Thread: I believe there's a RAT (Remote administration tool) and key-logger on my computer

  1. #1
    Junior Member (Join Date: Jun 2016, Posts: 11)

    I believe there's a RAT (Remote administration tool) and key-logger on my computer

    To whom it may concern, I have reason to believe that my computer has been compromised with a RAT. I have had money stolen and Steam items stolen, and according to Steam support the items that got traded were traded from my IP address, which confirmed the fact that I was compromised.

    Would greatly appreciate any help. I also accidentally downloaded the Farbar Recovery Scan Tool to Downloads and did the log scan from there before I realized the "BEFORE You POST" thread specified not to. I'm not sure how much this affects your work here, but if it's too detrimental just let me know what I need to do and I'll try to correct it.

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19-06-2016 01
    Ran by Caleb (administrator) on CAZTOP (21-06-2016 18:03:39)
    Running from C:\Users\Caleb\Downloads
    Loaded Profiles: Caleb (Available Profiles: Caleb)
    Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: Chrome)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (Intel Corporation) C:\Windows\System32\igfxCUIService.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Intel Corporation) C:\Windows\System32\DptfPolicyLpmService.exe
    (Intel Corporation) C:\Windows\System32\DptfPolicyCriticalService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Intel Corporation) C:\Windows\System32\DptfPolicyConfigTDPService.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    (Razer Inc.) C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe
    (ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe
    (Intel Corporation) C:\Windows\System32\DptfParticipantProcessorService.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
    (ASUS) C:\Program Files\ASUS\P4G\BatteryLife.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe
    (ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
    (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    (Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
    (Intel Corporation) C:\Windows\System32\igfxEM.exe
    (Intel Corporation) C:\Windows\System32\igfxHK.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    (Intel Corporation) C:\Windows\System32\DptfPolicyLpmServiceHelper.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
    (NetSupport Ltd) C:\Users\Caleb\Help\info.exe
    (CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    (Razer Inc.) C:\Program Files (x86)\Razer\Razer Cortex\main.exe
    (Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    (Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
    (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
    (The CefSharp Authors) C:\Program Files (x86)\Razer\Razer Cortex\Cef\CefSharp.BrowserSubprocess.exe
    () C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
    (WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    (Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.10586.168_none_76587b40265ca57e\TiWorker.exe
    (Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [DptfPolicyLpmServiceHelper] => C:\WINDOWS\system32\DptfPolicyLpmServiceHelper.exe [114048 2013-10-18] (Intel Corporation)
    HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2234144 2014-01-20] (NVIDIA Corporation)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-07] (Apple Inc.)
    HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3216032 2013-12-13] (ASUSTek Computer Inc.)
    HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\ASUSWSLoader.exe [63296 2013-08-16] ()
    HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [95192 2013-03-09] (CyberLink Corp.)
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [593216 2015-08-31] (Razer Inc.)
    HKLM-x32\...\Run: [RazerCortex] => C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe [98256 2015-11-13] (Razer Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2850384 2016-06-18] (Valve Corporation)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Spotify Web Helper] => C:\Users\Caleb\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1554032 2016-05-26] (Spotify Ltd)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Spotify] => C:\Users\Caleb\AppData\Roaming\Spotify\Spotify.exe [6858864 2016-05-26] (Spotify Ltd)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50615936 2016-01-18] (Skype Technologies S.A.)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [Update] => C:\Users\Caleb\Help\info.exe [30128 2008-10-14] (NetSupport Ltd)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8698584 2016-04-16] (Piriform Ltd)
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-26] (ASUS Cloud Corporation.)
    ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-26] (ASUS Cloud Corporation.)
    ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-26] (ASUS Cloud Corporation.)
    BootExecute: autocheck autochk * sdnclean64.exe

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.42.129
    Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
    Tcpip\..\Interfaces\{22d3981b-573b-45a2-96a7-4cc00dbc2dc7}: [DhcpNameServer] 192.168.42.129
    Tcpip\..\Interfaces\{d33ed0f6-410c-4dc8-bc95-93037a63529c}: [DhcpNameServer] 192.168.43.1
    Tcpip\..\Interfaces\{dc533aa1-cab1-455b-82f8-be14c50e7341}: [DhcpNameServer] 10.1.1.1

