
"Norton has detected suspicious amount of outbound traffic"

7K views 32 replies 5 participants last post by  kevinf80 
#1 ·
Hey all! So every once in a while I get this pop up:

So I run NPE and the results are always the same.... "Nothing found". After about the 5th time of this happening, I decided to go into the firewall settings to see if I can find anything. I found that a LOT of programs/apps had inbound and outbound access. I went through and blocked everything I was positive didn't need internet access, and everything else I changed to "Inbound only". This seemed to work for a while, then I got another pop up. I went back into firewall settings, and the programs I switched to "Inbound only" now have an "In/Out" rule listed below the "Inbound only" rule and both boxes in front are checked. Anyone have any ideas or suggestions? Are these 2 separate issues? Or are they related? Thanks.

My O/S is Windows 8. I have both Malwarebytes and SUPERantispyware on my machine, and run one or the other every night and both come up empty. (SAS comes up with cookies but that's it. Nothing major.)
 

#3 ·
These are the programs that currently have In/Out access:
Adobe Flash Player 21.0 r0
Auto Update Implementation
Firefox
Host Process For Windows Services
Live Updater
Malwarebytes
SUPERantispyware
System
Web Helper
Windows Host Process(Rundll32)
Windows SQM Consolidator
 
#7 ·
In my initial post I stated that there were originally a lot of programs that had I/O access. I then said that I went through and changed all of the rules to either "Blocked", or "In only".
Right now, the list below are the only programs that have I/O access:
Adobe Flash Player 21.0 r0
Auto Update Implementation
Firefox
Host Process For Windows Services
Live Updater
Malwarebytes
SUPERantispyware
System
Web Helper
Windows Host Process(Rundll32)
Windows SQM Consolidator
 
#13 ·
Cool. Thanks. Wasn't sure how things worked when a post was moved from one forum to another. Thought maybe the person that was helping me before would follow this.

And since I forgot to include it before:
Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 8, 64 bit
Processor: AMD E1-1500 APU with Radeon(tm) HD Graphics, AMD64 Family 20 Model 2 Stepping 0
Processor Count: 2
RAM: 7897 Mb
Graphics Card: AMD Radeon HD 7310 Graphics, 256 Mb
Hard Drives: C: Total - 459743 MB, Free - 349061 MB;
Motherboard: Gateway, SX2110G
Antivirus: Norton Internet Security, Updated and Enabled
 
#14 ·
Hello ........ and welcome to TSG,

My screen name is kevinf80, I'm here to help check your system. Continue as follows please:

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach both logs to your reply.

Let me see those logs in your reply...

Thank you,

Kevin...
 
#15 ·
Hey Kevin! Thanks for taking on my problem. Hopefully it doesn't prove to be too much of a pain.
Here are the files you requested:

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/01/2016 03:03:32 PM in x64 mode.
Windows Version: Windows 8

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\Joel\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe (PID: 2908) [UP-HEUR]
* C:\Users\Joel\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe (PID: 2940) [UP-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 05/01/2016 03:04:50 PM
Execution time: 0 hours(s), 1 minute(s), and 18 seconds(s)

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:01-05-2016
Ran by Joel (administrator) on LIONSDEN (01-05-2016 15:07:38)
Running from C:\Temp
Loaded Profiles: Joel (Available Profiles: Joel & Administrator)
Platform: Windows 8 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Nero AG) C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
() C:\Program Files (x86)\NTI\NTI Backup Now EZ 4\ScheduleService.exe
(Acer Incorporated) C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
(BitTorrent Inc.) C:\Users\Joel\AppData\Roaming\uTorrent\uTorrent.exe
(Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
(Acer Incorporated) C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\nis.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\nis.exe
() C:\Program Files\OpenVPN\bin\openvpn-gui.exe
(The OpenVPN Project) C:\Program Files\OpenVPN\bin\openvpn.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_213.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_213.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12921488 2012-07-02] (Realtek Semiconductor)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-09] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642216 2012-11-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2994880 2012-08-15] (Symantec Corporation)
HKLM-x32\...\Run: [APSDaemon] => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
HKLM-x32\...\Run: [BackupNowEZ4Tray] => C:\Program Files (x86)\NTI\NTI Backup Now EZ 4\Bunez4Tray.exe [1093832 2014-11-06] (NTI Corporation)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1282120 2013-05-02] (CANON INC.)
ShellIconOverlayIdentifiers: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Internet Security\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Internet Security\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Internet Security\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{8930B784-7FDD-4061-9F32-C8629723DE96}: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{B5B6E80B-A4BF-4B04-90ED-573BA531BD03}: [DhcpNameServer] 75.75.76.76 75.75.75.75

Internet Explorer:
==================
HKU\S-1-5-21-2730430174-1467852721-39410326-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com
SearchScopes: HKLM -> DefaultScope {E520406F-F294-4792-BB07-C014BCF66373} URL =
SearchScopes: HKLM -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKLM-x32 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2730430174-1467852721-39410326-1001 -> DefaultScope {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2730430174-1467852721-39410326-1001 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2015-02-23] (CANON INC.)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2015-02-23] (CANON INC.)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\IPS\IPSBHO.DLL => No File
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
Toolbar: HKU\S-1-5-21-2730430174-1467852721-39410326-1001 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Joel\AppData\Roaming\Mozilla\Firefox\Profiles\2s60xj4o.default
FF Homepage: hxxps://www.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-08] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-08] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Extension: Flash Video Downloader - YouTube HD Download [4K] - C:\Users\Joel\AppData\Roaming\Mozilla\Firefox\Profiles\2s60xj4o.default\extensions\artur.dubovoy@gmail.com [2016-04-02]
FF Extension: Adblock Plus - C:\Users\Joel\AppData\Roaming\Mozilla\Firefox\Profiles\2s60xj4o.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-28]
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.2.15\coFFAddon
FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.2.15\coFFAddon [2016-03-18]
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_22.5.2.15\coFFAddon

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-16]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-16]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2015-10-16] (SUPERAntiSpyware.com)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2451456 2012-07-13] (Realsil Microelectronics Inc.) [File not signed]
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140456 2012-03-27] ()
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\NIS.exe [289080 2016-02-26] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-15] (Symantec Corporation)
R2 NTI Backup Now EZ 4 Scheduler; C:\Program Files (x86)\NTI\NTI Backup Now EZ 4\ScheduleService.exe [95432 2014-11-06] ()
S3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [38200 2015-08-04] (The OpenVPN Project)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16056 2015-07-06] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [96768 2012-11-06] (Advanced Micro Devices)
R3 BHDrvx64; C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.2.15\Definitions\BASHDefs\20160418.001\BHDrvx64.sys [1766640 2016-03-09] (Symantec Corporation)
R1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
R3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1606000.08E\ccSetx64.sys [173808 2015-07-10] (Symantec Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3265256 2012-09-20] (Broadcom Corporation)
R3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2015-11-18] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [157520 2015-11-18] (Symantec Corporation)
R3 IDSVia64; C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.2.15\Definitions\IPSDefs\20160429.016\IDSvia64.sys [767224 2016-02-13] (Symantec Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.2.15\Definitions\VirusDefs\20160501.001\ENG64.SYS [138488 2015-10-27] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.2.15\Definitions\VirusDefs\20160501.001\EX64.SYS [2148080 2015-10-27] (Symantec Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SRTSP; C:\Windows\System32\Drivers\NISx64\1606000.08E\SRTSP64.SYS [928504 2016-02-23] (Symantec Corporation)
R3 SRTSPX; C:\Windows\system32\drivers\NISx64\1606000.08E\SRTSPX64.SYS [50936 2015-07-10] (Symantec Corporation)
R3 SymEFASI; C:\Windows\system32\drivers\NISx64\1606000.08E\SYMEFASI64.SYS [1621232 2016-02-23] (Symantec Corporation)
S0 SymELAM; C:\Windows\System32\drivers\NISx64\1606000.08E\SymELAM.sys [24192 2015-07-10] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-10-02] (Symantec Corporation)
R3 SymIRON; C:\Windows\system32\drivers\NISx64\1606000.08E\Ironx64.SYS [295664 2016-02-23] (Symantec Corporation)
R3 SymNetS; C:\Windows\System32\Drivers\NISx64\1606000.08E\SYMNETS.SYS [577768 2016-02-23] (Symantec Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-06] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [281944 2015-07-06] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-01 15:07 - 2016-05-01 15:07 - 00000000 ____D C:\FRST
2016-05-01 15:03 - 2016-05-01 15:04 - 00002562 _____ C:\Users\Joel\Desktop\Rkill.txt
2016-04-30 23:07 - 2016-05-01 12:19 - 00000000 ____D C:\Users\Joel\AppData\LocalLow\uTorrent

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-01 15:07 - 2015-09-26 00:25 - 00000000 ____D C:\Users\Joel\AppData\Roaming\uTorrent
2016-05-01 15:07 - 2013-11-14 21:34 - 00000000 ____D C:\Temp
2016-05-01 12:25 - 2012-07-26 03:28 - 00848230 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-05-01 12:25 - 2012-07-26 01:37 - 00000000 ____D C:\WINDOWS\Inf
2016-05-01 12:18 - 2012-07-26 03:22 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-05-01 12:18 - 2012-07-26 01:26 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-04-30 22:44 - 2012-07-26 01:26 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2016-04-30 18:25 - 2015-09-26 07:39 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-04-30 17:50 - 2015-09-25 19:38 - 00000000 ____D C:\Users\Joel\AppData\Roaming\vlc
2016-04-30 17:25 - 2015-10-06 14:27 - 00005632 _____ C:\Users\Joel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-04-27 23:52 - 2015-11-26 16:02 - 00000000 ____D C:\Program Files (x86)\Steam
2016-04-27 23:44 - 2015-09-25 19:49 - 00000000 ____D C:\Users\Joel\AppData\Local\CrashDumps
2016-04-27 20:07 - 2015-11-26 17:28 - 00000000 ____D C:\Users\Joel\AppData\Local\NPE
2016-04-27 18:28 - 2015-10-16 14:01 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-04-23 23:06 - 2014-12-28 17:31 - 00000000 ____D C:\RippedCD's
2016-04-23 13:47 - 2012-07-26 04:12 - 00000000 ____D C:\WINDOWS\system32\FxsTmp
2016-04-23 13:40 - 2016-02-02 15:43 - 00000000 ____D C:\ProgramData\CanonIJPLM
2016-04-12 13:01 - 2015-09-25 18:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-11 17:34 - 2015-10-15 19:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-09 19:08 - 2015-11-07 15:04 - 00000000 ____D C:\Users\Joel\AppData\Roaming\Audacity
2016-04-07 00:24 - 2015-09-26 07:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware

==================== Files in the root of some directories =======

2015-10-06 14:27 - 2016-04-30 17:25 - 0005632 _____ () C:\Users\Joel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-04-24 05:18

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version:01-05-2016
Ran by Joel (2016-05-01 15:08:53)
Running from C:\Temp
Windows 8 (X64) (2015-09-25 21:40:38)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2730430174-1467852721-39410326-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-2730430174-1467852721-39410326-501 - Limited - Disabled)
Joel (S-1-5-21-2730430174-1467852721-39410326-1001 - Administrator - Enabled) => C:\Users\Joel

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton Internet Security (Enabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Enabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Norton Internet Security (Enabled) {6BFC5632-188D-B806-D13E-C607121B42A0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-2730430174-1467852721-39410326-1001\...\uTorrent) (Version: 3.4.6.42094 - BitTorrent Inc.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20060 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.213 - Adobe Systems Incorporated)
Advertising Center (x32 Version: 0.0.0.2 - Nero AG) Hidden
AMD Catalyst Install Manager (HKLM\...\{E3A51D8F-668B-4D7B-8CF5-99D00F89A4A5}) (Version: 8.0.903.0 - Advanced Micro Devices, Inc.)
Apple Application Support (64-bit) (HKLM\...\{CBF12D2F-CF64-4CB7-858B-2C1F21068E5F}) (Version: 4.1.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Camtasia Studio 8 (HKLM-x32\...\{BFA04EE0-8240-4667-8D53-45496A901C33}) (Version: 8.1.2.1327 - TechSmith Corporation)
Canon Easy-WebPrint EX (HKLM-x32\...\Easy-WebPrint EX) (Version: 1.6.0.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: - Canon Inc.)
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version: 4.0.0 - Canon Inc.)
Canon MG2500 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG2500_series) (Version: 1.00 - Canon Inc.)
Canon MG2500 series On-screen Manual (HKLM-x32\...\Canon MG2500 series On-screen Manual) (Version: 7.6.1 - Canon Inc.)
Canon MG2500 series User Registration (HKLM-x32\...\Canon MG2500 series User Registration) (Version: - Canon Inc.)
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 2.0.1 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 2.0.0 - Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.1.0 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.2.1 - Canon Inc.)
DTS+AC3 Filter (HKLM-x32\...\DtsFilter) (Version: - )
FFmpeg (Windows) for Audacity version 2.2.2 (HKLM-x32\...\{9C7E31E3-017F-434C-AC40-24431A354A1E}_is1) (Version: 2.2.2 - )
File Shredder 2.5 (HKLM\...\File Shredder_is1) (Version: - Pow Tools)
Gateway Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.3012 - Gateway Incorporated)
Gateway Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.3016 - Gateway Incorporated)
GOM Player (HKLM-x32\...\GOM Player) (Version: 2.2.74.5237 - Gretech Corporation)
Hotkey Utility (HKLM-x32\...\{A6DC88AD-501A-44BC-884D-57435F972E2C}) (Version: 3.00.3004 - Gateway Incorporated)
Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.3004 - Gateway Incorporated)
ImagXpress (x32 Version: 7.0.74.0 - Nero AG) Hidden
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.32 - Irfan Skiljan)
iTunes (HKLM\...\{0D44E3A4-6C3D-45D7-B443-079509E5BE5D}) (Version: 12.3.2.35 - Apple Inc.)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version: - )
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.3007 - Gateway Incorporated)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Menu Templates - Starter Kit (x32 Version: 9.6.0.0 - Nero AG) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 45.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 45.0.2 (x86 en-US)) (Version: 45.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.2.5941 - Mozilla)
Nero 9 Essentials (HKLM-x32\...\{466721eb-0623-4e46-87cb-42fa77b7e7ec}) (Version: - Nero AG)
Norton Internet Security (HKLM-x32\...\NIS) (Version: 22.6.0.142 - Symantec Corporation)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.2.3.51r2 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.1.0.14 - Symantec Corporation) Hidden
NTI Backup Now EZ 4 (HKLM-x32\...\InstallShield_{249E38A7-26F9-4C82-A95B-CDA5184A54CF}) (Version: 4.0.2.52 - NTI Corporation)
NTI Backup Now EZ 4 (x32 Version: 4.0.2.52 - NTI Corporation) Hidden
OpenVPN 2.3.8-I601 (HKLM\...\OpenVPN) (Version: 2.3.8-I601 - )
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.3.730.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6680 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.2.8400.30137 - Realtek Semiconductor Corp.)
Skyrim Creation Kit (HKLM-x32\...\Steam App 202480) (Version: - bgs.bethsoft.com)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.7.1026 - SUPERAntiSpyware.com)
TAP-Windows 9.21.1 (HKLM\...\TAP-Windows) (Version: 9.21.1 - )
The Elder Scrolls V: Skyrim (HKLM-x32\...\Steam App 72850) (Version: - Bethesda Game Studios)
VirtualDub AIO 1.0.0.9 Beta (HKLM\...\{64072CE7-24BF-42D6-80C4-52469E1B531E}_is1) (Version: 1.0.0.9 - Wicked Gift)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
VuePrint (HKLM-x32\...\VuePrint) (Version: - )
WinRAR 5.01 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {4515B119-080E-4028-A18A-9C3BCA0675DF} - System32\Tasks\Power Management => C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe [2013-01-18] (Acer Incorporated)
Task: {5A1750FF-10B1-4D67-9A8D-6C0589736E41} - System32\Tasks\ALUAgent => C:\Program Files (x86)\Gateway\Live Updater\liveupdater_agent.exe [2013-01-22] ()
Task: {6DD97FDA-5ADC-471C-9C81-8094AF1149E5} - System32\Tasks\Hotkey Utility => C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe [2012-09-20] (Acer Incorporated)
Task: {A45666DE-DBAD-4955-9D58-40DFB899130B} - System32\Tasks\ALU => C:\Program Files (x86)\Gateway\Live Updater\updater.exe [2013-01-22] ()
Task: {A88AE856-7367-413A-9642-3E32F37730B0} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\WSCStub.exe [2016-02-26] (Symantec Corporation)
Task: {C04AD02D-C7C2-4BFA-9376-EFE73D79D6F4} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\SymErr.exe [2016-02-10] (Symantec Corporation)
Task: {C0D879E9-ED3D-4205-A96F-2CDC2C0A97ED} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\22.6.0.142\SymErr.exe [2016-02-10] (Symantec Corporation)
Task: {CD4FD734-A69F-4CB1-8557-E8EFA15BCB71} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-14] (Adobe Systems Incorporated)
Task: {E7B95659-A712-43A9-A917-3C1207A13DA3} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Internet Security\Upgrade.exe [2016-02-26] (Symantec Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-10-13 06:45 - 2015-10-13 06:45 - 00085800 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-10-13 06:45 - 2015-10-13 06:45 - 01328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2016-02-02 15:44 - 2012-03-27 23:49 - 00140456 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2014-11-06 18:12 - 2014-11-06 18:12 - 00095432 _____ () C:\Program Files (x86)\NTI\NTI Backup Now EZ 4\ScheduleService.exe
2015-08-04 09:14 - 2015-08-04 09:14 - 00424760 _____ () C:\Program Files\OpenVPN\bin\openvpn-gui.exe
2015-08-04 09:14 - 2015-08-04 09:14 - 00224856 _____ () C:\Program Files\OpenVPN\bin\liblzo2-2.dll
2015-08-04 09:14 - 2015-08-04 09:14 - 00122960 _____ () C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dll
2014-11-06 18:12 - 2014-11-06 18:12 - 00065736 _____ () C:\Program Files (x86)\NTI\NTI Backup Now EZ 4\XMLParser.dll
2014-11-06 18:12 - 2014-11-06 18:12 - 00053448 _____ () C:\Program Files (x86)\NTI\NTI Backup Now EZ 4\SendMsgCallbackDll.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 01:26 - 2012-07-26 01:26 - 00000824 ____N C:\WINDOWS\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2730430174-1467852721-39410326-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Joel\Desktop\grey-wolf_565_600x450.jpg
DNS Servers: 8.8.8.8 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run: => "RTHDVCPL"
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Norton Online Backup"
HKLM\...\StartupApproved\Run32: => "APSDaemon"
HKLM\...\StartupApproved\Run32: => "BackupNowEZ4Tray"
HKLM\...\StartupApproved\Run32: => "CanonQuickMenu"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{21657737-7550-4D18-A010-37E57182D31B}] => (Allow) C:\Program Files (x86)\Acer Remote\ArcServer.exe
FirewallRules: [{D745E1F9-C59D-4B88-8DCE-644A5A48A039}] => (Allow) C:\Program Files (x86)\Acer Remote\ArcServer.exe
FirewallRules: [{240F5C17-E7FC-495D-B1BE-91B4866E0917}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{9A15F0A1-3194-4869-953C-B97442D47F84}] => (Allow) C:\Program Files (x86)\Spotify\spotify.exe
FirewallRules: [{312EBF72-76C9-40EF-AB2D-88EC2FFE0342}] => (Allow) C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
FirewallRules: [{F2885502-68B4-4202-AC00-67B92B0D7CE5}] => (Allow) C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
FirewallRules: [{74C8EAB9-8669-4264-A9E7-3308B79F9BD0}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{012D9689-2E15-414A-8926-D86DEB625DB4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{C2255A46-FC29-4990-8A57-ADDB390486BF}] => (Allow) C:\Users\Joel\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{858B40C7-785A-4502-A624-9AD5D5B4E200}] => (Allow) C:\Users\Joel\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{21B6E3A9-2D75-48BB-BF76-63EF3A247197}] => (Allow) C:\Users\Joel\AppData\Local\Chromium\Application\chrome.exe
FirewallRules: [{A6F67C36-DDF3-414C-B6B1-275912657214}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{854AF740-5B54-4D03-B01A-9A1BC849A857}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{5458C5E6-F545-4883-8626-BBF43C33BACB}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{0E81EBF2-1234-4174-9F41-1DF45AECC31E}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{328C1826-E16E-477A-8EBC-CA77E13B0161}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{EAA983E2-3D2B-4506-81D1-044D39104326}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{E38D3A39-BBDB-4ECF-860C-DBF98395903C}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{D581B09B-254D-4220-BFA0-ECA6D9284ED7}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{AE00173B-E59C-4BA3-B1FB-89E0A7930534}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{3F2301F4-2913-42FE-B658-A8E38A9E83B5}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [TCP Query User{5DFED10D-988C-4EC2-B7D3-F7F8F5E1EE78}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Allow) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [UDP Query User{11706C34-DECA-4FE3-AFE0-E2B8B31E862E}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Allow) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [{9D6EF76E-3C1D-45C7-9B26-4BCD7D22CDC3}] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [{C623E46D-4ED9-4B86-9BC8-C97FE471E653}] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [{55C65BFD-7EAA-4DFF-929B-1D71F897879B}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{BA014310-B55B-446B-870F-4F72CB8A2BB8}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Skyrim\SkyrimLauncher.exe
FirewallRules: [{F718BCD5-930C-40A3-8256-015CD4B657AE}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Skyrim\SkyrimLauncher.exe
FirewallRules: [{3BC0CBD8-B482-45B2-B551-DAEDD583FE91}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Skyrim\CreationKit.exe
FirewallRules: [{BF76D767-104C-4A80-BD5B-D7527EB7616B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Skyrim\CreationKit.exe

==================== Restore Points =========================

10-04-2016 08:26:18 Scheduled Checkpoint
18-04-2016 03:02:12 Scheduled Checkpoint
19-04-2016 17:28:34 Removed Apple Application Support (32-bit)
27-04-2016 03:02:58 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (04/27/2016 11:44:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TESV.exe, version: 1.9.32.0, time stamp: 0x51437ce5
Faulting module name: TESV.exe, version: 1.9.32.0, time stamp: 0x51437ce5
Exception code: 0x40000015
Fault offset: 0x00376ae2
Faulting process id: 0xfcc
Faulting application start time: 0xTESV.exe0
Faulting application path: TESV.exe1
Faulting module path: TESV.exe2
Report Id: TESV.exe3
Faulting package full name: TESV.exe4
Faulting package-relative application ID: TESV.exe5

Error: (04/26/2016 09:54:40 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program GOM.EXE version 2.2.74.5237 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: d60

Start Time: 01d1a027b51e1fc8

Termination Time: 47

Application Path: C:\Program Files (x86)\GRETECH\GomPlayer\GOM.EXE

Report Id: fcb1d67a-0c1a-11e6-8048-7427eab7e0e5

Faulting package full name:

Faulting package-relative application ID:

Error: (04/24/2016 02:02:04 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TESV.exe, version: 1.9.32.0, time stamp: 0x51437ce5
Faulting module name: TESV.exe, version: 1.9.32.0, time stamp: 0x51437ce5
Exception code: 0x40000015
Fault offset: 0x00376ae2
Faulting process id: 0x828
Faulting application start time: 0xTESV.exe0
Faulting application path: TESV.exe1
Faulting module path: TESV.exe2
Report Id: TESV.exe3
Faulting package full name: TESV.exe4
Faulting package-relative application ID: TESV.exe5

Error: (04/23/2016 12:44:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TESV.exe, version: 1.9.32.0, time stamp: 0x51437ce5
Faulting module name: TESV.exe, version: 1.9.32.0, time stamp: 0x51437ce5
Exception code: 0x40000015
Fault offset: 0x00376ae2
Faulting process id: 0x86c
Faulting application start time: 0xTESV.exe0
Faulting application path: TESV.exe1
Faulting module path: TESV.exe2
Report Id: TESV.exe3
Faulting package full name: TESV.exe4
Faulting package-relative application ID: TESV.exe5

Error: (04/21/2016 10:31:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 45.0.2.5941, time stamp: 0x57071d64
Faulting module name: mozglue.dll, version: 45.0.2.5941, time stamp: 0x57070ebc
Exception code: 0x80000003
Fault offset: 0x0000ec22
Faulting process id: 0x884
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Faulting package full name: plugin-container.exe4
Faulting package-relative application ID: plugin-container.exe5

Error: (04/21/2016 08:37:07 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (04/17/2016 05:08:29 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program GOM.EXE version 2.2.74.5237 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 59c

Start Time: 01d198ed445c008e

Termination Time: 16

Application Path: C:\Program Files (x86)\GRETECH\GomPlayer\GOM.EXE

Report Id: 866e7e48-04e0-11e6-8037-7427eab7e0e5

Faulting package full name:

Faulting package-relative application ID:

Error: (04/17/2016 05:08:12 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program GOM.EXE version 2.2.74.5237 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 430

Start Time: 01d198ed2fccc9dc

Termination Time: 31

Application Path: C:\Program Files (x86)\GRETECH\GomPlayer\GOM.EXE

Report Id: 7b32e7a2-04e0-11e6-8037-7427eab7e0e5

Faulting package full name:

Faulting package-relative application ID:

Error: (04/10/2016 06:47:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 45.0.1.5918, time stamp: 0x56e8b7df
Faulting module name: mozglue.dll, version: 45.0.1.5918, time stamp: 0x56e8a981
Exception code: 0x80000003
Fault offset: 0x0000f0ea
Faulting process id: 0xc50
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Faulting package full name: plugin-container.exe4
Faulting package-relative application ID: plugin-container.exe5

Error: (04/10/2016 04:06:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 45.0.1.5918, time stamp: 0x56e8b7df
Faulting module name: mozglue.dll, version: 45.0.1.5918, time stamp: 0x56e8a981
Exception code: 0x80000003
Fault offset: 0x0000f0ea
Faulting process id: 0x1068
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Faulting package full name: plugin-container.exe4
Faulting package-relative application ID: plugin-container.exe5

System errors:
=============
Error: (04/05/2016 01:58:45 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 1:57:16 AM on ‎4/‎5/‎2016 was unexpected.

Error: (03/31/2016 08:45:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Steam Client Service service failed to start due to the following error:
%%1053

Error: (03/31/2016 08:45:31 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

Error: (03/30/2016 11:51:34 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 11:50:47 PM on ‎3/‎30/‎2016 was unexpected.

Error: (03/29/2016 01:30:46 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Steam Client Service service failed to start due to the following error:
%%1053

Error: (03/29/2016 01:30:46 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

Error: (03/20/2016 11:33:03 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 11:32:11 PM on ‎3/‎20/‎2016 was unexpected.

Error: (03/20/2016 01:36:22 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 1:35:47 AM on ‎3/‎20/‎2016 was unexpected.

Error: (03/19/2016 11:17:46 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 11:16:57 PM on ‎3/‎19/‎2016 was unexpected.

Error: (03/16/2016 08:42:16 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070005: Security Update for Windows 8 for x64-based Systems (KB2920189).

==================== Memory info ===========================

Processor: AMD E1-1500 APU with Radeon(tm) HD Graphics
Percentage of memory in use: 22%
Total physical RAM: 7897.81 MB
Available physical RAM: 6116.84 MB
Total Virtual: 9113.81 MB
Available Virtual: 7303.37 MB

==================== Drives ================================

Drive c: (Gateway) (Fixed) (Total:448.97 GB) (Free:340.5 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 5CBDF615)

Partition: GPT.

==================== End of Addition.txt ============================
 
#19 ·
I did not see the file in your logs; I did note it in an earlier reply you made.... It is not listed in any of the images you posted...

Open FRST again; in the text field adjacent to "Search", type or copy/paste AutoUpdate.exe, then select the "Search files" tab...
Post the produced log...
 
#20 ·
Farbar Recovery Scan Tool (x64) Version:01-05-2016
Ran by Joel (2016-05-01 16:26:33)
Running from C:\Temp
Boot Mode: Normal

================== Search Files: "AutoUpdate.exe" =============

C:\Windows\WinSxS\amd64_microsoft-windows-notificationui_31bf3856ad364e35_6.2.9200.21408_none_49094ba8dd306711\AutoUpdate.exe
[2015-09-30 08:03][2015-10-08 03:19] 0021207 ____A () 4410E558B6D41E28BD97DA46E2B2CCE9 [File not signed]

C:\Windows\WinSxS\amd64_microsoft-windows-notificationui_31bf3856ad364e35_6.2.9200.17291_none_48175ba5c4621438\AutoUpdate.exe
[2015-09-30 08:03][2015-03-04 03:26] 0596480 ____A (Microsoft Corporation) 2BDB9601134B01AD8704019132DA5A55 [File is digitally signed]

C:\Windows\System32\AutoUpdate.exe
[2015-09-30 08:03][2015-03-04 03:26] 0596480 ____A (Microsoft Corporation) 2BDB9601134B01AD8704019132DA5A55 [File is digitally signed]

====== End of Search ======
 
#21 ·
As expected, the file is clean; the MD5 info confirms that. It is a system file and is installed to the correct folder... I do not see any obvious malware or infection in the FRST logs...

Run the following scans to recheck your system.....

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

Next,

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Next,

Go here: http://cdn10.zemana.com/AntiMalware/2.20.1.539/Zemana.AntiMalware.Setup.exe, download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....

Right click on Zemana Antimalware and select "Run as Administrator"

From the GUI select "Settings"



In the new window select 1. Updates; when complete, select 2. Real Time Protection.



In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine", and then 2. select the home icon.



In the new window select "Scan"



When the scan completes, check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR; for all other entries choose QUARANTINE, then select the "Next" tab.

The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)



On that screen select and highlight the scan details line, then select "Open Report"



Copy and paste that log to your reply...

post those logs to your reply....

Thanks,

Kevin
 
#24 ·
# AdwCleaner v5.115 - Logfile created 01/05/2016 at 17:34:45
# Updated 01/05/2016 by Xplode
# Database : 2016-05-01.2 [Server]
# Operating system : Windows 8 (X64)
# Username : Joel - LIONSDEN
# Running from : C:\Temp\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\yahooprovidedsearch
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
[-] Data Restored : HKU\S-1-5-21-2730430174-1467852721-39410326-1001\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]

***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1304 bytes] - [01/05/2016 17:34:45]
C:\AdwCleaner\AdwCleaner[S1].txt - [1657 bytes] - [01/05/2016 17:32:12]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1450 bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 8 x64
Ran by Joel (Administrator) on Sun 05/01/2016 at 17:43:18.69
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 0

Registry: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 05/01/2016 at 17:45:29.88
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Zemana AntiMalware 2.20.1.613 (Installed)

-------------------------------------------------------
Scan Result : Completed
Scan Date : 2016/5/1
Operating System : Windows 8 64-bit
Processor : 2X AMD E1-1500 APU with Radeon(tm) HD Graphics
BIOS Mode : UEFI
CUID : 0055D8E6BF0E1B457E10B0
Scan Type : Smart Scan
Duration : 3m 4s
Scanned Objects : 9607
Detected Objects : 0
Excluded Objects : 0
Read Level : SCSI
Auto Upload : ON
Detect All Extensions : OFF
Scan Documents : OFF
Domain Info : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

There are no detected objects
 
#25 ·
Up to now we are not finding any malware or infection that may be responsible for the outbound activity... Can you block the following Firewall entries and see if the issue ceases...

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{C2255A46-FC29-4990-8A57-ADDB390486BF}] => (Allow) C:\Users\Joel\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{858B40C7-785A-4502-A624-9AD5D5B4E200}] => (Allow) C:\Users\Joel\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{A6F67C36-DDF3-414C-B6B1-275912657214}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{854AF740-5B54-4D03-B01A-9A1BC849A857}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{5458C5E6-F545-4883-8626-BBF43C33BACB}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{0E81EBF2-1234-4174-9F41-1DF45AECC31E}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{55C65BFD-7EAA-4DFF-929B-1D71F897879B}] => (Allow) C:\Program Files\iTunes\iTunes.exe

Thank you,

Kevin..
 
#26 ·
According to my Norton firewall settings (Norton is currently my active firewall), both iTunes and Bonjour are already blocked. I changed the settings for uTorrent.
So I'm not really sure how I'm supposed to know if this helps at all. I mean, don't these programs have to be running (not just loaded) on my computer in order for them to try and access the internet? I only actually use these programs once in a while, and as far as I can remember none of them were open any time I got that pop-up from Norton about suspicious outbound activity. Again, not trying to be difficult here. Just trying to understand.
 
#27 ·
The problem is we are looking for a reason for an issue reported by your security software, Norton. It then tells you to run a stand-alone program supplied by Norton, NPE. NPE then finds nothing wrong, so we wait for the merry-go-round to run again...
As NIS reports what is basically a failing by itself, it then fails to find a reason for the issue with another program supplied by Norton....
Maybe the answer is to remove NIS and install Kaspersky on a 30 day trial, and see if the issue clears..
I've asked you to run the usual analysing scans to look for a possible reason; we also come up blank on the malware front. Looking at the Firewall settings in the FRST log does not really help; they only show the option as "allowed", which does not really confirm whether that is inbound or outbound...

Run one more in-depth scan, see if we have missed something obvious....

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.
If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.

To perform the scan:

  • Select "Enable detection of potentially unwanted applications"
  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under "Enable Stealth Technology" select "Change" and select any extra drives in that window.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.

Don't forget to re-enable security software!

Thank you,

Kevin...
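Post #27 notes that the FirewallRules section of the FRST log shows only (Allow) or (Block) for each rule, with no direction. As an added example (not code from the thread, from FRST, or from Norton), the following PowerShell snippet lists the Windows Firewall rules for the programs and the LPort=139 rule named in post #25 together with each rule's direction, action and enabled state. It assumes Windows 8 or later (the built-in NetSecurity module) and an elevated prompt; the program paths and the rule name are copied from the FRST log above.

```powershell
# Added example, not from the thread or from FRST. Requires Windows 8 or later
# (NetSecurity module, Get-NetFirewallRule) and an elevated PowerShell prompt.
# Queries the Windows Firewall only: Norton's Smart Firewall keeps its own rule
# set, which these cmdlets do not see.

# Program paths and the port rule name, copied from the FRST log in this thread.
$programs = @(
    'C:\Users\Joel\AppData\Roaming\uTorrent\uTorrent.exe',
    'C:\Program Files\Bonjour\mDNSResponder.exe',
    'C:\Program Files (x86)\Bonjour\mDNSResponder.exe',
    'C:\Program Files\iTunes\iTunes.exe'
)
$portRuleName = 'vm-monitoring-nb-session'

# FRST prints only (Allow)/(Block) per rule. The direction is a property of the
# rule object; the program path sits on the rule's application filter.
# Rules that store the path with an environment variable such as %ProgramFiles%
# would not match the literal paths above and are left out of this listing.
$appRules = foreach ($rule in Get-NetFirewallRule) {
    $filter = $rule | Get-NetFirewallApplicationFilter
    if ($filter.Program -and ($programs -contains $filter.Program)) {
        [pscustomobject]@{
            Name      = $rule.Name
            Program   = $filter.Program
            Direction = $rule.Direction   # Inbound or Outbound
            Action    = $rule.Action      # Allow or Block
            Enabled   = $rule.Enabled
            Profile   = $rule.Profile
        }
    }
}
$appRules | Sort-Object Program, Direction | Format-Table -AutoSize

# The LPort=139 entry is a port rule (NetBIOS session service), not a program
# rule, so its port and protocol live on the port filter instead.
$portRule = Get-NetFirewallRule -Name $portRuleName -ErrorAction SilentlyContinue
if ($portRule) {
    $pf = $portRule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name      = $portRule.Name
        Direction = $portRule.Direction
        Action    = $portRule.Action
        Enabled   = $portRule.Enabled
        Protocol  = $pf.Protocol
        LocalPort = $pf.LocalPort
    } | Format-List
}

# To carry out the block requested in post #25 for the outbound program rules
# found above, change each rule's action in place (uncomment to apply):
# $appRules | Where-Object Direction -eq 'Outbound' |
#     ForEach-Object { Set-NetFirewallRule -Name $_.Name -Action Block }
```

Running the listing before and after the change gives a record of which rules were altered, which the Norton pop-up alone does not provide.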
 