
August 9th and I've been attacked


KPM


This system has been infected for over a year.  The main reason you are infected is that you are running an Operating System that is completely unsupported and grossly out of date.  My advice is to stop using Windows XP immediately.

Do the following:

Download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on the Scan button.
  4. After the scan has finished, click on the Clean button.
  5. Confirm each time with OK.
  6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  7. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
 

  1. Run the tool by double-clicking it.
  2. The tool will open and start scanning your system.
  3. Please be patient as this can take a while to complete depending on your system's specifications.
  4. On completion, a log is saved to your desktop and will automatically open.
  5. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

(APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
(APN) C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
() C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\a2.exe
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\AtiExtEvent:
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [*nodpm<*>] => "C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\b7f6c3.lnk" <==== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [Uzpwmedia] => C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\a2.exe [191314 2016-09-19] ()
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [IZFsoft] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll"
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [Crypted] => C:\Documents and Settings\Maureen\Local Settings\Temp\a.txt [1384 2017-08-09] () <==== ATTENTION
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [YWCPack] => regsvr32.exe "C:\Documents and Settings\Maureen\Local Settings\Application Data\YWCPack\drgxuplq.dll"
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll ATTENTION
Startup: C:\Documents and Settings\Maureen\Desktop\Programs\Startup\29dd80.lnk [2017-08-09]
ShortcutTarget: 29dd80.lnk -> C:\WINDOWS\system32\mshta.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\Maureen\Desktop\Programs\Startup\5f500c.lnk [2016-09-19]
ShortcutTarget: 5f500c.lnk -> C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
URLSearchHook: HKU\S-1-5-21-6082561-254202236-1922501081-1006 - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {D4521B95-D522-474B-82A7-8A8DE3332754} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=2CD3D77B-9805-4C7B-855F-D9982E629BF9&apn_sauid=99A6179E-76E1-4A6A-93F2-4742B6C5993C
SearchScopes: HKU\S-1-5-21-6082561-254202236-1922501081-1006 -> {5CDCF235-79E8-45BA-8B47-6208374B5E72} URL = hxxp://www.search.ask.com/web?tpid=ORJ&o=100000031&pf=V5&p2=&gct=sb&itbv=12.21.0.124&apn_uid=2CD3D77B-9805-4C7B-855F-D9982E629BF9&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_dbr=ff_10.0.2&doi=2013-09-18&trgb=IE,FF&q={searchTerms}&psv=&pt=tb
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll => No File
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: Ask Shopping Toolbar -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> C:\Program Files\AskPartnerNetwork\Toolbar\ORJ\Passport.dll [2016-11-09] (APN LLC.)
Toolbar: HKLM - Ask Shopping Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\AskPartnerNetwork\Toolbar\ORJ\Passport.dll [2016-11-09] (APN LLC.)
Toolbar: HKU\.DEFAULT -> Ask Shopping Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\AskPartnerNetwork\Toolbar\ORJ\Passport.dll [2016-11-09] (APN LLC.)
Toolbar: HKU\S-1-5-21-6082561-254202236-1922501081-1006 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
FF user.js: detected! => C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\user.js [2010-10-13]
FF SearchEngineOrder.1: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default -> Ask.com
FF SelectedSearchEngine: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default -> Ask Search
FF Homepage: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default -> hxxp://www.search.ask.com/?tpid=ORJ-V7C&o=APN11408&pf=V7&trgb=FF&p2=%5EBBG%5EOSJ000%5EYY%5EUS&gct=hp&apn_ptnrs=BBG&apn_dtid=%5EOSJ000%5EYY%5EUS&apn_dbr=ff_28.0.0.5186&apn_uid=B4A0428A-ECA9-4F66-A031-7CB31A68C407&itbv=12.10.6.48&doi=2014-04-17&psv=
FF Extension: (Ask Toolbar) - C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\Extensions\[email protected] [2017-01-31]
FF SearchPlugin: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\searchplugins\ask-search.xml [2014-04-17]
FF SearchPlugin: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\searchplugins\askcom.xml [2013-02-08]
S3 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.11.334\McCHSvc.exe" [X]
2017-08-09 12:04 - 2017-08-09 12:04 - 000001384 _____ C:\Documents and Settings\Maureen\Desktop\bit.txt
2017-08-06 03:00 - 2011-08-02 16:44 - 000000000 __HDC C:\Documents and Settings\All Users\Application Data\{306CA583-A598-43B0-914A-91240E3D07E4}
C:\Documents and Settings\Maureen\Local Settings\Temp\a.txt
2017-06-11 20:08 - 2017-06-11 20:08 - 000300032 _____ (Microsoft Corporation) C:\Documents and Settings\Maureen\Local Settings\Temp\333m3ela.exe
2017-06-04 05:54 - 2017-06-04 05:54 - 000304640 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\4dtcst22.exe
2016-09-19 11:01 - 2016-09-19 11:01 - 000302130 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\a1.exe
2016-09-19 11:00 - 2016-09-19 11:00 - 000191314 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\a2.exe
2014-04-17 09:29 - 2014-04-17 09:29 - 000523216 _____ (Ask Partner Network) C:\Documents and Settings\Maureen\Local Settings\Temp\APNSetup.exe
2012-09-24 16:24 - 2012-09-24 16:24 - 000357032 _____ (Ask.com) C:\Documents and Settings\Maureen\Local Settings\Temp\ApnStub.exe
2011-10-05 15:14 - 2009-07-21 19:31 - 000096256 _____ (Microsoft Corporation) C:\Documents and Settings\Maureen\Local Settings\Temp\atl80.dll
2017-06-05 03:05 - 2017-06-05 03:05 - 000305152 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\kimrdbno.exe
2017-06-11 06:15 - 2017-06-11 06:15 - 000274432 _____ (mbcrump) C:\Documents and Settings\Maureen\Local Settings\Temp\lsbpm043.exe
2013-10-15 08:43 - 2013-10-15 08:43 - 000888320 _____ (McAfee, Inc.) C:\Documents and Settings\Maureen\Local Settings\Temp\mssinstaller.exe
2017-06-11 10:47 - 2017-06-11 10:47 - 000300032 _____ (Microsoft Corporation) C:\Documents and Settings\Maureen\Local Settings\Temp\nhuc4o0m.exe
2017-06-05 03:05 - 2017-06-05 03:05 - 000305152 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\p2chsd3i.exe
2017-06-05 03:05 - 2017-06-05 03:05 - 000503808 _____ (  Kapcom   ) C:\Documents and Settings\Maureen\Local Settings\Temp\p32sw2sr.exe
2017-05-24 10:25 - 2017-05-24 10:25 - 000384478 _____ (Zoormaht) C:\Documents and Settings\Maureen\Local Settings\Temp\p6maewbu.exe
2017-06-04 05:54 - 2017-06-04 05:54 - 000304640 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\r4cobbm3.exe
2016-04-12 12:17 - 2016-04-12 12:17 - 000205656 _____ (SlimWare Utilities, Inc.) C:\Documents and Settings\Maureen\Local Settings\Temp\scp12C.tmp.exe
2011-10-05 15:14 - 2009-07-21 19:31 - 000124168 _____ (Trend Micro Inc.) C:\Documents and Settings\Maureen\Local Settings\Temp\TmDbg32.dll
2015-05-19 14:04 - 2015-05-19 14:04 - 000007168 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\tmp10B..exe
2017-06-05 03:05 - 2017-06-05 03:05 - 000503808 _____ (  Kapcom   ) C:\Documents and Settings\Maureen\Local Settings\Temp\trobhclo.exe
2017-06-04 05:54 - 2017-06-04 05:54 - 000304640 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\u0w2is4r.exe
2017-06-05 03:24 - 2017-06-05 03:24 - 000503808 _____ (  Kapcom   ) C:\Documents and Settings\Maureen\Local Settings\Temp\w33ht4sp.exe
2010-09-15 07:10 - 2010-09-15 07:10 - 000329479 _____ (Yahoo! Inc.) C:\Documents and Settings\Maureen\Local Settings\Temp\ytb.exe
2016-04-01 11:46 - 2006-05-24 13:10 - 000455600 ____R (Macrovision Corporation) C:\Documents and Settings\Maureen\Local Settings\Temp\_is80.exe
2015-02-21 03:27 - 2015-02-21 03:28 - 120018672 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-27bc1cb6.exe
2015-06-03 13:17 - 2015-06-03 13:18 - 156832024 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-333673ca.exe
2015-06-13 13:18 - 2015-06-13 13:19 - 161186576 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-33ce69cd.exe
2015-06-07 13:17 - 2015-06-07 13:19 - 157990160 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-36de2210.exe
2015-06-03 06:07 - 2015-06-03 06:08 - 156793624 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-421d112.exe
2015-06-12 13:18 - 2015-06-12 13:19 - 161098512 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-4640f9b4.exe
2015-06-11 13:18 - 2015-06-11 13:19 - 160856848 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-4a770069.exe
2015-06-08 13:17 - 2015-06-08 13:18 - 158184208 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-4dcc30f3.exe
2015-06-05 13:17 - 2015-06-05 13:18 - 157568272 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-5c0c31ac.exe
2015-06-07 01:39 - 2015-06-07 01:40 - 157927696 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-7885c209.exe
2015-06-09 13:17 - 2015-06-09 13:19 - 158548752 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-79fa939b.exe
2015-06-06 13:17 - 2015-06-06 13:18 - 157805328 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-8fa38f60.exe
2015-06-04 13:18 - 2015-06-04 13:19 - 157234968 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-9a6616e7.exe
2015-06-02 13:17 - 2015-06-02 13:18 - 156538136 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-a5674e21.exe
2015-06-10 13:18 - 2015-06-10 13:19 - 160525584 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-b390a659.exe
2015-06-14 01:39 - 2015-06-14 01:40 - 161358096 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-ddf72df.exe
2015-06-14 13:18 - 2015-06-14 13:19 - 161382672 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-e2a66c25.exe
2015-06-03 06:37 - 2015-06-03 06:38 - 156793624 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-f524dbaa.exe
CustomCLSID: HKU\S-1-5-21-6082561-254202236-1922501081-1006_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InprocServer32 -> C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll ()
HKU\S-1-5-21-6082561-254202236-1922501081-1006\Software\Classes\2f4bce: "C:\WINDOWS\system32\mshta.exe" "javascript:UM6otP="T3anKt";Q6H=new ActiveXObject("WScript.Shell");gNw2wf="MTx";mPxp56=Q6H.RegRead("HKCU\\software\\mjfxdzfem\\qiblpczoq");biRQ9CuA="s";eval(mPxp56);gsIwy8H="6p";" <==== ATTENTION
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
FolderExtensions: [ShellFolder for CD Burning] -> {fbeb8a05-beee-4442-804e-409d6c4515e9} => C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll [2016-09-19] ()
2016-09-19 11:00 - 2016-09-19 11:00 - 000191314 _____ () C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\a2.exe
2016-09-19 11:10 - 2016-09-19 11:10 - 001294848 _____ () C:\Documents and Settings\Maureen\Local Settings\Application Data\YWCPack\drgxuplq.dll

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

 

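The fixlist above is written in FRST's own notation, and most of what makes its entries worth removing follows a few recognisable patterns: autostart value names that contain characters invalid in file names, Run targets that are not executables (a .lnk or .txt in a Run key), regsvr32/mshta/cmd used as a launcher, payloads sitting in a user-writable profile directory, and an mshta "javascript:" command that reads its real payload from the registry and passes it to eval. The Python below is an added, defender-side illustration and is not part of this thread, of FRST, or of any Malwarebytes tool; it scores FRST-style lines against those patterns. The sample lines are copied (one of them shortened) from the fixlist posted here; the rule set, function names and reason strings are this example's own assumptions.

```python
import re

# Constructed sample input: FRST-style lines taken from the fixlist in this thread.
# The last line is the mshta entry with its filler variables removed for readability.
SAMPLE_LINES = [
    r'HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k',
    r'HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [*nodpm<*>] => "C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\b7f6c3.lnk"',
    r'HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [IZFsoft] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll"',
    r'HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [Crypted] => C:\Documents and Settings\Maureen\Local Settings\Temp\a.txt [1384 2017-08-09] ()',
    r'ShortcutTarget: 29dd80.lnk -> C:\WINDOWS\system32\mshta.exe (Microsoft Corporation)',
    r'HKU\S-1-5-21-6082561-254202236-1922501081-1006\Software\Classes\2f4bce: "C:\WINDOWS\system32\mshta.exe" "javascript:Q6H=new ActiveXObject("WScript.Shell");mPxp56=Q6H.RegRead("HKCU\\software\\mjfxdzfem\\qiblpczoq");eval(mPxp56);"',
]

# FRST's Run-key notation: <hive>\...\Run: [<value name>] => <command>
RUN_ENTRY = re.compile(r'^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$')

# Rule tables (assumptions of this example, not an FRST or vendor list).
INVALID_NAME_CHARS = '<>*|?"'
NON_EXECUTABLE_EXT = {'txt', 'lnk', 'dat'}
LOLBIN_LAUNCHERS = ('regsvr32.exe', 'mshta.exe', 'cmd.exe', 'rundll32.exe', 'wscript.exe', 'cscript.exe')
USER_WRITABLE_DIRS = (r'\local settings\application data\\', r'\local settings\temp\\', r'\application data\\', r'\appdata\\')


def target_extension(cmd: str):
    """Return the lower-cased extension of the first path in a Run command, or None."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        target = cmd[1:end] if end > 0 else cmd[1:]
    else:
        # FRST appends "[size date] (company)" after an unquoted path.
        target = cmd.split(' [', 1)[0]
    m = re.search(r'\.([A-Za-z0-9]+)$', target.strip())
    return m.group(1).lower() if m else None


def assess_line(line: str) -> list:
    """Return the list of reasons an FRST-style line looks like malicious persistence (empty if none)."""
    reasons = []
    low = line.lower()
    m = RUN_ENTRY.match(line)
    if m:
        if any(c in m.group('name') for c in INVALID_NAME_CHARS):
            reasons.append('autostart value name contains characters invalid in file names')
        ext = target_extension(m.group('cmd'))
        if ext in NON_EXECUTABLE_EXT:
            reasons.append(f'autostart target has a non-executable extension (.{ext})')
    for launcher in LOLBIN_LAUNCHERS:
        if launcher in low:
            reasons.append(f'autostart uses {launcher} as a launcher')
            break
    # The tuple entries end in a doubled backslash so the raw strings do not end in one;
    # strip that down to a single backslash before matching.
    if any(d.rstrip('\\') + '\\' in low for d in USER_WRITABLE_DIRS):
        reasons.append('target lives in a user-writable profile directory')
    if 'mshta' in low and 'javascript:' in low and 'regread' in low and 'eval(' in low:
        reasons.append('mshta javascript payload is read from the registry and passed to eval (fileless persistence)')
    return reasons


def triage(lines) -> list:
    """Pair every flagged line with its reasons; clean lines are dropped."""
    result = []
    for line in lines:
        reasons = assess_line(line)
        if reasons:
            result.append((line, reasons))
    return result


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LINES):
        print(line[:90])
        for r in reasons:
            print('   -', r)
```

The first sample line (the stale KernelFaultCheck entry) produces no reasons, which is the point of scoring by pattern rather than by presence in a fixlist: FRST removes it as housekeeping, not because it is malicious. Everything else is flagged for at least one reason, and the Kovter-style .lnk and mshta entries collect several.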

Thank you, Zoll. I wish I could say I'm off and running but I am having a hell of a time just getting past the second step of the "Download AdwCleaner and save it on your desktop" list. I downloaded AdwCleaner but I cannot get it to open and run. When I place an icon on the desktop, I get an error message that reads "AdwCleaner (1).exe is not a valid Win32 application" and that's it. I cannot get any further to run the tool and move on to the scan and clean steps and so forth. Do you have a fix? I hope you do! Thank you.

-Kevin


JRT.txt


JRT and FRST are different tools.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

(APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
(APN) C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
() C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\a2.exe
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\AtiExtEvent:
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [*nodpm<*>] => "C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\b7f6c3.lnk" <==== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [Uzpwmedia] => C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\a2.exe [191314 2016-09-19] ()
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [IZFsoft] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll"
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [Crypted] => C:\Documents and Settings\Maureen\Local Settings\Temp\a.txt [1384 2017-08-09] () <==== ATTENTION
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [YWCPack] => regsvr32.exe "C:\Documents and Settings\Maureen\Local Settings\Application Data\YWCPack\drgxuplq.dll"
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll ATTENTION
Startup: C:\Documents and Settings\Maureen\Desktop\Programs\Startup\29dd80.lnk [2017-08-09]
ShortcutTarget: 29dd80.lnk -> C:\WINDOWS\system32\mshta.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\Maureen\Desktop\Programs\Startup\5f500c.lnk [2016-09-19]
ShortcutTarget: 5f500c.lnk -> C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
URLSearchHook: HKU\S-1-5-21-6082561-254202236-1922501081-1006 - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {D4521B95-D522-474B-82A7-8A8DE3332754} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=2CD3D77B-9805-4C7B-855F-D9982E629BF9&apn_sauid=99A6179E-76E1-4A6A-93F2-4742B6C5993C
SearchScopes: HKU\S-1-5-21-6082561-254202236-1922501081-1006 -> {5CDCF235-79E8-45BA-8B47-6208374B5E72} URL = hxxp://www.search.ask.com/web?tpid=ORJ&o=100000031&pf=V5&p2=&gct=sb&itbv=12.21.0.124&apn_uid=2CD3D77B-9805-4C7B-855F-D9982E629BF9&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_dbr=ff_10.0.2&doi=2013-09-18&trgb=IE,FF&q={searchTerms}&psv=&pt=tb
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll => No File
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: Ask Shopping Toolbar -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> C:\Program Files\AskPartnerNetwork\Toolbar\ORJ\Passport.dll [2016-11-09] (APN LLC.)
Toolbar: HKLM - Ask Shopping Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\AskPartnerNetwork\Toolbar\ORJ\Passport.dll [2016-11-09] (APN LLC.)
Toolbar: HKU\.DEFAULT -> Ask Shopping Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\AskPartnerNetwork\Toolbar\ORJ\Passport.dll [2016-11-09] (APN LLC.)
Toolbar: HKU\S-1-5-21-6082561-254202236-1922501081-1006 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
FF user.js: detected! => C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\user.js [2010-10-13]
FF SearchEngineOrder.1: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default -> Ask.com
FF SelectedSearchEngine: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default -> Ask Search
FF Homepage: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default -> hxxp://www.search.ask.com/?tpid=ORJ-V7C&o=APN11408&pf=V7&trgb=FF&p2=%5EBBG%5EOSJ000%5EYY%5EUS&gct=hp&apn_ptnrs=BBG&apn_dtid=%5EOSJ000%5EYY%5EUS&apn_dbr=ff_28.0.0.5186&apn_uid=B4A0428A-ECA9-4F66-A031-7CB31A68C407&itbv=12.10.6.48&doi=2014-04-17&psv=
FF Extension: (Ask Toolbar) - C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\Extensions\[email protected] [2017-01-31]
FF SearchPlugin: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\searchplugins\ask-search.xml [2014-04-17]
FF SearchPlugin: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\searchplugins\askcom.xml [2013-02-08]
S3 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.11.334\McCHSvc.exe" [X]
2017-08-09 12:04 - 2017-08-09 12:04 - 000001384 _____ C:\Documents and Settings\Maureen\Desktop\bit.txt
2017-08-06 03:00 - 2011-08-02 16:44 - 000000000 __HDC C:\Documents and Settings\All Users\Application Data\{306CA583-A598-43B0-914A-91240E3D07E4}
C:\Documents and Settings\Maureen\Local Settings\Temp\a.txt
2017-06-11 20:08 - 2017-06-11 20:08 - 000300032 _____ (Microsoft Corporation) C:\Documents and Settings\Maureen\Local Settings\Temp\333m3ela.exe
2017-06-04 05:54 - 2017-06-04 05:54 - 000304640 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\4dtcst22.exe
2016-09-19 11:01 - 2016-09-19 11:01 - 000302130 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\a1.exe
2016-09-19 11:00 - 2016-09-19 11:00 - 000191314 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\a2.exe
2014-04-17 09:29 - 2014-04-17 09:29 - 000523216 _____ (Ask Partner Network) C:\Documents and Settings\Maureen\Local Settings\Temp\APNSetup.exe
2012-09-24 16:24 - 2012-09-24 16:24 - 000357032 _____ (Ask.com) C:\Documents and Settings\Maureen\Local Settings\Temp\ApnStub.exe
2011-10-05 15:14 - 2009-07-21 19:31 - 000096256 _____ (Microsoft Corporation) C:\Documents and Settings\Maureen\Local Settings\Temp\atl80.dll
2017-06-05 03:05 - 2017-06-05 03:05 - 000305152 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\kimrdbno.exe
2017-06-11 06:15 - 2017-06-11 06:15 - 000274432 _____ (mbcrump) C:\Documents and Settings\Maureen\Local Settings\Temp\lsbpm043.exe
2013-10-15 08:43 - 2013-10-15 08:43 - 000888320 _____ (McAfee, Inc.) C:\Documents and Settings\Maureen\Local Settings\Temp\mssinstaller.exe
2017-06-11 10:47 - 2017-06-11 10:47 - 000300032 _____ (Microsoft Corporation) C:\Documents and Settings\Maureen\Local Settings\Temp\nhuc4o0m.exe
2017-06-05 03:05 - 2017-06-05 03:05 - 000305152 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\p2chsd3i.exe
2017-06-05 03:05 - 2017-06-05 03:05 - 000503808 _____ (  Kapcom   ) C:\Documents and Settings\Maureen\Local Settings\Temp\p32sw2sr.exe
2017-05-24 10:25 - 2017-05-24 10:25 - 000384478 _____ (Zoormaht) C:\Documents and Settings\Maureen\Local Settings\Temp\p6maewbu.exe
2017-06-04 05:54 - 2017-06-04 05:54 - 000304640 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\r4cobbm3.exe
2016-04-12 12:17 - 2016-04-12 12:17 - 000205656 _____ (SlimWare Utilities, Inc.) C:\Documents and Settings\Maureen\Local Settings\Temp\scp12C.tmp.exe
2011-10-05 15:14 - 2009-07-21 19:31 - 000124168 _____ (Trend Micro Inc.) C:\Documents and Settings\Maureen\Local Settings\Temp\TmDbg32.dll
2015-05-19 14:04 - 2015-05-19 14:04 - 000007168 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\tmp10B..exe
2017-06-05 03:05 - 2017-06-05 03:05 - 000503808 _____ (  Kapcom   ) C:\Documents and Settings\Maureen\Local Settings\Temp\trobhclo.exe
2017-06-04 05:54 - 2017-06-04 05:54 - 000304640 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\u0w2is4r.exe
2017-06-05 03:24 - 2017-06-05 03:24 - 000503808 _____ (  Kapcom   ) C:\Documents and Settings\Maureen\Local Settings\Temp\w33ht4sp.exe
2010-09-15 07:10 - 2010-09-15 07:10 - 000329479 _____ (Yahoo! Inc.) C:\Documents and Settings\Maureen\Local Settings\Temp\ytb.exe
2016-04-01 11:46 - 2006-05-24 13:10 - 000455600 ____R (Macrovision Corporation) C:\Documents and Settings\Maureen\Local Settings\Temp\_is80.exe
2015-02-21 03:27 - 2015-02-21 03:28 - 120018672 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-27bc1cb6.exe
2015-06-03 13:17 - 2015-06-03 13:18 - 156832024 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-333673ca.exe
2015-06-13 13:18 - 2015-06-13 13:19 - 161186576 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-33ce69cd.exe
2015-06-07 13:17 - 2015-06-07 13:19 - 157990160 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-36de2210.exe
2015-06-03 06:07 - 2015-06-03 06:08 - 156793624 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-421d112.exe
2015-06-12 13:18 - 2015-06-12 13:19 - 161098512 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-4640f9b4.exe
2015-06-11 13:18 - 2015-06-11 13:19 - 160856848 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-4a770069.exe
2015-06-08 13:17 - 2015-06-08 13:18 - 158184208 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-4dcc30f3.exe
2015-06-05 13:17 - 2015-06-05 13:18 - 157568272 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-5c0c31ac.exe
2015-06-07 01:39 - 2015-06-07 01:40 - 157927696 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-7885c209.exe
2015-06-09 13:17 - 2015-06-09 13:19 - 158548752 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-79fa939b.exe
2015-06-06 13:17 - 2015-06-06 13:18 - 157805328 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-8fa38f60.exe
2015-06-04 13:18 - 2015-06-04 13:19 - 157234968 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-9a6616e7.exe
2015-06-02 13:17 - 2015-06-02 13:18 - 156538136 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-a5674e21.exe
2015-06-10 13:18 - 2015-06-10 13:19 - 160525584 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-b390a659.exe
2015-06-14 01:39 - 2015-06-14 01:40 - 161358096 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-ddf72df.exe
2015-06-14 13:18 - 2015-06-14 13:19 - 161382672 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-e2a66c25.exe
2015-06-03 06:37 - 2015-06-03 06:38 - 156793624 _____ (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-f524dbaa.exe
CustomCLSID: HKU\S-1-5-21-6082561-254202236-1922501081-1006_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InprocServer32 -> C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll ()
HKU\S-1-5-21-6082561-254202236-1922501081-1006\Software\Classes\2f4bce: "C:\WINDOWS\system32\mshta.exe" "javascript:UM6otP="T3anKt";Q6H=new ActiveXObject("WScript.Shell");gNw2wf="MTx";mPxp56=Q6H.RegRead("HKCU\\software\\mjfxdzfem\\qiblpczoq");biRQ9CuA="s";eval(mPxp56);gsIwy8H="6p";" <==== ATTENTION
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
FolderExtensions: [ShellFolder for CD Burning] -> {fbeb8a05-beee-4442-804e-409d6c4515e9} => C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll [2016-09-19] ()
2016-09-19 11:00 - 2016-09-19 11:00 - 000191314 _____ () C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\a2.exe
2016-09-19 11:10 - 2016-09-19 11:10 - 001294848 _____ () C:\Documents and Settings\Maureen\Local Settings\Application Data\YWCPack\drgxuplq.dll

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Hey there. I can't seem to find the link to perform an FRST64 scan, the product which is to be copied and posted. Also, I am not certain what "NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work." means? Does that just mean that both files need to be on the Desktop or do the files need to be in a newly created file together on the desktop...or elsewhere even?

Thank you.

-Kevin


Changing tools.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.


By any USB or external drives, do you mean anything connected via USB as in keyboards, a Bluetooth receiver and mouse? And this computer serves as my server and there is an external backup "bank" connected to it....I hesitate to disconnect that. Can those things stay connected while RogueKiller runs?

Thank you.

-Kevin


Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista/7/8/10 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished".
    • Select the following items:
      [PUP.Ask|PUP.Gen1|VT.PUP.Optional.ASK.Generic] apnmcp.exe(4832) -- C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe[7] -> Found
      [VT.Trojan:Win32/Miuref.C] gdzcobql.dll(6420) -- C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll[-] -> Found
      [PUP.Gen0|VT.PUP.Optional.ASK.Generic] (SVC) APNMCP -- "C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe"[7] -> Found
      [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{44CBC005-6243-4502-8A02-3A096A282664} ("C:\Program Files\AskPartnerNetwork\Toolbar\ServiceLocator.exe") -> Found
      [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{80703783-E415-4EE3-AB60-D36981C5A6F1} ("C:\Program Files\AskPartnerNetwork\Toolbar\ToolbarPS.dll") -> Found
      [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{D8278076-BC68-4484-9233-6E7F1628B56C} ("C:\Program Files\AskPartnerNetwork\Toolbar\searchhook.dll") -> Found
      [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{F297534D-7B06-459D-BC19-2DD8EF69297B} ("C:\Program Files\AskPartnerNetwork\Toolbar\Toolbar.exe") -> Found
      [PUP.Ask|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\AskPartnerNetwork -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\SlimWare Utilities Inc -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\SlimWare Utilities, Inc. -> Found
      [PUP.Ask|PUP.Gen1] HKEY_USERS\.DEFAULT\Software\AskPartnerNetwork -> Found
      [PUP.Gen1] HKEY_USERS\.DEFAULT\Software\AskToolbar -> Found
      [PUP.Ask|PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\AskPartnerNetwork -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\SlimWare Utilities Inc -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\YahooPartnerToolbar -> Found
      [PUP.Ask|PUP.Gen1] HKEY_USERS\S-1-5-18\Software\AskPartnerNetwork -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-18\Software\AskToolbar -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{177CD779-4EEC-43C5-8DEA-4E0EC103624B} -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{177CD779-4EEC-43C5-8DEA-4E0EC103624B} -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE} -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0} -> Found
      [PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ApnTBMon : "C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" [x] -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\Microsoft\Windows\CurrentVersion\Run | DriverUpdate : "C:\Program Files\DriverUpdate\DriverUpdate.exe" -boot [x] -> Found
      [PUP.Gen0|PUP.Ask|PUP.Gen1|VT.PUP.Optional.ASK.Generic] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\APNMCP ("C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe") -> Found
      [PUP.Gen0|PUP.Ask|PUP.Gen1|VT.PUP.Optional.ASK.Generic] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\APNMCP ("C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe") -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SlimService ("C:\Program Files\SlimService\SlimServiceFactory.exe") -> Found
      [PUP.Gen0] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SWDUMon (system32\DRIVERS\SWDUMon.sys) -> Found
      [Tr.Kovter][File] C:\Documents and Settings\Maureen\Application Data\e06dc7\9b5fd1.b0e9a34 -> Found
      [Tr.Kovter][File] C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\818bc1.b0e9a34 -> Found
      [Tr.Kovter][File] C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\95fc88.bat -> Found
      [Tr.Kovter][File] C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\b7f6c3.lnk [[email protected]] C:\DOCUME~1\Maureen\LOCALS~1\APPLIC~1\c0b6cc\95fc88.bat -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\APN -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Ask -> Found
      [PUP.Ask|PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Driver Manager -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\SlimWare Utilities Inc -> Found
      [PUP.Gen0|PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Solvusoft -> Found
      [PUP.Gen0|PUP.Gen1][File] C:\RECYCLER\S-1-5-21-6082561-254202236-1922501081-1006\Dc691\Support Tools\Log Files.lnk [[email protected]] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SOLVUS~1\WINTHR~1\Logs -> Found
      [PUP.Ask|PUP.Gen1][Folder] C:\Program Files\AskPartnerNetwork -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\APN -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Ask -> Found
      [PUP.Ask|PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Driver Manager -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\SlimWare Utilities Inc -> Found
      [PUP.Gen0|PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Solvusoft -> Found
      [PUP.Gen2][Firefox:Addon] u8aaj7rr.default : Yahoo Toolbar and New Tab [{635abd67-4fe9-1b23-4f01-e679fa7484c1}] -> Found
      [PUM.HomePage][Firefox:Config] u8aaj7rr.default : user_pref("browser.startup.homepage", "http://search.hmyquickconverter.com?uid=e1f76fc8-e758-4283-8dae-65fdcd54d006&uc=20170814&ap=appfocus1&source=ntm-d&page=homepage&implementation_id=converter_4.1.3"); -> Found
    • Click the Delete button.

  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt)
    • The highest number of [X] is the most recent Delete log.



Hello, Kevin. I am sorry but I am a bit lost here. I ran that scan again and went to "select the following" but it was not in a format to simply select a line and delete the material. Furthermore, I am not really sure what I am deleting or where we are with this process. Would it be possible to speak on the phone briefly sometime next week so that I can clear up some stuff? For example, I am not sure if you are waiting to get the correct report in order to delete the viral material or if each report is just one part of a continuing process... and, if so, how long do you expect it to go on? A quick call could clear these things up for me. The close to 4 pages of lines that accompanied your last reply I think can be found in the report, but there is no option to delete lines in this format. And the format which would allow me to delete files does not match the lines you sent. Know what I mean? Just let me know if this is something you might be open to, if you would, and we can set something up. As always, I appreciate your work on this! -Kevin

Roguekiller Report.txt


Close all programs and disconnect any USB or external drives before running the tool.

  • Double-click RogueKiller.exe to run the tool again (Vista/7/8/10 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished":
    • Click the Processes Tab and select the following items:
      [Proc.Injected] explorer.exe(6420) -- C:\WINDOWS\explorer.exe[7] -> Found
      [PUP.Ask|PUP.Gen1|VT.PUP.Optional.ASK.Generic] apnmcp.exe(4832) -- C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe[7] -> Found
      [VT.Trojan:Win32/Miuref.C] gdzcobql.dll(6420) -- C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll[-] -> Found
      [PUP.Gen0|VT.PUP.Optional.ASK.Generic] (SVC) APNMCP -- "C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe"[7] -> Found
    • Click the Registry Tab and select the following items:
      [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{44CBC005-6243-4502-8A02-3A096A282664} ("C:\Program Files\AskPartnerNetwork\Toolbar\ServiceLocator.exe") -> Found
      [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{80703783-E415-4EE3-AB60-D36981C5A6F1} ("C:\Program Files\AskPartnerNetwork\Toolbar\ToolbarPS.dll") -> Found
      [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{D8278076-BC68-4484-9233-6E7F1628B56C} ("C:\Program Files\AskPartnerNetwork\Toolbar\searchhook.dll") -> Found
      [PUP.Gen0] HKEY_CLASSES_ROOT\CLSID\{F297534D-7B06-459D-BC19-2DD8EF69297B} ("C:\Program Files\AskPartnerNetwork\Toolbar\Toolbar.exe") -> Found
      [PUP.Ask|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\AskPartnerNetwork -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\SlimWare Utilities Inc -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\SlimWare Utilities, Inc. -> Found
      [PUP.Ask|PUP.Gen1] HKEY_USERS\.DEFAULT\Software\AskPartnerNetwork -> Found
      [PUP.Gen1] HKEY_USERS\.DEFAULT\Software\AskToolbar -> Found
      [PUP.Ask|PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\AskPartnerNetwork -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\SlimWare Utilities Inc -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\YahooPartnerToolbar -> Found
      [PUP.Ask|PUP.Gen1] HKEY_USERS\S-1-5-18\Software\AskPartnerNetwork -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-18\Software\AskToolbar -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{177CD779-4EEC-43C5-8DEA-4E0EC103624B} -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{177CD779-4EEC-43C5-8DEA-4E0EC103624B} -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE} -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0} -> Found
      [PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ApnTBMon : "C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe" [x] -> Found
      [PUP.Gen1] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\Microsoft\Windows\CurrentVersion\Run | DriverUpdate : "C:\Program Files\DriverUpdate\DriverUpdate.exe" -boot [x] -> Found
      [PUP.Gen0|PUP.Ask|PUP.Gen1|VT.PUP.Optional.ASK.Generic] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\APNMCP ("C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe") -> Found
      [PUP.Gen0|PUP.Ask|PUP.Gen1|VT.PUP.Optional.ASK.Generic] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\APNMCP ("C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe") -> Found
      [PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SlimService ("C:\Program Files\SlimService\SlimServiceFactory.exe") -> Found
      [PUP.Gen0] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SWDUMon (system32\DRIVERS\SWDUMon.sys) -> Found
      [PUM.SearchPage] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\Microsoft\Internet Explorer\Main | Search Page :  http://www.bing.com -> Found
      [PUM.SearchPage] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\Microsoft\Internet Explorer\Main | Search Bar : http://www.bing.com/sphome.aspx -> Found
    • Click the Files Tab and select the following items:
      [Tr.Kovter][File] C:\Documents and Settings\Maureen\Application Data\e06dc7\9b5fd1.b0e9a34 -> Found
      [Tr.Kovter][File] C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\818bc1.b0e9a34 -> Found
      [Tr.Kovter][File] C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\95fc88.bat -> Found
      [Tr.Kovter][File] C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\b7f6c3.lnk [[email protected]] C:\DOCUME~1\Maureen\LOCALS~1\APPLIC~1\c0b6cc\95fc88.bat -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\APN -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Ask -> Found
      [PUP.Ask|PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Driver Manager -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\SlimWare Utilities Inc -> Found
      [PUP.Gen0|PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Solvusoft -> Found
      [Hj.Shortcut][File] C:\RECYCLER\S-1-5-21-6082561-254202236-1922501081-1006\Dc129\Invisalign Doctor Site.lnk [[email protected]] C:\PROGRA~1\INTERN~1\iexplore.exe http://www.invisalign.com/vip -> Found
      [PUP.Gen0|PUP.Gen1][File] C:\RECYCLER\S-1-5-21-6082561-254202236-1922501081-1006\Dc691\Support Tools\Log Files.lnk [[email protected]] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SOLVUS~1\WINTHR~1\Logs -> Found
      [PUP.Ask|PUP.Gen1][Folder] C:\Program Files\AskPartnerNetwork -> Found
      [Hj.Shortcut][File] C:\Program Files\Dentrix\Data\Dental Ssesame\Dr's Web Page.lnk [[email protected]] C:\PROGRA~1\INTERN~1\iexplore.exe http://www.walpoledentist.com -> Found
      [Hj.Shortcut][File] C:\Program Files\Dentrix\Data\Dental Ssesame\Sesame Control Panel.lnk [[email protected]] C:\PROGRA~1\INTERN~1\iexplore.exe https://www4.orthosesame.com/kmischley/sesame/cp -> Found
      [Hj.Shortcut][File] C:\Program Files\Dentrix\Data\Dental Ssesame\Sesame Staff Access.lnk [[email protected]] C:\PROGRA~1\INTERN~1\iexplore.exe https://www4.orthosesame.com/kmischley/staff -> Found
      [Hj.Shortcut][File] C:\Program Files\Dentrix\Data\Dental Ssesame\Sesame Support.lnk [[email protected]] C:\PROGRA~1\INTERN~1\iexplore.exe http://www.orthosesame.com/support -> Found
      [PUP.HackTool][Folder] C:\Program Files\UltraVNC -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\APN -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Ask -> Found
      [PUP.Ask|PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\AskPartnerNetwork -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Driver Manager -> Found
      [PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\SlimWare Utilities Inc -> Found
      [PUP.Gen0|PUP.Gen1][Folder] C:\Documents and Settings\All Users\Application Data\Solvusoft -> Found
    • Click the Web browsers Tab and select the following items:
      [PUP.Gen2][Firefox:Addon] u8aaj7rr.default : Yahoo Toolbar and New Tab [{635abd67-4fe9-1b23-4f01-e679fa7484c1}] -> Found
      [PUM.HomePage][Firefox:Config] u8aaj7rr.default : user_pref("browser.startup.homepage", "http://search.hmyquickconverter.com?uid=e1f76fc8-e758-4283-8dae-65fdcd54d006&uc=20170814&ap=appfocus1&source=ntm-d&page=homepage&implementation_id=converter_4.1.3"); -> Found
    • Click the Delete button.

  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt)
    • The highest number of [X] is the most recent Delete log.
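The two RogueKiller posts above give the same detections first as one flat list and then split by tab, which is where the confusion came from: the report itself does not print the tab. As an added example (not RogueKiller's code and not the helper's), this Python script infers the tab of each detection line from its tag groups and separates the active malware (Kovter, the injected explorer.exe, the Miuref DLL) from the adware and changed settings. The sample lines are copied from the report quoted in this thread; the tab rules are inferred from that report's format, and the "Status" line is constructed to show a non-detection line being skipped.

```python
"""Sort RogueKiller detection lines into the tool's tabs and rank them.
Each detection is: one or more "[...]" tag groups, the object, then
"-> Found"; the tab is not printed, so a flat list is hard to match up."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^((?:\[[^\]]+\])+)\s+(.*?)\s+->\s+(\w+)$")
TAG_RE = re.compile(r"\[([^\]]+)\]")
# Detection-name prefixes that mean active malware rather than adware/PUP.
MALWARE_PREFIXES = ("Tr.", "VT.Trojan", "Proc.Injected")

# Lines copied from the report quoted in this thread; the first is a
# constructed non-detection line to show that the parser skips it.
SAMPLE_REPORT = [
    "Status : Scan Finished",
    r"[Proc.Injected] explorer.exe(6420) -- C:\WINDOWS\explorer.exe[7] -> Found",
    r"[VT.Trojan:Win32/Miuref.C] gdzcobql.dll(6420) -- C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia\gdzcobql.dll[-] -> Found",
    r'[PUP.Gen0|VT.PUP.Optional.ASK.Generic] (SVC) APNMCP -- "C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe"[7] -> Found',
    r"[PUP.Ask|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\AskPartnerNetwork -> Found",
    r"[PUM.SearchPage] HKEY_USERS\S-1-5-21-6082561-254202236-1922501081-1006\Software\Microsoft\Internet Explorer\Main | Search Page :  http://www.bing.com -> Found",
    r"[Tr.Kovter][File] C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc\95fc88.bat -> Found",
    r"[PUP.HackTool][Folder] C:\Program Files\UltraVNC -> Found",
    r"[PUP.Gen2][Firefox:Addon] u8aaj7rr.default : Yahoo Toolbar and New Tab [{635abd67-4fe9-1b23-4f01-e679fa7484c1}] -> Found",
]

def tab_for(kinds, body):
    """RogueKiller tab for a detection, inferred from the report format above."""
    if any(k.startswith("Firefox:") for k in kinds):
        return "Web browsers"
    if any(k in ("File", "Folder") for k in kinds):
        return "Files"
    if body.startswith("HKEY_"):
        return "Registry"
    if " -- " in body:  # "name.exe(pid) -- path" or "(SVC) name -- path"
        return "Processes"
    return "Unknown"

def severity_for(names):
    if any(n.startswith(MALWARE_PREFIXES) for n in names):
        return "malware"
    if any(n.startswith("Hj.") for n in names):
        return "suspect"  # hijacked shortcut: check the target before deleting
    if any(n.startswith("PUM.") for n in names):
        return "setting"  # unwanted modification of a home/search page
    return "pup"

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, blank or free-text line
    tags = TAG_RE.findall(m.group(1))
    names = tags[0].split("|")  # "PUP.Ask|PUP.Gen1" -> two detection names
    kinds = tags[1:]            # e.g. ["File"], ["Folder"], ["Firefox:Addon"]
    body = m.group(2)
    return {"names": names, "kinds": kinds, "body": body, "status": m.group(3),
            "tab": tab_for(kinds, body), "severity": severity_for(names)}

def group_by_tab(lines):
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        groups[rec["tab"]].append(rec)
    return dict(groups)

def malware_items(lines):
    """Detections to deal with first, whichever tab they sit under."""
    return [r for r in map(parse_line, lines) if r and r["severity"] == "malware"]

if __name__ == "__main__":
    for tab, recs in group_by_tab(SAMPLE_REPORT).items():
        print(f"{tab} tab ({len(recs)} items)")
        for r in recs:
            print(f"  [{r['severity']:8}] {'|'.join(r['names'])}: {r['body'][:60]}")
```

Run it against a saved RKreport text file by replacing SAMPLE_REPORT with the file's lines; entries under "Unknown" are ones the inferred rules did not recognise and should be checked by hand.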



Good morning, Kevin. I am still looking to have a brief telephone conversation, if possible, to get the big picture regarding this project. Please let me know if you are open to this or not. I really appreciate the help so far!

-Kevin

1-508-668-3970


Hello there. Here are the two most recent reports. The one dated 9.1.17 was one that I ran and didn't delete anything from because I wasn't sure what I had and what I had to delete. The second dated 9.6.17 is the one I ran and then deleted from. I understand that you do not offer phone support. I am just looking for some info on how you, and therefore I, will know when this is done? Not to rush anything! I am just curious.

 Thank you!

Rogue 9.6.17.txt

Rogue 9.1.17.txt


Hello,

I will be able to determine if the system is safe based on what I see in the logs as we go along. Once I am comfortable that the system is clean I will let you know.

Since it has been a while since I had you download AdwCleaner and JRT, delete the copies you have on your computer.

Download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on the Scan button.
  4. After the scan has finished, click on the Clean button.
  5. Confirm each time with OK.
  6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  7. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.

  1. Run the tool by double-clicking it.
  2. The tool will open and start scanning your system.
  3. Please be patient as this can take a while to complete depending on your system's specifications.
  4. On completion, a log is saved to your desktop and will automatically open.
  5. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.


Hello there. I am unable to run either AdwCleaner or JRT, much like the first time you asked me to do this about a month ago. You had me run RogueKiller at that time. Would you like me to do this again or do something else? I am going to be unable to come into the office tomorrow to run a scan but may on Sunday.

Thank you.

-Kevin


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

(PC Drivers HeadQuarters LP) C:\Program Files\Driver Support\svc\DriverSupportAOsvc.exe
(PC Drivers HeadQuarters LP) C:\Program Files\Driver Support\svc\DriverSupportAO.exe
(PC Drivers Headquarters LP) C:\Program Files\Driver Support\DriverSupport.exe
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.3.132.0\SeaPort.EXE
HKLM\...\Run: [ApnTBMon] => "C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Run: [DriverUpdate] => "C:\Program Files\DriverUpdate\DriverUpdate.exe" -boot
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2016-08-17]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.376\SSScheduler.exe (McAfee, Inc.)
FF Homepage: C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default -> hxxp://search.hmyquickconverter.com?uid=e1f76fc8-e758-4283-8dae-65fdcd54d006&uc=20170814&ap=appfocus1&source=ntm-d&page=homepage&implementation_id=converter_4.1.3
FF Extension: (Converter) - C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\Extensions\@Converter.xpi [2017-08-10]
FF Extension: (Yahoo! Toolbar) - C:\Documents and Settings\Maureen\Application Data\Mozilla\Firefox\Profiles\u8aaj7rr.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2015-03-06] [not signed]
FF HKU\S-1-5-21-6082561-254202236-1922501081-1006\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\Documents and Settings\All Users\Application Data\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: (McAfee Security Scan Plus) - C:\Documents and Settings\All Users\Application Data\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04] [not signed]
R2 DSAO; C:\Program Files\driver support\svc\DriverSupportAOsvc.exe [2033104 2016-10-22] (PC Drivers HeadQuarters LP)
S4 LMIRfsClientNP; no ImagePath
S3 NvtSp50; System32\Drivers\NvtSp50.sys [X]
U1 WS2IFSL; no ImagePath
2017-09-06 15:48 - 2016-09-19 11:00 - 000000000 ____D C:\Documents and Settings\Maureen\Local Settings\Application Data\c0b6cc
2017-09-06 15:48 - 2016-09-19 11:00 - 000000000 ____D C:\Documents and Settings\Maureen\Application Data\e06dc7
2017-08-16 13:26 - 2016-09-19 11:10 - 000000000 ____D C:\Documents and Settings\Maureen\Local Settings\Application Data\YWCPack
2017-08-16 13:26 - 2016-09-19 11:00 - 000000000 ____D C:\Documents and Settings\Maureen\Local Settings\Application Data\Uzpwmedia
2017-08-10 15:54 - 2017-08-10 15:54 - 006189288 _____ (PC Drivers HeadQuarters LP) C:\Documents and Settings\Maureen\Local Settings\Temp\DriverSupport.exe
2013-10-15 10:10 - 2013-10-15 10:10 - 002923816 _____ (McAfee, Inc.) C:\Documents and Settings\Maureen\Local Settings\Temp\SecurityScan_Release.exe
2012-10-26 12:39 - 2014-12-09 17:59 - 000636848 _____ (APN LLC.) C:\Documents and Settings\Maureen\Local Settings\Temp\setup.exe
2016-09-24 13:28 - 2016-09-24 13:29 - 000267776 _____ () C:\Documents and Settings\Maureen\Local Settings\Temp\systemrestore.exe
Task: C:\WINDOWS\Tasks\Driver Support-RTMRules.job => C:\Program Files\Driver Support\DriverSupport.exe
Task: C:\WINDOWS\Tasks\Driver Support-RTMScan.job => C:\Program Files\Driver Support\DriverSupport.exe
Task: C:\WINDOWS\Tasks\Driver Support-RTMUpdater.job => C:\Program Files\Driver Support\DriverSupport.exe
Task: C:\WINDOWS\Tasks\Driver Support.job => C:\Program Files\Driver Support\DriverSupport.exe

Close Notepad.



NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
