Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Everything is non responding. Do I have a virus or malware?

Non responding

  • Please log in to reply

#1
pb204

pb204

    Member

  • Member
  • PipPip
  • 52 posts

I have a Toshiba PX35 all-in-one with wireless keyboard and wireless mouse purchased in 2013 with Windows 8 installed, but now operating on Windows 10 64 bit with a wifi connection. In recent months I have received intermittent non responding messages from websites on Firefox. Now it is constant. Yesterday I tried to run a scan with Malwarebytes and it stopped scanning part way thru. I was able to access the internet and malwarebytes in safe mode, but the scan did not find anything. Today I was not even able to log on in normal mode. It was like my mouse and keyboard clicks were not going thru and when I was finally able to get them to respond, I got a message to please wait getting windows ready and it shut itself down. I was able to long in Safe mode and I am currently operating in safe mode. Another computer has the same wifi setup with no problems.  I downloaded FRST and ran the scan.  Can someone help me?

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Pat (administrator) on PAT (26-03-2017 16:52:40)
Running from C:\Users\Pat\Downloads
Loaded Profiles: Pat (Available Profiles: Pat)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [TosTogKeyMon] => C:\Program Files\TOSHIBA\Hotkey\TosTogKeyMon.exe [2365792 2013-03-29] (TOSHIBA Corporation)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1549392 2013-03-04] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [178016 2013-08-21] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2556768 2013-08-17] (TOSHIBA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-03-19] (Apple Inc.)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3113592 2015-08-25] (Logitech, Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-27] (Microsoft Corporation)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139776 2016-02-03] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4513792 2014-05-22] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrHelp] => C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe [2009088 2013-01-18] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [67384 2016-03-18] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-06-17] (Apple Inc.)
HKLM-x32\...\Run: [Digital Coupon Print Driver] => C:\Program Files (x86)\Digital Coupon Printer\DigitalCouponPrinter.exe [90048 2015-09-22] (Inmar, Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [Zoner Photo Studio Autoupdate] => C:\Program Files\Zoner\Photo Studio 16\Program32\ZPSTRAY.EXE [833024 2014-06-16] (ZONER software)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [TomTomHOME.exe] => C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [255224 2016-11-29] (TomTom)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [52148864 2016-04-29] (Skype Technologies S.A.)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9105112 2016-11-15] (Piriform Ltd)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1231240 2016-11-13] (Ruiware)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-18\...\RunOnce: [Application Restart #1] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 2016-07-16] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll [2013-12-17] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll [2013-12-17] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll [2013-12-17] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
Startup: C:\Users\Pat\xozof\438a3d.lnk [2016-09-29]
ShortcutTarget: 438a3d.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 216.144.187.199 24.229.54.212 204.186.0.180
Tcpip\..\Interfaces\{08a1b842-f50e-4385-b9b5-e7ecca783a9c}: [DhcpNameServer] 216.144.187.199 24.229.54.212 204.186.0.180

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=130907128730433258&GUID=B9F66AB7-2C77-4F1F-8468-088BF4E72F3D
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://my.yahoo.com/
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
SearchScopes: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001 -> {E2807A52-035B-4014-AAF7-DF2653D33D3A} URL =
BHO: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.11.42\coIEPlg.dll [2015-06-26] (Symantec Corporation)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2009-02-06] (Zeon Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-09-19] (Oracle Corporation)
BHO-x32: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\coIEPlg.dll [2015-06-26] (Symantec Corporation)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-09-19] (Oracle Corporation)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.11.42\coIEPlg.dll [2015-06-26] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\coIEPlg.dll [2015-06-26] (Symantec Corporation)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Pat\AppData\Roaming\TomTom\HOME\Profiles\enrgoumf.default [2017-01-08]
FF Extension: (Emulator) - C:\Users\Pat\AppData\Roaming\TomTom\HOME\Profiles\enrgoumf.default\Extensions\[email protected] [2014-11-14] [not signed]
FF Extension: (Map status indicator) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\[email protected] [2017-01-08] [not signed]
FF ProfilePath: C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155 [2017-03-26]
FF Homepage: Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155 -> hxxps://my.yahoo.com/#
FF Extension: (Search and New Tab by Yahoo) - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155\Extensions\[email protected] [2016-11-21]
FF Extension: (Yahoo! Toolbar) - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155\Extensions\{3F0CE537-A919-4201-9970-00C2820315E4} [2016-06-11]
FF Extension: (Yahoo Toolbar and New Tab) - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}.xpi [2016-12-23]
FF Extension: (Site Deployment Checker) - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155\features\{f98e5567-e8a8-43dc-9683-4aea50b8c002}\[email protected] [2017-03-24]
FF HKLM-x32\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn
FF Extension: (Norton Identity Safe Toolbar) - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn [2017-03-26]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: (Logitech SetPoint) - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2016-06-08] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_127.dll [2017-03-18] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-03-18] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw_1217157.dll [2015-02-16] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2016-03-08] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Users\Pat\Desktop\New folder\Picasa3\npPicasa3.dll [2014-01-06] (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.66 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-09-28] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-09-28] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-09-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-09-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll [2013-12-09] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\Exts\Chrome.crx [2015-03-24]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\Exts\Chrome.crx [2015-03-24]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed]
S2 DACoreService; C:\Program Files (x86)\Nuance\Dragon Assistant\Core\DACore.exe [432528 2013-03-27] (Nuance Communications, Inc.)
S3 dts_apo_service; C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe [19960 2015-05-27] ()
S2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-04-17] (WildTangent)
S2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [337888 2016-05-03] (Intel Corporation)
S2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [732160 2012-12-10] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [803872 2012-12-10] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [130592 2012-10-26] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165488 2012-12-18] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S2 NAT; C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\NAT.exe [232424 2013-10-11] (Symantec Corporation)
S2 NCO; C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe [131144 2015-03-05] (Symantec Corporation)
S3 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [4230016 2013-01-28] (Symantec Corporation)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
S2 PSI_SVC_2_x64; C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ccSet_NARA; C:\WINDOWS\system32\drivers\NARAx64\0403000.00E\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
S1 ccSet_NAT; C:\WINDOWS\system32\drivers\NATx64\010A000.009\ccSetx64.sys [150104 2013-07-29] (Symantec Corporation)
S1 ccSet_NST; C:\WINDOWS\system32\drivers\NSTx64\7DE070B0.02A\ccSetx64.sys [162392 2013-09-27] (Symantec Corporation)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 NETwNe64; C:\WINDOWS\System32\drivers\NETwew01.sys [3343872 2016-07-16] (Intel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
S3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [433912 2016-07-13] (Realsil Semiconductor Corporation)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [54424 2015-07-29] (Toshiba Corporation)
S3 usb3Hub; C:\WINDOWS\System32\drivers\usb3Hub.sys [48024 2013-01-28] (Windows ® Win 7 DDK provider)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 XHCIPort; C:\WINDOWS\System32\drivers\XHCIPort.sys [194456 2013-01-28] (Windows ® Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-26 16:52 - 2017-03-26 16:53 - 00019847 _____ C:\Users\Pat\Downloads\FRST.txt
2017-03-26 16:52 - 2017-03-26 16:52 - 00000000 ____D C:\FRST
2017-03-26 16:51 - 2017-03-26 16:52 - 02424832 _____ (Farbar) C:\Users\Pat\Downloads\FRST64.exe
2017-03-24 21:23 - 2017-03-24 21:24 - 49405136 _____ (Microsoft Corporation) C:\Users\Pat\Downloads\Windows-KB890830-x64-V5.46.exe
2017-03-24 12:30 - 2017-03-26 16:29 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-23 13:37 - 2017-03-23 13:37 - 00013880 ____N C:\bootsqm.dat
2017-03-22 14:36 - 2017-03-26 16:33 - 00005596 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-20 11:58 - 2017-03-20 11:58 - 00237429 _____ C:\Users\Pat\Documents\Contact information lsit.pdf
2017-03-18 17:38 - 2017-03-18 17:38 - 00000000 ____D C:\Users\Pat\AppData\Roaming\WinPatrol
2017-03-18 17:38 - 2017-03-18 17:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
2017-03-18 17:38 - 2017-03-18 17:38 - 00000000 ____D C:\ProgramData\InstallMate
2017-03-18 17:38 - 2017-03-18 17:38 - 00000000 ____D C:\Program Files (x86)\Ruiware
2017-03-18 17:36 - 2017-03-18 17:37 - 01512368 _____ (Ruiware) C:\Users\Pat\Downloads\wpsetup(1).exe
2017-03-18 17:34 - 2017-03-18 17:34 - 00000000 ____D C:\Users\Pat\AppData\Local\Hopster
2017-03-18 17:34 - 2017-03-18 17:34 - 00000000 ____D C:\Program Files (x86)\Digital Coupon Printer
2017-03-18 17:31 - 2017-03-18 17:31 - 18640896 _____ C:\Users\Pat\Downloads\DigitalCouponPrinter-3.50.0.0(1).msi
2017-03-15 14:26 - 2017-03-15 14:26 - 18640896 _____ C:\Users\Pat\Downloads\DigitalCouponPrinter-3.50.0.0.msi
2017-03-13 12:08 - 2017-03-18 17:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2017-03-06 11:57 - 2017-03-22 13:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-26 16:36 - 2016-11-21 13:22 - 00000000 ____D C:\Users\Pat\AppData\LocalLow\Mozilla
2017-03-26 16:28 - 2016-07-16 02:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-03-26 16:27 - 2016-09-27 04:51 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-26 16:27 - 2016-09-27 04:11 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-03-26 15:57 - 2016-07-16 07:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-03-25 18:45 - 2016-07-16 07:45 - 00000000 ____D C:\WINDOWS\INF
2017-03-25 18:43 - 2015-08-06 12:26 - 00000000 __SHD C:\Users\Pat\IntelGraphicsProfiles
2017-03-25 17:59 - 2014-04-25 13:16 - 00113880 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-25 17:54 - 2016-09-27 04:18 - 00000000 ____D C:\Users\Pat
2017-03-24 21:24 - 2013-11-30 09:49 - 138634176 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-03-24 19:07 - 2013-12-18 13:41 - 00000000 ____D C:\Users\Pat\AppData\Local\ElevatedDiagnostics
2017-03-23 12:43 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-22 18:51 - 2013-11-30 22:23 - 00000000 ____D C:\Users\Pat\AppData\Local\CrashDumps
2017-03-22 17:35 - 2013-11-30 09:49 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-03-22 13:01 - 2013-12-01 19:07 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-22 12:17 - 2013-11-30 19:39 - 00015907 _____ C:\WINDOWS\BRRBCOM.INI
2017-03-22 12:08 - 2016-07-16 07:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-18 20:29 - 2016-09-27 04:50 - 00004386 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-03-18 20:29 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-03-18 20:29 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-03-14 12:27 - 2013-11-29 21:00 - 00000000 ___RD C:\Users\Pat\Pictures 10-2013
2017-03-10 01:17 - 2016-07-16 07:49 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-03-10 01:17 - 2016-07-16 07:49 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2013-12-27 13:42 - 2013-12-27 13:42 - 0000288 _____ () C:\Users\Pat\AppData\Roaming\.backup.dm
2017-01-15 17:27 - 2017-01-15 17:45 - 171115806 _____ () C:\Users\Pat\AppData\Roaming\Thunderbird.zip
2014-03-04 17:38 - 2014-03-04 17:38 - 0003584 _____ () C:\Users\Pat\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-09-27 04:14 - 2016-09-27 04:14 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-23 14:32

