When I start Malwrebytes I get an error

[Docfxit]

When I try to start Malwarebytes I get this error:

http://

I have tried uninstalling Malwarebytes.  Re-Installing Malwarebytes.

I have tried running the clean program after uninstalling.

I have tried rebooting.

I have downloaded the latest version of Farbar and run the scan.

Please let me know what I should do to get Malwarebytes running.

Thank you,

Docfxit

Addition.txt

FRST.txt

[Valinorum]

Hi ,

My name is Valinorum and I will be the acolyte today. Before we proceed, please, acknowledge yourself the following(s):

• Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
• Please do not install any new software while we are working on this system as it may hinder our process.
• Malware removal is a complicated process and so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
• Please do not try to fix anything without being asked.
• Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
• Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from the internet and you will not always be able to access this thread.
• Back up your data. I will not knowingly suggest you any course that might damage your system but sometimes Malware infections are so severe that only option we have is to re-format and re-install the operating system.
• If you are confused about any instruction, stop and ask. Do not keep on going.
• Do not repeat the steps if you face any problems.
• I am not an omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect the skill. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient as sometimes real life demands our time and replies to you can be delayed.
• Private Message(PM) if and only if I have not responded to your thread within three days or your query is offtopic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
• The fixes are for your system only. Please refrain from using these fixes on another system as it may do serious damage.
  

---

• Step #1 Run Malwarebytes' Anti-Rootkit
  Please download Malwarebytes Anti-Rootkit from here and extract the content to your Desktop.
  
  • Update the program if asked.
  • In the Scan System option check all the boxes and click on Scan.
  • Click on Cleanup button after the scan and wait patiently. Reboot the computer if asked.
  • After the clean-up process; locate two logs in the mbar folder namely--
    
    • mbar-log-scan-date.txt; and
    • system-log.txt
  • Copy and paste the contents of the log in your next reply.

[Docfxit]

Thank you for working on this for me.

After extracting the files and before running the program I received this window:

I will think I should press Yes.

Docfxit

[Docfxit]

I have finished running Malwarebytes Anti-Rootkit

Thank you,

Docfxit

mbar-log-2017-08-20 (08-57-23).txt

system-log.txt

[Valinorum]

Hi,

There are many software installed in your PC which are used to malware searching or software development. Do you work in this side? Also, did you rename FRST.exe?

Did you configure the following proxy setting?

FF NetworkProxy: Mozilla\Firefox\Profiles\5zpin98r.default -> autoconfig_url", "socks=127.0.0.1:1080"

FF NetworkProxy: Mozilla\Firefox\Profiles\5zpin98r.default -> gopher", "socks=127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\5zpin98r.default -> gopher_port", 1080
FF NetworkProxy: Mozilla\Firefox\Profiles\5zpin98r.default -> socks", "127.0.0.1"
FF NetworkProxy: Mozilla\Firefox\Profiles\5zpin98r.default -> socks_port", 1080
FF NetworkProxy: Mozilla\Firefox\Profiles\5zpin98r.default -> socks_remote_dns", true
FF NetworkProxy: Mozilla\Firefox\Profiles\5zpin98r.default -> type", 2

Did you opt for Google Chrome Developer build?
Please uninstall the following: 

Absolute Uninstaller 5.3.1.21
Glary Undelete 5.0.1.19
Glary Utilities 5.78

• Step #2 Fix with FRST
  Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
  •  
  • Open Notepad.exe. Do not use any other text editor software;
  • Copy and Paste the contents inside the code-box to your Notepad --
    

    Start
    CreateRestorePoint:
    CloseProcesses:
    EmptyTemp:
    Task: {0F8819C8-DC74-4D67-9F53-777A4E1380D8} - no filepath
    Task: {5D6BBC01-6619-49D2-80D6-998D6952A414} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {6CA9EE9A-FD38-45AA-8A94-E846FA67B524} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
    Task: {7945F2D3-3918-4A58-9B34-31613AFBC751} - \SUPERAntiSpyware Scheduled Task d31f9943-67c0-4568-92b4-e0316d2af779 -> No File <==== ATTENTION
    Task: {A4D032EE-573D-4AD3-807A-E1ED85E0828D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {AE64F66A-19BF-4D69-9D37-7952C3016A89} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {CB47F2F0-E2B4-4073-A8D2-B969B1B45C7F} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {D39CB961-4CE9-47DE-B5F3-F94584A94861} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {DAC366E5-3FE0-4B02-9447-61B81050558F} - \SUPERAntiSpyware Scheduled Task 90aecc41-908d-4fd1-b8d7-cf0950464a61 -> No File <==== ATTENTION
    Shortcut: C:\Users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ??pl?r?r.lnk -> C:\Program Files\Internet Explorer\iexplore.bat (No File)
    Shortcut: C:\Users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Int?rn?t ??pl?r?r (N? ?dd-?ns).lnk -> C:\Program Files\Internet Explorer\iexplore.bat (No File)
    GroupPolicy: Restriction ? <==== ATTENTION
    GroupPolicyScripts: Restriction <==== ATTENTION
    Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
    Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
    SearchScopes: HKU\S-1-5-21-33363916-3624155930-1669969999-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}
    SearchScopes: HKU\S-1-5-21-33363916-3624155930-1669969999-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}
    S2 Axence nVision; "C:\Programs\nVision\nVision.exe" /startedbyscm:095BC718-40E30993-NTServerService [X] <==== ATTENTION
    S2 Axence nVision Agent 2; "C:\Program Files\Axence\nVision Agent 2\nVisionA.exe" /startedbyscm:3C6AEED3-40E36551-AgentNTService [X] <==== ATTENTION
    S3 AxDBSrvr; C:\Programs\nVision\AxDBSrvr.exe [X]
    S2 AXDBSRVRA; C:\Program Files\Axence\nVision Agent 2\AxDBSrvrA.exe [X]
    File: C:\Windows\System32\nvwmi.exe
    End

