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2011-05-28] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-20] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-20] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-220523388-1767777339-839522115-1004: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017325.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll [2012-11-25] (Apple Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2011-05-28]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [143776 2017-02-22] (SUPERAntiSpyware.com)
R2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [303104 2003-09-23] (Lexmark International, Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3303888 2017-01-20] (Malwarebytes)
S3 SwitchBoard; C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [1253376 2007-03-16] (Dell Inc.) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AmdK8; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [36864 2006-07-01] (Advanced Micro Devices)
R1 APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc) [File not signed]
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [1287552 2008-10-24] (Broadcom Corporation)
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2004-12-13] (Adaptec, Inc.) [File not signed]
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae.sys [59968 2017-02-24] ()
R3 HSFHWAZL; C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys [211200 2007-08-02] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [989952 2007-08-02] (Conexant Systems, Inc.)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [148256 2017-03-23] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [39360 2017-03-23] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [219584 2017-03-23] (Malwarebytes)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1222840 2007-05-10] (SigmaTel, Inc.)
S3 catchme; \??\C:\DOCUME~1\Mark\LOCALS~1\Temp\catchme.sys [X]
S4 IntelIde; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr; no ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-23 12:19 - 2017-03-23 12:20 - 00015457 _____ C:\Documents and Settings\Mark\Desktop\FRST.txt
2017-03-23 12:18 - 2017-03-23 12:19 - 00000000 ____D C:\FRST
2017-03-23 12:08 - 2017-03-23 12:09 - 01766912 _____ (Farbar) C:\Documents and Settings\Mark\Desktop\FRST.exe
2017-03-23 08:42 - 2017-03-23 08:46 - 00000000 ___SD C:\Documents and Settings\TEMP.MAERTEN
2017-03-23 08:42 - 2017-03-23 08:46 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\Templates(2)
2017-03-23 08:42 - 2017-03-23 08:46 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\Local Settings(2)
2017-03-23 08:42 - 2017-03-23 08:46 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\Application Data(2)
2017-03-23 08:42 - 2017-03-23 08:42 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\Cookies(2)
2017-03-23 08:42 - 2011-02-09 05:55 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\IETldCache(2)
2017-03-23 08:24 - 2017-03-23 08:24 - 00000345 _____ C:\WINDOWS\OEWABLog.txt
2017-03-22 09:35 - 2017-03-22 09:35 - 00090112 _____ C:\WINDOWS\Minidump\Mini032217-01.dmp
2017-03-17 11:08 - 2017-03-17 11:08 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2017-03-17 10:58 - 2017-03-23 08:46 - 00000000 ____D C:\Documents and Settings\Administrator
2017-03-17 10:58 - 2017-03-17 11:30 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2017-03-17 10:58 - 2017-03-17 11:08 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\temp
2017-03-17 10:58 - 2014-03-17 17:06 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Macromedia
2017-03-17 10:58 - 2013-03-08 09:14 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2017-03-17 10:58 - 2011-02-09 05:58 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft Help
2017-03-17 10:58 - 2011-02-09 05:55 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2017-03-17 10:58 - 2011-02-06 21:03 - 00001599 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2017-03-17 10:58 - 2011-02-06 21:03 - 00000792 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2017-03-17 10:58 - 2011-02-06 15:52 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents
2017-03-17 10:56 - 2017-03-23 08:37 - 00343042 _____ C:\WINDOWS\ntbtlog.txt
2017-03-17 10:46 - 2017-03-17 10:46 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\Mark\Desktop\HijackThis.exe
2017-03-17 10:37 - 2017-03-17 10:37 - 00010106 _____ C:\ComboFix.txt
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\TEMP\Local Settings\temp
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\Serena\Local Settings\temp
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\temp
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\Default User\Local Settings\temp
2017-03-17 09:18 - 2017-03-17 09:18 - 00380928 _____ C:\Documents and Settings\Mark\Desktop\6k4gr1q1.exe
2017-03-16 11:24 - 2017-03-16 11:24 - 00000000 ____D C:\Documents and Settings\TEMP
2017-03-16 10:21 - 2017-03-16 10:19 - 05659355 ____R (Swearware) C:\Documents and Settings\Mark\Desktop\ComboFix.exe
2017-03-16 10:16 - 2017-03-17 09:45 - 00000666 _____ C:\Documents and Settings\Mark\Desktop\JRT.txt
2017-03-16 10:08 - 2017-03-16 10:09 - 01663904 _____ (Malwarebytes) C:\Documents and Settings\Mark\Desktop\JRT.exe
2017-03-16 09:52 - 2017-03-23 09:20 - 00000000 ____D C:\AdwCleaner
2017-03-16 09:44 - 2017-03-16 09:44 - 04031440 _____ C:\Documents and Settings\Mark\Desktop\AdwCleaner.exe
2017-03-15 18:23 - 2017-03-17 10:37 - 00000000 ____D C:\Qoobox
2017-03-15 18:23 - 2011-06-26 02:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2017-03-15 18:23 - 2010-11-07 13:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2017-03-15 18:23 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00098816 _____ C:\WINDOWS\sed.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00080412 _____ C:\WINDOWS\grep.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00068096 _____ C:\WINDOWS\zip.exe
2017-03-15 18:22 - 2017-03-17 10:02 - 00000000 ____D C:\WINDOWS\erdnt
2017-03-15 13:48 - 2017-03-15 13:48 - 00046082 _____ C:\Documents and Settings\Amy\My Documents\cc_20170315_134818.reg
2017-03-15 12:45 - 2017-03-15 12:44 - 02030536 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Mark\Desktop\iExplore.exe
2017-03-15 10:09 - 2017-03-23 11:45 - 00148256 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-03-15 10:08 - 2017-03-23 11:45 - 00219584 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-15 10:08 - 2017-03-23 11:45 - 00039360 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-03-15 10:08 - 2017-03-23 08:36 - 00039360 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam(2).sys
2017-03-15 10:07 - 2017-03-15 10:07 - 00001715 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
2017-03-15 10:07 - 2017-03-15 10:07 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-15 10:07 - 2017-03-15 10:07 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes
2017-03-15 10:07 - 2017-02-24 06:23 - 00059968 _____ C:\WINDOWS\system32\Drivers\mbae.sys
2017-03-15 10:00 - 2017-03-23 09:14 - 00003234 _____ C:\Documents and Settings\Mark\Desktop\Rkill.txt
2017-03-15 09:59 - 2017-03-15 10:00 - 02030536 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Mark\Desktop\rkill.exe
2017-03-10 19:18 - 2017-03-20 11:40 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-03-07 16:20 - 2017-03-07 16:20 - 00032832 _____ C:\WINDOWS\system32\rnd_chunk.bin
2017-03-07 16:15 - 2017-03-07 16:50 - 00000000 ____D C:\Program Files\Driver Support
2017-03-06 15:53 - 2017-03-07 00:10 - 01144832 _____ C:\Documents and Settings\Mark\My Documents\receiptsFebruary2017.pub
2017-02-24 10:24 - 2017-02-24 10:24 - 00093985 _____ C:\Documents and Settings\Mark\My Documents\GCMC Inventory.pdf
2017-02-24 10:20 - 2017-02-24 10:26 - 01187840 _____ C:\Documents and Settings\Mark\My Documents\GCMC Inventory.indd

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-23 12:20 - 2011-02-06 21:08 - 00000000 ____D C:\Documents and Settings\Mark\Local Settings\Temp
2017-03-23 11:59 - 2011-03-10 17:30 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2017-03-23 11:49 - 2011-02-06 15:53 - 00641070 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-23 11:46 - 2014-03-08 12:04 - 00000220 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2017-03-23 11:46 - 2011-03-10 17:30 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2017-03-23 11:45 - 2011-02-06 21:07 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-23 09:27 - 2011-02-06 21:20 - 00524288 _____ C:\WINDOWS\system32\config\ACEEvent.evt
2017-03-23 09:27 - 2011-02-06 21:08 - 00000178 ___SH C:\Documents and Settings\Mark\ntuser.ini
2017-03-23 09:27 - 2011-02-06 21:07 - 00032606 _____ C:\WINDOWS\SchedLgU.Txt
2017-03-23 09:08 - 2014-08-22 02:00 - 00000000 ____D C:\Documents and Settings\Mark\Local Settings\Application Data\Adobe
2017-03-23 09:04 - 2012-04-09 10:28 - 00802904 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2017-03-23 09:04 - 2011-06-15 14:27 - 00144472 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2017-03-23 09:04 - 2011-02-06 21:00 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-03-23 08:46 - 2011-03-30 18:40 - 00000000 ____D C:\Documents and Settings\Amy
2017-03-23 08:46 - 2011-02-11 19:12 - 00000000 ____D C:\Documents and Settings\Serena
2017-03-23 08:46 - 2011-02-06 21:08 - 00000000 ____D C:\Documents and Settings\Mark
2017-03-23 08:46 - 2011-02-06 21:07 - 00000000 __SHD C:\Documents and Settings\LocalService
2017-03-23 08:46 - 2011-02-06 21:06 - 00000000 __SHD C:\Documents and Settings\NetworkService
2017-03-23 08:46 - 2011-02-06 20:59 - 00000000 ____D C:\WINDOWS\Registration
2017-03-23 08:42 - 2011-02-06 15:51 - 00000000 ____D C:\Documents and Settings
2017-03-23 02:00 - 2011-06-15 19:45 - 00000340 _____ C:\WINDOWS\Tasks\AdobeAAMUpdater-1.0-MAERTEN-Mark.job
2017-03-22 09:35 - 2013-07-29 16:45 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-03-22 09:35 - 2013-06-07 09:11 - 00000000 ____D C:\WINDOWS\Minidump
2017-03-22 09:35 - 2004-08-04 06:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-03-17 17:02 - 2011-02-06 21:08 - 00000000 ___RD C:\Documents and Settings\Mark\My Documents
2017-03-17 10:35 - 2004-08-04 06:00 - 00000227 _____ C:\WINDOWS\system.ini
2017-03-17 10:03 - 2011-02-06 15:51 - 00065536 _____ C:\WINDOWS\system32\config\SECURITY.bak
2017-03-17 10:03 - 2011-02-06 15:51 - 00028672 _____ C:\WINDOWS\system32\config\SAM.bak
2017-03-17 10:03 - 2011-02-06 15:50 - 42070016 _____ C:\WINDOWS\system32\config\software.bak
2017-03-17 10:03 - 2011-02-06 15:50 - 06815744 _____ C:\WINDOWS\system32\config\system.bak
2017-03-17 10:03 - 2011-02-06 15:50 - 00270336 _____ C:\WINDOWS\system32\config\default.bak
2017-03-16 08:31 - 2011-02-06 21:45 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2017-03-15 18:49 - 2011-02-06 15:51 - 00000000 ____D C:\Documents and Settings\Default User
2017-03-15 18:45 - 2011-02-06 15:51 - 00000000 ____D C:\Documents and Settings\All Users
2017-03-15 13:50 - 2011-03-30 18:40 - 00000178 ___SH C:\Documents and Settings\Amy\ntuser.ini
2017-03-15 13:48 - 2011-03-30 18:40 - 00000000 ___RD C:\Documents and Settings\Amy\My Documents
2017-03-15 13:47 - 2013-08-23 15:13 - 00000000 ____D C:\Documents and Settings\Amy\Local Settings\Temp
2017-03-15 13:45 - 2011-03-30 18:41 - 00077728 _____ C:\Documents and Settings\Amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-03-15 10:07 - 2011-04-05 10:22 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2017-03-08 16:02 - 2014-03-08 12:04 - 00000214 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2017-03-07 16:51 - 2011-04-19 18:04 - 00000000 ____D C:\Documents and Settings\Mark\Application Data\Dropbox
2017-03-07 00:25 - 2016-03-26 22:07 - 00401408 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2017-03-06 14:22 - 2016-12-20 12:18 - 00744960 _____ C:\Documents and Settings\Mark\My Documents\receiptnovemberfuel2016.pub
2017-02-24 09:45 - 2015-07-08 15:46 - 01458176 _____ C:\Documents and Settings\Mark\My Documents\invitationPOP.indd
2017-02-24 08:31 - 2011-05-13 10:28 - 00000260 _____ C:\WINDOWS\lexstat.ini
2017-02-22 11:39 - 2013-07-30 08:20 - 00000000 ____D C:\Documents and Settings\Mark\Desktop\Old Firefox Data
2017-02-22 10:40 - 2014-05-20 15:58 - 00000000 ____D C:\Program Files\SUPERAntiSpyware

==================== Files in the root of some directories =======

2011-05-28 16:35 - 2015-08-21 17:57 - 0000132 _____ () C:\Documents and Settings\Mark\Application Data\Adobe PNG Format CS5 Prefs
2011-09-08 22:43 - 2011-09-08 23:07 - 0024214 _____ () C:\Documents and Settings\Mark\Application Data\Comma Separated Values (Windows).ADR
2011-05-28 16:57 - 2012-04-20 15:56 - 0001456 _____ () C:\Documents and Settings\Mark\Local Settings\Application Data\Adobe Save for Web 12.0 Prefs
2011-02-22 18:16 - 2017-01-07 21:40 - 0130560 _____ () C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-09-30 14:23 - 2011-09-30 14:23 - 0000000 _____ () C:\Documents and Settings\Mark\Local Settings\Application Data\{A56D9013-44D2-4189-A520-865002FE185E}
2012-07-02 10:28 - 2013-05-25 12:29 - 0004171 _____ () C:\Documents and Settings\All Users\lxdd
2014-07-03 09:20 - 2014-07-03 09:20 - 0000057 _____ () C:\Documents and Settings\All Users\Application Data\Ament.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by Mark (23-03-2017 12:21:14)
Running from C:\Documents and Settings\Mark\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) (2011-02-07 01:05:50)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-220523388-1767777339-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Amy (S-1-5-21-220523388-1767777339-839522115-1005 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Amy
ASPNET (S-1-5-21-220523388-1767777339-839522115-1007 - Limited - Enabled)
Guest (S-1-5-21-220523388-1767777339-839522115-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-220523388-1767777339-839522115-1000 - Limited - Disabled)
Mark (S-1-5-21-220523388-1767777339-839522115-1004 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Mark
Serena (S-1-5-21-220523388-1767777339-839522115-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Serena
SUPPORT_388945a0 (S-1-5-21-220523388-1767777339-839522115-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Enabled - Up to date) {D4AC7077-9720-47B0-8B38-DFAF3AA21DB6}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 4.0.0.1390 - Adobe Systems Incorporated)
Adobe Community Help (HKLM\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.0.0.400 - Adobe Systems Incorporated)
Adobe Creative Suite 5 Design Premium (HKLM\...\{A1BC7068-C1BA-410F-8B9A-DB807C803DE2}) (Version: 5.0 - Adobe Systems Incorporated)
Adobe Digital Editions 2.0 (HKLM\...\Adobe Digital Editions 2.0) (Version: 2.0 - Adobe Systems Incorporated)
Adobe Flash Player 23 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 23.0.0.205 - Adobe Systems Incorporated)
Adobe Flash Player 25 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Adobe Media Player (HKLM\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.8 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Alarm Clock v1.0 (HKLM\...\Alarm Clock_is1) (Version:  - Moore Design Lmt.)
AMD Processor Driver (HKLM\...\{C151CE54-E7EA-4804-854B-F515368B0798}) (Version: 1.3.2. - )
ATI - Software Uninstall Utility (HKLM\...\All ATI Software) (Version: 6.14.10.1016 - )
ATI Catalyst Control Center (HKLM\...\{EF40BAC3-372B-46F4-A32D-B37CF4217CE7}) (Version: 1.2.2475.36837 - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.31-061011a-053721C-Dell - )
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom 440x 10/100 Integrated Controller (HKLM\...\{612B9183-67A9-4B44-9877-2F059E35B86A}) (Version: 10.04.02 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 4.07 - Piriform)
Conexant HDA D330 MDC V.92 Modem (HKLM\...\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F) (Version:  - )
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 10.1.2.0 - Synaptics)
Dell Wireless WLAN Card (HKLM\...\Broadcom 802.11b Network Adapter) (Version: 4.100.15.8 - Dell Inc.)
Digital Line Detect (HKLM\...\{E646DCF0-5A68-11D5-B229-002078017FBF}) (Version: 1.21 - BVRP Software, Inc)
Google Earth Plug-in (HKLM\...\{57BB4801-61C8-4E74-9672-2160728A461E}) (Version: 7.1.5.1557 - Google)
Google Talk (remove only) (HKLM\...\{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk) (Version:  - )
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.32.7 - Google Inc.) Hidden
GoToMeeting 5.7.0.1172 (HKU\S-1-5-21-220523388-1767777339-839522115-1004\...\GoToMeeting) (Version: 5.7.0.1172 - CitrixOnline)
GPL Ghostscript 9.00 (HKLM\...\GPL Ghostscript 9.00) (Version:  - )
iTunes (HKLM\...\{B0261E53-B6F1-474A-864B-E7C3CBF468E0}) (Version: 11.0.1.12 - Apple Inc.)
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Java™ 6 Update 22 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216022F0}) (Version: 6.0.220 - Oracle)
Lexmark X6100 Series (HKLM\...\Lexmark X6100 Series) (Version:  - )
LG United Mobile Drivers (HKLM\...\{5DB849D6-9392-4FB7-9ABB-87ED433152E5}) (Version: 3.8.1 - LG Electronics)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (HKLM\...\{90120000-00B2-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Modem Diagnostic Tool (HKLM\...\{F63A3748-B93D-4360-9AD4-B064481A5C7B}) (Version: 1.0.20.0 - Dell)
Mozilla Firefox 52.0.1 ESR (x86 en-US) (HKLM\...\Mozilla Firefox 52.0.1 ESR (x86 en-US)) (Version: 52.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.0.1.6284 - Mozilla)
MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
OpenOffice 4.0.1 (HKLM\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
PDF Settings CS5 (Version: 10.0 - Adobe Systems Incorporated) Hidden
QuickSet (HKLM\...\{C5074CC4-0E26-4716-A307-960272A90040}) (Version: 8.3.11 - Dell Computer Corporation)
SigmaTel Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 5.10.5210.0 - SigmaTel)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.7.1018 - SUPERAntiSpyware.com)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Driver Package - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04) (HKLM\...\4569969E1360D2854474C661EF9B4D54F143EB16) (Version: 11/14/2006 6.00.01.04 - Ricoh Company)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{0507EEDE-3AE7-49c7-BF37-0EB4A62D8638}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{33b07fd4-5917-43e1-968d-4c79231836bf}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{795B06EA-58E8-482C-AF11-A7E4E34DA16F}\InprocServer32 -> C:\Documents and Settings\Mark\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{7A162288-DE78-473C-A6BA-23FF17F768E9}\InprocServer32 -> C:\Documents and Settings\Mark\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{8CC82228-2200-4D22-9859-B762582F6D31}\InprocServer32 -> C:\Documents and Settings\Mark\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{A8F086C3-2497-4229-82FE-586F2D326F95}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{d33f3ced-d7d5-44f1-a9fe-6927dabb1934}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{E169D2B5-9411-47B9-A473-345A3FB57090}\InprocServer32 -> C:\Documents and Settings\Mark\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\AdobeAAMUpdater-1.0-MAERTEN-Mark.job => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Sevas-S\Official Home Page.lnk -> hxxp://www.youtube-to-mp3-converter.org

==================== Loaded Modules (Whitelisted) ==============

2011-02-06 21:28 - 2007-03-16 19:10 - 00020480 _____ () C:\WINDOWS\System32\WLTRYSVC.EXE
2011-02-06 21:28 - 2007-03-16 19:10 - 00757760 _____ () C:\WINDOWS\System32\bcm1xsup.dll
2011-05-13 10:27 - 2003-07-21 10:13 - 00078336 _____ () C:\WINDOWS\System32\spool\PRTPROCS\W32X86\LXBFPP5C.dll
2011-05-13 10:27 - 2002-12-16 16:00 - 00049152 _____ () C:\Program Files\Lexmark X6100 Series\ConvDIB.dll
2017-03-15 10:07 - 2017-02-24 06:23 - 01732896 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2011-02-06 21:23 - 2005-10-13 14:53 - 00090223 _____ () C:\Program Files\Dell\QuickSet\preflibcl.dll
2011-02-06 21:28 - 2007-03-16 19:10 - 00086016 _____ () C:\WINDOWS\system32\preflib.dll
2011-02-06 21:23 - 2007-07-20 17:56 - 00098304 _____ () C:\Program Files\Dell\QuickSet\dadkeyb.dll
2004-08-04 06:00 - 2013-01-02 02:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-220523388-1767777339-839522115-1004\...\localhost -> localhost

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 06:00 - 2017-03-17 10:34 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-220523388-1767777339-839522115-1004\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 75.75.75.75 - 75.75.76.76
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Monitor Ink Alerts - HP Deskjet 3510 series.lnk => C:\WINDOWS\pss\Monitor Ink Alerts - HP Deskjet 3510 series.lnkStartup

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\Program Files\Lexmark 2500 Series\app4r.exe] => C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Printing Application
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE] => Enabled:Microsoft Office Outlook
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\GROOVE.EXE] => Enabled:Microsoft Office Groove
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE] => Enabled:Microsoft Office OneNote
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Google Earth\plugin\geplugin.exe] => Enabled:Google Earth
StandardProfile\AuthorizedApplications: [C:\Program Files\Bonjour\mDNSResponder.exe] => Enabled:Bonjour Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Google Talk\googletalk.exe] => Enabled:Google Talk
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\LEXPPS.EXE] => Disabled:LEXPPS.EXE
StandardProfile\AuthorizedApplications: [C:\Program Files\iTunes\iTunes.exe] => Enabled:iTunes
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22008

==================== Restore Points =========================

03-03-2017 07:31:02 System Checkpoint
04-03-2017 07:52:58 System Checkpoint
05-03-2017 07:53:15 System Checkpoint
06-03-2017 08:54:13 System Checkpoint
07-03-2017 16:49:35 System Checkpoint
08-03-2017 18:18:56 System Checkpoint
09-03-2017 19:04:29 System Checkpoint
10-03-2017 20:04:34 System Checkpoint
11-03-2017 21:06:22 System Checkpoint
12-03-2017 22:04:09 System Checkpoint
13-03-2017 22:04:46 System Checkpoint
14-03-2017 22:05:30 System Checkpoint
16-03-2017 08:17:36 Software Distribution Service 3.0
16-03-2017 08:34:26 Restore Operation
16-03-2017 10:14:39 JRT Pre-Junkware Removal
17-03-2017 09:44:16 JRT Pre-Junkware Removal
18-03-2017 10:33:16 System Checkpoint
19-03-2017 11:32:05 System Checkpoint
20-03-2017 11:44:25 System Checkpoint
22-03-2017 11:14:13 System Checkpoint
23-03-2017 08:43:06 Restore Operation
23-03-2017 08:44:59 Restore Operation

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/23/2017 12:20:13 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (03/23/2017 12:20:13 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (03/23/2017 08:42:40 AM) (Source: Userenv) (EventID: 1511) (User: MAERTEN)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (03/23/2017 08:42:39 AM) (Source: Userenv) (EventID: 1515) (User: MAERTEN)
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.

Error: (03/23/2017 08:42:39 AM) (Source: Userenv) (EventID: 1502) (User: MAERTEN)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.


DETAIL - The process cannot access the file because it is being used by another process.

Error: (03/23/2017 08:42:25 AM) (Source: Userenv) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.


DETAIL - The process cannot access the file because it is being used by another process.  for C:\Documents and Settings\Mark\ntuser.dat

Error: (03/23/2017 08:23:51 AM) (Source: Userenv) (EventID: 1511) (User: MAERTEN)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (03/23/2017 08:23:50 AM) (Source: Userenv) (EventID: 1515) (User: MAERTEN)
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.

Error: (03/23/2017 08:23:50 AM) (Source: Userenv) (EventID: 1502) (User: MAERTEN)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.


DETAIL - The process cannot access the file because it is being used by another process.

Error: (03/23/2017 08:23:40 AM) (Source: Userenv) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.


DETAIL - The process cannot access the file because it is being used by another process.  for C:\Documents and Settings\Mark\ntuser.dat


System errors:
=============
Error: (03/23/2017 12:10:57 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the SENS service.

Error: (03/23/2017 11:51:02 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.

Error: (03/23/2017 09:13:12 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Dell Wireless WLAN Tray Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/23/2017 09:02:41 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.

Error: (03/23/2017 08:52:42 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the SENS service.

Error: (03/23/2017 08:39:39 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (03/23/2017 08:36:24 AM) (Source: DCOM) (EventID: 10005) (User: MAERTEN)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error: (03/23/2017 08:35:28 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (03/23/2017 08:35:13 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
AmdK8
APPDRV
ESProtectionDriver
Fips
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip
WS2IFSL

Error: (03/23/2017 08:35:13 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.


==================== Memory info ===========================

Processor: AMD Athlon™ 64 X2 Dual-Core Processor TK-57
Percentage of memory in use: 86%
Total physical RAM: 893.97 MB
Available physical RAM: 118.03 MB
Total Virtual: 2165.66 MB
Available Virtual: 1269.14 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:87.89 GB) (Free:2.71 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:61.15 GB) (Free:46.61 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: 4630462F)
Partition 1: (Active) - (Size=87.9 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=61.2 GB) - (Type=OF Extended)

==================== End of Addition.txt ============================


#2 Oh My!

  • Malware Response Instructor
  • 37,995 posts
  • Location:California

Posted 25 March 2017 - 01:50 PM

Greetings Satelllite and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply button instead.
  • In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

This issue is most likely related to the insufficient amount of memory on the computer.
 

==================== Memory info ===========================

Processor: AMD Athlon 64 X2 Dual-Core Processor TK-57
Percentage of memory in use: 86%
Total physical RAM: 893.97 MB
Available physical RAM: 118.03 MB
Total Virtual: 2165.66 MB
Available Virtual: 1269.14 MB


Error: (03/23/2017 08:23:40 AM) (Source: Userenv) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.


How does your computer behave in Safe Mode?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
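Gary's diagnosis above rests on reading two parts of Addition.txt together: the Memory info block and the Userenv 1508 entry. The triage helper below is an added example, not code from this thread or from FRST; it parses those FRST log entries from a constructed excerpt of the log posted above, discards the DCOM 10005 "cannot be started in Safe Mode" entries that are expected while booted in Safe Mode, and reports the memory-pressure, driver-load and profile-load findings a responder would want to see first. The 15% free-memory threshold and all function names are assumptions.

```python
"""FRST Addition.txt triage helper (added example, not part of this thread or
of FRST). It parses the 'Error:' entries and the 'Memory info' block Gary
quotes and reports defender-side findings. Thresholds and names are assumed."""
import re
from dataclasses import dataclass, field

# "Error: (date) (Source: X) (EventID: N) (User: U)" as FRST prints it
EVENT_RE = re.compile(
    r"^Error: \((?P<when>[^)]*)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<id>\d+)\) \(User: (?P<user>[^)]*)\)$"
)
# "Total physical RAM: 893.97 MB" or "Percentage of memory in use: 86%"
MEM_RE = re.compile(r"^(?P<key>[^:]+): (?P<num>[\d.]+) ?(?P<unit>%|MB)$")
# DCOM 10005 with this text is expected in Safe Mode: noise, not tampering.
SAFE_MODE_NOISE = "cannot be started in Safe Mode"


@dataclass
class Event:
    when: str
    source: str
    event_id: int
    user: str
    description: str = ""
    extra: list = field(default_factory=list)  # continuation lines


def parse_addition(text):
    """Return (events, memory); memory maps the FRST label to a float."""
    events, memory = [], {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = EVENT_RE.match(line)
        if m:
            current = Event(m["when"], m["source"], int(m["id"]), m["user"])
            events.append(current)
            continue
        if not line:  # a blank line closes an event block
            current = None
            continue
        if current is not None:
            if line.startswith("Description: "):
                current.description = line[len("Description: "):]
            else:
                current.extra.append(line)  # e.g. driver names after 7026
            continue
        m = MEM_RE.match(line)
        if m:
            memory[m["key"].strip()] = float(m["num"])
    return events, memory


def triage(events, memory, low_mem_pct=15.0):
    """Turn parsed data into findings; low_mem_pct is an assumed threshold."""
    findings = []
    total = memory.get("Total physical RAM")
    avail = memory.get("Available physical RAM")
    if total and avail is not None:
        free_pct = 100.0 * avail / total
        if free_pct < low_mem_pct:
            findings.append(f"memory pressure: {avail:.0f} MB of "
                            f"{total:.0f} MB free ({free_pct:.0f}%)")
    for ev in events:
        if (ev.source == "DCOM" and ev.event_id == 10005
                and SAFE_MODE_NOISE in ev.description):
            continue
        if ev.source == "Service Control Manager" and ev.event_id == 7026:
            # Read against the boot mode: plain Safe Mode does not load the
            # TCP/IP stack, so Tcpip/AFD/NetBT in this list is expected there.
            findings.append("drivers failed to load: " + ", ".join(ev.extra))
        elif ev.source == "Userenv" and ev.event_id == 1508:
            # The thread's symptom: the profile hive did not load, which
            # Windows itself attributes to memory or rights.
            findings.append(f"profile hive failed to load at {ev.when} "
                            f"(Userenv {ev.event_id})")
    return findings


# Constructed excerpt of the Addition.txt entries quoted above.
SAMPLE = """\
Error: (03/23/2017 08:39:39 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""

Error: (03/23/2017 08:35:13 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Tcpip
WS2IFSL

Error: (03/23/2017 08:23:40 AM) (Source: Userenv) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.

Percentage of memory in use: 86%
Total physical RAM: 893.97 MB
Available physical RAM: 118.03 MB
"""


def run_sample():
    """Parse the constructed excerpt and return its findings."""
    return triage(*parse_addition(SAMPLE))
```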

#3 Satelllite

  • Topic Starter
  • Members
  • 13 posts

Posted 25 March 2017 - 02:18 PM

Thanks so much for your help, Gary. I just started the system in safe mode and it is still really sluggish, though the cursor seems to fly. I partitioned this hard drive a while ago; I wonder if that needs to be undone, since my C drive is smaller than D. Definitely slow no matter what I do. Feels like I have to constantly flush the cache every 10 minutes.

#4 Satelllite

  • Topic Starter
  • Members
  • 13 posts

Posted 25 March 2017 - 02:23 PM

I just went back to start in regular mode, and my personal profile would not load. It brought me to a stripped-down desktop, almost as if I am a new user.

#5 Oh My!

  • Malware Response Instructor
  • 37,995 posts
  • Location:California

Posted 25 March 2017 - 02:38 PM

Thanks for the info.

Please run a FRST scan in Safe Mode and post both logs.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 Satelllite

  • Topic Starter
  • Members
  • 13 posts

Posted 25 March 2017 - 04:17 PM

Here are the two logs from safe mode. A couple of things to point out: I restarted the system and was able to go back into my normal profile in both safe mode and regular mode. Restarting again, I received a blue screen Multiple_IRP_Complete_Requests error. I took a photo using my iPad. I have received this message the last few times I go to power down, but not every time. Strange. I can include the image if you would like. But the second time I restarted, it would not load my normal profile.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-03-2017
Ran by Mark (administrator) on MAERTEN (25-03-2017 16:23:07)
Running from C:\Documents and Settings\Mark\Desktop
Loaded Profiles: Mark (Available Profiles: Mark & Amy & Serena & Administrator)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ATICCC] => C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [90112 2006-05-10] ()
HKLM\...\Run: [Dell QuickSet] => C:\Program Files\Dell\QuickSet\quickset.exe [1228800 2007-07-20] (Dell Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] => C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [405504 2007-05-10] (SigmaTel, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1024000 2007-10-26] (Synaptics, Inc.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5ServiceManager] => C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [SwitchBoard] => C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2006-10-11] (ATI Technologies Inc.)
HKU\S-1-5-21-220523388-1767777339-839522115-1004\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6828448 2017-02-22] (SUPERAntiSpyware)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk [2011-02-06]
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Documents and Settings\Amy\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2012-10-16]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\Amy\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk [2012-11-07]
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe (No File)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{1F24FDA6-AACB-4635-83FB-FDBAF139DD89}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-220523388-1767777339-839522115-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-220523388-1767777339-839522115-1004\Software\Microsoft\Internet Explorer\Main,Start Page = Google
HKU\S-1-5-21-220523388-1767777339-839522115-1004\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "www.google.com" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-220523388-1767777339-839522115-1004 -> DefaultScope {85A60A59-D3D8-468F-B598-FB4393789EF4} URL =
SearchScopes: HKU\S-1-5-21-220523388-1767777339-839522115-1004 -> ToolbarSearchProviderProgress {96bd48dd-741b-41ae-ac4a-aff96ba00f7e}
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2011-05-28] (RealPlayer)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-02-25] (Oracle Corporation)
BHO: Updater For XFIN_PORTAL -> {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} -> No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-02-25] (Oracle Corporation)
DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/B/0/6/B06D48C0-917B-44E2-92E0-6B3E159624A6/wmv9vcm.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\1uxau8fc.default-1487777992140 [2017-03-25]
FF Extension: (uBlock Origin) - C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\1uxau8fc.default-1487777992140\Extensions\uBlock0@raymondhill.net.xpi [2017-03-13]
FF Extension: (Java Console) - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2017-03-10] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-02-07] [not signed]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: (RealPlayer Browser Record Plugin) - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011-05-28] [not signed]
FF HKLM\...\Firefox\Extensions: [{B18B1E5C-4D81-11E1-9C00-AFEB4824019B}] - C:\Documents and Settings\Mark\Local Settings\Application Data\Sevas-S\YouTube to MP3 Converter\BrowserExtensions\Firefox => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-03-23] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2012-10-31] ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-25] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=12.0.1.652 -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2011-05-28] (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=12.0.1.652 -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2011-05-28] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-20] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-20] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-220523388-1767777339-839522115-1004: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017325.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll [2012-11-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll [2012-11-25] (Apple Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2011-05-28]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [143776 2017-02-22] (SUPERAntiSpyware.com)
S2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [303104 2003-09-23] (Lexmark International, Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3303888 2017-01-20] (Malwarebytes)
S3 SwitchBoard; C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [1253376 2007-03-16] (Dell Inc.) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 AmdK8; C:\WINDOWS\System32\DRIVERS\AmdK8.sys [36864 2006-07-01] (Advanced Micro Devices)
S1 APPDRV; C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc) [File not signed]
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [1287552 2008-10-24] (Broadcom Corporation)
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2004-12-13] (Adaptec, Inc.) [File not signed]
S1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae.sys [59968 2017-02-24] ()
S3 HSFHWAZL; C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys [211200 2007-08-02] (Conexant Systems, Inc.)
S3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [989952 2007-08-02] (Conexant Systems, Inc.)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [148256 2017-03-25] (Malwarebytes)
S3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [39360 2017-03-25] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [219584 2017-03-25] (Malwarebytes)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1222840 2007-05-10] (SigmaTel, Inc.)
S3 catchme; \??\C:\DOCUME~1\Mark\LOCALS~1\Temp\catchme.sys [X]
S4 IntelIde; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr; no ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-25 16:23 - 2017-03-25 16:23 - 00014439 _____ C:\Documents and Settings\Mark\Desktop\FRST.txt
2017-03-23 12:21 - 2017-03-23 12:22 - 00024343 _____ C:\Documents and Settings\Mark\Desktop\Addition.txt
2017-03-23 12:18 - 2017-03-25 16:23 - 00000000 ____D C:\FRST
2017-03-23 12:08 - 2017-03-23 12:09 - 01766912 _____ (Farbar) C:\Documents and Settings\Mark\Desktop\FRST.exe
2017-03-23 08:42 - 2017-03-23 08:46 - 00000000 ___SD C:\Documents and Settings\TEMP.MAERTEN
2017-03-23 08:42 - 2017-03-23 08:46 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\Templates(2)
2017-03-23 08:42 - 2017-03-23 08:46 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\Local Settings(2)
2017-03-23 08:42 - 2017-03-23 08:46 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\Application Data(2)
2017-03-23 08:42 - 2017-03-23 08:42 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\Cookies(2)
2017-03-23 08:42 - 2011-02-09 05:55 - 00000000 ____D C:\Documents and Settings\TEMP.MAERTEN\IETldCache(2)
2017-03-23 08:24 - 2017-03-25 15:21 - 00000690 _____ C:\WINDOWS\OEWABLog.txt
2017-03-22 09:35 - 2017-03-22 09:35 - 00090112 _____ C:\WINDOWS\Minidump\Mini032217-01.dmp
2017-03-17 11:08 - 2017-03-17 11:08 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2017-03-17 10:58 - 2017-03-23 08:46 - 00000000 ____D C:\Documents and Settings\Administrator
2017-03-17 10:58 - 2017-03-17 11:30 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2017-03-17 10:58 - 2017-03-17 11:08 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\temp
2017-03-17 10:58 - 2014-03-17 17:06 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Macromedia
2017-03-17 10:58 - 2013-03-08 09:14 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\TuneUp Software
2017-03-17 10:58 - 2011-02-09 05:58 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft Help
2017-03-17 10:58 - 2011-02-09 05:55 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2017-03-17 10:58 - 2011-02-06 21:03 - 00001599 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2017-03-17 10:58 - 2011-02-06 21:03 - 00000792 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2017-03-17 10:58 - 2011-02-06 15:52 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents
2017-03-17 10:56 - 2017-03-25 16:20 - 00529138 _____ C:\WINDOWS\ntbtlog.txt
2017-03-17 10:46 - 2017-03-17 10:46 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\Mark\Desktop\HijackThis.exe
2017-03-17 10:37 - 2017-03-17 10:37 - 00010106 _____ C:\ComboFix.txt
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\TEMP\Local Settings\temp
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\Serena\Local Settings\temp
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\temp
2017-03-17 10:37 - 2017-03-17 10:37 - 00000000 ____D C:\Documents and Settings\Default User\Local Settings\temp
2017-03-17 09:18 - 2017-03-17 09:18 - 00380928 _____ C:\Documents and Settings\Mark\Desktop\6k4gr1q1.exe
2017-03-16 11:24 - 2017-03-16 11:24 - 00000000 ____D C:\Documents and Settings\TEMP
2017-03-16 10:21 - 2017-03-16 10:19 - 05659355 ____R (Swearware) C:\Documents and Settings\Mark\Desktop\ComboFix.exe
2017-03-16 10:16 - 2017-03-17 09:45 - 00000666 _____ C:\Documents and Settings\Mark\Desktop\JRT.txt
2017-03-16 10:08 - 2017-03-16 10:09 - 01663904 _____ (Malwarebytes) C:\Documents and Settings\Mark\Desktop\JRT.exe
2017-03-16 09:52 - 2017-03-23 09:20 - 00000000 ____D C:\AdwCleaner
2017-03-16 09:44 - 2017-03-16 09:44 - 04031440 _____ C:\Documents and Settings\Mark\Desktop\AdwCleaner.exe
2017-03-15 18:23 - 2017-03-17 10:37 - 00000000 ____D C:\Qoobox
2017-03-15 18:23 - 2011-06-26 02:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2017-03-15 18:23 - 2010-11-07 13:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2017-03-15 18:23 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00098816 _____ C:\WINDOWS\sed.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00080412 _____ C:\WINDOWS\grep.exe
2017-03-15 18:23 - 2000-08-30 20:00 - 00068096 _____ C:\WINDOWS\zip.exe
2017-03-15 18:22 - 2017-03-17 10:02 - 00000000 ____D C:\WINDOWS\erdnt
2017-03-15 13:48 - 2017-03-15 13:48 - 00046082 _____ C:\Documents and Settings\Amy\My Documents\cc_20170315_134818.reg
2017-03-15 12:45 - 2017-03-15 12:44 - 02030536 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Mark\Desktop\iExplore.exe
2017-03-15 10:09 - 2017-03-25 15:11 - 00148256 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-03-15 10:08 - 2017-03-25 16:21 - 00039360 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-03-15 10:08 - 2017-03-25 16:20 - 00219584 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-15 10:08 - 2017-03-23 08:36 - 00039360 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam(2).sys
2017-03-15 10:07 - 2017-03-15 10:07 - 00001715 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
2017-03-15 10:07 - 2017-03-15 10:07 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-15 10:07 - 2017-03-15 10:07 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes
2017-03-15 10:07 - 2017-02-24 06:23 - 00059968 _____ C:\WINDOWS\system32\Drivers\mbae.sys
2017-03-15 10:00 - 2017-03-23 09:14 - 00003234 _____ C:\Documents and Settings\Mark\Desktop\Rkill.txt
2017-03-15 09:59 - 2017-03-15 10:00 - 02030536 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Mark\Desktop\rkill.exe
2017-03-10 19:18 - 2017-03-20 11:40 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-03-07 16:20 - 2017-03-07 16:20 - 00032832 _____ C:\WINDOWS\system32\rnd_chunk.bin
2017-03-07 16:15 - 2017-03-07 16:50 - 00000000 ____D C:\Program Files\Driver Support
2017-03-06 15:53 - 2017-03-07 00:10 - 01144832 _____ C:\Documents and Settings\Mark\My Documents\receiptsFebruary2017.pub
2017-02-24 10:24 - 2017-02-24 10:24 - 00093985 _____ C:\Documents and Settings\Mark\My Documents\GCMC Inventory.pdf
2017-02-24 10:20 - 2017-02-24 10:26 - 01187840 _____ C:\Documents and Settings\Mark\My Documents\GCMC Inventory.indd

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-25 16:23 - 2011-02-06 21:08 - 00000000 ____D C:\Documents and Settings\Mark\Local Settings\Temp
2017-03-25 16:23 - 2011-02-06 15:53 - 00641070 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-25 16:22 - 2014-05-21 08:24 - 00000000 ____D C:\Documents and Settings\Mark\Desktop\mbar
2017-03-25 16:16 - 2011-02-06 21:20 - 00524288 _____ C:\WINDOWS\system32\config\ACEEvent.evt
2017-03-25 16:16 - 2011-02-06 21:08 - 00000178 ___SH C:\Documents and Settings\Mark\ntuser.ini
2017-03-25 16:16 - 2011-02-06 21:08 - 00000000 ____D C:\Documents and Settings\Mark
2017-03-25 16:16 - 2011-02-06 21:07 - 00032618 _____ C:\WINDOWS\SchedLgU.Txt
2017-03-25 16:16 - 2011-02-06 21:07 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-25 16:11 - 2014-05-20 15:58 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2017-03-25 16:09 - 2014-03-08 12:04 - 00000220 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2017-03-25 16:09 - 2011-03-10 17:30 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2017-03-25 15:21 - 2011-02-06 15:51 - 00000000 ____D C:\Documents and Settings
2017-03-25 14:59 - 2011-03-10 17:30 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2017-03-24 02:00 - 2011-06-15 19:45 - 00000340 _____ C:\WINDOWS\Tasks\AdobeAAMUpdater-1.0-MAERTEN-Mark.job
2017-03-23 09:08 - 2014-08-22 02:00 - 00000000 ____D C:\Documents and Settings\Mark\Local Settings\Application Data\Adobe
2017-03-23 09:04 - 2012-04-09 10:28 - 00802904 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2017-03-23 09:04 - 2011-06-15 14:27 - 00144472 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2017-03-23 09:04 - 2011-02-06 21:00 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-03-23 08:46 - 2011-03-30 18:40 - 00000000 ____D C:\Documents and Settings\Amy
2017-03-23 08:46 - 2011-02-11 19:12 - 00000000 ____D C:\Documents and Settings\Serena
2017-03-23 08:46 - 2011-02-06 21:07 - 00000000 __SHD C:\Documents and Settings\LocalService
2017-03-23 08:46 - 2011-02-06 21:06 - 00000000 __SHD C:\Documents and Settings\NetworkService
2017-03-23 08:46 - 2011-02-06 20:59 - 00000000 ____D C:\WINDOWS\Registration
2017-03-22 09:35 - 2013-07-29 16:45 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-03-22 09:35 - 2013-06-07 09:11 - 00000000 ____D C:\WINDOWS\Minidump
2017-03-22 09:35 - 2004-08-04 06:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-03-17 17:02 - 2011-02-06 21:08 - 00000000 ___RD C:\Documents and Settings\Mark\My Documents
2017-03-17 10:35 - 2004-08-04 06:00 - 00000227 _____ C:\WINDOWS\system.ini
2017-03-17 10:03 - 2011-02-06 15:51 - 00065536 _____ C:\WINDOWS\system32\config\SECURITY.bak
2017-03-17 10:03 - 2011-02-06 15:51 - 00028672 _____ C:\WINDOWS\system32\config\SAM.bak
2017-03-17 10:03 - 2011-02-06 15:50 - 42070016 _____ C:\WINDOWS\system32\config\software.bak
2017-03-17 10:03 - 2011-02-06 15:50 - 06815744 _____ C:\WINDOWS\system32\config\system.bak
2017-03-17 10:03 - 2011-02-06 15:50 - 00270336 _____ C:\WINDOWS\system32\config\default.bak
2017-03-16 08:31 - 2011-02-06 21:45 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2017-03-15 18:49 - 2011-02-06 15:51 - 00000000 ____D C:\Documents and Settings\Default User
2017-03-15 18:45 - 2011-02-06 15:51 - 00000000 ____D C:\Documents and Settings\All Users
2017-03-15 13:50 - 2011-03-30 18:40 - 00000178 ___SH C:\Documents and Settings\Amy\ntuser.ini
2017-03-15 13:48 - 2011-03-30 18:40 - 00000000 ___RD C:\Documents and Settings\Amy\My Documents
2017-03-15 13:47 - 2013-08-23 15:13 - 00000000 ____D C:\Documents and Settings\Amy\Local Settings\Temp
2017-03-15 13:45 - 2011-03-30 18:41 - 00077728 _____ C:\Documents and Settings\Amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-03-15 10:07 - 2011-04-05 10:22 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2017-03-08 16:02 - 2014-03-08 12:04 - 00000214 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2017-03-07 16:51 - 2011-04-19 18:04 - 00000000 ____D C:\Documents and Settings\Mark\Application Data\Dropbox
2017-03-07 00:25 - 2016-03-26 22:07 - 00401408 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2017-03-06 14:22 - 2016-12-20 12:18 - 00744960 _____ C:\Documents and Settings\Mark\My Documents\receiptnovemberfuel2016.pub
2017-02-24 09:45 - 2015-07-08 15:46 - 01458176 _____ C:\Documents and Settings\Mark\My Documents\invitationPOP.indd
2017-02-24 08:31 - 2011-05-13 10:28 - 00000260 _____ C:\WINDOWS\lexstat.ini

==================== Files in the root of some directories =======

2011-05-28 16:35 - 2015-08-21 17:57 - 0000132 _____ () C:\Documents and Settings\Mark\Application Data\Adobe PNG Format CS5 Prefs
2011-09-08 22:43 - 2011-09-08 23:07 - 0024214 _____ () C:\Documents and Settings\Mark\Application Data\Comma Separated Values (Windows).ADR
2011-05-28 16:57 - 2012-04-20 15:56 - 0001456 _____ () C:\Documents and Settings\Mark\Local Settings\Application Data\Adobe Save for Web 12.0 Prefs
2011-02-22 18:16 - 2017-01-07 21:40 - 0130560 _____ () C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-09-30 14:23 - 2011-09-30 14:23 - 0000000 _____ () C:\Documents and Settings\Mark\Local Settings\Application Data\{A56D9013-44D2-4189-A520-865002FE185E}
2012-07-02 10:28 - 2013-05-25 12:29 - 0004171 _____ () C:\Documents and Settings\All Users\lxdd
2014-07-03 09:20 - 2014-07-03 09:20 - 0000057 _____ () C:\Documents and Settings\All Users\Application Data\Ament.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by Mark (25-03-2017 16:25:13)
Running from C:\Documents and Settings\Mark\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) (2011-02-07 01:05:50)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-220523388-1767777339-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Amy (S-1-5-21-220523388-1767777339-839522115-1005 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Amy
ASPNET (S-1-5-21-220523388-1767777339-839522115-1007 - Limited - Enabled)
Guest (S-1-5-21-220523388-1767777339-839522115-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-220523388-1767777339-839522115-1000 - Limited - Disabled)
Mark (S-1-5-21-220523388-1767777339-839522115-1004 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Mark
Serena (S-1-5-21-220523388-1767777339-839522115-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Serena
SUPPORT_388945a0 (S-1-5-21-220523388-1767777339-839522115-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Enabled - Up to date) {D4AC7077-9720-47B0-8B38-DFAF3AA21DB6}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 4.0.0.1390 - Adobe Systems Incorporated)
Adobe Community Help (HKLM\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.0.0.400 - Adobe Systems Incorporated)
Adobe Creative Suite 5 Design Premium (HKLM\...\{A1BC7068-C1BA-410F-8B9A-DB807C803DE2}) (Version: 5.0 - Adobe Systems Incorporated)
Adobe Digital Editions 2.0 (HKLM\...\Adobe Digital Editions 2.0) (Version: 2.0 - Adobe Systems Incorporated)
Adobe Flash Player 23 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 23.0.0.205 - Adobe Systems Incorporated)
Adobe Flash Player 25 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Adobe Media Player (HKLM\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.8 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Alarm Clock v1.0 (HKLM\...\Alarm Clock_is1) (Version:  - Moore Design Lmt.)
AMD Processor Driver (HKLM\...\{C151CE54-E7EA-4804-854B-F515368B0798}) (Version: 1.3.2. - )
ATI - Software Uninstall Utility (HKLM\...\All ATI Software) (Version: 6.14.10.1016 - )
ATI Catalyst Control Center (HKLM\...\{EF40BAC3-372B-46F4-A32D-B37CF4217CE7}) (Version: 1.2.2475.36837 - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.31-061011a-053721C-Dell - )
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom 440x 10/100 Integrated Controller (HKLM\...\{612B9183-67A9-4B44-9877-2F059E35B86A}) (Version: 10.04.02 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 4.07 - Piriform)
Conexant HDA D330 MDC V.92 Modem (HKLM\...\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F) (Version:  - )
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 10.1.2.0 - Synaptics)
Dell Wireless WLAN Card (HKLM\...\Broadcom 802.11b Network Adapter) (Version: 4.100.15.8 - Dell Inc.)
Digital Line Detect (HKLM\...\{E646DCF0-5A68-11D5-B229-002078017FBF}) (Version: 1.21 - BVRP Software, Inc)
Google Earth Plug-in (HKLM\...\{57BB4801-61C8-4E74-9672-2160728A461E}) (Version: 7.1.5.1557 - Google)
Google Talk (remove only) (HKLM\...\{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk) (Version:  - )
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.32.7 - Google Inc.) Hidden
GoToMeeting 5.7.0.1172 (HKU\S-1-5-21-220523388-1767777339-839522115-1004\...\GoToMeeting) (Version: 5.7.0.1172 - CitrixOnline)
GPL Ghostscript 9.00 (HKLM\...\GPL Ghostscript 9.00) (Version:  - )
iTunes (HKLM\...\{B0261E53-B6F1-474A-864B-E7C3CBF468E0}) (Version: 11.0.1.12 - Apple Inc.)
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Java™ 6 Update 22 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216022F0}) (Version: 6.0.220 - Oracle)
Lexmark X6100 Series (HKLM\...\Lexmark X6100 Series) (Version:  - )
LG United Mobile Drivers (HKLM\...\{5DB849D6-9392-4FB7-9ABB-87ED433152E5}) (Version: 3.8.1 - LG Electronics)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (HKLM\...\{90120000-00B2-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Modem Diagnostic Tool (HKLM\...\{F63A3748-B93D-4360-9AD4-B064481A5C7B}) (Version: 1.0.20.0 - Dell)
Mozilla Firefox 52.0.1 ESR (x86 en-US) (HKLM\...\Mozilla Firefox 52.0.1 ESR (x86 en-US)) (Version: 52.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.0.1.6284 - Mozilla)
MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
OpenOffice 4.0.1 (HKLM\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
PDF Settings CS5 (Version: 10.0 - Adobe Systems Incorporated) Hidden
QuickSet (HKLM\...\{C5074CC4-0E26-4716-A307-960272A90040}) (Version: 8.3.11 - Dell Computer Corporation)
SigmaTel Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 5.10.5210.0 - SigmaTel)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.7.1018 - SUPERAntiSpyware.com)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Driver Package - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04) (HKLM\...\4569969E1360D2854474C661EF9B4D54F143EB16) (Version: 11/14/2006 6.00.01.04 - Ricoh Company)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{0507EEDE-3AE7-49c7-BF37-0EB4A62D8638}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{33b07fd4-5917-43e1-968d-4c79231836bf}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{795B06EA-58E8-482C-AF11-A7E4E34DA16F}\InprocServer32 -> C:\Documents and Settings\Mark\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{7A162288-DE78-473C-A6BA-23FF17F768E9}\InprocServer32 -> C:\Documents and Settings\Mark\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{8CC82228-2200-4D22-9859-B762582F6D31}\InprocServer32 -> C:\Documents and Settings\Mark\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{A8F086C3-2497-4229-82FE-586F2D326F95}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{d33f3ced-d7d5-44f1-a9fe-6927dabb1934}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-220523388-1767777339-839522115-1004_Classes\CLSID\{E169D2B5-9411-47B9-A473-345A3FB57090}\InprocServer32 -> C:\Documents and Settings\Mark\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\AdobeAAMUpdater-1.0-MAERTEN-Mark.job => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2017-03-15 10:07 - 2017-02-24 06:23 - 01732896 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-220523388-1767777339-839522115-1004\...\localhost -> localhost

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 06:00 - 2017-03-17 10:34 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-220523388-1767777339-839522115-1004\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 75.75.75.75 - 75.75.76.76
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^Documents and Settings^Mark^Start Menu^Programs^Startup^Monitor Ink Alerts - HP Deskjet 3510 series.lnk => C:\WINDOWS\pss\Monitor Ink Alerts - HP Deskjet 3510 series.lnkStartup

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\Program Files\Lexmark 2500 Series\app4r.exe] => C:\Program Files\Lexmark 2500 Series\App4R.exe:*:Enabled:Printing Application
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE] => Enabled:Microsoft Office Outlook
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\GROOVE.EXE] => Enabled:Microsoft Office Groove
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE] => Enabled:Microsoft Office OneNote
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Google Earth\plugin\geplugin.exe] => Enabled:Google Earth
StandardProfile\AuthorizedApplications: [C:\Program Files\Bonjour\mDNSResponder.exe] => Enabled:Bonjour Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Google Talk\googletalk.exe] => Enabled:Google Talk
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\LEXPPS.EXE] => Disabled:LEXPPS.EXE
StandardProfile\AuthorizedApplications: [C:\Program Files\iTunes\iTunes.exe] => Enabled:iTunes
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22008

==================== Restore Points =========================

03-03-2017 07:31:02 System Checkpoint
04-03-2017 07:52:58 System Checkpoint
05-03-2017 07:53:15 System Checkpoint
06-03-2017 08:54:13 System Checkpoint
07-03-2017 16:49:35 System Checkpoint
08-03-2017 18:18:56 System Checkpoint
09-03-2017 19:04:29 System Checkpoint
10-03-2017 20:04:34 System Checkpoint
11-03-2017 21:06:22 System Checkpoint
12-03-2017 22:04:09 System Checkpoint
13-03-2017 22:04:46 System Checkpoint
14-03-2017 22:05:30 System Checkpoint
16-03-2017 08:17:36 Software Distribution Service 3.0
16-03-2017 08:34:26 Restore Operation
16-03-2017 10:14:39 JRT Pre-Junkware Removal
17-03-2017 09:44:16 JRT Pre-Junkware Removal
18-03-2017 10:33:16 System Checkpoint
19-03-2017 11:32:05 System Checkpoint
20-03-2017 11:44:25 System Checkpoint
22-03-2017 11:14:13 System Checkpoint
23-03-2017 08:43:06 Restore Operation
23-03-2017 08:44:59 Restore Operation
24-03-2017 09:54:12 System Checkpoint
25-03-2017 11:05:35 System Checkpoint

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/25/2017 03:21:03 PM) (Source: Userenv) (EventID: 1511) (User: MAERTEN)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (03/25/2017 03:21:02 PM) (Source: Userenv) (EventID: 1515) (User: MAERTEN)
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.

Error: (03/25/2017 03:21:02 PM) (Source: Userenv) (EventID: 1502) (User: NT AUTHORITY)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.


DETAIL - The process cannot access the file because it is being used by another process.

Error: (03/25/2017 03:20:41 PM) (Source: Userenv) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.


DETAIL - The process cannot access the file because it is being used by another process.  for C:\Documents and Settings\Mark\ntuser.dat

Error: (03/24/2017 02:55:45 PM) (Source: EventSystem) (EventID: 4614) (User: )
Description: The COM+ Event System detected an inconsistency in its internal state.  The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/24/2017 02:55:41 PM) (Source: EventSystem) (EventID: 4614) (User: )
Description: The COM+ Event System detected an inconsistency in its internal state.  The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/23/2017 12:40:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application 6k4gr1q1.exe, version 2.2.19882.0, faulting module 6k4gr1q1.exe, version 2.2.19882.0, fault address 0x00012298.
Processing media-specific event for [6k4gr1q1.exe!ws!]

Error: (03/23/2017 12:20:13 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (03/23/2017 12:20:13 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (03/23/2017 08:42:40 AM) (Source: Userenv) (EventID: 1511) (User: MAERTEN)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.


System errors:
=============
Error: (03/25/2017 04:21:16 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AmdK8
APPDRV
ESProtectionDriver
Fips
SASDIFSV
SASKUTIL

Error: (03/25/2017 04:20:17 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (03/25/2017 03:18:46 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (03/25/2017 03:18:35 PM) (Source: DCOM) (EventID: 10005) (User: MAERTEN)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error: (03/25/2017 03:14:30 PM) (Source: DCOM) (EventID: 10005) (User: MAERTEN)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (03/25/2017 03:14:20 PM) (Source: DCOM) (EventID: 10005) (User: MAERTEN)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (03/25/2017 03:08:54 PM) (Source: DCOM) (EventID: 10005) (User: MAERTEN)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error: (03/25/2017 03:08:22 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
AmdK8
APPDRV
ESProtectionDriver
Fips
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip
WS2IFSL

Error: (03/25/2017 03:08:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning.

Error: (03/25/2017 03:08:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
A device attached to the system is not functioning.


==================== Memory info ===========================

Processor: AMD Athlon™ 64 X2 Dual-Core Processor TK-57
Percentage of memory in use: 48%
Total physical RAM: 893.97 MB
Available physical RAM: 461.25 MB
Total Virtual: 2171.13 MB
Available Virtual: 1877.45 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:87.89 GB) (Free:2.6 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:61.15 GB) (Free:46.6 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: 4630462F)
Partition 1: (Active) - (Size=87.9 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=61.2 GB) - (Type=OF Extended)

==================== End of Addition.txt ============================



#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,995 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:02:21 PM

Posted 25 March 2017 - 08:36 PM

Thank you.

Can you confirm this was the GMER download?

C:\Documents and Settings\Mark\Desktop\6k4gr1q1.exe

We have a few things going on. Yes, I believe the partitioning of your hard drive has negatively affected your computer performance. There is not enough space on the C: partition for your computer to function properly. The rule of thumb is a minimum of 15% free space, and you are at 3%. And that is 3% of a very small drive. Another factor is the limited amount of RAM. In Safe Mode you are running at 49% and in Normal Boot you are at 89%, which leaves very little operating room. In addition, we are having problems loading your User Profile in Normal Boot, but I am assuming that is not the case in Safe Mode, correct? If so, that seems to indicate it is a lack of sufficient resources issue, but it is possible it is a corrupt user profile. So what to do now.

You have far too many autostart entries for your computer to handle. If we disable some of these, that is one way we can address the RAM issue. I believe you can use a 3rd party program to shrink the D: drive in order to expand the C: drive, but I am not an expert in that area. We can create a new user profile to see if your current profile is corrupt, but I don't think that should be our first course of action since we have other issues (RAM and drive space). Finally, we need to follow up on the BSOD and I will do that by looking at your Minidump folder.

I would like to start by running the below Fixlist and also disable some Autoruns entries. Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CreateRestorePoint:
CloseProcesses:
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-220523388-1767777339-839522115-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-220523388-1767777339-839522115-1004 -> DefaultScope {85A60A59-D3D8-468F-B598-FB4393789EF4} URL =
SearchScopes: HKU\S-1-5-21-220523388-1767777339-839522115-1004 -> ToolbarSearchProviderProgress {96bd48dd-741b-41ae-ac4a-aff96ba00f7e}
BHO: Updater For XFIN_PORTAL -> {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} -> No File
FF Plugin HKU\S-1-5-21-220523388-1767777339-839522115-1004: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017325.dll [No File]
zip: C:\WINDOWS\Minidump
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • The tool will also create a zip file on your Desktop with today's date and time, example 05.12.2016_13.04.06.zip. Please attach that file to your reply.
===================================================

Disabling Autoruns Entries

--------------------

Autoruns Explained

Many programs, when installed, create registry or file entries which instruct the program to launch at system startup whether or not that program is essential or advantageous to run in the background. By disabling the autorun feature we do not delete or otherwise prohibit the program from running, it is just that it does automatically run regardless of whether or not you are going to use it. Think of it like a car. Sometime today you might want to use the car to go to the store. The car can be in one of two conditions before you decide. You can leave the car running all day long even though you may or may not use it (enabling autorun) or you can start the car when you are ready (disabling autorun then launching a program). Either way the car will work for you; it is just a matter of how ready it will be if/when it is time. Just as gas is wasted by leaving the car running, your computer resources are "wasted" because programs are running in the background that you may not be using.
  • Please download AutoRuns and save it to your desktop
  • Double click the AutoRuns.zip folder (or if necessary right click and select Extract)
  • Double click autoruns.exe for 32 bit or autoruns64.exe for 64 bit computers (not autorunsc.exe)
  • Uncheck any items you do not need to launch at startup
  • If you are unsure about an entry you can Google it or check the startup in the BleepingComputer Startup List. You can also ask me about it
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • GMER?
  • User Profile load properly in Safe Mode?
  • Fixlog
  • Attached zip file
  • Disable Autoruns?
  • Update on your computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
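The Autoruns steps above are done by hand in the GUI. As an added example (not code from this thread, from Sysinternals Autoruns or from FRST), the PowerShell script below does a read-only pass over the most common autostart locations that Autoruns inspects: the machine and per-user Run/RunOnce registry keys and both Startup folders. It resolves each entry to the file it would launch and flags entries whose target no longer exists, which is the same "could not find the associated file" condition Autoruns highlights and that several of the fixlist lines above show as "No File". It assumes PowerShell is installed (it is not present on Windows XP by default) and is run from an account that can read those keys; the registry paths used are the standard Windows ones, and nothing is modified.

```powershell
# Added example, not part of the thread or of Autoruns. Read-only triage of
# common autostart locations; entries whose target file is missing are listed
# first so they can be reviewed before anything is disabled.

# Standard Run / RunOnce keys for the machine (HKLM) and the current user (HKCU)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    # Extract the executable path from a command line: the quoted first
    # argument if present, otherwise the first whitespace-delimited token.
    param([string]$CommandLine)
    $c = $CommandLine.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Test-AutostartTarget {
    # Expand %VAR% references, then check that a file (not a folder) exists there.
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return (Test-Path -LiteralPath $expanded -PathType Leaf)
}

$entries = @()

# 1. Registry Run / RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object
        if ($prop.Name -like 'PS*') { continue }
        $target = Get-CommandTarget -CommandLine ([string]$prop.Value)
        $entries += New-Object PSObject -Property @{
            Location = $key
            Name     = $prop.Name
            Command  = [string]$prop.Value
            Target   = $target
            Exists   = Test-AutostartTarget -Path $target
        }
    }
}

# 2. Startup folders: the current user's, and the All Users one from the
#    Explorer "Shell Folders" key (works on XP as well as later versions).
$shellFolders   = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startupFolders = @([Environment]::GetFolderPath('Startup'), $shellFolders.'Common Startup')
$wsh = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

foreach ($folder in $startupFolders) {
    if ([string]::IsNullOrEmpty($folder) -or -not (Test-Path $folder)) { continue }
    foreach ($item in Get-ChildItem -Path $folder -Filter *.lnk) {
        $target = $wsh.CreateShortcut($item.FullName).TargetPath
        $entries += New-Object PSObject -Property @{
            Location = $folder
            Name     = $item.Name
            Command  = $item.FullName
            Target   = $target
            Exists   = Test-AutostartTarget -Path $target
        }
    }
}

# Missing targets (Exists = False) sort first; those are dead entries that only
# cost startup time and should be the first candidates for review.
$entries | Sort-Object Exists, Location, Name |
    Format-Table Exists, Name, Target, Location -AutoSize
```

Run it from a normal PowerShell prompt; no elevation is needed to read these keys. It covers only the Run/RunOnce keys and Startup folders, which is a subset of what Autoruns shows (services, drivers, scheduled tasks and the other locations in the FRST log above are not included), so it is a quick first pass rather than a replacement for the tool.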

#8 Satelllite

Satelllite
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:21 PM

Posted 26 March 2017 - 12:54 PM

Thanks again for all of your help Gary.  This round took me a little longer.  So I will go in order of your requests. 

 

1. Yes 6k4gr1q1.exe is gmer.  This would crash on my when i tried running.
 

2. My user profile loaded properly in safe mode, and also I noticed it loaded perfectly intermittently today when I restarted. However If I received the blue screen Multiple_IRP_Complete_Requests error, it would restart under what appeared to be a completely new user setup.

 

3. Below these numbered items is the fixlog and i have attached the zip file.

 

4. Wow, I can't believe how many programs and scripts I had in my startup Autoruns. I searched most every one that I disabled. There were a number that were highlighted with the message that it could not find the associated file. There might be a few more that could be disabled, but I think I got most of them.

 

5. Once I deselected a number of the Autoruns entries, I restarted, received the above quoted blue screen error again, then restarted again with no problem loading my user profile. On my second successful profile load, which I am running right now as I respond to you, this system is smoking fast compared to yesterday.

 

If this stays moving along like this, woo hoo. How cool.

 

May God bless you for your efforts in helping me. 

 

Here are the logs:

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by Mark (26-03-2017 11:29:52) Run:1
Running from C:\Documents and Settings\Mark\Desktop
Loaded Profiles: Mark (Available Profiles: Mark & Amy & Serena & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-220523388-1767777339-839522115-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-220523388-1767777339-839522115-1004 -> DefaultScope {85A60A59-D3D8-468F-B598-FB4393789EF4} URL =
SearchScopes: HKU\S-1-5-21-220523388-1767777339-839522115-1004 -> ToolbarSearchProviderProgress {96bd48dd-741b-41ae-ac4a-aff96ba00f7e}
BHO: Updater For XFIN_PORTAL -> {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} -> No File
FF Plugin HKU\S-1-5-21-220523388-1767777339-839522115-1004: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017325.dll [No File]
zip: C:\WINDOWS\Minidump
emptytemp:
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Program Files\OpenOffice.org 3\program\quickstart.exe => not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKU\S-1-5-21-220523388-1767777339-839522115-1004\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-220523388-1767777339-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-21-220523388-1767777339-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\ToolbarSearchProviderProgress => value removed successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb46be07-13eb-4c49-b0f0-fc78b9ea4983} => key removed successfully.
HKCR\CLSID\{bb46be07-13eb-4c49-b0f0-fc78b9ea4983} => key not found.
HKU\S-1-5-21-220523388-1767777339-839522115-1004\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin => key removed successfully.
C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017325.dll => not found.
================== Zip: ===================
C:\WINDOWS\Minidump -> copied successfully to C:\Documents and Settings\Mark\Desktop\26.03.2017_11.30.00.zip
=========== Zip: End ===========

=========== EmptyTemp: ==========

BITS transfer queue => 9769 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 65549 B
Java, Flash, Steam htmlcache => 36644 B
Windows/system/dllcache/drivers => 229376 B
Edge => 0 B
Chrome => 0 B
Firefox => 350252005 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 16741 B
All Users => 0 B
systemprofile => 131432 B
LocalService => 424 B
NetworkService => 66228 B
Mark => 77265389 B
Amy => 163046 B
Serena => 33275 B
Administrator => 66228 B

RecycleBin => 165886701 B
EmptyTemp: => 566.7 MB temporary data Removed.

================================

 



#9 Satelllite

Posted 26 March 2017 - 12:56 PM

I am trying to attach the zip file but it is not letting me. It gives me an error: Upload Skipped (Error IO)



#10 Oh My!

Posted 26 March 2017 - 01:41 PM


If your computer has improved then there is no need to investigate the dump file just yet. Keep it just in case.

While we monitor your computer performance please do this.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET Online Scanner. This process may take several hours; that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Review the list of entries and if there are any you want to keep stop and copy/paste the ESET.txt report in your reply for my review
  • If you do not wish to keep any of the entries check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • ESET log
  • Security Check log
  • How is your computer running?

Gary

#11 Satelllite

Posted 26 March 2017 - 07:31 PM

From the last post. 

 

1.) Below is pasted the ESET log

2.) Below is pasted the Security Check log

3.) The system seems to still be moving really fast compared to previously. Like trying to run 50 yards with 250 lbs on my back and then someone cuts the weight loose.

*********************************************************************************************************************************************************************************************

C:\Documents and Settings\Mark\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab    Win32/OpenCandy potentially unsafe application    deleted
C:\Documents and Settings\Mark\Application Data\Sun\Java\jre1.8.0_31\java_sp.dll    a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application    cleaned by deleting
C:\Documents and Settings\Mark\My Documents\Downloads\ccsetup407.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    cleaned by deleting

 

*********************************************************************************************************************************************************************************************

Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 CCleaner     
 Java™ 6 Update 22  
 Java 8 Update 31  
 Java version 32-bit out of Date!
 Adobe Flash Player     25.0.0.127  
 Adobe Reader XI  
 Mozilla Firefox (52.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 MALWAREBYTES ANTI-MALWARE mbamtray.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 18% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


 



#12 Oh My!

Posted 26 March 2017 - 07:43 PM

Great.

I am assuming you have not installed a Solid State Drive (SSD) and that you still have a regular hard drive installed. If you aren't sure you have a regular drive stop and let me know, otherwise please do this.

===================================================

Update Java

-------------------

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Please follow these steps to update Java and remove any existing older versions:
  • Click here to Verify Java version
  • If you are notified your Java version is out of date click Update (recommended)
  • Click Agree and Start Free Java Download
  • Save jxpiinstall.exe to your desktop
  • Double click the icon then click Install
  • Uncheck all optional offers
  • Click Next
  • Once completed you should be notified You have successfully installed Java
  • If Java notifies you older versions of the program need to be removed check each of the versions and click Uninstall
  • Verify the older version(s) was uninstalled then click Next
  • Click Close
===================================================

Checking Disk Fragmentation Level - Windows XP

--------------------
  • Click Start, All Programs, Accessories, System Tools, then Disk Defragmenter
  • Under Volume select the C: drive
  • Click Analyze
  • If recommended click Defragment disk
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Java update?
  • Defrag go OK?
  • Computer still performing well?

Gary

#13 Satelllite

Posted 27 March 2017 - 10:48 AM

That took a little longer. But I was able to confirm the Java update. I had two versions in my program files. Uninstalled the older of the two. Was not able to confirm using Firefox. Perhaps that is why I sometimes get script error freeze events. Maybe this removal will fix it.

 

I removed a number of old MP3 files and large PowerPoint presentations to finally get to 15% free on the C drive. Ran the Disk Defrag. Took about three hours. I saved the report.

 

Everything seems to be running smoothly. No BSODs since yesterday. Going to buy a backup drive sometime this week to start removing and backing up old photographs etc. I will continue to run the two programs SUPERAntiSpyware and Malwarebytes.

 

I wonder if there is a way to remove .NET and do a fresh install. Seems like this program and its revisions are taking up a lot of space. Maybe it is time to move on to a better laptop. I really like the XP operating system though. Very intuitive. But then again, it has been years since I have delved into computers.



#14 Oh My!

Posted 27 March 2017 - 11:14 AM

Greetings.

The steps you took will help but the machine has its limitations. I still have an XP test computer and love to dabble with it. :)

See here regarding .NET removal.

It looks like we are all set!

Now that your computer is running well it is my great pleasure to proclaim to you the Good News!

===================================================

All Clean!

--------------

Your machine appears to be clean and we will now remove the tools used and logs created during our steps. Please do this.

===================================================

Delfix by Xplode

--------------------
  • Download Delfix and save it to your Desktop
  • Double click the icon
  • Place checkmarks in:

Remove disinfection tools
Create registry backup
Purge system restore

  • Click Run
===================================================

You may delete any additional programs or logs on your computer which were not automatically removed by Delfix. Simply delete the log files or desktop icons. If we used Emsisoft Emergency Kit just delete the icon on your desktop and the C:\EEK folder.

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary

#15 Satelllite

Posted 27 March 2017 - 04:58 PM

Gary,
Thank you so much. I have to tell you, this website is the absolute best ever. I wish I knew as much as you to be able to offer help like you did for me. God bless you for all of your hard work. You have been a blessing to me.
 
Sincerely,
 

Mark