Results 1 to 10 of 10

Thread: I believe there's a RAT (Remote administration tool) and key-logger on my computer

  1. #1
    Junior Member
    Join Date
    Jun 2016
    Posts
    11

    Exclamation I believe there's a RAT (Remote administration tool) and key-logger on my computer

    To whom it may concern, I have reason to believe that my computer has been compromised with a RAT. I have had money stolen, steam items stolen and according to Steam support items that got traded were traded from my IP address, which confirmed the fact that I was compromised.

    Would greatly appreciate any help. I also accidentally downloaded the Farbar recovery scan tool to downloads and did the log scan from there before I realized the "BEFORE You POST" thread specified not to. I'm not sure how much this affects your work here, but if it's too detrimental just let me know what I need to do and I'll try to correct it.

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19-06-2016 01
    Ran by Caleb (administrator) on CAZTOP (21-06-2016 18:03:39)
    Running from C:\Users\Caleb\Downloads
    Loaded Profiles: Caleb (Available Profiles: Caleb)
    Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: Chrome)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (Intel Corporation) C:\Windows\System32\igfxCUIService.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Intel Corporation) C:\Windows\System32\DptfPolicyLpmService.exe
    (Intel Corporation) C:\Windows\System32\DptfPolicyCriticalService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Intel Corporation) C:\Windows\System32\DptfPolicyConfigTDPService.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    (Razer Inc.) C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe
    (ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe
    (Intel Corporation) C:\Windows\System32\DptfParticipantProcessorService.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
    (ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe
    (ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
    (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    (Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
    (Intel Corporation) C:\Windows\System32\igfxEM.exe
    (Intel Corporation) C:\Windows\System32\igfxHK.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    (Intel Corporation) C:\Windows\System32\DptfPolicyLpmServiceHelper.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
    (NetSupport Ltd) C:\Users\Caleb\Help\info.exe
    (CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    (Razer Inc.) C:\Program Files (x86)\Razer\Razer Cortex\main.exe
    (Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    (Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
    (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
    (The CefSharp Authors) C:\Program Files (x86)\Razer\Razer Cortex\Cef\CefSharp.BrowserSubprocess.exe
    () C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
    (WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    (Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.10586.168_none_76587b40265ca57e\TiWorker.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [DptfPolicyLpmServiceHelper] => C:\WINDOWS\system32\DptfPolicyLpmServiceHelper.exe [114048 2013-10-18] (Intel Corporation)
    HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2234144 2014-01-20] (NVIDIA Corporation)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-07] (Apple Inc.)
    HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3216032 2013-12-13] (ASUSTek Computer Inc.)
    HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\ASUSWSLoader.exe [63296 2013-08-16] ()
    HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [95192 2013-03-09] (CyberLink Corp.)
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [593216 2015-08-31] (Razer Inc.)
    HKLM-x32\...\Run: [RazerCortex] => C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe [98256 2015-11-13] (Razer Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2850384 2016-06-18] (Valve Corporation)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Spotify Web Helper] => C:\Users\Caleb\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1554032 2016-05-26] (Spotify Ltd)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Spotify] => C:\Users\Caleb\AppData\Roaming\Spotify\Spotify.exe [6858864 2016-05-26] (Spotify Ltd)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50615936 2016-01-18] (Skype Technologies S.A.)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Update] => C:\Users\Caleb\Help\info.exe [30128 2008-10-14] (NetSupport Ltd)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8698584 2016-04-16] (Piriform Ltd)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-26] (ASUS Cloud Corporation.)
    ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-26] (ASUS Cloud Corporation.)
    ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-26] (ASUS Cloud Corporation.)
    BootExecute: autocheck autochk * sdnclean64.exe

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.42.129
    Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
    Tcpip\..\Interfaces\{22d3981b-573b-45a2-96a7-4cc00dbc2dc7}: [DhcpNameServer] 192.168.42.129
    Tcpip\..\Interfaces\{d33ed0f6-410c-4dc8-bc95-93037a63529c}: [DhcpNameServer] 192.168.43.1
    Tcpip\..\Interfaces\{dc533aa1-cab1-455b-82f8-be14c50e7341}: [DhcpNameServer] 10.1.1.1