  • Click on File > Save as...
    
    • Inside the File Name box type fixlist.txt;
    • From the Save as type drop down list, choose All Files
  • Save the file to your Desktop;
  • Re-run FRST.exe and click Fix;
    
    • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
  • After the completion, a log will be produced;
  • Copy and Paste the contents of the log in your next reply.

---

• Step #3 Fix with AdwCleaner
  
  • Download AdwCleaner to your Desktop from the following link.
    
    • Download Link
  • Right-click on AdwCleaner.exe and choose Run as administrator;
  • Click on Tools>Option and put a tick mark as shown in the image below;
    
  • Click on Scan and let the program run unhindered;
  • When done, click on Clean and allow the system to reboot after it is done;
  • A log will be opened automatically after the restart. If not, it is located in C:\AdwCleaner\AdwCleaner[CX].txt, where X is replaced with a number;
  • Copy and Paste the contents of this log in your reply.

---

• Step #4 ESET Online Scanner
  Disable your security programs which includes but not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information. 
  
  • Download esetsmartinstaller_enu.exe by clicking here.
  • Right-click on the program and choose Run as administrator.
  • Accept their terms and condition and proceed.
  • Install Add-On/Active X if prompted.
  • From the Computer Scan Setting check the following box --
    
    • Enable detection for potentially unwanted programs
  • Click on Advanced Setting --
    
    • Check the box beside Remove Found Threats;
    • Check the box beside Scan archives
    • Check the box beside Scan for potentially unsafe applications
    • Check the box beside Enable Anti-Stealth Technology
  • Click on Start and wait for the virus signature database to update.
  • The online scan will begin automatically and can take several hours.
    
    • Note: Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
  • After the Scan finishes --
    
    • If no threats were found:
      
      • Put a checkmark in Uninstall application on close.
      • Close the program and report that nothing was found
    • If threats were found:
      
      • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
      • Copy and Paste contents of the log file in your next reply.
  
  Note: Enable your security programs afterwards.

---

[Docfxit]

I do have a lot of programs installed.  I do support a lot of people.

I did not rename FRST.exe

I did configure socks=127.0.0.1 port 1080.  I'm not using it right now.  I use when I go to a public hotspot to SSH into my work desktop.  The work desktop re-routs me out to the internet securely.

I did not opt for Google Chrome Developer build.  I don't like Chrome and I don't want it on this PC.  Where did you find it?

I have Uninstalled:

Absolute Uninstaller 5.3.1.21
Glary Undelete 5.0.1.19
Glary Utilities 5.78

I have followed your instructions for Step #2  Log attached.

I have followed your instructions for Step #3  Log attached.

I have followed your instructions for Step #4  Log attached.

Thank you very much for helping me clean this computer.

Docfxit

FRST.txt

AdwCleaner[C0].txt

log.txt

[Valinorum]

Uninstall Google Chome from your PC then. There should be a Fixlog.txt on your Desktop. Please, attach it along with a fresh set of FRST scan logs for my perusal. 

[Docfxit]

A few days ago I tried uninstalling Google Chrome when you asked it I had installed the developers edition.  I have looked to find it.  I don't see it in Programs and Features to uninstall.  I have done a search for chrome.*, Google.*.  I have have run the chrome_cleanup_tool.exe and found nothing.  Please let me know where it is so I can remove it.

I don't see a Fixlog.txt  any place on my PC. 

I have run FRST with the scan option.  Attached are the logs.