    Internet Explorer:
    ==================
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://asus13.msn.com/?pc=ASJB
    HKU\S-1-5-21-581702097-4065236420-1632052791-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com/?pc=ASJB
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-581702097-4065236420-1632052791-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-02-13] (Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-13] (Oracle Corporation)

    FireFox:
    ========
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-09-22] ()
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-22] ()
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-10-24] (Intel Corporation)
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-10-24] (Intel Corporation)
    FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-13] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-13] (Oracle Corporation)
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
    FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-06] ()
    FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [No File]
    FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\Caleb\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [No File]

    Chrome:
    =======
    CHR HomePage: Default -> hxxp://www.google.com.au/
    CHR StartupUrls: Default -> "chrome://newtab/"
    CHR Profile: C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Slides) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-20]
    CHR Extension: (BetterTTV) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2016-06-03]
    CHR Extension: (Google Docs) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-20]
    CHR Extension: (Google Drive) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
    CHR Extension: (YouTube) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
    CHR Extension: (Google Search) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
    CHR Extension: (Google Sheets) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-20]
    CHR Extension: (Google Docs Offline) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-18]
    CHR Extension: (AdBlock) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-03]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
    CHR Extension: (Global Twitch Emotes) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgniedifoejifjkndekolimjeclnokkb [2016-05-05]
    CHR Extension: (Gmail) - C:\Users\Caleb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-30]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
    R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe [71680 2013-08-16] (ASUS Cloud Corporation) [File not signed]
    S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1257504 2015-12-23] ()
    R2 DptfParticipantProcessorService; C:\Windows\system32\DptfParticipantProcessorService.exe [117704 2013-10-18] (Intel Corporation)
    R2 DptfPolicyConfigTDPService; C:\Windows\system32\DptfPolicyConfigTDPService.exe [116680 2013-10-18] (Intel Corporation)
    R2 DptfPolicyCriticalService; C:\Windows\system32\DptfPolicyCriticalService.exe [148160 2013-10-18] (Intel Corporation)
    R2 DptfPolicyLpmService; C:\Windows\system32\DptfPolicyLpmService.exe [126952 2013-10-18] (Intel Corporation)
    R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227936 2013-11-09] (WildTangent)
    S2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9728 2016-03-14] (Hi-Rez Studios) [File not signed]
    R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373160 2016-01-20] (Intel Corporation)
    S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [827392 2013-09-03] (Intel(R) Corporation) [File not signed]
    R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-10-24] (Intel Corporation)
    R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-10-24] (Intel Corporation)
    R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1593632 2014-01-20] (NVIDIA Corporation)
    S3 OverwolfUpdater; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [1289968 2016-05-29] (Overwolf LTD)
    R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [188072 2015-09-24] ()
    R2 RzKLService; C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe [129168 2015-11-13] (Razer Inc.)
    S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
    R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
    R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R3 athr; C:\Windows\System32\drivers\athw10x.sys [4325544 2015-06-26] (Qualcomm Atheros Communications, Inc.)
    S3 ATP; C:\Windows\System32\drivers\AsusTP.sys [101368 2015-09-23] (ASUS Corporation)
    R3 DptfDevDram; C:\Windows\system32\DRIVERS\DptfDevDram.sys [145640 2013-10-18] (Intel Corporation)
    R3 DptfDevPch; C:\Windows\system32\DRIVERS\DptfDevPch.sys [116752 2013-10-18] (Intel Corporation)