    Internet Explorer:
    ==================
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://asus13.msn.com/?pc=ASJB
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com/?pc=ASJB
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-02-13] (Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-13] (Oracle Corporation)

    FireFox:
    ========
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-09-22] ()
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-22] ()
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-10-24] (Intel Corporation)
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-10-24] (Intel Corporation)
    FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-13] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-13] (Oracle Corporation)
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-06] ()
    FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [No File]
    FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [No File]

    Chrome:
    =======
    CHR HomePage: Default -> hxxp://www.google.com.au/
    CHR StartupUrls: Default -> "chrome://newtab/"
    CHR Profile: C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Slides) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-20]
    CHR Extension: (BetterTTV) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2016-06-03]
    CHR Extension: (Google Docs) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-20]
    CHR Extension: (Google Drive) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
    CHR Extension: (YouTube) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
    CHR Extension: (Google Search) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
    CHR Extension: (Google Sheets) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-20]
    CHR Extension: (Google Docs Offline) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-18]
    CHR Extension: (AdBlock) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-03]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
    CHR Extension: (Global Twitch Emotes) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgniedifoejifjkndekolimjeclnokkb [2016-05-05]
    CHR Extension: (Gmail) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-30]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
    R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe [71680 2013-08-16] (ASUS Cloud Corporation) [File not signed]
    S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1257504 2015-12-23] ()
    R2 DptfParticipantProcessorService; C:\Windows\system32\DptfParticipantProcessorService.exe [117704 2013-10-18] (Intel Corporation)
    R2 DptfPolicyConfigTDPService; C:\Windows\system32\DptfPolicyConfigTDPService.exe [116680 2013-10-18] (Intel Corporation)
    R2 DptfPolicyCriticalService; C:\Windows\system32\DptfPolicyCriticalService.exe [148160 2013-10-18] (Intel Corporation)
    R2 DptfPolicyLpmService; C:\Windows\system32\DptfPolicyLpmService.exe [126952 2013-10-18] (Intel Corporation)
    R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227936 2013-11-09] (WildTangent)
    S2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9728 2016-03-14] (Hi-Rez Studios) [File not signed]
    R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373160 2016-01-20] (Intel Corporation)
    S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [827392 2013-09-03] (Intel(R) Corporation) [File not signed]
    R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-10-24] (Intel Corporation)
    R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-10-24] (Intel Corporation)
    R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1593632 2014-01-20] (NVIDIA Corporation)
    S3 OverwolfUpdater; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [1289968 2016-05-29] (Overwolf LTD)
    R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [188072 2015-09-24] ()
    R2 RzKLService; C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe [129168 2015-11-13] (Razer Inc.)
    S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
    R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
    R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R3 athr; C:\Windows\System32\drivers\athw10x.sys [4325544 2015-06-26] (Qualcomm Atheros Communications, Inc.)
    S3 ATP; C:\Windows\System32\drivers\AsusTP.sys [101368 2015-09-23] (ASUS Corporation)
    R3 DptfDevDram; C:\Windows\system32\DRIVERS\DptfDevDram.sys [145640 2013-10-18] (Intel Corporation)
    R3 DptfDevPch; C:\Windows\system32\DRIVERS\DptfDevPch.sys [116752 2013-10-18] (Intel Corporation)
    R3 DptfDevProc; C:\Windows\system32\DRIVERS\DptfDevProc.sys [289744 2013-10-18] (Intel Corporation)