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Pat (26-03-2017 16:54:17)
Running from C:\Users\Pat\Downloads
Windows 10 Home Version 1607 (X64) (2016-09-27 08:55:47)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3782273632-2773322664-1913436750-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3782273632-2773322664-1913436750-503 - Limited - Disabled)
Guest (S-1-5-21-3782273632-2773322664-1913436750-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3782273632-2773322664-1913436750-1005 - Limited - Enabled)
Pat (S-1-5-21-3782273632-2773322664-1913436750-1001 - Administrator - Enabled) => C:\Users\Pat

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.18)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.18 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.7.157 - Adobe Systems, Inc.)
Amazon Kindle (HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Amazon Kindle) (Version: 1.17.1.44183 - Amazon)
Apple Application Support (32-bit) (HKLM-x32\...\{FE5C2FAA-118D-4509-B51D-3F71CC9E1B3E}) (Version: 4.3 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{2937FD88-C9D6-4B82-B539-37CD0A572F42}) (Version: 4.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2E4AF2A6-50EA-4260-9BA4-5E582D11879A}) (Version: 9.3.0.15 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Athentech Perfectly Clear (HKLM-x32\...\_{12097B7C-04C4-4049-AEBF-0ECE0D6FCEE3}) (Version: 1.0.0.101 - Corel Corporation)
Athentech Perfectly Clear (Version: 1.0.0.101 - Corel Corporation) Hidden
Athentech Perfectly Clear (x32 Version: 1.0.0.101 - Corel Corporation) Hidden
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Brother MFL-Pro Suite MFC-J875DW (HKLM-x32\...\{7B4C83B6-17C1-4BFD-B86D-4D7AD4498CBB}) (Version: 1.0.4.0 - Brother Industries, Ltd.)
CCleaner (HKLM\...\CCleaner) (Version: 5.24 - Piriform)
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Corel KPT Collection (HKLM-x32\...\_{5ACF958F-3106-4F13-B947-FC6DF23E1A53}) (Version: 1.0.0.103 - Corel Corporation)
Corel KPT Collection (x32 Version: 1.0.0.103 - Corel Corporation) Hidden
Corel PaintShop Pro X6 (HKLM-x32\...\_{166D1CB6-DD8A-40DD-9E25-4D31D2D6DE4D}) (Version: 16.2.0.20 - Corel Corporation)
Corel PaintShop Pro X6 (x32 Version: 16.2.0.20 - Corel Corporation) Hidden
Creative Content (x32 Version: 1.0.0.103 - Corel Corporation) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Digital Coupon Printer (HKLM-x32\...\{2CDD20A5-DFDE-4AC0-97DD-F60B1196BF98}) (Version: 3.50.0.0 - Hopster, Inc. an Inmar company)
DocX Viewer version 1.2 (HKLM-x32\...\DocX Viewer_is1) (Version: 1.2 - )
Dragon Assistant Application en-US version 1.5.4 (HKLM-x32\...\{1CCBE73F-4948-4711-8D12-22E2FD65D706}_is1) (Version: 1.5.4 - Nuance Communications, Inc.)
Dragon Assistant Core Recognition Service version 1.1.8 (HKLM-x32\...\{E97BA7A6-46FC-4EBF-B24A-B8362948C696}_is1) (Version: 1.1.8 - Nuance Communications, Inc.)
Dragon Assistant Language Data en-US version 1.1.1 (HKLM-x32\...\{4C0C1E4E-D3B1-4496-98EC-DA14D45EC855}_is1) (Version: 1.1.1 - Nuance Communications, Inc.)
Dragon Assistant version 1.5.4 (HKLM-x32\...\{D57A8269-3BE5-4D10-B882-64D0F2D448BF}_is1) (Version: 1.5.4 - Nuance Communications, Inc.)
DriverDR 6.3.0 (HKLM\...\DriverDR_is1) (Version: 6.3.0.0 - DriverDR.com)
DTS Studio Sound (HKLM-x32\...\{793B70D2-41E9-46AB-9DDC-B34C99D07DB5}) (Version: 1.02.4100 - DTS, Inc.)
Elementals - The Magic Key (x32 Version: 2.2.0.97 - WildTangent) Hidden
FaceFilter v3.02 Standard (HKLM-x32\...\{6020758E-57A9-41E3-AF20-8EE311EA6156}) (Version: 3.02.1506.1 - Reallusion Inc.)
FastStone Image Viewer 4.9 (HKLM-x32\...\FastStone Image Viewer) (Version: 4.9 - FastStone Soft)
FinePixViewer Ver.5.5 (HKLM-x32\...\{24ED4D80-8294-11D5-96CD-0040266301AD}) (Version: 5.5 - FUJIFILM Corporation)
Google+ Auto Backup (HKLM-x32\...\{A50DE037-B5C0-4C8A-8049-B0C576B313D1}) (Version: 1.0.21.81 - Google)
ICA (x32 Version: 16.0.0.113 - Corel Corporation) Hidden
iCloud (HKLM\...\{4B48E22A-2FB0-4EFA-B99E-954B1E50CD69}) (Version: 5.1.0.34 - Apple Inc.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.30.1349 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4276 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel® Update Manager (HKLM-x32\...\{7224B7CE-196C-4E2A-A1AE-1D7BF259FD36}) (Version: 3.4.1942 - Intel Corporation)
Intel® WiDi (HKLM\...\{62E7C369-64FF-452C-8F46-6BE9B77FF097}) (Version: 4.0.18.0 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{c9967fbd-e3c3-4ed0-992a-5b33260f2944}) (Version: 16.1.5 - Intel Corporation)
IPM_PSP_COM (x32 Version: 16.0.0.113 - Corel Corporation) Hidden
IPM_PSP_COM64 (Version: 16.0.0.113 - Corel Corporation) Hidden
iTunes (HKLM\...\{A31C5565-90D9-4615-AE13-94D86C3836C7}) (Version: 12.3.3.17 - Apple Inc.)
Jack of All Tribes (x32 Version: 2.2.0.97 - WildTangent) Hidden
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Junk Mail filter update (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
King Oddball (x32 Version: 3.0.2.48 - WildTangent) Hidden
Logitech SetPoint 6.67 (HKLM\...\sp6) (Version: 6.67.83 - Logitech)
Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.7.133.0 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Works 6-9 Converter (HKLM-x32\...\{95140000-0137-0409-0000-0000000FF1CE}) (Version: 14.0.6120.5002 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
Minesweeper 3.6 (HKLM-x32\...\{93E4BB7D-23B4-4E27-851B-49730D202E18}_is1) (Version: 3.6 - FreeMineSweeper.org)
Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 52.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0.1 (x86 en-US)) (Version: 52.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.1.6284 - Mozilla)
Mozilla Thunderbird 45.8.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 45.8.0 (x86 en-US)) (Version: 45.8.0 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Norton Anti-Theft (HKLM-x32\...\NAT) (Version: 1.10.0.9 - Symantec Corporation)
Norton Identity Safe (HKLM-x32\...\NST) (Version: 2014.7.11.42 - Symantec Corporation)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.7.0.24 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.3.0.14 - Symantec Corporation) Hidden
Nuance PaperPort 12 (HKLM-x32\...\{869FCC6C-5669-4B0B-827E-2BBAACD88A87}) (Version: 12.1.0006 - Nuance Communications, Inc.)
Nuance PDF Viewer Plus (HKLM-x32\...\{28656860-4728-433C-8AD4-D1A930437BC8}) (Version: 5.30.3290 - Nuance Communications, Inc)
OpenOffice 4.0.1 (HKLM-x32\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
Origin (HKLM-x32\...\Origin) (Version: 9.1.12.73 - Electronic Arts, Inc.)
PaperPort Image Printer 64-bit (HKLM\...\{715CAACC-579B-4831-A5F4-A83A8DE3EFE2}) (Version: 14.00.0000 - Nuance Communications, Inc.)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PSPPContent (x32 Version: 16.0.0.113 - Corel Corporation) Hidden
PSPPHelp (x32 Version: 16.1.0.48 - Corel Corporation) Hidden
PSPPro64 (Version: 16.2.0.20 - Corel Corporation) Hidden
QuickTime 7 (HKLM-x32\...\{627FFC10-CE0A-497F-BA2B-208CAC638010}) (Version: 7.77.80.95 - Apple Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10586.31225 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.10.1226.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7885 - Realtek Semiconductor Corp.)
Realtek USB Card Reader (HKLM-x32\...\{1E496A68-4943-424E-829D-5C3C85B7B8F2}) (Version: 6.2.9200.39041 - Realtek Semiconductor Corp.)
Scansoft PDF Professional (x32 Version:  - ) Hidden
Setup (x32 Version: 16.0.0.113 - Corel Corporation) Hidden
Skype™ 7.23 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.23.105 - Skype Technologies S.A.)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TomTom HOME (HKLM-x32\...\{3C595537-D968-48D5-AAB1-CCB2E90FA59A}) (Version: 2.9.94 - TomTom)
TomTom HOME Visual Studio Merge Modules (HKLM-x32\...\{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}) (Version: 1.0.2 - TomTom International B.V.)
Toshiba App Place (HKLM-x32\...\{ED3CBA78-488F-4E8C-B33F-8E3BF4DDB4D2}) (Version: 1.0.6.3 - Toshiba)
TOSHIBA Application Installer (HKLM-x32\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.5 - TOSHIBA)
TOSHIBA Audio Enhancement (HKLM\...\{1515F5E3-29EA-4CD1-A981-032D88880F09}) (Version: 2.0.15.4 - Toshiba Corporation)
TOSHIBA Battery Check Utility (HKLM-x32\...\{5468E297-7EF8-4CB3-A091-F8714147793F}) (Version: 1.00.01.01 - Toshiba Corporation)
Toshiba Book Place (HKLM-x32\...\{11244D6B-9842-440F-8579-6A4D771A0D9B}) (Version: 3.3.9661 - K-NFB Reading Technology, Inc.)
TOSHIBA Desktop Assist (HKLM\...\{C4CDCEF0-0A7A-4425-887C-33E39533D758}) (Version: 1.03.08.6402 - Toshiba Corporation)
TOSHIBA eco Utility (HKLM\...\{5944B9D4-3C2A-48DE-931E-26B31714A2F7}) (Version: 2.2.0.6404 - Toshiba Corporation)
TOSHIBA Function Key (HKLM\...\{16562A90-71BC-41A0-B890-D91B0C267120}) (Version: 1.1.0002.6401 - Toshiba Corporation)
TOSHIBA Password Utility (HKLM-x32\...\{B02384B3-8C5B-4927-A190-E767C8FCFD25}) (Version: v3.0.0.1 - Toshiba Corporation)
TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.8 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 3.0.01.55004008 - Toshiba Corporation)
TOSHIBA Resolution+ Plug-in for Windows Media Player (HKLM-x32\...\{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}) (Version: 1.2.11.1 - Toshiba Corporation)
TOSHIBA Service Station (HKLM\...\{B1F241E1-90BF-4201-8977-A0DF85A38EBB}) (Version: 2.6.16.0 - Toshiba Corporation)
Toshiba Start (HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Pokki_b52b7a05ea010d22183cece45cbb6e86cf917a76) (Version: 1.0.0.0 - Pokki)
TOSHIBA System Driver (HKLM-x32\...\{1E6A96A1-2BAB-43EF-8087-30437593C66C}) (Version: 1.00.0030 - Toshiba Corporation)
TOSHIBA System Settings (HKLM-x32\...\{05A55927-DB9B-4E26-BA44-828EBFF829F0}) (Version: 1.00.0007.32003 - Toshiba Corporation)
TOSHIBA User's Guide (HKLM-x32\...\{3384E1D9-3F18-4A98-8655-180FEF0DFC02}) (Version: 1.00.02 - TOSHIBA)
TOSHIBA VIDEO PLAYER (HKLM\...\{FF07604E-C860-40E9-A230-E37FA41F103A}) (Version: 5.3.50.2  - Toshiba Corporation)
TOSHIBARegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.1.6 - TOSHIBA)
U3Launcher (HKLM-x32\...\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}) (Version: 1.0.0 - U3)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (Toshiba Games) (x32 Version: 4.0.11.2 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WinPatrol (HKLM-x32\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 34.11.2016.27 - Ruiware)
Wonderland Solitaire (x32 Version: 2.2.0.110 - WildTangent) Hidden
Yahoo! Toolbar (HKLM-x32\...\Yahoo! Companion) (Version:  - )
Yahoo! Toolbar (HKLM-x32\...\Yahoo! Toolbar) (Version:  - )
Zero Assumption Recovery Version 9 (HKLM-x32\...\Zero Assumption Recovery_is1) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)
CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {09E7E0A3-8014-4202-B0F2-B5C875A9447D} - System32\Tasks\Norton Online Backup ARA => C:\Program Files (x86)\Norton Online Backup ARA\Engine\4.3.0.14\\Ara.exe [2013-08-27] (Symantec Corporation)
Task: {1504AC22-05F1-4C69-BDB2-F4572B3DE6A4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {193B43B4-CDA6-4094-BEB7-7B4BA4BE0E40} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-12-09] (Microsoft Corporation)
Task: {22388E75-BAC9-42B1-8645-C5187F70B1D1} - System32\Tasks\Norton AntiVirus\Norton Error Processor => C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\SymErr.exe
Task: {29378CCE-AA9B-4B27-899B-260AE379A6C3} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {2A5AC1B1-61AC-42ED-BED7-B027C579F701} - System32\Tasks\Norton Anti-Theft\Norton Error Processor => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe [2013-08-01] (Symantec Corporation)
Task: {33EA85BF-6229-4B7B-A2ED-3C8FC3AB5867} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => %SystemRoot%\System32\AutoWorkplace.exe
Task: {3D389249-CC30-48E6-852F-31F4F56D3F99} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2016-08-26] (Realtek Semiconductor)
Task: {55C5F335-9644-43ED-A5F3-85C661D530B8} - \WPD\SqmUpload_S-1-5-21-3782273632-2773322664-1913436750-1001 -> No File <==== ATTENTION
Task: {5D22C6E7-1F06-4374-9A9B-4B70A408868A} - System32\Tasks\TOSHIBA\Service Station => C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe [2014-04-03] (TOSHIBA Corporation)
Task: {5EBE743E-A94A-47F4-846C-882ADC127971} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {653596CB-380A-49DF-89A5-8A44496E3B29} - System32\Tasks\{9730527E-0513-4557-9D79-3041C7251FBA} => pcalua.exe -a C:\Users\Pat\Downloads\nettool_1270.EXE
Task: {6BCD7D78-3148-4FC9-949E-5FAEBC159FC9} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-03-18] (Adobe Systems Incorporated)
Task: {725FF6FB-B016-443E-B948-9E56D3DB785A} - System32\Tasks\dts_apo_service_task => C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_task.exe [2015-05-27] ()
Task: {86198499-6CAB-4AC7-80C1-6215BBFD34BD} - System32\Tasks\Norton AntiVirus\Norton Error Analyzer => C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\SymErr.exe
Task: {89EDF731-F8F7-481D-91E5-361F2E508211} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {8BBC0024-193C-4656-A9D0-898950BEF1C1} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2016-08-12] (Intel Corporation)
Task: {94652537-6FFE-4316-BC4A-FF8A002C848C} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {94660463-7AAA-4AA5-8875-8B726C54DEE2} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {9D5E9C30-C10E-4CD5-B34D-B399562FE9C0} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {ACF97105-EE10-40A0-BB89-DA42F06732E8} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-12-09] (Microsoft Corporation)
Task: {B35E5EFC-58AE-4011-9075-EC7D57846F64} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-12-09] (Microsoft Corporation)
Task: {B4D0C935-1E5A-4EF5-8CDA-7DC8E57190A7} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {B52B6697-6A05-4DD3-8F40-6B806CE94B69} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {B735A842-9D85-45FF-B1DB-32DFA1796CBC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {BE4E983E-AF1D-4735-8838-8121E661810C} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2015-12-09] (Microsoft)
Task: {BEF158DB-4DB4-4AA1-8907-6607B1E66E2B} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\WSCStub.exe
Task: {C23A92FF-EFFC-4F61-84BF-94FA4B53C326} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2016-08-12] (Intel Corporation)
Task: {D29240DC-17D6-4BDD-85DA-101F042CBB36} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {D42FB530-ED30-4B2A-945C-F2F3DCBFDE95} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {D5DF7C2A-41EA-4A54-95BE-5AE1C325464F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {E6C0F6D3-D81C-421B-AF33-4EF0EDF92870} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {E993BF1A-6D7F-43C6-BC52-2C8BE2BC4553} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-12-09] (Microsoft Corporation)
Task: {EFD023AD-8F32-45FB-ADC5-1B7A6E62049D} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-11-15] (Piriform Ltd)
Task: {F9851894-0F8B-4DB7-AE8A-B1427823E30E} - System32\Tasks\Norton Anti-Theft\Norton Error Analyzer => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe [2013-08-01] (Symantec Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\DriverDR Scheduled Scan.job => C:\Program Files\DriverDR.com\DriverDR\DriverDR.exe --scan C:\Program Files\DriverDR.com