Thank you,

Docfxit

FRST.txt

Addition.txt

[Docfxit]

I found in the registry the following entries.  I have removed them.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CNS\]
"IgnoreGoogleChrome"="False"

[HKEY_CURRENT_USER\Software\Google\Chrome\]

[HKEY_CURRENT_USER\Software\Google\Chrome\\Extensions]

[HKEY_CURRENT_USER\Software\Google\Chrome\\NativeMessagingHosts]

[HKEY_CURRENT_USER\Software\Google\Chrome\\NativeMessagingHosts\com.webex.meeting]
@="C:\\Users\\Gary\\AppData\\Local\\WebEx\\ChromeNativeHost\\manifest.json"

[HKEY_CURRENT_USER\Software\Google\Chrome\\TriggeredReset]
"ToolName"="Microsoft Windows Malicious Software Removal Tool - May 2017  "
"Timestamp"=hex(B):C0,DE,59,BC,67,D7,D2,01

[HKEY_CURRENT_USER\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}\]
"ap"="-dev-multi-chrome"

[HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\]
"ap"="2.0-dev-multi-chrome"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IEDevTools\Options\UAString\]
"Chrome"="Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\]

[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Shockwave 12\3rdptycode\DeclineCount\Chrome\]
"count"="12"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\]

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\\Extensions\ccahoghmggldkcdjiebjkidpfongdfbl]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\\Extensions\cifnddnffldieaamihfkhkdgnbhfmaci]
"version"="8.1.0.1"
"path"="C:\\PROGRAMS\\FOXIT SOFTWARE\\Foxit PhantomPDF\\plugins\\Creator\\ChromeAddin\\ChromeAddin.crx"
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\\Extensions\efaidnbmnnnibpcajpcglclefindmkaj]
"path"="C:\\Programs\\Adobe\\Acrobat 11.0\\Acrobat\\Browser\\WCChromeExtn\\WCChromeExtn.crx"
"update_url"="https://clients2.google.com/service/update2/crx"
"version"="11.0.6.70"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\\Extensions\gannpgaobkkhmpomoijebaigcapoeebl]
"update_url"="https://clients2.google.com/service/update2/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\\NativeMessagingHosts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\\NativeMessagingHosts\com.adobe.acrobat.chrome_webcapture]
@="C:\\Programs\\Adobe\\Acrobat 11.0\\Acrobat\\Browser\\WCChromeExtn\\manifest.json"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\\NativeMessagingHosts\com.bitdefender.wallet.v19]
@="C:\\Programs\\Bitdefender\\Bitdefender 2017\\bdwtxcr.json"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\\NativeMessagingHosts\com.foxit.chromeaddin]
@="C:\\PROGRAMS\\FOXIT SOFTWARE\\Foxit PhantomPDF\\plugins\\Creator\\ChromeAddin\\com.foxit.chromeaddin-win.json"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\No Chrome Offer Until\]
"Irfan Skiljan"=dword:013377BB
"Hewlett-Packard Development Company, LP"=dword:0133C839
"Piriform Ltd"=dword:0133C968
"SUPERAntiSpyware"=dword:0133EC8C