    R3 DptfDevProc; C:\Windows\system32\DRIVERS\DptfDevProc.sys [289744 2013-10-18] (Intel Corporation)
    R3 DptfManager; C:\Windows\system32\DRIVERS\DptfManager.sys [494296 2013-10-18] (Intel Corporation)
    R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [17280 2012-08-06] ( )
    R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-10-24] (Intel Corporation)
    R2 plctrl; C:\Program Files\ASUS\P4G\plctrl.sys [14136 2014-01-04] (Windows (R) Win 7 DDK provider)
    R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [895256 2015-07-07] (Realtek )
    R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [751632 2015-05-14] (Realsil Semiconductor Corporation)
    S3 rzendpt; C:\Windows\System32\drivers\rzendpt.sys [50392 2015-08-14] (Razer Inc)
    R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [37184 2015-09-23] (Razer, Inc.)
    R2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [129472 2015-06-27] (Razer, Inc.)
    U5 rzudd; C:\Windows\System32\Drivers\rzudd.sys [202952 2015-10-03] (Razer Inc)
    R3 ScpVBus; C:\Windows\System32\drivers\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
    R3 sshid; C:\Windows\System32\drivers\sshid.sys [51400 2016-01-28] (SteelSeries ApS)
    S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
    S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-06-21 18:03 - 2016-06-21 18:04 - 00020137 _____ C:\Users\Caleb\Downloads\FRST.txt
    2016-06-21 18:02 - 2016-06-21 18:03 - 00000000 ____D C:\FRST
    2016-06-21 18:01 - 2016-06-21 18:01 - 02387456 _____ (Farbar) C:\Users\Caleb\Downloads\FRST64.exe
    2016-06-21 18:01 - 2016-06-21 18:01 - 01738240 _____ (Farbar) C:\Users\Caleb\Downloads\FRST.exe
    2016-06-21 18:00 - 2016-06-21 18:00 - 00002310 _____ C:\Users\Caleb\Desktop\Tweaking.com - Registry Backup.lnk
    2016-06-21 18:00 - 2016-06-21 18:00 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-CAZTOP-Windows-10-Home-(64-bit).dat
    2016-06-21 18:00 - 2016-06-21 18:00 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
    2016-06-21 18:00 - 2016-06-21 18:00 - 00000000 ____D C:\RegBackup
    2016-06-21 18:00 - 2016-06-21 18:00 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
    2016-06-21 17:59 - 2016-06-21 18:00 - 00018113 _____ C:\WINDOWS\Tweaking.com - Registry Backup Setup Log.txt
    2016-06-21 17:59 - 2016-06-21 17:59 - 05523840 _____ (Tweaking.com) C:\Users\Caleb\Downloads\tweaking.com_registry_backup_setup.exe
    2016-06-13 23:14 - 2016-06-13 23:14 - 00000044 _____ C:\Users\Caleb\Desktop\Draft for 6.88.txt
    2016-06-09 19:07 - 2016-06-09 19:05 - 00144121 ___RT C:\Users\Caleb\Desktop\13137149 136522 09-Jun-2016 11 58 58.PDF
    2016-06-08 17:19 - 2016-06-08 17:19 - 00000638 _____ C:\Users\Caleb\Downloads\download_interview
    2016-06-02 17:37 - 2016-06-02 17:42 - 26968178 _____ C:\Users\Caleb\Downloads\coffeemix1.0.wav
    2016-05-27 12:55 - 2016-05-27 13:48 - 00000000 ____D C:\Users\Caleb\Downloads\Flume - Skin (2016) FLAC
    2016-05-27 12:44 - 2016-06-16 02:26 - 00000000 ____D C:\Users\Caleb\Downloads\Random songs
    2016-05-27 12:39 - 2016-05-27 12:40 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\Winamp
    2016-05-27 12:39 - 2016-05-27 12:39 - 00001050 _____ C:\Users\Public\Desktop\Winamp.lnk
    2016-05-27 12:39 - 2016-05-27 12:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Winamp
    2016-05-27 12:39 - 2016-05-27 12:39 - 00000000 ____D C:\Program Files (x86)\Winamp
    2016-05-27 12:37 - 2016-05-27 12:38 - 10328598 _____ (Nullsoft, Inc.) C:\Users\Caleb\Downloads\winamp5666_full_en-us_redux.exe
    2016-05-25 18:13 - 2016-05-25 18:13 - 00000000 ____D C:\Program Files\Common Files\AV
    2016-05-25 17:50 - 2016-05-25 17:50 - 00000000 ____D C:\WINDOWS\System32\Tasks\Safer-Networking
    2016-05-25 17:49 - 2016-05-25 18:38 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2016-05-25 17:49 - 2016-05-25 18:12 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2016-05-25 17:49 - 2016-05-25 17:49 - 00001462 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
    2016-05-25 17:49 - 2016-05-25 17:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
    2016-05-25 17:49 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
    2016-05-25 17:35 - 2016-05-25 17:41 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Caleb\Downloads\spybot-2.4.exe
    2016-05-25 16:20 - 2016-05-25 16:20 - 00000826 _____ C:\Users\Caleb\Downloads\App (1).xaml
    2016-05-25 16:19 - 2016-05-25 16:19 - 00000826 _____ C:\Users\Caleb\Downloads\App.xaml
    2016-05-25 16:00 - 2016-05-25 16:00 - 00242479 _____ C:\Users\Caleb\Downloads\OldTMforW10_[winaero.com]_107.zip
    2016-05-25 15:56 - 2016-05-25 15:56 - 00000000 ____D C:\Users\Caleb\Downloads\OldTMforW10_[winaero.com]_1789
    2016-05-25 15:55 - 2016-05-25 15:55 - 00242479 _____ C:\Users\Caleb\Downloads\OldTMforW10_[winaero.com]_1789.zip