    R3 DptfManager; C:\Windows\system32\DRIVERS\DptfManager.sys [494296 2013-10-18] (Intel Corporation)
    R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [17280 2012-08-06] ( )
    R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-10-24] (Intel Corporation)
    R2 plctrl; C:\Program Files\ASUS\P4G\plctrl.sys [14136 2014-01-04] (Windows (R) Win 7 DDK provider)
    R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [895256 2015-07-07] (Realtek )
    R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [751632 2015-05-14] (Realsil Semiconductor Corporation)
    S3 rzendpt; C:\Windows\System32\drivers\rzendpt.sys [50392 2015-08-14] (Razer Inc)
    R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [37184 2015-09-23] (Razer, Inc.)
    R2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [129472 2015-06-27] (Razer, Inc.)
    U5 rzudd; C:\Windows\System32\Drivers\rzudd.sys [202952 2015-10-03] (Razer Inc)
    R3 ScpVBus; C:\Windows\System32\drivers\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
    R3 sshid; C:\Windows\System32\drivers\sshid.sys [51400 2016-01-28] (SteelSeries ApS)
    S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
    S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-06-21 18:03 - 2016-06-21 18:04 - 00020137 _____ C:\Users\Caleb\Downloads\FRST.txt
    2016-06-21 18:02 - 2016-06-21 18:03 - 00000000 ____D C:\FRST
    2016-06-21 18:01 - 2016-06-21 18:01 - 02387456 _____ (Farbar) C:\Users\Caleb\Downloads\FRST64.exe
    2016-06-21 18:01 - 2016-06-21 18:01 - 01738240 _____ (Farbar) C:\Users\Caleb\Downloads\FRST.exe
    2016-06-21 18:00 - 2016-06-21 18:00 - 00002310 _____ C:\Users\Caleb\Desktop\Tweaking.com - Registry Backup.lnk
    2016-06-21 18:00 - 2016-06-21 18:00 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-CAZTOP-Windows-10-Home-(64-bit).dat
    2016-06-21 18:00 - 2016-06-21 18:00 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
    2016-06-21 18:00 - 2016-06-21 18:00 - 00000000 ____D C:\RegBackup
    2016-06-21 18:00 - 2016-06-21 18:00 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
    2016-06-21 17:59 - 2016-06-21 18:00 - 00018113 _____ C:\WINDOWS\Tweaking.com - Registry Backup Setup Log.txt
    2016-06-21 17:59 - 2016-06-21 17:59 - 05523840 _____ (Tweaking.com) C:\Users\Caleb\Downloads\tweaking.com_registry_backup_setup.exe
    2016-06-13 23:14 - 2016-06-13 23:14 - 00000044 _____ C:\Users\Caleb\Desktop\Draft for 6.88.txt
    2016-06-09 19:07 - 2016-06-09 19:05 - 00144121 ___RT C:\Users\Caleb\Desktop\13137149 136522 09-Jun-2016 11 58 58.PDF
    2016-06-08 17:19 - 2016-06-08 17:19 - 00000638 _____ C:\Users\Caleb\Downloads\download_interview
    2016-06-02 17:37 - 2016-06-02 17:42 - 26968178 _____ C:\Users\Caleb\Downloads\coffeemix1.0.wav
    2016-05-27 12:55 - 2016-05-27 13:48 - 00000000 ____D C:\Users\Caleb\Downloads\Flume - Skin (2016) FLAC
    2016-05-27 12:44 - 2016-06-16 02:26 - 00000000 ____D C:\Users\Caleb\Downloads\Random songs
    2016-05-27 12:39 - 2016-05-27 12:40 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\Winamp
    2016-05-27 12:39 - 2016-05-27 12:39 - 00001050 _____ C:\Users\Public\Desktop\Winamp.lnk
    2016-05-27 12:39 - 2016-05-27 12:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Winamp
    2016-05-27 12:39 - 2016-05-27 12:39 - 00000000 ____D C:\Program Files (x86)\Winamp
    2016-05-27 12:37 - 2016-05-27 12:38 - 10328598 _____ (Nullsoft, Inc.) C:\Users\Caleb\Downloads\winamp5666_full_en-us_redux.exe
    2016-05-25 18:13 - 2016-05-25 18:13 - 00000000 ____D C:\Program Files\Common Files\AV
    2016-05-25 17:50 - 2016-05-25 17:50 - 00000000 ____D C:\WINDOWS\System32\Tasks\Safer-Networking
    2016-05-25 17:49 - 2016-05-25 18:38 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2016-05-25 17:49 - 2016-05-25 18:12 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2016-05-25 17:49 - 2016-05-25 17:49 - 00001462 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
    2016-05-25 17:49 - 2016-05-25 17:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
    2016-05-25 17:49 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
    2016-05-25 17:35 - 2016-05-25 17:41 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Caleb\Downloads\spybot-2.4.exe
    2016-05-25 16:20 - 2016-05-25 16:20 - 00000826 _____ C:\Users\Caleb\Downloads\App (1).xaml
    2016-05-25 16:19 - 2016-05-25 16:19 - 00000826 _____ C:\Users\Caleb\Downloads\App.xaml
    2016-05-25 16:00 - 2016-05-25 16:00 - 00242479 _____ C:\Users\Caleb\Downloads\OldTMforW10_[winaero.com]_107.zip
    2016-05-25 15:56 - 2016-05-25 15:56 - 00000000 ____D C:\Users\Caleb\Downloads\OldTMforW10_[winaero.com]_1789
    2016-05-25 15:55 - 2016-05-25 15:55 - 00242479 _____ C:\Users\Caleb\Downloads\OldTMforW10_[winaero.com]_1789.zip