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP LaserJet M603 PCL6 #1\DsDriver\]
"printBinNames"=hex(7):20,00,41,00,75,00,74,00,6F,00,6D,00,61,00,74,00,69,00,63,00,61,00,6C,00,6C,00,79,00,20,00,53,00,65,00,6C,00,65,00,63,00,74,00,00,00,20,00,50,00,72,00,69,00,6E,00,74,00,65,00,72,00,20,00,61,00,75,00,74,00,6F,00,20,00,73,00,65,00,6C,00,65,00,63,00,74,00,00,00,20,00,4D,00,61,00,6E,00,75,00,61,00,6C,00,20,00,46,00,65,00,65,00,64,00,20,00,69,00,6E,00,20,00,54,00,72,00,61,00,79,00,20,00,31,00,00,00,20,00,54,00,72,00,61,00,79,00,20,00,31,00,00,00,20,00,54,00,72,00,61,00,79,00,20,00,32,00,00,00,20,00,45,00,6E,00,76,00,65,00,6C,00,6F,00,70,00,65,00,20,00,46,00,65,00,65,00,64,00,65,00,72,00,00,00,55,00,6E,00,73,00,70,00,65,00,63,00,69,00,66,00,69,00,65,00,64,00,00,00,50,00,6C,00,61,00,69,00,6E,00,00,00,50,00,72,00,65,00,70,00,72,00,69,00,6E,00,74,00,65,00,64,00,00,00,4C,00,65,00,74,00,74,00,65,00,72,00,68,00,65,00,61,00,64,00,00,00,4D,00,6F,00,6E,00,6F,00,63,00,68,00,72,00,6F,00,6D,00,65,00,20,00,4C,00,61,00,73,00,65,00,72,00,20,00,54,00,72,00,61,00,6E,00,73,00,70,00,00,00,50,00,72,00,65,00,70,00,75,00,6E,00,63,00,68,00,65,00,64,00,00,00,4C,00,61,00,62,00,65,00,6C,00,73,00,00,00,42,00,6F,00,6E,00,64,00,00,00,52,00,65,00,63,00,79,00,63,00,6C,00,65,00,64,00,00,00,43,00,6F,00,6C,00,6F,00,72,00,65,00,64,00,00,00,4C,00,69,00,67,00,68,00,74,00,20,00,36,00,30,00,2D,00,37,00,34,00,67,00,00,00,43,00,61,00,72,00,64,00,73,00,74,00,6F,00,63,00,6B,00,20,00,31,00,37,00,36,00,2D,00,32,00,32,00,30,00,67,00,00,00,52,00,6F,00,75,00,67,00,68,00,00,00,48,00,50,00,20,00,45,00,63,00,6F,00,53,00,4D,00,41,00,52,00,54,00,20,00,4C,00,69,00,74,00,65,00,00,00,52,00,65,00,74,00,61,00,69,00,6C,00,20,00,53,00,68,00,65,00,6C,00,66,00,20,00,45,00,64,00,67,00,65,00,20,00,4C,00,61,00,62,00,65,00,6C,00,00,00,45,00,6E,00,76,00,65,00,6C,00,6F,00,70,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP LaserJet M603 PCL6 #2\DsDriver\]
"printBinNames"=hex(7):20,00,41,00,75,00,74,00,6F,00,6D,00,61,00,74,00,69,00,63,00,61,00,6C,00,6C,00,79,00,20,00,53,00,65,00,6C,00,65,00,63,00,74,00,00,00,20,00,50,00,72,00,69,00,6E,00,74,00,65,00,72,00,20,00,61,00,75,00,74,00,6F,00,20,00,73,00,65,00,6C,00,65,00,63,00,74,00,00,00,20,00,4D,00,61,00,6E,00,75,00,61,00,6C,00,20,00,46,00,65,00,65,00,64,00,20,00,69,00,6E,00,20,00,54,00,72,00,61,00,79,00,20,00,31,00,00,00,20,00,54,00,72,00,61,00,79,00,20,00,31,00,00,00,20,00,54,00,72,00,61,00,79,00,20,00,32,00,00,00,20,00,45,00,6E,00,76,00,65,00,6C,00,6F,00,70,00,65,00,20,00,46,00,65,00,65,00,64,00,65,00,72,00,00,00,55,00,6E,00,73,00,70,00,65,00,63,00,69,00,66,00,69,00,65,00,64,00,00,00,50,00,6C,00,61,00,69,00,6E,00,00,00,50,00,72,00,65,00,70,00,72,00,69,00,6E,00,74,00,65,00,64,00,00,00,4C,00,65,00,74,00,74,00,65,00,72,00,68,00,65,00,61,00,64,00,00,00,4D,00,6F,00,6E,00,6F,00,63,00,68,00,72,00,6F,00,6D,00,65,00,20,00,4C,00,61,00,73,00,65,00,72,00,20,00,54,00,72,00,61,00,6E,00,73,00,70,00,00,00,50,00,72,00,65,00,70,00,75,00,6E,00,63,00,68,00,65,00,64,00,00,00,4C,00,61,00,62,00,65,00,6C,00,73,00,00,00,42,00,6F,00,6E,00,64,00,00,00,52,00,65,00,63,00,79,00,63,00,6C,00,65,00,64,00,00,00,43,00,6F,00,6C,00,6F,00,72,00,65,00,64,00,00,00,4C,00,69,00,67,00,68,00,74,00,20,00,36,00,30,00,2D,00,37,00,34,00,67,00,00,00,43,00,61,00,72,00,64,00,73,00,74,00,6F,00,63,00,6B,00,20,00,31,00,37,00,36,00,2D,00,32,00,32,00,30,00,67,00,00,00,52,00,6F,00,75,00,67,00,68,00,00,00,48,00,50,00,20,00,45,00,63,00,6F,00,53,00,4D,00,41,00,52,00,54,00,20,00,4C,00,69,00,74,00,65,00,00,00,52,00,65,00,74,00,61,00,69,00,6C,00,20,00,53,00,68,00,65,00,6C,00,66,00,20,00,45,00,64,00,67,00,65,00,20,00,4C,00,61,00,62,00,65,00,6C,00,00,00,45,00,6E,00,76,00,65,00,6C,00,6F,00,70,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP LaserJet M603 PCL6 #3\DsDriver\]
"printBinNames"=hex(7):20,00,41,00,75,00,74,00,6F,00,6D,00,61,00,74,00,69,00,63,00,61,00,6C,00,6C,00,79,00,20,00,53,00,65,00,6C,00,65,00,63,00,74,00,00,00,20,00,50,00,72,00,69,00,6E,00,74,00,65,00,72,00,20,00,61,00,75,00,74,00,6F,00,20,00,73,00,65,00,6C,00,65,00,63,00,74,00,00,00,20,00,4D,00,61,00,6E,00,75,00,61,00,6C,00,20,00,46,00,65,00,65,00,64,00,20,00,69,00,6E,00,20,00,54,00,72,00,61,00,79,00,20,00,31,00,00,00,20,00,54,00,72,00,61,00,79,00,20,00,31,00,00,00,20,00,54,00,72,00,61,00,79,00,20,00,32,00,00,00,20,00,45,00,6E,00,76,00,65,00,6C,00,6F,00,70,00,65,00,20,00,46,00,65,00,65,00,64,00,65,00,72,00,00,00,55,00,6E,00,73,00,70,00,65,00,63,00,69,00,66,00,69,00,65,00,64,00,00,00,50,00,6C,00,61,00,69,00,6E,00,00,00,50,00,72,00,65,00,70,00,72,00,69,00,6E,00,74,00,65,00,64,00,00,00,4C,00,65,00,74,00,74,00,65,00,72,00,68,00,65,00,61,00,64,00,00,00,4D,00,6F,00,6E,00,6F,00,63,00,68,00,72,00,6F,00,6D,00,65,00,20,00,4C,00,61,00,73,00,65,00,72,00,20,00,54,00,72,00,61,00,6E,00,73,00,70,00,00,00,50,00,72,00,65,00,70,00,75,00,6E,00,63,00,68,00,65,00,64,00,00,00,4C,00,61,00,62,00,65,00,6C,00,73,00,00,00,42,00,6F,00,6E,00,64,00,00,00,52,00,65,00,63,00,79,00,63,00,6C,00,65,00,64,00,00,00,43,00,6F,00,6C,00,6F,00,72,00,65,00,64,00,00,00,4C,00,69,00,67,00,68,00,74,00,20,00,36,00,30,00,2D,00,37,00,34,00,67,00,00,00,43,00,61,00,72,00,64,00,73,00,74,00,6F,00,63,00,6B,00,20,00,31,00,37,00,36,00,2D,00,32,00,32,00,30,00,67,00,00,00,52,00,6F,00,75,00,67,00,68,00,00,00,48,00,50,00,20,00,45,00,63,00,6F,00,53,00,4D,00,41,00,52,00,54,00,20,00,4C,00,69,00,74,00,65,00,00,00,52,00,65,00,74,00,61,00,69,00,6C,00,20,00,53,00,68,00,65,00,6C,00,66,00,20,00,45,00,64,00,67,00,65,00,20,00,4C,00,61,00,62,00,65,00,6C,00,00,00,45,00,6E,00,76,00,65,00,6C,00,6F,00,70,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1EA1613833271DD4F9B087368A178752\]