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Pat\AppData\Local\bcae17\143b65.lnk -> C:\Users\Pat\AppData\Local\bcae17\bb6366.bat (No File)

==================== Loaded Modules (Whitelisted) ==============

2016-07-16 07:42 - 2016-07-16 07:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-09-29 13:42 - 2016-09-15 13:25 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-09-29 13:42 - 2016-09-15 13:25 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-09-27 08:05 - 2016-09-27 08:05 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-11-11 16:41 - 2016-11-02 06:30 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-11-11 16:41 - 2016-11-02 06:21 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-11-11 16:41 - 2016-11-02 06:15 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-11-11 16:41 - 2016-11-02 06:14 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-11-11 16:41 - 2016-11-02 06:15 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-11-11 16:41 - 2016-11-02 06:16 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-11-11 16:41 - 2016-11-02 06:17 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_0favicon-2079221766 [10862]
AlternateDataStreams: C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_1favicon1313128964 [10862]
AlternateDataStreams: C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_2favicon-2092717923 [10862]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
iver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 09:25 - 2013-08-22 09:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 216.144.187.199 - 24.229.54.212
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "QuickTime Task"
HKLM\...\StartupApproved\Run32: => "APSDaemon"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "Digital Coupon Print Driver"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "TomTomHOME.exe"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "Zoner Photo Studio Autoupdate"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "OneDriveSetup"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "Skype"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{911BCD39-0E1A-4AB7-B826-D51D806DC78F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{EA6A33F2-A0CA-4FEB-BDBB-8D1ED41808DB}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{9A55A0C2-43FC-41E9-B4CF-722447FCE486}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{ABC264CB-3CDE-4246-83C7-FD9033E3CDBB}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{4849957C-149F-48A5-9D88-90828E233408}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{8BC310CD-51A2-4243-8659-C2829B92D5FB}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{A66FE08E-12D0-4F74-87B8-5FC19B596BB3}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{B4A5F672-CD24-4AE0-BF8B-00CD8C848605}] => (Block) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{CCDEC758-D693-4298-9A25-95A984583094}] => (Block) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{BDDDEA5C-564A-47A8-AE60-78EE86BDD5E5}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{0FBD6B41-4121-4AB8-9AE7-46A10C0A4331}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{E09A3B6F-750E-448E-A82A-A7C92746C90F}] => (Allow) C:\Users\Pat\AppData\Local\Temp\7zS59DB.tmp\SymNRT.exe
FirewallRules: [{84CA1766-31F4-48A3-8C34-A5C7FB080B67}] => (Allow) C:\Users\Pat\AppData\Local\Temp\7zS59DB.tmp\SymNRT.exe
FirewallRules: [{C53C36D3-5F96-4034-B56B-59AF41E5BCB7}] => (Allow) C:\Users\Pat\AppData\Local\Temp\7zS9F4B.tmp\SymNRT.exe
FirewallRules: [{D92F4943-8E61-4709-A2B7-AEF793B9764A}] => (Allow) C:\Users\Pat\AppData\Local\Temp\7zS9F4B.tmp\SymNRT.exe
FirewallRules: [{33F2C413-38A4-48E2-9359-D93732A7F0F5}] => (Allow) C:\Program Files (x86)\Brother\BrLauncher\BrLauncher.exe
FirewallRules: [{3468902C-1911-4F9F-B145-4DF77296F147}] => (Allow) C:\Program Files (x86)\Brother\BrLauncher\BrLauncher.exe
FirewallRules: [{F35A23FF-10DC-4444-8DF7-0686320EB7DC}] => (Allow) C:\Program Files (x86)\Brother\BrLauncher\BrLauncher.exe
FirewallRules: [{B587612F-6887-4ACC-A678-D88D1BE77DD6}] => (Allow) C:\Program Files (x86)\Brother\BrLauncher\BrLauncher.exe
FirewallRules: [{A5085C5D-2570-41CC-B0FE-0DE11D2A5A14}] => (Allow) C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{5A8E1D26-2824-4AD9-BC2D-D04ED12AB1A6}] => (Allow) LPort=54925
FirewallRules: [{F30EC9B7-7ED3-49DC-96B9-608C895A4376}] => (Allow) C:\Program Files (x86)\Brother\Brmfl13b\FAXRX.EXE
FirewallRules: [{AC0DF1DC-0428-45A3-803E-97E1766A0A9D}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{3499F1C8-BB2F-4F1C-A40D-BE0A09160956}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{E702CD7B-C250-4CDC-A264-F0478EBCCBFE}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{86E864A6-E5B8-42E8-B2D4-2E6CB8D929EA}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{7D86998C-C8DC-4ADF-B96E-A7DFFB4984B5}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{B3C4FC37-5453-4BA7-8A6F-32CD0910EA25}] => (Allow) LPort=2869
FirewallRules: [{94C7D0CF-6D24-46A9-A231-456EF9C2EC31}] => (Allow) LPort=1900
FirewallRules: [{70747C94-7A44-4159-9E17-7876E859720A}] => (Allow) LPort=15600

==================== Restore Points =========================

06-03-2017 14:02:54 Windows Update
13-03-2017 11:23:37 Windows Update
18-03-2017 17:32:11 Installed Digital Coupon Printer
22-03-2017 17:32:01 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/26/2017 04:30:12 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PAT)
Description: Activation of app Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/25/2017 06:37:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SearchUI.exe, version: 10.0.14393.447, time stamp: 0x5819bdb2
Faulting module name: CSGSuggestLib.dll, version: 0.0.0.0, time stamp: 0x5819bc90
Exception code: 0xc0000005
Fault offset: 0x00000000000177f9
Faulting process id: 0x960
Faulting application start time: 0x01d2a5b27179ff2e
Faulting application path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
Report Id: 99d9238a-e603-4210-9e3a-86ae44afd772
Faulting package full name: Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI

Error: (03/25/2017 05:55:08 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PAT)
Description: Activation of app Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/25/2017 05:47:49 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "select * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'" could not be reactivated in namespace "//./root" because of error 0x80041033. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/25/2017 05:47:49 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root namespace does not exist. The query will be ignored.