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-06-21 18:03 - 2015-10-30 17:24 - 00000000 ____D C:\WINDOWS\AppReadiness
    2016-06-21 18:01 - 2015-10-30 17:11 - 00000000 ____D C:\WINDOWS\CbsTemp
    2016-06-21 17:41 - 2015-10-30 17:21 - 00000000 ____D C:\WINDOWS\INF
    2016-06-21 17:41 - 2015-10-01 14:42 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
    2016-06-21 17:41 - 2015-03-20 17:54 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2016-06-21 17:40 - 2015-03-20 17:50 - 00000075 _____ C:\Users\Caleb\AppData\Roaming\sp_data.sys
    2016-06-21 17:38 - 2015-03-20 17:54 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2016-06-21 17:37 - 2016-04-05 18:17 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
    2016-06-21 17:37 - 2015-03-20 18:02 - 00000000 ____D C:\Program Files (x86)\Steam
    2016-06-21 17:37 - 2015-03-20 17:47 - 00000000 __SHD C:\Users\Caleb\IntelGraphicsProfiles
    2016-06-21 17:36 - 2016-01-25 08:05 - 00000000 ____D C:\Users\Caleb
    2016-06-21 17:35 - 2016-01-25 08:21 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2016-06-21 13:06 - 2015-09-04 21:17 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
    2016-06-21 01:07 - 2015-10-30 17:24 - 00000000 ____D C:\WINDOWS\system32\NDF
    2016-06-20 23:42 - 2015-09-03 23:51 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\TS3Client
    2016-06-20 20:48 - 2015-10-30 17:24 - 00000000 ___HD C:\Program Files\WindowsApps
    2016-06-20 07:47 - 2016-01-23 03:47 - 00000000 ____D C:\Program Files (x86)\Hearthstone
    2016-06-20 07:47 - 2016-01-21 12:48 - 00000000 ____D C:\Users\Caleb\AppData\Local\Battle.net
    2016-06-20 07:47 - 2016-01-21 12:39 - 00000000 ____D C:\Program Files (x86)\Battle.net
    2016-06-19 22:43 - 2015-03-20 17:55 - 00002274 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2016-06-19 22:43 - 2015-03-20 17:55 - 00002262 _____ C:\Users\Public\Desktop\Google Chrome.lnk
    2016-06-16 18:22 - 2015-03-22 13:29 - 00000000 ____D C:\WINDOWS\system32\MRT
    2016-06-16 18:18 - 2015-03-22 13:29 - 142482544 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2016-06-16 03:14 - 2015-10-30 16:28 - 00786432 ___SH C:\WINDOWS\system32\config\BBI
    2016-06-09 23:29 - 2016-03-29 12:21 - 00000000 ____D C:\Users\Caleb\Help
    2016-06-09 16:18 - 2016-05-07 22:17 - 00000000 ____D C:\Program Files (x86)\Overwolf
    2016-06-07 13:40 - 2015-06-20 10:52 - 00000000 ____D C:\Users\Caleb\AppData\Local\ElevatedDiagnostics
    2016-06-03 23:47 - 2015-04-21 18:16 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\vlc
    2016-06-03 23:20 - 2016-05-03 12:25 - 00000000 ___RD C:\Users\Caleb\Desktop\Random Pictures
    2016-06-03 21:19 - 2016-05-03 12:26 - 00000000 ___RD C:\Users\Caleb\Desktop\Anti Virus and Registry cleaner
    2016-06-03 21:18 - 2016-05-03 12:26 - 00000000 ___RD C:\Users\Caleb\Desktop\Random notes
    2016-06-01 17:05 - 2015-04-21 18:57 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\BitTorrent
    2016-06-01 17:04 - 2016-01-31 21:54 - 00000000 ____D C:\WINDOWS\Minidump
    2016-05-27 13:16 - 2016-01-20 20:03 - 00000000 ____D C:\Users\Caleb\AppData\Local\Spotify
    2016-05-27 13:14 - 2016-01-20 19:56 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\Spotify
    2016-05-25 19:01 - 2015-06-30 04:11 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2016-05-25 11:46 - 2016-05-14 11:44 - 00005672 _____ C:\Users\Caleb\AppData\Roaming\1.txt
    2016-05-25 01:22 - 2015-08-18 20:35 - 00000021 _____ C:\Users\Caleb\AppData\Roaming\zxc.bat
    2016-05-23 18:00 - 2016-04-01 20:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClipGrab
    2016-05-23 18:00 - 2016-04-01 20:52 - 00000000 ____D C:\Program Files (x86)\ClipGrab