"68AB67CA3301FFFF7706000000000060"="C:\\Programs\\Adobe\\Acrobat 11.0\\Acrobat\\Browser\\WCChromeExtn\\WCChromeExtn.crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1EA1613833271DD4F9B087368A178752\68AB67CA3301FFFF7706000000000060\]
"File"="wcchromeextn.crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1FC30C985A00E31439F18CED70F7C4D2\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\CadetBlue\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1FC30C985A00E31439F18CED70F7C4D2\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\CadetBlue\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3067F926ED9912F4391E40C69F477209\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Lime\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3067F926ED9912F4391E40C69F477209\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Lime\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\33B533CFD632FF7428FB3891655FA451\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Yellow\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\33B533CFD632FF7428FB3891655FA451\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Yellow\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\343D50647180F14459BFC76A6122977B\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Orange\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\343D50647180F14459BFC76A6122977B\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Orange\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\37DD4111200875F4B8756F5ABD40035E\]
"AB9798B344027E11BAF100C092297F90"="C:\\PROGRAMS\\FOXIT SOFTWARE\\Foxit PhantomPDF\\plugins\\Creator\\ChromeAddin\\com.foxit.chromeaddin-win.json"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3CCE4EA4F9F732646AD2A1AA3B087648\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Coral\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3CCE4EA4F9F732646AD2A1AA3B087648\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Coral\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\52A21DC39D4797E4E972C8D885C9B231\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\LtGreen\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\52A21DC39D4797E4E972C8D885C9B231\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\LtGreen\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\578936055B216AE4DAFA7DC3EA79B34D\]
"AB9798B344027E11BAF100C092297F90"="02:\\SOFTWARE\\Google\\Chrome\\Extensions\\cifnddnffldieaamihfkhkdgnbhfmaci\\version"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5AFCC90E834E09C45A8DFAB7E2FF5193\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Turquoise\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5AFCC90E834E09C45A8DFAB7E2FF5193\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Turquoise\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\61251F5CF4248F4489B1B7E0C5220BC4\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Green\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\61251F5CF4248F4489B1B7E0C5220BC4\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Green\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\645A167E628A75642BA766D2E84567A8\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Violet\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\645A167E628A75642BA766D2E84567A8\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Violet\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7A39D73AC12816D47B7EBD74A5067E96\]
"68AB67CA3301FFFF7706000000000060"="C:\\Programs\\Adobe\\Acrobat 11.0\\Acrobat\\Browser\\WCFirefoxExtn\\chrome\\WCFirefoxExtn.jar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7F4B94CEDBF699E5C90BC62EAD98988B\]
"3E6B44056D19765469E3842D283A1A78"="C:\\Program Files\\HP\\HP Officejet Pro 8620\\Bin\\HPGoogleChromeLauncher.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8934E9945CB43D94C9EC887EC3C55EA9\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Blue\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8934E9945CB43D94C9EC887EC3C55EA9\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Blue\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8C7377BE780A4884B870276E2535E0D2\]
"AB9798B344027E11BAF100C092297F90"="C:\\PROGRAMS\\FOXIT SOFTWARE\\Foxit PhantomPDF\\plugins\\Creator\\ChromeAddin\\ChromeAddin.crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ADF62504436AD264FA2F306EA479E133\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Fuschia\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ADF62504436AD264FA2F306EA479E133\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Fuschia\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CA5E0F0678B149145A46218F4B8D793F\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\DarkGray\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CA5E0F0678B149145A46218F4B8D793F\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\DarkGray\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CC014E78EBBAA174094E0E7324C9590D\]
"68AB67CA3301FFFF7706000000000060"="C:\\Programs\\Adobe\\Acrobat 11.0\\Acrobat\\Browser\\WCChromeExtn\\WCChromeNativeMessagingHost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CC014E78EBBAA174094E0E7324C9590D\68AB67CA3301FFFF7706000000000060\]
"File"="wcchromenativemessaginghost."