Error: (03/25/2017 05:47:49 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.

Error: (03/25/2017 05:47:49 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.

Error: (03/25/2017 05:47:49 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root namespace does not exist. The query will be ignored.

Error: (03/25/2017 05:47:49 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/subscription namespace does not exist. The query will be ignored.

Error: (03/25/2017 05:47:49 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root/subscription namespace does not exist. The query will be ignored.


System errors:
=============
Error: (03/26/2017 04:56:02 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (03/26/2017 04:55:52 PM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/26/2017 04:52:51 PM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/26/2017 04:52:04 PM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/26/2017 04:50:10 PM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/26/2017 04:46:21 PM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/26/2017 04:46:04 PM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/26/2017 04:45:59 PM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/26/2017 04:44:04 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (03/26/2017 04:44:04 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.


==================== Memory info ===========================

Processor: Intel® Core™ i5-3230M CPU @ 2.60GHz
Percentage of memory in use: 18%
Total physical RAM: 8056.15 MB
Available physical RAM: 6542.09 MB
Total Virtual: 9336.15 MB
Available Virtual: 8015.58 MB

==================== Drives ================================

Drive c: (TI10665000G) (Fixed) (Total:917.82 GB) (Free:690.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================


Edited by pb204, 26 March 2017 - 04:09 PM.

  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
 
Download the attached fixlist.txt to the same location as FRST
Attached File  fixlist.txt   7.29KB   47 downloads
 
 
Run FRST and press Fix
A fix log will be generated please post that 
 
See if you can boot into regular mode
Run FRST again as before.  Make sure Addition.txt is checked and hit Scan.  Post both logs.
 

  • 0

#3
pb204

pb204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

fix log :

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Pat (27-03-2017 11:07:41) Run:1
Running from C:\Users\Pat\Downloads
Loaded Profiles: Pat (Available Profiles: Pat)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
Startup: C:\Users\Pat\xozof\438a3d.lnk [2016-09-29]
ShortcutTarget: 438a3d.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001 -> {E2807A52-035B-4014-AAF7-DF2653D33D3A} URL =
Task: {1504AC22-05F1-4C69-BDB2-F4572B3DE6A4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {33EA85BF-6229-4B7B-A2ED-3C8FC3AB5867} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {55C5F335-9644-43ED-A5F3-85C661D530B8} - \WPD\SqmUpload_S-1-5-21-3782273632-2773322664-1913436750-1001 -> No File <==== ATTENTION
Task: {653596CB-380A-49DF-89A5-8A44496E3B29} - System32\Tasks\{9730527E-0513-4557-9D79-3041C7251FBA} => pcalua.exe -a C:\Users\Pat\Downloads\nettool_1270.EXE
Task: {89EDF731-F8F7-481D-91E5-361F2E508211} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {94652537-6FFE-4316-BC4A-FF8A002C848C} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {94660463-7AAA-4AA5-8875-8B726C54DEE2} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {9D5E9C30-C10E-4CD5-B34D-B399562FE9C0} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {B4D0C935-1E5A-4EF5-8CDA-7DC8E57190A7} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {B52B6697-6A05-4DD3-8F40-6B806CE94B69} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {B735A842-9D85-45FF-B1DB-32DFA1796CBC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {D5DF7C2A-41EA-4A54-95BE-5AE1C325464F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {E6C0F6D3-D81C-421B-AF33-4EF0EDF92870} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\DriverDR Scheduled Scan.job => C:\Program Files\DriverDR.com\DriverDR\DriverDR.exe --scan C:\Program Files\DriverDR.com
AlternateDataStreams: C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_0favicon-2079221766 [10862]
AlternateDataStreams: C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_1favicon1313128964 [10862]
AlternateDataStreams: C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_2favicon-2092717923 [10862]
C:\Users\Pat\xozof
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => key removed successfully
HKCR\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => key removed successfully
HKCR\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => key removed successfully
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => key removed successfully
HKCR\Wow6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => key removed successfully
HKCR\Wow6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => key removed successfully
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => key removed successfully
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1 => key removed successfully
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2 => key removed successfully
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3 => key removed successfully
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
C:\Users\Pat\xozof\438a3d.lnk => moved successfully
C:\Windows\System32\cmd.exe => moved successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E2807A52-035B-4014-AAF7-DF2653D33D3A} => key removed successfully
HKCR\CLSID\{E2807A52-035B-4014-AAF7-DF2653D33D3A} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1504AC22-05F1-4C69-BDB2-F4572B3DE6A4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1504AC22-05F1-4C69-BDB2-F4572B3DE6A4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{33EA85BF-6229-4B7B-A2ED-3C8FC3AB5867} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{33EA85BF-6229-4B7B-A2ED-3C8FC3AB5867} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{55C5F335-9644-43ED-A5F3-85C661D530B8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{55C5F335-9644-43ED-A5F3-85C661D530B8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-3782273632-2773322664-1913436750-1001 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{653596CB-380A-49DF-89A5-8A44496E3B29} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{653596CB-380A-49DF-89A5-8A44496E3B29} => key removed successfully
C:\WINDOWS\System32\Tasks\{9730527E-0513-4557-9D79-3041C7251FBA} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{9730527E-0513-4557-9D79-3041C7251FBA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{89EDF731-F8F7-481D-91E5-361F2E508211} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{89EDF731-F8F7-481D-91E5-361F2E508211} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{94652537-6FFE-4316-BC4A-FF8A002C848C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{94652537-6FFE-4316-BC4A-FF8A002C848C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{94660463-7AAA-4AA5-8875-8B726C54DEE2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{94660463-7AAA-4AA5-8875-8B726C54DEE2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9D5E9C30-C10E-4CD5-B34D-B399562FE9C0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9D5E9C30-C10E-4CD5-B34D-B399562FE9C0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B4D0C935-1E5A-4EF5-8CDA-7DC8E57190A7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B4D0C935-1E5A-4EF5-8CDA-7DC8E57190A7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B52B6697-6A05-4DD3-8F40-6B806CE94B69} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B52B6697-6A05-4DD3-8F40-6B806CE94B69} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B735A842-9D85-45FF-B1DB-32DFA1796CBC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B735A842-9D85-45FF-B1DB-32DFA1796CBC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D5DF7C2A-41EA-4A54-95BE-5AE1C325464F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D5DF7C2A-41EA-4A54-95BE-5AE1C325464F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E6C0F6D3-D81C-421B-AF33-4EF0EDF92870} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E6C0F6D3-D81C-421B-AF33-4EF0EDF92870} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => moved successfully
C:\WINDOWS\Tasks\DriverDR Scheduled Scan.job => moved successfully
C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website => ":TASKICON_0favicon-2079221766" ADS removed successfully.
C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website => ":TASKICON_1favicon1313128964" ADS removed successfully.
C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website => ":TASKICON_2favicon-2092717923" ADS removed successfully.
C:\Users\Pat\xozof => moved successfully

========= for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" =========


========= End of CMD: =========


==== End of Fixlog 11:07:42 ====

 

will now close safe mode and try to boot into normal mode


  • 0

#4
pb204

pb204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

I am again logged in in Safe mode. Per above instructions from RKinner, I ran the fix in Safe mode, posted the log above and then I tried Normal mode and was unsuccessful in logging into the internet or email from any venue that I tried.  I tried Thunderbird, Firefox, Microsoft Edge and Verizon Yahoo, each one either gave a non responding message that I was not able to closeout and had to shutdown and restart or it shutdown the program on its own.

 

When I first logged into normal mode I got a popup alert from Win Patrol that said: " Win Patrol noticed a program previously set to run automatically on startup will no longer use this function.  It may be this option was changed or the entire program has been removed or updated:  Windows Command Processor  C:\windows\system32\cmd.exe  If you want this program to automatically start you may need to re-install or update its auto startup option.  (OK box).

 

The other thing that I noticed, when I logged into normal mode, was that I did not get a popup alert that I have been getting for several months:  Windows cannot find  'c:\users\pat\appdata\903694\14d643.d1225ac'. Make sure you typed the name correctly, and then try again. 

 

At one point I deleted that profile from appdata and had no problems with Thunderbird, but continued to get the alert.  I always just exited the box. I thought it had something to do with an old Thunderbird profile.  At a later point, Thunderbird lost my current profile and I was not able to reselect it, so I copied it from my husband's computer onto a flashdrive and reinstalled it. That popup alert still continued after I reinstalled my profile.  I am still able to access my email thru Thunderbird in Safe Mode.

 

What can I do now?


  • 0

#5
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP

Run FRST again as before.  Make sure Addition.txt is checked and hit Scan.  Post both logs.

 

Let's run Rogue Killer
 
 
Portable 64 bits  <==This one
 
Download and Save.
 
 
 
Right click on the downloaded file (RogueKillerX64.exe or RogueKiller.exe)
 
Start Scan
Start Scan
 
Will take about 20 minutes to complete.
 
Open Report
Export TXT (save it to your desktop as rk) Save
 
Do not let Rogue Killer remove anything until you hear from me.  Leave Rogue Killer up (but minimized) so you won't have to rescan.
 
Open rk.txt and copy and paste it to your next Reply. 
 
 
Get Process Explorer
 
Save it to your desktop then run it (Vista or Win7+ - right click and Run As Administrator).  
 
View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures
 
 
Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  
 
Wait a full minute then:
 
File, Save As, Save.  Note the file name.   Open the file  on your desktop and copy and paste the text to a reply.
 