    ==================== Files in the root of some directories =======

    2016-05-14 11:44 - 2016-05-25 11:46 - 0005672 _____ () C:\Users\Caleb\AppData\Roaming\1.txt
    2015-09-04 00:02 - 2015-09-04 00:03 - 0186318 _____ () C:\Users\Caleb\AppData\Roaming\1.zip
    2015-09-04 00:02 - 2016-04-28 18:15 - 0000035 _____ () C:\Users\Caleb\AppData\Roaming\2.txt
    2015-05-28 15:39 - 2015-05-28 15:39 - 0535758 _____ () C:\Users\Caleb\AppData\Roaming\browsers.exe
    2015-08-29 08:56 - 2015-08-29 08:56 - 0879616 _____ () C:\Users\Caleb\AppData\Roaming\keys.exe
    2016-04-27 17:04 - 2016-04-28 18:16 - 0006505 _____ () C:\Users\Caleb\AppData\Roaming\pass123231words.txt
    2016-03-29 22:38 - 2016-04-28 18:16 - 0005242 _____ () C:\Users\Caleb\AppData\Roaming\passichrom.txt
    2015-03-20 17:50 - 2016-06-21 17:40 - 0000075 _____ () C:\Users\Caleb\AppData\Roaming\sp_data.sys
    2015-08-18 20:35 - 2016-05-25 01:22 - 0000021 _____ () C:\Users\Caleb\AppData\Roaming\zxc.bat
    2016-04-05 18:19 - 2016-04-05 18:19 - 0000000 _____ () C:\Users\Caleb\AppData\Local\{3D43062E-F32D-40A8-8692-57867DD1DC68}
    2015-12-21 13:46 - 2015-12-21 13:46 - 0000000 _____ () C:\Users\Caleb\AppData\Local\{D79DD814-D638-447E-AFB8-7F950653B791}
    2016-01-25 08:02 - 2016-01-25 08:02 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
    2013-12-13 13:04 - 2012-09-07 21:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
    2013-12-13 13:04 - 2009-07-22 20:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
    2013-12-13 13:04 - 2012-09-07 21:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS

    Files to move or delete:
    ====================
    C:\Users\Caleb\updt.cmd
    C:\Users\Caleb\wrar.exe