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D640AB7A350A0A2458874CE283D9E054\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Purple\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D640AB7A350A0A2458874CE283D9E054\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Purple\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED6E53275F6B9934F87DF1325224B8AD\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\BlueSteel\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED6E53275F6B9934F87DF1325224B8AD\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\BlueSteel\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FDC4E4D879034D34A9E3F22C9A93B8EF\]
"DA4014246CEBD144DA9E6F66F2EE4AAB"="C:\\Programs\\Intuit\\QuickBooks 2014\\Components\\Skin\\nirvana\\Chrome\\Red\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FDC4E4D879034D34A9E3F22C9A93B8EF\]
"1F10E25BE43D18345B0982FD3F0C6B74"="C:\\Programs\\QuickBooks 2017\\Components\\Skin\\nirvana\\Chrome\\Red\\frameBottom.png"

[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPEnh\OSD\TouchPad\AppProfiles\Google Chrome\]
"AppExe"="chrome.exe"
"AppFriendlyName"="Google Chrome"

[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPEnh\PlugInConfig\TouchPad\AppProfiles\Google Chrome\]

[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPEnh\PlugInConfig\TouchPad\AppProfiles\Google Chrome\\3FingerGestures]
"ConfigID7KeyMacroV001"="ConfigID7KeyMacroBin"
"ConfigID3KeyMacroV001"="ConfigID3KeyMacroBin"
"ConfigID7KeyMacroBin"=hex(3):01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,09,04,09,04,00,00,00,00,09,04,00,00,00,00,00,00,01,00,00,00,00,00,00,00,12,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,01,00,38,20,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,25,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,01,00,4B,21,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,25,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,4B,E1,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,12,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,38,C0,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ConfigID3KeyMacroBin"=hex(3):01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,09,04,09,04,00,00,00,00,09,04,00,00,00,00,00,00,01,00,00,00,00,00,00,00,12,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,01,00,38,20,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,27,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,01,00,4D,21,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,27,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,4D,E1,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,12,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,38,C0,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPEnh\WindowsDatabase\Chrome_RenderWidgetHostHWND\]

[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTPEnh\WindowsDatabase\Chrome_RenderWidgetHostHWND\\Win8]
"iFlags"=dword:20081002

[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\Defaults\AppProfiles\Google Chrome\]

[HKEY_LOCAL_MACHINE\SOFTWARE\Synaptics\SynTP\Defaults\AppProfiles\Google Chrome\\3FingerGestures]
"ActionID1"=dword:0000001C
"ActionID3"=dword:0000001C
"ActionID5"=dword:0000001C
"ActionID7"=dword:0000001C

[HKEY_USERS\.DEFAULT\Software\Google\Chrome\]

[HKEY_USERS\.DEFAULT\Software\Google\Chrome\\TriggeredReset]
"ToolName"="Microsoft Windows Malicious Software Removal Tool - May 2017  "
"Timestamp"=hex(B):A6,DB,8B,BC,67,D7,D2,01

[HKEY_USERS\S-1-5-19\Software\Google\Chrome\]

[HKEY_USERS\S-1-5-19\Software\Google\Chrome\\TriggeredReset]
"ToolName"="Microsoft Windows Malicious Software Removal Tool - May 2017  "
"Timestamp"=hex(B):20,40,5C,BC,67,D7,D2,01

[HKEY_USERS\S-1-5-20\Software\Google\Chrome\]

[HKEY_USERS\S-1-5-20\Software\Google\Chrome\\TriggeredReset]
"ToolName"="Microsoft Windows Malicious Software Removal Tool - May 2017  "
"Timestamp"=hex(B):20,40,5C,BC,67,D7,D2,01

[HKEY_USERS\S-1-5-21-33363916-3624155930-1669969999-1003\Software\Google\Chrome\]

[HKEY_USERS\S-1-5-21-33363916-3624155930-1669969999-1003\Software\Google\Chrome\\TriggeredReset]
"ToolName"="Microsoft Windows Malicious Software Removal Tool - May 2017  "
"Timestamp"=hex(B):85,B7,84,BC,67,D7,D2,01