  • 0

#6
pb204

pb204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

frst log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Pat (administrator) on PAT (28-03-2017 09:24:53)
Running from C:\Users\Pat\Downloads
Loaded Profiles: Pat (Available Profiles: Pat)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [TosTogKeyMon] => C:\Program Files\TOSHIBA\Hotkey\TosTogKeyMon.exe [2365792 2013-03-29] (TOSHIBA Corporation)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1549392 2013-03-04] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [178016 2013-08-21] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2556768 2013-08-17] (TOSHIBA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-03-19] (Apple Inc.)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3113592 2015-08-25] (Logitech, Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-27] (Microsoft Corporation)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139776 2016-02-03] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4513792 2014-05-22] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrHelp] => C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe [2009088 2013-01-18] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [67384 2016-03-18] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-06-17] (Apple Inc.)
HKLM-x32\...\Run: [Digital Coupon Print Driver] => C:\Program Files (x86)\Digital Coupon Printer\DigitalCouponPrinter.exe [90048 2015-09-22] (Inmar, Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [Zoner Photo Studio Autoupdate] => C:\Program Files\Zoner\Photo Studio 16\Program32\ZPSTRAY.EXE [833024 2014-06-16] (ZONER software)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [TomTomHOME.exe] => C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [255224 2016-11-29] (TomTom)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [52148864 2016-04-29] (Skype Technologies S.A.)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9105112 2016-11-15] (Piriform Ltd)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1231240 2016-11-13] (Ruiware)
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-18\...\RunOnce: [Application Restart #1] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 2016-07-16] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll [2013-12-17] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll [2013-12-17] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll [2013-12-17] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 216.144.187.199 24.229.54.212 204.186.0.180
Tcpip\..\Interfaces\{08a1b842-f50e-4385-b9b5-e7ecca783a9c}: [DhcpNameServer] 216.144.187.199 24.229.54.212 204.186.0.180

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=130907128730433258&GUID=B9F66AB7-2C77-4F1F-8468-088BF4E72F3D
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://my.yahoo.com/
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://home.toshiba.com?cid=J13
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
BHO: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.11.42\coIEPlg.dll [2015-06-26] (Symantec Corporation)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2009-02-06] (Zeon Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-09-19] (Oracle Corporation)
BHO-x32: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\coIEPlg.dll [2015-06-26] (Symantec Corporation)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-09-19] (Oracle Corporation)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.11.42\coIEPlg.dll [2015-06-26] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\coIEPlg.dll [2015-06-26] (Symantec Corporation)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Pat\AppData\Roaming\TomTom\HOME\Profiles\enrgoumf.default [2017-01-08]
FF Extension: (Emulator) - C:\Users\Pat\AppData\Roaming\TomTom\HOME\Profiles\enrgoumf.default\Extensions\[email protected] [2014-11-14] [not signed]
FF Extension: (Map status indicator) - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\[email protected] [2017-01-08] [not signed]
FF ProfilePath: C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155 [2017-03-28]
FF Homepage: Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155 -> hxxps://my.yahoo.com/#
FF Extension: (Search and New Tab by Yahoo) - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155\Extensions\[email protected] [2016-11-21]
FF Extension: (Yahoo! Toolbar) - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155\Extensions\{3F0CE537-A919-4201-9970-00C2820315E4} [2016-06-11]
FF Extension: (Yahoo Toolbar and New Tab) - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}.xpi [2016-12-23]
FF Extension: (Site Deployment Checker) - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\ze71kmce.default-1464798093155\features\{f98e5567-e8a8-43dc-9683-4aea50b8c002}\[email protected] [2017-03-24]
FF HKLM-x32\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn
FF Extension: (Norton Identity Safe Toolbar) - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn [2017-03-28]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: (Logitech SetPoint) - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2016-06-08] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_127.dll [2017-03-18] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-03-18] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw_1217157.dll [2015-02-16] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2016-03-08] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Users\Pat\Desktop\New folder\Picasa3\npPicasa3.dll [2014-01-06] (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.66 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-09-28] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-09-28] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-09-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-09-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\4\NP_wtapp.dll [2013-12-09] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\Exts\Chrome.crx [2015-03-24]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\Exts\Chrome.crx [2015-03-24]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed]
S2 DACoreService; C:\Program Files (x86)\Nuance\Dragon Assistant\Core\DACore.exe [432528 2013-03-27] (Nuance Communications, Inc.)
S3 dts_apo_service; C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe [19960 2015-05-27] ()
S2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-04-17] (WildTangent)
S2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [337888 2016-05-03] (Intel Corporation)
S2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [732160 2012-12-10] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [803872 2012-12-10] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [130592 2012-10-26] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [177376 2016-08-12] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165488 2012-12-18] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S2 NAT; C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\NAT.exe [232424 2013-10-11] (Symantec Corporation)
S2 NCO; C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe [131144 2015-03-05] (Symantec Corporation)
S3 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [4230016 2013-01-28] (Symantec Corporation)
S2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
S2 PSI_SVC_2_x64; C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ccSet_NARA; C:\WINDOWS\system32\drivers\NARAx64\0403000.00E\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
S1 ccSet_NAT; C:\WINDOWS\system32\drivers\NATx64\010A000.009\ccSetx64.sys [150104 2013-07-29] (Symantec Corporation)
S1 ccSet_NST; C:\WINDOWS\system32\drivers\NSTx64\7DE070B0.02A\ccSetx64.sys [162392 2013-09-27] (Symantec Corporation)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 NETwNe64; C:\WINDOWS\System32\drivers\NETwew01.sys [3343872 2016-07-16] (Intel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
S3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [433912 2016-07-13] (Realsil Semiconductor Corporation)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [54424 2015-07-29] (Toshiba Corporation)
S3 usb3Hub; C:\WINDOWS\System32\drivers\usb3Hub.sys [48024 2013-01-28] (Windows ® Win 7 DDK provider)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 XHCIPort; C:\WINDOWS\System32\drivers\XHCIPort.sys [194456 2013-01-28] (Windows ® Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-27 11:47 - 2017-03-28 09:08 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-27 11:07 - 2017-03-27 11:07 - 00013203 _____ C:\Users\Pat\Downloads\Fixlog.txt
2017-03-26 16:54 - 2017-03-26 16:56 - 00040345 _____ C:\Users\Pat\Downloads\Addition.txt
2017-03-26 16:52 - 2017-03-28 09:25 - 00018589 _____ C:\Users\Pat\Downloads\FRST.txt
2017-03-26 16:52 - 2017-03-28 09:24 - 00000000 ____D C:\FRST
2017-03-26 16:51 - 2017-03-26 16:52 - 02424832 _____ (Farbar) C:\Users\Pat\Downloads\FRST64.exe
2017-03-24 21:23 - 2017-03-24 21:24 - 49405136 _____ (Microsoft Corporation) C:\Users\Pat\Downloads\Windows-KB890830-x64-V5.46.exe
2017-03-23 13:37 - 2017-03-23 13:37 - 00013880 ____N C:\bootsqm.dat
2017-03-22 14:36 - 2017-03-27 11:52 - 00009950 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-20 11:58 - 2017-03-20 11:58 - 00237429 _____ C:\Users\Pat\Documents\Contact information lsit.pdf
2017-03-18 17:38 - 2017-03-18 17:38 - 00000000 ____D C:\Users\Pat\AppData\Roaming\WinPatrol
2017-03-18 17:38 - 2017-03-18 17:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
2017-03-18 17:38 - 2017-03-18 17:38 - 00000000 ____D C:\ProgramData\InstallMate
2017-03-18 17:38 - 2017-03-18 17:38 - 00000000 ____D C:\Program Files (x86)\Ruiware
2017-03-18 17:36 - 2017-03-18 17:37 - 01512368 _____ (Ruiware) C:\Users\Pat\Downloads\wpsetup(1).exe
2017-03-18 17:34 - 2017-03-18 17:34 - 00000000 ____D C:\Users\Pat\AppData\Local\Hopster
2017-03-18 17:34 - 2017-03-18 17:34 - 00000000 ____D C:\Program Files (x86)\Digital Coupon Printer
2017-03-18 17:31 - 2017-03-18 17:31 - 18640896 _____ C:\Users\Pat\Downloads\DigitalCouponPrinter-3.50.0.0(1).msi
2017-03-15 14:26 - 2017-03-15 14:26 - 18640896 _____ C:\Users\Pat\Downloads\DigitalCouponPrinter-3.50.0.0.msi
2017-03-13 12:08 - 2017-03-18 17:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2017-03-06 11:57 - 2017-03-22 13:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-28 09:23 - 2016-11-21 13:22 - 00000000 ____D C:\Users\Pat\AppData\LocalLow\Mozilla
2017-03-28 09:06 - 2016-09-27 04:51 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-27 16:21 - 2016-07-16 02:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-03-27 16:20 - 2016-09-27 04:11 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-03-27 11:31 - 2016-09-27 04:18 - 00000000 ____D C:\Users\Pat
2017-03-27 11:20 - 2016-07-16 07:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-03-25 18:45 - 2016-07-16 07:45 - 00000000 ____D C:\WINDOWS\INF
2017-03-25 18:43 - 2015-08-06 12:26 - 00000000 __SHD C:\Users\Pat\IntelGraphicsProfiles
2017-03-25 17:59 - 2014-04-25 13:16 - 00113880 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-24 21:24 - 2013-11-30 09:49 - 138634176 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-03-24 19:07 - 2013-12-18 13:41 - 00000000 ____D C:\Users\Pat\AppData\Local\ElevatedDiagnostics
2017-03-23 12:43 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-22 18:51 - 2013-11-30 22:23 - 00000000 ____D C:\Users\Pat\AppData\Local\CrashDumps
2017-03-22 17:35 - 2013-11-30 09:49 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-03-22 13:01 - 2013-12-01 19:07 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-22 12:17 - 2013-11-30 19:39 - 00015907 _____ C:\WINDOWS\BRRBCOM.INI
2017-03-22 12:08 - 2016-07-16 07:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-18 20:29 - 2016-09-27 04:50 - 00004386 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-03-18 20:29 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-03-18 20:29 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-03-14 12:27 - 2013-11-29 21:00 - 00000000 ___RD C:\Users\Pat\Pictures 10-2013
2017-03-10 01:17 - 2016-07-16 07:49 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-03-10 01:17 - 2016-07-16 07:49 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2013-12-27 13:42 - 2013-12-27 13:42 - 0000288 _____ () C:\Users\Pat\AppData\Roaming\.backup.dm
2017-01-15 17:27 - 2017-01-15 17:45 - 171115806 _____ () C:\Users\Pat\AppData\Roaming\Thunderbird.zip
2014-03-04 17:38 - 2014-03-04 17:38 - 0003584 _____ () C:\Users\Pat\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-09-27 04:14 - 2016-09-27 04:14 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD.

LastRegBack: 2017-03-23 14:32

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Pat (28-03-2017 09:26:32)
Running from C:\Users\Pat\Downloads
Windows 10 Home Version 1607 (X64) (2016-09-27 08:55:47)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3782273632-2773322664-1913436750-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3782273632-2773322664-1913436750-503 - Limited - Disabled)
Guest (S-1-5-21-3782273632-2773322664-1913436750-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3782273632-2773322664-1913436750-1005 - Limited - Enabled)
Pat (S-1-5-21-3782273632-2773322664-1913436750-1001 - Administrator - Enabled) => C:\Users\Pat