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\wininit.exe => File is digitally signed
    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-06-15 17:14

    ==================== End of FRST.txt ============================


    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2016-06-21 18:09:28
    -----------------------------
    18:09:28.402 OS Version: Windows x64 6.2.9200
    18:09:28.402 Number of processors: 4 586 0x4501
    18:09:28.403 ComputerName: CAZTOP UserName: Caleb
    18:09:29.108 Initialize success
    18:09:29.147 VM: initialized successfully
    18:09:29.148 VM: Intel CPU supported
    18:09:35.729 VM: disk I/O iaStorA.sys
    18:15:43.420 AVAST engine defs: 16062002
    18:17:13.927 The log file has been saved successfully to "C:\Users\Caleb\Desktop\aswMBR.txt"
    Attached Files Attached Files
    Last edited by tashi; 2016-06-21 at 18:36. Reason: Copy pasted logs into topic, as per FAQ. :-)

  2. #2
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,818

    Default

    Is this a company computer or computer which is used by multiple people?


    When not in use keep this disabled.
    NetSupport Ltd, Desktop Remote Control

    ~~~~~~~~~~~~~~~~~~~~~~~~
    Scan the files/following free online scanner services.
    Please go to one of the below sites to scan the following files:

    click on Browse, and upload the following file for analysis:

    C:\Users\Caleb\AppData\Roaming\browsers.exe

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
    If it says already scanned -- click "reanalyze now"
    Please post the results in your next reply.

    Also, please have the below files scanned as well and post the links in your reply.

    C:\Users\Caleb\AppData\Roaming\keys.exe
    C:\ProgramData\SetStretch.cmd
    C:\ProgramData\SetStretch.exe


    ~~~~~~~~~~~~~~~~

    Running from C:\Users\Caleb\Downloads
    Yes, we'll need to move it to ensure the scripts run correctly.

    Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
    Go to an open spot on your desktop, right click and select PASTE
    You should now have Farbar Recovery Scan Tool on your desktop.


    Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)





    start
    CreateRestorePoint:
    CloseProcesses:
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-02-13] (Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-13] (Oracle Corporation)
    FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-13] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-13] (Oracle Corporation)
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
    FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [No File]
    FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [No File]
    C:\Users\Caleb\updt.cmd
    C:\Users\Caleb\wrar.exe
    Task: {14FADA1A-7D53-4F67-9BC2-590C15F77E6E} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {48B5A126-8761-4C07-B2EA-85747F145030} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {57141E3B-8C66-4086-B2D9-02319B02CB17} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {5C8A5D85-6964-4C7D-954E-E0AC91A0B35E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {74899711-683A-4B7F-B3D3-9D5434A602A6} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {8B6B09B3-FD6C-4DCC-88C8-8286EDCA6F90} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {959B3F12-85BE-4501-BA2D-9F046CB0D519} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {9B1791E0-1BC3-4E56-9F47-DB64B6E0ADF3} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {A271B922-3B38-46AE-B6EC-5660569EF1BA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {D6AE4369-F5E9-44F6-A2B2-A016C32533C7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    Task: {D7F0F612-13CC-4B35-AFE4-EFC658A07E0B} - System32\Tasks\Weaekmyg => C:\PROGRA~1\MODEBI~1\Suonkhuc.bat <==== ATTENTION
    EmptyTemp:
    Hosts:
    Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

    Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

    AdwCleaner
    • Please download AdwCleaner and save the file to your Desktop.
    • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Click Scan.
    • Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
    • Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
    • Click Clean.
    • Follow the prompts and allow your computer to reboot.
    • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.




    ======================================================



    Please download Junkware Removal Tool
    or from here http://downloads.malwarebytes.org/file/jrt
    to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    ***
    please post
    Information of requested files scanned
    Fixlog.txt
    AdwCleaner[C1].txt
    JRT.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #3
    Junior Member
    Join Date
    Jun 2016
    Posts
    11

    Default

    Hi Juliet, thanks for responding; To answer your first question, this is my personal computer.