[HKEY_USERS\S-1-5-21-33363916-3624155930-1669969999-1003\Software\TeamViewer\]
"Buddy_QuickPresExclusions"=hex(7):4E,00,65,00,76,00,65,00,72,00,77,00,69,00,6E,00,74,00,65,00,72,00,2E,00,65,00,78,00,65,00,00,00,63,00,68,00,72,00,6F,00,6D,00,65,00,2E,00,65,00,78,00,65,00,00,00,64,00,65,00,76,00,65,00,6E,00,76,00,2E,00,65,00,78,00,65,00,00,00,65,00,76,00,6F,00,6C,00,75,00,74,00,69,00,6F,00,6E,00,2E,00,65,00,78,00,65,00,00,00,6D,00,65,00,64,00,69,00,61,00,6D,00,6F,00,6E,00,6B,00,65,00,79,00,2E,00,65,00,78,00,65,00,00,00,6D,00,73,00,6E,00,6D,00,73,00,67,00,72,00,2E,00,65,00,78,00,65,00,00,00,6F,00,70,00,65,00,72,00,61,00,2E,00,65,00,78,00,65,00,00,00,70,00,73,00,72,00,2E,00,65,00,78,00,65,00,00,00,73,00,75,00,70,00,65,00,72,00,2E,00,65,00,78,00,65,00,00,00,76,00,73,00,77,00,69,00,6E,00,65,00,78,00,70,00,72,00,65,00,73,00,73,00,2E,00,65,00,78,00,65,00,00,00,76,00,77,00,64,00,65,00,78,00,70,00,72,00,65,00,73,00,73,00,2E,00,65,00,78,00,65,00,00,00,77,00,64,00,65,00,78,00,70,00,72,00,65,00,73,00,73,00,2E,00,65,00,78,00,65,00,00,00,77,00,6C,00,6D,00,61,00,69,00,6C,00,2E,00,65,00,78,00,65,00,00,00,77,00,6C,00,78,00,70,00,68,00,6F,00,74,00,6F,00,67,00,61,00,6C,00,6C,00,65,00,72,00,79,00,2E,00,65,00,78,00,65,00,00,00,00,00

[HKEY_USERS\S-1-5-21-33363916-3624155930-1669969999-1004\Software\Google\Chrome\]

[HKEY_USERS\S-1-5-21-33363916-3624155930-1669969999-1004\Software\Google\Chrome\\TriggeredReset]
"ToolName"="Microsoft Windows Malicious Software Removal Tool - May 2017  "
"Timestamp"=hex(B):E3,0D,74,BC,67,D7,D2,01

[HKEY_USERS\S-1-5-21-33363916-3624155930-1669969999-500\Software\Google\Chrome\]

[HKEY_USERS\S-1-5-21-33363916-3624155930-1669969999-500\Software\Google\Chrome\\TriggeredReset]
"ToolName"="Microsoft Windows Malicious Software Removal Tool - May 2017  "
"Timestamp"=hex(B):A2,C5,65,BC,67,D7,D2,01

[HKEY_USERS\S-1-5-21-33363916-3624155930-1669969999-500\Software\TeamViewer\]
"Buddy_QuickPresExclusions"=hex(7):4E,00,65,00,76,00,65,00,72,00,77,00,69,00,6E,00,74,00,65,00,72,00,2E,00,65,00,78,00,65,00,00,00,62,00,63,00,73,00,79,00,73,00,33,00,32,00,2E,00,65,00,78,00,65,00,00,00,63,00,61,00,64,00,76,00,61,00,6E,00,63,00,65,00,2E,00,65,00,78,00,65,00,00,00,63,00,68,00,72,00,6F,00,6D,00,65,00,2E,00,65,00,78,00,65,00,00,00,64,00,65,00,76,00,65,00,6E,00,76,00,2E,00,65,00,78,00,65,00,00,00,65,00,63,00,6C,00,69,00,70,00,73,00,65,00,2E,00,65,00,78,00,65,00,00,00,65,00,76,00,6F,00,6C,00,75,00,74,00,69,00,6F,00,6E,00,2E,00,65,00,78,00,65,00,00,00,6D,00,65,00,64,00,69,00,61,00,6D,00,6F,00,6E,00,6B,00,65,00,79,00,2E,00,65,00,78,00,65,00,00,00,6D,00,73,00,6E,00,6D,00,73,00,67,00,72,00,2E,00,65,00,78,00,65,00,00,00,6F,00,65,00,6D,00,2E,00,65,00,78,00,65,00,00,00,6F,00,70,00,65,00,72,00,61,00,2E,00,65,00,78,00,65,00,00,00,70,00,73,00,72,00,2E,00,65,00,78,00,65,00,00,00,73,00,75,00,70,00,65,00,72,00,2E,00,65,00,78,00,65,00,00,00,74,00,65,00,61,00,6D,00,76,00,69,00,65,00,77,00,65,00,72,00,2E,00,65,00,78,00,65,00,00,00,76,00,73,00,77,00,69,00,6E,00,65,00,78,00,70,00,72,00,65,00,73,00,73,00,2E,00,65,00,78,00,65,00,00,00,76,00,77,00,64,00,65,00,78,00,70,00,72,00,65,00,73,00,73,00,2E,00,65,00,78,00,65,00,00,00,77,00,64,00,65,00,78,00,70,00,72,00,65,00,73,00,73,00,2E,00,65,00,78,00,65,00,00,00,77,00,6C,00,6D,00,61,00,69,00,6C,00,2E,00,65,00,78,00,65,00,00,00,77,00,6C,00,78,00,70,00,68,00,6F,00,74,00,6F,00,67,00,61,00,6C,00,6C,00,65,00,72,00,79,00,2E,00,65,00,78,00,65,00,00,00,00,00