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-06-21 18:03 - 2015-10-30 17:24 - 00000000 ____D C:\WINDOWS\AppReadiness
    2016-06-21 18:01 - 2015-10-30 17:11 - 00000000 ____D C:\WINDOWS\CbsTemp
    2016-06-21 17:41 - 2015-10-30 17:21 - 00000000 ____D C:\WINDOWS\INF
    2016-06-21 17:41 - 2015-10-01 14:42 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
    2016-06-21 17:41 - 2015-03-20 17:54 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2016-06-21 17:40 - 2015-03-20 17:50 - 00000075 _____ C:\Users\Caleb\AppData\Roaming\sp_data.sys
    2016-06-21 17:38 - 2015-03-20 17:54 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2016-06-21 17:37 - 2016-04-05 18:17 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
    2016-06-21 17:37 - 2015-03-20 18:02 - 00000000 ____D C:\Program Files (x86)\Steam
    2016-06-21 17:37 - 2015-03-20 17:47 - 00000000 __SHD C:\Users\Caleb\IntelGraphicsProfiles
    2016-06-21 17:36 - 2016-01-25 08:05 - 00000000 ____D C:\Users\Caleb
    2016-06-21 17:35 - 2016-01-25 08:21 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2016-06-21 13:06 - 2015-09-04 21:17 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
    2016-06-21 01:07 - 2015-10-30 17:24 - 00000000 ____D C:\WINDOWS\system32\NDF
    2016-06-20 23:42 - 2015-09-03 23:51 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\TS3Client
    2016-06-20 20:48 - 2015-10-30 17:24 - 00000000 ___HD C:\Program Files\WindowsApps
    2016-06-20 07:47 - 2016-01-23 03:47 - 00000000 ____D C:\Program Files (x86)\Hearthstone
    2016-06-20 07:47 - 2016-01-21 12:48 - 00000000 ____D C:\Users\Caleb\AppData\Local\Battle.net
    2016-06-20 07:47 - 2016-01-21 12:39 - 00000000 ____D C:\Program Files (x86)\Battle.net
    2016-06-19 22:43 - 2015-03-20 17:55 - 00002274 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2016-06-19 22:43 - 2015-03-20 17:55 - 00002262 _____ C:\Users\Public\Desktop\Google Chrome.lnk
    2016-06-16 18:22 - 2015-03-22 13:29 - 00000000 ____D C:\WINDOWS\system32\MRT
    2016-06-16 18:18 - 2015-03-22 13:29 - 142482544 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2016-06-16 03:14 - 2015-10-30 16:28 - 00786432 ___SH C:\WINDOWS\system32\config\BBI
    2016-06-09 23:29 - 2016-03-29 12:21 - 00000000 ____D C:\Users\Caleb\Help
    2016-06-09 16:18 - 2016-05-07 22:17 - 00000000 ____D C:\Program Files (x86)\Overwolf
    2016-06-07 13:40 - 2015-06-20 10:52 - 00000000 ____D C:\Users\Caleb\AppData\Local\ElevatedDiagnostics
    2016-06-03 23:47 - 2015-04-21 18:16 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\vlc
    2016-06-03 23:20 - 2016-05-03 12:25 - 00000000 ___RD C:\Users\Caleb\Desktop\Random Pictures
    2016-06-03 21:19 - 2016-05-03 12:26 - 00000000 ___RD C:\Users\Caleb\Desktop\Anti Virus and Registry cleaner
    2016-06-03 21:18 - 2016-05-03 12:26 - 00000000 ___RD C:\Users\Caleb\Desktop\Random notes
    2016-06-01 17:05 - 2015-04-21 18:57 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\BitTorrent
    2016-06-01 17:04 - 2016-01-31 21:54 - 00000000 ____D C:\WINDOWS\Minidump
    2016-05-27 13:16 - 2016-01-20 20:03 - 00000000 ____D C:\Users\Caleb\AppData\Local\Spotify
    2016-05-27 13:14 - 2016-01-20 19:56 - 00000000 ____D C:\Users\Caleb\AppData\Roaming\Spotify
    2016-05-25 19:01 - 2015-06-30 04:11 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2016-05-25 11:46 - 2016-05-14 11:44 - 00005672 _____ C:\Users\Caleb\AppData\Roaming\1.txt
    2016-05-25 01:22 - 2015-08-18 20:35 - 00000021 _____ C:\Users\Caleb\AppData\Roaming\zxc.bat
    2016-05-23 18:00 - 2016-04-01 20:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClipGrab
    2016-05-23 18:00 - 2016-04-01 20:52 - 00000000 ____D C:\Program Files (x86)\ClipGrab