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.18)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.18 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.7.157 - Adobe Systems, Inc.)
Amazon Kindle (HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Amazon Kindle) (Version: 1.17.1.44183 - Amazon)
Apple Application Support (32-bit) (HKLM-x32\...\{FE5C2FAA-118D-4509-B51D-3F71CC9E1B3E}) (Version: 4.3 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{2937FD88-C9D6-4B82-B539-37CD0A572F42}) (Version: 4.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2E4AF2A6-50EA-4260-9BA4-5E582D11879A}) (Version: 9.3.0.15 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Athentech Perfectly Clear (HKLM-x32\...\_{12097B7C-04C4-4049-AEBF-0ECE0D6FCEE3}) (Version: 1.0.0.101 - Corel Corporation)
Athentech Perfectly Clear (Version: 1.0.0.101 - Corel Corporation) Hidden
Athentech Perfectly Clear (x32 Version: 1.0.0.101 - Corel Corporation) Hidden
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Brother MFL-Pro Suite MFC-J875DW (HKLM-x32\...\{7B4C83B6-17C1-4BFD-B86D-4D7AD4498CBB}) (Version: 1.0.4.0 - Brother Industries, Ltd.)
CCleaner (HKLM\...\CCleaner) (Version: 5.24 - Piriform)
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Corel KPT Collection (HKLM-x32\...\_{5ACF958F-3106-4F13-B947-FC6DF23E1A53}) (Version: 1.0.0.103 - Corel Corporation)
Corel KPT Collection (x32 Version: 1.0.0.103 - Corel Corporation) Hidden
Corel PaintShop Pro X6 (HKLM-x32\...\_{166D1CB6-DD8A-40DD-9E25-4D31D2D6DE4D}) (Version: 16.2.0.20 - Corel Corporation)
Corel PaintShop Pro X6 (x32 Version: 16.2.0.20 - Corel Corporation) Hidden
Creative Content (x32 Version: 1.0.0.103 - Corel Corporation) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Digital Coupon Printer (HKLM-x32\...\{2CDD20A5-DFDE-4AC0-97DD-F60B1196BF98}) (Version: 3.50.0.0 - Hopster, Inc. an Inmar company)
DocX Viewer version 1.2 (HKLM-x32\...\DocX Viewer_is1) (Version: 1.2 - )
Dragon Assistant Application en-US version 1.5.4 (HKLM-x32\...\{1CCBE73F-4948-4711-8D12-22E2FD65D706}_is1) (Version: 1.5.4 - Nuance Communications, Inc.)
Dragon Assistant Core Recognition Service version 1.1.8 (HKLM-x32\...\{E97BA7A6-46FC-4EBF-B24A-B8362948C696}_is1) (Version: 1.1.8 - Nuance Communications, Inc.)
Dragon Assistant Language Data en-US version 1.1.1 (HKLM-x32\...\{4C0C1E4E-D3B1-4496-98EC-DA14D45EC855}_is1) (Version: 1.1.1 - Nuance Communications, Inc.)
Dragon Assistant version 1.5.4 (HKLM-x32\...\{D57A8269-3BE5-4D10-B882-64D0F2D448BF}_is1) (Version: 1.5.4 - Nuance Communications, Inc.)
DriverDR 6.3.0 (HKLM\...\DriverDR_is1) (Version: 6.3.0.0 - DriverDR.com)
DTS Studio Sound (HKLM-x32\...\{793B70D2-41E9-46AB-9DDC-B34C99D07DB5}) (Version: 1.02.4100 - DTS, Inc.)
Elementals - The Magic Key (x32 Version: 2.2.0.97 - WildTangent) Hidden
FaceFilter v3.02 Standard (HKLM-x32\...\{6020758E-57A9-41E3-AF20-8EE311EA6156}) (Version: 3.02.1506.1 - Reallusion Inc.)
FastStone Image Viewer 4.9 (HKLM-x32\...\FastStone Image Viewer) (Version: 4.9 - FastStone Soft)
FinePixViewer Ver.5.5 (HKLM-x32\...\{24ED4D80-8294-11D5-96CD-0040266301AD}) (Version: 5.5 - FUJIFILM Corporation)
Google+ Auto Backup (HKLM-x32\...\{A50DE037-B5C0-4C8A-8049-B0C576B313D1}) (Version: 1.0.21.81 - Google)
ICA (x32 Version: 16.0.0.113 - Corel Corporation) Hidden
iCloud (HKLM\...\{4B48E22A-2FB0-4EFA-B99E-954B1E50CD69}) (Version: 5.1.0.34 - Apple Inc.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.30.1349 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4276 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel® Update Manager (HKLM-x32\...\{7224B7CE-196C-4E2A-A1AE-1D7BF259FD36}) (Version: 3.4.1942 - Intel Corporation)
Intel® WiDi (HKLM\...\{62E7C369-64FF-452C-8F46-6BE9B77FF097}) (Version: 4.0.18.0 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{c9967fbd-e3c3-4ed0-992a-5b33260f2944}) (Version: 16.1.5 - Intel Corporation)
IPM_PSP_COM (x32 Version: 16.0.0.113 - Corel Corporation) Hidden
IPM_PSP_COM64 (Version: 16.0.0.113 - Corel Corporation) Hidden
iTunes (HKLM\...\{A31C5565-90D9-4615-AE13-94D86C3836C7}) (Version: 12.3.3.17 - Apple Inc.)
Jack of All Tribes (x32 Version: 2.2.0.97 - WildTangent) Hidden
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Junk Mail filter update (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
King Oddball (x32 Version: 3.0.2.48 - WildTangent) Hidden
Logitech SetPoint 6.67 (HKLM\...\sp6) (Version: 6.67.83 - Logitech)
Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.7.133.0 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Works 6-9 Converter (HKLM-x32\...\{95140000-0137-0409-0000-0000000FF1CE}) (Version: 14.0.6120.5002 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
Minesweeper 3.6 (HKLM-x32\...\{93E4BB7D-23B4-4E27-851B-49730D202E18}_is1) (Version: 3.6 - FreeMineSweeper.org)
Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 52.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0.1 (x86 en-US)) (Version: 52.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.1.6284 - Mozilla)
Mozilla Thunderbird 45.8.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 45.8.0 (x86 en-US)) (Version: 45.8.0 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Norton Anti-Theft (HKLM-x32\...\NAT) (Version: 1.10.0.9 - Symantec Corporation)
Norton Identity Safe (HKLM-x32\...\NST) (Version: 2014.7.11.42 - Symantec Corporation)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.7.0.24 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.3.0.14 - Symantec Corporation) Hidden
Nuance PaperPort 12 (HKLM-x32\...\{869FCC6C-5669-4B0B-827E-2BBAACD88A87}) (Version: 12.1.0006 - Nuance Communications, Inc.)
Nuance PDF Viewer Plus (HKLM-x32\...\{28656860-4728-433C-8AD4-D1A930437BC8}) (Version: 5.30.3290 - Nuance Communications, Inc)
OpenOffice 4.0.1 (HKLM-x32\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
Origin (HKLM-x32\...\Origin) (Version: 9.1.12.73 - Electronic Arts, Inc.)
PaperPort Image Printer 64-bit (HKLM\...\{715CAACC-579B-4831-A5F4-A83A8DE3EFE2}) (Version: 14.00.0000 - Nuance Communications, Inc.)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PSPPContent (x32 Version: 16.0.0.113 - Corel Corporation) Hidden
PSPPHelp (x32 Version: 16.1.0.48 - Corel Corporation) Hidden
PSPPro64 (Version: 16.2.0.20 - Corel Corporation) Hidden
QuickTime 7 (HKLM-x32\...\{627FFC10-CE0A-497F-BA2B-208CAC638010}) (Version: 7.77.80.95 - Apple Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10586.31225 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.10.1226.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7885 - Realtek Semiconductor Corp.)
Realtek USB Card Reader (HKLM-x32\...\{1E496A68-4943-424E-829D-5C3C85B7B8F2}) (Version: 6.2.9200.39041 - Realtek Semiconductor Corp.)
Scansoft PDF Professional (x32 Version:  - ) Hidden
Setup (x32 Version: 16.0.0.113 - Corel Corporation) Hidden
Skype™ 7.23 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.23.105 - Skype Technologies S.A.)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TomTom HOME (HKLM-x32\...\{3C595537-D968-48D5-AAB1-CCB2E90FA59A}) (Version: 2.9.94 - TomTom)
TomTom HOME Visual Studio Merge Modules (HKLM-x32\...\{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}) (Version: 1.0.2 - TomTom International B.V.)
Toshiba App Place (HKLM-x32\...\{ED3CBA78-488F-4E8C-B33F-8E3BF4DDB4D2}) (Version: 1.0.6.3 - Toshiba)
TOSHIBA Application Installer (HKLM-x32\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.5 - TOSHIBA)
TOSHIBA Audio Enhancement (HKLM\...\{1515F5E3-29EA-4CD1-A981-032D88880F09}) (Version: 2.0.15.4 - Toshiba Corporation)
TOSHIBA Battery Check Utility (HKLM-x32\...\{5468E297-7EF8-4CB3-A091-F8714147793F}) (Version: 1.00.01.01 - Toshiba Corporation)
Toshiba Book Place (HKLM-x32\...\{11244D6B-9842-440F-8579-6A4D771A0D9B}) (Version: 3.3.9661 - K-NFB Reading Technology, Inc.)
TOSHIBA Desktop Assist (HKLM\...\{C4CDCEF0-0A7A-4425-887C-33E39533D758}) (Version: 1.03.08.6402 - Toshiba Corporation)
TOSHIBA eco Utility (HKLM\...\{5944B9D4-3C2A-48DE-931E-26B31714A2F7}) (Version: 2.2.0.6404 - Toshiba Corporation)
TOSHIBA Function Key (HKLM\...\{16562A90-71BC-41A0-B890-D91B0C267120}) (Version: 1.1.0002.6401 - Toshiba Corporation)
TOSHIBA Password Utility (HKLM-x32\...\{B02384B3-8C5B-4927-A190-E767C8FCFD25}) (Version: v3.0.0.1 - Toshiba Corporation)
TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.8 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 3.0.01.55004008 - Toshiba Corporation)
TOSHIBA Resolution+ Plug-in for Windows Media Player (HKLM-x32\...\{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}) (Version: 1.2.11.1 - Toshiba Corporation)
TOSHIBA Service Station (HKLM\...\{B1F241E1-90BF-4201-8977-A0DF85A38EBB}) (Version: 2.6.16.0 - Toshiba Corporation)
Toshiba Start (HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\Pokki_b52b7a05ea010d22183cece45cbb6e86cf917a76) (Version: 1.0.0.0 - Pokki)
TOSHIBA System Driver (HKLM-x32\...\{1E6A96A1-2BAB-43EF-8087-30437593C66C}) (Version: 1.00.0030 - Toshiba Corporation)
TOSHIBA System Settings (HKLM-x32\...\{05A55927-DB9B-4E26-BA44-828EBFF829F0}) (Version: 1.00.0007.32003 - Toshiba Corporation)
TOSHIBA User's Guide (HKLM-x32\...\{3384E1D9-3F18-4A98-8655-180FEF0DFC02}) (Version: 1.00.02 - TOSHIBA)
TOSHIBA VIDEO PLAYER (HKLM\...\{FF07604E-C860-40E9-A230-E37FA41F103A}) (Version: 5.3.50.2  - Toshiba Corporation)
TOSHIBARegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.1.6 - TOSHIBA)
U3Launcher (HKLM-x32\...\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}) (Version: 1.0.0 - U3)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (Toshiba Games) (x32 Version: 4.0.11.2 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WinPatrol (HKLM-x32\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 34.11.2016.27 - Ruiware)
Wonderland Solitaire (x32 Version: 2.2.0.110 - WildTangent) Hidden
Yahoo! Toolbar (HKLM-x32\...\Yahoo! Companion) (Version:  - )
Yahoo! Toolbar (HKLM-x32\...\Yahoo! Toolbar) (Version:  - )
Zero Assumption Recovery Version 9 (HKLM-x32\...\Zero Assumption Recovery_is1) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)
CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3782273632-2773322664-1913436750-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {09E7E0A3-8014-4202-B0F2-B5C875A9447D} - System32\Tasks\Norton Online Backup ARA => C:\Program Files (x86)\Norton Online Backup ARA\Engine\4.3.0.14\\Ara.exe [2013-08-27] (Symantec Corporation)
Task: {193B43B4-CDA6-4094-BEB7-7B4BA4BE0E40} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-12-09] (Microsoft Corporation)
Task: {22388E75-BAC9-42B1-8645-C5187F70B1D1} - System32\Tasks\Norton AntiVirus\Norton Error Processor => C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\SymErr.exe
Task: {29378CCE-AA9B-4B27-899B-260AE379A6C3} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {2A5AC1B1-61AC-42ED-BED7-B027C579F701} - System32\Tasks\Norton Anti-Theft\Norton Error Processor => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe [2013-08-01] (Symantec Corporation)
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => %SystemRoot%\System32\AutoWorkplace.exe
Task: {3D389249-CC30-48E6-852F-31F4F56D3F99} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2016-08-26] (Realtek Semiconductor)
Task: {5D22C6E7-1F06-4374-9A9B-4B70A408868A} - System32\Tasks\TOSHIBA\Service Station => C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe [2014-04-03] (TOSHIBA Corporation)
Task: {5EBE743E-A94A-47F4-846C-882ADC127971} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {6BCD7D78-3148-4FC9-949E-5FAEBC159FC9} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-03-18] (Adobe Systems Incorporated)
Task: {725FF6FB-B016-443E-B948-9E56D3DB785A} - System32\Tasks\dts_apo_service_task => C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_task.exe [2015-05-27] ()
Task: {86198499-6CAB-4AC7-80C1-6215BBFD34BD} - System32\Tasks\Norton AntiVirus\Norton Error Analyzer => C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\SymErr.exe
Task: {8BBC0024-193C-4656-A9D0-898950BEF1C1} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2016-08-12] (Intel Corporation)
Task: {ACF97105-EE10-40A0-BB89-DA42F06732E8} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-12-09] (Microsoft Corporation)
Task: {B35E5EFC-58AE-4011-9075-EC7D57846F64} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2015-12-09] (Microsoft Corporation)
Task: {BE4E983E-AF1D-4735-8838-8121E661810C} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2015-12-09] (Microsoft)
Task: {BEF158DB-4DB4-4AA1-8907-6607B1E66E2B} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\WSCStub.exe
Task: {C23A92FF-EFFC-4F61-84BF-94FA4B53C326} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2016-08-12] (Intel Corporation)
Task: {D29240DC-17D6-4BDD-85DA-101F042CBB36} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {D42FB530-ED30-4B2A-945C-F2F3DCBFDE95} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {E993BF1A-6D7F-43C6-BC52-2C8BE2BC4553} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2015-12-09] (Microsoft Corporation)
Task: {EFD023AD-8F32-45FB-ADC5-1B7A6E62049D} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-11-15] (Piriform Ltd)
Task: {F9851894-0F8B-4DB7-AE8A-B1427823E30E} - System32\Tasks\Norton Anti-Theft\Norton Error Analyzer => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.10.0.9\SymErr.exe [2013-08-01] (Symantec Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Pat\AppData\Local\bcae17\143b65.lnk -> C:\Users\Pat\AppData\Local\bcae17\bb6366.bat (No File)

