
I believe there's a RAT (Remote administration tool) and key-logger on my computer



shenb0t
2016-06-21, 11:34
To whom it may concern, I have reason to believe that my computer has been compromised with a RAT. I have had money stolen, steam items stolen and according to Steam support items that got traded were traded from my IP address, which confirmed the fact that I was compromised.

Would greatly appreciate any help. I also accidentally downloaded the Farbar recovery scan tool to downloads and did the log scan from there before I realized the "BEFORE You POST" thread specified not to. I'm not sure how much this affects your work here, but if it's too detrimental just let me know what I need to do and I'll try to correct it.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19-06-2016 01
Ran by Caleb (administrator) on CAZTOP (21-06-2016 18:03:39)
Running from C:\Users\Caleb\Downloads
Loaded Profiles: Caleb (Available Profiles: Caleb)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmService.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyCriticalService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyConfigTDPService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe
(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe
(Intel Corporation) C:\Windows\System32\DptfParticipantProcessorService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe
(ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Intel Corporation) C:\Windows\System32\DptfPolicyLpmServiceHelper.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(NetSupport Ltd) C:\Users\Caleb\Help\info.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Razer Cortex\main.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(The CefSharp Authors) C:\Program Files (x86)\Razer\Razer Cortex\Cef\CefSharp.BrowserSubprocess.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.10586.168_none_76587b40265ca57e\TiWorker.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [DptfPolicyLpmServiceHelper] => C:\WINDOWS\system32\DptfPolicyLpmServiceHelper.exe [114048 2013-10-18] (Intel Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2234144 2014-01-20] (NVIDIA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-07] (Apple Inc.)
HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3216032 2013-12-13] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\ASUSWSLoader.exe [63296 2013-08-16] ()
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [95192 2013-03-09] (CyberLink Corp.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [593216 2015-08-31] (Razer Inc.)
HKLM-x32\...\Run: [RazerCortex] => C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe [98256 2015-11-13] (Razer Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2850384 2016-06-18] (Valve Corporation)
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Spotify Web Helper] => C:\Users\Caleb\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1554032 2016-05-26] (Spotify Ltd)
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Spotify] => C:\Users\Caleb\AppData\Roaming\Spotify\Spotify.exe [6858864 2016-05-26] (Spotify Ltd)
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50615936 2016-01-18] (Skype Technologies S.A.)
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Update] => C:\Users\Caleb\Help\info.exe [30128 2008-10-14] (NetSupport Ltd)
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8698584 2016-04-16] (Piriform Ltd)
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-26] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-26] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-26] (ASUS Cloud Corporation.)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.42.129
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{22d3981b-573b-45a2-96a7-4cc00dbc2dc7}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{d33ed0f6-410c-4dc8-bc95-93037a63529c}: [DhcpNameServer] 192.168.43.1
Tcpip\..\Interfaces\{dc533aa1-cab1-455b-82f8-be14c50e7341}: [DhcpNameServer] 10.1.1.1

Internet Explorer:
==================
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://asus13.msn.com/?pc=ASJB
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com/?pc=ASJB
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-02-13] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-13] (Oracle Corporation)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-09-22] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-22] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-10-24] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-10-24] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-13] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-13] (Oracle Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-06] ()
FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [No File]
FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [No File]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com.au/
CHR StartupUrls: Default -> "chrome://newtab/"
CHR Profile: C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-20]
CHR Extension: (BetterTTV) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2016-06-03]
CHR Extension: (Google Docs) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-20]
CHR Extension: (Google Drive) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Search) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Google Sheets) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-20]
CHR Extension: (Google Docs Offline) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-18]
CHR Extension: (AdBlock) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Global Twitch Emotes) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgniedifoejifjkndekolimjeclnokkb [2016-05-05]
CHR Extension: (Gmail) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-30]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe [71680 2013-08-16] (ASUS Cloud Corporation) [File not signed]
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1257504 2015-12-23] ()
R2 DptfParticipantProcessorService; C:\Windows\system32\DptfParticipantProcessorService.exe [117704 2013-10-18] (Intel Corporation)
R2 DptfPolicyConfigTDPService; C:\Windows\system32\DptfPolicyConfigTDPService.exe [116680 2013-10-18] (Intel Corporation)
R2 DptfPolicyCriticalService; C:\Windows\system32\DptfPolicyCriticalService.exe [148160 2013-10-18] (Intel Corporation)
R2 DptfPolicyLpmService; C:\Windows\system32\DptfPolicyLpmService.exe [126952 2013-10-18] (Intel Corporation)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227936 2013-11-09] (WildTangent)
S2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9728 2016-03-14] (Hi-Rez Studios) [File not signed]
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373160 2016-01-20] (Intel Corporation)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [827392 2013-09-03] (Intel(R) Corporation) [File not signed]
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-10-24] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-10-24] (Intel Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1593632 2014-01-20] (NVIDIA Corporation)
S3 OverwolfUpdater; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [1289968 2016-05-29] (Overwolf LTD)
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [188072 2015-09-24] ()
R2 RzKLService; C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe [129168 2015-11-13] (Razer Inc.)
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\System32\drivers\athw10x.sys [4325544 2015-06-26] (Qualcomm Atheros Communications, Inc.)
S3 ATP; C:\Windows\System32\drivers\AsusTP.sys [101368 2015-09-23] (ASUS Corporation)
R3 DptfDevDram; C:\Windows\system32\DRIVERS\DptfDevDram.sys [145640 2013-10-18] (Intel Corporation)
R3 DptfDevPch; C:\Windows\system32\DRIVERS\DptfDevPch.sys [116752 2013-10-18] (Intel Corporation)
R3 DptfDevProc; C:\Windows\system32\DRIVERS\DptfDevProc.sys [289744 2013-10-18] (Intel Corporation)
R3 DptfManager; C:\Windows\system32\DRIVERS\DptfManager.sys [494296 2013-10-18] (Intel Corporation)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [17280 2012-08-06] ( )
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-10-24] (Intel Corporation)
R2 plctrl; C:\Program Files\ASUS\P4G\plctrl.sys [14136 2014-01-04] (Windows (R) Win 7 DDK provider)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [895256 2015-07-07] (Realtek )
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [751632 2015-05-14] (Realsil Semiconductor Corporation)
S3 rzendpt; C:\Windows\System32\drivers\rzendpt.sys [50392 2015-08-14] (Razer Inc)
R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [37184 2015-09-23] (Razer, Inc.)
R2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [129472 2015-06-27] (Razer, Inc.)
U5 rzudd; C:\Windows\System32\Drivers\rzudd.sys [202952 2015-10-03] (Razer Inc)
R3 ScpVBus; C:\Windows\System32\drivers\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
R3 sshid; C:\Windows\System32\drivers\sshid.sys [51400 2016-01-28] (SteelSeries ApS)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-21 18:03 - 2016-06-21 18:04 - 00020137 _____ C:\Users\Caleb\Downloads\FRST.txt
2016-06-21 18:02 - 2016-06-21 18:03 - 00000000 ____D C:\FRST
2016-06-21 18:01 - 2016-06-21 18:01 - 02387456 _____ (Farbar) C:\Users\Caleb\Downloads\FRST64.exe
2016-06-21 18:01 - 2016-06-21 18:01 - 01738240 _____ (Farbar) C:\Users\Caleb\Downloads\FRST.exe
2016-06-21 18:00 - 2016-06-21 18:00 - 00002310 _____ C:\Users\Caleb\Desktop\Tweaking.com - Registry Backup.lnk
2016-06-21 18:00 - 2016-06-21 18:00 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-CAZTOP-Windows-10-Home-(64-bit).dat
2016-06-21 18:00 - 2016-06-21 18:00 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2016-06-21 18:00 - 2016-06-21 18:00 - 00000000 ____D C:\RegBackup
2016-06-21 18:00 - 2016-06-21 18:00 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2016-06-21 17:59 - 2016-06-21 18:00 - 00018113 _____ C:\WINDOWS\Tweaking.com - Registry Backup Setup Log.txt
2016-06-21 17:59 - 2016-06-21 17:59 - 05523840 _____ (Tweaking.com) C:\Users\Caleb\Downloads\tweaking.com_registry_backup_setup.exe
2016-06-13 23:14 - 2016-06-13 23:14 - 00000044 _____ C:\Users\Caleb\Desktop\Draft for 6.88.txt
2016-06-09 19:07 - 2016-06-09 19:05 - 00144121 ___RT C:\Users\Caleb\Desktop\13137149 136522 09-Jun-2016 11 58 58.PDF
2016-06-08 17:19 - 2016-06-08 17:19 - 00000638 _____ C:\Users\Caleb\Downloads\download_interview
2016-06-02 17:37 - 2016-06-02 17:42 - 26968178 _____ C:\Users\Caleb\Downloads\coffeemix1.0.wav
2016-05-27 12:55 - 2016-05-27 13:48 - 00000000 ____D C:\Users\Caleb\Downloads\Flume - Skin (2016) FLAC
2016-05-27 12:44 - 2016-06-16 02:26 - 00000000 ____D C:\Users\Caleb\Downloads\Random songs
2016-05-27 12:39 - 2016-05-27 12:40 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\Winamp
2016-05-27 12:39 - 2016-05-27 12:39 - 00001050 _____ C:\Users\Public\Desktop\Winamp.lnk
2016-05-27 12:39 - 2016-05-27 12:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Winamp
2016-05-27 12:39 - 2016-05-27 12:39 - 00000000 ____D C:\Program Files (x86)\Winamp
2016-05-27 12:37 - 2016-05-27 12:38 - 10328598 _____ (Nullsoft, Inc.) C:\Users\Caleb\Downloads\winamp5666_full_en-us_redux.exe
2016-05-25 18:13 - 2016-05-25 18:13 - 00000000 ____D C:\Program Files\Common Files\AV
2016-05-25 17:50 - 2016-05-25 17:50 - 00000000 ____D C:\WINDOWS\System32\Tasks\Safer-Networking
2016-05-25 17:49 - 2016-05-25 18:38 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-05-25 17:49 - 2016-05-25 18:12 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-05-25 17:49 - 2016-05-25 17:49 - 00001462 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-05-25 17:49 - 2016-05-25 17:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2016-05-25 17:49 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
2016-05-25 17:35 - 2016-05-25 17:41 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Caleb\Downloads\spybot-2.4.exe
2016-05-25 16:20 - 2016-05-25 16:20 - 00000826 _____ C:\Users\Caleb\Downloads\App (1).xaml
2016-05-25 16:19 - 2016-05-25 16:19 - 00000826 _____ C:\Users\Caleb\Downloads\App.xaml
2016-05-25 16:00 - 2016-05-25 16:00 - 00242479 _____ C:\Users\Caleb\Downloads\OldTMforW10_[winaero.com]_107.zip
2016-05-25 15:56 - 2016-05-25 15:56 - 00000000 ____D C:\Users\Caleb\Downloads\OldTMforW10_[winaero.com]_1789
2016-05-25 15:55 - 2016-05-25 15:55 - 00242479 _____ C:\Users\Caleb\Downloads\OldTMforW10_[winaero.com]_1789.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-21 18:03 - 2015-10-30 17:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-06-21 18:01 - 2015-10-30 17:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-06-21 17:41 - 2015-10-30 17:21 - 00000000 ____D C:\WINDOWS\INF
2016-06-21 17:41 - 2015-10-01 14:42 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-06-21 17:41 - 2015-03-20 17:54 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-21 17:40 - 2015-03-20 17:50 - 00000075 _____ C:\Users\Caleb\AppData\Roaming\sp_data.sys
2016-06-21 17:38 - 2015-03-20 17:54 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-21 17:37 - 2016-04-05 18:17 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-06-21 17:37 - 2015-03-20 18:02 - 00000000 ____D C:\Program Files (x86)\Steam
2016-06-21 17:37 - 2015-03-20 17:47 - 00000000 __SHD C:\Users\Caleb\IntelGraphicsProfiles
2016-06-21 17:36 - 2016-01-25 08:05 - 00000000 ____D C:\Users\Caleb
2016-06-21 17:35 - 2016-01-25 08:21 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-06-21 13:06 - 2015-09-04 21:17 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-06-21 01:07 - 2015-10-30 17:24 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-06-20 23:42 - 2015-09-03 23:51 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\TS3Client
2016-06-20 20:48 - 2015-10-30 17:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-20 07:47 - 2016-01-23 03:47 - 00000000 ____D C:\Program Files (x86)\Hearthstone
2016-06-20 07:47 - 2016-01-21 12:48 - 00000000 ____D C:\Users\Caleb\AppData\Local\Battle.net
2016-06-20 07:47 - 2016-01-21 12:39 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-06-19 22:43 - 2015-03-20 17:55 - 00002274 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-19 22:43 - 2015-03-20 17:55 - 00002262 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-16 18:22 - 2015-03-22 13:29 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-06-16 18:18 - 2015-03-22 13:29 - 142482544 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-06-16 03:14 - 2015-10-30 16:28 - 00786432 ___SH C:\WINDOWS\system32\config\BBI
2016-06-09 23:29 - 2016-03-29 12:21 - 00000000 ____D C:\Users\Caleb\Help
2016-06-09 16:18 - 2016-05-07 22:17 - 00000000 ____D C:\Program Files (x86)\Overwolf
2016-06-07 13:40 - 2015-06-20 10:52 - 00000000 ____D C:\Users\Caleb\AppData\Local\ElevatedDiagnostics
2016-06-03 23:47 - 2015-04-21 18:16 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\vlc
2016-06-03 23:20 - 2016-05-03 12:25 - 00000000 ___RD C:\Users\Caleb\Desktop\Random Pictures
2016-06-03 21:19 - 2016-05-03 12:26 - 00000000 ___RD C:\Users\Caleb\Desktop\Anti Virus and Registry cleaner
2016-06-03 21:18 - 2016-05-03 12:26 - 00000000 ___RD C:\Users\Caleb\Desktop\Random notes
2016-06-01 17:05 - 2015-04-21 18:57 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\BitTorrent
2016-06-01 17:04 - 2016-01-31 21:54 - 00000000 ____D C:\WINDOWS\Minidump
2016-05-27 13:16 - 2016-01-20 20:03 - 00000000 ____D C:\Users\Caleb\AppData\Local\Spotify
2016-05-27 13:14 - 2016-01-20 19:56 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\Spotify
2016-05-25 19:01 - 2015-06-30 04:11 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-05-25 11:46 - 2016-05-14 11:44 - 00005672 _____ C:\Users\Caleb\AppData\Roaming\1.txt
2016-05-25 01:22 - 2015-08-18 20:35 - 00000021 _____ C:\Users\Caleb\AppData\Roaming\zxc.bat
2016-05-23 18:00 - 2016-04-01 20:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClipGrab
2016-05-23 18:00 - 2016-04-01 20:52 - 00000000 ____D C:\Program Files (x86)\ClipGrab

==================== Files in the root of some directories =======

2016-05-14 11:44 - 2016-05-25 11:46 - 0005672 _____ () C:\Users\Caleb\AppData\Roaming\1.txt
2015-09-04 00:02 - 2015-09-04 00:03 - 0186318 _____ () C:\Users\Caleb\AppData\Roaming\1.zip
2015-09-04 00:02 - 2016-04-28 18:15 - 0000035 _____ () C:\Users\Caleb\AppData\Roaming\2.txt
2015-05-28 15:39 - 2015-05-28 15:39 - 0535758 _____ () C:\Users\Caleb\AppData\Roaming\browsers.exe
2015-08-29 08:56 - 2015-08-29 08:56 - 0879616 _____ () C:\Users\Caleb\AppData\Roaming\keys.exe
2016-04-27 17:04 - 2016-04-28 18:16 - 0006505 _____ () C:\Users\Caleb\AppData\Roaming\pass123231words.txt
2016-03-29 22:38 - 2016-04-28 18:16 - 0005242 _____ () C:\Users\Caleb\AppData\Roaming\passichrom.txt
2015-03-20 17:50 - 2016-06-21 17:40 - 0000075 _____ () C:\Users\Caleb\AppData\Roaming\sp_data.sys
2015-08-18 20:35 - 2016-05-25 01:22 - 0000021 _____ () C:\Users\Caleb\AppData\Roaming\zxc.bat
2016-04-05 18:19 - 2016-04-05 18:19 - 0000000 _____ () C:\Users\Caleb\AppData\Local\{3D43062E-F32D-40A8-8692-57867DD1DC68}
2015-12-21 13:46 - 2015-12-21 13:46 - 0000000 _____ () C:\Users\Caleb\AppData\Local\{D79DD814-D638-447E-AFB8-7F950653B791}
2016-01-25 08:02 - 2016-01-25 08:02 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2013-12-13 13:04 - 2012-09-07 21:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2013-12-13 13:04 - 2009-07-22 20:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2013-12-13 13:04 - 2012-09-07 21:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS

Files to move or delete:
====================
C:\Users\Caleb\updt.cmd
C:\Users\Caleb\wrar.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-15 17:14

==================== End of FRST.txt ============================


aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2016-06-21 18:09:28
-----------------------------
18:09:28.402 OS Version: Windows x64 6.2.9200
18:09:28.402 Number of processors: 4 586 0x4501
18:09:28.403 ComputerName: CAZTOP UserName: Caleb
18:09:29.108 Initialize success
18:09:29.147 VM: initialized successfully
18:09:29.148 VM: Intel CPU supported
18:09:35.729 VM: disk I/O iaStorA.sys
18:15:43.420 AVAST engine defs: 16062002
18:17:13.927 The log file has been saved successfully to "C:\Users\Caleb\Desktop\aswMBR.txt"
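The FRST output above lists running processes, autorun (Run key) entries and loose files in profile roots, and the helper's reply picks out the ones worth a second look by hand. As an added example (not part of the thread, and not FRST's or any helper's own tooling), the Python script below parses lines in those three shapes, using lines copied from the log above as constructed sample input, and scores each executable with a few of the heuristics a helper applies: whether it runs from a user-writable location, whether it carries a publisher string, whether it is a script, and whether its publisher is known remote-control software (NetSupport, which the reply identifies as desktop remote control). The regexes, the scoring weights and the REMOTE_CONTROL_VENDORS set are this example's own assumptions, not FRST's format specification.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Three FRST line shapes seen in the log above: a process line, an autorun
# (Run key) line and a "Files in the root of some directories" line. These
# regexes are assumptions derived from those examples, not FRST's specification.
PROC_RE = re.compile(r"^\((?P<vendor>.*?)\) (?P<path>[A-Za-z]:\\.+)$")
RUN_RE = re.compile(
    r"^(?P<key>HK(?:LM|U\\[^\\]+)(?:-x32)?\\\.\.\.\\Run): \[(?P<name>[^\]]*)\] => (?P<target>.*)$"
)
TARGET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \[(?P<size>\d+) (?P<date>[\d-]+)\] \((?P<vendor>.*)\)$"
)
ROOT_RE = re.compile(
    r"^[\d-]+ [\d:]+ - [\d-]+ [\d:]+ - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<vendor>.*?)\) (?P<path>[A-Za-z]:\\.+)$"
)

# Publishers treated as remote-control software (hypothetical list, seeded from
# the reply's note that NetSupport Ltd is desktop remote control).
REMOTE_CONTROL_VENDORS = {"netsupport ltd"}
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".ps1", ".js")

# Constructed sample: lines copied from the FRST log posted above.
SAMPLE_LOG = r"""
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NetSupport Ltd) C:\Users\Caleb\Help\info.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Spotify] => C:\Users\Caleb\AppData\Roaming\Spotify\Spotify.exe [6858864 2016-05-26] (Spotify Ltd)
HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Update] => C:\Users\Caleb\Help\info.exe [30128 2008-10-14] (NetSupport Ltd)
2015-05-28 15:39 - 2015-05-28 15:39 - 0535758 _____ () C:\Users\Caleb\AppData\Roaming\browsers.exe
2015-08-29 08:56 - 2015-08-29 08:56 - 0879616 _____ () C:\Users\Caleb\AppData\Roaming\keys.exe
2015-08-18 20:35 - 2016-05-25 01:22 - 0000021 _____ () C:\Users\Caleb\AppData\Roaming\zxc.bat
2013-12-13 13:04 - 2009-07-22 20:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
"""


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)  # which log sections listed it


def user_writable(path: str) -> bool:
    """True for anything under C:\\Users or sitting directly in C:\\ProgramData."""
    p = path.lower()
    if p.startswith("c:\\users\\"):
        return True
    prefix = "c:\\programdata\\"
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


def score_entry(path: str, vendor: str) -> Tuple[int, List[str]]:
    """Additive heuristics; the weights are this example's own choice."""
    score, reasons = 0, []
    vendor = vendor.strip()
    if user_writable(path):
        score += 2
        reasons.append("runs from a user-writable location")
    if not vendor:
        score += 2
        reasons.append("no publisher string")
    if path.lower().endswith(SCRIPT_EXTS):
        score += 1
        reasons.append("script file")
    if vendor.lower() in REMOTE_CONTROL_VENDORS:
        score += 2
        reasons.append(f"remote-control software ({vendor})")
    return score, reasons


def triage(lines) -> List[Finding]:
    """Parse FRST-style lines and return flagged entries, highest score first."""
    findings: Dict[str, Finding] = {}

    def note(path: str, vendor: str, source: str) -> None:
        f = findings.setdefault(path.lower(), Finding(path))
        if not f.sources:  # score each path once, then just record where it appeared
            f.score, f.reasons = score_entry(path, vendor)
        f.sources.append(source)

    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            t = TARGET_RE.match(m.group("target"))
            if t:
                note(t.group("path"), t.group("vendor"), "autorun")
            else:  # e.g. "[X]": an autorun value with no usable target
                key = f'{m.group("key")}: [{m.group("name")}]'
                f = findings.setdefault(
                    key.lower(), Finding(key, 1, ["autorun value with no valid target"]))
                f.sources.append("autorun")
            continue
        m = ROOT_RE.match(line) or PROC_RE.match(line)
        if m:
            source = "root-file" if "attrs" in m.groupdict() else "process"
            note(m.group("path"), m.group("vendor"), source)

    return sorted((f for f in findings.values() if f.score > 0),
                  key=lambda f: (-f.score, f.path.lower()))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.score}] {f.path}  <- {', '.join(f.sources)}: {'; '.join(f.reasons)}")
```

Run against the sample, the script ranks zxc.bat first (profile location, no publisher, script), then browsers.exe, keys.exe, SetStretch.exe and info.exe, which is the same set the helper asks to have scanned; Spotify lands lower because it at least carries a publisher string. The heuristics only rank what the log already shows, so a low score is a reason to look last, not a clean bill of health.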

Juliet
2016-06-21, 15:32
Is this a company computer or computer which is used by multiple people?


When not in use keep this disabled.
NetSupport Ltd, Desktop Remote Control

~~~~~~~~~~~~~~~~~~~~~~~~
Scan the following files with one of the free online scanner services.
Please go to one of the below sites to scan the following files:

VirusTotal (https://www.virustotal.com/#file) (File & URL)
Jotti's Malware Scan (http://virusscan.jotti.org/en-gb) (File)
Dr.Web Online Check (http://online.us.drweb.com/?url=1) (URL)
Trend Micro Site Safety Center (http://global.sitesafety.trendmicro.com/) (URL)
Norton Safe Web (http://safeweb.norton.com/) (URL)

Click on Browse and upload the following file for analysis:

C:\Users\Caleb\AppData\Roaming\browsers.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

Also, please have the below files scanned as well and post the links in your reply.

C:\Users\Caleb\AppData\Roaming\keys.exe
C:\ProgramData\SetStretch.cmd
C:\ProgramData\SetStretch.exe

~~~~~~~~~~~~~~~~

Running from C:\Users\Caleb\Downloads
Yes, we'll need to move it to ensure the scripts run correctly.

Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
Go to an open spot on your desktop, right click and select PASTE
You should now have Farbar Recovery Scan Tool on your desktop.


Please open Notepad (do not use WordPad or any other text editor than Notepad, or the script will fail: Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)


https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG




start
CreateRestorePoint:
CloseProcesses:
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-02-13] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-13] (Oracle Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-13] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-13] (Oracle Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [No File]
FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [No File]
C:\Users\Caleb\updt.cmd
C:\Users\Caleb\wrar.exe
Task: {14FADA1A-7D53-4F67-9BC2-590C15F77E6E} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {48B5A126-8761-4C07-B2EA-85747F145030} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {57141E3B-8C66-4086-B2D9-02319B02CB17} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {5C8A5D85-6964-4C7D-954E-E0AC91A0B35E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {74899711-683A-4B7F-B3D3-9D5434A602A6} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {8B6B09B3-FD6C-4DCC-88C8-8286EDCA6F90} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {959B3F12-85BE-4501-BA2D-9F046CB0D519} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {9B1791E0-1BC3-4E56-9F47-DB64B6E0ADF3} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A271B922-3B38-46AE-B6EC-5660569EF1BA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {D6AE4369-F5E9-44F6-A2B2-A016C32533C7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {D7F0F612-13CC-4B35-AFE4-EFC658A07E0B} - System32\Tasks\Weaekmyg => C:\PROGRA~1\MODEBI~1\Suonkhuc.bat <==== ATTENTION
EmptyTemp:
Hosts:
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) and save the file to your Desktop.
Right-click AdwCleaner.exe and select Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
Click Clean.
Follow the prompts and allow your computer to reboot.
After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.




======================================================



Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/)
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.


***
please post
Information of requested files scanned
Fixlog.txt
AdwCleaner[C1].txt
JRT.txt
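
What the fixlist above does by hand can be scripted, which is a useful way to check a draft before it is run. The script below is an added example, not part of this thread and not a feature of FRST: it reads an FRST-style log, pulls out the kinds of entries a helper normally puts into fixlist.txt (scheduled tasks FRST has tagged with ATTENTION, plugin registrations with no file behind them, search scopes with an empty URL, and executables or scripts sitting in user-writable locations such as AppData\Roaming, the profile root or the root of ProgramData) and wraps them in the start / CreateRestorePoint: / CloseProcesses: / EmptyTemp: / End structure the fixlists in this thread use. The sample log is constructed for the example: its flagged entries are copied from the fixlist above, but the timestamps, file sizes and benign lines are invented. The triage rules are heuristics of my own, not FRST's, and anything they list still needs a human look before the fix is run.

```python
"""Draft an FRST fixlist.txt from an FRST log.

Added example, not part of the thread and not a feature of FRST. It automates
the triage the helper did by hand. The rules are heuristics: they select
entries worth a human look; they do not prove anything is malicious.
"""
import re

# Extensions that execute when launched; a .dll is left out because many
# legitimate programs keep libraries under AppData.
SCRIPT_EXTS = (".exe", ".cmd", ".bat", ".vbs", ".js", ".ps1", ".scr")

_DRIVE = re.compile(r"[A-Za-z]:\\")
_TRAILERS = (" [", " <====", " =>")          # FRST annotations that follow a path
_PROFILE_ROOT_FILE = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+$")


def extract_path(line):
    """Return the last drive-letter path on an FRST line, cut off at FRST's
    trailing annotations ([date] (vendor), <==== ATTENTION, => ...), or None."""
    starts = [m.start() for m in _DRIVE.finditer(line)]
    if not starts:
        return None
    tail = line[starts[-1]:]
    cut = len(tail)
    for marker in _TRAILERS:
        pos = tail.find(marker)
        if pos != -1:
            cut = min(cut, pos)
    return tail[:cut].rstrip() or None


def is_user_writable_executable(path):
    """True for an executable or script in a place a normal install seldom uses
    but droppers favour: AppData\\Roaming, the user's Temp, a file directly in
    the profile root, or a file directly in C:\\ProgramData."""
    p = path.lower()
    if not p.endswith(SCRIPT_EXTS):
        return False
    if "\\appdata\\roaming\\" in p or "\\appdata\\local\\temp\\" in p:
        return True
    if p.startswith("c:\\programdata\\") and p.count("\\") == 2:
        return True
    return bool(_PROFILE_ROOT_FILE.match(p))


def triage(log_text):
    """Collect fixlist entries from an FRST log, in log order, without duplicates."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===="):
            continue                      # blank line or section header
        if line.startswith("Task:") and "<==== ATTENTION" in line:
            entries.append(line)          # FRST flagged the task itself
        elif line.startswith(("FF Plugin", "BHO", "CHR ", "Task:")) and line.endswith("[No File]"):
            entries.append(line)          # registration whose target no longer exists
        elif line.startswith("SearchScopes:") and line.endswith("URL ="):
            entries.append(line)          # search scope with no URL: a dead entry
        else:
            path = extract_path(line)
            if path and is_user_writable_executable(path):
                entries.append(path)      # a bare path in a fixlist deletes that file
    seen, unique = set(), []
    for entry in entries:
        if entry not in seen:
            seen.add(entry)
            unique.append(entry)
    return unique


def build_fixlist(entries):
    """Wrap the entries in the fixlist structure used in this thread."""
    return "\n".join(["start", "CreateRestorePoint:", "CloseProcesses:", *entries,
                      "EmptyTemp:", "End"]) + "\n"


# Constructed FRST-style excerpt. The flagged entries are copied from the
# fixlist in the post; the timestamps, sizes and benign lines are invented.
SAMPLE_FRST_LOG = r"""
==================== Processes (Whitelisted) =================
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
==================== Internet (Whitelisted) ====================
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-02-13] (Oracle Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
==================== Scheduled Tasks (Whitelisted) =============
Task: {57141E3B-8C66-4086-B2D9-02319B02CB17} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D7F0F612-13CC-4B35-AFE4-EFC658A07E0B} - System32\Tasks\Weaekmyg => C:\PROGRA~1\MODEBI~1\Suonkhuc.bat <==== ATTENTION
==================== One Month Created files and folders ========
2016-06-18 21:40 - 2016-06-18 21:40 - 00412160 _____ C:\Users\Caleb\AppData\Roaming\browsers.exe
2016-06-18 21:40 - 2016-06-18 21:40 - 00097280 _____ C:\Users\Caleb\AppData\Roaming\keys.exe
2016-06-18 21:41 - 2016-06-18 21:41 - 00000312 _____ C:\ProgramData\SetStretch.cmd
2016-06-18 21:41 - 2016-06-18 21:41 - 00000512 _____ C:\Users\Caleb\updt.cmd
2016-06-10 09:02 - 2016-06-10 09:02 - 00003210 _____ C:\Users\Caleb\Downloads\notes.txt
==================== End of FRST.txt ============================
"""

if __name__ == "__main__":
    print(build_fixlist(triage(SAMPLE_FRST_LOG)))
```

The draft deliberately leaves out what the helper added by judgment rather than by rule: the Reg: lines that reset the IPSec policy, the Hosts: directive, and the Java BHO entries she chose to remove even though their files exist. Those are decisions a script should not make for you.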

shenb0t
2016-06-21, 18:21
Hi Juliet, thanks for responding; To answer your first question, this is my personal computer.


The following is the scan results for C:\Users\Caleb\AppData\Roaming\browsers.exe
https://www.virustotal.com/en/file/da612341c7176acee2a7d34b2ca2cfa713b3278d6552e0bac846dca30ee9218a/analysis/1466519595/

C:\Users\Caleb\AppData\Roaming\keys.exe
https://www.virustotal.com/en/file/3b0cc84ac4a6cb77f225c1f3e14813755def38b66bba7d004a7054040e520585/analysis/1466519741/

C:\ProgramData\SetStretch.cmd
https://www.virustotal.com/en/file/a1a0dcc0bcae48654dbd7fb6a1942e18e93a07e593715abc9b38a9b3ba2b54b3/analysis/1466520074/

C:\ProgramData\SetStretch.exe
https://www.virustotal.com/en/file/a84b5e69527a9f91dae964ed40022a2a77c1fe45b7a381a335202ec3927d140b/analysis/1466520415/


Appreciate the help so far, it has been insightful.
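
The links above carry the analysed sample's SHA-256 in their path, which allows a check the helper did not ask for but a responder normally does: hash the local file and confirm it is the same bytes VirusTotal reported on. A self-updating RAT can replace its file between upload and verdict, and a hash lookup also avoids uploading anything further from a compromised machine. The script below is an added example, not part of this thread; the URL layout it parses is the one used in the links above, and the stand-in file it hashes when run directly is constructed on the spot because the real samples are not available here.

```python
"""Tie a VirusTotal report back to the file on disk by SHA-256.

Added example (not from the thread). VirusTotal file URLs embed the SHA-256 of
the sample that was analysed, so a local copy can be hashed and compared
without uploading it again.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# URL layout of the links posted in the thread (.../en/file/<sha256>/analysis/<ts>/);
# the newer /gui/file/<sha256> form is accepted as well.
_VT_FILE_URL = re.compile(r"virustotal\.com/(?:[a-z]{2}/|gui/)?file/([0-9a-fA-F]{64})")


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in 1 MiB chunks so a large dropper
    never has to be held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vt_sha256_from_url(url):
    """Extract the 64-hex-digit SHA-256 from a VirusTotal file URL, or None."""
    match = _VT_FILE_URL.search(url)
    return match.group(1).lower() if match else None


def vt_lookup_url(sha256):
    """Report URL for an already-known hash: a lookup, not an upload."""
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}"


def verify_report(path, report_url):
    """Compare the local file's hash with the hash the VirusTotal link names.

    A mismatch means the report describes different bytes than the file now on
    disk: either the wrong file was uploaded, or the file changed afterwards.
    """
    local = sha256_of_file(path)
    reported = vt_sha256_from_url(report_url)
    return {"path": str(path), "local": local, "reported": reported,
            "match": local == reported}


if __name__ == "__main__":
    # Link posted in the thread for browsers.exe. The real sample is not
    # available here, so a constructed stand-in is hashed, which also shows
    # what a mismatch looks like.
    posted = ("https://www.virustotal.com/en/file/"
              "da612341c7176acee2a7d34b2ca2cfa713b3278d6552e0bac846dca30ee9218a"
              "/analysis/1466519595/")
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = Path(tmp) / "browsers.exe"
        stand_in.write_bytes(b"MZ constructed stand-in, not the real sample")
        result = verify_report(stand_in, posted)
    for key, value in result.items():
        print(f"{key:>9}: {value}")
    print("   lookup:", vt_lookup_url(result["reported"]))
```

Run it against the actual files before they are deleted by the fix, and keep the hashes with the incident notes: once FRST has removed browsers.exe and keys.exe, the hash is the only durable identifier left to hand to Steam support or anyone else investigating.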

Juliet
2016-06-21, 21:21
You might want to consider changing all passwords and other potentially revealed information (e.g., credit card numbers, PIN) from a known clean computer.

~~~~~~~~~~~~~~~~~~~~~~~~~

Please open Notepad (do not use WordPad or any other text editor than Notepad, or the script will fail: Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)




start
CreateRestorePoint:
CloseProcesses:
C:\Users\Caleb\AppData\Roaming\browsers.exe
C:\Users\Caleb\AppData\Roaming\keys.exe
EmptyTemp:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


~~~~~~~~~~~~~~~~~~~~~~~~~~~
Malwarebytes Anti-Rootkit

Download Malwarebytes Anti-Rootkit (http://downloads.malwarebytes.org/file/mbar)
Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message asking if you are sure you wish to allow the program to run. Please allow it so that Malwarebytes Anti-Rootkit starts correctly.
Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.

http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkit1_zps4613be8c.png


On the introduction screen, click the Next button to continue.


http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkit2update_zpsf85fca28.png


Next you will see the Update Database screen.
Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.


http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkitupdatecomplete_zpscf9f4cdb.png


When the update has finished, click on the Next button.

http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkitscan_zps9b346fe7.png


Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.


http://i1269.photobucket.com/albums/jj590/OCD-WTT/MBAMAnti-Rootkitscan-results_zps9f0fdf8e.png


When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
Make sure everything is selected and that the option to create a restore point is checked.
Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
Click on Yes button to restart your computer.


There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.
The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run.

For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt.


The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.


~~~~~~~~~~~~~~~~

What we can do now is run an online scan with Eset, a good trusted scanner, reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.



ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

Please download ESET Online Scan (http://download.eset.com/special/eos/esetsmartinstaller_enu.exe) and save the file to your Desktop.
Temporarily disable your anti-virus software. For instructions, please refer to the following link (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/).
Double-click esetsmartinstaller_enu.exe to run the programme.
Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
Agree to the Terms of Use once more and click Start. Allow components to download.
Place a checkmark next to Enable detection of potentially unwanted applications.
Click Advanced settings. Place a checkmark next to:

Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology


Ensure Remove found threats is unchecked.
Click Start.
Wait for the scan to finish. Please be patient as this can take some time.
Upon completion, click List of found threats. If no threats were found, skip the next two steps.
Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
Push the Back button.
Place a checkmark next to http://i.imgur.com/KN1w2nv.png and click http://i.imgur.com/SzOC1p0.png.
Re-enable your anti-virus software.
Copy the contents of the log and paste in your next reply.



****
please post
Fixlog.txt
MBAR log
Eset log

Juliet
2016-06-21, 21:46
I forgot to add this tool

Please remove any usb or external drives from the computer before you run this scan!


Please download RogueKiller and save it to your desktop.

You can check here (http://support.microsoft.com/kb/827218) if you're not sure if your computer is 32-bit or 64-bit

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) to your desktop.


Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement).
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Don't run any other options, they're not all bad!!
Post back the report which should be located on your desktop.

shenb0t
2016-06-22, 03:57
Okay, I've done everything you've said to the best of my ability.
I was unable to see the images you used when describing how to obtain the logs for the ESET scan so I had to use my best common sense, hopefully it's right!
Also the Rogue Killer report was not saved to my desktop after scanning, for some reason it was in my ProgramData even though I downloaded the program to my desktop (at least so I thought). The report saved as a JSON file, I converted it to a txt so I could upload it here.

Sorry if I've wasted any of your time if any of these are incorrect.

I will update all my passwords, etc, tomorrow. I still have the logs of what all my passwords and details for every website I've registered too, so I'll just go off that and change it all tomorrow on my second computer.

Juliet
2016-06-22, 05:01
RogueKiller threw it out as a Java script. From what I could piece together nothing nefarious was found.


By chance, have you reported to the correct Steam authorities/support that your account had been hacked?
Did you even have Steam Guard enabled?
From what I've tried to read, they will help to restore things back to normal?
~~~~~~~~~~

Please open Notepad (do not use WordPad or any other text editor than Notepad, or the script will fail: Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)



start
CreateRestorePoint:
CloseProcesses:
C:\Users\Caleb\AppData\Roaming\BitTorrent\updates\7.9.3_40101.exe
C:\Users\Caleb\Downloads\ccsetup517.exe
EmptyTemp:
Hosts:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~

Since you had a bad file related to Bit Torrent:
I see you have peer-to-peer (P2P) file sharing software installed on your computer (Bit Torrent). I advise you avoid P2P file sharing programmes; they are a security risk which can make your computer susceptible to malware. File sharing networks are thoroughly infected and infested with malware - worms (http://en.wikipedia.org/wiki/Computer_worm), backdoor Trojans (http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99), IRCBots (http://en.wikipedia.org/wiki/IRC_bot), and rootkits (http://en.wikipedia.org/wiki/Rootkit) propagate via P2P file sharing networks, gaming, and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. The best way to reduce the risk of infection is to avoid these types of web sites and not use P2P applications. Please read the following articles for more information.

Risks of File-Sharing Technology (http://www.us-cert.gov/cas/tips/ST05-007.html)
P2P Software User Advisories (http://aresgalaxy.sourceforge.net/p2prisks.htm)
More malware is traveling on P2P networks these days (http://www.computerworld.com/s/article/9240067/More_malware_is_traveling_on_P2P_networks_these_days)

Your P2P software can be removed by following the instructions below.

Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
Search for the aforementioned programme(s), right-click and click Uninstall.

~~~~~~~~~~~~~~~~~~~~~~~~~


Update Outdated Software
Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.

Java (http://java.com/en/download/index.jsp) (watch out for "Optional Offers" or bundled software)
Mozilla Firefox (http://www.mozilla.org/en-US/firefox/new/) (instructions (https://support.mozilla.org/en-US/kb/update-firefox-latest-version) to update through the programme)
Follow these instructions to check for and download the latest Windows Updates (http://www.update.microsoft.com/windowsupdate/v6/thanks.aspx?ln=en&&thankspage=5).


~~~~~~~~~~~~~~~~~~~~~


Disable Java in Your Browser
Due to frequent exploits involving Java vulnerabilities, we recommend you disable Java in your browser.
For information on Java vulnerabilities, please read the following article (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/?p=2316622) (point #7).

Press the Windows Key + s on your keyboard at the same time. Type Java Control Panel (or javacpl) in the search bar.
Click on the Java Control Panel. Once opened, click the Security tab.
Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
Click Apply. When the Windows User Account Control (UAC) prompt appears, allow permissions to make the changes.
Click OK in the Java Plug-in confirmation window.
Restart your browser(s) for changes to take effect.
More information can be found here (http://www.java.com/en/download/help/disable_browser.xml) and here (http://www.techsupportforum.com/forums/f284/disable-java-in-browsers-683721.html).

shenb0t
2016-06-22, 05:54
Thanks for all you've done, you have been incredibly helpful to me and I appreciate it greatly.

I contacted relevant authorities, they know about the compromise and the unauthorized transactions. I'm still in the process of correcting it all.
Yes, I have Steam Guard enabled and did so at the time, it didn't really matter when my Steam was already logged in while they had full access to my computer.
They haven't really been much help, but I think I'll be reimbursed (although they haven't told me if they will or not).


Yes; I'm aware of the dangers of file sharing websites and programs and I'm sure you'll be glad to know that I certainly learned my lesson after all that has happened.

Everything is up to date and Java has been disabled in my browser. I also ran the final fix in Farbar.


Once again, thanks for the help. I'm glad I was able to find someone on the good side of the internet for once!

Juliet
2016-06-22, 14:46
Once again, thanks for the help. I'm glad I was able to find someone on the good side of the internet for once!
LOL, yes, I try to remain on the good side!

DelFix


Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix) or from Here (http://www.bleepingcomputer.com/download/delfix/) and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:
Activate UAC
Remove disinfection tools
Click the Run button.
-- This will remove the specialized tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).


***************


Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP


AdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
CryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (e.g. CryptoWall), helping prevent the execution of malware.
Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
Malwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real time alongside your Anti-Virus to prevent malware execution.
NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
SpywareBlaster (https://www.brightfort.com/spywareblaster.html) is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
Unchecky (http://unchecky.com/) automatically removes checkmarks for bundled software in programme installers, helping you avoid adware and PUPs.
Web of Trust (https://www.mywot.com/) (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.



****

Want to help others? Join the ClassRoom (http://forums.whatthetech.com/What_the_Tech_Classroom_t80368.html) and learn how.

Juliet
2016-06-25, 13:57
Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.