    ==================== Files in the root of some directories =======

    2016-05-14 11:44 - 2016-05-25 11:46 - 0005672 _____ () C:\Users\Caleb\AppData\Roaming\1.txt
    2015-09-04 00:02 - 2015-09-04 00:03 - 0186318 _____ () C:\Users\Caleb\AppData\Roaming\1.zip
    2015-09-04 00:02 - 2016-04-28 18:15 - 0000035 _____ () C:\Users\Caleb\AppData\Roaming\2.txt
    2015-05-28 15:39 - 2015-05-28 15:39 - 0535758 _____ () C:\Users\Caleb\AppData\Roaming\browsers.exe
    2015-08-29 08:56 - 2015-08-29 08:56 - 0879616 _____ () C:\Users\Caleb\AppData\Roaming\keys.exe
    2016-04-27 17:04 - 2016-04-28 18:16 - 0006505 _____ () C:\Users\Caleb\AppData\Roaming\pass123231words.txt
    2016-03-29 22:38 - 2016-04-28 18:16 - 0005242 _____ () C:\Users\Caleb\AppData\Roaming\passichrom.txt
    2015-03-20 17:50 - 2016-06-21 17:40 - 0000075 _____ () C:\Users\Caleb\AppData\Roaming\sp_data.sys
    2015-08-18 20:35 - 2016-05-25 01:22 - 0000021 _____ () C:\Users\Caleb\AppData\Roaming\zxc.bat
    2016-04-05 18:19 - 2016-04-05 18:19 - 0000000 _____ () C:\Users\Caleb\AppData\Local\{3D43062E-F32D-40A8-8692-57867DD1DC68}
    2015-12-21 13:46 - 2015-12-21 13:46 - 0000000 _____ () C:\Users\Caleb\AppData\Local\{D79DD814-D638-447E-AFB8-7F950653B791}
    2016-01-25 08:02 - 2016-01-25 08:02 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
    2013-12-13 13:04 - 2012-09-07 21:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
    2013-12-13 13:04 - 2009-07-22 20:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
    2013-12-13 13:04 - 2012-09-07 21:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS

    Files to move or delete:
    ====================
    C:\Users\Caleb\updt.cmd
    C:\Users\Caleb\wrar.exe


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\wininit.exe => File is digitally signed
    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-06-15 17:14

    ==================== End of FRST.txt ============================


    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2016-06-21 18:09:28
    -----------------------------
    18:09:28.402 OS Version: Windows x64 6.2.9200
    18:09:28.402 Number of processors: 4 586 0x4501
    18:09:28.403 ComputerName: CAZTOP UserName: Caleb
    18:09:29.108 Initialize success
    18:09:29.147 VM: initialized successfully
    18:09:29.148 VM: Intel CPU supported
    18:09:35.729 VM: disk I/O iaStorA.sys
    18:15:43.420 AVAST engine defs: 16062002
    18:17:13.927 The log file has been saved successfully to "C:\Users\Caleb\Desktop\aswMBR.txt"
    Last edited by tashi; 2016-06-21 at 17:36. Reason: Copy pasted logs into topic, as per FAQ. :-)
