Malware Attacked: Easy Auto Refresh, Nasty incomers and Browser Blocks

16 replies to this topic

#1 waiata
Posted 31 March 2018 - 01:17 PM

A few issues:

1. Installed Easy Auto Downloader, and that contained malware that compromised my system. My antivirus regularly informs me that it is blocking visits from nasty IP addresses. There have been times when it seems to have disabled my antivirus. It is also smart enough that there is a delay of five or so minutes before the visits occur after sign-on.
2. It has crippled my browsers. Internet Explorer, Chrome, Firefox -- none of those will work anymore. Only Opera will work... and it will only work on the original tab through links after a few minutes. It seems to block all new tabs, all new URLs inputted.
3. An update to Juniper Networks also seems to have adversely affected the machine. I've tried to remove all remnants of it but have been unsuccessful.

Here are the files.

Thanks for your help, as this one is above my level!

Mod Edit: Merged posts - Hamluis.



Formatting didn't come through, so reposting FRST and Addition.
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 04.03.2018
Ran by gorgonzola (07-03-2018 23:40:58)
Running from C:\Documents and Settings\gorgonzola\My Documents
Microsoft Windows XP Service Pack 3 (X86) (2011-04-13 02:26:11)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3098649794-2976184391-826721552-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-3098649794-2976184391-826721552-1005 - Limited - Enabled)
gorgonzola (S-1-5-21-3098649794-2976184391-826721552-1007 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\gorgonzola
Guest (S-1-5-21-3098649794-2976184391-826721552-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-3098649794-2976184391-826721552-1006 - Limited - Disabled)
MKDFostgresUser (S-1-5-21-3098649794-2976184391-826721552-1008 - Limited - Enabled) => %SystemDrive%\Documents and Settings\MKDFostgresUser
SUPPORT_388945a0 (S-1-5-21-3098649794-2976184391-826721552-1002 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 28 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 28.0.0.161 - Adobe Systems Incorporated)
Adobe Reader X (10.0.1) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA0000000001}) (Version: 10.0.1 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM\...\Adobe Shockwave Player) (Version: 11.5.9.620 - Adobe Systems, Inc.)
Amazon Kindle (HKLM\...\Amazon Kindle) (Version:  - Amazon)
Apple Application Support (HKLM\...\{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}) (Version: 1.5.0 - Apple Inc.)
ATT-PRT22 (HKLM\...\ATT-PRT22) (Version:  - )
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version:  - )
Avery Wizard 3.1 (HKLM\...\{F19F7B24-AAD4-4236-8475-5335483DA676}) (Version: 3.1.9 - Avery)
Broadcom Gigabit Integrated Controller (HKLM\...\{FC57FC53-104C-415C-98D7-B05E659461A9}) (Version: 10.50.03 - Broadcom Corporation)
Calculator Powertoy for Windows XP (HKLM\...\{B37C842A-B624-46B8-A727-654E72F1C91A}) (Version: 1.00.0001 - Microsoft Corporation)
ClearType Tuning Control Panel Applet (HKLM\...\{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}) (Version: 1.01.0000 - Microsoft Corporation)
CmdHere Powertoy For Windows XP (HKLM\...\{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}) (Version: 1.00.0001 - Microsoft Corporation)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6425.1000 - Microsoft Corporation)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1007.101.205 - ALPS ELECTRIC CO., LTD.)
EZ Vinyl/Tape Converter 10 by Ion Audio (HKLM\...\EZ Vinyl/Tape Converter by Ion Audio_is1) (Version:  - Ion Audio LLC)
EZ Vinyl/Tape Converter 11.7.0 (HKLM\...\EZ Vinyl/Tape Converter_is1) (Version: 11.7.0 - inMusic Brands Inc)
HP Photosmart 7510 series Basic Device Software (HKLM\...\{2DEC3D95-BEB0-4BFA-A322-7C2B3AFAA01A}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Photosmart 7510 series Help (HKLM\...\{6357D25F-A9C9-4CC7-A1FB-0DCF344E7C40}) (Version: 140.0.2.2 - Hewlett Packard)
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
Image Resizer Powertoy for Windows XP (HKLM\...\{1CB92574-96F2-467B-B793-5CEB35C40C29}) (Version: 1.00.0001 - Microsoft Corporation)
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
ISO Recorder (HKLM\...\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}) (Version: 2.0.0 - Alex Feinman)
iTunes (HKLM\...\{2A697B53-0DE3-42DA-B41D-C3F804B1C538}) (Version: 10.2.1.1 - Apple Inc.)
Junos Pulse (HKLM\...\{4BA08739-1B4F-440C-8BCF-3852325CAF01}) (Version: 3.1.29447 - Juniper Networks) Hidden
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2416447) (HKLM\...\M2416447) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Calculator Plus (HKLM\...\{83073C45-3003-4671-9A86-243AAADD915A}) (Version: 1.0.0 - Microsoft)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Lync Web App Plug-in (HKLM\...\{182E13EF-F4ED-4AD2-A799-F0CE3C258B3B}) (Version: 15.8.8308.920 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NetPro SelfServiceADmin NPGina x86 (HKLM\...\{C89305AC-0D2B-4BED-B713-E5DF35110D32}) (Version: 2.0.40 - NetPro Computing Inc)
NuVooDoo Analyst (HKLM\...\NuVooDoo Analyst) (Version:  - )
OGA Notifier 2.0.0048.0 (HKLM\...\{B2544A03-10D0-4E5E-BA69-0362FFC20D18}) (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
Opera Stable 36.0.2130.80 (HKLM\...\Opera 36.0.2130.80) (Version: 36.0.2130.80 - Opera Software)
pdfFactory (2.x) (HKLM\...\pdfFactory (2.x)) (Version:  - )
pdfFactory (HKLM\...\pdfFactory) (Version:  - )
PDF-XChange 3.5 (HKLM\...\PDF-XChange 3_is1) (Version:  - Tracker Software)
PostgreSQL 8.1 (HKLM\...\{34D95765-2D5A-470F-A39F-BC9DEAAAF04F}) (Version: 8.1 - PostgreSQL Global Development Group)
PowerDVD (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 7.0 - Dell)
QuickTime (HKLM\...\{57752979-A1C9-4C02-856B-FBB27AC4E02C}) (Version: 7.69.80.9 - Apple Inc.)
RealNetworks - Microsoft Visual C++ 2008 Runtime (HKLM\...\{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}) (Version: 9.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM\...\RealPlayer 12.0) (Version:  - RealNetworks)
RealUpgrade 1.1 (HKLM\...\{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}) (Version: 1.1.0 - RealNetworks, Inc.) Hidden
ScanSoft PaperPort Viewer 7.0 (HKLM\...\ScanSoft PaperPort Viewer 7.0) (Version:  - )
Seagate Manager Installer (HKLM\...\{231A1A09-FDF2-45F2-B3D1-964CECE372BC}) (Version: 2.01.0109 - Seagate) Hidden
Seagate Manager Installer (HKLM\...\InstallShield_{231A1A09-FDF2-45F2-B3D1-964CECE372BC}) (Version: 2.01.0109 - Seagate)
Spelling Dictionaries Support For Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
Symantec Endpoint Protection (HKLM\...\{11CA5B07-1FA1-4106-8C75-E3743FD9F9A4}) (Version: 12.1.6168.6000 - Symantec Corporation)
Tweak UI (HKLM\...\Tweak UI 2.10) (Version:  - )
Voice Manager Connect (HKLM\...\{6B2668A7-3263-CBB5-D458-99DB0F725929}) (Version: 1.0.1 - Time Warner Cable Media Inc) Hidden
Voice Manager Connect (HKLM\...\com.twc.voicemanagerconnect) (Version: 1.0.1 - Time Warner Cable Media Inc)
WebFldrs XP (HKLM\...\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.7523 - Microsoft Corporation) Hidden
Winamp (HKLM\...\Winamp) (Version: 5.63  - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-3098649794-2976184391-826721552-1007\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3098649794-2976184391-826721552-1007_Classes\CLSID\{40C37B6C-D273-41E2-8122-A338BBDB2528}\InprocServer32 -> C:\Documents and Settings\gorgonzola\Local Settings\Application Data\Microsoft\LWAPlugin\x86\15.8\LWAPluginInProc.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3098649794-2976184391-826721552-1007_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\3499\G2MOutlookAddin.dll => No File
ContextMenuHandlers1: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\vpshell2.dll [2015-05-09] (Symantec Corporation)
ContextMenuHandlers2: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\vpshell2.dll [2015-05-09] (Symantec Corporation)
ContextMenuHandlers2: [Record To CD] -> {34F4B935-17DC-4885-8BC9-CCD1ADF42F93} => C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll [2006-01-05] (Alex Feinman)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2011-03-09] (Intel Corporation)
ContextMenuHandlers6: [Create ISO Image from directory] -> {34F4B935-17DC-4885-8BC9-CCD1ADF42F93} => C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll [2006-01-05] (Alex Feinman)
ContextMenuHandlers6: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\vpshell2.dll [2015-05-09] (Symantec Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
 
==================== Scheduled Tasks=============================
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1509062877.job => C:\Program Files\Opera\launcher.exe
Task: C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-1606980848-98502575-500.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-3098649794-2976184391-826721552-1007.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-1606980848-98502575-500.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-3098649794-2976184391-826721552-1007.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{2093299C-C78D-47EE-BBF4-2C9F2ED827E2}.job => C:\WINDOWS\system32\msfeedssync.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Documents and Settings\gorgonzola\NetHood\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.co
 
==================== Loaded Modules (Whitelisted) ==============
 
2009-09-04 22:15 - 2009-09-04 22:15 - 000067872 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2006-05-22 08:28 - 2006-05-22 08:28 - 000178778 _____ () C:\Program Files\PostgreSQL\8.1\bin\libpq.dll
2003-02-01 14:51 - 2003-02-01 14:51 - 000051016 _____ () C:\Program Files\PostgreSQL\8.1\bin\libintl-2.dll
2003-01-31 17:41 - 2003-01-31 17:41 - 000916849 _____ () C:\Program Files\PostgreSQL\8.1\bin\libiconv-2.dll
2015-05-09 20:52 - 2015-05-09 20:52 - 000566328 ____C () C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\AvPluginImpl.dll
2018-01-02 22:26 - 2017-11-29 09:11 - 001934792 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{D08C5AB9-0E76-4AC5-9398-EE61ECA1445F}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antvirus => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-3098649794-2976184391-826721552-1007\...\cheddar.com -> cheddar.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2004-08-04 04:00 - 2017-10-28 14:07 - 000000768 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1 localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3098649794-2976184391-826721552-1007\Control Panel\Desktop\\Wallpaper -> 
HKU\S-1-5-21-3098649794-2976184391-826721552-1008\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: Media is not connected to internet.
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\gorgonzola\Local Settings\Application Data\Microsoft\LWAPlugin\x86\15.8\LWAPlugin.exe] => Enabled:Microsoft Lync Web App Plug-in
StandardProfile\AuthorizedApplications: [C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\Smc.exe] => Enabled:SMC Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\snac.exe] => Enabled:SNAC Service
StandardProfile\AuthorizedApplications: [C:\Program Files\HP\HP Photosmart 7510 series\Bin\DeviceSetup.exe] => :LocalSubNet:Enabled:HP Device Setup (HP Photosmart 7510 series)
StandardProfile\AuthorizedApplications: [C:\Program Files\HP\HP Photosmart 7510 series\Bin\HPNetworkCommunicator.exe] => :LocalSubNet:Enabled:HP Network Communicator (HP Photosmart 7510 series)
StandardProfile\AuthorizedApplications: [C:\Program Files\HP\HP Photosmart 7510 series\Bin\HPNetworkCommunicatorCom.exe] => :LocalSubNet:Enabled:HP Network Communicator COM (HP Photosmart 7510 series)
StandardProfile\GloballyOpenPorts: [10526:TCP] => Enabled:Remote Assistance Local
StandardProfile\GloballyOpenPorts: [10281:TCP] => Enabled:Remote Assistance Remote
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22008
 
==================== Restore Points =========================
 
Could not list restore points
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
Could not list Devices. Check "winmgmt" service or repair WMI.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/07/2018 11:35:47 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
 
Error: (03/07/2018 11:35:47 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.
 
Error: (03/07/2018 10:36:26 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
 
Error: (03/07/2018 10:36:25 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.
 
Error: (03/07/2018 09:11:28 AM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
 
Error: (03/07/2018 09:11:28 AM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.
 
Error: (03/07/2018 12:30:19 AM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
 
Error: (03/07/2018 12:30:19 AM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.
 
 
System errors:
=============
Error: (03/07/2018 11:35:38 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:35:38 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:34:40 PM) (Source: 0) (EventID: 4) (User: )
Description: Event-ID 4
 
Error: (03/07/2018 11:33:09 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:33:09 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:30:17 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:30:17 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:26:52 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5 CPU M 520 @ 2.40GHz
Percentage of memory in use: 23%
Total physical RAM: 3509.85 MB
Available physical RAM: 2682.89 MB
Total Virtual: 5389.27 MB
Available Virtual: 4797.5 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.88 GB) (Free:177.89 GB) NTFS ==>[drive with boot components (Windows XP)]
 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: 84918491)
Partition 1: (Active) - (Size=232.9 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 
Symantec Endpoint Protection (HKLM\...\{11CA5B07-1FA1-4106-8C75-E3743FD9F9A4}) (Version: 12.1.6168.6000 - Symantec Corporation)
Tweak UI (HKLM\...\Tweak UI 2.10) (Version:  - )
Voice Manager Connect (HKLM\...\{6B2668A7-3263-CBB5-D458-99DB0F725929}) (Version: 1.0.1 - Time Warner Cable Media Inc) Hidden
Voice Manager Connect (HKLM\...\com.twc.voicemanagerconnect) (Version: 1.0.1 - Time Warner Cable Media Inc)
WebFldrs XP (HKLM\...\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.7523 - Microsoft Corporation) Hidden
Winamp (HKLM\...\Winamp) (Version: 5.63  - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-3098649794-2976184391-826721552-1007\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3098649794-2976184391-826721552-1007_Classes\CLSID\{40C37B6C-D273-41E2-8122-A338BBDB2528}\InprocServer32 -> C:\Documents and Settings\gorgonzola\Local Settings\Application Data\Microsoft\LWAPlugin\x86\15.8\LWAPluginInProc.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3098649794-2976184391-826721552-1007_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\3499\G2MOutlookAddin.dll => No File
ContextMenuHandlers1: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\vpshell2.dll [2015-05-09] (Symantec Corporation)
ContextMenuHandlers2: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\vpshell2.dll [2015-05-09] (Symantec Corporation)
ContextMenuHandlers2: [Record To CD] -> {34F4B935-17DC-4885-8BC9-CCD1ADF42F93} => C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll [2006-01-05] (Alex Feinman)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2011-03-09] (Intel Corporation)
ContextMenuHandlers6: [Create ISO Image from directory] -> {34F4B935-17DC-4885-8BC9-CCD1ADF42F93} => C:\Program Files\Alex Feinman\ISO Recorder\ISORecorder.dll [2006-01-05] (Alex Feinman)
ContextMenuHandlers6: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\vpshell2.dll [2015-05-09] (Symantec Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
 
==================== Scheduled Tasks=============================
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1509062877.job => C:\Program Files\Opera\launcher.exe
Task: C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-1606980848-98502575-500.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-3098649794-2976184391-826721552-1007.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-1606980848-98502575-500.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-3098649794-2976184391-826721552-1007.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{2093299C-C78D-47EE-BBF4-2C9F2ED827E2}.job => C:\WINDOWS\system32\msfeedssync.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Documents and Settings\gorgonzola\NetHood\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.co
 
==================== Loaded Modules (Whitelisted) ==============
 
2009-09-04 22:15 - 2009-09-04 22:15 - 000067872 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2006-05-22 08:28 - 2006-05-22 08:28 - 000178778 _____ () C:\Program Files\PostgreSQL\8.1\bin\libpq.dll
2003-02-01 14:51 - 2003-02-01 14:51 - 000051016 _____ () C:\Program Files\PostgreSQL\8.1\bin\libintl-2.dll
2003-01-31 17:41 - 2003-01-31 17:41 - 000916849 _____ () C:\Program Files\PostgreSQL\8.1\bin\libiconv-2.dll
2015-05-09 20:52 - 2015-05-09 20:52 - 000566328 ____C () C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\AvPluginImpl.dll
2018-01-02 22:26 - 2017-11-29 09:11 - 001934792 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{D08C5AB9-0E76-4AC5-9398-EE61ECA1445F}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antvirus => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-3098649794-2976184391-826721552-1007\...\cheddar.com -> cheddar.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2004-08-04 04:00 - 2017-10-28 14:07 - 000000768 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1 localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3098649794-2976184391-826721552-1007\Control Panel\Desktop\\Wallpaper -> 
HKU\S-1-5-21-3098649794-2976184391-826721552-1008\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: Media is not connected to internet.
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\gorgonzola\Local Settings\Application Data\Microsoft\LWAPlugin\x86\15.8\LWAPlugin.exe] => Enabled:Microsoft Lync Web App Plug-in
StandardProfile\AuthorizedApplications: [C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\Smc.exe] => Enabled:SMC Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\snac.exe] => Enabled:SNAC Service
StandardProfile\AuthorizedApplications: [C:\Program Files\HP\HP Photosmart 7510 series\Bin\DeviceSetup.exe] => :LocalSubNet:Enabled:HP Device Setup (HP Photosmart 7510 series)
StandardProfile\AuthorizedApplications: [C:\Program Files\HP\HP Photosmart 7510 series\Bin\HPNetworkCommunicator.exe] => :LocalSubNet:Enabled:HP Network Communicator (HP Photosmart 7510 series)
StandardProfile\AuthorizedApplications: [C:\Program Files\HP\HP Photosmart 7510 series\Bin\HPNetworkCommunicatorCom.exe] => :LocalSubNet:Enabled:HP Network Communicator COM (HP Photosmart 7510 series)
StandardProfile\GloballyOpenPorts: [10526:TCP] => Enabled:Remote Assistance Local
StandardProfile\GloballyOpenPorts: [10281:TCP] => Enabled:Remote Assistance Remote
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22008
 
==================== Restore Points =========================
 
Could not list restore points
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
Could not list Devices. Check "winmgmt" service or repair WMI.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/07/2018 11:35:47 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
 
Error: (03/07/2018 11:35:47 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.
 
Error: (03/07/2018 10:36:26 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
 
Error: (03/07/2018 10:36:25 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.
 
Error: (03/07/2018 09:11:28 AM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
 
Error: (03/07/2018 09:11:28 AM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.
 
Error: (03/07/2018 12:30:19 AM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.
 
Error: (03/07/2018 12:30:19 AM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.
 
 
System errors:
=============
Error: (03/07/2018 11:35:38 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:35:38 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:34:40 PM) (Source: 0) (EventID: 4) (User: )
Description: Event-ID 4
 
Error: (03/07/2018 11:33:09 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:33:09 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:30:17 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:30:17 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
Error: (03/07/2018 11:26:52 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible. 
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5 CPU M 520 @ 2.40GHz
Percentage of memory in use: 23%
Total physical RAM: 3509.85 MB
Available physical RAM: 2682.89 MB
Total Virtual: 5389.27 MB
Available Virtual: 4797.5 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.88 GB) (Free:177.89 GB) NTFS ==>[drive with boot components (Windows XP)]
 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: 84918491)
Partition 1: (Active) - (Size=232.9 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 

Edited by hamluis, 31 March 2018 - 02:21 PM.
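A small triage pass for logs like the Addition.txt above and the FRST.txt posted later in this thread. This is an added example (the editor's code, not FRST's, BleepingComputer's or the poster's): it flags the markers FRST itself prints on a line (`=> No File`, `=> [X]`, `<==== ATTENTION`, `[File not signed]`, `<no Path/update_url>`) and adds two heuristics that are the editor's own assumptions about what deserves a second look, namely Run entries that carry no `[size yyyy-mm-dd]` file stamp and executables under user-writable profile or temp paths. The sample lines are constructed in the shapes seen in this thread's logs, with a placeholder SID and user name; every flag is a prompt for the helper to review, not a verdict that something is malicious.

```python
"""Heuristic triage of Farbar Recovery Scan Tool (FRST) log lines.

Editor's example, not FRST's own code. It flags the markers FRST itself
prints (=> No File, => [X], <==== ATTENTION, [File not signed],
<no Path/update_url>) plus two editor heuristics: autorun entries that
carry no "[size yyyy-mm-dd]" file stamp, and executables under
user-writable profile/temp paths. Flags are review prompts, not verdicts.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines in the shapes FRST emits (modelled on this thread's
# logs; the SID and user name are placeholders, not real values).
SAMPLE_LOG = r"""
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [JunosPulse] => C:\Program Files\Common Files\Juniper Networks\JamUI\Pulse.exe -tray
HKU\S-1-5-21-1-2-3-1007\...\Run: [Zoom] => [X]
GroupPolicy: Restriction ? <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-1-2-3-1007_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\3499\G2MOutlookAddin.dll => No File
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>
S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [272384 2018-02-09] (Adobe Systems Incorporated) [File not signed]
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\LWAPlugin\x86\15.8\LWAPlugin.exe] => Enabled:Microsoft Lync Web App Plug-in
Task: C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1509062877.job => C:\Program Files\Opera\launcher.exe
"""

# FRST appends "[size yyyy-mm-dd]" when it could stat the referenced file.
FILE_STAMP = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\]")

# Editor's heuristic: locations an unprivileged user (or malware running as
# one) can write to. Legitimate software lives there too, so this is a prompt.
USER_WRITABLE = re.compile(
    r"\\(Documents and Settings|Users)\\[^\\]+\\(Local Settings\\)?"
    r"(Application Data|AppData|Temp)\\"
    r"|\\WINDOWS\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)


def classify(line: str) -> List[str]:
    """Return the list of flags that apply to one FRST line (may be empty)."""
    flags: List[str] = []
    if "<==== ATTENTION" in line:
        flags.append("frst-attention")            # FRST's own warning marker
    if line.endswith("=> No File") or line.endswith("=> [X]"):
        flags.append("orphaned-entry")            # registry points at nothing
    if "[File not signed]" in line:
        flags.append("unsigned-binary")
    if "<no Path/update_url>" in line:
        flags.append("extension-no-path")         # policy-installed ext, no source
    if "\\Run: [" in line and "=> [X]" not in line and not FILE_STAMP.search(line):
        flags.append("autorun-no-file-metadata")  # FRST could not stat the target
    if USER_WRITABLE.search(line):
        flags.append("user-writable-path")
    return flags


def triage(log_text: str) -> List[Tuple[str, str]]:
    """(flag, line) pairs for every flagged line in an FRST log."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for flag in classify(line):
            findings.append((flag, line))
    return findings


def summarize(log_text: str) -> Dict[str, int]:
    """Count of lines per flag, for a quick overview before reading details."""
    return dict(Counter(flag for flag, _ in triage(log_text)))


if __name__ == "__main__":
    for flag, line in triage(SAMPLE_LOG):
        print(f"{flag:26} {line}")
    print(summarize(SAMPLE_LOG))
```

Run it against a saved FRST.txt or Addition.txt by passing the file contents to `triage()`; the summary tells you whether a log is mostly stale leftovers (`orphaned-entry`) or has lines FRST itself marked, and the per-line output gives the helper a short list to read first instead of the whole log.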

#2 Oh My! (Malware Response Instructor, 37,978 posts, California; member title: "Adware and Spyware and Malware.....")

Posted 31 March 2018 - 08:33 PM

Greetings waiata and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

There should be a FRST.txt document in the C:\Documents and Settings\gorgonzola\My Documents folder. Please copy and paste the contents of that report in your reply.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 waiata (Topic Starter, Members, 11 posts)

Posted 31 March 2018 - 09:41 PM

Here you go Gary...  Thank you!  

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04.03.2018
Ran by gorgonzola (administrator) on WBC-gorgonzolaLAP (07-03-2018 23:40:32)
Running from C:\Documents and Settings\gorgonzola\My Documents
Loaded Profiles: gorgonzola & MKDFostgresUser (Available Profiles: gorgonzola & MKDFostgresUser & Administrator)
Platform: Microsoft Windows XP Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: Opera)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(IDT, Inc.) C:\WINDOWS\inf\UIU\T10\stacsv.exe
(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Andrea Electronics Corporation) C:\WINDOWS\system32\aestfltr.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Nullsoft, Inc.) C:\Program Files\Winamp\winampa.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Seagate LLC) C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe
(Seagate Technology LLC) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\McciCMService.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\ccSvcHst.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.1\bin\postmaster.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\8.1\bin\postgres.exe
(Microsoft Corporation) C:\WINDOWS\system32\snmp.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\ccSvcHst.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [pdfFactory Dispatcher v2] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe [483328 2005-07-22] (FinePrint Software, LLC)
HKLM\...\Run: [PDVDDXSrv] => C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [128560 2007-06-08] (CyberLink Corp.)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2011-01-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-10] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2010-11-29] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [421160 2011-03-07] (Apple Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [495708 2011-03-09] (IDT, Inc.)
HKLM\...\Run: [AESTFltr] => C:\WINDOWS\system32\AESTFltr.exe [737280 2011-03-09] (Andrea Electronics Corporation)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [288112 2011-03-09] (Alps Electric Co., Ltd.)
HKLM\...\Run: [pdfFactory Dispatcher v3] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe [614400 2010-03-18] (FinePrint Software, LLC)
HKLM\...\Run: [WinampAgent] => C:\Program Files\Winamp\winampa.exe [74752 2012-06-28] (Nullsoft, Inc.)
HKLM\...\Run: [MaxMenuMgr] => C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe [185640 2009-05-01] (Seagate LLC)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [JunosPulse] => C:\Program Files\Common Files\Juniper Networks\JamUI\Pulse.exe -tray
HKU\S-1-5-21-3098649794-2976184391-826721552-1007\...\Run: [HP Photosmart 7510 series (NET)] => C:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe [1837672 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-3098649794-2976184391-826721552-1007\...\Run: [Zoom] => [X]
GroupPolicy: Restriction ? <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 127.0.0.1 localhost
 
Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3098649794-2976184391-826721552-1007\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3098649794-2976184391-826721552-1008\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/
SearchScopes: HKU\S-1-5-21-3098649794-2976184391-826721552-1007 -> DefaultScope {DC92EFA6-14D1-4CB1-B588-E4A37B685300} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-3098649794-2976184391-826721552-1007 -> {3EDD28CB-FB0F-4309-901D-DBE4424E9E84} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ie8
SearchScopes: HKU\S-1-5-21-3098649794-2976184391-826721552-1007 -> {DC92EFA6-14D1-4CB1-B588-E4A37B685300} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-3098649794-2976184391-826721552-1008 -> DefaultScope {DC92EFA6-14D1-4CB1-B588-E4A37B685300} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-3098649794-2976184391-826721552-1008 -> {3EDD28CB-FB0F-4309-901D-DBE4424E9E84} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ie8
SearchScopes: HKU\S-1-5-21-3098649794-2976184391-826721552-1008 -> {DC92EFA6-14D1-4CB1-B588-E4A37B685300} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-01-30] (Adobe Systems Incorporated)
BHO: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\bin\IPS\IPSBHO.DLL [2015-05-09] (Symantec Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1254759012718
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\gorgonzola\Application Data\Mozilla\Firefox\Profiles\06gyflrk.default [2017-10-28]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-10-05] [Legacy] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_28_0_0_161.dll [2018-02-09] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll [2011-02-02] (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2011-03-06] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @Motive.com/NpMotive,version=1.0 -> C:\Program Files\Common Files\Motive\npMotive.dll [2009-01-07] (Motive, Inc.)
FF Plugin: @real.com/nppl3260;version=12.0.1.647 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll [2011-04-13] (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=12.0.1.647 -> c:\program files\real\realplayer\Netscape6\nprjplug.dll [2011-04-13] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=12.0.1.647 -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [2011-04-13] (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=12.0.1.647 -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2011-04-13] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=12.0.1.647 -> c:\program files\real\realplayer\Netscape6\nprpjplug.dll [2011-04-13] (RealNetworks, Inc.)
FF Plugin HKU\S-1-5-21-3098649794-2976184391-826721552-1007: LWAPlugin15.8 -> C:\Documents and Settings\gorgonzola\Application Data\Mozilla\Plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npatgpc.dll [2015-06-18] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\gorgonzola\Application Data\mozilla\plugins\npatgpc.dll [2015-06-18] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\gorgonzola\Application Data\mozilla\plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)
 
Chrome: 
=======
CHR Profile: C:\Documents and Settings\gorgonzola\Local Settings\Application Data\Google\Chrome\User Data\Default [2017-11-11]
CHR Extension: (Slides) - C:\Documents and Settings\gorgonzola\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-29]
CHR Extension: (Docs) - C:\Documents and Settings\gorgonzola\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-29]
CHR Extension: (Sheets) - C:\Documents and Settings\gorgonzola\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-29]
CHR Extension: (Google Docs Offline) - C:\Documents and Settings\gorgonzola\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-10-29]
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [272384 2018-02-09] (Adobe Systems Incorporated) [File not signed]
R2 FreeAgentGoNext Service; C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe [181544 2009-05-01] (Seagate Technology LLC)
S3 Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [163840 2006-01-04] (Alex Feinman) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4563920 2017-11-01] (Malwarebytes)
R2 McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [319488 2009-08-14] (Alcatel-Lucent) [File not signed]
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\ccSvcHst.exe [145008 2015-05-09] (Symantec Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\snac.exe [339512 2015-05-09] (Symantec Corporation)
R2 STacSV; c:\windows\inf\uiu\t10\stacsv.exe [237650 2011-03-09] (IDT, Inc.)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
S2 JuniperAccessService; C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [X]
R2 pgsql-8.1; "C:\Program Files\PostgreSQL\8.1\bin\pg_ctl.exe" runservice -N "pgsql-8.1" -D "C:\Program Files\PostgreSQL\8.1\data\"
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 Acceler; C:\WINDOWS\System32\DRIVERS\Accelern.sys [42672 2011-03-09] (ST Microelectronics)
R3 AESTAud; C:\WINDOWS\System32\drivers\AESTAud.sys [113664 2011-03-09] (Andrea Electronics Corporation)
U0 amd_ahci; C:\WINDOWS\System32\Drivers\ahcix86.sys [184888 2011-03-09] (Advanced Micro Devices, Inc)
R0 atiide; C:\WINDOWS\System32\Drivers\atiide.sys [3456 2011-03-09] (ATI Technologies Inc.) [File not signed]
S3 b57w2k; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [161792 2007-06-06] (Broadcom Corporation) [File not signed]
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2696448 2011-03-09] (Broadcom Corporation)
R1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Definitions\BASHDefs\20180306.005\BHDrvx86.sys [1371216 2018-03-06] (Symantec Corporation)
R1 ccSettings_{D08C5AB9-0E76-4AC5-9398-EE61ECA1445F}; C:\WINDOWS\System32\Drivers\SEP\0C011818\1770.105\x86\ccSetx86.sys [127064 2015-05-09] (Symantec Corporation)
R3 cvusbdrv; C:\WINDOWS\System32\Drivers\cvusbdrv.sys [32808 2011-03-09] (Broadcom Corporation)
R3 e1kexpress; C:\WINDOWS\System32\DRIVERS\e1k5132.sys [168616 2011-03-09] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [393296 2018-01-04] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [121936 2018-01-04] (Symantec Corporation)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae.sys [59896 2017-11-29] ()
R3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Definitions\IPSDefs\20180307.011\IDSxpx86.sys [759448 2017-11-15] (Symantec Corporation)
R3 JNPRNA; C:\WINDOWS\System32\DRIVERS\jnprna5.sys [446712 2012-11-02] (Juniper Networks, Inc.)
S3 jnprva; C:\WINDOWS\System32\DRIVERS\jnprva.sys [25456 2012-11-02] (Juniper Networks, Inc.)
S3 JnprVaMgr; C:\WINDOWS\System32\DRIVERS\jnprvamgr.sys [36776 2012-11-02] (Juniper Networks, Inc.)
R2 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [151328 2018-01-21] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [40376 2018-03-07] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [221112 2018-03-07] (Malwarebytes)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2009-08-14] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2009-08-14] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R3 NAVENG; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Definitions\VirusDefs\20180307.019\NAVENG.SYS [104832 2017-12-18] (Symantec Corporation)
R3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Definitions\VirusDefs\20180307.019\NAVEX15.SYS [1648512 2017-12-18] (Symantec Corporation)
S0 nvgts; C:\WINDOWS\System32\Drivers\nvgts.sys [164896 2011-03-09] (NVIDIA Corporation)
R2 risdpcie; C:\WINDOWS\System32\DRIVERS\risdpe86.sys [49152 2011-03-09] (REDC)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SEP\0C011818\1770.105\x86\SRTSP.SYS [677592 2015-05-09] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SEP\0C011818\1770.105\x86\SRTSPX.SYS [32984 2015-05-09] (Symantec Corporation)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1660051 2011-03-09] (IDT, Inc.)
R0 SymEFASI; C:\WINDOWS\System32\drivers\symefasi\0501010.002\symefasi.sys [1281752 2015-05-23] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [143576 2015-05-23] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\System32\Drivers\SEP\0C011818\1770.105\x86\Ironx86.SYS [211672 2015-05-09] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SEP\0C011818\1770.105\x86\SYMTDI.SYS [423384 2015-05-09] (Symantec Corporation)
U2 CertPropSvc; no ImagePath
S3 COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-07 23:38 - 2018-03-07 23:39 - 000003040 _____ C:\Documents and Settings\gorgonzola\Desktop\Rkill.txt
2018-03-07 23:38 - 2018-03-07 23:38 - 000013721 _____ C:\Documents and Settings\gorgonzola\My Documents\Addition.txt
2018-03-07 23:36 - 2018-03-07 23:40 - 000019264 _____ C:\Documents and Settings\gorgonzola\My Documents\FRST.txt
2018-03-07 23:21 - 2018-03-07 23:36 - 000000000 ____D C:\FRST
2018-03-07 23:18 - 2018-03-07 23:18 - 001763328 _____ (Farbar) C:\Documents and Settings\gorgonzola\My Documents\FRST (1).exe
2018-03-07 23:15 - 2018-03-07 23:15 - 002403328 _____ (Farbar) C:\Documents and Settings\gorgonzola\My Documents\FRST64.exe
2018-03-07 23:14 - 2018-03-07 23:14 - 001763328 _____ (Farbar) C:\Documents and Settings\gorgonzola\My Documents\FRST.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-03-07 23:40 - 2014-03-30 09:07 - 000000000 ____D C:\Documents and Settings\gorgonzola\Local Settings\temp
2018-03-07 23:38 - 2009-10-16 15:47 - 000000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{2093299C-C78D-47EE-BBF4-2C9F2ED827E2}.job
2018-03-07 23:38 - 2009-10-02 13:40 - 000031950 _____ C:\WINDOWS\SchedLgU.Txt
2018-03-07 23:38 - 2009-10-02 13:40 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-03-07 23:36 - 2018-01-02 22:26 - 000221112 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2018-03-07 23:36 - 2018-01-02 22:26 - 000040376 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2018-03-07 23:36 - 2004-08-04 04:00 - 000002206 _____ C:\WINDOWS\system32\wpa.dbl
2018-03-07 23:34 - 2017-10-26 16:08 - 000000420 _____ C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1509062877.job
2018-03-07 23:34 - 2017-10-26 16:05 - 000000000 ____D C:\Program Files\Opera
2018-03-07 23:34 - 2011-04-13 12:36 - 000000284 _____ C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-3098649794-2976184391-826721552-1007.job
2018-03-07 23:34 - 2010-04-29 13:39 - 000000294 _____ C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-1409082233-1606980848-98502575-500.job
2018-03-07 23:34 - 2009-10-16 14:40 - 000000000 ____D C:\MDT
2018-03-07 23:33 - 2015-05-23 13:44 - 008388608 _____ C:\WINDOWS\system32\config\Symantec.evt
2018-03-07 23:33 - 2011-04-13 12:25 - 000000278 ___SH C:\Documents and Settings\gorgonzola\ntuser.ini
2018-03-07 23:02 - 2012-11-28 18:51 - 000000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2018-03-07 10:10 - 2010-04-29 13:39 - 000000302 _____ C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-1409082233-1606980848-98502575-500.job
2018-03-07 01:11 - 2011-04-13 12:25 - 000000000 ____D C:\Documents and Settings\gorgonzola
2018-02-21 13:37 - 2011-04-13 12:36 - 000000292 _____ C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-3098649794-2976184391-826721552-1007.job
2018-02-19 14:27 - 2015-11-27 18:50 - 000517578 _____ C:\Documents and Settings\gorgonzola\My Documents\sbwcrv.exe
2018-02-18 12:24 - 2015-11-28 09:56 - 000000308 _____ C:\Documents and Settings\gorgonzola\Desktop\Linksys Smart Wi-Fi.txt
2018-02-09 04:02 - 2012-11-28 18:51 - 000803328 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2018-02-09 04:02 - 2011-09-05 16:51 - 000144896 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2018-02-09 04:02 - 2009-10-02 13:36 - 000000000 ____D C:\WINDOWS\system32\Macromed
 
==================== Files in the root of some directories =======
 
2012-11-24 22:32 - 2013-01-05 10:09 - 000006507 _____ () C:\Documents and Settings\gorgonzola\Local Settings\Application Data\bb3e2e23-fa85-478c-89d7-a46c2f0e6e74.crx
2012-03-18 22:09 - 2014-06-14 18:01 - 000003584 _____ () C:\Documents and Settings\gorgonzola\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-12-10 13:21 - 2016-12-10 13:21 - 000000057 _____ () C:\Documents and Settings\All Users\Application Data\Ament.ini
2013-04-13 15:05 - 2013-04-13 15:05 - 000000000 _____ () C:\Documents and Settings\All Users\Application Data\Norton.fix
2014-08-01 22:21 - 2014-08-02 09:36 - 000090607 _____ () C:\Documents and Settings\All Users\Application Data\RUNDLL32.EXE-3196-F.txt
2014-08-01 21:41 - 2014-08-01 21:42 - 000035703 _____ () C:\Documents and Settings\All Users\Application Data\RUNDLL32.EXE-3312-F.txt
2014-08-01 21:43 - 2014-08-01 21:43 - 000000055 _____ () C:\Documents and Settings\All Users\Application Data\RUNDLL32.EXE-6048-F.txt
 
Some files in TEMP:
====================
2015-09-27 21:55 - 2015-09-27 21:56 - 003327000 _____ () C:\Documents and Settings\gorgonzola\Local Settings\temp\880e9c52-0887-46a1-a2c5-10f5fb551f56.exe
2017-10-26 17:32 - 2017-10-26 17:33 - 005660403 _____ (Swearware) C:\Documents and Settings\gorgonzola\Local Settings\temp\ComboFix.exe
2014-08-02 00:52 - 2014-08-02 00:57 - 000000000 _____ () C:\Documents and Settings\gorgonzola\Local Settings\temp\HitmanPro_x64.exe
2014-08-02 00:52 - 2014-08-02 00:57 - 000143640 _____ (SurfRight B.V.) C:\Documents and Settings\gorgonzola\Local Settings\temp\Kickstarter.exe
2014-03-30 09:20 - 2010-12-09 07:15 - 000718336 _____ (Microsoft Corporation) C:\Documents and Settings\gorgonzola\Local Settings\temp\ntdll_dump.dll
2015-08-14 04:29 - 2015-07-29 12:08 - 000681097 _____ (SQLite Development Team) C:\Documents and Settings\gorgonzola\Local Settings\temp\sqlite3.dll
2018-01-21 14:42 - 2004-01-20 17:44 - 000132608 _____ (Microsoft Corp.) C:\Documents and Settings\gorgonzola\Local Settings\temp\TFRB4.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of FRST.txt ============================


#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 31 March 2018 - 10:17 PM

Thank you for the information.

I am ending for the evening but will check back first thing in the morning.

Please do this.

===================================================

Uninstalling a Program using Add/Remove Program

--------------------

I recommend the uninstalling of the below listed program(s). If you desire to keep the program I would ask that you reinstall it following our efforts here.
  • Press Windows Key + R on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of installed programs will be displayed
  • Uninstall the following by clicking on the program(s) below (and any other similar names) and selecting Remove or Uninstall

Junos Pulse

  • Reboot your computer
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time (there is no need to paste the information anywhere)
Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3098649794-2976184391-826721552-1007\...\Run: [Zoom] => [X]
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>
U2 CertPropSvc; no ImagePath
S3 COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
C:\Documents and Settings\gorgonzola\Local Settings\temp
2015-09-27 21:55 - 2015-09-27 21:56 - 003327000 _____ () C:\Documents and Settings\gorgonzola\Local Settings\temp\880e9c52-0887-46a1-a2c5-10f5fb551f56.exe
2018-01-21 14:42 - 2004-01-20 17:44 - 000132608 _____ (Microsoft Corp.) C:\Documents and Settings\gorgonzola\Local Settings\temp\TFRB4.exe
CustomCLSID: HKU\S-1-5-21-3098649794-2976184391-826721552-1007_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\3499\G2MOutlookAddin.dll => No File
HKLM\...\Run: [JunosPulse] => C:\Program Files\Common Files\Juniper Networks\JamUI\Pulse.exe -tray
C:\Program Files\Common Files\Juniper Networks
S2 JuniperAccessService; C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [X]
R3 JNPRNA; C:\WINDOWS\System32\DRIVERS\jnprna5.sys [446712 2012-11-02] (Juniper Networks, Inc.)
S3 jnprva; C:\WINDOWS\System32\DRIVERS\jnprva.sys [25456 2012-11-02] (Juniper Networks, Inc.)
S3 JnprVaMgr; C:\WINDOWS\System32\DRIVERS\jnprvamgr.sys [36776 2012-11-02] (Juniper Networks, Inc.)
C:\WINDOWS\System32\DRIVERS\jnprna5.sys
C:\WINDOWS\System32\DRIVERS\jnprva.sys
C:\WINDOWS\System32\DRIVERS\jnprvamgr.sys
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Removeproxy:
Folder: C:\MDT
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
===================================================

Malwarebytes AdwCleaner

-------------------
  • Please download AdwCleaner and save it on your desktop.
  • Close all open programs and browsers
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed if there are threats found you will see Found 3 threats or something similar above the progress bar
  • Click each tab under Results and uncheck any items you want to keep
  • Click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Click OK twice to finish the removal process by automatically rebooting your computer
  • Once completed an AdwCleaner document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Program uninstall?
  • Fixlog
  • AdwCleaner log
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
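As an added example (not code from this thread, from the helper, or from FRST itself), here is a small Python triage script for the FRST "Services"/"Drivers" lines shown above: it parses each entry and flags the orphaned ones (binary marked `[X]` or `no ImagePath`), which is the class of leftovers the fix above removed. The sample lines are copied from the log in this thread; the function and flag names are the script's own.

```python
# Added example: triage of FRST "Services"/"Drivers" lines. Not part of FRST
# or of this thread; function and flag names are this script's own.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One FRST service/driver line: <R|S|U><start type> <name>; <image path ...>
#   R = running, S = stopped, U = unknown; start 0 boot, 1 system, 2 auto, 3 manual
LINE_RE = re.compile(r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
# Trailing "[<size> <yyyy-mm-dd>]" that FRST prints when it found the file
SIZE_DATE_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]")


@dataclass
class Entry:
    raw: str                 # the original log line
    state: str               # R / S / U
    start: int               # start type digit
    name: str                # service or driver name
    image: str               # image path with FRST annotations stripped ("" if none)
    size: Optional[int] = None
    date: Optional[str] = None
    flags: List[str] = field(default_factory=list)  # file-missing, no-imagepath, unsigned


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one line; returns None for lines that are not service/driver entries."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    flags: List[str] = []
    size = date = None
    if rest == "no ImagePath":
        image = ""                      # registry key exists but points nowhere
        flags.append("no-imagepath")
    else:
        image = rest
        if rest.endswith("[X]"):        # FRST's marker for a binary it could not find
            flags.append("file-missing")
            image = rest[:-3].rstrip()
        else:
            sd = SIZE_DATE_RE.search(rest)
            if sd:
                size, date = int(sd.group("size")), sd.group("date")
                image = rest[:sd.start()].rstrip()
        if "[File not signed]" in rest:  # informational only: plenty of legitimate
            flags.append("unsigned")     # old software (e.g. the Flash updater) is unsigned
        if image.startswith("\\??\\"):   # NT object-manager prefix used by some drivers
            image = image[4:]
    return Entry(line, m.group("state"), int(m.group("start")),
                 m.group("name").strip(), image, size, date, flags)


def parse_frst_services(text: str) -> List[Entry]:
    """Parse every service/driver line in an FRST log; other lines are ignored."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose binary is missing or that have no ImagePath at all.
    Boot/system/auto-start ones (0-2) sort first: Windows retries them every boot."""
    orphans = [e for e in entries if "file-missing" in e.flags or "no-imagepath" in e.flags]
    return sorted(orphans, key=lambda e: (e.start, e.name.lower()))


def candidate_fixlist(entries: List[Entry]) -> List[str]:
    """Lines a helper would review for the fixlist. In FRST, a service/driver line in the
    fixlist removes the registry entry (as the fix in this thread did); review by hand first,
    since a missing file can also mean a half-installed program the user still wants."""
    return [e.raw for e in orphaned_entries(entries)]


# Sample lines copied from the log posted in this thread (a constructed subset).
SAMPLE_LOG = r"""
S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [272384 2018-02-09] (Adobe Systems Incorporated) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4563920 2017-11-01] (Malwarebytes)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
S2 JuniperAccessService; C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [X]
R3 JNPRNA; C:\WINDOWS\System32\DRIVERS\jnprna5.sys [446712 2012-11-02] (Juniper Networks, Inc.)
U2 CertPropSvc; no ImagePath
S3 COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
2018-03-07 23:38 - 2018-03-07 23:39 - 000003040 _____ C:\Documents and Settings\gorgonzola\Desktop\Rkill.txt
"""

if __name__ == "__main__":
    entries = parse_frst_services(SAMPLE_LOG)
    for e in entries:
        print(f"{e.state}{e.start} {e.name:<28} {','.join(e.flags) or '-':<22} {e.image}")
    print("\nCandidate fixlist lines (review before use):")
    print("\n".join(candidate_fixlist(entries)))
```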

#5 waiata
  • Topic Starter
  • Members
  • 11 posts

Posted 31 March 2018 - 11:10 PM

Junos Pulse was removed previously using this method.  It didn't remove everything as the remnants shown in the FRST run still remain.  Neither Junos Pulse nor Juniper Networks appear in the list.

 

I have XP on this machine so AdwCleaner cannot be installed.  I do subscribe to Malwarebytes Premium.  It finds no threats.  Neither does Symantec.  Other programs have also come back empty so I have no particular malware to point you towards.  I can only point you towards an "Easy Auto Refresher is Malware" video on YouTube.  That program has been removed previously, but the issues, and likely remnants, remain.

 

Doing the Fixlog now...  Symantec sees FRST as a threat so I have to disable Symantec...

 

Thanks!



#6 waiata
  • Topic Starter
  • Members
  • 11 posts

Posted 31 March 2018 - 11:51 PM

Fix result of Farbar Recovery Scan Tool (x86) Version: 14.03.2018
Ran by gorgonzola (31-03-2018 21:27:31) Run:1
Running from C:\Documents and Settings\gorgonzola\My Documents
Loaded Profiles: gorgonzola & MKDFostgresUser (Available Profiles: gorgonzola & MKDFostgresUser & Administrator)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3098649794-2976184391-826721552-1007\...\Run: [Zoom] => [X]
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - <no Path/update_url>
U2 CertPropSvc; no ImagePath
S3 COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
C:\Documents and Settings\gorgonzola\Local Settings\temp
2015-09-27 21:55 - 2015-09-27 21:56 - 003327000 _____ () C:\Documents and Settings\gorgonzola\Local Settings\temp\880e9c52-0887-46a1-a2c5-10f5fb551f56.exe
2018-01-21 14:42 - 2004-01-20 17:44 - 000132608 _____ (Microsoft Corp.) C:\Documents and Settings\gorgonzola\Local Settings\temp\TFRB4.exe
CustomCLSID: HKU\S-1-5-21-3098649794-2976184391-826721552-1007_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\3499\G2MOutlookAddin.dll => No File
HKLM\...\Run: [JunosPulse] => C:\Program Files\Common Files\Juniper Networks\JamUI\Pulse.exe -tray
C:\Program Files\Common Files\Juniper Networks
S2 JuniperAccessService; C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [X]
R3 JNPRNA; C:\WINDOWS\System32\DRIVERS\jnprna5.sys [446712 2012-11-02] (Juniper Networks, Inc.)
S3 jnprva; C:\WINDOWS\System32\DRIVERS\jnprva.sys [25456 2012-11-02] (Juniper Networks, Inc.)
S3 JnprVaMgr; C:\WINDOWS\System32\DRIVERS\jnprvamgr.sys [36776 2012-11-02] (Juniper Networks, Inc.)
C:\WINDOWS\System32\DRIVERS\jnprna5.sys
C:\WINDOWS\System32\DRIVERS\jnprva.sys
C:\WINDOWS\System32\DRIVERS\jnprvamgr.sys
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Removeproxy:
Folder: C:\MDT
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-3098649794-2976184391-826721552-1007\Software\Microsoft\Windows\CurrentVersion\Run\\Zoom" => removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => removed successfully.
"HKLM\Software\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => removed successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk" => removed successfully.
"HKLM\System\CurrentControlSet\Services\CertPropSvc" => removed successfully.
CertPropSvc => service removed successfully.
"HKLM\System\CurrentControlSet\Services\COH_Mon" => removed successfully.
COH_Mon => service removed successfully.
"HKLM\System\CurrentControlSet\Services\MREMPR5" => removed successfully.
MREMPR5 => service removed successfully.
"HKLM\System\CurrentControlSet\Services\MRENDIS5" => removed successfully.
MRENDIS5 => service removed successfully.
C:\Documents and Settings\gorgonzola\Local Settings\temp => moved successfully
"C:\Documents and Settings\gorgonzola\Local Settings\temp\880e9c52-0887-46a1-a2c5-10f5fb551f56.exe" => not found
"C:\Documents and Settings\gorgonzola\Local Settings\temp\TFRB4.exe" => not found
"HKU\S-1-5-21-3098649794-2976184391-826721552-1007_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}" => removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\JunosPulse" => removed successfully.
"C:\Program Files\Common Files\Juniper Networks" => not found
"HKLM\System\CurrentControlSet\Services\JuniperAccessService" => removed successfully.
JuniperAccessService => service removed successfully.
JNPRNA => Unable to stop service.
"HKLM\System\CurrentControlSet\Services\JNPRNA" => removed successfully.
JNPRNA => service removed successfully.
"HKLM\System\CurrentControlSet\Services\jnprva" => removed successfully.
jnprva => service removed successfully.
"HKLM\System\CurrentControlSet\Services\JnprVaMgr" => removed successfully.
JnprVaMgr => service removed successfully.
C:\WINDOWS\System32\DRIVERS\jnprna5.sys => moved successfully
C:\WINDOWS\System32\DRIVERS\jnprva.sys => moved successfully
C:\WINDOWS\System32\DRIVERS\jnprvamgr.sys => moved successfully
 
========= netsh winsock reset catalog =========


#7 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 01 April 2018 - 08:22 AM

Thank you for the information.

Please update me on the current performance of your computer.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 waiata
  • Topic Starter
  • Members
  • 11 posts

Posted 01 April 2018 - 01:44 PM

Performance seems the same, but the browser blocking does seem to have cleared.  I can type a URL into a new tab and it will work now.  Internet Explorer will launch now.  Opera is still quirky about launching, but new URLs will work there now.  I'm not getting the timing out after a few minutes yet.  Thanks for that!!



#9 waiata
  • Topic Starter
  • Members
  • 11 posts

Posted 01 April 2018 - 08:19 PM

Can you tell if there are any remnants of the Easy Auto Refresher malware still hanging on in my system, still inviting the nasty IPs in?  Thanks



#10 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 01 April 2018 - 09:12 PM

Greetings.

No, I don't see any evidence of it. When you say the performance seems the same specifically what are you referring to?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 waiata
  • Topic Starter
  • Members
  • 11 posts

Posted 01 April 2018 - 09:30 PM

Thanks for looking.  For instance, Opera will only open at launch.  If it is later, it hangs and doesn't open.  I often have to kill the processes and/or reboot in order to get it to run...



#12 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 01 April 2018 - 10:00 PM

Other than Opera what issues are you experiencing?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 waiata
  • Topic Starter
  • Members
  • 11 posts

Posted 01 April 2018 - 10:16 PM

The computer is regularly getting visits from IP addresses known to be threats, which my anti-virus notifies me it is blocking.  It tended to happen about ten minutes or so after launch of the browser.  I thought it might be connected to the Easy Auto Downloader malware.



#14 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,978 posts
  • Gender:Male
  • Location:California

Posted 01 April 2018 - 10:23 PM

Blocking unwanted attempts to access your computer is normal and not an indication of malware on your computer.

I don't know anything about Opera so the only thing I could suggest is to reset the browser. However, I am not sure what changes are made. You might also consider starting a topic in the Opera Discussion Forum.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 waiata
  • Topic Starter
  • Members
  • 11 posts

Posted 02 April 2018 - 02:19 AM

Thanks for your help Gary!  It was much appreciated!