[HKEY_USERS\S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\Software\Google\Chrome\]

[HKEY_USERS\S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\Software\Google\Chrome\\TriggeredReset]
"ToolName"="Microsoft Windows Malicious Software Removal Tool - May 2017  "
"Timestamp"=hex(B):20,40,5C,BC,67,D7,D2,01

 

[Docfxit]

I found the following files related to Chrome.  I have removed them.

C:\Programs\Foxit Software\Foxit PhantomPDF\plugins\Creator\ChromeAddin\ChromeAddin.crx

C:\Programs\Foxit Software\Foxit PhantomPDF\plugins\Creator\ChromeAddin\com.foxit.chromeaddin-win.json

C:\Programs\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\manifest.json

C:\Programs\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx

C:\Programs\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

C:\Windows\Installer\$PatchCache$\Managed\68AB67CA3301FFFF7706000000000060\11.0.0\wcchromeextn.crx

C:\Windows\Installer\$PatchCache$\Managed\68AB67CA3301FFFF7706000000000060\11.0.0\wcchromenativemessaginghost

Docfxit

Edited August 25, 2017 by Docfxit

[Valinorum]

I asked because there was a few adware which used the Chrome Developer build for their intrusion. 

[Docfxit]

That's fine. 

What should I do now?

Docfxit

[Docfxit]

I ran FRST as you requested.  I have attached the results in post #8.  I'm waiting for the next instruction from you to get Malwarebytes working. 

Thank you,

Docfxit

[Valinorum]

• Step # Run Malwarebytes' Anti-Rootkit
  Please download Malwarebytes Anti-Rootkit from here and extract the content to your Desktop.
  
  • Update the program if asked.
  • In the Scan System option check all the boxes and click on Scan.
  • Click on Cleanup button after the scan and wait patiently. Reboot the computer if asked.
  • After the clean-up process; locate two logs in the mbar folder namely--
    
    • mbar-log-scan-date.txt; and
    • system-log.txt
  • Copy and paste the contents of the log in your next reply.

---

 
If you still get the error, try MBAM Clean and reinstall Malwarebytes Anti-Malware.

[Docfxit]

I ran Malwarebytes Anti-Rootkit. Log files attached.

I ran Clean mbam-clean-2.3.0.1001.exe.

I installed Malwarebytes mb3-setup-consumer-3.2.2.2018.exe

I'm getting an error when I start Malwarebytes:

 

Thanks for the help.

Docfxit

mbar-log-2017-09-01 (05-33-36).txt

system-log.txt

Edited September 1, 2017 by Docfxit

[Valinorum]

Can you perform a Clean Boot and check if you can install MBAM?

[Docfxit]

I have done a clean boot.  I am getting the same error when I install Malwarebytes.

Thanks for the help.

Docfxit

[Valinorum]

Hi, 

can you perform the Step 5 of the following thread: 

https://forums.malwarebytes.com/topic/190532-having-problems-using-malwarebytes-please-follow-these-steps/

Please, also attach a fresh set of FRST scan logs. 

[Docfxit]

Thank you for looking into this further.

Docfxit

FRST.txt

mb-check-results.zip

[Valinorum]

Hi Docfxit,

I need the Addition.txt  file as well. Please, re-run FRST and make sure to check the box beside Addition.txt. Attach the logs in your next reply.

[Docfxit]

Attached is the file.

Docfxit

Addition.txt

[Valinorum]

Hi,

Can you open a new user account with Admin Privilege and try to install MBAM there? 

 

[Docfxit]

I uninstalled MBAM from a new user with Total Uninstall.

After MBAM finished the Uninstall, Total Uninstall found and deleted the remaining items:

I ran MBAM clean.

I installed MBAM.  It installed and ran fine.

I logged off that user and logged into my normal user.  It ran fine.

That seemed to fix the problem. 

I have run the Uninstall procedure exactly as above in my normal user before and it didn't fix the problem.

Thank you very much for discovering the solution.

Docfxit

[Valinorum]

You are welcome.

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!