    The following is the scan results for C:\Users\Caleb\AppData\Roaming\browsers.exe
    https://www.virustotal.com/en/file/d...is/1466519595/

    C:\Users\Caleb\AppData\Roaming\keys.exe
    https://www.virustotal.com/en/file/3...is/1466519741/

    C:\ProgramData\SetStretch.cmd
    https://www.virustotal.com/en/file/a...is/1466520074/

    C:\ProgramData\SetStretch.exe
    https://www.virustotal.com/en/file/a...is/1466520415/


    Appreciate the help so far, it has been insightful.
    Attached Files Attached Files

  4. #4
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,818

    Default

    might want to consider changing all passwords and other potentially revealed information (e.g., credit card numbers, PIN). from a known clean computer.

    ~~~~~~~~~~~~~~~~~~~~~~~~~`

    Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)


    start
    CreateRestorePoint:
    CloseProcesses:
    C:\Users\Caleb\AppData\Roaming\browsers.exe
    C:\Users\Caleb\AppData\Roaming\keys.exe
    EmptyTemp:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~`
    Malwarebytes Anti-Rootkit
    • Download Malwarebytes Anti-Rootkit
    • Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
    • Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
    • Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
    • Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
    • After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message if you are sure you wish to allow the program to run. Please allow to start Malwarebytes Anti-Rootkit correctly.
    • Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
    • If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.



    • Please click by the introduction screen on the Next button to continue.




    • Next you will see the Update Database screen.
    • Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.




    • When the update has finished, click on the Next button.



    • Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
    • Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.




    • When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
    • Make sure everything is selected and that the option to create a restore point is checked.
    • Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
    • Click on Yes button to restart your computer.

    • There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.
    • The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run.
      • For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt.

    • The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.


    ~~~~~~~~~~~~~~~~``

    What we can do now is run an online scan with Eset, a good trusted scanner, reliable and thorough.
    The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course how full your computer is.



    ESET Online Scan
    Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
    • Please download ESET Online Scan and save the file to your Desktop.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Double-click esetsmartinstaller_enu.exe to run the programme.
    • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
    • Agree to the Terms of Use once more and click Start. Allow components to download.
    • Place a checkmark next to Enable detection of potentially unwanted applications.
    • Click Advanced settings. Place a checkmark next to:
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

    • Ensure Remove found threats is unchecked.
    • Click Start.
    • Wait for the scan to finish. Please be patient as this can take some time.
    • Upon completion, click . If no threats were found, skip the next two bullet points.
    • Click and save the file to your Desktop, naming it something such as "MyEsetScan".
    • Push the Back button.
    • Place a checkmark next to and click .
    • Re-enable your anti-virus software.
    • Copy the contents of the log and paste in your next reply.


    ****
    please post
    Fixlog.txt
    MBAR log
    Eset log
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  5. #5
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,818

    Default

    I forgot to add this tool

    Please remove any usb or external drives from the computer before you run this scan!


    Please download RogueKiller and save it to your desktop.

    You can check here if you're not sure if your computer is 32-bit or 64-bit
    • Download RogueKiller to your desktop.

    • Quit all running programs.
    • For Windows XP, double-click to start.
    • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
    • Read and accept the EULA (End User Licene Agreement)
    • Click Scan to scan the system.
    • When the scan completes Close the program > Don't Fix anything!
    • Don't run any other options, they're not all bad!!
    • Post back the report which should be located on your desktop.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  6. #6
    Junior Member
    Join Date
    Jun 2016
    Posts
    11

    Default

    Okay, I've done everything you've said to the best of my ability.
    I was unable to see the images you used when describing how to obtain the logs for the ESET scan so I had to use my best common sense, hopefully it's right!
    Also the Rogue Killer report was not saved to my desktop after scanning, for some reason it was in my ProgramData even though I downloaded the program to my desktop (at least so I thought). The report saved as a JSON file, I converted it to a txt so I could upload it here.

    Sorry if I've wasted any of your time if any of these are incorrect.