==================== Loaded Modules (Whitelisted) ==============

2016-07-16 07:42 - 2016-07-16 07:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-09-29 13:42 - 2016-09-15 13:25 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-09-29 13:42 - 2016-09-15 13:25 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-09-27 08:05 - 2016-09-27 08:05 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-11-11 16:41 - 2016-11-02 06:30 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-11-11 16:41 - 2016-11-02 06:21 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-11-11 16:41 - 2016-11-02 06:15 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-11-11 16:41 - 2016-11-02 06:14 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-11-11 16:41 - 2016-11-02 06:15 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-11-11 16:41 - 2016-11-02 06:16 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-11-11 16:41 - 2016-11-02 06:17 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
iver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 09:25 - 2013-08-22 09:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 216.144.187.199 - 24.229.54.212
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "QuickTime Task"
HKLM\...\StartupApproved\Run32: => "APSDaemon"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "Digital Coupon Print Driver"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "TomTomHOME.exe"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "Zoner Photo Studio Autoupdate"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "OneDriveSetup"
HKU\S-1-5-21-3782273632-2773322664-1913436750-1001\...\StartupApproved\Run: => "Skype"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{911BCD39-0E1A-4AB7-B826-D51D806DC78F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{EA6A33F2-A0CA-4FEB-BDBB-8D1ED41808DB}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{9A55A0C2-43FC-41E9-B4CF-722447FCE486}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{ABC264CB-3CDE-4246-83C7-FD9033E3CDBB}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{4849957C-149F-48A5-9D88-90828E233408}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{8BC310CD-51A2-4243-8659-C2829B92D5FB}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{A66FE08E-12D0-4F74-87B8-5FC19B596BB3}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{B4A5F672-CD24-4AE0-BF8B-00CD8C848605}] => (Block) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{CCDEC758-D693-4298-9A25-95A984583094}] => (Block) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{BDDDEA5C-564A-47A8-AE60-78EE86BDD5E5}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{0FBD6B41-4121-4AB8-9AE7-46A10C0A4331}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{E09A3B6F-750E-448E-A82A-A7C92746C90F}] => (Allow) C:\Users\Pat\AppData\Local\Temp\7zS59DB.tmp\SymNRT.exe
FirewallRules: [{84CA1766-31F4-48A3-8C34-A5C7FB080B67}] => (Allow) C:\Users\Pat\AppData\Local\Temp\7zS59DB.tmp\SymNRT.exe
FirewallRules: [{C53C36D3-5F96-4034-B56B-59AF41E5BCB7}] => (Allow) C:\Users\Pat\AppData\Local\Temp\7zS9F4B.tmp\SymNRT.exe
FirewallRules: [{D92F4943-8E61-4709-A2B7-AEF793B9764A}] => (Allow) C:\Users\Pat\AppData\Local\Temp\7zS9F4B.tmp\SymNRT.exe
FirewallRules: [{33F2C413-38A4-48E2-9359-D93732A7F0F5}] => (Allow) C:\Program Files (x86)\Brother\BrLauncher\BrLauncher.exe
FirewallRules: [{3468902C-1911-4F9F-B145-4DF77296F147}] => (Allow) C:\Program Files (x86)\Brother\BrLauncher\BrLauncher.exe
FirewallRules: [{F35A23FF-10DC-4444-8DF7-0686320EB7DC}] => (Allow) C:\Program Files (x86)\Brother\BrLauncher\BrLauncher.exe
FirewallRules: [{B587612F-6887-4ACC-A678-D88D1BE77DD6}] => (Allow) C:\Program Files (x86)\Brother\BrLauncher\BrLauncher.exe
FirewallRules: [{A5085C5D-2570-41CC-B0FE-0DE11D2A5A14}] => (Allow) C:\Users\Pat\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{5A8E1D26-2824-4AD9-BC2D-D04ED12AB1A6}] => (Allow) LPort=54925
FirewallRules: [{F30EC9B7-7ED3-49DC-96B9-608C895A4376}] => (Allow) C:\Program Files (x86)\Brother\Brmfl13b\FAXRX.EXE
FirewallRules: [{AC0DF1DC-0428-45A3-803E-97E1766A0A9D}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{3499F1C8-BB2F-4F1C-A40D-BE0A09160956}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{E702CD7B-C250-4CDC-A264-F0478EBCCBFE}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{86E864A6-E5B8-42E8-B2D4-2E6CB8D929EA}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{7D86998C-C8DC-4ADF-B96E-A7DFFB4984B5}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{B3C4FC37-5453-4BA7-8A6F-32CD0910EA25}] => (Allow) LPort=2869
FirewallRules: [{94C7D0CF-6D24-46A9-A231-456EF9C2EC31}] => (Allow) LPort=1900
FirewallRules: [{70747C94-7A44-4159-9E17-7876E859720A}] => (Allow) LPort=15600

==================== Restore Points =========================

06-03-2017 14:02:54 Windows Update
13-03-2017 11:23:37 Windows Update
18-03-2017 17:32:11 Installed Digital Coupon Printer
22-03-2017 17:32:01 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/28/2017 09:21:41 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PAT)
Description: Activation of app microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/28/2017 09:19:04 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PAT)
Description: Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/28/2017 09:08:39 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PAT)
Description: Activation of app Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/27/2017 11:52:05 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3001) (User: NT AUTHORITY)
Description: The performance counter name string value in the registry is not formatted correctly. The malformed string is WMI Objects. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (03/27/2017 11:48:13 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PAT)
Description: Activation of app Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/27/2017 10:59:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PAT)
Description: Activation of app Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (03/27/2017 10:56:29 AM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "select * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'" could not be reactivated in namespace "//./root" because of error 0x80041033. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/27/2017 10:56:29 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/subscription namespace does not exist. The query will be ignored.

Error: (03/27/2017 10:56:29 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.

Error: (03/27/2017 10:56:29 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.


System errors:
=============
Error: (03/28/2017 09:28:23 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (03/28/2017 09:28:12 AM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/28/2017 09:25:04 AM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/28/2017 09:24:30 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (03/28/2017 09:24:30 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (03/28/2017 09:24:30 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (03/28/2017 09:24:24 AM) (Source: DCOM) (EventID: 10005) (User: PAT)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (03/28/2017 09:23:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (03/28/2017 09:23:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (03/28/2017 09:23:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.


==================== Memory info ===========================

Processor: Intel® Core™ i5-3230M CPU @ 2.60GHz
Percentage of memory in use: 19%
Total physical RAM: 8056.15 MB
Available physical RAM: 6488.81 MB
Total Virtual: 9336.15 MB
Available Virtual: 7978.98 MB

==================== Drives ================================

Drive c: (TI10665000G) (Fixed) (Total:917.82 GB) (Free:689.91 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================

 

Rogue Killer text:

 

RogueKiller V12.10.2.0 (x64) [Mar 27 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.co...ad/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Safe mode with network support
User : Pat [Administrator]
Started from : C:\Users\Pat\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 03/28/2017 10:07:34 (Duration : 00:41:36)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[PUP.Pokki|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Pokki -> Found
[PUP.Pokki|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Pokki -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\usyndication.com -> Found
[PUP.Pokki|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Pokki -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\usyndication.com -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://home.toshiba.com?cid=J13 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://home.toshiba.com?cid=J13 -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://home.toshiba.com?cid=J13 -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3782273632-2773322664-1913436750-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 216.144.187.199 24.229.54.212 204.186.0.180 ([United States][-][United States])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{08a1b842-f50e-4385-b9b5-e7ecca783a9c} | DhcpNameServer : 216.144.187.199 24.229.54.212 204.186.0.180 ([United States][-][United States])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E09A3B6F-750E-448E-A82A-A7C92746C90F} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Pat\AppData\Local\Temp\7zS59DB.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {84CA1766-31F4-48A3-8C34-A5C7FB080B67} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Pat\AppData\Local\Temp\7zS59DB.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C53C36D3-5F96-4034-B56B-59AF41E5BCB7} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Pat\AppData\Local\Temp\7zS9F4B.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D92F4943-8E61-4709-A2B7-AEF793B9764A} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Pat\AppData\Local\Temp\7zS9F4B.tmp\SymNRT.exe|Name=Norton Removal Tool| [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 21 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\Yahoo! Companion -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dragons of Atlantis.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"cfada041afdc4a11092a096cac66ab6a0945d92b" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Edgeworld.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"2e9d53cc2b402b6e65aa9551308ca17a19c4721a" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Goodgame Empire.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"149b46d4a102c0304583931ceaa3f0bf19785ee3" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pirate Storm.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"17dd240efdb0c50e8a5015de26b6d100f1b1072c" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Menu.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe /OPEN"menu" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Godfather.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"923d0f1d35897f6a6a73ba838623cda94c4ab689" -> Found
[PUP.Gen1][Folder] C:\Users\Pat\AppData\Roaming\Yahoo!\Companion -> Found
[Tr.Kovter][File] C:\Users\Pat\AppData\Local\bcae17\143b65.lnk [[email protected]] C:\Users\Pat\AppData\Local\bcae17\bb6366.bat -> Found
[Tr.Kovter][File] C:\Users\Pat\AppData\Local\bcae17\b28a81.d1225ac -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Toshiba Start.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\pokki.exe  /OPENb52b7a05ea010d22183cece45cbb6e86cf917a76 -> Found
[PUP.Gen1][Folder] C:\ProgramData\Yahoo! Companion -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Digital Coupon Printer -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\HiDefMedia -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Yahoo!\Companion -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dragons of Atlantis.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"cfada041afdc4a11092a096cac66ab6a0945d92b" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Edgeworld.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"2e9d53cc2b402b6e65aa9551308ca17a19c4721a" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Goodgame Empire.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"149b46d4a102c0304583931ceaa3f0bf19785ee3" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pirate Storm.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"17dd240efdb0c50e8a5015de26b6d100f1b1072c" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Menu.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe /OPEN"menu" -> Found
[PUP.Pokki|PUP.Gen0|PUP.Gen1][File] C:\Users\Pat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Godfather.lnk [[email protected]] C:\Users\Pat\AppData\Local\Pokki\Engine\HostAppService.exe  /OPEN"923d0f1d35897f6a6a73ba838623cda94c4ab689" -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUP.Gen2][Firefox:Addon] ze71kmce.default-1464798093155 : Yahoo Toolbar and New Tab [{635abd67-4fe9-1b23-4f01-e679fa7484c1}] -> Found
[PUP.Gen2][Firefox:Addon] ze71kmce.default-1464798093155 : Search and New Tab by Yahoo [[email protected]] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA DT01ACA100 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1024 MB
1 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2099200 | Size: 260 MB
2 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2631680 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2893824 | Size: 939845 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1927696384 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1928617984 | Size: 350 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1929334784 | Size: 11811 MB
User = LL1 ... OK
User = LL2 ... OK

