
Web Browser HiJack, Can't Install Adware Cleaner


  • This topic is locked
21 replies to this topic

#1 DM2-Inc

  • Members
  • 30 posts

Posted 04 July 2018 - 06:40 PM

I'm working on my wife's XP machine and she appears to have a hijack application running. The browser is Firefox.

I tried to install Adware Cleaner, but I'm getting an error message of "...failed to start because dwmapi.dll was not found..."

I was hoping to find a portable application but can't seem to find one.


Edited by hamluis, 05 July 2018 - 11:01 AM.
Moved from XP to MRA - Hamluis.



#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,770 posts
  • Gender:Male
  • Location:California

Posted 06 July 2018 - 07:45 PM

Greetings DM2-Inc and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

AdwCleaner doesn't work with Windows XP.

If you need assistance please do the following.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your Desktop. <<< Important
  • Right click on the icon and select Run as administrator
  • Click Yes to the disclaimer
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of each report in separate reply windows
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 DM2-Inc
  • Topic Starter

  • Members
  • 30 posts

Posted 07 July 2018 - 11:33 AM

Gary...Dan here...thanks for extending a helping hand...

 

Below are the FRST results (see the second post for the "Addition.txt" log).

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20.06.2018
Ran by Donna Marr (ATTENTION: The user is not administrator) on DONNA (07-07-2018 10:38:34)
Running from C:\Utilities\FarBar
Loaded Profiles: Donna Marr (Available Profiles: Donna Marr & Dan Marr & Administrator)
Platform: Microsoft Windows XP Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/


#4 DM2-Inc
  • Topic Starter

  • Members
  • 30 posts

Posted 07 July 2018 - 11:39 AM

Addition Log

 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 20.06.2018
Ran by Donna Marr (07-07-2018 10:39:32)
Running from C:\Utilities\FarBar
Microsoft Windows XP Service Pack 3 (X86) (2009-12-23 20:34:01)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1745207134-3454814284-1759209248-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Dan Marr (S-1-5-21-1745207134-3454814284-1759209248-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Dan Marr
Donna Marr (S-1-5-21-1745207134-3454814284-1759209248-1005 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Donna Marr
Guest (S-1-5-21-1745207134-3454814284-1759209248-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-1745207134-3454814284-1759209248-1004 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1745207134-3454814284-1759209248-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.1.0.5790 - Adobe Systems Inc.)
Adobe Flash Player 30 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 30.0.0.113 - Adobe Systems Incorporated)
Adobe Flash Player 30 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 30.0.0.113 - Adobe Systems Incorporated)
Adobe Media Player (HKLM\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
All Day Battery Life Configuration (HKLM\...\{2220CF3A-EBD6-4070-94D0-0C7337B537A7}) (Version: 1.1.0 - Dell Inc.)
Apple Application Support (32-bit) (HKLM\...\{AFA1153A-F547-409B-B837-3A0D6C5A3FEC}) (Version: 3.1.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{A75CA58D-DB9C-4D14-9428-E0C7B0F623DC}) (Version: 9.0.0.26 - Apple Inc.)
Apple Software Update (HKLM\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
BioAPI Framework (HKLM\...\{AF7E4468-E364-4991-BC2A-6E8293E1055B}) (Version: 1.0.1 - Dell Inc.) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Camera Control Pro 2 (HKLM\...\{FE96C49B-DB90-405E-A00E-09E38372F880}) (Version: 2.7.0 - Nikon)
Dell Backup and Recovery Manager (HKLM\...\{9D59AC32-B0FA-4CD7-A2EC-4B57C06CD9D9}) (Version: 1.0.0 - Dell, Inc.)
Dell ControlVault Host Components Installer (HKLM\...\{81860953-8A77-4ED5-B57C-F35D703D9489}) (Version: 1.7.324.55 - Broadcom Corporation) Hidden
Dell Security Device Driver Pack (HKLM\...\{FF1DDCF4-3A28-4F7F-96D8-E3F4BD1C1702}) (Version: 1.3.039 - Dell Inc.)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.2.101.216 - Alps Electric)
Dell Webcam Central (HKLM\...\Dell Webcam Central) (Version: 1.40.06 - Creative Technology Ltd)
Dell Wireless WLAN Card Utility (HKLM\...\Broadcom 802.11 Application) (Version: 5.10.79.22 - Dell Inc.)
Google Earth (HKLM\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Photos Backup (HKU\.DEFAULT\...\Google Photos Backup) (Version: 1.1.0.239 - Google, Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
GoToMeeting 7.16.0.4800 (HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\GoToMeeting) (Version: 7.16.0.4800 - CitrixOnline)
HL-L8350CDW series (HKLM\...\{620626CC-9A2D-4A22-A4CA-3750FDC05CB2}) (Version: 1.0.5.0 - Brother Industries, Ltd.)
HP Color LaserJet 2600 series (HKLM\...\HP Color LaserJet 2600 series) (Version:  - )
Integrated Webcam Driver (1.06.03.0309)   (HKLM\...\Creative OA001) (Version: 1.06.03.0309 - Creative Technology Ltd.)
Intel® Network Connections 13.0.42.0 (HKLM\...\{2223FC2F-B862-4F83-BC9E-DDF2DADF2859}) (Version: 13.0.42.0 - Dell)
Intel® PRO Alerting Agent (HKLM\...\{6EA8A52B-8EA1-4A59-85AB-48132299061A}) (Version: 12.0.3 - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
iTunes (HKLM\...\{868B9974-4F23-494D-B6BC-4FAB92B2755D}) (Version: 12.1.3.6 - Apple Inc.)
Java 7 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217055FF}) (Version: 7.0.600 - Oracle)
Java™ 6 Update 17 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216016FF}) (Version: 6.0.170 - Sun Microsystems, Inc.)
Junk Mail filter update (HKLM\...\{E2DFE069-083E-4631-9B6C-43C48E991DE5}) (Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{91110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 3.0.40624.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Mozilla Firefox 40.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 40.0.2 (x86 en-US)) (Version: 40.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 40.0.2.5702 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
Nikon Message Center (HKLM\...\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}) (Version: 0.92.000 - Nikon)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
PKZIP Explorer (HKLM\...\{01B13122-1439-11D7-99DD-00600815E2D0}) (Version: 6.00.0108 - PKWARE, Inc.)
PKZIP for Windows (HKLM\...\{8FAA9C9F-0EA3-11D7-99DD-00600815E2D0}) (Version: 6.00.01 - PKWARE, Inc.)
PKZIP for Windows Command Line (HKLM\...\{8FAA9C37-0EA3-11D7-99DD-00600815E2D0}) (Version: 6.00.01 - PKWARE, Inc.)
PKZIP Plug-In (HKLM\...\{892A4788-1444-11D7-99DD-00600815E2D0}) (Version: 1.03.0027 - PKWARE, Inc.)
PKZIP Shared Components (HKLM\...\{5816F18C-19C1-11D7-99DD-00600815E2D0}) (Version: 1.00.0007 - PKWARE, Inc.)
PowerDVD DX (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.2.5024 - Dell Corp.)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
RealPlayer (HKLM\...\RealPlayer 12.0) (Version:  - RealNetworks)
Roxio Creator DE 10.3 (HKLM\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.3 - Roxio)
Segoe UI (HKLM\...\{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}) (Version: 14.0.4327.805 - Microsoft Corp) Hidden
SRS Premium Sound (HKLM\...\{9C875FEA-B49E-49F7-AE62-0F9B91F90982}) (Version: 1.08.1400 - SRS Labs, Inc.)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (HKLM\...\{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01) (Version: 9.0.30729.01 - Microsoft Corporation)
WD SmartWare (HKLM\...\{26B914C5-5565-4C96-A40C-8E0228D6C457}) (Version: 1.1.0.7 - Western Digital)
WebFldrs XP (HKLM\...\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.7523 - Microsoft Corporation) Hidden
WIDCOMM Bluetooth Software (HKLM\...\{84814E6B-2581-46EC-926A-823BD1C670F6}) (Version: 5.5.0.7800 - Dell)
Windows Driver Package - Dell Inc. PBADRV System  (01/07/2008 1.0.1.5) (HKLM\...\9D57DE505B6D8C710EF3B74BE638DBB936EED8A3) (Version: 01/07/2008 1.0.1.5 - Dell Inc.)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (HKLM\...\KB952011) (Version: 1.0 - Microsoft Corporation)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows Resource Kit Tools - SubInAcl.exe (HKLM\...\{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}) (Version: 5.2.3790.1164 - Microsoft Corporation)
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
XML Paper Specification Shared Components Pack 1.0 (HKLM\...\XpsEPSC) (Version:  - Microsoft Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [LavasoftShellExt] -> {DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => C:\Utilities\Ad-Ware\Lavasoft\Ad-Aware\ShellExt.dll -> No File
ContextMenuHandlers1: [PKContextMenuHandler Class] -> {7414E744-CEFF-11D1-BBE3-0000E8C9F421} => C:\Utilities\PKZip\PKZIPE\PKSHEX.dll [2002-12-31] (PKWARE, Inc.)
ContextMenuHandlers2: [LavasoftShellExt] -> {DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => C:\Utilities\Ad-Ware\Lavasoft\Ad-Aware\ShellExt.dll -> No File
ContextMenuHandlers5: [00nView] -> {1E9B04FB-F9E5-4718-997B-B8DA88302A48} => C:\WINDOWS\system32\nvshell.dll [2008-08-27] ()
ContextMenuHandlers5: [NvCplDesktopContext] -> {A70C977A-BF00-412C-90B7-034C51DA2439} => C:\WINDOWS\system32\nvcpl.dll [2008-08-27] (NVIDIA Corporation)
ContextMenuHandlers6: [LavasoftShellExt] -> {DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => C:\Utilities\Ad-Ware\Lavasoft\Ad-Aware\ShellExt.dll -> No File
ContextMenuHandlers6: [NetWareUNCMenu] -> {e3f2bac0-099f-11cf-8daa-00aa004a5691} => C:\WINDOWS\system32\nwprovau.dll [2008-04-14] (Microsoft Corporation)
ContextMenuHandlers6: [PKContextMenuHandler Class] -> {7414E744-CEFF-11D1-BBE3-0000E8C9F421} => C:\Utilities\PKZip\PKZIPE\PKSHEX.dll [2002-12-31] (PKWARE, Inc.)

==================== Scheduled Tasks=============================

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job =>
Task: C:\WINDOWS\Tasks\Adobe Flash Player NPAPI Notifier.job =>
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job =>
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job =>
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job =>
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job =>

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2010-02-27 01:23 - 2016-06-29 09:55 - 000000888 _____ C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost
85.13.206.114 haksjdi262fsf.com
0.0.0.1    mssplus.mcafee.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

DNS Servers: 192.168.1.254
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk => C:\WINDOWS\pss\Bluetooth.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\WINDOWS\pss\McAfee Security Scan Plus.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^My Bluetooth Places.lnk => C:\WINDOWS\pss\My Bluetooth Places.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk => C:\WINDOWS\pss\PKZIP Attachments Status.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk => C:\WINDOWS\pss\WDDMStatus.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDSmartWare.lnk => C:\WINDOWS\pss\WDSmartWare.lnkCommon Startup
MSCONFIG\startupreg: AdAwareTray => "C:\Utilities\Ad-Ware\Ad-Aware Antivirus\11.8.586.8535\AdAwareTray.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Photo\Adobe Acrobat\Reader\Reader_sl.exe"
MSCONFIG\startupreg: BrStsMon00 => C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN
MSCONFIG\startupreg: Dell Webcam Central => "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
MSCONFIG\startupreg: Google+ Auto Backup => "C:\Program Files\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart
MSCONFIG\startupreg: HitmanPro35 => "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
MSCONFIG\startupreg: iTunesHelper => "C:\MultiMedia\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
MSCONFIG\startupreg: NVHotkey => rundll32.exe nvHotkey.dll,Start
MSCONFIG\startupreg: nwiz => nwiz.exe /installquiet
MSCONFIG\startupreg: OA001Mon => C:\WINDOWS\OA001Mon.exe
MSCONFIG\startupreg: PDVDDXSrv => "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Utilities\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Java\jre6\bin\jusched.exe"
MSCONFIG\startupreg: sysfbtray => C:\windows\bill103.exe
MSCONFIG\startupreg: TkBellExe => "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\wlcsdk.exe] => Enabled:Windows Live Call
DomainProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\msnmsgr.exe] => Enabled:Windows Live Messenger
DomainProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe] => Enabled:Windows Live Sync
StandardProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\wlcsdk.exe] => Enabled:Windows Live Call
StandardProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\msnmsgr.exe] => Enabled:Windows Live Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe] => Enabled:Windows Live Sync
StandardProfile\AuthorizedApplications: [C:\Program Files\Bonjour\mDNSResponder.exe] => Enabled:Bonjour Service
StandardProfile\AuthorizedApplications: [C:\hp_CLJ_2600n_Full_Solution\ProdInst.exe] => Enabled:Advanced TCP/IP Port Installer
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\AuthorizedApplications: [C:\Program Files\iTunes\iTunes.exe] => Enabled:iTunes
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [9100:TCP] => Enabled:Advanced TCP/IP Printer Port
StandardProfile\GloballyOpenPorts: [427:TCP] => Enabled:Advanced TCP/IP SLP Port
StandardProfile\GloballyOpenPorts: [161:TCP] => Enabled:Advanced TCP/IP SNMP Port
StandardProfile\GloballyOpenPorts: [427:UDP] => Enabled:SLP

==================== Restore Points =========================

Could not list restore points
Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============

Could not list Devices. Check "winmgmt" service or repair WMI.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/04/2018 06:12:48 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/04/2018 06:12:48 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/04/2018 06:12:46 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/04/2018 06:12:46 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/04/2018 06:12:46 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (06/27/2018 11:17:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 12190547

Error: (06/27/2018 11:17:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (06/27/2018 11:17:30 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12174672


System errors:
=============
Error: (07/07/2018 10:37:46 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The adfs service failed to start due to the following error:
The system cannot find the file specified.

Error: (07/07/2018 10:37:31 AM) (Source: DCOM) (EventID: 10005) (User: DONNA)
Description: DCOM got error "%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service iPod Service with arguments ""
in order to run the server:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error: (07/07/2018 09:59:01 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The adfs service failed to start due to the following error:
The system cannot find the file specified.

Error: (07/07/2018 09:58:42 AM) (Source: DCOM) (EventID: 10005) (User: DONNA)
Description: DCOM got error "%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service iPod Service with arguments ""
in order to run the server:
{063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error: (07/04/2018 06:22:00 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bluetooth Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (07/04/2018 06:22:00 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Matrix Storage Event Monitor service terminated unexpectedly.  It has done this 1 time(s).

Error: (07/04/2018 06:22:00 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The WD SmartWare Drive Manager service terminated unexpectedly.  It has done this 1 time(s).

Error: (07/04/2018 06:22:00 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Edited by Oh My!, 08 July 2018 - 05:28 PM.
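Two sections of the Addition.txt log above are where a responder's eye goes first: the hosts file, which has an entry pinning haksjdi262fsf.com to a remote address and one pointing mssplus.mcafee.com at 0.0.0.1, and the MSCONFIG startup list, where sysfbtray launches a bare executable straight out of C:\windows. The Python script below is an added triage example written for this page; it is not part of FRST and is not anything Gary or Dan posted. It parses those two FRST line formats and flags entries by exactly those two observations. The rules and the labels ("blackholed", "redirected", "no_directory", "windows_root") are my own heuristics, not an FRST classification, and a flag means "look closer", not "malicious". The sample lines are copied from the log in this thread, with the rest omitted.

```python
import ntpath
import re

# Sample input: lines copied from the "Hosts content" and
# "MSCONFIG/TASK MANAGER disabled items" sections of the Addition.txt
# log posted earlier in this thread (other lines omitted for brevity).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
85.13.206.114 haksjdi262fsf.com
0.0.0.1    mssplus.mcafee.com
"""

SAMPLE_STARTUP = r"""
MSCONFIG\startupreg: HitmanPro35 => "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
MSCONFIG\startupreg: nwiz => nwiz.exe /installquiet
MSCONFIG\startupreg: sysfbtray => C:\windows\bill103.exe
MSCONFIG\startupreg: TkBellExe => "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping blanks and comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            yield fields[0], host.lower()


def hosts_findings(text):
    """Classify every hosts entry other than the stock localhost mapping.

    'blackholed' : name points at loopback or 0.x space, so it can never reach
                   its real server (ad-block lists do this on purpose; so does
                   malware that wants to stop security software from updating)
    'redirected' : name is pinned to a specific remote address, bypassing DNS
    These labels are this example's own heuristic, not an FRST classification.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if ip in LOOPBACK and host == "localhost":
            continue
        kind = "blackholed" if ip in LOOPBACK or ip.startswith("0.") else "redirected"
        findings.append((kind, ip, host))
    return findings


STARTUP_RE = re.compile(r"^MSCONFIG\\startupreg:\s+(?P<name>.+?)\s+=>\s+(?P<cmd>.+)$")


def parse_startup(text):
    """Yield (entry name, command line) for each MSCONFIG\\startupreg line."""
    for raw in text.splitlines():
        m = STARTUP_RE.match(raw.strip())
        if m:
            yield m.group("name"), m.group("cmd").strip()


def executable_of(cmd):
    """Return the program path from a command line: the quoted part, else the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def startup_findings(text, windows_dir=r"C:\WINDOWS"):
    """Flag autostart entries that deserve a second look (heuristic, not a verdict).

    'no_directory' : bare program name, resolved through PATH at logon
    'windows_root' : executable sits directly in the Windows folder, where
                     vendor software is rarely installed
    """
    windows_dir = windows_dir.lower()
    flagged = []
    for name, cmd in parse_startup(text):
        exe = executable_of(cmd).lower().replace("%systemroot%", windows_dir)
        folder, _ = ntpath.split(exe)
        if not folder:
            flagged.append(("no_directory", name, exe))
        elif folder == windows_dir:
            flagged.append(("windows_root", name, exe))
    return flagged


if __name__ == "__main__":
    for finding in hosts_findings(SAMPLE_HOSTS) + startup_findings(SAMPLE_STARTUP):
        print(*finding)
```

Run against the sample, the hosts check reports haksjdi262fsf.com as redirected and mssplus.mcafee.com as blackholed, and the startup check flags nwiz (bare name) and sysfbtray (C:\windows\bill103.exe). The "windows_root" rule is deliberately coarse: OA001Mon.exe from the same log would trip it too, which is the point of a triage list rather than a verdict.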


#5 DM2-Inc
  • Topic Starter

  • Members
  • 30 posts

Posted 07 July 2018 - 11:41 AM

On another note...I just noticed while booting, that two (2) scripts appear to launch during the boot process...



#6 DM2-Inc
  • Topic Starter

  • Members
  • 30 posts

Posted 07 July 2018 - 11:47 AM

One other note...I noticed that in the "FRST" post, it noted that "DONNA" (this is my wife's computer I'm trying to fix) wasn't the "...administrator...".

 

I tried in XP to "...run as Administrator", but it didn't like the password. I used "Offline NT Registry Editor" to change the password, but it didn't allow me. DONNA is an Administrator on the computer I'm trying to fix.



#7 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,770 posts
  • Gender:Male
  • Location:California

Posted 08 July 2018 - 01:09 PM

Hi Dan.

Can you repost the FRST.txt report for me since the first one is blank? There is no need to put it in quotes.

My error, you don't need to try to run FRST as an Administrator since that is automatic with Windows XP. We will check the Donna/Administrator issue as well.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 DM2-Inc

Posted 08 July 2018 - 01:28 PM

Here is the repost of FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20.06.2018
Ran by Donna Marr (ATTENTION: The user is not administrator) on DONNA (07-07-2018 10:38:34)
Running from C:\Utilities\FarBar
Loaded Profiles: Donna Marr (Available Profiles: Donna Marr & Dan Marr & Administrator)
Platform: Microsoft Windows XP Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/



#9 Oh My!

Posted 08 July 2018 - 03:11 PM

That still isn't the full report. Double click on the FRST icon and run another scan. See if there is more to the FRST.txt report and if so copy and paste the contents in your reply.
Gary
 

#10 DM2-Inc

Posted 08 July 2018 - 03:31 PM

You're right...here is the current report:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20.06.2018
Ran by Donna Marr (administrator) on DONNA (08-07-2018 15:30:38)
Running from C:\Utilities\FarBar
Loaded Profiles: Donna Marr (Available Profiles: Donna Marr & Dan Marr & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\WINDOWS\system32\WLTRYSVC.EXE
(Dell Inc.) C:\WINDOWS\system32\BCMWLTRY.EXE
(IDT, Inc.) C:\drivers\audio\R213367\stacsv.exe
(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Program Files\Intel\ASF Agent\ASFAgent.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(WDC) C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
(Memeo) C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Andrea Electronics Corporation) C:\WINDOWS\system32\AESTFltr.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Dell Inc.) C:\WINDOWS\system32\WLTRAY.EXE
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
(RealNetworks, Inc.) C:\Program Files\Common Files\Real\Update_OB\realsched.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [200704 2009-02-22] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [483420 2009-03-16] (IDT, Inc.)
HKLM\...\Run: [AESTFltr] => C:\WINDOWS\system32\AESTFltr.exe [729088 2009-03-16] (Andrea Electronics Corporation)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-02-11] (Intel Corporation)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe [2396160 2009-12-17] (Dell Inc.)
HKLM\...\Run: [ChangeTPMAuth] => C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] => C:\Utilities\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [TkBellExe] => C:\Program Files\Common Files\Real\Update_OB\realsched.exe [198160 2009-12-29] (RealNetworks, Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157456 2015-09-12] (Apple Inc.)
HKLM\...\Run: [MSConfig] => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [169984 2008-04-14] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\DONNAM~1\LOCALS~1\Temp\DCSCMIN\IMDCSC.exe
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\Run: [DarkComet RAT] => C:\Documents and Settings\Donna Marr\Local Settings\Temp\DCSCMIN\IMDCSC.exe [1172472 2008-07-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\RunOnce: [Startname] => C:\Documents and Settings\Donna Marr\Application Data\xxz.exe [1139200 2016-04-01] (VAuDCrLOwb)
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\MountPoints2: {3acd0cc5-f02c-11de-aa61-0c6076660438} - E:\setupSNK.exe
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\MountPoints2: {b68bab4d-0b07-11df-aa7b-701a045a51e3} - E:\InstallSeagateManager.exe
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\MountPoints2: {b68bab4e-0b07-11df-aa7b-701a045a51e3} - "F:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-18\...\Run: [Google Update] => C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [116648 2015-06-04] (Google Inc.)
HKLM\...\Providers\NetWare or Compatible Network: C:\WINDOWS\system32\nwprovau.dll [142336 2008-04-14] (Microsoft Corporation)
Lsa: [Authentication Packages] msv1_0 nwprovau
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{A58F1B4C-413F-4045-8619-3D35B32FC98A}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/USREL/1
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/USREL/1
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.live.com
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/USREL/1
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Utilities\RealPlayer\rpbrowserrecordplugin.dll [2009-12-29] (RealPlayer)
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14] (Microsoft Corp.)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Internet\Java\bin\ssv.dll [2014-05-07] (Oracle Corporation)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Internet\Java\bin\jp2ssv.dll [2014-05-07] (Oracle Corporation)
BHO: Windows Live Toolbar Helper -> {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} -> C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06] (Microsoft Corporation)
Toolbar: HKLM - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-1745207134-3454814284-1759209248-1005 -> &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06] (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default [2018-07-08]
FF Homepage: C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default -> www.google.com
FF NewTab: C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default -> hxxp://search.gomaps.co?uid=18494cb2-1f15-421b-aed8-6d5f9eb5321d&uc=20170411&ap=appfocus1&source=googlemaps-googledisplay-v12-bb8&page=newtab&implementation_id=maps_4.0.3
FF NetworkProxy: C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default -> no_proxies_on", "*.local"
FF Extension: (EasyPDFCombine) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_ceMembers_@free.easypdfcombine.com [2018-07-04] [Legacy]
FF Extension: (RecipeSearch) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_ejMembers_@free.downloadrecipesearch.com [2018-07-04] [Legacy]
FF Extension: (Search Extension by Ask) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_j5Members_@ext.ask.com [2018-07-04] [Legacy]
FF Extension: (Microsoft .NET Framework Assistant) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-05-20] [Legacy] [not signed]
FF Extension: (Flash and Video Download) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}(2) [2013-12-29] [Legacy] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-11-03] [Legacy] [not signed]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Utilities\RealPlayer\browserrecord\firefox\ext
FF Extension: (RealPlayer Browser Record Plugin) - C:\Utilities\RealPlayer\browserrecord\firefox\ext [2009-12-29] [Legacy] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_30_0_0_113.dll [2018-06-08] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2015-09-04] ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Photo\Picasa\npPicasa3.dll [2014-01-06] (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.60.2 -> C:\Internet\Java\bin\dtplugin\npDeployJava1.dll [2014-05-07] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.60.2 -> C:\Internet\Java\bin\plugin2\npjp2.dll [2014-05-07] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\3.0.40624.0\npctrl.dll [2009-06-23] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.12.450 -> C:\Utilities\RealPlayer\Netscape6\nppl3260.dll [2009-12-29] (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.3.448 -> C:\Utilities\RealPlayer\Netscape6\nprjplug.dll [2009-12-29] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.448 -> C:\Utilities\RealPlayer\Netscape6\nprpjplug.dll [2009-12-29] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-17] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-17] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\.DEFAULT: @tools.google.com/Google Update;version=3 -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll [2015-06-04] (Google Inc.)
FF Plugin HKU\.DEFAULT: @tools.google.com/Google Update;version=9 -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll [2015-06-04] (Google Inc.)
FF Plugin HKU\S-1-5-21-1745207134-3454814284-1759209248-1005: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Donna Marr\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2016-04-13] (Citrix Online)
StartMenuInternet: FIREFOX.EXE - C:\Internet\FireFox\firefox.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [335872 2018-06-08] (Adobe Systems Incorporated) [File not signed]
R2 ASFAgent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [133968 2007-04-19] (Intel Corporation)
S4 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed]
S4 Credential Vault Host Control Service; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [812392 2009-06-26] (Broadcom Corporation)
S4 Credential Vault Host Storage; C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [26984 2009-06-26] (Broadcom Corporation)
S4 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S4 JavaQuickStarterService; C:\Internet\Java\bin\jqs.exe [182696 2014-05-07] (Oracle Corporation)
R2 NWCWorkstation; C:\WINDOWS\System32\nwwks.dll [65536 2008-04-14] (Microsoft Corporation)
R2 STacSV; c:\drivers\audio\r213367\stacsv.exe [254034 2009-03-16] (IDT, Inc.)
R2 WDDMService; C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [98304 2009-09-04] (WDC) [File not signed]
R2 WDSmartWareBackgroundService; C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [20480 2009-06-16] (Memeo) [File not signed]
R2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [2134016 2009-12-17] (Dell Inc.) [File not signed]
S4 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.11.334\McCHSvc.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R3 AESTAud; C:\WINDOWS\System32\drivers\AESTAud.sys [112512 2009-03-16] (Andrea Electronics Corporation)
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [1735680 2009-12-17] (Broadcom Corporation)
R3 btaudio; C:\WINDOWS\System32\drivers\btaudio.sys [533024 2009-12-17] (Broadcom Corporation.)
R3 BTDriver; C:\WINDOWS\System32\DRIVERS\btport.sys [37160 2009-12-17] (Broadcom Corporation.)
R3 BTKRNL; C:\WINDOWS\System32\DRIVERS\btkrnl.sys [991264 2009-12-17] (Broadcom Corporation.)
R3 BTWDNDIS; C:\WINDOWS\System32\DRIVERS\btwdndis.sys [156816 2009-12-17] (Broadcom Corporation.)
R3 btwmodem; C:\WINDOWS\System32\DRIVERS\btwmodem.sys [37032 2009-12-17] (Broadcom Corporation.)
R3 BTWUSB; C:\WINDOWS\System32\Drivers\btwusb.sys [45984 2009-09-30] (Broadcom Corporation.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
R3 cvusbdrv; C:\WINDOWS\System32\Drivers\cvusbdrv.sys [33832 2009-06-26] (Broadcom Corporation)
R3 e1yexpress; C:\WINDOWS\System32\DRIVERS\e1y5132.sys [244368 2009-02-22] (Intel Corporation)
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [30816 2008-02-20] (Intel Corporation )
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R2 NwlnkIpx; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [88320 2008-04-14] (Microsoft Corporation)
R2 NwlnkNb; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [63232 2008-04-14] (Microsoft Corporation)
R2 NwlnkSpx; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [55936 2008-04-14] (Microsoft Corporation)
R3 NWRDR; C:\WINDOWS\System32\DRIVERS\nwrdr.sys [163584 2008-04-14] (Microsoft Corporation)
R3 OA001Afx; C:\WINDOWS\system32\Drivers\OA001Afx.sys [148056 2009-03-29] (Creative Technology Ltd.)
R3 OA001Ufd; C:\WINDOWS\System32\DRIVERS\OA001Ufd.sys [133632 2009-03-29] (Creative Technology Ltd.)
R3 OA001Vid; C:\WINDOWS\System32\DRIVERS\OA001Vid.sys [280096 2009-03-29] (Creative Technology Ltd.)
R0 PBADRV; C:\WINDOWS\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
R3 SRS_PremiumSound_Service; C:\WINDOWS\System32\drivers\srs_PremiumSound_i386.sys [232744 2009-03-24] ()
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1545795 2009-03-16] (IDT, Inc.)
S3 USBAAPL; C:\WINDOWS\System32\Drivers\usbaapl.sys [45056 2014-08-15] (Apple, Inc.) [File not signed]
S2 adfs; no ImagePath
S3 NvtSp50; System32\Drivers\NvtSp50.sys [X]
S3 PCASp50; System32\Drivers\PCASp50.sys [X]
U2 srvoko6; no ImagePath
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-07-07 11:50 - 2018-07-07 11:50 - 000000784 _____ C:\Documents and Settings\Administrator\Desktop\Windows Media Player.lnk
2018-07-07 11:50 - 2018-07-07 11:50 - 000000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2018-07-07 11:50 - 2018-07-07 11:50 - 000000000 ____D C:\Documents and Settings\Administrator\Application Data\Real
2018-07-07 11:50 - 2018-07-07 11:50 - 000000000 ____D C:\Documents and Settings\Administrator\Application Data\Apple Computer
2018-07-07 10:38 - 2018-07-07 10:38 - 000000000 ____D C:\FRST

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-07-08 15:31 - 2009-12-23 15:34 - 000000000 ____D C:\Documents and Settings\Donna Marr\Local Settings\Temp
2018-07-08 15:29 - 2015-06-04 12:24 - 000000998 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job
2018-07-08 15:00 - 2014-06-04 01:07 - 000000226 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2018-07-08 14:46 - 2015-04-10 09:24 - 000000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2018-07-08 14:34 - 2009-12-27 02:02 - 000000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2018-07-08 13:29 - 2016-04-01 19:13 - 000000000 ____D C:\Documents and Settings\Donna Marr\Application Data\dclogs
2018-07-08 13:28 - 2009-12-17 06:50 - 000028314 _____ C:\WINDOWS\system32\nvModes.001
2018-07-08 12:29 - 2015-06-04 12:24 - 000000946 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job
2018-07-08 07:34 - 2009-12-27 02:02 - 000000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2018-07-07 23:02 - 2018-03-13 06:46 - 000000880 _____ C:\WINDOWS\Tasks\Adobe Flash Player NPAPI Notifier.job
2018-07-07 23:02 - 2008-04-25 16:32 - 000032530 _____ C:\WINDOWS\SchedLgU.Txt
2018-07-07 23:02 - 2008-04-25 16:27 - 000000000 ____D C:\WINDOWS\system32\Macromed
2018-07-07 12:36 - 2008-04-25 11:16 - 000000603 _____ C:\WINDOWS\win.ini
2018-07-07 12:36 - 2008-04-25 11:16 - 000000246 _____ C:\WINDOWS\system.ini
2018-07-07 12:36 - 2008-04-25 11:16 - 000000211 __RSH C:\boot.ini
2018-07-07 12:05 - 2016-04-13 12:57 - 000000000 ____D C:\Program Files\Citrix
2018-07-07 11:52 - 2009-12-17 06:50 - 000028314 _____ C:\WINDOWS\system32\nvModes.dat
2018-07-07 11:51 - 2014-06-04 01:07 - 000000232 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2018-07-07 11:51 - 2009-12-17 12:48 - 000189747 _____ C:\WINDOWS\system32\nvapps.xml
2018-07-07 11:51 - 2008-04-25 16:32 - 000000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2018-07-07 11:51 - 2008-04-25 16:32 - 000000000 ____D C:\Documents and Settings\Administrator
2018-07-07 11:51 - 2008-04-25 11:16 - 000001158 _____ C:\WINDOWS\system32\wpa.dbl
2018-07-07 11:50 - 2008-04-25 16:32 - 000000805 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
2018-07-07 11:50 - 2008-04-25 16:32 - 000000790 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2018-07-07 11:50 - 2008-04-25 16:32 - 000000740 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Outlook Express.LNK
2018-07-07 11:50 - 2008-04-25 16:32 - 000000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2018-07-07 11:50 - 2008-04-25 16:29 - 000001868 _____ C:\WINDOWS\OEWABLog.txt
2018-07-07 10:41 - 2008-04-25 04:22 - 000612568 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-07-07 10:37 - 2008-04-25 16:32 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-07-07 10:01 - 2009-12-24 01:47 - 000000000 ____D C:\Utilities
2018-07-04 18:12 - 2010-11-12 21:03 - 000000000 ____D C:\Temp
2018-07-04 10:38 - 2012-11-26 21:23 - 000000284 _____ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2018-07-02 21:12 - 2015-10-19 21:12 - 000000472 _____ C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
2018-06-08 02:46 - 2014-03-09 13:24 - 000842240 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2018-06-08 02:46 - 2014-03-09 13:24 - 000175104 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2009-12-24 00:47 - 2009-12-24 00:47 - 000000268 ___RH () C:\Documents and Settings\Donna Marr\Application Data\Animals
2016-04-01 19:13 - 2016-04-01 19:13 - 001139200 _____ (VAuDCrLOwb) C:\Documents and Settings\Donna Marr\Application Data\xxz.exe
2014-09-13 12:10 - 2014-09-13 12:10 - 000003584 _____ () C:\Documents and Settings\Donna Marr\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-12-23 15:34 - 2008-02-05 14:28 - 000000051 _____ () C:\Documents and Settings\Donna Marr\Local Settings\Application Data\setup.txt
2009-12-23 15:34 - 2009-12-23 15:34 - 000000000 _____ () C:\Documents and Settings\Donna Marr\Local Settings\Application Data\WavXMapDrive.bat
2009-12-24 00:47 - 2009-12-24 00:47 - 000000268 ___RH () C:\Documents and Settings\All Users\Application Data\Applications
2009-12-24 00:43 - 2014-08-25 17:42 - 000000020 ____H () C:\Documents and Settings\All Users\Application Data\PKP_DLdy.DAT

Files to move or delete:
====================
C:\Documents and Settings\Donna Marr\Local Settings\Temp\DCSCMIN\IMDCSC.exe


Some files in TEMP:
====================
2010-01-16 19:55 - 2010-01-16 19:55 - 001924840 _____ (Adobe Systems Incorporated) C:\Documents and Settings\Dan Marr\Local Settings\Temp\FP_PL_PFS_INSTALLER.exe
2016-02-05 17:34 - 2016-02-26 11:01 - 000000229 _____ () C:\Documents and Settings\Donna Marr\Local Settings\Temp\1174935.exe
2016-02-05 17:34 - 2016-02-26 11:01 - 000000229 _____ () C:\Documents and Settings\Donna Marr\Local Settings\Temp\2274935.exe
2016-02-05 17:34 - 2016-02-26 11:01 - 000000229 _____ () C:\Documents and Settings\Donna Marr\Local Settings\Temp\3354869.exe
2016-04-11 20:10 - 2008-11-17 15:04 - 000939592 ____R (Google Inc.) C:\Documents and Settings\Donna Marr\Local Settings\Temp\PicasaCD.exe
2016-03-28 19:01 - 2015-05-14 03:42 - 000455600 ____R (Macrovision Corporation) C:\Documents and Settings\Donna Marr\Local Settings\Temp\_is17.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

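The registry section of the FRST.txt above contains the persistence the helper's fix script goes after: a Winlogon Userinit value chained to a second executable, and Run/RunOnce entries launching from the user's Temp and Application Data directories. As an added illustration (not part of this thread and not FRST's own code), the following Python script parses those FRST line formats and lists the entries an analyst should review, with the reason for each; the sample input is copied from the log above, and the path and vendor rules are heuristics, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Per-user writable locations that the malicious entries in this log run from.
# A legitimate autostart on XP normally lives under Program Files or system32.
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\application data\\", "\\docume~1\\")
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]*)\] => (?P<rest>.+)$"
)
USERINIT_RE = re.compile(r"^HKLM\\\.\.\.\\Winlogon: \[Userinit\] (?P<value>.+)$")
# FRST appends "[size date] (vendor) <==== ATTENTION" after the command.
TRAILER_RE = re.compile(
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<vendor>[^)]*)\))?(?P<attn> <==== ATTENTION)?$"
)


@dataclass
class Autostart:
    key: str               # "Run", "RunOnce" or "Userinit"
    name: str
    target: str            # command as stored in the registry
    vendor: Optional[str]  # version-info company string, not a signature
    attention: bool        # FRST's own ATTENTION marker


@dataclass
class Finding:
    key: str
    target: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Autostart]:
    """Parse one FRST registry line; None for lines that are not autostarts."""
    m = USERINIT_RE.match(line)
    if m:
        return Autostart("Userinit", "Userinit", m.group("value"), None, False)
    m = RUN_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    t = TRAILER_RE.search(rest)  # earliest match that reaches the end of line
    return Autostart(m.group("key"), m.group("name"), rest[: t.start()].strip(),
                     t.group("vendor"), bool(t.group("attn")))


def reasons_for(entry: Autostart) -> List[str]:
    """Heuristic reasons to review this entry; an empty list means benign-looking."""
    reasons: List[str] = []
    if entry.key == "Userinit":
        parts = [p.strip() for p in entry.target.split(",") if p.strip()]
        extra = [p for p in parts if p.lower() != EXPECTED_USERINIT]
        if extra:
            reasons.append("Userinit chains extra executable(s): " + "; ".join(extra))
        return reasons
    low = entry.target.lower()
    if entry.attention:
        reasons.append("FRST flagged the entry with ATTENTION")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("target runs from a per-user writable directory")
    if entry.vendor == "Microsoft Corporation" and not low.startswith(TRUSTED_ROOTS):
        reasons.append("claims Microsoft as vendor but lives outside Windows/Program Files")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        entry = parse_line(line.strip())
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append(Finding(entry.key, entry.target, reasons))
    return findings


# Sample input: six lines copied from the FRST.txt in this thread.
SAMPLE_LINES = [
    r"HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [200704 2009-02-22] (Alps Electric Co., Ltd.)",
    r"HKLM\...\Run: [ChangeTPMAuth] => C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12",
    r"HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\DONNAM~1\LOCALS~1\Temp\DCSCMIN\IMDCSC.exe",
    r"HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\Run: [DarkComet RAT] => C:\Documents and Settings\Donna Marr\Local Settings\Temp\DCSCMIN\IMDCSC.exe [1172472 2008-07-25] (Microsoft Corporation) <==== ATTENTION",
    r"HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\RunOnce: [Startname] => C:\Documents and Settings\Donna Marr\Application Data\xxz.exe [1139200 2016-04-01] (VAuDCrLOwb)",
    r"HKU\S-1-5-18\...\Run: [Google Update] => C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [116648 2015-06-04] (Google Inc.)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.key}] {f.target}")
        for r in f.reasons:
            print("    -", r)
```

The Google Update entry under the system profile also trips the path rule, so the output is a review list rather than a verdict. FRST's vendor column comes from the file's version information, which the DarkComet entry shows can simply claim "Microsoft Corporation".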


#11 Oh My!

Posted 08 July 2018 - 05:39 PM

Greetings Dan.

Thank you for the information. Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be "pasted" into FRST automatically when you click Fix as instructed below
Start::
CreateRestorePoint:
CloseProcesses:
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\DONNAM~1\LOCALS~1\Temp\DCSCMIN\IMDCSC.exe
C:\DOCUME~1\DONNAM~1\LOCALS~1\Temp\DCSCMIN
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\Run: [DarkComet RAT] => C:\Documents and Settings\Donna Marr\Local Settings\Temp\DCSCMIN\IMDCSC.exe [1172472 2008-07-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\RunOnce: [Startname] => C:\Documents and Settings\Donna Marr\Application Data\xxz.exe [1139200 2016-04-01] (VAuDCrLOwb)
C:\Documents and Settings\Donna Marr\Application Data\xxz.exe
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
FF Extension: (EasyPDFCombine) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_ceMembers_@free.easypdfcombine.com [2018-07-04] [Legacy]
FF Extension: (RecipeSearch) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_ejMembers_@free.downloadrecipesearch.com [2018-07-04] [Legacy]
FF Extension: (Search Extension by Ask) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_j5Members_@ext.ask.com [2018-07-04] [Legacy]
S4 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.11.334\McCHSvc.exe" [X]
S2 adfs; no ImagePath
S3 NvtSp50; System32\Drivers\NvtSp50.sys [X]
S3 PCASp50; System32\Drivers\PCASp50.sys [X]
U2 srvoko6; no ImagePath
U1 WS2IFSL; no ImagePath
ContextMenuHandlers1: [LavasoftShellExt] -> {DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => C:\Utilities\Ad-Ware\Lavasoft\Ad-Aware\ShellExt.dll 
ContextMenuHandlers2: [LavasoftShellExt] -> {DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => C:\Utilities\Ad-Ware\Lavasoft\Ad-Aware\ShellExt.dll
ContextMenuHandlers6: [LavasoftShellExt] -> {DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => C:\Utilities\Ad-Ware\Lavasoft\Ad-Aware\ShellExt.dll
Task: C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job =>
Task: C:\WINDOWS\Tasks\Adobe Flash Player NPAPI Notifier.job =>
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job =>
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job =>
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job =>
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job =>
MSCONFIG\startupreg: sysfbtray => C:\windows\bill103.exe
C:\windows\bill103.exe
cmd: ipconfig /flushdns
hosts:
emptytemp:
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Update on computer/browser behavior

Gary
 

#12 DM2-Inc

Posted 08 July 2018 - 07:07 PM

Gary,

 

Here's the Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 20.06.2018
Ran by Donna Marr (08-07-2018 18:54:02) Run:1
Running from C:\Utilities\FarBar
Loaded Profiles: Donna Marr (Available Profiles: Donna Marr & Dan Marr & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\DONNAM~1\LOCALS~1\Temp\DCSCMIN\IMDCSC.exe
C:\DOCUME~1\DONNAM~1\LOCALS~1\Temp\DCSCMIN
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\Run: [DarkComet RAT] => C:\Documents and Settings\Donna Marr\Local Settings\Temp\DCSCMIN\IMDCSC.exe [1172472 2008-07-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\...\RunOnce: [Startname] => C:\Documents and Settings\Donna Marr\Application Data\xxz.exe [1139200 2016-04-01] (VAuDCrLOwb)
C:\Documents and Settings\Donna Marr\Application Data\xxz.exe
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
FF Extension: (EasyPDFCombine) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_ceMembers_@free.easypdfcombine.com [2018-07-04] [Legacy]
FF Extension: (RecipeSearch) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_ejMembers_@free.downloadrecipesearch.com [2018-07-04] [Legacy]
FF Extension: (Search Extension by Ask) - C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_j5Members_@ext.ask.com [2018-07-04] [Legacy]
S4 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.11.334\McCHSvc.exe" [X]
S2 adfs; no ImagePath
S3 NvtSp50; System32\Drivers\NvtSp50.sys [X]
S3 PCASp50; System32\Drivers\PCASp50.sys [X]
U2 srvoko6; no ImagePath
U1 WS2IFSL; no ImagePath
ContextMenuHandlers1: [LavasoftShellExt] -> {DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => C:\Utilities\Ad-Ware\Lavasoft\Ad-Aware\ShellExt.dll
ContextMenuHandlers2: [LavasoftShellExt] -> {DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => C:\Utilities\Ad-Ware\Lavasoft\Ad-Aware\ShellExt.dll
ContextMenuHandlers6: [LavasoftShellExt] -> {DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => C:\Utilities\Ad-Ware\Lavasoft\Ad-Aware\ShellExt.dll
Task: C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job =>
Task: C:\WINDOWS\Tasks\Adobe Flash Player NPAPI Notifier.job =>
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job =>
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job =>
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job =>
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job =>
MSCONFIG\startupreg: sysfbtray => C:\windows\bill103.exe
C:\windows\bill103.exe
cmd: ipconfig /flushdns
hosts:
emptytemp:

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value restored successfully
C:\DOCUME~1\DONNAM~1\LOCALS~1\Temp\DCSCMIN => moved successfully
"HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\Software\Microsoft\Windows\CurrentVersion\Run\\DarkComet RAT" => removed successfully.
"HKU\S-1-5-21-1745207134-3454814284-1759209248-1005\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Startname" => removed successfully.
C:\Documents and Settings\Donna Marr\Application Data\xxz.exe => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => removed successfully.
HKLM\Software\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => not found
C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_ceMembers_@free.easypdfcombine.com => moved successfully
C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_ejMembers_@free.downloadrecipesearch.com => moved successfully
C:\Documents and Settings\Donna Marr\Application Data\Mozilla\Firefox\Profiles\lnjcqzxp.default\Extensions\_j5Members_@ext.ask.com => moved successfully
"HKLM\System\CurrentControlSet\Services\McComponentHostService" => removed successfully.
McComponentHostService => service removed successfully.
"HKLM\System\CurrentControlSet\Services\adfs" => removed successfully.
adfs => service removed successfully.
"HKLM\System\CurrentControlSet\Services\NvtSp50" => removed successfully.
NvtSp50 => service removed successfully.
"HKLM\System\CurrentControlSet\Services\PCASp50" => removed successfully.
PCASp50 => service removed successfully.
"HKLM\System\CurrentControlSet\Services\srvoko6" => removed successfully.
srvoko6 => service removed successfully.
"HKLM\System\CurrentControlSet\Services\WS2IFSL" => removed successfully.
WS2IFSL => service removed successfully.
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\LavasoftShellExt" => removed successfully.
"HKLM\Software\Classes\CLSID\{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F}" => removed successfully.
"HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers\LavasoftShellExt" => removed successfully.
HKLM\Software\Classes\CLSID\{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => not found
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\LavasoftShellExt" => removed successfully.
HKLM\Software\Classes\CLSID\{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F} => not found
C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job => moved successfully
C:\WINDOWS\Tasks\Adobe Flash Player NPAPI Notifier.job => moved successfully
C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => moved successfully
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => moved successfully
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => moved successfully
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => moved successfully
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job => moved successfully
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job => moved successfully
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => moved successfully
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => moved successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\sysfbtray => not found
"C:\windows\bill103.exe" => not found

========= ipconfig /flushdns =========



Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 9723 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 85591 B
Java, Flash, Steam htmlcache => 91421 B
Windows/system/dllcache/drivers => 7505576238 B
Edge => 0 B
Chrome => 0 B
Firefox => 504157253 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 82494 B
All Users => 0 B
systemprofile => 924659697 B
LocalService => 131976 B
NetworkService => 119307985 B
Donna Marr => 1860178088 B
Dan Marr => 73783482 B
Administrator => 83257 B

RecycleBin => 2968695375 B
EmptyTemp: => 13 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:02:42 ====
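As an added example, not code from this thread or from FRST itself: a small Python triage helper that reads a Fixlog in the layout shown above, splits it into the fixlist and the result section, buckets each fixlist entry by the kind of persistence it targets (registry Run keys, scheduled tasks, services, browser extensions, loose files), tallies what the tool reported as moved, removed or not found, and lists the entries the scan had flagged with "<==== ATTENTION". The sample log embedded in it is constructed to mirror the Fixlog above, with placeholder paths, SID and names; the outcome phrases it recognises are the ones that appear in that Fixlog, so other FRST result wordings would land in "other" or be ignored.

```python
"""Triage helper for FRST Fixlog output (added example, not FRST's own code).

Assumes the Fixlog layout seen in the thread: header, "fixlist content:", a line
of asterisks, the fixlist entries, a second line of asterisks, then results.
"""
import re
from collections import Counter

ATTENTION_MARK = "<==== ATTENTION"
DELIMITER = "*****************"
# Fixlist lines that are commands to FRST rather than items to remove.
DIRECTIVES = {"CreateRestorePoint:", "CloseProcesses:", "hosts:", "emptytemp:", "End::"}
# "S2 adfs; no ImagePath"-style service/driver entries.
SERVICE_RE = re.compile(r"^[SRUD]\d\s+\S+;")
# Result lines such as:  "HKLM\...\Services\adfs" => removed successfully.
RESULT_RE = re.compile(
    r'^"?(?P<target>.+?)"?\s*=>\s*'
    r"(?P<outcome>moved successfully|removed successfully|"
    r"service removed successfully|value restored successfully|not found)\.?\s*$"
)


def classify_entry(line):
    """Bucket one fixlist entry by the kind of persistence it targets."""
    s = line.strip()
    if s in DIRECTIVES or s.lower().startswith("cmd:"):
        return "directive"
    if s.startswith("Task:"):
        return "task"
    if s.startswith(("HKLM", "HKU", "HKCU", "MSCONFIG")):
        return "registry"
    if SERVICE_RE.match(s):
        return "service"
    if s.startswith(("FF Extension:", "BHO:", "ContextMenuHandlers")):
        return "browser/shell"
    return "file" if re.match(r"^[A-Za-z]:\\", s) else "other"


def split_fixlog(text):
    """Return (fixlist_section, results_section) from a Fixlog."""
    parts = text.split(DELIMITER)
    if len(parts) < 3:
        raise ValueError("not a Fixlog: expected two delimiter lines")
    return parts[1], parts[2]


def parse_fixlist(section):
    """Parse fixlist entries, noting which ones FRST had flagged with ATTENTION."""
    return [{"line": s.replace(ATTENTION_MARK, "").strip(),
             "kind": classify_entry(s),
             "flagged": ATTENTION_MARK in s}
            for s in map(str.strip, section.splitlines()) if s]


def parse_results(section):
    """Tally outcomes and collect targets FRST reported as not found."""
    outcomes, not_found = Counter(), []
    for raw in section.splitlines():
        m = RESULT_RE.match(raw.strip())
        if not m:
            continue  # narrative lines, EmptyTemp byte counts, etc.
        outcomes[m["outcome"]] += 1
        if m["outcome"] == "not found":
            not_found.append(m["target"])
    return outcomes, not_found


def triage(text):
    """Summarise a whole Fixlog: entry kinds, flagged entries, outcomes, misses."""
    fixlist, results = split_fixlog(text)
    entries = parse_fixlist(fixlist)
    outcomes, not_found = parse_results(results)
    return {"entries_by_kind": Counter(e["kind"] for e in entries),
            "flagged": [e["line"] for e in entries if e["flagged"]],
            "outcomes": outcomes,
            "not_found": not_found}


# Constructed sample in the Fixlog layout; paths, SID and names are placeholders.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x86) Version: 20.06.2018
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-0-0-0-1005\...\Run: [ExampleRAT] => C:\Temp\EXAMPLE\example.exe [1172472 2008-07-25] (Example) <==== ATTENTION
C:\Temp\EXAMPLE\example.exe
Task: C:\WINDOWS\Tasks\ExampleUpdater.job =>  <==== ATTENTION
S2 adfs; no ImagePath
cmd: ipconfig /flushdns
emptytemp:
*****************
Restore point was successfully created.
"HKU\S-1-5-21-0-0-0-1005\Software\Microsoft\Windows\CurrentVersion\Run\\ExampleRAT" => removed successfully.
C:\Temp\EXAMPLE\example.exe => moved successfully
C:\WINDOWS\Tasks\ExampleUpdater.job => moved successfully
"HKLM\System\CurrentControlSet\Services\adfs" => removed successfully.
adfs => service removed successfully.
"C:\windows\example103.exe" => not found
BITS transfer queue => 9723 B
==== End of Fixlog 19:02:42 ====
"""

if __name__ == "__main__":
    print(triage(SAMPLE_FIXLOG))
```

The "not found" list is the part worth reading twice: as in the Fixlog above, where the MSConfig startupreg entry and bill103.exe were reported not found, a miss means the item was already gone, renamed or only visible under another account, so it belongs on the list of things to re-check in the next scan rather than being treated as cleaned.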



#13 DM2-Inc
  • Topic Starter

Posted 08 July 2018 - 07:12 PM

Comment 1 on Web Browser:

 

I opened Firefox and noticed that when I click on the "+" to launch a new browser tab, it opens to the below:

 

https://search.gomaps.co/?uid=18494cb2-1f15-421b-aed8-6d5f9eb5321d&uc=20170411&ap=appfocus1&source=googlemaps-googledisplay-v12-bb8&page=newtab&implementation_id=maps_4.0.3

 

If I click on the "Home" icon, it goes to the page I have set up for Home, which is "www.google.com"

 

Comment 2 on Startup:

I see a script that runs when the computer boots up...I can't identify this.  Did you see anything?



#14 DM2-Inc
  • Topic Starter

Posted 08 July 2018 - 07:23 PM

A Quick Search on the internet suggests the below solution:

https://support.mozilla.org/en-US/questions/941901

 

The site says "It sounds like you have a Third-Party Toolbar that has taken over your Search Engine, Home Page, and/or the Default New Tab Page."

 

That is in fact what's happening, but only when I click on the "+".

 

When I follow the instructions, which have me looking into "Extensions", there are only 2 extensions (".NET Framework..." and "Real Player...").  Both of these extensions are disabled because Firefox wouldn't verify them for use in Firefox.



#15 DM2-Inc
  • Topic Starter

Posted 08 July 2018 - 07:28 PM

I fixed the Firefox issue by following a few more steps on the above link and now that issue isn't occurring again.

 

I'll send something later if there's an issue with the Browser.





