Scan webpage, Remote Control Attack, Unknown infection(s)


  • This topic is locked
7 replies to this topic

#1 haplo888

  • Members
  • 25 posts
  • OFFLINE
  • Local time:08:07 AM

Posted 12 November 2015 - 07:09 PM

My sister navigated to a scam webpage which told her she was infected and provided a number to call 'Microsoft', which unfortunately she did.  The person that answered had her run iexplore.exe + a website from a command prompt and she installed an unknown remote control app and the person took control of her computer. He showed her something indicating she had been '91% infected' and that her IP address would be compromised for 'all her devices', unless they helped her.

At this point she finally called me, and hearing red flags, I told her to power off the laptop and hang up.

 

Upon receiving the laptop I used Hiren's Boot CD to run Mini XP and ran Malwarebytes and some antivirus, which found and removed a few items. After that, from safe mode, I ran rkill, Malwarebytes, AdwCleaner, RogueKiller, and Trend Micro's stand-alone HouseCall; again a few discoveries were removed. I then finally did a regular boot and repeated rkill, Malwarebytes, and AdwCleaner, finding nothing. I also noticed GoToMeeting and a Citrix launcher were installed around the time of the incident, but I cannot confirm they are related. I uninstalled those, and reset IE and Firefox to defaults (FRST also shows Chrome).

 

At this point I posted on 'am i infected' and boopme instructed me to follow the prep guide and post here.

 

edit: Of note, the attack occurred ~ Sept. 30, so I'm adding a 90 Days Files FRST. Looks like the remote control was LogMeIn Rescue?

 

90-Day FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-11-2015
Ran by staceyandtom (administrator) on THANKSMOMANDDAD (12-11-2015 19:58:44)
Running from C:\Users\staceyandtom\Downloads
Loaded Profiles: staceyandtom (Available Profiles: staceyandtom)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\Dragon Notes\Core\DACore.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(DEVGURU Co., LTD.) C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
() C:\Program Files (x86)\Lexmark S410 Series\LMADGmon.exe
() C:\Program Files (x86)\Lexmark\ErrorApp\lmab1err.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.163\SSScheduler.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\n360.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\n360.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17709_none_fa7932f59afc2e40\TiWorker.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWXUX.exe
(Microsoft Corporation) C:\Windows\System32\prevhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7191768 2013-06-17] (Realtek Semiconductor)
HKLM\...\Run: [LMADGmon] => C:\Program Files (x86)\Lexmark S410 Series\LMADGmon.exe [952496 2012-09-07] ()
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [509192 2014-10-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-04-01] (Hewlett-Packard Company)
HKLM-x32\...\Run: [LMADGmon] => C:\Program Files (x86)\Lexmark S410 Series\LMADGmon.exe [952496 2012-09-07] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [Power2GoExpress8] => C:\Program Files (x86)\CyberLink\Power2Go8\Power2GoExpress8.exe [1718536 2014-07-23] (CyberLink Corp.)
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [LMab1err] => C:\Program Files (x86)\Lexmark\ErrorApp\LMab1err.exe [645296 2012-08-07] ()
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [LMADGmon] => C:\Program Files (x86)\Lexmark S410 Series\LMADGmon.exe [952496 2012-09-07] ()
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [Google Update] => C:\Users\staceyandtom\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-30] (Google Inc.)
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31280256 2015-04-17] (Skype Technologies S.A.)
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\MountPoints2: {b23ec5a3-561b-11e5-be93-a0481c27c6bd} - "H:\VZW_Software_upgrade_assistant.exe"
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\MountPoints2: {b4ab2c7b-6517-11e4-be72-806e6f6e6963} - "E:\SETUP.EXE"
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-09-03]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.163\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\staceyandtom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Verizon Wireless Software Utility Application for Android – Samsung.lnk [2015-09-24]
ShortcutTarget: Verizon Wireless Software Utility Application for Android – Samsung.lnk -> C:\Users\staceyandtom\AppData\Roaming\VERIZON\UA_ar\UA.exe (SAMSUNG Electornics Co., Ltd.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 0.0.0.1    mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{837131F3-EC07-4634-AE44-BA7EF29C045E}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT13/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT13/1
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.msn.com/HPNOT13/1
SearchScopes: HKLM -> {73C8A433-EF3B-4C0C-9AF2-12FF629CB537} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {73C8A433-EF3B-4C0C-9AF2-12FF629CB537} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\ssv.dll [2015-08-11] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\jp2ssv.dll [2015-08-11] (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T29L10NSP10EP1-10115/event/ieatgpc1.cab

FireFox:
========
FF ProfilePath: C:\Users\staceyandtom\AppData\Roaming\Mozilla\Firefox\Profiles\lt17cxki.default-1447343845856
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll [2014-12-09] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll [2014-12-09] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll [2013-04-03] (Adobe Systems, Inc.)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-02-13] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\dtplugin\npDeployJava1.dll [2015-08-11] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll [2015-08-11] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2012-10-12] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2282064086-2867235003-3058993359-1002: @citrixonline.com/appdetectorplugin -> C:\Users\staceyandtom\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-09-28] (Citrix Online)
FF Plugin HKU\S-1-5-21-2282064086-2867235003-3058993359-1002: @tools.google.com/Google Update;version=3 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-20] (Google Inc.)
FF Plugin HKU\S-1-5-21-2282064086-2867235003-3058993359-1002: @tools.google.com/Google Update;version=9 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-20] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2015-02-26] (Coupons, Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{EBA722F5-038F-4CAF-9EE2-545A221628BC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFPlgn [2015-11-12] [not signed]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\Exts\Chrome.crx [2015-11-12]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\Exts\Chrome.crx [2015-11-12]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-07-04] (Advanced Micro Devices, Inc.) [File not signed]
R2 DACoreService; C:\Program Files (x86)\Nuance\Dragon Notes\Core\DACore.exe [411024 2013-02-01] (Nuance Communications, Inc.)
R2 HPWMISVC; c:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [569608 2014-10-09] (Hewlett-Packard Development Company, L.P.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.163\McCHSvc.exe [289256 2015-07-31] (McAfee, Inc.)
R2 N360; C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\N360.exe [282016 2015-09-24] (Symantec Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-18] (Realtek Semiconductor)
R2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-10-13] (DEVGURU Co., LTD.)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-11-30] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59648 2013-09-20] (Advanced Micro Devices)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3880448 2013-11-13] (Qualcomm Atheros Communications, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [98744 2013-04-23] (Advanced Micro Devices)
R3 BHDrvx64; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\BASHDefs\20150706.001\BHDrvx64.sys [1648880 2015-07-10] (Symantec Corporation)
R3 ccSet_N360; C:\Windows\system32\drivers\N360x64\1605040.018\ccSetx64.sys [173808 2015-07-10] (Symantec Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-12-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-12-11] (Symantec Corporation)
R3 IDSVia64; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\IPSDefs\20150710.001\IDSVia64.sys [692984 2015-07-10] (Symantec Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2015-11-12] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
S3 NAVENG; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\VirusDefs\20150824.018\ENG64.SYS [138488 2015-05-20] (Symantec Corporation)
S3 NAVEX15; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\VirusDefs\20150824.018\EX64.SYS [2146040 2015-05-20] (Symantec Corporation)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290008 2015-01-25] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [29424 2013-06-04] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [33008 2013-06-04] (Synaptics Incorporated)
S3 SRTSP; C:\Windows\System32\Drivers\N360x64\1605040.018\SRTSP64.SYS [930024 2015-09-23] (Symantec Corporation)
R3 SRTSPX; C:\Windows\system32\drivers\N360x64\1605040.018\SRTSPX64.SYS [50936 2015-07-10] (Symantec Corporation)
R3 SymEFASI; C:\Windows\system32\drivers\N360x64\1605040.018\SYMEFASI64.SYS [1620720 2015-07-10] (Symantec Corporation)
S4 SymELAM; C:\Windows\system32\drivers\N360x64\1605040.018\SymELAM.sys [24192 2015-07-10] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-08-25] (Symantec Corporation)
R3 SymIRON; C:\Windows\system32\drivers\N360x64\1605040.018\Ironx64.SYS [297720 2015-07-10] (Symantec Corporation)
R3 SymNetS; C:\Windows\System32\Drivers\N360x64\1605040.018\SYMNETS.SYS [577768 2015-09-23] (Symantec Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-11-12] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2012-08-31] (Hewlett-Packard Development Company, L.P.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Three Months Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-12 19:58 - 2015-11-12 18:46 - 00028925 _____ C:\Users\staceyandtom\Downloads\Addition - Copy.txt
2015-11-12 19:58 - 2015-11-12 18:46 - 00027772 _____ C:\Users\staceyandtom\Downloads\FRST - Copy.txt
2015-11-12 18:51 - 2015-09-18 22:18 - 00035384 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2015-11-12 18:51 - 2015-09-18 08:42 - 01290752 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-11-12 18:51 - 2015-09-18 08:42 - 01163776 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2015-11-12 18:51 - 2015-09-18 08:42 - 00766464 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2015-11-12 18:51 - 2015-09-18 08:42 - 00699904 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2015-11-12 18:51 - 2015-09-18 08:42 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2015-11-12 18:51 - 2015-09-18 08:42 - 00073216 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2015-11-12 18:51 - 2015-09-12 08:47 - 00414559 _____ C:\WINDOWS\system32\ApnDatabase.xml
2015-11-12 18:49 - 2015-08-06 12:05 - 00669184 _____ (Microsoft Corporation) C:\WINDOWS\system32\hhctrl.ocx
2015-11-12 18:49 - 2015-08-06 11:37 - 00536576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\hhctrl.ocx
2015-11-12 18:47 - 2015-08-22 08:42 - 00901264 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ucrtbase.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00066400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00022368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00019808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00017760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00017760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00016224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00015712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00014176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00013664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:42 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00984448 _____ (Microsoft Corporation) C:\WINDOWS\system32\ucrtbase.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00063840 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-private-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00020832 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-math-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00019808 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00017760 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-string-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00017760 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-stdio-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00016224 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00015712 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-convert-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00014176 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-time-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00013664 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-process-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-heap-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00012640 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-conio-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-utility-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-locale-l1-1-0.dll
2015-11-12 18:47 - 2015-08-22 08:35 - 00012128 _____ (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-crt-environment-l1-1-0.dll
2015-11-12 18:47 - 2015-07-16 13:58 - 00074752 _____ (Microsoft Corporation) C:\WINDOWS\system32\NcdAutoSetup.dll
2015-11-12 18:45 - 2015-11-12 18:46 - 00028925 _____ C:\Users\staceyandtom\Downloads\Addition.txt
2015-11-12 18:44 - 2015-11-12 19:58 - 00019777 _____ C:\Users\staceyandtom\Downloads\FRST.txt
2015-11-12 18:44 - 2015-11-12 19:58 - 00000000 ____D C:\FRST
2015-11-12 18:44 - 2015-11-12 18:44 - 00000000 ____D C:\WINDOWS\System32\Tasks\Norton 360
2015-11-12 18:43 - 2015-11-12 18:43 - 02198528 _____ (Farbar) C:\Users\staceyandtom\Downloads\FRST64.exe
2015-11-12 15:41 - 2015-11-12 15:41 - 03796546 _____ C:\Users\staceyandtom\AppData\Local\census.cache
2015-11-12 15:41 - 2015-11-12 15:41 - 00071235 _____ C:\Users\staceyandtom\AppData\Local\ars.cache
2015-11-12 10:57 - 2015-11-12 10:57 - 00000000 ____D C:\Users\staceyandtom\Desktop\Old Firefox Data
2015-11-12 10:40 - 2015-11-12 10:40 - 00001231 _____ C:\Users\staceyandtom\Desktop\AdwCleaner[C1].txt
2015-11-12 10:24 - 2015-11-12 10:49 - 00000000 ____D C:\AdwCleaner
2015-11-12 10:16 - 2015-11-12 10:47 - 00002272 _____ C:\Users\staceyandtom\Desktop\Rkill.txt
2015-11-12 10:09 - 2015-11-12 10:09 - 00004504 _____ C:\Users\staceyandtom\Desktop\rogue.txt
2015-11-12 08:26 - 2015-11-12 08:26 - 01712128 _____ C:\Users\staceyandtom\Desktop\AdwCleaner.exe
2015-11-12 08:25 - 2015-11-12 08:25 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\staceyandtom\Downloads\iExplore.exe
2015-11-12 08:25 - 2015-11-12 08:25 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\staceyandtom\Desktop\iExplore.exe
2015-11-12 06:51 - 2015-11-12 11:44 - 00000010 _____ C:\Users\staceyandtom\AppData\Local\sponge.last.runtime.cache
2015-11-12 06:48 - 2015-11-12 19:22 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-11-12 06:47 - 2015-11-12 06:47 - 22908888 _____ (Malwarebytes ) C:\Users\staceyandtom\Downloads\mbam-setup-2.2.0.1024.exe
2015-11-12 06:47 - 2015-11-12 06:47 - 00001125 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-11-12 06:47 - 2015-11-12 06:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-11-12 06:47 - 2015-11-12 06:47 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-11-12 06:47 - 2015-11-12 06:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-11-12 06:47 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-11-12 06:47 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-11-12 06:47 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2015-11-12 06:45 - 2015-11-12 06:45 - 00000036 _____ C:\Users\staceyandtom\AppData\Local\housecall.guid.cache
2015-11-12 06:44 - 2015-11-12 06:44 - 02073512 _____ (Trend Micro Inc.) C:\Users\staceyandtom\Downloads\HousecallLauncher.exe
2015-11-12 06:31 - 2015-11-12 10:06 - 00035064 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-11-12 06:31 - 2015-11-12 06:42 - 00000000 ____D C:\ProgramData\RogueKiller
2015-11-09 06:56 - 2015-11-09 07:01 - 18979400 _____ C:\RogueKiller.exe
2015-11-09 06:37 - 2015-07-24 07:31 - 04404952 _____ (Kaspersky Lab ZAO) C:\TDSSKiller.exe
2015-09-30 17:01 - 2015-11-09 07:43 - 00000000 ____D C:\Program Files (x86)\LogMeIn Rescue RC - 8168a256-9155-4998-a2ec-e22cf9d1f5a4
2015-09-30 17:00 - 2015-09-30 17:00 - 00002303 _____ C:\Users\staceyandtom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Technical Support.lnk
2015-09-30 17:00 - 2015-09-30 17:00 - 00000000 ____D C:\Users\staceyandtom\AppData\Local\LogMeIn Rescue Applet
2015-09-28 16:49 - 2015-09-28 16:49 - 00003760 _____ C:\WINDOWS\System32\Tasks\G2MUploadTask-S-1-5-21-2282064086-2867235003-3058993359-1002
2015-09-28 16:49 - 2015-09-28 16:49 - 00003664 _____ C:\WINDOWS\System32\Tasks\G2MUpdateTask-S-1-5-21-2282064086-2867235003-3058993359-1002
2015-09-28 16:46 - 2015-11-12 11:04 - 00000000 ____D C:\Users\staceyandtom\AppData\Local\Citrix
2015-09-24 19:20 - 2015-09-24 19:20 - 00000000 ____D C:\Users\staceyandtom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Verizon
2015-09-24 19:18 - 2014-10-13 00:57 - 00206080 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\WINDOWS\system32\Drivers\ssudmdm.sys
2015-09-24 19:18 - 2014-10-13 00:57 - 00110336 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\WINDOWS\system32\Drivers\ssudbus.sys
2015-09-24 19:14 - 2015-09-24 19:44 - 00000000 ____D C:\Users\staceyandtom\AppData\Roaming\VERIZON
2015-09-24 19:14 - 2015-09-24 19:14 - 00000000 ____D C:\Users\Public\Documents\Verizon2.0_Log
2015-09-24 19:10 - 2015-09-24 19:10 - 00000000 ____D C:\Program Files\SAMSUNG
2015-09-23 15:48 - 2015-09-24 19:44 - 00000000 ____D C:\ProgramData\Samsung
2015-09-22 08:08 - 2015-09-24 19:12 - 00000000 ____D C:\Users\staceyandtom\Documents\girl scouts badge requirements printed
2015-09-12 07:37 - 2015-11-12 18:38 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton 360
2015-09-08 18:24 - 2015-08-22 13:19 - 25188352 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-09-08 18:24 - 2015-08-22 12:35 - 02886144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-09-08 18:24 - 2015-08-22 12:34 - 00585216 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-09-08 18:24 - 2015-08-22 12:22 - 19856384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-09-08 18:24 - 2015-08-22 12:21 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-09-08 18:24 - 2015-08-22 12:20 - 05923840 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-09-08 18:24 - 2015-08-22 11:55 - 00504832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-09-08 18:24 - 2015-08-22 11:50 - 02279424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-09-08 18:24 - 2015-08-22 11:50 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-09-08 18:24 - 2015-08-22 11:45 - 00665600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-09-08 18:24 - 2015-08-22 11:44 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-09-08 18:24 - 2015-08-22 11:41 - 14451712 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-09-08 18:24 - 2015-08-22 11:41 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-09-08 18:24 - 2015-08-22 11:41 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-09-08 18:24 - 2015-08-22 11:41 - 00374784 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-09-08 18:24 - 2015-08-22 11:39 - 02126336 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-09-08 18:24 - 2015-08-22 11:28 - 04520448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-09-08 18:24 - 2015-08-22 11:26 - 02427392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-09-08 18:24 - 2015-08-22 11:23 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-09-08 18:24 - 2015-08-22 11:22 - 12857344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-09-08 18:24 - 2015-08-22 11:20 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-09-08 18:24 - 2015-08-22 11:18 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-09-08 18:24 - 2015-08-22 11:18 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-09-08 18:24 - 2015-08-22 11:18 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-09-08 18:24 - 2015-08-22 11:14 - 01545728 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-09-08 18:24 - 2015-08-22 11:01 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-09-08 18:24 - 2015-08-22 11:00 - 01951232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-09-08 18:24 - 2015-08-22 10:56 - 01310720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-09-08 18:24 - 2015-08-22 10:55 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-09-08 18:24 - 2015-07-30 12:18 - 00268288 _____ (Microsoft Corporation) C:\WINDOWS\system32\InkEd.dll
2015-09-08 18:24 - 2015-07-30 11:22 - 00230912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\InkEd.dll
2015-09-08 18:24 - 2015-07-22 09:19 - 00041984 _____ (Microsoft Corporation) C:\WINDOWS\system32\UtcResources.dll
2015-09-08 18:24 - 2015-07-22 08:52 - 01633792 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack.dll
2015-09-08 18:24 - 2015-07-17 09:15 - 00951296 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdh.dll
2015-09-08 18:24 - 2015-07-17 09:10 - 00749568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdh.dll
2015-09-08 16:44 - 2015-09-02 21:18 - 02531400 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml6.dll
2015-09-08 16:44 - 2015-09-02 21:17 - 01903848 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msxml6.dll
2015-09-08 16:44 - 2015-09-02 13:48 - 02345472 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml3.dll
2015-09-08 16:44 - 2015-09-02 12:09 - 01556992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msxml3.dll
2015-09-08 16:43 - 2015-08-26 21:48 - 00136904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-09-08 16:43 - 2015-08-26 13:00 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-09-08 16:43 - 2015-08-26 13:00 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-09-08 16:43 - 2015-08-26 13:00 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-09-08 16:43 - 2015-08-26 13:00 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-09-08 16:43 - 2015-08-26 09:46 - 03705344 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-09-08 16:43 - 2015-08-26 09:29 - 02240512 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-09-08 16:43 - 2015-08-26 09:27 - 00891904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-09-08 16:43 - 2015-08-26 09:27 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-09-08 16:43 - 2015-08-26 09:26 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-09-08 16:43 - 2015-08-26 09:26 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-09-08 16:43 - 2015-08-26 09:26 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-09-08 16:43 - 2015-06-27 06:47 - 00118616 _____ (Microsoft Corporation) C:\WINDOWS\system32\consent.exe
2015-09-08 16:27 - 2015-07-03 16:51 - 01380056 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2015-09-08 16:27 - 2015-07-03 09:00 - 01097216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2015-09-08 16:24 - 2015-09-01 21:56 - 04175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-09-08 16:24 - 2015-09-01 21:55 - 00358912 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2015-09-08 16:24 - 2015-09-01 21:50 - 00044032 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2015-09-08 16:24 - 2015-09-01 21:17 - 00301568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2015-09-08 16:24 - 2015-09-01 21:13 - 00035840 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2015-09-08 16:24 - 2015-07-31 22:47 - 00229376 _____ (Microsoft Corporation) C:\WINDOWS\system32\schtasks.exe
2015-09-08 16:24 - 2015-07-31 22:45 - 00182784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schtasks.exe
2015-09-08 16:24 - 2015-07-31 22:38 - 01265152 _____ (Microsoft Corporation) C:\WINDOWS\system32\schedsvc.dll
2015-09-08 16:24 - 2015-07-31 22:37 - 00468992 _____ (Microsoft Corporation) C:\WINDOWS\system32\taskeng.exe
2015-09-08 16:24 - 2015-07-31 22:37 - 00359936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\taskeng.exe
2015-09-08 16:24 - 2015-07-22 09:34 - 02775552 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2015-09-08 16:24 - 2015-07-22 09:33 - 01728000 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Immersive.dll
2015-09-08 16:24 - 2015-07-22 09:25 - 02461184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2015-09-08 16:24 - 2015-07-22 09:25 - 01546752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Immersive.dll
2015-09-08 16:24 - 2015-07-18 13:31 - 00194048 _____ (Microsoft Corporation) C:\WINDOWS\system32\shacct.dll
2015-09-08 16:24 - 2015-07-18 13:29 - 00655872 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSync.dll
2015-09-08 16:24 - 2015-07-18 13:29 - 00148480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shacct.dll
2015-09-08 16:24 - 2015-07-18 13:27 - 00520192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSync.dll
2015-09-08 16:24 - 2015-07-09 11:14 - 00228864 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-09-08 16:24 - 2015-06-19 12:07 - 02819072 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingsHandlers.dll
2015-09-08 16:23 - 2015-08-03 16:15 - 00074928 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidapi.dll
2015-09-08 16:23 - 2015-08-03 16:15 - 00065600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\appidapi.dll
2015-09-08 16:23 - 2015-08-01 09:22 - 00039936 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidsvc.dll
2015-09-08 16:18 - 2015-07-13 22:27 - 00063488 _____ (Microsoft Corporation) C:\WINDOWS\system32\tzsync.exe
2015-09-06 20:31 - 2015-09-06 23:01 - 00000000 ____D C:\Users\staceyandtom\Documents\room parent
2015-09-05 11:53 - 2015-09-07 20:20 - 00000000 ____D C:\Users\staceyandtom\Documents\Aislynn's erosion project 9-15
2015-09-03 17:19 - 2015-09-03 17:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
2015-09-03 17:19 - 2015-09-03 17:19 - 00000000 ____D C:\Program Files\McAfee Security Scan
2015-09-01 20:50 - 2015-09-25 21:52 - 00000000 ____D C:\Users\staceyandtom\Documents\room rep 15-16
2015-08-25 09:58 - 2015-08-25 09:58 - 00000000 ____D C:\Users\staceyandtom\Documents\rentals

==================== Three Months Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-12 19:59 - 2014-11-30 11:28 - 01351754 _____ C:\WINDOWS\WindowsUpdate.log
2015-11-12 19:58 - 2015-01-26 12:14 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-11-12 19:58 - 2012-07-26 02:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-11-12 19:32 - 2015-04-13 10:39 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2015-11-12 19:32 - 2015-04-13 10:39 - 00000000 ___SD C:\WINDOWS\system32\GWX
2015-11-12 19:32 - 2014-12-15 18:04 - 00000000 ____D C:\WINDOWS\system32\appraiser
2015-11-12 19:32 - 2014-09-24 04:50 - 00000000 ___SD C:\WINDOWS\system32\CompatTel
2015-11-12 19:30 - 2014-11-08 10:13 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-11-12 19:27 - 2015-05-04 20:40 - 00000968 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2282064086-2867235003-3058993359-1002UA.job
2015-11-12 19:24 - 2014-11-05 14:43 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2282064086-2867235003-3058993359-1002
2015-11-12 19:00 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-11-12 18:52 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-11-12 18:42 - 2014-09-24 02:15 - 00956476 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-11-12 18:40 - 2014-11-05 14:28 - 00003982 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{28420496-A071-4D10-A1E9-98C8EC7C0BD0}
2015-11-12 18:39 - 2013-08-22 08:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2015-11-12 18:38 - 2014-11-13 19:28 - 00003206 _____ C:\WINDOWS\System32\Tasks\Norton WSC Integration
2015-11-12 18:38 - 2014-11-13 19:28 - 00002264 _____ C:\Users\Public\Desktop\Norton 360.LNK
2015-11-12 18:38 - 2014-11-13 19:27 - 00000000 ____D C:\WINDOWS\system32\Drivers\N360x64
2015-11-12 18:38 - 2014-11-05 14:30 - 00000000 ____D C:\Users\staceyandtom\Documents\Youcam
2015-11-12 18:38 - 2012-07-26 03:12 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2015-11-12 18:35 - 2013-08-22 09:46 - 00321411 _____ C:\WINDOWS\setupact.log
2015-11-12 18:35 - 2013-08-22 09:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-11-12 11:39 - 2015-05-10 14:21 - 00000000 ____D C:\Users\staceyandtom\AppData\Roaming\Skype
2015-11-12 10:55 - 2015-03-06 16:01 - 00003886 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2015-11-12 10:50 - 2014-11-08 09:40 - 00000052 _____ C:\WINDOWS\SysWOW64\DOErrors.log
2015-11-12 07:29 - 2014-11-30 11:36 - 00000000 ____D C:\Users\staceyandtom
2015-11-12 07:26 - 2014-12-09 08:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-11-12 07:26 - 2014-09-24 02:03 - 00051554 _____ C:\WINDOWS\PFRO.log
2015-11-12 06:26 - 2013-08-22 08:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-11-09 07:02 - 2013-08-22 08:36 - 00000000 __RHD C:\Users\Default
2015-10-27 18:43 - 2014-11-08 10:13 - 145617392 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

==================== Files in the root of some directories =======

2015-11-12 15:41 - 2015-11-12 15:41 - 0071235 _____ () C:\Users\staceyandtom\AppData\Local\ars.cache
2015-11-12 15:41 - 2015-11-12 15:41 - 3796546 _____ () C:\Users\staceyandtom\AppData\Local\census.cache
2015-11-12 06:45 - 2015-11-12 06:45 - 0000036 _____ () C:\Users\staceyandtom\AppData\Local\housecall.guid.cache
2015-11-12 06:51 - 2015-11-12 11:44 - 0000010 _____ () C:\Users\staceyandtom\AppData\Local\sponge.last.runtime.cache
2014-12-09 09:26 - 2014-12-15 18:05 - 0021602 _____ () C:\ProgramData\LMabWiaMini.log
2015-03-20 21:21 - 2015-09-22 09:35 - 0004980 _____ () C:\ProgramData\LMADGscan.log

Some files in TEMP:
====================
C:\Users\staceyandtom\AppData\Local\Temp\COMAP.EXE
C:\Users\staceyandtom\AppData\Local\Temp\dllnt_dump.dll
C:\Users\staceyandtom\AppData\Local\Temp\Extract.exe
C:\Users\staceyandtom\AppData\Local\Temp\GURA2D6.exe
C:\Users\staceyandtom\AppData\Local\Temp\ose00000.exe
C:\Users\staceyandtom\AppData\Local\Temp\SAMSUNG_USB_Driver_for_Mobile_Phones.exe
C:\Users\staceyandtom\AppData\Local\Temp\SkypeSetup.exe
C:\Users\staceyandtom\AppData\Local\Temp\SP71811.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-11-12 19:24

==================== End of FRST.txt ============================

30-Day FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-11-2015
Ran by staceyandtom (administrator) on THANKSMOMANDDAD (12-11-2015 18:44:50)
Running from C:\Users\staceyandtom\Downloads
Loaded Profiles: staceyandtom (Available Profiles: staceyandtom)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\Dragon Notes\Core\DACore.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(DEVGURU Co., LTD.) C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
() C:\Program Files (x86)\Lexmark S410 Series\LMADGmon.exe
() C:\Program Files (x86)\Lexmark\ErrorApp\lmab1err.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.163\SSScheduler.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\n360.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\n360.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17709_none_fa7932f59afc2e40\TiWorker.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7191768 2013-06-17] (Realtek Semiconductor)
HKLM\...\Run: [LMADGmon] => C:\Program Files (x86)\Lexmark S410 Series\LMADGmon.exe [952496 2012-09-07] ()
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [509192 2014-10-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-04-01] (Hewlett-Packard Company)
HKLM-x32\...\Run: [LMADGmon] => C:\Program Files (x86)\Lexmark S410 Series\LMADGmon.exe [952496 2012-09-07] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [Power2GoExpress8] => C:\Program Files (x86)\CyberLink\Power2Go8\Power2GoExpress8.exe [1718536 2014-07-23] (CyberLink Corp.)
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [LMab1err] => C:\Program Files (x86)\Lexmark\ErrorApp\LMab1err.exe [645296 2012-08-07] ()
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [LMADGmon] => C:\Program Files (x86)\Lexmark S410 Series\LMADGmon.exe [952496 2012-09-07] ()
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [Google Update] => C:\Users\staceyandtom\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-30] (Google Inc.)
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31280256 2015-04-17] (Skype Technologies S.A.)
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\MountPoints2: {b23ec5a3-561b-11e5-be93-a0481c27c6bd} - "H:\VZW_Software_upgrade_assistant.exe"
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\...\MountPoints2: {b4ab2c7b-6517-11e4-be72-806e6f6e6963} - "E:\SETUP.EXE"
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\buShell.dll [2015-08-27] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2015-09-03]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.163\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\staceyandtom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Verizon Wireless Software Utility Application for Android – Samsung.lnk [2015-09-24]
ShortcutTarget: Verizon Wireless Software Utility Application for Android – Samsung.lnk -> C:\Users\staceyandtom\AppData\Roaming\VERIZON\UA_ar\UA.exe (SAMSUNG Electornics Co., Ltd.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 0.0.0.1    mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{837131F3-EC07-4634-AE44-BA7EF29C045E}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT13/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT13/1
HKU\S-1-5-21-2282064086-2867235003-3058993359-1002\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.msn.com/HPNOT13/1
SearchScopes: HKLM -> {73C8A433-EF3B-4C0C-9AF2-12FF629CB537} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {73C8A433-EF3B-4C0C-9AF2-12FF629CB537} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\ssv.dll [2015-08-11] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\jp2ssv.dll [2015-08-11] (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\coIEPlg.dll [2015-09-23] (Symantec Corporation)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T29L10NSP10EP1-10115/event/ieatgpc1.cab

FireFox:
========
FF ProfilePath: C:\Users\staceyandtom\AppData\Roaming\Mozilla\Firefox\Profiles\lt17cxki.default-1447343845856
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll [2014-12-09] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll [2014-12-09] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll [2013-04-03] (Adobe Systems, Inc.)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-02-13] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\dtplugin\npDeployJava1.dll [2015-08-11] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll [2015-08-11] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2012-10-12] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2282064086-2867235003-3058993359-1002: @citrixonline.com/appdetectorplugin -> C:\Users\staceyandtom\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-09-28] (Citrix Online)
FF Plugin HKU\S-1-5-21-2282064086-2867235003-3058993359-1002: @tools.google.com/Google Update;version=3 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-20] (Google Inc.)
FF Plugin HKU\S-1-5-21-2282064086-2867235003-3058993359-1002: @tools.google.com/Google Update;version=9 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-20] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2015-02-26] (Coupons, Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{EBA722F5-038F-4CAF-9EE2-545A221628BC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFPlgn [2015-11-12] [not signed]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\Exts\Chrome.crx [2015-11-12]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\Exts\Chrome.crx [2015-11-12]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-07-04] (Advanced Micro Devices, Inc.) [File not signed]
R2 DACoreService; C:\Program Files (x86)\Nuance\Dragon Notes\Core\DACore.exe [411024 2013-02-01] (Nuance Communications, Inc.)
R2 HPWMISVC; c:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [569608 2014-10-09] (Hewlett-Packard Development Company, L.P.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.163\McCHSvc.exe [289256 2015-07-31] (McAfee, Inc.)
R2 N360; C:\Program Files (x86)\Norton 360\Engine\22.5.4.24\N360.exe [282016 2015-09-24] (Symantec Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-18] (Realtek Semiconductor)
R2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-10-13] (DEVGURU Co., LTD.)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-11-30] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AODDriver4.2.0; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59648 2013-09-20] (Advanced Micro Devices)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3880448 2013-11-13] (Qualcomm Atheros Communications, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [98744 2013-04-23] (Advanced Micro Devices)
R3 BHDrvx64; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\BASHDefs\20150706.001\BHDrvx64.sys [1648880 2015-07-10] (Symantec Corporation)
R3 ccSet_N360; C:\Windows\system32\drivers\N360x64\1605040.018\ccSetx64.sys [173808 2015-07-10] (Symantec Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-12-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-12-11] (Symantec Corporation)
R3 IDSVia64; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\IPSDefs\20150710.001\IDSVia64.sys [692984 2015-07-10] (Symantec Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2015-11-12] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
S3 NAVENG; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\VirusDefs\20150824.018\ENG64.SYS [138488 2015-05-20] (Symantec Corporation)
S3 NAVEX15; C:\Program Files (x86)\Norton 360\NortonData\22.5.2.15\Definitions\VirusDefs\20150824.018\EX64.SYS [2146040 2015-05-20] (Symantec Corporation)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290008 2015-01-25] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [29424 2013-06-04] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [33008 2013-06-04] (Synaptics Incorporated)
S3 SRTSP; C:\Windows\System32\Drivers\N360x64\1605040.018\SRTSP64.SYS [930024 2015-09-23] (Symantec Corporation)
R3 SRTSPX; C:\Windows\system32\drivers\N360x64\1605040.018\SRTSPX64.SYS [50936 2015-07-10] (Symantec Corporation)
R3 SymEFASI; C:\Windows\system32\drivers\N360x64\1605040.018\SYMEFASI64.SYS [1620720 2015-07-10] (Symantec Corporation)
S4 SymELAM; C:\Windows\system32\drivers\N360x64\1605040.018\SymELAM.sys [24192 2015-07-10] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-08-25] (Symantec Corporation)
R3 SymIRON; C:\Windows\system32\drivers\N360x64\1605040.018\Ironx64.SYS [297720 2015-07-10] (Symantec Corporation)
R3 SymNetS; C:\Windows\System32\Drivers\N360x64\1605040.018\SYMNETS.SYS [577768 2015-09-23] (Symantec Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-11-12] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2012-08-31] (Hewlett-Packard Development Company, L.P.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-12 18:44 - 2015-11-12 18:45 - 00019465 _____ C:\Users\staceyandtom\Downloads\FRST.txt
2015-11-12 18:44 - 2015-11-12 18:44 - 00000000 ____D C:\WINDOWS\System32\Tasks\Norton 360
2015-11-12 18:44 - 2015-11-12 18:44 - 00000000 ____D C:\FRST
2015-11-12 18:43 - 2015-11-12 18:43 - 02198528 _____ (Farbar) C:\Users\staceyandtom\Downloads\FRST64.exe
2015-11-12 15:41 - 2015-11-12 15:41 - 03796546 _____ C:\Users\staceyandtom\AppData\Local\census.cache
2015-11-12 15:41 - 2015-11-12 15:41 - 00071235 _____ C:\Users\staceyandtom\AppData\Local\ars.cache
2015-11-12 10:57 - 2015-11-12 10:57 - 00000000 ____D C:\Users\staceyandtom\Desktop\Old Firefox Data
2015-11-12 10:40 - 2015-11-12 10:40 - 00001231 _____ C:\Users\staceyandtom\Desktop\AdwCleaner[C1].txt
2015-11-12 10:24 - 2015-11-12 10:49 - 00000000 ____D C:\AdwCleaner
2015-11-12 10:16 - 2015-11-12 10:47 - 00002272 _____ C:\Users\staceyandtom\Desktop\Rkill.txt
2015-11-12 10:09 - 2015-11-12 10:09 - 00004504 _____ C:\Users\staceyandtom\Desktop\rogue.txt
2015-11-12 08:26 - 2015-11-12 08:26 - 01712128 _____ C:\Users\staceyandtom\Desktop\AdwCleaner.exe
2015-11-12 08:25 - 2015-11-12 08:25 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\staceyandtom\Downloads\iExplore.exe
2015-11-12 08:25 - 2015-11-12 08:25 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\staceyandtom\Desktop\iExplore.exe
2015-11-12 06:51 - 2015-11-12 11:44 - 00000010 _____ C:\Users\staceyandtom\AppData\Local\sponge.last.runtime.cache
2015-11-12 06:48 - 2015-11-12 18:36 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-11-12 06:47 - 2015-11-12 06:47 - 22908888 _____ (Malwarebytes ) C:\Users\staceyandtom\Downloads\mbam-setup-2.2.0.1024.exe
2015-11-12 06:47 - 2015-11-12 06:47 - 00001125 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-11-12 06:47 - 2015-11-12 06:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-11-12 06:47 - 2015-11-12 06:47 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-11-12 06:47 - 2015-11-12 06:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-11-12 06:47 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-11-12 06:47 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-11-12 06:47 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2015-11-12 06:45 - 2015-11-12 06:45 - 00000036 _____ C:\Users\staceyandtom\AppData\Local\housecall.guid.cache
2015-11-12 06:44 - 2015-11-12 06:44 - 02073512 _____ (Trend Micro Inc.) C:\Users\staceyandtom\Downloads\HousecallLauncher.exe
2015-11-12 06:31 - 2015-11-12 10:06 - 00035064 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-11-12 06:31 - 2015-11-12 06:42 - 00000000 ____D C:\ProgramData\RogueKiller
2015-11-09 06:56 - 2015-11-09 07:01 - 18979400 _____ C:\RogueKiller.exe
2015-11-09 06:37 - 2015-07-24 07:31 - 04404952 _____ (Kaspersky Lab ZAO) C:\TDSSKiller.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-12 18:45 - 2012-07-26 02:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-11-12 18:42 - 2014-09-24 02:15 - 00956476 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-11-12 18:41 - 2014-11-05 14:43 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2282064086-2867235003-3058993359-1002
2015-11-12 18:40 - 2014-11-05 14:28 - 00003982 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{28420496-A071-4D10-A1E9-98C8EC7C0BD0}
2015-11-12 18:39 - 2013-08-22 08:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2015-11-12 18:38 - 2015-09-12 07:37 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton 360
2015-11-12 18:38 - 2014-11-13 19:28 - 00003206 _____ C:\WINDOWS\System32\Tasks\Norton WSC Integration
2015-11-12 18:38 - 2014-11-13 19:28 - 00002264 _____ C:\Users\Public\Desktop\Norton 360.LNK
2015-11-12 18:38 - 2014-11-13 19:27 - 00000000 ____D C:\WINDOWS\system32\Drivers\N360x64
2015-11-12 18:38 - 2014-11-05 14:30 - 00000000 ____D C:\Users\staceyandtom\Documents\Youcam
2015-11-12 18:38 - 2012-07-26 03:12 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2015-11-12 18:37 - 2014-11-30 11:28 - 01748587 _____ C:\WINDOWS\WindowsUpdate.log
2015-11-12 18:35 - 2013-08-22 09:46 - 00321411 _____ C:\WINDOWS\setupact.log
2015-11-12 18:35 - 2013-08-22 09:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-11-12 11:39 - 2015-05-10 14:21 - 00000000 ____D C:\Users\staceyandtom\AppData\Roaming\Skype
2015-11-12 11:27 - 2015-05-04 20:40 - 00000968 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2282064086-2867235003-3058993359-1002UA.job
2015-11-12 11:04 - 2015-09-28 16:46 - 00000000 ____D C:\Users\staceyandtom\AppData\Local\Citrix
2015-11-12 11:03 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-11-12 10:55 - 2015-03-06 16:01 - 00003886 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2015-11-12 10:50 - 2014-11-08 09:40 - 00000052 _____ C:\WINDOWS\SysWOW64\DOErrors.log
2015-11-12 07:29 - 2014-11-30 11:36 - 00000000 ____D C:\Users\staceyandtom
2015-11-12 07:26 - 2014-12-09 08:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-11-12 07:26 - 2014-09-24 02:03 - 00051554 _____ C:\WINDOWS\PFRO.log
2015-11-12 06:26 - 2013-08-22 08:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-11-09 07:43 - 2015-09-30 17:01 - 00000000 ____D C:\Program Files (x86)\LogMeIn Rescue RC - 8168a256-9155-4998-a2ec-e22cf9d1f5a4
2015-11-09 07:39 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-11-09 07:02 - 2013-08-22 08:36 - 00000000 __RHD C:\Users\Default

==================== Files in the root of some directories =======

2015-11-12 15:41 - 2015-11-12 15:41 - 0071235 _____ () C:\Users\staceyandtom\AppData\Local\ars.cache
2015-11-12 15:41 - 2015-11-12 15:41 - 3796546 _____ () C:\Users\staceyandtom\AppData\Local\census.cache
2015-11-12 06:45 - 2015-11-12 06:45 - 0000036 _____ () C:\Users\staceyandtom\AppData\Local\housecall.guid.cache
2015-11-12 06:51 - 2015-11-12 11:44 - 0000010 _____ () C:\Users\staceyandtom\AppData\Local\sponge.last.runtime.cache
2014-12-09 09:26 - 2014-12-15 18:05 - 0021602 _____ () C:\ProgramData\LMabWiaMini.log
2015-03-20 21:21 - 2015-09-22 09:35 - 0004980 _____ () C:\ProgramData\LMADGscan.log

Some files in TEMP:
====================
C:\Users\staceyandtom\AppData\Local\Temp\COMAP.EXE
C:\Users\staceyandtom\AppData\Local\Temp\dllnt_dump.dll
C:\Users\staceyandtom\AppData\Local\Temp\Extract.exe
C:\Users\staceyandtom\AppData\Local\Temp\GURA2D6.exe
C:\Users\staceyandtom\AppData\Local\Temp\ose00000.exe
C:\Users\staceyandtom\AppData\Local\Temp\SAMSUNG_USB_Driver_for_Mobile_Phones.exe
C:\Users\staceyandtom\AppData\Local\Temp\SkypeSetup.exe
C:\Users\staceyandtom\AppData\Local\Temp\SP71811.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-09-26 15:21

==================== End of FRST.txt ============================


Edited by haplo888, 13 November 2015 - 03:10 AM.
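As an added example (not code from this thread, from FRST, or from its author), the following Python script parses FRST-style log lines the way a responder reads the log above: it pulls apart the "Drivers" and "One Month Created/Modified" sections, lists drivers that FRST printed with an empty publisher field (TrueSight.sys above is one), finds every entry mentioning a given remote-support product such as LogMeIn, and lists what was created on disk inside a chosen incident window. The sample lines are copied from the log in this post; the regular expressions and the assumption that FRST prints "created - modified" in the Created section and "modified - created" in the Modified section are inferred from those lines, not taken from FRST documentation.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log text.

Added example for this thread; not part of FRST and not code posted in the
thread. It parses the "Drivers" and "One Month Created/Modified" sections in
the line format FRST prints and answers the questions a responder asks of such
a log: which drivers carry no publisher name, which entries mention a given
remote-support product, and what appeared on disk inside an incident window.
"""
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample in FRST's line format, using entries copied from the log
# posted in this thread (section headers shortened).
SAMPLE_LOG = r"""
===================== Drivers (Whitelisted) ==========================
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-11-12] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)

==================== One Month Created files and folders ========
2015-11-12 18:43 - 2015-11-12 18:43 - 02198528 _____ (Farbar) C:\Users\staceyandtom\Downloads\FRST64.exe
2015-11-12 06:31 - 2015-11-12 10:06 - 00035064 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-11-09 06:56 - 2015-11-09 07:01 - 18979400 _____ C:\RogueKiller.exe

==================== One Month Modified files and folders ========
2015-11-12 11:04 - 2015-09-28 16:46 - 00000000 ____D C:\Users\staceyandtom\AppData\Local\Citrix
2015-11-09 07:43 - 2015-09-30 17:01 - 00000000 ____D C:\Program Files (x86)\LogMeIn Rescue RC - 8168a256-9155-4998-a2ec-e22cf9d1f5a4
"""

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+\s*$")
# "R3 name; path [size date] (company)"
DRIVER_RE = re.compile(
    r"^([RSU]\d) (\S+); (.+?) \[(\d+) (\d{4}-\d{2}-\d{2})\] \((.*)\)$")
# "ts1 - ts2 - size attrs [(company)] path"; which timestamp is the creation
# time depends on the section (assumption inferred from the posted log)
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) (\S+) (?:\((.*?)\) )?(.+)$")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_frst(text: str) -> List[Dict]:
    """Parse driver and file entries into dicts, tracking the section each came from."""
    records: List[Dict] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section.startswith("Drivers"):
            m = DRIVER_RE.match(line)
            if m:
                records.append({"kind": "driver", "state": m.group(1), "name": m.group(2),
                                "path": m.group(3), "size": int(m.group(4)),
                                "date": m.group(5), "company": m.group(6)})
            continue
        m = FILE_RE.match(line)
        if m and section.startswith("One Month"):
            # Created section prints "created - modified"; Modified section
            # prints "modified - created".
            first, second = _ts(m.group(1)), _ts(m.group(2))
            created, modified = (first, second) if "Created" in section else (second, first)
            records.append({"kind": "file", "created": created, "modified": modified,
                            "size": int(m.group(3)), "attrs": m.group(4),
                            "company": m.group(5) or "", "path": m.group(6)})
    return records


def unsigned_drivers(records: List[Dict]) -> List[str]:
    """Names of drivers listed with an empty publisher field: identify these by hand."""
    return [r["name"] for r in records if r["kind"] == "driver" and not r["company"]]


def mentions(records: List[Dict], needle: str) -> List[str]:
    """Paths of every record whose path contains the product name (case-insensitive)."""
    return [r["path"] for r in records if needle.lower() in r["path"].lower()]


def created_between(records: List[Dict], start: str, end: str) -> List[str]:
    """Paths of files/folders created inside [start, end], given as 'YYYY-MM-DD HH:MM'."""
    lo, hi = _ts(start), _ts(end)
    return [r["path"] for r in records if r["kind"] == "file" and lo <= r["created"] <= hi]


if __name__ == "__main__":
    recs = parse_frst(SAMPLE_LOG)
    print("unsigned drivers:", unsigned_drivers(recs))
    print("LogMeIn mentions:", mentions(recs, "logmein"))
    print("created on 2015-11-09:", created_between(recs, "2015-11-09 00:00", "2015-11-09 23:59"))
```

Run against a full FRST.txt by reading the file into `parse_frst` instead of `SAMPLE_LOG`. An empty publisher field is only a prompt to look closer, not a verdict: in this thread TrueSight.sys belongs to RogueKiller, which the poster ran that morning, and the "Modified" section shows the LogMeIn Rescue folder was created weeks before the scan, which is exactly the kind of timeline detail the creation/modification ordering preserves.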


#2 nasdaq

  • Malware Response Team
  • 39,528 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 16 November 2015 - 10:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

No malware was found on your 90-day logs.

This is just a cleaning of empty items.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
C:\Users\staceyandtom\AppData\Local\Temp\COMAP.EXE
C:\Users\staceyandtom\AppData\Local\Temp\dllnt_dump.dll
C:\Users\staceyandtom\AppData\Local\Temp\Extract.exe
C:\Users\staceyandtom\AppData\Local\Temp\GURA2D6.exe
C:\Users\staceyandtom\AppData\Local\Temp\ose00000.exe
C:\Users\staceyandtom\AppData\Local\Temp\SAMSUNG_USB_Driver_for_Mobile_Phones.exe
C:\Users\staceyandtom\AppData\Local\Temp\SkypeSetup.exe
C:\Users\staceyandtom\AppData\Local\Temp\SP71811.exe
CustomCLSID: HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#3 haplo888

  • Topic Starter
  • Members
  • 25 posts
  • OFFLINE
  • Local time:08:07 AM

Posted 17 November 2015 - 04:49 AM

I did as you said and am pasting the fixlog below.  My only remaining concern is that LogMeIn Rescue, which seems like it may be a legitimate app, is what was installed and used by the scammers.  Is simply deleting the 'C:\Users\staceyandtom\AppData\Local\LogMeIn Rescue Applet' folder sufficient? Could they have left behind anything else that could allow them access back into her computer?

Thanks for your help.

Fix result of Farbar Recovery Scan Tool (x64) Version:16-11-2015
Ran by staceyandtom (2015-11-17 04:22:07) Run:1
Running from C:\Users\staceyandtom\Downloads
Loaded Profiles: staceyandtom &  (Available Profiles: staceyandtom)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
C:\Users\staceyandtom\AppData\Local\Temp\COMAP.EXE
C:\Users\staceyandtom\AppData\Local\Temp\dllnt_dump.dll
C:\Users\staceyandtom\AppData\Local\Temp\Extract.exe
C:\Users\staceyandtom\AppData\Local\Temp\GURA2D6.exe
C:\Users\staceyandtom\AppData\Local\Temp\ose00000.exe
C:\Users\staceyandtom\AppData\Local\Temp\SAMSUNG_USB_Driver_for_Mobile_Phones.exe
C:\Users\staceyandtom\AppData\Local\Temp\SkypeSetup.exe
C:\Users\staceyandtom\AppData\Local\Temp\SP71811.exe
CustomCLSID: HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\staceyandtom\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
C:\Users\staceyandtom\AppData\Local\Temp\COMAP.EXE => moved successfully
C:\Users\staceyandtom\AppData\Local\Temp\dllnt_dump.dll => moved successfully
C:\Users\staceyandtom\AppData\Local\Temp\Extract.exe => moved successfully
C:\Users\staceyandtom\AppData\Local\Temp\GURA2D6.exe => moved successfully
C:\Users\staceyandtom\AppData\Local\Temp\ose00000.exe => moved successfully
C:\Users\staceyandtom\AppData\Local\Temp\SAMSUNG_USB_Driver_for_Mobile_Phones.exe => moved successfully
C:\Users\staceyandtom\AppData\Local\Temp\SkypeSetup.exe => moved successfully
C:\Users\staceyandtom\AppData\Local\Temp\SP71811.exe => moved successfully
"HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-2282064086-2867235003-3058993359-1002_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
EmptyTemp: => 517.2 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 04:23:45 ====



#4 nasdaq

  • Malware Response Team
  • 39,528 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 17 November 2015 - 09:55 AM

I checked all your logs and the only references to LogMeIn are the following.

Delete both folders in bold.

C:\Program Files (x86)\LogMeIn Rescue RC - 8168a256-9155-4998-a2ec-e22cf9d1f5a4
C:\Users\staceyandtom\AppData\Local\LogMeIn Rescue Applet

Let's look also in the Registry.

Please run the Farbar Recovery Scan Tool. Enter LogMeIn in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

If you find anything in the registry post the log.
I will give you a fix for it.

#5 haplo888

  • Topic Starter
  • Members
  • 25 posts
  • OFFLINE
  • Local time:08:07 AM

Posted 17 November 2015 - 02:12 PM

Farbar Recovery Scan Tool (x64) Version:16-11-2015
Ran by staceyandtom (2015-11-17 14:10:41)
Running from C:\Users\staceyandtom\Downloads
Boot Mode: Normal

================== Search Registry: "LogMeIn" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
""="LogMeIn Rescue GUI"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LogMeIn Rescue]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LogMeInRescueCallingCard]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LogMeInRescueCallingCard]
"WebSite"="secure.logmeinrescue-enterprise.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LogMeInRescueCallingCard\Version]
"ProductName"="LogMeIn Rescue Calling Card"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LogMeInRescueCallingCard\Version]
"MenuFolder"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Rescue Calling Card\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
""="LogMeIn Rescue GUI"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\LogMeIn Rescue RC - 8168a256-9155-4998-a2ec-e22cf9d1f5a4\LMIRescueRC.exe"="0x53414350010000000000000007000000280000006073320025A9320001000000000000000000030600210000975FD891C99ECE010000000000000000020000002800000000000000000000400000000000000000000000000000000002B31E00000000000200000002000000"
[HKEY_USERS\S-1-5-21-2282064086-2867235003-3058993359-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"SIGN.IE=0183D40 Support-LogMeInRescue.exe"="0x5341435001000000000000000700000028000000403D18002A4E180001000000000000000000030600210000975FD891C99ECE010000000000000000"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\LogMeIn Rescue RC - 8168a256-9155-4998-a2ec-e22cf9d1f5a4\LMIRescueRC.exe"="0x53414350010000000000000007000000280000006073320025A9320001000000000000000000030600210000975FD891C99ECE010000000000000000020000002800000000000000000000400000000000000000000000000000000002B31E00000000000200000002000000"

====== End of Search ======



#6 nasdaq

  • Malware Response Team
  • 39,528 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 18 November 2015 - 08:58 AM

Copy the text IN THE CODE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "All files". Once you have saved it, right click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LogMeIn Rescue]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LogMeInRescueCallingCard]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\LogMeInRescueCallingCard\Version]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{12BC4FF0-603E-4f21-9F53-F63FF34F6ED4}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
[HKEY_USERS\S-1-5-21-2282064086-2867235003-3058993359-1002\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]

Restart the computer when completed.

You can delete the fixme.reg file when done.

You should have no more worries about LogMeIn issues.

#7 nasdaq

  • Malware Response Team
  • 39,528 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 24 November 2015 - 09:16 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#8 nasdaq

  • Malware Response Team
  • 39,528 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 30 November 2015 - 09:55 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