    I will update all my passwords, etc, tomorrow. I still have the logs of what all my passwords and details for every website I've registered too, so I'll just go off that and change it all tomorrow on my second computer.
    Attached Files Attached Files

  7. #7
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,818

    Default

    RogueKiller threw it out as a Java script. From what I could piece together nothing nefarious was found.


    By chance have you reported to the correct Steam authorities/support your account had been hacked?.
    Did you even have Steam Guard enabled?
    from what I've tried to read they will help to restore things back to normal?
    ~~~~~~~~~~

    Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

    start
    CreateRestorePoint:
    CloseProcesses:
    C:\Users\Caleb\AppData\Roaming\BitTorrent\updates\7.9.3_40101.exe
    C:\Users\Caleb\Downloads\ccsetup517.exe
    EmptyTemp:
    Hosts:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~~~`

    Since you had a bad file related to Bit Torrent:
    I see you have peer-to-peer (P2P) file sharing software installed on your computer (Bit Torrent). I advise you avoid P2P file sharing programmes; they are a security risk which can make your computer susceptible to malware. File sharing networks are thoroughly infected and infested with malware - worms, backdoor Trojans, IRCBots, and rootkits propagate via P2P file sharing networks, gaming, and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. The best way to reduce the risk of infection is to avoid these types of web sites and not use P2P applications. Please read the following articles for more information.

    Your P2P software can be removed by following the instructions below.
    • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
    • Search for the aforementioned programme(s), right-click and click Uninstall.

    ~~~~~~~~~~~~~~~~~~~~~~~~~


    Update Outdated Software
    Outdated software contain security risks that must be patched. Please download and install the latest version of the programmes below.

    ~~~~~~~~~~~~~~~~~~~~~``


    Disable Java in Your Browser
    Due to frequent exploits involving Java vulnerabilities we recommend you disable Java in your browser.
    For information on Java vulnerabilities, please read the following article (point #7).
    • Press the Windows Key + s on your keyboard at the same time. Type Java Control Panel (or javacpl) in the search bar.
    • Click on the Java Control Panel. Once opened, click the Security tab.
    • Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser. [/*]
    • Click Apply. When the Windows User Account Control (UAC) appears, allow permissions to make the changes.
    • Click OK in the Java Plug-in confirmation window.
    • Restart your browser(s) for changes to take effect.
    • More information can be found here and here.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  8. #8
    Junior Member
    Join Date
    Jun 2016
    Posts
    11

    Default

    Thanks for all you've done, you have been incredibly helpful to me and I appreciate it greatly.

    I contacted relevant authorities, they know about the compromise and the unauthorized transactions. I'm still in the process of correcting it all.
    Yes, I have Steam Guard enabled and did so at the time, it didn't really matter when my Steam was already logged in while they had full access to my computer.
    They haven't really been much help, but I think I'll be reimbursed (although they haven't told me if they will or not).


    Yes; I'm aware of the dangers of file sharing websites and programs and I'm sure you'll be glad to know that I certainly learned my lesson after all that has happened.

    Everything is up to date and Java has been disabled in my browser. I also ran the final fix in Farbar.


    Once again, thanks for the help. I'm glad I was able to find someone on the good side of the internet for once!

  9. #9
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,818

    Default

    Once again, thanks for the help. I'm glad I was able to find someone on the good side of the internet for once!
    LOL, yes, I try to remain on the good side!

    DelFix

    • Please download DelFix or from Here and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Click the Run button.
    • -- This will remove the specialized tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).


    ***************


    • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
    • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
    • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
    • Malwarebytes Anti-Malware Premium (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
    • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
    • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
    • Secunia PSI will scan your computer for vulnerable softwarethat is outdated, and automatically find the latest update for you.
    • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
    • Unchecky automatically removes checkmarks for bunlded software in programme installers; helping you avoid adware and PUPs.
    • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.


    ****

    Want to help others? Join the ClassRoom and learn how.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  10. #10
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,818

    Default

    Glad we could help.

    Since this issue appears resolved ... this Topic is closed.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •