
Malware hiding? Had Zeus Pop-up in Chrome


  • This topic is locked
19 replies to this topic

#1 BettisGuy

Posted 08 June 2017 - 02:27 PM

Hello. I am posting the FSS log of my scan. Issue started 2 days ago when I got redirected in Chrome to a Zeus pop-up. Read that they are not "real viruses" (Am and have been running Norton) but needed to clean it off. Found this site (Thank you!!), downloaded malwarebytes, hitman pro, Zemana, ran them all with nothing showing up. (Still got pop-ups and redirects and slow speeds, so figured I still had something.)

 

Learned about root killers and got both rkill and tdsskiller and have been running them. Noticed later that in my download file there are additional versions of them created minutes after the original. Each has a (1) or something else appended to it. (Later I found it had done the same with Norton Power Eraser and HitmanPro.) I suspect these somehow compromised the programs or overran them, as I never got any threats to show up in the rootkit tools or malware scans.

 

When I ran NPE it wouldn't run the original, only the NPE (1).exe version (which has been deleted now by me). The npe.exe version said I needed the latest version and to click here to download it, which I did--probably a mistake.

 

Found some thread that led me to check my hosts file--it was in Chinese. Copied and pasted in the default text from Windows, ran HitmanPro on it fearing that might not solve the problem. It turned up an error and created a "clean version" but that was also Chinese characters, but fewer. I totally deleted the hosts file and created a new one and put it in the etc folder. Have been checking that one periodically and it is unchanged so far.

 

Also downloaded AdwCleaner and have run it several times. It found a bunch of tracking cookies, and then a bunch more, but nothing in the scans today. Ran Stinger too, nothing.

 

Downloaded the iexplore version of rkill and ran it in safe mode (and regular) with no internet connection--no processes stopped until just now, and that was FSS.exe--see below.

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 06/08/2017 03:20:59 PM in x64 mode.
Windows Version: Windows 8.1 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Users\Kevin Fox\Downloads\FSS.exe (PID: 5464) [UP-HEUR]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 06/08/2017 03:24:16 PM
Execution time: 0 hours(s), 3 minute(s), and 16 seconds(s)
 
Feels like something serious is going on here. Need help and will respond immediately.
 
Thanks
 
Below is the Farbar scan.
 
Farbar Service Scanner Version: 27-01-2016
Ran by Kevin Fox (administrator) on 08-06-2017 at 14:44:04
Running from "C:\Users\Kevin Fox\Downloads"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
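Two indicators in the logs above are worth re-checking by hand rather than trusting a single tool: the `DisableAntiSpyware` policy value that Rkill and FSS both flagged, and the hosts file that the poster found rewritten (FRST later reports no hosts file in the default directory). The following PowerShell triage script is an added example for this thread, not code from the poster or from any of the tools named; it assumes an elevated PowerShell 4+ session on Windows 8.1 with default system paths.

```powershell
# Added triage script (not from the thread or from any tool it mentions).
# Re-checks two host-level indicators that surfaced in the Rkill/FSS logs:
#   1. the Windows Defender "DisableAntiSpyware" policy value and WinDefend start mode
#   2. active (non-comment) entries in the hosts file, flagging non-loopback or non-ASCII lines
# Assumption: run elevated; registry path and hosts path are the Windows defaults.

$DefenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$HostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-DefenderPolicyState {
    # Reads the policy value Rkill reported as "DisableAntiSpyware" = dword:00000001
    # and the WinDefend service configuration FSS reported as "Demand" (default is Auto).
    $prop  = Get-ItemProperty -Path $DefenderKey -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { $prop.DisableAntiSpyware } else { $null }
    $svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'" -ErrorAction SilentlyContinue

    $startMode = if ($svc) { $svc.StartMode } else { 'service not found' }
    $state     = if ($svc) { $svc.State }     else { 'service not found' }

    [pscustomobject]@{
        DisableAntiSpyware = if ($null -eq $value) { 'not set' } else { $value }
        DefenderDisabled   = ($value -eq 1)
        WinDefendStartMode = $startMode
        WinDefendState     = $state
    }
}

function Get-HostsFileEntries {
    # Returns each active hosts line split into address and hostnames.
    # A stock Windows 8.1 hosts file contains only comment lines, so any
    # active entry deserves a look; non-loopback or non-ASCII lines are flagged.
    if (-not (Test-Path -Path $HostsPath)) {
        Write-Warning "hosts file not found at $HostsPath (FRST reported the same condition)"
        return @()
    }

    Get-Content -Path $HostsPath |
        ForEach-Object { ($_ -split '#', 2)[0].Trim() } |   # drop trailing comments
        Where-Object   { $_ -ne '' } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            $names = if ($parts.Length -gt 1) { $parts[1..($parts.Length - 1)] -join ' ' } else { '' }
            $isLoopback = $parts[0] -in @('127.0.0.1', '::1')
            $nonAscii   = [bool]($_ -match '[^\x00-\x7F]')
            [pscustomobject]@{
                Address    = $parts[0]
                Hostnames  = $names
                NonAscii   = $nonAscii
                Suspicious = (-not $isLoopback) -or $nonAscii
            }
        }
}

function Invoke-HostTriage {
    # Prints both checks and returns them as one object for logging or comparison later.
    $defender = Get-DefenderPolicyState
    $hosts    = @(Get-HostsFileEntries)

    Write-Host '== Windows Defender policy ==' -ForegroundColor Cyan
    $defender | Format-List | Out-String | Write-Host

    Write-Host '== Active hosts file entries ==' -ForegroundColor Cyan
    if ($hosts.Count -eq 0) {
        Write-Host 'no active entries (expected for a stock hosts file)'
    } else {
        $hosts | Format-Table -AutoSize | Out-String | Write-Host
    }

    [pscustomobject]@{
        Defender        = $defender
        HostsEntries    = $hosts
        SuspiciousHosts = @($hosts | Where-Object { $_.Suspicious })
    }
}

$result = Invoke-HostTriage
if ($result.Defender.DefenderDisabled -or $result.SuspiciousHosts.Count -gt 0) {
    Write-Warning 'one or more indicators present; keep the output for the helper reviewing the FRST logs'
}
```

The script only reads; clearing the policy value or rewriting the hosts file is left to the helper's fix script so the evidence stays intact for review.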

 




 


#2 BettisGuy

Posted 08 June 2017 - 04:33 PM

Quick update. I think I downloaded the wrong tool, got the Farbar Service Scanner and not the Recovery Scan Tool. Now when I download FRST and try to run it, Norton says it's unsafe and deletes it. Feels like something bad is going on.

 

Any ideas anyone?

 

Thanks



#3 BettisGuy

Posted 08 June 2017 - 05:18 PM

Figured out how to get the FRST scan done. Here are the reports.

 

Thanks

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-06-2017 01
Ran by Kevin Fox (administrator) on KFOXT2014 (08-06-2017 18:11:42)
Running from C:\Users\Kevin Fox\Downloads
Loaded Profiles: Kevin Fox (Available Profiles: Kevin Fox)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\nsbu.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\nsbu.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Hotkey\TCrdMain_Win8.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoResident.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(TOSHIBA Corporation) C:\Program Files (x86)\Toshiba\System Setting\TSleepSrv.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(WinZip Computing, S.L.) C:\Program Files\WinZip\FAHWindow64.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE
(WinZip Computing, S.L.) C:\Program Files\WinZip\WzPreloader.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\HDD Accelerator\THAccelSvc.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHSrv.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHWMsg.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
() C:\Program Files\RogueKiller\RogueKiller64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-11-29] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound HD] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-08-19] (SRS Labs, Inc.)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2608040 2012-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-08-28] (Synaptics Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14516464 2017-03-28] (Copyright 2017.)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2995904 2012-07-11] (Symantec Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] => C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60688 2015-12-17] (Apple Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1874264 2011-08-19] (Intuit Inc. All rights reserved.)
HKLM\...\RunOnce: [RealProtect] => C:\Program Files\McAfee\Real Protect\RealProtect.exe [6909112 2017-06-07] (McAfee, Inc.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-563055642-872065215-425065361-1001\...\Run: [GoToMeeting] => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\6291\g2mstart.exe [41536 2017-01-24] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-563055642-872065215-425065361-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9105112 2016-11-15] (Piriform Ltd)
HKU\S-1-5-21-563055642-872065215-425065361-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27716568 2017-05-04] (Skype Technologies S.A.)
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FAH.lnk [2017-03-16]
ShortcutTarget: FAH.lnk -> C:\Program Files\WinZip\FAHConsole.exe (WinZip Computing, S.L.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2014-01-05]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2014-01-05]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2014-01-05]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Update Notifier.lnk [2017-03-16]
ShortcutTarget: Update Notifier.lnk -> C:\Program Files\WinZip\WZUpdateNotifier.exe (WinZip)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Preloader.lnk [2017-03-16]
ShortcutTarget: WinZip Preloader.lnk -> C:\Program Files\WinZip\WzPreloader.exe (WinZip Computing, S.L.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{A4BA80D2-CC1E-4490-9427-638AC20A9338}: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{AEA546A8-DA47-443D-B5E0-7C7434483502}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://home.toshiba.com?cid=J13
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://home.toshiba.com?cid=J13
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
HKU\S-1-5-21-563055642-872065215-425065361-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
SearchScopes: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> DefaultScope {D1F746A6-BD09-450A-8B81-4BDFACC0809B} URL = 
SearchScopes: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> {D1F746A6-BD09-450A-8B81-4BDFACC0809B} URL = 
BHO: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
BHO-x32: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32_CP21-15858/webex/ieatgpc.cab
Handler-x32: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll [2014-01-05] (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Kevin Fox\AppData\Roaming\Mozilla\Firefox\Profiles\k5ouqhxs.default [2017-06-08]
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.7.0.76\coFFAddon
FF Extension: (Norton Security Toolbar) - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.7.0.76\coFFAddon [2017-05-23]
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.7.0.76\coFFAddon
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_171.dll [2017-05-09] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_171.dll [2017-05-09] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3503.0728 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-07-28] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-563055642-872065215-425065361-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Kevin Fox\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-03-05] (Citrix Online)
FF Plugin HKU\S-1-5-21-563055642-872065215-425065361-1001: @zoom.us/ZoomVideoPlugin -> C:\Users\Kevin Fox\AppData\Roaming\Zoom\bin\npzoomplugin.dll [2015-02-12] (Zoom Video Communications, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Kevin Fox\AppData\Roaming\mozilla\plugins\npatgpc.dll [2015-12-22] (Cisco WebEx LLC)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR DefaultSearchURL: Default -> hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11908&prt=cr
CHR DefaultSearchKeyword: Default -> NortonSafe
CHR DefaultSuggestURL: Default -> hxxps://ss-sym.search.ask.com/ss?q={searchTerms}&li=ff
CHR Profile: C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default [2017-06-08]
CHR Extension: (Norton Security Toolbar) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2017-06-06]
CHR Extension: (Norton Identity Safe) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2016-07-15]
CHR Extension: (ClassLink OneClick Extension) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgfbgkjjlonelmpenhpfeeljjlcgnkpe [2017-01-14]
CHR Extension: (Cisco WebEx Extension) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2017-04-19]
CHR Extension: (Norton Safe) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgcfemagnogdodbambjhdcmfcpicngl [2016-09-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-12]
CHR Extension: (Chrome Media Router) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-14]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\Exts\Chrome.crx [2017-06-04]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\Exts\Chrome.crx [2017-06-04]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135488 2017-06-06] (SurfRight B.V.)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3939008 2012-07-11] (Symantec Corporation)
R2 NSBU; C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\NSBU.exe [326160 2017-05-26] (Symantec Corporation)
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2011-08-20] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2011-08-19] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2011-08-19] (Intuit Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-12-05] (Realtek Semiconductor)
R2 THAccelSvc; C:\Program Files\TOSHIBA\HDD Accelerator\THAccelSvc.exe [214488 2012-08-10] (TOSHIBA CORPORATION)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14516464 2017-03-28] (Copyright 2017.)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 BHDrvx64; C:\Program Files (x86)\Norton Security with Backup\NortonData\22.7.0.76\Definitions\BASHDefs\20170607.003\BHDrvx64.sys [1862784 2017-05-18] (Symantec Corporation)
R1 ccSet_NARA; C:\WINDOWS\system32\drivers\NARAx64\0401000.00B\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
R1 ccSet_NSBU; C:\WINDOWS\system32\drivers\NSBUx64\1609040.008\ccSetx64.sys [174232 2017-05-11] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [507032 2017-05-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [156824 2017-05-11] (Symantec Corporation)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77376 2017-05-25] ()
R3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [55232 2017-06-08] ()
R1 IDSVia64; C:\Program Files (x86)\Norton Security with Backup\NortonData\22.7.0.76\Definitions\IPSDefs\20170607.001\IDSvia64.sys [1053824 2017-05-24] (Symantec Corporation)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [188312 2017-06-08] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [113592 2017-06-08] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [44960 2017-06-08] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [252832 2017-06-08] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [93600 2017-06-08] (Malwarebytes)
R3 RTWlanE; C:\WINDOWS\system32\DRIVERS\rtwlane.sys [2946264 2013-10-21] (Realtek Semiconductor Corporation                           )
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [43832 2012-08-16] (Synaptics Incorporated)
R0 SMR410; C:\WINDOWS\System32\drivers\SMR410.SYS [96856 2017-06-08] (Symantec Corporation)
R3 SRTSP; C:\WINDOWS\System32\Drivers\NSBUx64\1609040.008\SRTSP64.SYS [770712 2017-05-11] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NSBUx64\1609040.008\SRTSPX64.SYS [49304 2017-05-11] (Symantec Corporation)
R0 SymEFASI; C:\WINDOWS\System32\drivers\NSBUx64\1609040.008\SYMEFASI64.SYS [1714328 2017-05-11] (Symantec Corporation)
S0 SymELAM; C:\WINDOWS\System32\drivers\NSBUx64\1609040.008\SymELAM.sys [24608 2017-05-11] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT64x86.SYS [102608 2017-05-19] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NSBUx64\1609040.008\Ironx64.SYS [291480 2017-05-11] (Symantec Corporation)
R1 SymNetS; C:\WINDOWS\System32\Drivers\NSBUx64\1609040.008\SYMNETS.SYS [567496 2017-05-11] (Symantec Corporation)
R0 THAccel; C:\WINDOWS\System32\DRIVERS\THAccel.sys [131520 2012-08-10] (TOSHIBA CORPORATION)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [32624 2013-08-19] (Windows ® Win 7 DDK provider)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2017-06-08] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2017-06-08] (Zemana Ltd.)
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.7.0.76\Definitions\SDSDefs\20170602.003\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.7.0.76\Definitions\SDSDefs\20170602.003\NAVEX15.SYS [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-08 18:11 - 2017-06-08 18:12 - 00025308 _____ C:\Users\Kevin Fox\Downloads\FRST.txt
2017-06-08 18:10 - 2017-06-08 18:11 - 00000000 ____D C:\FRST
2017-06-08 18:09 - 2017-06-08 18:09 - 02435072 _____ (Farbar) C:\Users\Kevin Fox\Downloads\FRST64.exe
2017-06-08 17:07 - 2017-06-08 17:07 - 00000000 ____D C:\ProgramData\RogueKiller
2017-06-08 17:04 - 2017-06-08 17:04 - 00000881 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-06-08 17:04 - 2017-06-08 17:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-06-08 17:04 - 2017-06-08 17:04 - 00000000 ____D C:\Program Files\RogueKiller
2017-06-08 16:57 - 2017-06-08 16:59 - 35426672 _____ (Adlice Software ) C:\Users\Kevin Fox\Downloads\RogueKiller_setup_ref3.exe
2017-06-08 16:14 - 2017-06-08 16:14 - 00096856 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SMR410.SYS
2017-06-08 16:14 - 2017-06-08 16:14 - 00000020 _____ C:\WINDOWS\system32\Drivers\SMR410.dat
2017-06-08 15:33 - 2017-06-08 15:39 - 00000811 _____ C:\Users\Kevin Fox\Desktop\Stinger_08062017_153321.html
2017-06-08 14:48 - 2017-06-08 14:48 - 00000000 ____D C:\WINDOWS\System32\Tasks\Remediation
2017-06-08 14:45 - 2017-06-08 14:45 - 00002995 _____ C:\Users\Kevin Fox\Desktop\FSS.txt
2017-06-08 14:44 - 2017-06-08 16:02 - 00003123 _____ C:\Users\Kevin Fox\Downloads\FSS.txt
2017-06-08 14:27 - 2017-06-08 14:27 - 00000915 _____ C:\Users\Kevin Fox\Documents\Documents - Shortcut.lnk
2017-06-08 13:55 - 2017-06-08 13:55 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
2017-06-08 13:55 - 2017-06-08 13:55 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
2017-06-08 13:55 - 2017-06-08 13:55 - 00055232 _____ C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2017-06-08 13:55 - 2017-06-08 13:55 - 00001167 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2017-06-08 13:55 - 2017-06-08 13:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-06-08 13:34 - 2017-06-08 13:34 - 00000022 _____ C:\Users\Kevin Fox\Downloads\esetpowelikscleaner.exe_20170608.133434.2528.zip
2017-06-08 13:34 - 2017-06-08 13:34 - 00000022 _____ C:\Users\Kevin Fox\Downloads\esetpowelikscleaner.exe_20170608.133402.2564.zip
2017-06-08 13:33 - 2017-06-08 13:33 - 00549504 _____ (ESET) C:\Users\Kevin Fox\Downloads\esetpowelikscleaner.exe
2017-06-08 13:19 - 2017-06-08 13:19 - 05766464 _____ (Zemana Ltd. ) C:\Users\Kevin Fox\Downloads\eXplorer.exe
2017-06-08 13:17 - 2017-06-08 13:17 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Kevin Fox\Downloads\iExplore.exe
2017-06-08 11:41 - 2017-06-08 11:45 - 00000811 _____ C:\Users\Kevin Fox\Desktop\Stinger_08062017_114128.html
2017-06-08 11:24 - 2017-06-08 11:24 - 00001333 _____ C:\Users\Kevin Fox\Desktop\hitmanlog1_6-8.txt
2017-06-08 10:55 - 2017-06-08 13:35 - 00159134 _____ C:\WINDOWS\ntbtlog.txt
2017-06-08 10:08 - 2017-06-08 15:44 - 00000118 ___RH C:\Users\Kevin Fox\Desktop\Stinger.opt
2017-06-08 10:04 - 2017-06-08 10:07 - 00000811 _____ C:\Users\Kevin Fox\Desktop\Stinger_08062017_100435.html
2017-06-08 08:52 - 2017-06-08 09:05 - 00236498 _____ C:\TDSSKiller.3.1.0.15_08.06.2017_08.52.24_log.txt
2017-06-07 11:55 - 2017-06-07 12:01 - 00000813 _____ C:\Users\Kevin Fox\Downloads\Stinger_07062017_115541.html
2017-06-07 11:12 - 2017-06-08 10:17 - 00000000 ____D C:\NPE
2017-06-07 11:10 - 2017-06-07 12:05 - 00000122 ___RH C:\Users\Kevin Fox\Downloads\Stinger.opt
2017-06-07 11:10 - 2017-06-07 11:10 - 00000000 ____D C:\Program Files\McAfee
2017-06-07 11:09 - 2017-06-07 11:09 - 15582008 _____ (McAfee Inc) C:\Users\Kevin Fox\Desktop\stinger64.exe
2017-06-07 11:04 - 2017-06-08 16:16 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\NPE
2017-06-07 11:04 - 2017-06-07 12:16 - 03077584 ____N (Symantec Corporation) C:\Users\Kevin Fox\Desktop\npe.exe
2017-06-07 10:52 - 2017-06-07 10:52 - 05822560 _____ (Symantec Corporation) C:\Users\Kevin Fox\Desktop\FixNecurs64bit.exe
2017-06-07 10:34 - 2017-06-07 10:34 - 00001643 _____ C:\Users\Kevin Fox\Desktop\AdwCleaner[C0].txt
2017-06-07 10:25 - 2017-06-08 15:47 - 00000000 ____D C:\AdwCleaner
2017-06-07 10:22 - 2017-06-07 10:22 - 04110280 _____ C:\Users\Kevin Fox\Desktop\AdwCleaner.exe
2017-06-07 09:28 - 2017-06-07 09:28 - 00000020 _____ C:\Users\Kevin Fox\Desktop\hosts.old
2017-06-07 09:25 - 2017-06-07 09:25 - 00001466 _____ C:\WINDOWS\system32\Drivers\etc\hosts.txt
2017-06-07 07:27 - 2017-06-07 07:31 - 00467730 _____ C:\TDSSKiller.3.1.0.15_07.06.2017_07.27.27_log.txt
2017-06-07 07:17 - 2017-06-08 13:47 - 00113592 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-06-07 07:13 - 2017-06-08 16:55 - 00093600 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-06-07 07:11 - 2017-06-07 07:12 - 00498968 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-06-07 06:35 - 2017-06-08 13:47 - 00044960 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-06-07 06:35 - 2017-06-08 13:35 - 00188312 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-06-07 01:05 - 2017-06-08 13:47 - 00252832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-06-07 01:05 - 2017-06-07 01:05 - 00001894 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-06-07 01:05 - 2017-06-07 01:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-06-07 01:05 - 2017-06-07 01:05 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-07 01:05 - 2017-06-07 01:05 - 00000000 ____D C:\Program Files\Malwarebytes
2017-06-07 01:05 - 2017-05-25 11:58 - 00077376 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-06-07 01:02 - 2017-06-07 01:03 - 00232570 _____ C:\TDSSKiller.3.1.0.15_07.06.2017_01.02.59_log.txt
2017-06-07 00:16 - 2017-06-07 00:18 - 00235620 _____ C:\TDSSKiller.3.1.0.15_07.06.2017_00.16.44_log.txt
2017-06-07 00:12 - 2017-06-07 07:10 - 00000000 ____D C:\WINDOWS\pss
2017-06-07 00:01 - 2017-06-08 16:35 - 00002288 _____ C:\Users\Kevin Fox\Desktop\Rkill.txt
2017-06-07 00:01 - 2017-06-07 00:01 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\Kevin Fox\Desktop\rkill64.exe
2017-06-06 23:58 - 2017-06-06 23:58 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Kevin Fox\Downloads\rkill.exe
2017-06-06 23:32 - 2017-06-06 23:33 - 04922400 _____ (AO Kaspersky Lab) C:\Users\Kevin Fox\Downloads\tdsskiller.exe
2017-06-06 22:47 - 2017-06-06 22:47 - 00001912 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2017-06-06 22:46 - 2017-06-06 22:47 - 00000000 ____D C:\Program Files\HitmanPro
2017-06-06 22:43 - 2017-06-07 06:33 - 00000000 ____D C:\ProgramData\HitmanPro
2017-06-06 21:41 - 2017-06-06 21:49 - 00238302 _____ C:\TDSSKiller.3.1.0.15_06.06.2017_21.41.39_log.txt
2017-06-06 17:58 - 2017-06-06 17:59 - 64232976 _____ (Malwarebytes ) C:\Users\Kevin Fox\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe
2017-06-06 17:45 - 2017-06-08 18:12 - 00520801 _____ C:\WINDOWS\ZAM.krnl.trace
2017-06-06 17:45 - 2017-06-08 18:11 - 00067494 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2017-06-06 17:45 - 2017-06-08 13:55 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2017-06-06 17:45 - 2017-06-06 17:45 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\Zemana
2017-06-06 17:43 - 2017-06-06 17:44 - 05774688 _____ (Zemana Ltd. ) C:\Users\Kevin Fox\Downloads\Zemana.AntiMalware.Setup.exe
2017-06-04 23:25 - 2017-06-04 23:25 - 00003238 _____ C:\WINDOWS\System32\Tasks\Norton WSC Integration
2017-06-02 10:11 - 2017-06-02 10:11 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\CEF
2017-06-02 00:45 - 2017-06-08 14:26 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-06-02 00:45 - 2017-06-02 00:45 - 00002078 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk
2017-06-02 00:44 - 2017-06-02 00:44 - 00000000 ____D C:\Program Files (x86)\Adobe
2017-05-23 08:50 - 2017-06-04 23:30 - 00000000 ____D C:\WINDOWS\System32\Tasks\Norton Security with Backup
2017-05-14 14:46 - 2017-04-28 18:44 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-05-14 14:46 - 2017-04-28 18:44 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-05-11 13:33 - 2017-03-30 09:15 - 00875712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcr120_clr0400.dll
2017-05-11 13:33 - 2017-03-30 09:15 - 00869568 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcr120_clr0400.dll
2017-05-11 13:33 - 2017-03-30 09:15 - 00678592 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcp120_clr0400.dll
2017-05-11 13:33 - 2017-03-30 09:15 - 00536768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvcp120_clr0400.dll
2017-05-11 12:35 - 2017-04-28 17:15 - 07444824 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2017-05-11 12:35 - 2017-04-26 10:06 - 04169216 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2017-05-11 12:35 - 2017-04-16 06:23 - 02176584 _____ (Microsoft Corporation) C:\WINDOWS\system32\combase.dll
2017-05-11 12:35 - 2017-04-16 06:23 - 01662096 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2017-05-11 12:35 - 2017-04-16 06:23 - 01063464 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinTypes.dll
2017-05-11 12:35 - 2017-04-16 06:18 - 01135288 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2017-05-11 12:35 - 2017-04-16 06:18 - 00803192 _____ (Microsoft Corporation) C:\WINDOWS\system32\oleaut32.dll
2017-05-11 12:35 - 2017-04-16 05:07 - 01566032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\combase.dll
2017-05-11 12:35 - 2017-04-16 05:07 - 01213792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2017-05-11 12:35 - 2017-04-16 05:07 - 00548032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinTypes.dll
2017-05-11 12:35 - 2017-04-16 05:05 - 00612096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\oleaut32.dll
2017-05-11 12:35 - 2017-04-16 04:54 - 00576512 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2017-05-11 12:35 - 2017-04-16 04:54 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2017-05-11 12:35 - 2017-04-16 04:51 - 02899456 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2017-05-11 12:35 - 2017-04-16 04:37 - 00116224 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieetwcollector.exe
2017-05-11 12:35 - 2017-04-16 04:36 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-05-11 12:35 - 2017-04-16 04:35 - 25741312 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-05-11 12:35 - 2017-04-16 04:18 - 05977600 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-05-11 12:35 - 2017-04-16 04:16 - 00862720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2017-05-11 12:35 - 2017-04-16 04:10 - 00087552 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdc.ocx
2017-05-11 12:35 - 2017-04-16 04:03 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2017-05-11 12:35 - 2017-04-16 04:02 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2017-05-11 12:35 - 2017-04-16 04:01 - 00499200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2017-05-11 12:35 - 2017-04-16 04:00 - 00315392 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2017-05-11 12:35 - 2017-04-16 04:00 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2017-05-11 12:35 - 2017-04-16 03:53 - 02290176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2017-05-11 12:35 - 2017-04-16 03:52 - 01033216 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2017-05-11 12:35 - 2017-04-16 03:49 - 20278272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-05-11 12:35 - 2017-04-16 03:47 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2017-05-11 12:35 - 2017-04-16 03:43 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2017-05-11 12:35 - 2017-04-16 03:40 - 00806912 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2017-05-11 12:35 - 2017-04-16 03:40 - 00725504 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2017-05-11 12:35 - 2017-04-16 03:40 - 00378880 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2017-05-11 12:35 - 2017-04-16 03:37 - 02132992 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2017-05-11 12:35 - 2017-04-16 03:29 - 00073216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdc.ocx
2017-05-11 12:35 - 2017-04-16 03:24 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2017-05-11 12:35 - 2017-04-16 03:23 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2017-05-11 12:35 - 2017-04-16 03:22 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcss.dll
2017-05-11 12:35 - 2017-04-16 03:22 - 00279040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2017-05-11 12:35 - 2017-04-16 03:17 - 00880640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2017-05-11 12:35 - 2017-04-16 03:12 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2017-05-11 12:35 - 2017-04-16 03:10 - 15250944 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-05-11 12:35 - 2017-04-16 03:10 - 00693248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2017-05-11 12:35 - 2017-04-16 03:10 - 00330752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2017-05-11 12:35 - 2017-04-16 03:08 - 04548608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-05-11 12:35 - 2017-04-16 03:08 - 02057216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2017-05-11 12:35 - 2017-04-16 03:04 - 03241472 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-05-11 12:35 - 2017-04-16 03:02 - 00267776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wincorlib.dll
2017-05-11 12:35 - 2017-04-16 02:53 - 13661184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-05-11 12:35 - 2017-04-16 02:50 - 01544704 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-05-11 12:35 - 2017-04-16 02:40 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2017-05-11 12:35 - 2017-04-16 02:37 - 02767872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2017-05-11 12:35 - 2017-04-16 02:34 - 01314816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2017-05-11 12:35 - 2017-04-16 02:34 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2017-05-11 12:35 - 2017-04-09 18:00 - 01548640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2017-05-11 12:35 - 2017-04-09 18:00 - 00388448 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys
2017-05-11 12:35 - 2017-04-07 19:20 - 01375960 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2017-05-11 12:35 - 2017-04-07 09:56 - 01094656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2017-05-11 12:35 - 2017-04-02 12:41 - 00684544 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv2.sys
2017-05-11 12:35 - 2017-04-02 12:41 - 00414720 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2017-05-11 12:35 - 2017-03-31 19:16 - 01968408 _____ (Microsoft Corporation) C:\WINDOWS\system32\crypt32.dll
2017-05-11 12:35 - 2017-03-31 17:59 - 01612504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\crypt32.dll
2017-05-11 12:35 - 2017-03-13 12:38 - 00206848 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmitomi.dll
2017-05-11 12:35 - 2017-03-13 12:29 - 02609664 _____ (Microsoft Corporation) C:\WINDOWS\system32\WsmSvc.dll
2017-05-11 12:35 - 2017-03-13 12:25 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\WsmWmiPl.dll
2017-05-11 12:35 - 2017-03-13 12:13 - 00159232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmitomi.dll
2017-05-11 12:35 - 2017-03-13 12:07 - 02170880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WsmSvc.dll
2017-05-11 12:35 - 2017-03-13 12:06 - 00236032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WsmWmiPl.dll
2017-05-11 12:35 - 2017-03-11 15:34 - 00201728 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2017-05-11 12:35 - 2017-03-11 15:32 - 00401408 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2017-05-11 12:35 - 2017-03-11 15:32 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb10.sys
2017-05-11 12:35 - 2017-03-11 14:49 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2017-05-11 12:35 - 2017-03-11 13:58 - 01437696 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2017-05-11 12:35 - 2017-03-11 13:54 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2017-05-11 12:35 - 2017-03-10 19:38 - 02017624 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ntfs.sys
2017-05-11 12:35 - 2017-03-10 19:38 - 00275800 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\msiscsi.sys
2017-05-11 12:35 - 2017-03-09 16:52 - 00293376 _____ (Microsoft Corporation) C:\WINDOWS\system32\wisp.dll
2017-05-11 12:35 - 2017-03-09 15:17 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wisp.dll
2017-05-11 12:35 - 2017-03-07 22:44 - 00448285 _____ C:\WINDOWS\system32\ApnDatabase.xml
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-08 17:16 - 2015-03-05 15:25 - 00000606 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-563055642-872065215-425065361-1001.job
2017-06-08 17:13 - 2015-07-06 00:32 - 00000702 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-563055642-872065215-425065361-1001.job
2017-06-08 16:50 - 2014-10-20 09:04 - 00000000 ____D C:\Users\Kevin Fox
2017-06-08 16:29 - 2013-06-09 17:35 - 00003594 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-563055642-872065215-425065361-1001
2017-06-08 15:21 - 2014-01-03 09:01 - 00000000 ____D C:\Users\Kevin Fox\AppData\Roaming\Skype
2017-06-08 14:31 - 2014-09-24 03:15 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-06-08 14:31 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\Inf
2017-06-08 14:18 - 2013-06-09 17:53 - 00000000 ____D C:\Users\Kevin Fox\Documents\Temp 2011
2017-06-08 13:47 - 2013-08-22 10:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-08 12:12 - 2013-06-10 00:33 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\CrashDumps
2017-06-07 11:11 - 2013-08-22 09:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2017-06-07 11:04 - 2012-11-13 02:30 - 00000000 ____D C:\ProgramData\Norton
2017-06-07 10:35 - 2013-08-22 09:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2017-06-07 09:18 - 2013-08-22 09:25 - 00000019 _____ C:\WINDOWS\system32\Drivers\etc\hosts.old
2017-06-06 14:00 - 2016-11-18 11:58 - 00000000 ____D C:\Users\Kevin Fox\AppData\LocalLow\Mozilla
2017-06-04 23:51 - 2015-07-19 17:10 - 00000000 ____D C:\Program Files\Common Files\AV
2017-06-04 23:25 - 2016-07-15 10:45 - 00002470 _____ C:\Users\Public\Desktop\Norton Security with Backup.lnk
2017-06-04 23:25 - 2016-07-15 10:38 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security with Backup
2017-06-04 23:25 - 2016-07-15 10:38 - 00000000 ____D C:\WINDOWS\system32\Drivers\NSBUx64
2017-06-04 13:12 - 2015-07-06 00:32 - 00003712 _____ C:\WINDOWS\System32\Tasks\G2MUploadTask-S-1-5-21-563055642-872065215-425065361-1001
2017-06-04 13:12 - 2015-03-05 15:25 - 00003616 _____ C:\WINDOWS\System32\Tasks\G2MUpdateTask-S-1-5-21-563055642-872065215-425065361-1001
2017-06-02 10:11 - 2013-06-13 00:00 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\Adobe
2017-06-02 10:09 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-06-02 00:46 - 2015-01-07 08:38 - 00004476 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2017-06-02 00:44 - 2012-11-13 02:28 - 00000000 ____D C:\ProgramData\Adobe
2017-06-01 23:41 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-06-01 21:00 - 2014-02-10 18:47 - 00000000 ____D C:\Users\Kevin Fox\Desktop\Other
2017-05-31 14:16 - 2017-03-31 08:53 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-05-31 14:16 - 2014-01-03 09:01 - 00000000 ____D C:\ProgramData\Skype
2017-05-25 10:54 - 2013-07-31 09:53 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-05-25 10:46 - 2013-06-10 19:05 - 132223576 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-05-24 09:08 - 2014-01-24 16:24 - 00000000 ____D C:\Users\Kevin Fox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yahoo
2017-05-19 08:48 - 2016-07-15 10:50 - 00102608 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT64x86.SYS
2017-05-19 08:48 - 2016-07-15 10:50 - 00008339 _____ C:\WINDOWS\system32\Drivers\SYMEVENT64x86.CAT
2017-05-14 15:04 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\rescache
2017-05-14 14:40 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2017-05-12 06:51 - 2013-10-03 09:57 - 00002226 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-05-12 06:51 - 2013-10-03 09:57 - 00002214 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-05-11 13:46 - 2012-07-26 03:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-05-09 15:07 - 2013-06-13 00:02 - 00004288 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-05-09 15:06 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-05-09 15:06 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\Macromed
 
==================== Files in the root of some directories =======
 
2017-03-16 14:18 - 2017-03-16 14:40 - 0008704 _____ () C:\Users\Kevin Fox\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-11-07 14:57 - 2013-11-07 14:57 - 0000017 _____ () C:\Users\Kevin Fox\AppData\Local\resmon.resmoncfg
2014-09-13 08:41 - 2014-09-13 08:41 - 0000000 _____ () C:\Users\Kevin Fox\AppData\Local\{4B017007-7EC2-4299-9D98-0F96E93D4B32}
 
Some files in TEMP:
====================
2017-06-08 17:07 - 2016-08-13 03:40 - 1737080 _____ (Microsoft Corporation) C:\Users\Kevin Fox\AppData\Local\Temp\dllnt_dump.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-08 15:41
 
==================== End of FRST.txt ============================
 
Addition.txt
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-06-2017 01
Ran by Kevin Fox (08-06-2017 18:13:03)
Running from C:\Users\Kevin Fox\Downloads
Windows 8.1 (Update) (X64) (2014-10-20 13:34:04)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-563055642-872065215-425065361-500 - Administrator - Disabled)
Guest (S-1-5-21-563055642-872065215-425065361-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-563055642-872065215-425065361-1003 - Limited - Enabled)
Kevin Fox (S-1-5-21-563055642-872065215-425065361-1001 - Administrator - Enabled) => C:\Users\Kevin Fox
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Security (Disabled - Up to date) {30744133-1E94-7B35-F4A3-82A5AEF1CBAA}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security (Disabled - Up to date) {8B15A0D7-38AE-74BB-CE13-B9D7D5768117}
FW: Norton Security (Enabled) {084FC016-54FB-7A6D-DFFC-2B9050228CD1}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.009.20044 - Adobe Systems Incorporated)
Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.171 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{7FA9ECCF-A2DE-4DA1-BFF3-81260DBDA68F}) (Version: 4.1.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{691F30EB-9009-475A-B8A9-E1BF39598FD5}) (Version: 4.1.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.6 - Atheros Communications Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Bullzip PDF Printer 10.11.0.2338 (HKLM\...\Bullzip PDF Printer_is1) (Version: 10.11.0.2338 - Bullzip)
Canon MP Navigator EX 4.1 (HKLM-x32\...\MP Navigator EX 4.1) (Version:  - )
Canon MX410 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX410_series) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 5.24 - Piriform)
Cisco WebEx Meetings (HKU\S-1-5-21-563055642-872065215-425065361-1001\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DHTML Editing Component (HKLM-x32\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
Fathom 2L (HKLM-x32\...\Fathom 2L) (Version:  - Key Curriculum Press)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 58.0.3029.110 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.33.5 - Google Inc.) Hidden
GoToMeeting 8.6.0.7107 (HKU\S-1-5-21-563055642-872065215-425065361-1001\...\GoToMeeting) (Version: 8.6.0.7107 - CitrixOnline)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.20.286 - SurfRight B.V.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3345 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.5.2.1001 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
iTunes (HKLM\...\{FBEB98F8-64E4-4FA3-A15E-4A9F42FF962E}) (Version: 12.3.2.35 - Apple Inc.)
Malwarebytes version 3.1.2.1733 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.1.2.1733 - Malwarebytes)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4420.1017 - Microsoft Corporation)
Microsoft Office 2007 Primary Interop Assemblies (HKLM-x32\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Small Business 2007 (HKLM-x32\...\SMALLBUSINESSR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
Microsoft Works 6-9 Converter (HKLM-x32\...\{95140000-0137-0409-0000-0000000FF1CE}) (Version: 14.0.6120.5002 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.2.3.45 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.1.0.11 - Symantec Corporation) Hidden
Norton Security (HKLM-x32\...\NSBU) (Version: 22.9.4.8 - Symantec Corporation)
Origin (HKLM-x32\...\Origin) (Version: 9.0.15.60 - Electronic Arts, Inc.)
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
Premium Sound HD (HKLM\...\{94F03B8E-CB73-4653-AFE9-79112C01FED2}) (Version: 1.12.5000 - SRS Labs, Inc.)
QuickBooks (x32 Version: 22.0.4001.2206 - Intuit Inc.) Hidden
QuickBooks Pro 2012 (HKLM-x32\...\{22057D8D-7CC8-46FF-AD8C-9BD24F9014F3}) (Version: 22.0.4001.2206 - Intuit Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6794 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.8400.39030 - Realtek Semiconductor Corp.)
Realtek WLAN Driver (HKLM-x32\...\{9D3D8C60-A55F-4fed-B2B9-173001290E16}) (Version: 2.00.0020 - REALTEK Semiconductor Corp.)
RogueKiller version 12.11.1.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.11.1.0 - Adlice Software)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.36 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.36.101 - Skype Technologies S.A.)
Slideshow Creator (HKLM-x32\...\{4E1A63B1-F547-4CFC-91F7-F32F1A6BF430}_is1) (Version: 2.2 - Bolide Software)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.8.21 - Synaptics Incorporated)
Toshiba App Place (HKLM-x32\...\{ED3CBA78-488F-4E8C-B33F-8E3BF4DDB4D2}) (Version: 1.0.6.3 - Toshiba)
TOSHIBA Application Installer (HKLM-x32\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.4 - TOSHIBA)
Toshiba Book Place (HKLM-x32\...\{24B45620-22B6-4E4A-B836-FF30A0B0404E}) (Version: 3.1.9534 - K-NFB Reading Technology, Inc.)
TOSHIBA Desktop Assist (HKLM\...\{95CCACF0-010D-45F0-82BF-858643D8BC02}) (Version: 1.00.08.6402 - Toshiba Corporation)
TOSHIBA eco Utility (HKLM\...\{5944B9D4-3C2A-48DE-931E-26B31714A2F7}) (Version: 2.0.0.6415 - Toshiba Corporation)
TOSHIBA Function Key (HKLM\...\{16562A90-71BC-41A0-B890-D91B0C267120}) (Version: 1.00.6425.01 - Toshiba Corporation)
TOSHIBA HDD Accelerator (HKLM\...\{DB4D9937-0B14-4EF1-BF9A-BB7E3B9DCB04}) (Version: 1.1.0001 - Toshiba Corporation)
TOSHIBA Password Utility (HKLM-x32\...\{B1786E63-2127-42C9-95A3-146E5F727BF1}) (Version: v1.0.0.8 - TOSHIBA Corporation)
TOSHIBA PC Health Monitor (HKLM\...\{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}) (Version: 1.8.17.640104 - Toshiba Corporation)
TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.8 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.2.0.54043005 - Toshiba Corporation)
TOSHIBA Resolution+ Plug-in for Windows Media Player (HKLM-x32\...\{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}) (Version: 1.2.2.00 - TOSHIBA Corporation)
TOSHIBA Service Station (HKLM\...\{B1F241E1-90BF-4201-8977-A0DF85A38EBB}) (Version: 2.6.16.0 - Toshiba Corporation)
TOSHIBA System Driver (HKLM-x32\...\{1E6A96A1-2BAB-43EF-8087-30437593C66C}) (Version: 1.00.0032 - Toshiba Corporation)
TOSHIBA System Settings (HKLM-x32\...\{05A55927-DB9B-4E26-BA44-828EBFF829F0}) (Version: 1.00.0002.32002 - Toshiba Corporation)
TOSHIBA User's Guide (HKLM-x32\...\{3384E1D9-3F18-4A98-8655-180FEF0DFC02}) (Version: 1.00.02 - TOSHIBA)
TOSHIBA VIDEO PLAYER (HKLM\...\{FF07604E-C860-40E9-A230-E37FA41F103A}) (Version: 5.1.0.12-A - Toshiba Corporation)
TOSHIBARegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.1.6 - TOSHIBA)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Web Easy Professional (HKLM-x32\...\{B651BFCB-C9F3-489C-A2A7-764A12E2C79B}) (Version: 10.1 - Avanquest)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3503.0728 - Microsoft Corporation)
WinZip 21.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C2410D}) (Version: 21.0.12288 - WinZip Computing, S.L. )
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.72.0.345 - Zemana Ltd.)
Zoom (HKU\S-1-5-21-563055642-872065215-425065361-1001\...\ZoomUMX) (Version: 3.5 - Zoom Video Communications, Inc.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-563055642-872065215-425065361-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\6291\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-563055642-872065215-425065361-1001_Classes\CLSID\{CB2B673F-D441-4CD4-AFBE-DC4037CA4220}\InprocServer32 -> C:\Program Files\WinZip\adxloader64.dll ()
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {03023120-C31C-4A81-BBFE-D4722323F4D6} - System32\Tasks\WinZipBackGroundToolsTask => C:\Program Files\WinZip\WzBGTools.exe [2017-02-10] (WinZip Computing, S.L.)
Task: {0E28344B-9A33-4FE0-8A03-7188E5829A83} - System32\Tasks\G2MUploadTask-S-1-5-21-563055642-872065215-425065361-1001 => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\7107\g2mupload.exe [2017-06-04] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {272F416B-116B-4C84-8BBD-A2157D6980C3} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-08-28] (Synaptics Incorporated)
Task: {2998C011-4CA2-4B58-8DBF-BAF4DD14FBA8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {32F52E2F-BFDA-4782-9DE5-FABE8995925E} - System32\Tasks\WinZip Update Notifier => C:\Program Files\WinZip\WZUpdateNotifier.exe [2017-02-10] (WinZip)
Task: {414A1F2F-242B-4A5F-81EA-151F3658325C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {48E46FF8-AF98-4C17-8FE2-877442E0DB94} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2015-08-27] (Apple Inc.)
Task: {4A3FD61D-99C3-4B86-BB97-D85215436B07} - System32\Tasks\Norton Security with Backup\Norton Security with Backup Error Processor => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\SymErr.exe [2017-05-11] (Symantec Corporation)
Task: {53D9EDEE-9647-4A36-918A-1CD1A28443D9} - System32\Tasks\Norton Anti-Theft\Norton Error Processor => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe
Task: {69D3FDA7-DB79-4CE4-B736-BCFC8075CE54} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-05-09] (Adobe Systems Incorporated)
Task: {75E9C93C-FC9C-4968-AF31-EE9FFAFC72ED} - System32\Tasks\TOSHIBA\Service Station => C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe [2014-04-03] (TOSHIBA Corporation)
Task: {94732EA0-9F78-4CF3-8885-7FF06609C373} - System32\Tasks\G2MUpdateTask-S-1-5-21-563055642-872065215-425065361-1001 => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\7107\g2mupdate.exe [2017-06-04] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {BEE59D93-C24F-4D2E-A909-4CEE9892A45A} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security\Upgrade.exe [2017-05-26] (Symantec Corporation)
Task: {CFC8E562-36F2-49BA-AFF9-C7DA962E2302} - System32\Tasks\Norton Anti-Theft\Norton Error Analyzer => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe
Task: {DC11993D-B3E6-40CC-B065-CDA3063C2FD2} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-11-15] (Piriform Ltd)
Task: {DECE4F0E-C7A7-4361-B2D2-F0C81E177248} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-04-25] (Adobe Systems Incorporated)
Task: {E5CFDA94-E6CA-4242-9456-1D264E5ACCBE} - System32\Tasks\Norton Security with Backup\Norton Security with Backup Error Analyzer => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\SymErr.exe [2017-05-11] (Symantec Corporation)
Task: {F715C040-515A-4F41-9EFB-C7C1F5D003D8} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\WSCStub.exe [2017-05-26] (Symantec Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-563055642-872065215-425065361-1001.job => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\7107\g2mupdate.exe
Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-563055642-872065215-425065361-1001.job => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\7107\g2mupload.exe
Task: C:\WINDOWS\Tasks\Synaptics TouchPad Enhancements.job => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
Shortcut: C:\Users\Kevin Fox\Desktop\Other\Yahoo SiteBuilder.lnk -> C:\Program Files (x86)\Yahoo SiteBuilder\ysitebuilder.bat (No File)
Shortcut: C:\Users\Kevin Fox\Desktop\Other\Yahoo! SiteBuilder.lnk -> C:\Program Files (x86)\Yahoo SiteBuilder\ysitebuilder.bat (No File)
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-06-08 13:55 - 2017-06-08 13:55 - 00154480 _____ () C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll
2015-12-17 19:38 - 2015-12-17 19:38 - 00085800 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-12-17 19:38 - 2015-12-17 19:38 - 01328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2017-06-07 01:05 - 2017-05-25 14:11 - 02270664 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2012-07-18 21:38 - 2012-07-18 21:38 - 00020904 _____ () C:\Program Files\TOSHIBA\Hotkey\SmoothView.dll
2012-07-18 21:38 - 2012-07-18 21:38 - 00049064 _____ () C:\Program Files\TOSHIBA\Hotkey\Hotkey\FnZ.dll
2012-08-13 22:13 - 2012-08-13 22:13 - 00018344 _____ () C:\Program Files\Toshiba\Teco\TecoMUI.dll
2012-08-06 10:36 - 2012-08-06 10:36 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-08-22 03:19 - 2013-08-22 02:54 - 00174592 _____ () C:\WINDOWS\system32\WinMetadata\Windows.UI.winmd
2013-08-22 03:19 - 2013-08-22 02:54 - 00050176 _____ () C:\WINDOWS\system32\WinMetadata\Windows.Data.winmd
2013-08-22 03:19 - 2013-08-22 02:54 - 00030208 _____ () C:\WINDOWS\system32\WinMetadata\Windows.Foundation.winmd
2017-05-12 06:50 - 2017-05-09 05:13 - 03767640 _____ () C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\libglesv2.dll
2017-05-12 06:50 - 2017-05-09 05:13 - 00100696 _____ () C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\libegl.dll
2017-06-08 17:04 - 2017-06-05 08:23 - 26377288 _____ () C:\Program Files\RogueKiller\RogueKiller64.exe
2011-08-20 02:32 - 2011-08-20 02:32 - 00268648 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\boost_regex-vc90-mt-p-1_33.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00020840 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\QBCompressor.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00379752 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\BackupLib.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00138088 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\QBMAPILibrary.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00059904 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\zlib1.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00176488 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\boost_serialization-vc90-mt-p-1_33.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00042344 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\mbpopup.dll
2013-03-14 06:47 - 2012-06-25 13:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-563055642-872065215-425065361-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Outdoor\Toshiba_screensaver_ducks.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run32: => "Norton Online Backup"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{8AFD07AF-E11E-4A6C-B3FC-8E52C505F1E0}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{80A23B66-0313-4174-83CC-A33F322A58B9}] => (Allow) LPort=1900
FirewallRules: [{ED8E71CD-9D55-4CA3-9A00-B8C13E88D5B7}] => (Allow) LPort=2869
FirewallRules: [{C42C9C11-7201-4803-8F22-D676678AA92C}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{FA367A04-9832-4465-BF6E-DF1C92DBFB7C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{5E9F0FCE-C981-4CEF-BE8D-E9503C564E9B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{84C18A0A-4D47-4445-9DD4-8422F7AB129F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{564825F7-951C-4098-97AB-4C694BC0BAA9}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{36C39343-87F4-4247-9959-9907D4268BB4}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{84AAC8C9-8FFD-40D2-B285-F4F3AB6F2609}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{136C4785-6EBD-4D24-B1AE-BE7DBEF61191}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{48F09560-AC13-4882-AF75-A2CCE5A51B51}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
 
==================== Restore Points =========================
 
25-05-2017 10:43:53 Windows Update
02-06-2017 01:00:21 Scheduled Checkpoint
07-06-2017 09:17:18 Checkpoint by HitmanPro
08-06-2017 11:24:59 Checkpoint by HitmanPro
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/08/2017 05:08:33 PM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "C:\Program Files\WinZip\adxloader.dll.Manifest".Error in manifest or policy file "C:\Program Files\WinZip\adxloader.dll.Manifest" on line 2.
The manifest file root element must be assembly.
 
Error: (06/08/2017 03:46:01 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Skype.exe version 7.36.0.101 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 10c4
 
Start Time: 01d2e07f6f222567
 
Termination Time: 4294967295
 
Application Path: C:\Program Files (x86)\Skype\Phone\Skype.exe
 
Report Id: 14fa9cdc-4c83-11e7-bf6e-008cfa4233e1
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (06/08/2017 01:57:52 PM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "C:\Program Files\WinZip\adxloader.dll.Manifest".Error in manifest or policy file "C:\Program Files\WinZip\adxloader.dll.Manifest" on line 2.
The manifest file root element must be assembly.
 
Error: (06/08/2017 01:49:01 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/08/2017 01:49:01 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/08/2017 01:49:01 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/08/2017 01:48:49 PM) (Source: Toshiba App Place) (EventID: 0) (User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
   at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
   at System.Timers.Timer.set_Enabled(Boolean value)
   at SnappCloud.ActivationReminder.AraClient.PostInit()
   at SnappCloud.ActivationReminder.Program.Main(String[] args)
 
Error: (06/08/2017 12:13:33 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/08/2017 12:13:33 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/08/2017 12:13:33 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
 
System errors:
=============
Error: (06/08/2017 04:54:39 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.
 
Error: (06/08/2017 01:56:03 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: KFOXT2014)
Description: There was an error while attempting to read the local hosts file.
 
Error: (06/08/2017 01:54:44 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.
 
Error: (06/08/2017 01:47:40 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.
 
Error: (06/08/2017 01:46:36 PM) (Source: DCOM) (EventID: 10005) (User: KFOXT2014)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{9E175B68-F52A-11D8-B9A5-505054503030}
 
Error: (06/08/2017 01:46:36 PM) (Source: DCOM) (EventID: 10005) (User: KFOXT2014)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (06/08/2017 01:44:32 PM) (Source: DCOM) (EventID: 10005) (User: KFOXT2014)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
Error: (06/08/2017 01:44:32 PM) (Source: DCOM) (EventID: 10005) (User: KFOXT2014)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
Error: (06/08/2017 01:44:32 PM) (Source: DCOM) (EventID: 10005) (User: KFOXT2014)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
Error: (06/08/2017 01:44:32 PM) (Source: DCOM) (EventID: 10005) (User: KFOXT2014)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
 
CodeIntegrity:
===================================
  Date: 2013-10-13 18:35:30.200
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\wmi64.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-13 18:35:30.185
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\wmi64.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-13 18:35:30.185
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\wmi64.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-3120M CPU @ 2.50GHz
Percentage of memory in use: 76%
Total physical RAM: 3980.22 MB
Available physical RAM: 939.64 MB
Total Virtual: 5772.22 MB
Available Virtual: 1413.27 MB
 
==================== Drives ================================
 
Drive c: (TI10657300E) (Fixed) (Total:584.51 GB) (Free:438.75 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 596.2 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#4 HelpBot
Bleepin' Binary Bot
  • Bots
  • 12,699 posts

Posted 13 June 2017 - 02:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/648841 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 BettisGuy
  • Topic Starter
  • Members
  • 11 posts

Posted 13 June 2017 - 07:37 PM

Thank you for reviewing my case. The FRST and Addition.txt files are below.

 

I have not gotten any more Zeus pop-ups in Google, so this is good. However, I also never got any malware hits (save some adware when running AdwCleaner) on any of my scans with Malwarebytes, Hitman Pro, NPE, Stinger or Zemana. Nor did anything turn up in rkill scans. My computer is running slow and I am still spooked by some of the issues I had, which make me concerned that something is still lurking. My HOSTS file came up as Chinese characters, though since I deleted and created a new one several days ago it has not changed, and when I downloaded several anti-malware programs (again several days ago) the download created duplicate versions on my computer even though I was careful only to click download once.

 

The logs don't show anything this amateur can identify as an obvious problem, but the fact that no viruses or malware appeared in the searches makes me worried I am still not clean.

 

The main current symptom is slow speeds and some program-opening errors I got from MS Office programs. This may be related to running so many anti-malware programs; I do not know.

 

Thanks in advance for any assistance. 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-06-2017 01
Ran by Kevin Fox (administrator) on KFOXT2014 (13-06-2017 20:20:24)
Running from C:\Users\Kevin Fox\Downloads
Loaded Profiles: Kevin Fox (Available Profiles: Kevin Fox)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\nsbu.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\nsbu.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(McAfee, Inc.) C:\Program Files\McAfee\Real Protect\RealProtect.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Hotkey\TCrdMain_Win8.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoResident.exe
(TOSHIBA Corporation) C:\Program Files (x86)\Toshiba\System Setting\TSleepSrv.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\6291\g2mstart.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\6291\g2mcomm.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\6291\g2mlauncher.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(WinZip Computing, S.L.) C:\Program Files\WinZip\FAHWindow64.exe
(Intuit Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE
(WinZip Computing, S.L.) C:\Program Files\WinZip\WzPreloader.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHSrv.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\HDD Accelerator\THAccelSvc.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TPHM\TPCHWMsg.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-11-29] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound HD] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2170784 2012-08-19] (SRS Labs, Inc.)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2608040 2012-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [169896 2012-08-13] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [356776 2012-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2774256 2013-08-28] (Synaptics Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14516464 2017-03-28] (Copyright 2017.)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2995904 2012-07-11] (Symantec Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] => C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60688 2015-12-17] (Apple Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1874264 2011-08-19] (Intuit Inc. All rights reserved.)
HKLM\...\RunOnce: [RealProtect] => C:\Program Files\McAfee\Real Protect\RealProtect.exe [6909112 2017-06-07] (McAfee, Inc.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-563055642-872065215-425065361-1001\...\Run: [GoToMeeting] => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\6291\g2mstart.exe [41536 2017-01-24] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-563055642-872065215-425065361-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9105112 2016-11-15] (Piriform Ltd)
HKU\S-1-5-21-563055642-872065215-425065361-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27716568 2017-05-04] (Skype Technologies S.A.)
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FAH.lnk [2017-03-16]
ShortcutTarget: FAH.lnk -> C:\Program Files\WinZip\FAHConsole.exe (WinZip Computing, S.L.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2014-01-05]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2014-01-05]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2014-01-05]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Update Notifier.lnk [2017-03-16]
ShortcutTarget: Update Notifier.lnk -> C:\Program Files\WinZip\WZUpdateNotifier.exe (WinZip)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Preloader.lnk [2017-03-16]
ShortcutTarget: WinZip Preloader.lnk -> C:\Program Files\WinZip\WzPreloader.exe (WinZip Computing, S.L.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 172.20.100.1
Tcpip\..\Interfaces\{A4BA80D2-CC1E-4490-9427-638AC20A9338}: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{AEA546A8-DA47-443D-B5E0-7C7434483502}: [DhcpNameServer] 172.20.100.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://home.toshiba.com?cid=J13
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://home.toshiba.com?cid=J13
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
HKU\S-1-5-21-563055642-872065215-425065361-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
SearchScopes: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> DefaultScope {D1F746A6-BD09-450A-8B81-4BDFACC0809B} URL = 
SearchScopes: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> {D1F746A6-BD09-450A-8B81-4BDFACC0809B} URL = 
BHO: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
BHO-x32: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security with Backup\Engine32\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32_CP21-15858/webex/ieatgpc.cab
Handler-x32: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll [2014-01-05] (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Kevin Fox\AppData\Roaming\Mozilla\Firefox\Profiles\k5ouqhxs.default [2017-06-13]
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.7.0.76\coFFAddon
FF Extension: (Norton Security Toolbar) - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.7.0.76\coFFAddon [2017-05-23]
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NSBU_22.7.0.76\coFFAddon
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_171.dll [2017-05-09] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_171.dll [2017-05-09] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3503.0728 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-07-28] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-563055642-872065215-425065361-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Kevin Fox\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-03-05] (Citrix Online)
FF Plugin HKU\S-1-5-21-563055642-872065215-425065361-1001: @zoom.us/ZoomVideoPlugin -> C:\Users\Kevin Fox\AppData\Roaming\Zoom\bin\npzoomplugin.dll [2015-02-12] (Zoom Video Communications, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Kevin Fox\AppData\Roaming\mozilla\plugins\npatgpc.dll [2015-12-22] (Cisco WebEx LLC)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR NewTab: Default ->  Not-active:"chrome-extension://gfoabcdjalmeenbjjngidappmppchblc/homePageRedirect.html"
CHR DefaultSearchURL: Default -> hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11908
CHR DefaultSearchKeyword: Default -> NortonSafe
CHR DefaultSuggestURL: Default -> hxxps://ss-sym.search.ask.com/ss?q={searchTerms}&li=ff
CHR Profile: C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default [2017-06-13]
CHR Extension: (Norton Security Toolbar) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2017-06-06]
CHR Extension: (Norton Home Page for Chrome) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfoabcdjalmeenbjjngidappmppchblc [2017-06-12]
CHR Extension: (Norton Safe) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbmobhkkblcgdifigjglcjneplefbkmh [2017-06-12]
CHR Extension: (Norton Identity Safe) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2016-07-15]
CHR Extension: (ClassLink OneClick Extension) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgfbgkjjlonelmpenhpfeeljjlcgnkpe [2017-01-14]
CHR Extension: (Cisco WebEx Extension) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2017-04-19]
CHR Extension: (Norton Safe) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgcfemagnogdodbambjhdcmfcpicngl [2016-09-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-12]
CHR Extension: (Chrome Media Router) - C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-14]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\Exts\Chrome.crx [2017-06-04]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\Exts\Chrome.crx [2017-06-04]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135488 2017-06-06] (SurfRight B.V.)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3939008 2012-07-11] (Symantec Corporation)
R2 NSBU; C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\NSBU.exe [326160 2017-05-26] (Symantec Corporation)
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2011-08-20] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2011-08-19] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2011-08-19] (Intuit Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-12-05] (Realtek Semiconductor)
R2 THAccelSvc; C:\Program Files\TOSHIBA\HDD Accelerator\THAccelSvc.exe [214488 2012-08-10] (TOSHIBA CORPORATION)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14516464 2017-03-28] (Copyright 2017.)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 BHDrvx64; C:\Program Files (x86)\Norton Security with Backup\NortonData\22.7.0.76\Definitions\BASHDefs\20170612.001\BHDrvx64.sys [1862784 2017-05-18] (Symantec Corporation)
R1 ccSet_NARA; C:\WINDOWS\system32\drivers\NARAx64\0401000.00B\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
R1 ccSet_NSBU; C:\WINDOWS\system32\drivers\NSBUx64\1609040.008\ccSetx64.sys [174232 2017-05-11] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [507032 2017-05-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [156824 2017-05-11] (Symantec Corporation)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77376 2017-05-25] ()
R1 IDSVia64; C:\Program Files (x86)\Norton Security with Backup\NortonData\22.7.0.76\Definitions\IPSDefs\20170612.001\IDSvia64.sys [1053824 2017-05-24] (Symantec Corporation)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [188312 2017-06-08] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [113592 2017-06-13] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [44960 2017-06-13] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [252832 2017-06-13] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [93600 2017-06-13] (Malwarebytes)
R3 RTWlanE; C:\WINDOWS\system32\DRIVERS\rtwlane.sys [2946264 2013-10-21] (Realtek Semiconductor Corporation                           )
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [43832 2012-08-16] (Synaptics Incorporated)
R3 SRTSP; C:\WINDOWS\System32\Drivers\NSBUx64\1609040.008\SRTSP64.SYS [770712 2017-05-11] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NSBUx64\1609040.008\SRTSPX64.SYS [49304 2017-05-11] (Symantec Corporation)
R0 SymEFASI; C:\WINDOWS\System32\drivers\NSBUx64\1609040.008\SYMEFASI64.SYS [1714328 2017-05-11] (Symantec Corporation)
S0 SymELAM; C:\WINDOWS\System32\drivers\NSBUx64\1609040.008\SymELAM.sys [24608 2017-05-11] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT64x86.SYS [102608 2017-05-19] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NSBUx64\1609040.008\Ironx64.SYS [291480 2017-05-11] (Symantec Corporation)
R1 SymNetS; C:\WINDOWS\System32\Drivers\NSBUx64\1609040.008\SYMNETS.SYS [567496 2017-05-11] (Symantec Corporation)
R0 THAccel; C:\WINDOWS\System32\DRIVERS\THAccel.sys [131520 2012-08-10] (TOSHIBA CORPORATION)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [32624 2013-08-19] (Windows ® Win 7 DDK provider)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2017-06-08] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2017-06-08] (Zemana Ltd.)
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.7.0.76\Definitions\SDSDefs\20170602.003\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.7.0.76\Definitions\SDSDefs\20170602.003\NAVEX15.SYS [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-13 20:19 - 2017-06-13 20:19 - 00000000 ____D C:\WINDOWS\System32\Tasks\Remediation
2017-06-13 18:53 - 2017-06-13 18:58 - 00002190 _____ C:\Users\Kevin Fox\Desktop\Rkill.txt
2017-06-12 13:42 - 2017-06-12 13:45 - 00000000 ____D C:\Users\Kevin Fox\Desktop\Anti-malware
2017-06-09 12:13 - 2017-06-09 12:13 - 00126848 _____ C:\Users\Kevin Fox\AppData\Local\GDIPFONTCACHEV1.DAT
2017-06-09 10:55 - 2017-06-09 10:55 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\Kevin Fox\Downloads\iExplore64.exe
2017-06-09 10:40 - 2017-06-09 10:40 - 00000290 _____ C:\WINDOWS\system32\.crusader
2017-06-09 09:59 - 2017-06-09 09:59 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\Kevin Fox\Downloads\rkill64.exe
2017-06-08 18:13 - 2017-06-08 18:14 - 00030761 _____ C:\Users\Kevin Fox\Downloads\Addition.txt
2017-06-08 18:11 - 2017-06-13 20:21 - 00025498 _____ C:\Users\Kevin Fox\Downloads\FRST.txt
2017-06-08 18:10 - 2017-06-13 20:20 - 00000000 ____D C:\FRST
2017-06-08 18:09 - 2017-06-08 18:09 - 02435072 _____ (Farbar) C:\Users\Kevin Fox\Downloads\FRST64.exe
2017-06-08 17:07 - 2017-06-08 18:19 - 00000000 ____D C:\ProgramData\RogueKiller
2017-06-08 17:04 - 2017-06-08 17:04 - 00000881 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-06-08 17:04 - 2017-06-08 17:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-06-08 17:04 - 2017-06-08 17:04 - 00000000 ____D C:\Program Files\RogueKiller
2017-06-08 16:57 - 2017-06-08 16:59 - 35426672 _____ (Adlice Software ) C:\Users\Kevin Fox\Downloads\RogueKiller_setup_ref3.exe
2017-06-08 14:44 - 2017-06-08 16:02 - 00003123 _____ C:\Users\Kevin Fox\Downloads\FSS.txt
2017-06-08 14:27 - 2017-06-08 14:27 - 00000915 _____ C:\Users\Kevin Fox\Documents\Documents - Shortcut.lnk
2017-06-08 13:55 - 2017-06-08 13:55 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
2017-06-08 13:55 - 2017-06-08 13:55 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
2017-06-08 13:55 - 2017-06-08 13:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-06-08 13:34 - 2017-06-08 13:34 - 00000022 _____ C:\Users\Kevin Fox\Downloads\esetpowelikscleaner.exe_20170608.133434.2528.zip
2017-06-08 13:34 - 2017-06-08 13:34 - 00000022 _____ C:\Users\Kevin Fox\Downloads\esetpowelikscleaner.exe_20170608.133402.2564.zip
2017-06-08 13:33 - 2017-06-08 13:33 - 00549504 _____ (ESET) C:\Users\Kevin Fox\Downloads\esetpowelikscleaner.exe
2017-06-08 13:19 - 2017-06-08 13:19 - 05766464 _____ (Zemana Ltd. ) C:\Users\Kevin Fox\Downloads\eXplorer.exe
2017-06-08 13:17 - 2017-06-08 13:17 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Kevin Fox\Downloads\iExplore.exe
2017-06-08 10:55 - 2017-06-08 13:35 - 00159134 _____ C:\WINDOWS\ntbtlog.txt
2017-06-08 08:52 - 2017-06-08 09:05 - 00236498 _____ C:\TDSSKiller.3.1.0.15_08.06.2017_08.52.24_log.txt
2017-06-07 11:55 - 2017-06-07 12:01 - 00000813 _____ C:\Users\Kevin Fox\Downloads\Stinger_07062017_115541.html
2017-06-07 11:12 - 2017-06-08 10:17 - 00000000 ____D C:\NPE
2017-06-07 11:10 - 2017-06-07 12:05 - 00000122 ___RH C:\Users\Kevin Fox\Downloads\Stinger.opt
2017-06-07 11:10 - 2017-06-07 11:10 - 00000000 ____D C:\Program Files\McAfee
2017-06-07 11:04 - 2017-06-08 16:16 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\NPE
2017-06-07 10:25 - 2017-06-13 19:41 - 00000000 ____D C:\AdwCleaner
2017-06-07 09:25 - 2017-06-07 09:25 - 00001466 _____ C:\WINDOWS\system32\Drivers\etc\hosts.txt
2017-06-07 07:27 - 2017-06-07 07:31 - 00467730 _____ C:\TDSSKiller.3.1.0.15_07.06.2017_07.27.27_log.txt
2017-06-07 07:17 - 2017-06-13 19:44 - 00113592 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-06-07 07:13 - 2017-06-13 19:44 - 00093600 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-06-07 07:11 - 2017-06-07 07:12 - 00498968 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-06-07 06:35 - 2017-06-13 19:44 - 00044960 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-06-07 06:35 - 2017-06-08 13:35 - 00188312 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-06-07 01:05 - 2017-06-13 19:44 - 00252832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-06-07 01:05 - 2017-06-07 01:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-06-07 01:05 - 2017-06-07 01:05 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-07 01:05 - 2017-06-07 01:05 - 00000000 ____D C:\Program Files\Malwarebytes
2017-06-07 01:05 - 2017-05-25 11:58 - 00077376 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-06-07 01:02 - 2017-06-07 01:03 - 00232570 _____ C:\TDSSKiller.3.1.0.15_07.06.2017_01.02.59_log.txt
2017-06-07 00:16 - 2017-06-07 00:18 - 00235620 _____ C:\TDSSKiller.3.1.0.15_07.06.2017_00.16.44_log.txt
2017-06-07 00:12 - 2017-06-07 07:10 - 00000000 ____D C:\WINDOWS\pss
2017-06-06 23:58 - 2017-06-06 23:58 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Kevin Fox\Downloads\rkill.exe
2017-06-06 23:32 - 2017-06-06 23:33 - 04922400 _____ (AO Kaspersky Lab) C:\Users\Kevin Fox\Downloads\tdsskiller.exe
2017-06-06 22:46 - 2017-06-06 22:47 - 00000000 ____D C:\Program Files\HitmanPro
2017-06-06 22:43 - 2017-06-09 10:40 - 00000000 ____D C:\ProgramData\HitmanPro
2017-06-06 21:41 - 2017-06-06 21:49 - 00238302 _____ C:\TDSSKiller.3.1.0.15_06.06.2017_21.41.39_log.txt
2017-06-06 17:58 - 2017-06-06 17:59 - 64232976 _____ (Malwarebytes ) C:\Users\Kevin Fox\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092.exe
2017-06-06 17:45 - 2017-06-13 20:21 - 00151840 _____ C:\WINDOWS\ZAM.krnl.trace
2017-06-06 17:45 - 2017-06-13 20:20 - 00029817 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2017-06-06 17:45 - 2017-06-08 13:55 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2017-06-06 17:45 - 2017-06-06 17:45 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\Zemana
2017-06-06 17:43 - 2017-06-06 17:44 - 05774688 _____ (Zemana Ltd. ) C:\Users\Kevin Fox\Downloads\Zemana.AntiMalware.Setup.exe
2017-06-04 23:25 - 2017-06-04 23:25 - 00003238 _____ C:\WINDOWS\System32\Tasks\Norton WSC Integration
2017-06-02 10:11 - 2017-06-02 10:11 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\CEF
2017-06-02 00:45 - 2017-06-08 14:26 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-06-02 00:45 - 2017-06-02 00:45 - 00002078 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk
2017-06-02 00:44 - 2017-06-02 00:44 - 00000000 ____D C:\Program Files (x86)\Adobe
2017-05-23 08:50 - 2017-06-04 23:30 - 00000000 ____D C:\WINDOWS\System32\Tasks\Norton Security with Backup
2017-05-14 14:46 - 2017-04-28 18:44 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-05-14 14:46 - 2017-04-28 18:44 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-13 20:16 - 2015-03-05 15:25 - 00000606 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-563055642-872065215-425065361-1001.job
2017-06-13 20:00 - 2014-01-03 09:01 - 00000000 ____D C:\Users\Kevin Fox\AppData\Roaming\Skype
2017-06-13 19:45 - 2014-10-20 09:04 - 00000000 ____D C:\Users\Kevin Fox
2017-06-13 19:43 - 2013-08-22 10:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-13 19:13 - 2015-07-06 00:32 - 00000702 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-563055642-872065215-425065361-1001.job
2017-06-13 14:54 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\Inf
2017-06-12 10:11 - 2013-06-10 00:33 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\CrashDumps
2017-06-09 10:07 - 2013-06-09 17:35 - 00003594 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-563055642-872065215-425065361-1001
2017-06-08 14:31 - 2014-09-24 03:15 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-06-08 14:18 - 2013-06-09 17:53 - 00000000 ____D C:\Users\Kevin Fox\Documents\Temp 2011
2017-06-07 11:11 - 2013-08-22 09:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2017-06-07 11:04 - 2012-11-13 02:30 - 00000000 ____D C:\ProgramData\Norton
2017-06-07 10:35 - 2013-08-22 09:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2017-06-07 09:18 - 2013-08-22 09:25 - 00000019 _____ C:\WINDOWS\system32\Drivers\etc\hosts.old
2017-06-06 14:00 - 2016-11-18 11:58 - 00000000 ____D C:\Users\Kevin Fox\AppData\LocalLow\Mozilla
2017-06-04 23:51 - 2015-07-19 17:10 - 00000000 ____D C:\Program Files\Common Files\AV
2017-06-04 23:25 - 2016-07-15 10:45 - 00002470 _____ C:\Users\Public\Desktop\Norton Security with Backup.lnk
2017-06-04 23:25 - 2016-07-15 10:38 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security with Backup
2017-06-04 23:25 - 2016-07-15 10:38 - 00000000 ____D C:\WINDOWS\system32\Drivers\NSBUx64
2017-06-04 13:12 - 2015-07-06 00:32 - 00003712 _____ C:\WINDOWS\System32\Tasks\G2MUploadTask-S-1-5-21-563055642-872065215-425065361-1001
2017-06-04 13:12 - 2015-03-05 15:25 - 00003616 _____ C:\WINDOWS\System32\Tasks\G2MUpdateTask-S-1-5-21-563055642-872065215-425065361-1001
2017-06-02 10:11 - 2013-06-13 00:00 - 00000000 ____D C:\Users\Kevin Fox\AppData\Local\Adobe
2017-06-02 10:09 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-06-02 00:46 - 2015-01-07 08:38 - 00004476 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2017-06-02 00:44 - 2012-11-13 02:28 - 00000000 ____D C:\ProgramData\Adobe
2017-06-01 23:41 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-06-01 21:00 - 2014-02-10 18:47 - 00000000 ____D C:\Users\Kevin Fox\Desktop\Other
2017-05-31 14:16 - 2017-03-31 08:53 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-05-31 14:16 - 2014-01-03 09:01 - 00000000 ____D C:\ProgramData\Skype
2017-05-25 10:54 - 2013-07-31 09:53 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-05-25 10:46 - 2013-06-10 19:05 - 132223576 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-05-24 09:08 - 2014-01-24 16:24 - 00000000 ____D C:\Users\Kevin Fox\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yahoo
2017-05-19 08:48 - 2016-07-15 10:50 - 00102608 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT64x86.SYS
2017-05-19 08:48 - 2016-07-15 10:50 - 00008339 _____ C:\WINDOWS\system32\Drivers\SYMEVENT64x86.CAT
2017-05-14 15:04 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\rescache
2017-05-14 14:40 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
 
==================== Files in the root of some directories =======
 
2017-03-16 14:18 - 2017-03-16 14:40 - 0008704 _____ () C:\Users\Kevin Fox\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-11-07 14:57 - 2013-11-07 14:57 - 0000017 _____ () C:\Users\Kevin Fox\AppData\Local\resmon.resmoncfg
2014-09-13 08:41 - 2014-09-13 08:41 - 0000000 _____ () C:\Users\Kevin Fox\AppData\Local\{4B017007-7EC2-4299-9D98-0F96E93D4B32}
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-13 19:08
 
==================== End of FRST.txt ============================
 
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-06-2017 01
Ran by Kevin Fox (13-06-2017 20:21:38)
Running from C:\Users\Kevin Fox\Downloads
Windows 8.1 (Update) (X64) (2014-10-20 13:34:04)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-563055642-872065215-425065361-500 - Administrator - Disabled)
Guest (S-1-5-21-563055642-872065215-425065361-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-563055642-872065215-425065361-1003 - Limited - Enabled)
Kevin Fox (S-1-5-21-563055642-872065215-425065361-1001 - Administrator - Enabled) => C:\Users\Kevin Fox
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Security (Enabled - Up to date) {30744133-1E94-7B35-F4A3-82A5AEF1CBAA}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security (Enabled - Up to date) {8B15A0D7-38AE-74BB-CE13-B9D7D5768117}
FW: Norton Security (Enabled) {084FC016-54FB-7A6D-DFFC-2B9050228CD1}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.009.20044 - Adobe Systems Incorporated)
Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.171 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{7FA9ECCF-A2DE-4DA1-BFF3-81260DBDA68F}) (Version: 4.1.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{691F30EB-9009-475A-B8A9-E1BF39598FD5}) (Version: 4.1.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.6 - Atheros Communications Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Bullzip PDF Printer 10.11.0.2338 (HKLM\...\Bullzip PDF Printer_is1) (Version: 10.11.0.2338 - Bullzip)
Canon MP Navigator EX 4.1 (HKLM-x32\...\MP Navigator EX 4.1) (Version:  - )
Canon MX410 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX410_series) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 5.24 - Piriform)
Cisco WebEx Meetings (HKU\S-1-5-21-563055642-872065215-425065361-1001\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DHTML Editing Component (HKLM-x32\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
Fathom 2L (HKLM-x32\...\Fathom 2L) (Version:  - Key Curriculum Press)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 58.0.3029.110 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.33.5 - Google Inc.) Hidden
GoToMeeting 8.6.0.7107 (HKU\S-1-5-21-563055642-872065215-425065361-1001\...\GoToMeeting) (Version: 8.6.0.7107 - CitrixOnline)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.20.286 - SurfRight B.V.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3345 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.5.2.1001 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
iTunes (HKLM\...\{FBEB98F8-64E4-4FA3-A15E-4A9F42FF962E}) (Version: 12.3.2.35 - Apple Inc.)
Malwarebytes version 3.1.2.1733 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.1.2.1733 - Malwarebytes)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4420.1017 - Microsoft Corporation)
Microsoft Office 2007 Primary Interop Assemblies (HKLM-x32\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Small Business 2007 (HKLM-x32\...\SMALLBUSINESSR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
Microsoft Works 6-9 Converter (HKLM-x32\...\{95140000-0137-0409-0000-0000000FF1CE}) (Version: 14.0.6120.5002 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.2.3.45 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.1.0.11 - Symantec Corporation) Hidden
Norton Security (HKLM-x32\...\NSBU) (Version: 22.9.4.8 - Symantec Corporation)
Origin (HKLM-x32\...\Origin) (Version: 9.0.15.60 - Electronic Arts, Inc.)
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
Premium Sound HD (HKLM\...\{94F03B8E-CB73-4653-AFE9-79112C01FED2}) (Version: 1.12.5000 - SRS Labs, Inc.)
QuickBooks (x32 Version: 22.0.4001.2206 - Intuit Inc.) Hidden
QuickBooks Pro 2012 (HKLM-x32\...\{22057D8D-7CC8-46FF-AD8C-9BD24F9014F3}) (Version: 22.0.4001.2206 - Intuit Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6794 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.8400.39030 - Realtek Semiconductor Corp.)
Realtek WLAN Driver (HKLM-x32\...\{9D3D8C60-A55F-4fed-B2B9-173001290E16}) (Version: 2.00.0020 - REALTEK Semiconductor Corp.)
RogueKiller version 12.11.1.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.11.1.0 - Adlice Software)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.36 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.36.101 - Skype Technologies S.A.)
Slideshow Creator (HKLM-x32\...\{4E1A63B1-F547-4CFC-91F7-F32F1A6BF430}_is1) (Version: 2.2 - Bolide Software)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.8.21 - Synaptics Incorporated)
Toshiba App Place (HKLM-x32\...\{ED3CBA78-488F-4E8C-B33F-8E3BF4DDB4D2}) (Version: 1.0.6.3 - Toshiba)
TOSHIBA Application Installer (HKLM-x32\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.4 - TOSHIBA)
Toshiba Book Place (HKLM-x32\...\{24B45620-22B6-4E4A-B836-FF30A0B0404E}) (Version: 3.1.9534 - K-NFB Reading Technology, Inc.)
TOSHIBA Desktop Assist (HKLM\...\{95CCACF0-010D-45F0-82BF-858643D8BC02}) (Version: 1.00.08.6402 - Toshiba Corporation)
TOSHIBA eco Utility (HKLM\...\{5944B9D4-3C2A-48DE-931E-26B31714A2F7}) (Version: 2.0.0.6415 - Toshiba Corporation)
TOSHIBA Function Key (HKLM\...\{16562A90-71BC-41A0-B890-D91B0C267120}) (Version: 1.00.6425.01 - Toshiba Corporation)
TOSHIBA HDD Accelerator (HKLM\...\{DB4D9937-0B14-4EF1-BF9A-BB7E3B9DCB04}) (Version: 1.1.0001 - Toshiba Corporation)
TOSHIBA Password Utility (HKLM-x32\...\{B1786E63-2127-42C9-95A3-146E5F727BF1}) (Version: v1.0.0.8 - TOSHIBA Corporation)
TOSHIBA PC Health Monitor (HKLM\...\{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}) (Version: 1.8.17.640104 - Toshiba Corporation)
TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.8 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.2.0.54043005 - Toshiba Corporation)
TOSHIBA Resolution+ Plug-in for Windows Media Player (HKLM-x32\...\{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}) (Version: 1.2.2.00 - TOSHIBA Corporation)
TOSHIBA Service Station (HKLM\...\{B1F241E1-90BF-4201-8977-A0DF85A38EBB}) (Version: 2.6.16.0 - Toshiba Corporation)
TOSHIBA System Driver (HKLM-x32\...\{1E6A96A1-2BAB-43EF-8087-30437593C66C}) (Version: 1.00.0032 - Toshiba Corporation)
TOSHIBA System Settings (HKLM-x32\...\{05A55927-DB9B-4E26-BA44-828EBFF829F0}) (Version: 1.00.0002.32002 - Toshiba Corporation)
TOSHIBA User's Guide (HKLM-x32\...\{3384E1D9-3F18-4A98-8655-180FEF0DFC02}) (Version: 1.00.02 - TOSHIBA)
TOSHIBA VIDEO PLAYER (HKLM\...\{FF07604E-C860-40E9-A230-E37FA41F103A}) (Version: 5.1.0.12-A - Toshiba Corporation)
TOSHIBARegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.1.6 - TOSHIBA)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Web Easy Professional (HKLM-x32\...\{B651BFCB-C9F3-489C-A2A7-764A12E2C79B}) (Version: 10.1 - Avanquest)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3503.0728 - Microsoft Corporation)
WinZip 21.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C2410D}) (Version: 21.0.12288 - WinZip Computing, S.L. )
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.72.0.345 - Zemana Ltd.)
Zoom (HKU\S-1-5-21-563055642-872065215-425065361-1001\...\ZoomUMX) (Version: 3.5 - Zoom Video Communications, Inc.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-563055642-872065215-425065361-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\6291\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-563055642-872065215-425065361-1001_Classes\CLSID\{CB2B673F-D441-4CD4-AFBE-DC4037CA4220}\InprocServer32 -> C:\Program Files\WinZip\adxloader64.dll ()
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {03023120-C31C-4A81-BBFE-D4722323F4D6} - System32\Tasks\WinZipBackGroundToolsTask => C:\Program Files\WinZip\WzBGTools.exe [2017-02-10] (WinZip Computing, S.L.)
Task: {0E28344B-9A33-4FE0-8A03-7188E5829A83} - System32\Tasks\G2MUploadTask-S-1-5-21-563055642-872065215-425065361-1001 => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\7107\g2mupload.exe [2017-06-04] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {272F416B-116B-4C84-8BBD-A2157D6980C3} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-08-28] (Synaptics Incorporated)
Task: {2998C011-4CA2-4B58-8DBF-BAF4DD14FBA8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {32F52E2F-BFDA-4782-9DE5-FABE8995925E} - System32\Tasks\WinZip Update Notifier => C:\Program Files\WinZip\WZUpdateNotifier.exe [2017-02-10] (WinZip)
Task: {414A1F2F-242B-4A5F-81EA-151F3658325C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {48E46FF8-AF98-4C17-8FE2-877442E0DB94} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2015-08-27] (Apple Inc.)
Task: {4A3FD61D-99C3-4B86-BB97-D85215436B07} - System32\Tasks\Norton Security with Backup\Norton Security with Backup Error Processor => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\SymErr.exe [2017-05-11] (Symantec Corporation)
Task: {4A9DF327-A9B6-40CC-9E94-58DD2B781E08} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security\Upgrade.exe [2017-05-26] (Symantec Corporation)
Task: {53D9EDEE-9647-4A36-918A-1CD1A28443D9} - System32\Tasks\Norton Anti-Theft\Norton Error Processor => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe
Task: {69D3FDA7-DB79-4CE4-B736-BCFC8075CE54} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-05-09] (Adobe Systems Incorporated)
Task: {75E9C93C-FC9C-4968-AF31-EE9FFAFC72ED} - System32\Tasks\TOSHIBA\Service Station => C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe [2014-04-03] (TOSHIBA Corporation)
Task: {94732EA0-9F78-4CF3-8885-7FF06609C373} - System32\Tasks\G2MUpdateTask-S-1-5-21-563055642-872065215-425065361-1001 => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\7107\g2mupdate.exe [2017-06-04] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {CFC8E562-36F2-49BA-AFF9-C7DA962E2302} - System32\Tasks\Norton Anti-Theft\Norton Error Analyzer => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe
Task: {DC11993D-B3E6-40CC-B065-CDA3063C2FD2} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-11-15] (Piriform Ltd)
Task: {DECE4F0E-C7A7-4361-B2D2-F0C81E177248} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-04-25] (Adobe Systems Incorporated)
Task: {E5CFDA94-E6CA-4242-9456-1D264E5ACCBE} - System32\Tasks\Norton Security with Backup\Norton Security with Backup Error Analyzer => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\SymErr.exe [2017-05-11] (Symantec Corporation)
Task: {F715C040-515A-4F41-9EFB-C7C1F5D003D8} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.4.8\WSCStub.exe [2017-05-26] (Symantec Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-563055642-872065215-425065361-1001.job => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\7107\g2mupdate.exe
Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-563055642-872065215-425065361-1001.job => C:\Users\Kevin Fox\AppData\Local\Citrix\GoToMeeting\7107\g2mupload.exe
Task: C:\WINDOWS\Tasks\Synaptics TouchPad Enhancements.job => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
Shortcut: C:\Users\Kevin Fox\Desktop\Other\Yahoo SiteBuilder.lnk -> C:\Program Files (x86)\Yahoo SiteBuilder\ysitebuilder.bat (No File)
Shortcut: C:\Users\Kevin Fox\Desktop\Other\Yahoo! SiteBuilder.lnk -> C:\Program Files (x86)\Yahoo SiteBuilder\ysitebuilder.bat (No File)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-12-17 19:38 - 2015-12-17 19:38 - 00085800 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-12-17 19:38 - 2015-12-17 19:38 - 01328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2017-06-07 01:05 - 2017-05-25 14:11 - 02270664 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2012-07-18 21:38 - 2012-07-18 21:38 - 00020904 _____ () C:\Program Files\TOSHIBA\Hotkey\SmoothView.dll
2012-07-18 21:38 - 2012-07-18 21:38 - 00049064 _____ () C:\Program Files\TOSHIBA\Hotkey\Hotkey\FnZ.dll
2012-08-13 22:13 - 2012-08-13 22:13 - 00018344 _____ () C:\Program Files\Toshiba\Teco\TecoMUI.dll
2012-08-06 10:36 - 2012-08-06 10:36 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2017-05-12 06:50 - 2017-05-09 05:13 - 03767640 _____ () C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\libglesv2.dll
2017-05-12 06:50 - 2017-05-09 05:13 - 00100696 _____ () C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.110\libegl.dll
2017-04-26 15:19 - 2017-04-26 15:19 - 02005976 ____R () C:\Program Files (x86)\Skype\Phone\skypert.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00268648 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\boost_regex-vc90-mt-p-1_33.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00020840 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\QBCompressor.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00379752 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\BackupLib.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00138088 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\QBMAPILibrary.dll
2011-08-19 22:30 - 2011-08-19 22:30 - 00059904 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\zlib1.dll
2011-08-20 02:32 - 2011-08-20 02:32 - 00176488 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\boost_serialization-vc90-mt-p-1_33.dll
2011-08-20 02:33 - 2011-08-20 02:33 - 00042344 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2012\mbpopup.dll
2013-03-14 06:47 - 2012-06-25 13:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-563055642-872065215-425065361-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Outdoor\Toshiba_screensaver_ducks.jpg
DNS Servers: 172.20.100.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run32: => "Norton Online Backup"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{8AFD07AF-E11E-4A6C-B3FC-8E52C505F1E0}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{80A23B66-0313-4174-83CC-A33F322A58B9}] => (Allow) LPort=1900
FirewallRules: [{ED8E71CD-9D55-4CA3-9A00-B8C13E88D5B7}] => (Allow) LPort=2869
FirewallRules: [{C42C9C11-7201-4803-8F22-D676678AA92C}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{FA367A04-9832-4465-BF6E-DF1C92DBFB7C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{5E9F0FCE-C981-4CEF-BE8D-E9503C564E9B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{84C18A0A-4D47-4445-9DD4-8422F7AB129F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{564825F7-951C-4098-97AB-4C694BC0BAA9}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{36C39343-87F4-4247-9959-9907D4268BB4}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{84AAC8C9-8FFD-40D2-B285-F4F3AB6F2609}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{136C4785-6EBD-4D24-B1AE-BE7DBEF61191}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{48F09560-AC13-4882-AF75-A2CCE5A51B51}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
 
==================== Restore Points =========================
 
25-05-2017 10:43:53 Windows Update
02-06-2017 01:00:21 Scheduled Checkpoint
07-06-2017 09:17:18 Checkpoint by HitmanPro
08-06-2017 11:24:59 Checkpoint by HitmanPro
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/13/2017 07:45:27 PM) (Source: Toshiba App Place) (EventID: 0) (User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
   at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
   at System.Timers.Timer.set_Enabled(Boolean value)
   at SnappCloud.ActivationReminder.AraClient.PostInit()
   at SnappCloud.ActivationReminder.Program.Main(String[] args)
 
Error: (06/13/2017 07:45:26 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/13/2017 07:45:26 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/13/2017 07:45:26 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/13/2017 06:47:00 PM) (Source: Microsoft Office 12) (EventID: 2000) (User: )
Description: Accepted Safe Mode action : Microsoft Office Outlook.
 
Error: (06/13/2017 06:33:03 PM) (Source: Toshiba App Place) (EventID: 0) (User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
   at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
   at System.Timers.Timer.set_Enabled(Boolean value)
   at SnappCloud.ActivationReminder.AraClient.PostInit()
   at SnappCloud.ActivationReminder.Program.Main(String[] args)
 
Error: (06/13/2017 06:31:49 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/13/2017 06:31:49 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/13/2017 06:31:49 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (06/13/2017 02:50:25 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
 
System errors:
=============
Error: (06/13/2017 07:55:52 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: KFOXT2014)
Description: There was an error while attempting to read the local hosts file.
 
Error: (06/13/2017 07:50:18 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Security Center service hung on starting.
 
Error: (06/13/2017 07:48:05 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Background Intelligent Transfer Service service hung on starting.
 
Error: (06/13/2017 07:44:28 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.
 
Error: (06/13/2017 07:43:49 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.
 
Error: (06/13/2017 07:42:42 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Apple Mobile Device Service service failed to start due to the following error: 
The pipe has been ended.
 
Error: (06/13/2017 07:42:32 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.
 
Module Path: C:\WINDOWS\system32\Rtlihvs.dll
 
Error: (06/13/2017 07:42:32 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.
 
Module Path: C:\WINDOWS\system32\Rtlihvs.dll
 
Error: (06/13/2017 07:42:25 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.
 
Module Path: C:\WINDOWS\system32\Rtlihvs.dll
 
Error: (06/13/2017 07:41:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The TMachInfo service terminated unexpectedly.  It has done this 1 time(s).
 
 
CodeIntegrity:
===================================
  Date: 2013-10-13 18:35:30.200
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\wmi64.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-13 18:35:30.185
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\wmi64.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2013-10-13 18:35:30.185
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\wmi64.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-3120M CPU @ 2.50GHz
Percentage of memory in use: 66%
Total physical RAM: 3980.22 MB
Available physical RAM: 1322.67 MB
Total Virtual: 5772.22 MB
Available Virtual: 2797.91 MB
 
==================== Drives ================================
 
Drive c: (TI10657300E) (Fixed) (Total:584.51 GB) (Free:438.39 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 596.2 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#6 BettisGuy

  • Topic Starter

  • Members
  • 11 posts

Posted 16 June 2017 - 08:03 AM

I hope someone can take a look at my logs and give me an opinion. Also would appreciate a recommendation on what anti-malware to keep, what to delete from my computer and the best tool/ process for deleting what I don't need. 

 

Quick update is that Malwarebytes blocked a trojan when I was using Explorer the other day, so I am still unsure if something is lurking on my computer, or whether I am still vulnerable somewhere.

 

Thanks for any help!



#7 garioch7


    RCMP Veteran


  • Malware Response Instructor
  • 3,729 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 17 June 2017 - 12:01 PM

BettisGuy:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

Please accept my apologies, on behalf of the Bleeping Computer community. This Forum is very busy and there are only a limited number of trained volunteers to respond to the many requests for assistance. Thank you for your understanding.

I will need some time to review your FRST logs. That could take a day or two.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#8 garioch7


    RCMP Veteran


  • Malware Response Instructor
  • 3,729 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:12:58 AM

Posted 18 June 2017 - 11:19 AM

BettisGuy:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

One of the probable causes of your issues is, as you suspect, having too many security programs providing real-time protection. They interfere with each other and can really slow a computer down. I see remnants of McAfee Real Protect and I will be removing those for you.

Please turn off real-time protection for either Zemana or Malwarebytes. You can keep them both, to provide a "second opinion", but only one should have real-time protection enabled. The choice is up to you as to which one to keep enabled at all times because they are both reputable and well-regarded anti-malware programs. Please see this post by quietman7, one of Bleeping Computer's foremost computer security experts.

As a general rule, using more than one anti-malware program like Malwarebytes, SuperAntispyware, Emsisoft Emergency Kit, Windows Defender in Windows 7 and earlier, Zemana AntiMalware, etc. will not conflict with each other or your anti-virus if using only one of them for real-time protection and the others as stand-alone on demand scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. Using different signature databases will aid in detection and removal of more threats when scanning your system for malware.

Security vendors use different scanning engines and different detection methods such as Heuristic Analysis, Behavioral Analysis, Sandboxing and Signature file detection which can account for discrepancies in scanning outcomes. Depending on how often the anti-virus or anti-malware database is updated can also account for differences in threat detections. Further, each vendor has its own definition (naming standards) of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.

If using multiple anti-malware real-time resident shields together at the same time, there can be conflicts as a result of the overlap in protection. These conflicts are typical when similar applications try to compete for resources and exclusive rights to perform an action. They may identify the activity of each other as suspicious and produce alerts. Further, your anti-virus may detect suspicious activity while anti-malware programs are scanning (reading) files, especially if it uses a heuristic scanning engine, regardless if they are running in real-time or on demand. The anti-virus may even detect as threats, any malware removed by these programs and placed into quarantined areas. This can lead to a repetitive cycle of endless alerts or false alarms that continually warn a threat has been found if the contents of the quarantine folder are not removed before beginning a new security scan. Generally these conflicts are more of an annoyance rather than the significant conflicts which occur when running two anti-virus programs in real time.


.

:step1: Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
(McAfee, Inc.) C:\Program Files\McAfee\Real Protect\RealProtect.exe
C:\Program Files\McAfee
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
Hosts:
SearchScopes: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> DefaultScope {D1F746A6-BD09-450A-8B81-4BDFACC0809B} URL = 
SearchScopes: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> {D1F746A6-BD09-450A-8B81-4BDFACC0809B} URL = 
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
Shortcut: C:\Users\Kevin Fox\Desktop\Other\Yahoo SiteBuilder.lnk -> C:\Program Files (x86)\Yahoo SiteBuilder\ysitebuilder.bat (No File)
Shortcut: C:\Users\Kevin Fox\Desktop\Other\Yahoo! SiteBuilder.lnk -> C:\Program Files (x86)\Yahoo SiteBuilder\ysitebuilder.bat (No File)
EmptyTemp:
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST64.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.


Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#9 BettisGuy

BettisGuy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 18 June 2017 - 03:50 PM

Phil,

 

Thank you very much for reviewing my logs and assisting me. My name is Kevin. I have run the fix you provided and the log is below. In terms of all of the anti-malware programs I have on my computer, I have stopped the real-time protection for Malwarebytes, leaving Zemana running real-time protection. I am happy to keep only what I might routinely need in terms of all of the anti-malware programs. I have an active Norton anti-virus program running and would like to keep that, but not the old McAfee which may have left remnants on my computer. I will follow your recommendations on these matters and really appreciate your help.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-06-2017
Ran by Kevin Fox (18-06-2017 16:29:08) Run:1
Running from C:\Users\Kevin Fox\Downloads
Loaded Profiles: Kevin Fox (Available Profiles: Kevin Fox)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
 
CreateRestorePoint:
CloseProcesses:
(McAfee, Inc.) C:\Program Files\McAfee\Real Protect\RealProtect.exe
C:\Program Files\McAfee
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
Hosts:
SearchScopes: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> DefaultScope {D1F746A6-BD09-450A-8B81-4BDFACC0809B} URL = 
SearchScopes: HKU\S-1-5-21-563055642-872065215-425065361-1001 -> {D1F746A6-BD09-450A-8B81-4BDFACC0809B} URL = 
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
Shortcut: C:\Users\Kevin Fox\Desktop\Other\Yahoo SiteBuilder.lnk -> C:\Program Files (x86)\Yahoo SiteBuilder\ysitebuilder.bat (No File)
Shortcut: C:\Users\Kevin Fox\Desktop\Other\Yahoo! SiteBuilder.lnk -> C:\Program Files (x86)\Yahoo SiteBuilder\ysitebuilder.bat (No File)
EmptyTemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Program Files\McAfee\Real Protect\RealProtect.exe => Could not close process
C:\Program Files\McAfee => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 => key removed successfully
HKLM\Software\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 => key removed successfully
HKLM\Software\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 => key removed successfully
HKLM\Software\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found. 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found. 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found. 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found. 
Hosts restored successfully.
HKU\S-1-5-21-563055642-872065215-425065361-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-563055642-872065215-425065361-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D1F746A6-BD09-450A-8B81-4BDFACC0809B} => key removed successfully
HKLM\Software\Classes\CLSID\{D1F746A6-BD09-450A-8B81-4BDFACC0809B} => key not found. 
HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => key removed successfully
C:\Users\Kevin Fox\Desktop\Other\Yahoo SiteBuilder.lnk => moved successfully
C:\Users\Kevin Fox\Desktop\Other\Yahoo! SiteBuilder.lnk => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14749609 B
Java, Flash, Steam htmlcache => 765 B
Windows/system/drivers => 155934550 B
Edge => 0 B
Chrome => 391755448 B
Firefox => 18551322 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 61706 B
NetworkService => 0 B
Kevin Fox => 69246610 B
 
RecycleBin => 0 B
EmptyTemp: => 628.2 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 16:31:29 ====
 
Thank you again, Phil!
 
Regards,

Kevin
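
As an added example (not code from this thread, and not FRST's own code), here is a small Python script that reads the outcome lines of a fixlog.txt like the one Kevin posted and sorts each "target => outcome" line into applied, benign ("key not found" for a CLSID that was already absent), or needs attention ("Could not ..."), and reports whether FRST said a reboot was needed. The outcome phrases are taken only from the fixlog above and are an assumption about FRST's wording; the embedded sample log is abridged from that post.

```python
"""Summarise the outcome section of an FRST fixlog.txt.

Added example; not part of this thread and not FRST's own code. The outcome
phrases below are only those visible in the fixlog posted above (an assumption
about FRST's wording); anything unrecognised lands in the "other" bucket.
"""
import re
from typing import Dict, List, Tuple

# Phrases FRST uses when a directive took effect (as seen in the posted log).
APPLIED = ("moved successfully", "key removed successfully",
           "value removed successfully", "restored successfully",
           "successfully created", "closed successfully")
# FRST also tries to delete the CLSID class key behind each overlay and
# search-scope entry; "key not found" there only means the key never existed
# (the fixlist already marked those entries "No File"), so it is not a failure.
BENIGN = ("key not found",)
# Anything FRST reports it could not do deserves a second look (e.g. a process
# it could not close) before the fix is called complete.
ATTENTION = ("Could not",)

# "<target> => <outcome>" with an optional trailing full stop.
RESULT_LINE = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+?)\.?\s*$")

# Abridged from the fixlog Kevin posted in this thread.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 18-06-2017
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
C:\Program Files\McAfee
EmptyTemp:
*****************
Restore point was successfully created.
Processes closed successfully.
C:\Program Files\McAfee\Real Protect\RealProtect.exe => Could not close process
C:\Program Files\McAfee => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 => key removed successfully
HKLM\Software\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
Hosts restored successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => key removed successfully
C:\Users\Kevin Fox\Desktop\Other\Yahoo SiteBuilder.lnk => moved successfully
=========== EmptyTemp: ==========
EmptyTemp: => 628.2 MB temporary data Removed.
The system needed a reboot.
"""


def classify(outcome: str) -> str:
    """Map one FRST outcome phrase to applied / benign / attention / other."""
    if any(p in outcome for p in ATTENTION):
        return "attention"
    if any(p in outcome for p in APPLIED):
        return "applied"
    if any(p in outcome for p in BENIGN):
        return "benign"
    return "other"


def result_section(fixlog: str) -> List[str]:
    """Lines between the second '*****' divider (end of the echoed fixlist)
    and the EmptyTemp statistics header, with blank lines dropped."""
    lines = fixlog.splitlines()
    dividers = [i for i, ln in enumerate(lines) if ln.startswith("*****")]
    start = dividers[1] + 1 if len(dividers) >= 2 else 0
    end = next((i for i, ln in enumerate(lines)
                if ln.startswith("=") and "EmptyTemp:" in ln), len(lines))
    return [ln.strip() for ln in lines[start:end] if ln.strip()]


def summarize(fixlog: str) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket every result line as (target, outcome) by its classification."""
    buckets: Dict[str, List[Tuple[str, str]]] = {
        "applied": [], "benign": [], "attention": [], "other": []}
    for line in result_section(fixlog):
        m = RESULT_LINE.match(line)
        # Lines like "Hosts restored successfully." carry no "=>" separator.
        target, outcome = (m["target"], m["outcome"]) if m else (line, line)
        buckets[classify(outcome)].append((target, outcome))
    return buckets


def reboot_required(fixlog: str) -> bool:
    """True when FRST reports that the fix needed a reboot to complete."""
    return "The system needed a reboot." in fixlog


if __name__ == "__main__":
    report = summarize(SAMPLE_FIXLOG)
    print({bucket: len(items) for bucket, items in report.items()})
    for target, outcome in report["attention"]:
        print("needs attention:", target, "->", outcome)
    print("reboot required:", reboot_required(SAMPLE_FIXLOG))
```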


#10 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,729 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:12:58 AM

Posted 19 June 2017 - 11:49 AM

Kevin:
 
Thank you for your "fixlog.txt" log, and for permission to address you by your first name.
 
Your "fixlog.txt" file looks good.
 
.
 
:step1: I would recommend that you uninstall the following two programs from your computer using the Control Panel, Remove Programs; or, using an uninstaller like Revo Uninstaller Pro, which I use and which is very good at getting rid of the "leftovers" that program uninstallers often leave behind (files, folders, and registry entries).
  • HitmanPro 3.7
  • RogueKiller
.
 
:step2: I want to run some standard anti-malware scans.  I know you have run many anti-malware scans, but I would like to see some current scan logs.  Let's start with the ESET Online scan.

ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus; how to do so can be found here.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select: "Enable detection of potentially unwanted applications" - Yes.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.
Don't forget to re-enable your antivirus when finished!

.

:step3: Please run a Malwarebytes scan for me.
  • Please ensure that under "Settings", "Protection", "Scan for rootkits", is turned "On."
  • Please ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended)."
  • Then please scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.

.

Thank you and have a great day, Kevin.

Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#11 BettisGuy

BettisGuy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 20 June 2017 - 07:30 AM

Phil,

 

Thanks again. I have removed RogueKiller and HitmanPro, and run the scans you suggested. The logs for the ESET and Malwarebytes scans are below. ESET showed three items, Malwarebytes was clean.

 

ESET:

 

C:\Users\Kevin Fox\AppData\LocalLow\Sun\Java\jre1.7.0_55\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application cleaned by deleting
C:\Users\Kevin Fox\Downloads\ccsetup524.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Windows\Installer\2e5b86ae.msi a variant of Win32/Systweak.L potentially unwanted application deleted
 
 
Malwarebytes:
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 6/20/17
Scan Time: 7:23 AM
Log File: 
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.141
Update Package Version: 1.0.2192
License: Trial
 
-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: KFOXT2014\Kevin Fox
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 374003
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 25 min, 12 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
 
What do you think? 
I really appreciate all your assistance Phil, Thank you. 
 
Kevin


#12 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,729 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:12:58 AM

Posted 20 June 2017 - 08:59 AM

Kevin:
 
Thank you for your logs.  I am not seeing anything really nefarious in your logs so far.  I know that you have run lots of scans, but as before, I want to see some more logs for myself before declaring your computer clean.
 
.
 
:step1: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin its scan ... please be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button ... a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, then make sure that you uncheck it before running the "Clean" process.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.
  • After the scan has finished ...
  • Uncheck any PUP and adware applications that you want to keep.
  • Then click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Please copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.

:step2: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#13 BettisGuy

BettisGuy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 20 June 2017 - 11:48 AM

Phil,

 

Great! Thank you. Here are the requested logs.

 

AdwCleaner:

 

# AdwCleaner v6.047 - Logfile created 20/06/2017 at 12:29:31
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-19.1 [Server]
# Operating System : Windows 8.1  (X64)
# Username : Kevin Fox - KFOXT2014
# Running from : C:\Users\Kevin Fox\Desktop\Anti-malware\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\Kevin Fox\Favorites\StumbleUpon
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKU\S-1-5-21-563055642-872065215-425065361-1001\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Kevin Fox\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
 
[!] You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences. Please consult this Google help: https://support.google.com/chrome/answer/3097271?hl=en [!]
 
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1643 Bytes] - [07/06/2017 10:28:57]
C:\AdwCleaner\AdwCleaner[C2].txt - [1526 Bytes] - [07/06/2017 12:26:49]
C:\AdwCleaner\AdwCleaner[C3].txt - [1570 Bytes] - [08/06/2017 12:10:00]
C:\AdwCleaner\AdwCleaner[C4].txt - [1629 Bytes] - [09/06/2017 09:52:12]
C:\AdwCleaner\AdwCleaner[C5].txt - [1777 Bytes] - [12/06/2017 09:42:29]
C:\AdwCleaner\AdwCleaner[C6].txt - [2573 Bytes] - [13/06/2017 19:41:47]
C:\AdwCleaner\AdwCleaner[S0].txt - [1894 Bytes] - [07/06/2017 10:27:48]
C:\AdwCleaner\AdwCleaner[S1].txt - [1620 Bytes] - [07/06/2017 12:24:10]
C:\AdwCleaner\AdwCleaner[S2].txt - [1432 Bytes] - [08/06/2017 10:04:05]
C:\AdwCleaner\AdwCleaner[S3].txt - [1898 Bytes] - [08/06/2017 12:05:23]
C:\AdwCleaner\AdwCleaner[S4].txt - [1651 Bytes] - [08/06/2017 14:37:45]
C:\AdwCleaner\AdwCleaner[S5].txt - [1724 Bytes] - [08/06/2017 15:47:45]
C:\AdwCleaner\AdwCleaner[S6].txt - [1797 Bytes] - [09/06/2017 09:50:23]
C:\AdwCleaner\AdwCleaner[S7].txt - [1944 Bytes] - [12/06/2017 09:29:30]
C:\AdwCleaner\AdwCleaner[S8].txt - [2828 Bytes] - [13/06/2017 19:31:44]
C:\AdwCleaner\AdwCleaner[S9].txt - [2846 Bytes] - [20/06/2017 12:29:31]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S9].txt - [2919 Bytes] ##########
 

 

JRT.txt:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 8.1 x64 
Ran by Kevin Fox (Administrator) on Tue 06/20/2017 at 12:38:51.52
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 06/20/2017 at 12:43:00.45
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Thanks,
Kevin


#14 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,729 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:12:58 AM

Posted 20 June 2017 - 12:01 PM

Kevin:
 
Thank you for the logs.  Things are looking pretty clean on your fine computer! :)
 
How is it working now?  If there are any issues, please let me know, in as much detail as possible.
 
If all is good, then we can remove all of the anti-malware tools that I had you download and run for me.

If all is not good, then please skip the rest of the instructions and let me know what issues remain.

.

:step1: Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in Notepad. Please copy and paste the contents of the log into your next reply.

.

Thank you and have a great day.

Regards,
-Phil


 


Member of the Unified Network of Instructors and Trusted Eliminators


#15 BettisGuy

BettisGuy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:58 PM

Posted 20 June 2017 - 12:30 PM

Phil,

 

Thank you. Things seem to be running pretty well, no issues to speak of. Most importantly I feel much more confident now that you have walked me through these steps. I am very thankful to you for that!

 

I have a couple of questions as I remove all this that shouldn't take much more of your time. 

 

1. Norton let me download DelFix but removed it when I launched it. Assuming I have to switch off Norton before I run it?

2. Should I continue to leave one anti-malware program running on my computer in addition to Norton? (It's either Zemana or Malwarebytes I guess, if you have a recommendation there.)

3. If it's running real time do I need to do scans routinely as well?

4. I use CCleaner to get rid of build-ups and caches; am I okay to keep using this?

 

Thank you again, I will run DelFix as soon as you let me know I just have to turn off Norton. 

 

Thanks,

Kevin