 

(I'm going to post this much so I don't lose it before I do the Process Explorer, because it took over 41 minutes to run the Rogue Killer scan)


  • 0

#7
pb204

pb204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

Process Explorer System Idle Process: 

 

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name    Verified Signer
ApplicationFrameHost.exe        4,272 K    86,616 K    2632    Application Frame Host    Microsoft Corporation    (Verified) Microsoft Windows
csrss.exe        1,220 K    3,560 K    520            
dllhost.exe        4,676 K    41,920 K    2552    COM Surrogate    Microsoft Corporation    (Verified) Microsoft Windows
HelpPane.exe        3,596 K    100,932 K    3032    Microsoft Help and Support    Microsoft Corporation    (Verified) Microsoft Windows
lsass.exe        4,360 K    31,908 K    728    Local Security Authority Process    Microsoft Corporation    (Verified) Microsoft Windows Publisher
MsMpEng.exe        81,928 K    39,980 K    1552            
notepad.exe        2,528 K    18,988 K    376    Notepad    Microsoft Corporation    (Verified) Microsoft Windows
notepad.exe        2,648 K    77,560 K    3352    Notepad    Microsoft Corporation    (Verified) Microsoft Windows
notepad.exe        2,612 K    77,532 K    3168    Notepad    Microsoft Corporation    (Verified) Microsoft Windows
procexp.exe        2,436 K    9,624 K    2288    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
RuntimeBroker.exe        6,148 K    83,236 K    2464    Runtime Broker    Microsoft Corporation    (Verified) Microsoft Windows
SearchUI.exe    Suspended    23,460 K    234,336 K    2360    Search and Cortana application    Microsoft Corporation    (Verified) Microsoft Windows
ShellExperienceHost.exe    Suspended    37,592 K    207,596 K    2244    Windows Shell Experience Host    Microsoft Corporation    (Verified) Microsoft Windows
sihost.exe        4,688 K    64,856 K    1972    Shell Infrastructure Host    Microsoft Corporation    (Verified) Microsoft Windows
smss.exe        364 K    1,184 K    412            
svchost.exe        1,096 K    21,856 K    1040    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,552 K    23,352 K    996    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        1,580 K    20,736 K    1724    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        10,420 K    44,860 K    1224    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        5,756 K    53,296 K    1536    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        8,076 K    32,256 K    84    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        3,484 K    27,756 K    1032    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        4,448 K    43,964 K    1100    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        13,464 K    86,388 K    480    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        3,460 K    21,820 K    892    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
svchost.exe        5,756 K    58,200 K    828    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
TabTip32.exe        1,180 K    19,708 K    2648    Touch Keyboard and Handwriting Panel Helper    Microsoft Corporation    (Verified) Microsoft Windows
wininit.exe        1,044 K    4,960 K    584            
winlogon.exe        1,984 K    27,096 K    656    Windows Logon Application    Microsoft Corporation    (Verified) Microsoft Windows
WmiPrvSE.exe        3,524 K    10,292 K    792    WMI Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
RogueKillerX64.exe    < 0.01    492,796 K    530,144 K    2732    Anti-malware remediation tool    Adlice Software    (Verified) Adlice
ctfmon.exe    < 0.01    2,132 K    36,548 K    2096    CTF Loader    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    < 0.01    7,220 K    41,808 K    1092    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows Publisher
services.exe    < 0.01    2,260 K    5,952 K    720            
TabTip.exe    < 0.01    2,476 K    73,752 K    1948    Touch Keyboard and Handwriting Panel    Microsoft Corporation    (Verified) Microsoft Windows
thunderbird.exe    < 0.01    152,832 K    300,612 K    3024    Thunderbird    Mozilla Corporation    (Verified) Mozilla Corporation
csrss.exe    0.01    1,752 K    5,864 K    596            
explorer.exe    0.03    44,064 K    269,340 K    1548    Windows Explorer    Microsoft Corporation    (Verified) Microsoft Windows
System    0.06    140 K    5,272 K    4            
FRST64.exe    0.07    24,540 K    118,328 K    4032    Farbar Recovery Scan Tool    Farbar    (No signature was present in the subject) Farbar
Interrupts    0.07    0 K    0 K    n/a    Hardware Interrupts and DPCs        
dwm.exe    0.38    60,392 K    164,092 K    76    Desktop Window Manager    Microsoft Corporation    (Verified) Microsoft Windows
firefox.exe    0.67    585,792 K    743,240 K    3376    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
procexp64.exe    1.12    37,708 K    58,372 K    1364    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
System Idle Process    97.57    0 K    4 K    0            

 

OK--What do I do next?


  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP

In Rogue Killer check these two 

 

[Tr.Kovter][File] C:\Users\Pat\AppData\Local\bcae17\143b65.lnk [[email protected]] C:\Users\Pat\AppData\Local\bcae17\bb6366.bat -> Found
[Tr.Kovter][File] C:\Users\Pat\AppData\Local\bcae17\b28a81.d1225ac -> Found

 

and let Rogue Killer remove them.

 

Are you still not able to go into regular mode?

 

See if you can get the free Avast to download and install:

 

 
Click on Download then choose the free version.
 
 
Download, Save, and right click and Run As Administrator.
 
Once it installs (reboot may be required - decline any optional offers and please stick with the free non demo version) and updates then have it do a boot-time scan.
 
 
 It takes like 6 hours so I usually let it run at night.
 
 
Click on the Avast ball.  Then click on Protection, then on Antivirus, then on Other Scans then on Boot-time Scan.  Click on Install Special Definitions.  Click on Run on Next PC Reboot.
 
  Reboot and let it run a scan.  It may take hours.
Once it finishes it should load windows.   Mute your speakers so it doesn't wake you up when Windows boots.
 
When you reboot you will see the scan start.  It will tell you where it saves its log.  Usually it's C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location.   This is a hidden location so you will need to tell Windows to let you see it:
 
 
Copy and paste the text from the log to a Reply when done.
 

 


  • 0

#9
pb204

pb204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

I went back into Rogue Killer (still logged in in Safe Mode) and checked the 2 items above (Actually, there were several items pre-checked and I unchecked all but the 2 you listed) and had RK delete them.

 

Then I restarted and tried to go back into Normal Mode. Still not able to get into email or internet.  I went back into Safe Mode and downloaded and installed Avast and restarted the computer and tried both normal mode and safe mode. In Normal Mode Win Patrol indicated that Avast had disabled Windows Defender. Avast wouldn't open whether I tried as administrator or just open in either normal or safe mode, so I thought the install wasn't complete because each time I got a popup alert that " UI Failed to Load- AV Service Not Responding" with buttons to select exit or Restart Service. Restart Service did no good, so I went back into Safe Mode and downloaded Avast again and I got the same popup alert as before. 


Edited by pb204, 28 March 2017 - 03:49 PM.

  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP

Any anti-virus should disable Windows Defender.  You don't want two running.

 

See if you can do this:

 

Open an elevated command prompt:
 
 
 
If you open an elevated command prompt it will by default open in c:\Windows\system32
 
Once you have an elevated command prompt:
 
Type(with an Enter after each line):
 DISM  /Online  /Cleanup-Image  /RestoreHealth
 
 (I use two spaces so you can be sure to see where one space goes.)
This will take a while to complete.  Once the prompt returns:
 
Reboot.  Open an elevated Command Prompt again and type (with an Enter after the line):
 
sfc  /scannow

 

 

 
 
 
This will also take a few minutes.  
 
When it finishes it will say one of the following:
 
Windows did not find any integrity violations (a good thing)
Windows Resource Protection found corrupt files and repaired them (a good thing)
Windows Resource Protection found corrupt files but was unable to fix some (or all) of them (not a good thing)
 
If you get the last result then type:
 
findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \junk.txt 

 

 

 
Hit Enter.  Then type::
 
notepad  \junk.txt 
 
Hit Enter. 
 
 Copy the text from notepad and paste it into a reply.
 
 
After you finish SFC, regardless of the result:
 
 
 
1. Please download the Event Viewer Tool by Vino Rosso
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

  • 0

Advertisements


#11
pb204

pb204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

I am currently running the Avast start up scan that you instructed me to do in the next to last message. I am sending this message from another computer.  I had completely shut down the problem computer last night (Yesterday, I was doing restarts between actions). When I logged on this morning in normal mode, I got a message from Win Patrol asking me to accept the new Avast program.  I never got that message yesterday when I restarted. When I accepted, I was able to open Avast and follow your instructions. It has been running the start up with the "getting Windows ready" message since about 10 am.  When I get you the message logs from the Avast scan, should I proceed with your next instructions, or wait till you review the Avast log?

 

Thanks again  


  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP

You can go ahead with the other instructions.  


  • 0

#13
pb204

pb204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

The Avast scan switched to a black screen showing  what it was scanning.  The last thing I noticed was that it was at 7% and there was a corrupted Adobe Reader temp file.  Now it is on the password login screen and my wifi keyboard and mouse are inoperative and the touchscreen keyboard doesn't come up on the screen if I turn off the mouse, so I can't log on.  Is something wrong or is this part of the scan process?  Should I try to power down or wait?  It is a little over 3 hours since I started the scan.


  • 0

#14
pb204

pb204

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts

Now there is a series of dots in the password block.  So does this mean Avast is doing something, or did I accidently put something in the block when I tried to operate the keyboard?


  • 0

#15
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP

The scan can take 6 hours or more which is why I let it run at night.  When the scan has control you can't do anything else with the PC since Windows hasn't completely loaded.  I never tried to do anything while it was running so can't tell you but if it stops looking at files for very long then it's time to force a shutdown.


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP