comp reinstalls with infection, windows cant update, dns changes


  • This topic is locked
18 replies to this topic

#1 kistonw (Banned, 49 posts)

Posted 10 April 2016 - 01:11 PM

In the past this has been my only working PC, so it was either go days without being able to use the comp, or try to fix it myself. I have a 2nd PC I can use till I can shed some light on this. I have a Windows 10 USB stick from the store; using it to boot and reinstall Windows still ends up with the same problems. Virus scanners find nothing, except RogueKiller, which finds my altered DNS setting. I've formatted and reinstalled multiple times and can't update Windows. The comp's been in safe mode almost since the second the install was finished; it's the only way to have some sense of control. I haven't tried updating Windows since this format go-around and would prefer to just sit in safe mode till I can get help.

 

FRST LOG

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by kiston (administrator) on TRASHMACHINE (10-04-2016 11:08:31)
Running from C:\Users\kiston\Desktop
Loaded Profiles: kiston & user (Available Profiles: kiston & user)
Platform: Windows 10 Home (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Reason Software Company Inc.) C:\Program Files\Reason\Security\rsUI.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
() C:\Users\kiston\Desktop\RogueKiller.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

BootExecute: autocheck autochk /r \??\C:autocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 127.0.0.1 localhost
Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2
Tcpip\..\Interfaces\{531cb7a8-5bd3-414e-9f08-2a6391bff998}: [NameServer] 208.67.222.222,208.67.220.220
Tcpip\..\Interfaces\{531cb7a8-5bd3-414e-9f08-2a6391bff998}: [DhcpNameServer] 71.10.216.1 71.10.216.2

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-1323568086-1110516886-4081173146-1002 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [10900888 2016-01-06] (Emsisoft Ltd)
S2 MBAMService; \ [0 ] () <==== ATTENTION (zero byte File/Folder)
S2 rsEngineSvc; C:\Program Files\Reason\Security\rsEngineSvc.exe [80144 2015-08-12] (Reason Software Company Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [362928 2015-07-10] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-07-10] (Microsoft Corporation)
S4 Browser; %SystemRoot%\System32\browser.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWT6.sys [102912 2016-04-06] (Advanced Micro Devices)
S1 epp; C:\EEK\bin64\epp.sys [124080 2016-02-11] (Emsisoft Ltd)
S3 MBAMProtector; \??\C:\Windows\SysWOW64\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
S3 MWAC; \??\C:\Windows\SysWOW64\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [587264 2015-07-10] (Realtek                                            )
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-04-10] ()
S3 UdeCx; C:\Windows\System32\drivers\udecx.sys [44032 2015-07-10] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-07-10] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [291680 2015-07-10] (Microsoft Corporation)
S2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119648 2015-07-10] (Microsoft Corporation)
U3 aswMBR; C:\Users\kiston\AppData\Local\Temp\aswMBR.sys [62728 2016-04-10] () [File not signed]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-10 10:54 - 2016-04-10 10:54 - 00016148 _____ C:\Windows\system32\TRASHMACHINE_kiston_HistoryPrediction.bin
2016-04-10 10:33 - 2016-04-10 10:33 - 00000937 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2016-04-10 10:33 - 2016-04-10 10:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2016-04-10 10:32 - 2016-04-10 10:54 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2016-04-10 10:30 - 2016-04-10 10:30 - 00002431 _____ C:\Users\kiston\Desktop\aswMBR.txt
2016-04-10 10:30 - 2016-04-10 10:30 - 00000512 _____ C:\Users\kiston\Desktop\MBR.dat
2016-04-10 08:12 - 2016-04-10 10:32 - 212514840 _____ (Emsisoft Ltd. ) C:\Users\kiston\Desktop\EmsisoftAntiMalwareSetup_bc.exe
2016-04-10 08:12 - 2016-04-10 08:12 - 05198336 _____ (AVAST Software) C:\Users\kiston\Desktop\aswMBR.exe
2016-04-10 04:11 - 2016-04-10 04:11 - 00000416 _____ C:\Windows\Tasks\ReasonSecurityScheduledScan.job
2016-04-10 04:10 - 2016-04-10 07:41 - 00000956 _____ C:\Users\Public\Desktop\Reason Core Security.lnk
2016-04-10 04:10 - 2016-04-10 04:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reason Core Security
2016-04-10 04:10 - 2016-04-10 04:10 - 00000000 ____D C:\Program Files\Reason
2016-04-10 04:05 - 2016-04-10 04:05 - 00026389 _____ C:\Users\kiston\Desktop\Shortcut.txt
2016-04-10 02:36 - 2016-04-10 02:52 - 00433338 _____ C:\TDSSKiller.3.1.0.9_10.04.2016_02.36.57_log.txt
2016-04-10 02:24 - 2016-04-10 10:54 - 00000000 ____D C:\EEK
2016-04-10 01:24 - 2016-04-10 01:25 - 00221884 _____ C:\TDSSKiller.3.1.0.9_10.04.2016_01.24.05_log.txt
2016-04-10 00:23 - 2016-04-10 01:48 - 00830266 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-04-10 00:09 - 2016-04-10 00:09 - 00000207 _____ C:\Windows\tweaking.com-regbackup-TRASHMACHINE-Windows-10-Home-(64-bit).dat
2016-04-10 00:09 - 2016-04-10 00:09 - 00000000 ____D C:\RegBackup
2016-04-09 23:53 - 2016-04-09 23:53 - 00002236 _____ C:\Users\kiston\Desktop\Tweaking.com - Windows Repair.lnk
2016-04-09 23:53 - 2016-04-09 23:53 - 00000574 _____ C:\Windows\Tasks\Tweaking.com - Windows Repair Tray Icon.job
2016-04-09 23:52 - 2016-04-09 23:53 - 00186956 _____ C:\Windows\Tweaking.com - Windows Repair Setup Log.txt
2016-04-09 22:46 - 2016-04-09 23:53 - 00000000 ____D C:\Users\kiston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2016-04-09 22:46 - 2016-04-09 23:53 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2016-04-09 22:46 - 2016-04-09 22:46 - 00002327 _____ C:\Users\kiston\Desktop\Tweaking.com - Technicians Toolbox.lnk
2016-04-09 22:44 - 2016-04-10 07:46 - 00000896 _____ C:\Users\kiston\Desktop\MTB.txt
2016-04-09 22:43 - 2016-04-10 02:24 - 227630056 _____ C:\Users\kiston\Desktop\EmsisoftEmergencyKit.exe
2016-04-09 22:43 - 2016-04-09 22:44 - 00891392 _____ (Farbar) C:\Users\kiston\Desktop\MiniToolBox.exe
2016-04-09 22:42 - 2016-04-09 22:46 - 00018585 _____ C:\Windows\Tweaking.com - Technicians Toolbox Setup Log.txt
2016-04-09 22:41 - 2016-04-09 23:52 - 21080792 _____ (Tweaking.com) C:\Users\kiston\Desktop\tweaking.com_windows_repair_aio_setup.exe
2016-04-09 22:41 - 2016-04-09 22:42 - 06373968 _____ (Tweaking.com) C:\Users\kiston\Desktop\tweaking.com_technicians_toolbox_setup.exe
2016-04-09 22:23 - 2016-04-10 08:26 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-04-09 22:19 - 2016-04-09 22:21 - 00503424 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_22.19.11_log.txt
2016-04-09 22:13 - 2016-04-09 22:17 - 00004332 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_22.13.39_log.txt
2016-04-09 22:13 - 2016-04-09 22:13 - 00000490 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_22.13.36_log.txt
2016-04-09 22:13 - 2016-04-09 22:13 - 00000000 ____D C:\ProgramData\RogueKiller
2016-04-09 22:12 - 2016-04-09 22:13 - 00221680 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_22.12.10_log.txt
2016-04-09 20:33 - 2016-04-09 22:11 - 00438756 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_20.33.54_log.txt
2016-04-09 20:30 - 2016-04-10 11:08 - 00006075 _____ C:\Users\kiston\Desktop\FRST.txt
2016-04-09 20:30 - 2016-04-10 11:08 - 00000000 ____D C:\FRST
2016-04-09 20:30 - 2016-04-10 10:55 - 00016886 _____ C:\Users\kiston\Desktop\Addition.txt
2016-04-09 20:29 - 2016-04-09 22:13 - 19765320 _____ C:\Users\kiston\Desktop\RogueKiller.exe
2016-04-09 20:28 - 2016-04-09 20:30 - 02374144 _____ (Farbar) C:\Users\kiston\Desktop\FRST64.exe
2016-04-09 20:22 - 2016-04-10 04:10 - 04257344 _____ (Reason Software Company Inc.) C:\Users\kiston\Desktop\reason-core-security-setup.exe
2016-04-09 14:20 - 2016-04-10 07:46 - 00002896 _____ C:\Users\kiston\Desktop\Rkill.txt
2016-04-09 14:20 - 2016-04-09 20:33 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\kiston\Desktop\iexplore.exe
2016-04-09 14:20 - 2016-04-09 14:20 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\kiston\Desktop\asfd.exe
2016-04-09 14:05 - 2016-04-09 14:13 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-04-09 14:04 - 2016-04-09 14:13 - 00000000 ____D C:\Users\kiston\Desktop\mbar
2016-04-09 11:29 - 2016-04-09 11:29 - 06850588 _____ C:\Users\kiston\Desktop\mbam-chameleon-3.1.29.0.zip
2016-04-09 11:28 - 2016-04-09 14:04 - 16563352 _____ (Malwarebytes Corp.) C:\Users\kiston\Desktop\mbar-1.09.3.1001.exe
2016-04-09 11:27 - 2016-04-10 08:04 - 00000556 _____ C:\Users\kiston\Desktop\JRT.txt
2016-04-09 11:27 - 2016-04-10 02:21 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-09 11:27 - 2016-04-09 11:27 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-04-09 11:26 - 2016-04-09 11:26 - 01610352 _____ (Malwarebytes) C:\Users\kiston\Desktop\JRT.exe
2016-04-09 11:25 - 2016-04-09 11:27 - 22851472 _____ (Malwarebytes ) C:\Users\kiston\Desktop\mbam-setup-2.2.1.1043.exe
2016-04-09 11:21 - 2016-04-09 11:21 - 00016148 _____ C:\Windows\system32\TRASHMACHINE_user_HistoryPrediction.bin
2016-04-08 21:27 - 2016-04-08 21:27 - 00000000 ____D C:\Users\kiston\Documents\League of Legends
2016-04-08 20:47 - 2016-04-08 20:49 - 00000000 ____D C:\Users\kiston\AppData\Local\Comms
2016-04-08 20:41 - 2016-04-08 20:41 - 00000000 ____D C:\Users\kiston\AppData\Roaming\LolClient
2016-04-08 19:32 - 2016-04-08 19:32 - 00000000 ____D C:\ProgramData\Riot Games
2016-04-08 19:31 - 2016-04-08 19:31 - 00001585 _____ C:\Users\Public\Desktop\League of Legends.lnk
2016-04-08 19:31 - 2016-04-08 19:31 - 00000000 ____D C:\Riot Games
2016-04-08 19:31 - 2016-04-08 19:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\League of Legends
2016-04-08 19:28 - 2016-04-08 19:28 - 00000000 ____D C:\Users\kiston\AppData\Roaming\Macromedia
2016-04-08 19:21 - 2016-04-08 19:31 - 00000000 ____D C:\Users\kiston\AppData\Roaming\Riot Games
2016-04-08 19:19 - 2016-04-08 19:19 - 27864920 _____ (Riot Games) C:\Users\kiston\Downloads\LeagueofLegends_NA_Installer_9_15_2014.exe
2016-04-08 19:08 - 2016-04-10 02:20 - 00000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2016-04-08 19:06 - 2016-04-08 19:06 - 00000000 ____D C:\Windows\pss
2016-04-08 18:27 - 2016-04-08 18:28 - 124766480 _____ (Microsoft Corporation) C:\Users\kiston\Downloads\msert.exe
2016-04-08 18:20 - 2016-04-08 18:20 - 143659408 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-04-08 18:17 - 2016-04-08 18:20 - 55550688 _____ (Microsoft Corporation) C:\Users\kiston\Downloads\Windows-KB890830-x64-V5.34.exe
2016-04-08 18:06 - 2016-04-08 18:06 - 00000000 ____D C:\Users\kiston\AppData\Local\MicrosoftEdge
2016-04-08 18:02 - 2016-04-08 18:02 - 00016148 _____ C:\Windows\system32\DESKTOP-L0NOFG7_kiston_HistoryPrediction.bin
2016-04-08 17:47 - 2016-04-08 17:47 - 00016148 _____ C:\Windows\system32\DESKTOP-L0NOFG7_user_HistoryPrediction.bin
2016-04-08 17:47 - 2016-04-08 17:47 - 00000000 ____D C:\Users\kiston\AppData\Roaming\ATI
2016-04-08 17:47 - 2016-04-08 17:47 - 00000000 ____D C:\Users\kiston\AppData\Local\ATI
2016-04-08 17:47 - 2016-04-08 17:47 - 00000000 ____D C:\Users\kiston\AppData\Local\AMD
2016-04-08 17:46 - 2016-04-08 17:46 - 00000000 _____ C:\Recovery.txt
2016-04-08 17:43 - 2016-04-08 17:43 - 00002364 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-04-08 17:43 - 2016-04-08 17:43 - 00000000 ___RD C:\Users\user\OneDrive
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Roaming\ATI
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Roaming\Adobe
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Local\VirtualStore
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Local\Packages
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Local\ATI
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Local\AMD
2016-04-08 17:41 - 2016-04-08 17:41 - 00000020 ___SH C:\Users\user\ntuser.ini
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 _SHDL C:\Users\user\My Documents
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 _SHDL C:\Users\user\Documents\My Videos
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 _SHDL C:\Users\user\Documents\My Pictures
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 _SHDL C:\Users\user\Documents\My Music
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 ____D C:\Users\user\AppData\Local\TileDataLayer
2016-04-08 17:33 - 2016-04-10 02:22 - 00000000 ____D C:\ProgramData\AMD
2016-04-08 17:32 - 2016-04-08 17:32 - 00000000 ____D C:\Program Files\Common Files\ATI Technologies
2016-04-08 17:32 - 2016-04-08 17:32 - 00000000 ____D C:\Program Files\AMD
2016-04-08 17:32 - 2016-04-08 17:32 - 00000000 ____D C:\AMD
2016-04-08 17:32 - 2015-12-08 20:39 - 00301728 _____ (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 47794160 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 39720944 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 30775792 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atio6axx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 27544560 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl12cl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 25320432 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 22327280 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl12cl.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 15725552 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticaldd64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 14310896 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 10211016 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 09355016 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdxc64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 08982432 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd6a.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 08864920 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 08009360 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdva.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 07683096 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdxc32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 07482560 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdag.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 06686192 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmantle64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 05216240 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmantle32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 03471376 _____ C:\Windows\SysWOW64\atiumdva.cap
2016-04-08 17:31 - 2016-04-08 17:31 - 03437632 _____ C:\Windows\system32\atiumd6a.cap
2016-04-08 17:31 - 2016-04-08 17:31 - 01256432 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiadlxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 01223544 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 01196032 _____ C:\Windows\system32\amdocl_as64.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 01070592 _____ C:\Windows\system32\amdocl_ld64.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 01004032 _____ C:\Windows\SysWOW64\amdocl_as32.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00935408 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00935408 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00874480 _____ (AMD) C:\Windows\system32\coinst_15.20.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00833800 _____ C:\Windows\system32\amdicdxx.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00807424 _____ C:\Windows\SysWOW64\amdocl_ld32.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00737410 _____ C:\Windows\system32\atiicdxx.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00683504 _____ (AMD) C:\Windows\system32\atieclxx.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00662400 _____ C:\Windows\SysWOW64\atiapfxx.blb
2016-04-08 17:31 - 2016-04-08 17:31 - 00662400 _____ C:\Windows\system32\atiapfxx.blb
2016-04-08 17:31 - 2016-04-08 17:31 - 00631792 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdlvr64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00524272 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdlvr32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00471320 _____ C:\Windows\system32\amdmiracast.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00451056 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atidemgy.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00375792 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiapfxx.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00341488 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIODE.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00322868 _____ C:\Windows\system32\ativvaxy_vi.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00321200 _____ C:\Windows\system32\ativvaxy_vi_nd.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00255808 _____ C:\Windows\system32\ativvaxy_cz_nd.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00255472 _____ (AMD) C:\Windows\system32\atiesrxx.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00250884 _____ C:\Windows\system32\ativvaxy_FJ.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00249088 _____ C:\Windows\system32\ativvaxy_FJ_nd.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00243696 _____ C:\Windows\system32\clinfo.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00234420 _____ C:\Windows\system32\ativvaxy_cik.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00232752 _____ C:\Windows\system32\ativvaxy_cik_nd.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00213488 _____ C:\Windows\system32\amdgfxinfo64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00199664 _____ (AMD) C:\Windows\system32\atitmm64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00198640 _____ C:\Windows\SysWOW64\amdgfxinfo32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00177344 _____ C:\Windows\system32\ativce03.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00175648 _____ C:\Windows\system32\amde31a.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00168944 _____ C:\Windows\system32\atieah64.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00165360 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6txx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00152560 _____ C:\Windows\SysWOW64\atieah32.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00150512 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00143344 _____ C:\Windows\system32\amdhdl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00143056 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiuxpag.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00136176 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantle64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00132080 _____ C:\Windows\SysWOW64\amdhdl32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00130064 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiu9p64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00122352 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantle32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00112360 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiu9pag.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00111600 _____ C:\Windows\system32\hsa-thunk64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00111088 _____ C:\Windows\SysWOW64\hsa-thunk.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00103408 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantleaxl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00100816 _____ C:\Windows\system32\ativce02.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00096752 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantleaxl32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00088000 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atimpc64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00088000 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdpcom64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00083952 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6pxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00081160 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00081160 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00078320 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00078320 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiglpxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00073712 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00071152 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalrt64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00068080 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00064496 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalcl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00060912 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00059888 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIODCLI.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00059376 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmmcl6.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00057840 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00052208 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\ati2erec.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00048112 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmmcl.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00038384 _____ (AMD) C:\Windows\system32\atimuixx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00012784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\detoured.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00012784 _____ (Microsoft Corporation) C:\Windows\system32\detoured.dll
2016-04-08 17:30 - 2016-04-10 02:23 - 00000000 ____D C:\Users\kiston\AppData\Local\ElevatedDiagnostics
2016-04-08 17:14 - 2016-04-08 17:14 - 00002341 _____ C:\Users\kiston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-04-08 17:14 - 2016-04-08 17:14 - 00000000 ___RD C:\Users\kiston\OneDrive
2016-04-08 17:13 - 2016-04-08 17:13 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2016-04-08 17:12 - 2016-04-08 17:12 - 00000000 ____D C:\Users\kiston\AppData\Local\Publishers
2016-04-08 17:11 - 2016-04-10 00:34 - 00000000 ____D C:\Users\kiston\AppData\Local\Packages
2016-04-08 17:11 - 2016-04-08 17:43 - 00000000 ____D C:\Users\kiston
2016-04-08 17:11 - 2016-04-08 17:42 - 00000000 ___RD C:\Users\Public\AccountPictures
2016-04-08 17:11 - 2016-04-08 17:11 - 00016148 _____ C:\Windows\system32\DESKTOP-L0NOFG7_defaultuser0_HistoryPrediction.bin
2016-04-08 17:11 - 2016-04-08 17:11 - 00000020 ___SH C:\Users\kiston\ntuser.ini
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 _SHDL C:\Users\kiston\My Documents
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 _SHDL C:\Users\kiston\Documents\My Videos
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 _SHDL C:\Users\kiston\Documents\My Pictures
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 _SHDL C:\Users\kiston\Documents\My Music
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 ____D C:\Users\kiston\AppData\Roaming\Adobe
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 ____D C:\Users\kiston\AppData\Local\VirtualStore
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 ____D C:\Users\kiston\AppData\Local\TileDataLayer
2016-04-08 16:58 - 2016-04-10 02:16 - 00830266 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-08 16:56 - 2015-07-10 03:59 - 02718208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2016-04-08 16:55 - 2016-04-08 19:09 - 00000000 ____D C:\ProgramData\USOShared
2016-04-08 16:54 - 2016-04-09 11:17 - 00000006 _____ C:\Windows\Tasks\SA.DAT
2016-04-08 16:54 - 2016-04-08 16:54 - 00279456 _____ C:\Windows\Minidump\040816-35921-01.dmp
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Public\Documents\My Videos
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Public\Documents\My Pictures
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Public\Documents\My Music
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default\My Documents
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default\Documents\My Videos
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default\Documents\My Pictures
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default\Documents\My Music
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default User\Documents\My Videos
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default User\Documents\My Pictures
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default User\Documents\My Music
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default User
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\All Users
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Documents and Settings
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 ____D C:\Windows\Minidump
2016-04-08 16:53 - 2016-04-08 16:53 - 281350174 _____ C:\Windows\MEMORY.DMP
2016-04-08 16:50 - 2016-04-08 16:50 - 00000000 _____ C:\Windows\ativpsrm.bin
2016-04-08 16:48 - 2016-04-08 16:48 - 00000000 ____D C:\Windows\ServiceProfiles
2016-04-08 16:48 - 2016-04-08 16:48 - 00000000 _____ C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2016-04-08 16:47 - 2016-04-10 02:12 - 00189240 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-08 13:41 - 2016-04-08 17:11 - 00000000 ___DC C:\Windows\Panther
2016-04-08 13:41 - 2016-04-08 13:41 - 00008192 _____ C:\Windows\system32\config\userdiff
2016-04-08 13:41 - 2016-04-08 13:41 - 00000000 ____D C:\Windows\InfusedApps
2016-04-08 13:41 - 2016-04-08 13:41 - 00000000 ____D C:\Windows.old
2016-04-08 13:40 - 2016-04-08 13:40 - 00000000 ____D C:\Windows\Setup
2016-04-08 13:40 - 2016-04-08 13:40 - 00000000 ____D C:\Windows\OCR
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\winrm
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\WCN
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\sysprep
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\slmgr
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\0409
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\winrm
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\WCN
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\slmgr
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\Printing_Admin_Scripts
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\0409
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\DigitalLocker
2016-04-08 13:36 - 2015-07-10 04:01 - 00792568 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-04-08 13:36 - 2015-07-10 04:01 - 00178168 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-04-08 13:35 - 2016-04-10 02:04 - 00000000 ____D C:\Windows\AppReadiness
2016-04-08 13:35 - 2016-04-10 00:33 - 00000000 ___RD C:\Windows\DevicesFlow
2016-04-08 13:35 - 2016-04-10 00:28 - 00000855 _____ C:\Windows\system32\Drivers\etc\hosts_bak_225
2016-04-08 13:35 - 2016-04-10 00:11 - 00000768 _____ C:\Windows\system32\Drivers\etc\hosts_bak_712
2016-04-08 13:35 - 2016-04-09 10:09 - 00000000 ____D C:\Windows\appcompat
2016-04-08 13:35 - 2016-04-08 18:59 - 00000000 ____D C:\Windows\system32\NDF
2016-04-08 13:35 - 2016-04-08 17:46 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-04-08 13:35 - 2016-04-08 17:39 - 00000000 ____D C:\Windows\system32\spool
2016-04-08 13:35 - 2016-04-08 17:39 - 00000000 ____D C:\Windows\system32\setup
2016-04-08 13:35 - 2016-04-08 17:39 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-04-08 13:35 - 2016-04-08 17:12 - 00000000 ___RD C:\Windows\PurchaseDialog
2016-04-08 13:35 - 2016-04-08 17:12 - 00000000 ___RD C:\Windows\PrintDialog
2016-04-08 13:35 - 2016-04-08 17:12 - 00000000 ___RD C:\Windows\MiracastView
2016-04-08 13:35 - 2016-04-08 17:12 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2016-04-08 13:35 - 2016-04-08 16:56 - 00000000 ____D C:\Windows\rescache
2016-04-08 13:35 - 2016-04-08 16:55 - 00000000 ____D C:\ProgramData\USOPrivate
2016-04-08 13:35 - 2016-04-08 16:51 - 00000000 ____D C:\Windows\system32\Sysprep
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ___SD C:\Windows\SysWOW64\F12
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ___SD C:\Windows\SysWOW64\DiagSvcs
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ___SD C:\Windows\system32\F12
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ___SD C:\Windows\system32\dsc
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ___SD C:\Windows\system32\DiagSvcs
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\setup
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\oobe
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\MUI
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\Dism
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\Com
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\WinBioPlugIns
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\SystemResetPlatform
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\oobe
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\MUI
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\migwiz
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\Dism
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\Com
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\IME
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\Help
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files\Windows Journal
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files\Windows Defender
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files\Common Files\System
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 __SHD C:\Program Files\Windows Sidebar
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 __SHD C:\Program Files (x86)\Windows Sidebar
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 __RSD C:\Windows\Media
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\SysWOW64\Nui
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\SysWOW64\Configuration
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\system32\Nui
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\system32\Configuration
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\Downloaded Program Files
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___RD C:\Windows\Offline Web Pages
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___RD C:\Windows\DesktopTileResources
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___RD C:\Users\Public\Libraries
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Web
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Vss
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\tracing
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\TAPI
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\WinMetadata
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\SMI
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\ras
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\NDF
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\MsDtc
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\Ipmi
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\InputMethod
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\IME
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\icsxml
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicyUsers
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\downlevel
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\Bthprops
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\AppLocker
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SystemResources
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SystemApps
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\WinMetadata
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\winevt
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\WinBioDatabase
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\SecureBootUpdates
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\ras
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\ProximityToast
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\PointOfService
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\MsDtc
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\MailContactsCalendarSync
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\Macromed
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\Ipmi
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\InputMethod
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\inetsrv
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\IME
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\icsxml
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\ias
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\downlevel
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\config\Journal
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\Bthprops
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\appraiser
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\AppLocker
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\AdvancedInstallers
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\System
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SKB
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\ShellNew
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\security
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\schemas
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SchCache
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Resources
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Registration
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Provisioning
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\PLA
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Performance
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\ModemLogs
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\LiveKernelReports
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\L2Schemas
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\InputMethod
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Globalization
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\ELAMBKUP
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Cursors
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Branding
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\ProgramData\Comms
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files\Windows Portable Devices
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files\Windows NT
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files\Windows Multimedia Platform
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files\Common Files\Services
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files (x86)\Windows NT
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files (x86)\Windows Multimedia Platform
2016-04-08 13:35 - 2016-04-08 13:32 - 00229888 _____ (Microsoft Corporation) C:\Windows\system32\msclmd.dll
2016-04-08 13:35 - 2016-04-08 13:32 - 00215943 _____ C:\Windows\SysWOW64\dssec.dat
2016-04-08 13:35 - 2016-04-08 13:32 - 00215943 _____ C:\Windows\system32\dssec.dat
2016-04-08 13:35 - 2016-04-08 13:32 - 00208384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2016-04-08 13:35 - 2016-04-08 13:32 - 00017463 _____ C:\Windows\system32\Drivers\etc\services
2016-04-08 13:35 - 2016-04-08 13:32 - 00015462 _____ C:\Windows\system32\OEMDefaultAssociations.xml
2016-04-08 13:35 - 2016-04-08 13:32 - 00008798 _____ C:\Windows\SysWOW64\icrav03.rat
2016-04-08 13:35 - 2016-04-08 13:32 - 00008798 _____ C:\Windows\system32\icrav03.rat
2016-04-08 13:35 - 2016-04-08 13:32 - 00003683 _____ C:\Windows\system32\Drivers\etc\lmhosts.sam
2016-04-08 13:35 - 2016-04-08 13:32 - 00001988 _____ C:\Windows\SysWOW64\ticrf.rat
2016-04-08 13:35 - 2016-04-08 13:32 - 00001988 _____ C:\Windows\system32\ticrf.rat
2016-04-08 13:35 - 2016-04-08 13:32 - 00001358 _____ C:\Windows\system32\Drivers\etc\protocol
2016-04-08 13:35 - 2016-04-08 13:32 - 00000858 _____ C:\Windows\system32\DefaultQuestions.json
2016-04-08 13:35 - 2016-04-08 13:32 - 00000741 _____ C:\Windows\SysWOW64\NOISE.DAT
2016-04-08 13:35 - 2016-04-08 13:32 - 00000741 _____ C:\Windows\system32\NOISE.DAT
2016-04-08 13:35 - 2016-04-08 13:32 - 00000407 _____ C:\Windows\system32\Drivers\etc\networks
2016-04-08 13:35 - 2016-04-08 13:32 - 00000389 _____ C:\Windows\system32\AutoWorkplace.exe.config
2016-04-08 13:35 - 2016-04-08 13:32 - 00000219 _____ C:\Windows\system.ini
2016-04-08 13:35 - 2016-04-08 13:32 - 00000092 _____ C:\Windows\win.ini
2016-04-08 13:33 - 2016-04-10 02:16 - 00000000 ____D C:\Windows\INF
2016-04-08 13:28 - 2016-04-10 02:04 - 00000000 ____D C:\Windows\CbsTemp
2016-04-08 13:23 - 2016-04-10 02:12 - 00131072 ___SH C:\Windows\system32\config\BBI
2016-04-08 13:23 - 2016-04-08 16:54 - 00032768 ___SH C:\Windows\system32\config\ELAM
2016-04-08 13:23 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\servicing
2016-04-08 13:23 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\SMI
2016-04-08 13:23 - 2015-07-10 02:11 - 00000164 _____ C:\Windows\system32\config\FP
2016-04-08 13:02 - 2016-04-08 17:46 - 00000000 ____D C:\$SysReset
2016-04-06 05:09 - 2016-04-06 05:09 - 00103424 _____ (Advanced Micro Devices) C:\Windows\system32\DelayAPO.dll
2016-04-06 05:09 - 2016-04-06 05:09 - 00102912 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\AtihdWT6.sys
2016-04-06 05:04 - 2016-04-08 17:31 - 21648880 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmdag.sys
2016-04-06 05:04 - 2016-04-08 17:31 - 12088000 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atidxx64.dll
2016-04-06 05:04 - 2016-04-08 17:31 - 01479808 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\aticfx64.dll
2016-04-06 05:04 - 2016-04-08 17:31 - 00674288 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmpag.sys
2016-04-06 05:04 - 2016-04-08 17:31 - 00162232 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiuxp64.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 01978240 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdmv.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 01065720 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd6v.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00442368 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIDEMGX.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00204952 _____ C:\Windows\SysWOW64\ativvsvl.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00204952 _____ C:\Windows\system32\ativvsvl.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00157144 _____ C:\Windows\SysWOW64\ativvsva.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00157144 _____ C:\Windows\system32\ativvsva.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00118784 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atibtmon.exe
2016-04-06 05:04 - 2016-04-06 05:04 - 00059392 _____ (ATI Technologies, Inc.) C:\Windows\system32\atiedu64.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00053248 _____ C:\Windows\system32\amdverag.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00043520 _____ (ATI Technologies, Inc.) C:\Windows\SysWOW64\ati2edxx.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00038177 _____ C:\Windows\atiogl.xml
2016-04-06 05:04 - 2016-04-06 05:04 - 00026936 _____ C:\Windows\SysWOW64\ativvsnl.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00026936 _____ C:\Windows\system32\ativvsnl.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00003917 _____ C:\Windows\SysWOW64\atipblag.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00003917 _____ C:\Windows\system32\atipblag.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00000025 _____ C:\Windows\SysWOW64\ativvsny.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00000025 _____ C:\Windows\system32\ativvsny.dat

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

Some files in TEMP:
====================
C:\Users\kiston\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-04-08 16:47

==================== End of FRST.txt ============================



#2 nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:30 PM

Posted 11 April 2016 - 09:06 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
S2 MBAMService; \ [0 ] () <==== ATTENTION (zero byte File/Folder)
S4 Browser; %SystemRoot%\System32\browser.dll [X]
S3 MBAMProtector; \??\C:\Windows\SysWOW64\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
S3 MWAC; \??\C:\Windows\SysWOW64\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

===

I need to review the Addition.txt file that was created by the Farbar tool.

Please post the contents with your next reply.

Please let me know what problem persists with this computer.

#3 kistonw

  • Topic Starter

  • Banned
  • 49 posts
  • Local time:11:30 PM

Posted 11 April 2016 - 09:30 AM

Hello sir. First off, thanks for your time. I'm going to run the fix in safe mode, then boot into normal mode. Or should I boot into normal mode --> restart after the fix?

 

I thought I replied to this almost instantly but I replied to the email and not the thread >.<



#4 nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:30 PM

Posted 11 April 2016 - 09:33 AM

Best to do it in Normal Mode if you can.

#5 kistonw

  • Topic Starter

  • Banned
  • 49 posts
  • Local time:11:30 PM

Posted 11 April 2016 - 09:55 AM

After all that, it didn't post? OK, sorry if unclear, but I'm just going to cut to the chase for us both. This is new Addition text, not the one I forgot to post earlier, so this one is from now. After clicking Update and Security in Settings, the window just closes.
 
fixlog =
Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by kiston (2016-04-11 07:38:16) Run:1
Running from C:\Users\kiston\Desktop
Loaded Profiles: kiston (Available Profiles: kiston & user)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
S2 MBAMService; \ [0 ] () <==== ATTENTION (zero byte File/Folder)
S4 Browser; %SystemRoot%\System32\browser.dll [X]
S3 MBAMProtector; \??\C:\Windows\SysWOW64\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
S3 MWAC; \??\C:\Windows\SysWOW64\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
 
End
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
MBAMService => service removed successfully
Browser => service removed successfully
MBAMProtector => Unable to stop service.
MBAMProtector => service removed successfully
MWAC => service not found.
MBAMSwissArmy => Unable to stop service.
MBAMSwissArmy => service removed successfully
wfpcapture => service removed successfully
EmptyTemp: => 144.5 MB temporary data Removed.
 

The system needed a reboot.
 
==== End of Fixlog 07:38:36 ====


addition =
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by kiston (2016-04-11 07:49:11)
Running from C:\Users\kiston\Desktop
Windows 10 Home (X64) (2016-04-09 00:11:18)
Boot Mode: Normal
==========================================================
 

==================== Accounts: =============================
 
Administrator (S-1-5-21-1323568086-1110516886-4081173146-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1323568086-1110516886-4081173146-503 - Limited - Disabled)
Guest (S-1-5-21-1323568086-1110516886-4081173146-501 - Limited - Disabled)
kiston (S-1-5-21-1323568086-1110516886-4081173146-1001 - Administrator - Enabled) => C:\Users\kiston
user (S-1-5-21-1323568086-1110516886-4081173146-1002 - Limited - Enabled) => C:\Users\user
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 11.0 - Emsisoft Ltd.)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.13.258 - SurfRight B.V.)
League of Legends (HKLM-x32\...\League of Legends 3.0.1) (Version: 3.0.1 - Riot Games)
League of Legends (x32 Version: 3.0.1 - Riot Games) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Reason Core Security (HKLM-x32\...\Reason Core Security) (Version: 1.1.0.0 - Reason Software Company Inc.)
Tweaking.com - Technicians Toolbox (HKLM-x32\...\Tweaking.com - Technicians Toolbox) (Version: 1.2.0 - Tweaking.com)
Tweaking.com - Windows Repair (HKLM-x32\...\Tweaking.com - Windows Repair) (Version: 3.8.5 - Tweaking.com)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 

==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {63C2EB26-9F94-41AD-AC76-CAA70C2B64FC} - System32\Tasks\Microsoft\Windows\SetupSQMTask => C:\Windows\SYSTEM32\OOBE\SETUPSQM.EXE [2015-07-10] (Microsoft Corporation)
Task: {7C88636C-F65F-45D3-A8E8-AB8AFBC9C3DF} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_ERROR_HB => C:\Windows\system32\MRT.exe [2016-04-08] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
Task: C:\Windows\Tasks\ReasonSecurityScheduledScan.job => C:\Program Files\Reason\Security\rsUI.exe
Task: C:\Windows\Tasks\Tweaking.com - Windows Repair Tray Icon.job => C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)Tweaking.com - Windows Repair)Created By Tweaking.com
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-07-10 04:00 - 2015-07-10 04:00 - 00032768 _____ () C:\Windows\SYSTEM32\licensemanagerapi.dll
2015-07-10 03:59 - 2015-07-10 03:59 - 00403968 _____ () C:\Windows\System32\diagtrack_wininternal.dll
2015-07-10 04:00 - 2015-07-10 04:00 - 02498296 _____ () C:\Windows\system32\CoreUIComponents.dll
2015-07-10 04:00 - 2015-07-10 04:00 - 02498296 _____ () C:\Windows\System32\CoreUIComponents.dll
2015-07-10 03:59 - 2015-07-10 03:59 - 00429056 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2015-07-10 04:00 - 2015-07-10 06:14 - 06579712 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2015-07-10 04:00 - 2015-07-10 06:14 - 00471040 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2015-07-10 04:00 - 2015-07-10 06:14 - 02274816 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2015-07-10 04:00 - 2015-07-10 06:14 - 00210432 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.ProxyStub.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 

==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\37216004.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\37216004.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 

==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 

==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-04-08 13:35 - 2016-04-10 08:26 - 00000768 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1 localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 208.67.222.222 - 208.67.220.220
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: AMD External Events Utility => 2
MSCONFIG\Services: BthHFSrv => 3
MSCONFIG\Services: bthserv => 3
MSCONFIG\Services: CDPSvc => 3
MSCONFIG\Services: CryptSvc => 3
MSCONFIG\Services: fhsvc => 3
MSCONFIG\Services: FontCache => 2
MSCONFIG\Services: icssvc => 3
MSCONFIG\Services: IEEtwCollectorService => 3
MSCONFIG\Services: PolicyAgent => 3
MSCONFIG\Services: PrintNotify => 3
MSCONFIG\Services: RetailDemo => 3
MSCONFIG\Services: SharedAccess => 3
MSCONFIG\Services: SmsRouter => 3
MSCONFIG\Services: StorSvc => 3
MSCONFIG\Services: svsvc => 3
MSCONFIG\Services: swprv => 3
MSCONFIG\Services: TabletInputService => 3
MSCONFIG\Services: TapiSrv => 3
MSCONFIG\Services: XblAuthManager => 3
MSCONFIG\Services: XblGameSave => 3
MSCONFIG\Services: XboxNetApiSvc => 3
HKLM\...\StartupApproved\Run32: => "StartCCC"
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\...\StartupApproved\Run: => "OneDrive"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
 
==================== Restore Points =========================
 
Check "winmgmt" service or repair WMI.
 

==================== Faulty Device Manager Devices =============
 
Name: AMD High Definition Audio Device
Description: AMD High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Advanced Micro Devices
Service: AtiHDAudioService
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.
 
Name: Generic- Multi-Card USB Device
Description: Disk drive
Class Guid: {4d36e967-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard disk drives)
Service: disk
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 

==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/11/2016 07:49:33 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.
 

Operation:
   Instantiating VSS server
 
Error: (04/11/2016 07:49:33 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
]
 

Operation:
   Instantiating VSS server
 
Error: (04/11/2016 07:49:08 AM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-18T14:49:08Z. Error Code: 0x80040154.
 
Error: (04/11/2016 07:48:38 AM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-18T14:48:38Z. Error Code: 0x80040154.
 
Error: (04/11/2016 07:48:08 AM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-18T14:48:08Z. Error Code: 0x80040154.
 
Error: (04/11/2016 07:47:38 AM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-18T14:47:38Z. Error Code: 0x80040154.
 
Error: (04/11/2016 07:47:08 AM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-18T14:47:08Z. Error Code: 0x80040154.
 
Error: (04/11/2016 07:46:38 AM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-18T14:46:38Z. Error Code: 0x80040154.
 
Error: (04/11/2016 07:46:08 AM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-18T14:46:08Z. Error Code: 0x80040154.
 
Error: (04/11/2016 07:45:38 AM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-18T14:45:38Z. Error Code: 0x80040154.
 

System errors:
=============
Error: (04/11/2016 07:42:45 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Sync Host_Session1 service terminated with the following error:
%%1753
 
Error: (04/11/2016 07:42:16 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Sync Host_Session1 service terminated with the following error:
%%1753
 
Error: (04/11/2016 07:40:00 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Delivery Optimization service terminated with the following service-specific error:
%%2147942414
 
Error: (04/11/2016 07:39:49 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.
 
Error: (04/11/2016 07:39:47 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Task Scheduler service depends on the System Events Broker service which failed to start because of the following error:
%%1058
 
Error: (04/11/2016 07:38:49 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The WWAN AutoConfig service terminated with the following error:
%%997
 
Error: (04/11/2016 07:38:47 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
%%1056
 
Error: (04/11/2016 07:38:34 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Sync Host_Session1 service terminated with the following error:
%%1753
 
Error: (04/11/2016 07:38:17 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (04/11/2016 07:38:17 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly.  It has done this 1 time(s).
 

==================== Memory info ===========================
 
Processor: AMD Athlon™ II X4 645 Processor
Percentage of memory in use: 25%
Total physical RAM: 5886.05 MB
Available physical RAM: 4392.69 MB
Total Virtual: 7550.05 MB
Available Virtual: 5788.63 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.02 GB) (Free:908.95 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: EDD6888F)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

Edited by nasdaq, 12 April 2016 - 06:58 AM.


#6 nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 April 2016 - 07:00 AM

Your log is clean.

Let's have a look at this.

Check "winmgmt" service or repair WMI.

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

#7 kistonw

  • Topic Starter
  • Banned
  • 49 posts

Posted 12 April 2016 - 08:54 AM

DUDE WHAT THE bleep I just spent an hour on this goddamn reply

 

sigh

 

ok well please bear with me, consider my suspicions, but don't be afraid to tell me I'm a paranoid tripping ass and to stop bugging u, I wouldn't blame ya.

 

I believe whatever the hell I have/had for a while is/was able to inject, or infect programs I launch. It might sound far-fetched but there are sooo many inconsistencies I can't ignore.

 

over the past year certain services have acted weird, but they were Windows services so it was very hard, especially with most ppl claiming it's legit. I'd reformat, monitor the suspected service, and it would prompt me randomly when that service was modified, followed by abnormalities in my comp. Never resolved. Could be nothing, but today rpcs5, wininit, audiosrv, eventlog, wcmsvc, wrscvc, services, and lsass have opened ports, and are listening.

 

my last format go-around, a couple days ago before posting here, scanners would find viruses and infections. A lot of the time the suspected file would be a system file or service. For example, runtimebroker I observed was acting funny. Then a scan specifically found runtimebroker to be malicious. This format go-around, I've found dealply.pup as well as a couple occurrences of tr.zeus and removed them. I have the logs but I hope that doesn't affect anything you'd like to do.

 

inside a task folder for mailcalendars, I found a livedomain list with a bunnnnch of sites. Not sure if they are malicious but was hoping you could shed some light if I posted a few:

yo.willcomlive.jp
yongbongin.net
yorkmail.cuny.edu
yotes.collegeofidaho.edu
yuc.conalep.edu.mx
zbavitu.com
zbavitu.de
zbavitu.net
zbnc.edu.cn
zhertam.com
zonahiphop.cl
zonaime.com
zurna.net

 

when I got u the new Addition.txt, I noticed some files with an [X] that I believe u terminated from the first FRST log. Are these ok?

S3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [587264 2015-07-10] (Realtek                                            )
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-04-11] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-07-10] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [291680 2015-07-10] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119648 2015-07-10] (Microsoft Corporation)
S3 UdeCx; system32\drivers\udecx.sys [X]
S0 WindowsTrustedRTProxy; System32\drivers\WindowsTrustedRTProxy.sys [X]

 

also through browsing suspected files I've found text documents in like Chinese, references to sites like peter pesters I've never heard of, and what seems to be logging of possibly malicious activities. I've had this E: drive that I can't open, can't scan, can't really do bleep with, but it's always popping up... for a WHILE. Recently I found a text document that referred to it, so ima ask if u can go over a lil fraction of what's inside the text to see if it sounds out of the ordinary:

 

 

2016-04-08 12:02:48, Warning                      Failed to copying source file E:\$WINDOWS.~BT\Sources\Rollback\evtlogs\System.evtx to E:\Windows\Logs\PBR\Rollback\System.evtx. Error: 0x00000003
2016-04-08 12:02:48, Info                         Source logs dir X:\Windows\Panther\UnattendGC not present
2016-04-08 12:02:48, Info                         RjvPCopySetupLogs completed
2016-04-08 12:02:48, Info                          Sucessfully wrote to file E:\Windows\Logs\PBR\build.txt
2016-04-08 12:02:48, Info                         RjvPCopyAllLogFiles returning TRUE
2016-04-08 12:02:48, Info                         Entering RjvPCreateLogDirectory E:
2016-04-08 12:02:48, Info                         Entering RjvPCreateDirectory
2016-04-08 12:02:48, Info                         RjvPCreateDirectory returning  TRUE
2016-04-08 12:02:48, Info                         Entering RjvPCreateDirectory
2016-04-08 12:02:48, Info                         RjvPCreateDirectory returning  TRUE
2016-04-08 12:02:48, Info                         Entering RjvPCreateDirectory
2016-04-08 12:02:48, Info                         RjvPCreateDirectory returning  TRUE
2016-04-08 12:02:48, Info                         RjvPCreateLogDirectory returning  TRUE
2016-04-08 12:02:48, Info                         Set RJV_STATE member bOsDriveNotAccessible to 0, in function RjvInitializeEngine
2016-04-08 12:02:48, Info                         Trace started in file E:\$SysReset\Logs\RjvTrace_Configure.etl
2016-04-08 12:02:48, Info                         Entering RjvPLoadBitLockerComponents
 
2016-04-08 12:02:48, Info                         RjvPLoadBitLockerComponents returning TRUE
 
2016-04-08 12:02:48, Info                         Entering RjvPGetApplicationDir
2016-04-08 12:02:48, Info                         RjvPGetApplicationDir is X:\windows\system32 returning 1
2016-04-08 12:02:48, Info                         Set current app dir to X:\windows\system32
2016-04-08 12:02:48, Info                         Entering RjvPCheckIfFastApplyIsEnabled
 
2016-04-08 12:02:48, Info                         RegQueryValueEx() failed.
2016-04-08 12:02:48, Info                         RjvPCheckIfFastApplyIsEnabled returning
 
2016-04-08 12:02:48, Info                         Trace started in file E:\$SysReset\Logs\AsimovEvents.etl
2016-04-08 12:02:48, Info                         Entering RjvPIsMediaBoot
2016-04-08 12:02:48, Info                         Launch type is SystemDisk
2016-04-08 12:02:48, Info                         RjvPIsMediaBoot returning FALSE
2016-04-08 12:02:48, Info                         Wimboot not enabled on target OS

what you asked for

 

 

Farbar Service Scanner Version: 27-01-2016
Ran by kiston (administrator) on 12-04-2016 at 06:25:08
Running from "C:\Users\kiston\Desktop"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 

Windows Firewall:
=============
 
Firewall Disabled Policy:
==================
 

System Restore:
============
VSS Service is not running. Checking service configuration:
The start type of VSS service is set to Disabled. The default start type is 3.
The ImagePath of VSS service is OK.
 

System Restore Policy:
========================
 

Security Center:
============
 

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 

Windows Autoupdate Disabled Policy:
============================
 

Windows Defender:
==============
 
Other Services:
==============
 

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 

**** End of log ****
 
"Your log is clean.

Let's have a look at this.

Check "winmgmt" service or repair WMI."
 
I assumed this part was in the FSS thing but I don't know where the box to check off that setting is at? Currently Windows Update still closes at that screen. I can open Windows Defender, then open the settings to get to the tab under Windows Update, but if I click anything with update it just terminates the window. chkdsk and sfc scan recently (not since we started) always came up ok. It might not even be possible, but I'd assume the file repository that my Windows checks is corrupt.
 
HitmanPro just showed me this which I guess supports my theory that launched programs are getting infected. (early warning system / no action taken)

tweaking repair for windows:

Scoring (22.0)

Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.

Time indicates that the file appeared recently on this computer.

frst:

Scoring (24.0)

Program has no publisher information but prompts the user for permission elevation.

Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

Authors name is missing in version info. This is not common to most programs.

Version control is missing. This file is probably created by an individual. This is not typical for most programs.

Time indicates that the file appeared recently on this computer.

Forensic Cluster

-37.9s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\53BB87200FF4D7AF9FA4FF49DC45F130_B429FF96EA4461A6A4A1663501152393

-37.9s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\53BB87200FF4D7AF9FA4FF49DC45F130_B429FF96EA4461A6A4A1663501152393

-18.1s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C8F841FB02DEC8C10108028DB86A08D_22DE92DA13E2D7C26591C288BAE7E871

-18.1s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C8F841FB02DEC8C10108028DB86A08D_22DE92DA13E2D7C26591C288BAE7E871

* C:\Users\kiston\Desktop\FRST64.exe

2.1s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\69\66197CFC7104AA6D.dat

2.1s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\1\69\66197CFC7104AA6D.dat

2.1s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\1\69\

2.1s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\69\

29.3s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B604BBD3F5DA5856D362A1D94451A8C6_2A08B24C9CC562ED9F3BDB32D13FA2A0

29.3s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B604BBD3F5DA5856D362A1D94451A8C6_2A08B24C9CC562ED9F3BDB32D13FA2A0

46.2s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_5F5269AC0D922158A5B542020448A2D3

46.2s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_5F5269AC0D922158A5B542020448A2D3

46.4s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\99E7D179A416539E7B659C228E8F1AA4_08478F7A5BE57824CFD3A65F8A253598

46.4s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\99E7D179A416539E7B659C228E8F1AA4_08478F7A5BE57824CFD3A65F8A253598

64.5s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

64.5s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

64.5s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_6EDACA91DF0270DF0689ACF979725840

64.5s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_6EDACA91DF0270DF0689ACF979725840

66.5s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\1\80\4830E0A62EC6162C.dat

69.2s C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CDC7B704-C71B-4069-8B4D-AC74BB59ED18}

84.3s C:\Users\kiston\Desktop\iexplore.exe

84.5s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E

84.5s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_E1EDEF0C21AE75D448F7327475DF4C9E

84.5s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3781B4A3713292956206932165FA4132_6AECD7A77410F5461FC87BAABFCF62DC

84.5s C:\Users\kiston\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3781B4A3713292956206932165FA4132_6AECD7A77410F5461FC87BAABFCF62DC

85.2s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\79\

85.2s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\1\79\

85.2s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\79\A05934A4BE7CE317.dat

85.2s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\1\79\A05934A4BE7CE317.dat

 

both downloaded from this site. I'm not surprised honestly, it seems to infect anything I download. A few months ago I was so fed up I gave up and formatted and onnnly installed League of Legends on the computer. I guess it had nothing else to infect cuz I could've sworn my League of Legends was infected. I think I was right?

 

 

like my 10th, but last edit and ima make sure of that. Reason Core (downloaded from here) detected a threat (the FSS u told me to download) as a medium risk threat called threat.generic.variant

 

 

 

https://www.virustotal.com/en/file/1cb35a93213562911d4e4218effcb9fc5a946b6e1a99509bcd2b5c936898d159/analysis/1460201711/ - frst

 

https://www.virustotal.com/en/file/b5793fb24a045581074007ffbc623d912ca00cab3fbf8c1509999ea341c5cef6/analysis/1460473137/ - fss

 

if it wasn't these two, it'd be the next two. Just trying to give all the info I can.


 

 


Edited by kistonw, 12 April 2016 - 10:00 AM.


#8 nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 April 2016 - 10:09 AM


Let's reset some of the services.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan; skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore, do a Registry backup. When you have completed this click Next
  • Click on Repairs
  • Click Repairs - Open Repairs in the bottom right corner
  • Click the Unselect All button then select just the item(s) listed below:
    01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    06 - Repair Windows Firewall
    07 - Repair Internet Explorer
    08 - Repair MDAC/MS Jet
    10 - Remove Policies Set By Infections
    17 - Repair Windows Updates
    19 - Repair Volume Shadow Copy Service
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the contents of this file in your next reply.

===

Restart the computer normally.

Check the Windows Updates.

I only need to know if you have any difficulties with this computer and what they are.
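The two nasdaq posts above ask, first, to check the service configuration with FSS and, second, to reset services with Tweaking.com Windows Repair. The PowerShell below is an audit added for this thread; it is not code from the thread, from Farbar's tools or from Tweaking.com. It reads the same things FSS reported in the quoted log (the start types of VSS and wuauserv, the per-interface NameServer and DhcpNameServer registry values that FRST prints, and the Authenticode status of a few of the files in FSS's File Check section). The expected start types are taken from the FSS output above; the chosen file list and the optional -Fix switch are this example's own assumptions.

```powershell
# Added example (not from the thread, FSS, FRST or Tweaking.com).
# Run from an elevated PowerShell. Without -Fix it only reports.
[CmdletBinding()]
param([switch]$Fix)

# Defaults as printed by FSS in this thread: VSS = 3 (Manual), wuauserv = Auto.
$expectedStart = @{ 'VSS' = 'Manual'; 'wuauserv' = 'Auto' }

# A subset of the files FSS's "File Check" section verifies (assumed list).
$checkedFiles = @(
    'System32\dnsrslvr.dll', 'System32\dnsapi.dll',  'System32\vssvc.exe',
    'System32\wuaueng.dll',  'System32\svchost.exe', 'System32\rpcss.dll',
    'System32\drivers\tcpip.sys'
) | ForEach-Object { Join-Path $env:SystemRoot $_ }

function Get-ServiceStartAudit {
    # Win32_Service.StartMode is Boot/System/Auto/Manual/Disabled, the same
    # values FSS reports as "Demand" (Manual), "Auto" and "Disabled".
    foreach ($name in $expectedStart.Keys) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { Write-Warning "$name not found"; continue }
        $ok = ($svc.StartMode -eq $expectedStart[$name])
        if (-not $ok -and $Fix) {
            # Set-Service wants Automatic/Manual/Disabled rather than Auto.
            $mode = if ($expectedStart[$name] -eq 'Auto') { 'Automatic' } else { $expectedStart[$name] }
            Set-Service -Name $name -StartupType $mode
        }
        [pscustomobject]@{
            Item = "service $name"; Actual = $svc.StartMode
            Expected = $expectedStart[$name]; OK = $ok
        }
    }
}

function Get-DnsOverrideAudit {
    # Same registry values FRST prints as [NameServer] / [DhcpNameServer].
    # A non-empty NameServer is a static override of the DHCP-supplied servers;
    # it is flagged for review, which is not the same as calling it malicious.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($if in Get-ChildItem $base) {
        $p = Get-ItemProperty $if.PSPath
        if ([string]::IsNullOrWhiteSpace($p.NameServer)) { continue }
        [pscustomobject]@{
            Item = "interface $($if.PSChildName)"; Actual = $p.NameServer
            Expected = "DHCP: $($p.DhcpNameServer)"; OK = $false
        }
    }
}

function Get-SignatureAudit {
    # System binaries are mostly catalog-signed; Get-AuthenticodeSignature
    # resolves catalog signatures on Windows 8.1 / PowerShell 4 and later.
    # A status other than Valid means a modified file or a damaged catalog
    # store, and either one deserves a closer look.
    foreach ($f in $checkedFiles) {
        if (-not (Test-Path $f)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $f
        [pscustomobject]@{
            Item = $f; Actual = [string]$sig.Status
            Expected = 'Valid'; OK = ($sig.Status -eq 'Valid')
        }
    }
}

@(Get-ServiceStartAudit) + @(Get-DnsOverrideAudit) + @(Get-SignatureAudit) |
    Format-Table -AutoSize
```

Read the report first and only then rerun with -Fix; the fix branch does nothing more than set the two start types back to the values FSS printed as defaults, and it leaves DNS settings and files untouched, because those need a human decision.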




#9 kistonw

  • Topic Starter
  • Banned
  • 49 posts

Posted 12 April 2016 - 11:46 AM

Sorry for the delay. Did everything as mentioned, but I walked away during the program process and came back to the system restart prompt and hit yes. I didn't get to save the errors except for the pre scan, which showed a fixed reparse point. Instantly I had a ton of security and maintenance messages from the past few days start showing, and Windows Update actually stays on the screen.

The computer's security gradually degrades, regardless of how clean it becomes. This would be the spot I was in after every clean install, which eventually led to today's situation and a seemingly infected Windows USB.

Difference is the fixit log, and updated router security. Am I g2g?

Everything seems good at the moment, Windows is updating.

Edited by kistonw, 12 April 2016 - 11:55 AM.


#10 nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 April 2016 - 01:33 PM

updated router security. Am I g2g?

Yes.

#11 kistonw

  • Topic Starter
  • Banned
  • 49 posts

Posted 12 April 2016 - 02:07 PM

Comp downloaded all the updates, but when it had to restart it kept giving me an error saying to try to restart later. I manually restarted, and it started installing the updates. After a while it's now undoing the changes. Also the default apps in the settings screen had everything saying "twinui". Would u suggest sfc scan now? Comp isn't updated with latest security and it doesn't have a reliable AV atm


Edit:
Unsure what to do. Comp reverted back to before I ran Tweaking. Action center doesn't pop up again.

Edited by kistonw, 12 April 2016 - 02:26 PM.


#12 nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 April 2016 - 02:33 PM

"Also the default apps in the settings screen had everything saying "twinui""


Not familiar with this. Check it out.
https://www.slightfuture.com/technote/what-is-twinui

===

Quoted from your Addition.txt log.

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


This is the Microsoft Default security software for Windows 10.

If you wish to use another free one, check this article.

To learn more about how to protect yourself while on the internet, read this little guide: Best Security Practices (Keep Safe).
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

===

Can you please run the Farbar tool in normal mode and post a fresh FRST log for my review.

#13 kistonw

  • Topic Starter
  • Banned
  • 49 posts

Posted 12 April 2016 - 02:49 PM

haha it's getting realllllly annoying - btw I meant the way my comp runs. Takes me like 5 tries to post something. I know I said it before, but my suspicions are usually in the right area, and I believe the text I produced referring to E: drive and the phrase "unattend" means it's malicious. Before posting here, I was noticing that whenever I came from being afk, once I woke my computer up, Bitdefender (at the time uninfected) would find 2-3 infections. Also, I haven't been able to access, read, scan, do anything really with E: drive. Yet it would show up constantly, and when I would click on it I'd get "access is denied" or (more recent/common) "insert a drive into E:". Scanners would show E: along with C: and any CDs/USBs I had plugged in at the time, but any time I'd click E: it'd report there was no E.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-04-2016 01
Ran by kiston (administrator) on TRASHMACHINE (12-04-2016 12:40:34)
Running from C:\Users\kiston\Desktop
Loaded Profiles: kiston (Available Profiles: kiston & user & tony)
Platform: Windows 10 Home (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(Malwarebytes) C:\Program Files (x86)\chikoni\mbamservice.exe
(Malwarebytes) C:\Program Files (x86)\chikoni\mbamscheduler.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Malwarebytes) C:\Program Files (x86)\chikoni\mbam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 

==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [emsisoft anti-malware] => c:\program files\emsisoft anti-malware\a2guard.exe [9234848 2016-01-06] (Emsisoft Ltd)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 127.0.0.1 localhost
Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2
Tcpip\..\Interfaces\{531cb7a8-5bd3-414e-9f08-2a6391bff998}: [NameServer] 208.67.222.222,208.67.220.220
Tcpip\..\Interfaces\{531cb7a8-5bd3-414e-9f08-2a6391bff998}: [DhcpNameServer] 71.10.216.1 71.10.216.2
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [10900888 2016-01-06] (Emsisoft Ltd)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135496 2016-04-10] (SurfRight B.V.)
R2 MBAMScheduler; C:\Program Files (x86)\chikoni\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\chikoni\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [362928 2015-07-10] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-07-10] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 epp; C:\EEK\bin64\epp.sys [124080 2016-02-11] (Emsisoft Ltd)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-04-12] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [587264 2015-07-10] (Realtek                                            )
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-04-11] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-07-10] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [291680 2015-07-10] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119648 2015-07-10] (Microsoft Corporation)
S3 UdeCx; system32\drivers\udecx.sys [X]
S0 WindowsTrustedRTProxy; System32\drivers\WindowsTrustedRTProxy.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 

==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-12 12:39 - 2016-04-12 12:39 - 02375168 _____ (Farbar) C:\Users\kiston\Desktop\FRST64.exe
2016-04-12 12:18 - 2016-04-12 12:18 - 00002335 _____ C:\Users\tony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-04-12 12:18 - 2016-04-12 12:18 - 00000000 ___RD C:\Users\tony\OneDrive
2016-04-12 12:18 - 2016-04-12 12:18 - 00000000 ____D C:\Users\tony\AppData\Roaming\Adobe
2016-04-12 12:18 - 2016-04-12 12:18 - 00000000 ____D C:\Users\tony\AppData\Local\VirtualStore
2016-04-12 12:18 - 2016-04-12 12:18 - 00000000 ____D C:\Users\tony\AppData\Local\TileDataLayer
2016-04-12 12:18 - 2016-04-12 12:18 - 00000000 ____D C:\Users\tony\AppData\Local\Packages
2016-04-12 12:17 - 2016-04-12 12:18 - 00000000 ____D C:\Users\tony
2016-04-12 12:17 - 2016-04-12 12:17 - 00000020 ___SH C:\Users\tony\ntuser.ini
2016-04-12 12:17 - 2016-04-12 12:17 - 00000000 _SHDL C:\Users\tony\My Documents
2016-04-12 12:17 - 2016-04-12 12:17 - 00000000 _SHDL C:\Users\tony\Documents\My Videos
2016-04-12 12:17 - 2016-04-12 12:17 - 00000000 _SHDL C:\Users\tony\Documents\My Pictures
2016-04-12 12:17 - 2016-04-12 12:17 - 00000000 _SHDL C:\Users\tony\Documents\My Music
2016-04-12 12:09 - 2016-03-08 00:10 - 00829944 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-04-12 12:09 - 2016-03-08 00:10 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-04-12 11:50 - 2016-04-12 12:05 - 00000000 ____D C:\Windows\system32\oobe
2016-04-12 10:40 - 2016-04-12 10:47 - 00000000 ____D C:\ProgramData\Package Cache
2016-04-12 10:40 - 2016-04-12 10:42 - 00000000 ____D C:\Windows\system32\MRT
2016-04-12 08:39 - 2016-04-12 08:40 - 00005622 _____ C:\Users\kiston\Desktop\Tweaking.com - Windows Repair - Pre-Scan.txt
2016-04-12 08:30 - 2016-04-12 08:30 - 00002236 _____ C:\Users\kiston\Desktop\Tweaking.com - Windows Repair.lnk
2016-04-12 08:30 - 2016-04-12 08:30 - 00000574 _____ C:\Windows\Tasks\Tweaking.com - Windows Repair Tray Icon.job
2016-04-12 08:30 - 2016-04-12 08:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2016-04-12 08:13 - 2016-04-12 08:13 - 21105944 _____ (Tweaking.com) C:\Users\kiston\Downloads\tweaking.com_windows_repair_aio_setup.exe
2016-04-12 08:12 - 2016-04-12 08:12 - 19134976 _____ C:\Users\kiston\Downloads\tweaking.com_windows_repair_aio.zip
2016-04-12 08:11 - 2016-04-12 08:11 - 00000000 _____ C:\Users\kiston\Desktop\New Text Document (2).txt
2016-04-12 06:41 - 2016-04-12 06:41 - 00000000 ____D C:\Users\kiston\AppData\Local\Microsoft_Corporation
2016-04-12 06:06 - 2016-04-12 06:25 - 00002808 _____ C:\Users\kiston\Desktop\FSS.txt
2016-04-11 20:44 - 2016-04-12 08:15 - 00009905 _____ C:\Users\kiston\Desktop\New Text Document.txt
2016-04-11 19:31 - 2016-04-11 19:31 - 00000000 ___RD C:\Users\kiston\Documents\Notes
2016-04-11 18:37 - 2016-04-11 18:37 - 00003890 _____ C:\TDSSKiller.3.1.0.9_11.04.2016_18.37.45_log.txt
2016-04-11 18:35 - 2016-04-11 18:36 - 00220956 _____ C:\TDSSKiller.3.1.0.9_11.04.2016_18.35.55_log.txt
2016-04-11 18:11 - 2016-04-11 20:43 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-04-11 07:42 - 2016-04-12 07:35 - 00000000 ____D C:\Users\kiston\AppData\Local\CrashDumps
2016-04-11 07:38 - 2016-04-11 07:38 - 00002314 _____ C:\Users\kiston\Desktop\Fixlog.txt
2016-04-11 05:01 - 2016-04-12 12:37 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-11 05:01 - 2016-04-11 05:01 - 00001047 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-11 05:01 - 2016-04-11 05:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\chikoni
2016-04-11 05:01 - 2016-04-11 05:01 - 00000000 ____D C:\Program Files (x86)\chikoni
2016-04-11 05:01 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-04-11 05:01 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-11 05:01 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-04-11 04:30 - 2016-04-11 04:31 - 22851472 _____ (Malwarebytes ) C:\Users\kiston\Desktop\mbam-setup-2.2.1.1043.exe
2016-04-10 16:24 - 2016-04-10 16:24 - 00000740 _____ C:\Windows\system32\.crusader
2016-04-10 15:07 - 2016-04-10 15:27 - 691011584 _____ C:\Users\kiston\Desktop\bitdefender-rescue-cd.iso
2016-04-10 14:14 - 2016-04-10 14:14 - 00016148 _____ C:\Windows\system32\TRASHMACHINE_kiston_HistoryPrediction.bin
2016-04-10 13:57 - 2016-04-12 07:27 - 00001966 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2016-04-10 13:57 - 2016-04-10 13:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2016-04-10 13:57 - 2016-04-10 13:57 - 00000000 ____D C:\Program Files\HitmanPro
2016-04-10 13:56 - 2016-04-10 16:24 - 00000000 ____D C:\ProgramData\HitmanPro
2016-04-10 13:56 - 2016-04-10 13:57 - 11441744 _____ (SurfRight B.V.) C:\Users\kiston\Desktop\HitmanPro_x64.exe
2016-04-10 13:53 - 2016-04-10 13:53 - 00000000 ____D C:\AdwCleaner
2016-04-10 13:52 - 2016-04-10 13:52 - 03465280 _____ C:\Users\kiston\Desktop\AdwCleaner.exe
2016-04-10 10:33 - 2016-04-10 10:33 - 00000937 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2016-04-10 10:33 - 2016-04-10 10:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2016-04-10 10:32 - 2016-04-12 12:38 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2016-04-10 10:30 - 2016-04-10 10:30 - 00002431 _____ C:\Users\kiston\Desktop\aswMBR.txt
2016-04-10 10:30 - 2016-04-10 10:30 - 00000512 _____ C:\Users\kiston\Desktop\MBR.dat
2016-04-10 08:12 - 2016-04-10 10:32 - 212514840 _____ (Emsisoft Ltd. ) C:\Users\kiston\Desktop\EmsisoftAntiMalwareSetup_bc.exe
2016-04-10 08:12 - 2016-04-10 08:12 - 05198336 _____ (AVAST Software) C:\Users\kiston\Desktop\aswMBR.exe
2016-04-10 04:11 - 2016-04-10 04:11 - 00000416 _____ C:\Windows\Tasks\ReasonSecurityScheduledScan.job
2016-04-10 04:10 - 2016-04-12 10:29 - 00000000 ____D C:\Program Files\Reason
2016-04-10 04:05 - 2016-04-10 04:05 - 00026389 _____ C:\Users\kiston\Desktop\Shortcut.txt
2016-04-10 02:36 - 2016-04-10 02:52 - 00433338 _____ C:\TDSSKiller.3.1.0.9_10.04.2016_02.36.57_log.txt
2016-04-10 02:24 - 2016-04-10 10:54 - 00000000 ____D C:\EEK
2016-04-10 01:24 - 2016-04-10 01:25 - 00221884 _____ C:\TDSSKiller.3.1.0.9_10.04.2016_01.24.05_log.txt
2016-04-10 00:23 - 2016-04-12 08:51 - 00830266 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-04-10 00:09 - 2016-04-10 00:09 - 00000207 _____ C:\Windows\tweaking.com-regbackup-TRASHMACHINE-Windows-10-Home-(64-bit).dat
2016-04-10 00:09 - 2016-04-10 00:09 - 00000000 ____D C:\RegBackup
2016-04-09 23:52 - 2016-04-12 08:30 - 00722348 _____ C:\Windows\Tweaking.com - Windows Repair Setup Log.txt
2016-04-09 22:46 - 2016-04-12 08:30 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2016-04-09 22:44 - 2016-04-10 07:46 - 00000896 _____ C:\Users\kiston\Desktop\MTB.txt
2016-04-09 22:43 - 2016-04-10 02:24 - 227630056 _____ C:\Users\kiston\Desktop\EmsisoftEmergencyKit.exe
2016-04-09 22:43 - 2016-04-09 22:44 - 00891392 _____ (Farbar) C:\Users\kiston\Desktop\MiniToolBox.exe
2016-04-09 22:42 - 2016-04-09 22:46 - 00018585 _____ C:\Windows\Tweaking.com - Technicians Toolbox Setup Log.txt
2016-04-09 22:19 - 2016-04-09 22:21 - 00503424 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_22.19.11_log.txt
2016-04-09 22:13 - 2016-04-09 22:17 - 00004332 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_22.13.39_log.txt
2016-04-09 22:13 - 2016-04-09 22:13 - 00000490 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_22.13.36_log.txt
2016-04-09 22:13 - 2016-04-09 22:13 - 00000000 ____D C:\ProgramData\RogueKiller
2016-04-09 22:12 - 2016-04-09 22:13 - 00221680 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_22.12.10_log.txt
2016-04-09 20:33 - 2016-04-09 22:11 - 00438756 _____ C:\TDSSKiller.3.1.0.9_09.04.2016_20.33.54_log.txt
2016-04-09 20:30 - 2016-04-12 12:40 - 00005968 _____ C:\Users\kiston\Desktop\FRST.txt
2016-04-09 20:30 - 2016-04-12 12:40 - 00000000 ____D C:\FRST
2016-04-09 20:30 - 2016-04-11 07:49 - 00017075 _____ C:\Users\kiston\Desktop\Addition.txt
2016-04-09 20:29 - 2016-04-09 22:13 - 19765320 _____ C:\Users\kiston\Desktop\RogueKiller.exe
2016-04-09 20:22 - 2016-04-10 04:10 - 04257344 _____ (Reason Software Company Inc.) C:\Users\kiston\Desktop\reason-core-security-setup.exe
2016-04-09 14:20 - 2016-04-11 19:36 - 00002454 _____ C:\Users\kiston\Desktop\Rkill.txt
2016-04-09 14:20 - 2016-04-09 20:33 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\kiston\Desktop\iexplore.exe
2016-04-09 14:20 - 2016-04-09 14:20 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\kiston\Desktop\asfd.exe
2016-04-09 14:05 - 2016-04-09 14:13 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-04-09 14:04 - 2016-04-09 14:13 - 00000000 ____D C:\Users\kiston\Desktop\mbar
2016-04-09 11:29 - 2016-04-09 11:29 - 06850588 _____ C:\Users\kiston\Desktop\mbam-chameleon-3.1.29.0.zip
2016-04-09 11:28 - 2016-04-09 14:04 - 16563352 _____ (Malwarebytes Corp.) C:\Users\kiston\Desktop\mbar-1.09.3.1001.exe
2016-04-09 11:27 - 2016-04-11 19:38 - 00000556 _____ C:\Users\kiston\Desktop\JRT.txt
2016-04-09 11:27 - 2016-04-09 11:27 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-04-09 11:26 - 2016-04-09 11:26 - 01610352 _____ (Malwarebytes) C:\Users\kiston\Desktop\JRT.exe
2016-04-09 11:21 - 2016-04-09 11:21 - 00016148 _____ C:\Windows\system32\TRASHMACHINE_user_HistoryPrediction.bin
2016-04-08 21:27 - 2016-04-08 21:27 - 00000000 ____D C:\Users\kiston\Documents\League of Legends
2016-04-08 20:47 - 2016-04-08 20:49 - 00000000 ____D C:\Users\kiston\AppData\Local\Comms
2016-04-08 20:41 - 2016-04-08 20:41 - 00000000 ____D C:\Users\kiston\AppData\Roaming\LolClient
2016-04-08 19:32 - 2016-04-08 19:32 - 00000000 ____D C:\ProgramData\Riot Games
2016-04-08 19:31 - 2016-04-08 19:31 - 00001585 _____ C:\Users\Public\Desktop\League of Legends.lnk
2016-04-08 19:31 - 2016-04-08 19:31 - 00000000 ____D C:\Riot Games
2016-04-08 19:31 - 2016-04-08 19:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\League of Legends
2016-04-08 19:28 - 2016-04-08 19:28 - 00000000 ____D C:\Users\kiston\AppData\Roaming\Macromedia
2016-04-08 19:21 - 2016-04-08 19:31 - 00000000 ____D C:\Users\kiston\AppData\Roaming\Riot Games
2016-04-08 19:19 - 2016-04-08 19:19 - 27864920 _____ (Riot Games) C:\Users\kiston\Downloads\LeagueofLegends_NA_Installer_9_15_2014.exe
2016-04-08 19:08 - 2016-04-11 07:25 - 00000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2016-04-08 19:06 - 2016-04-08 19:06 - 00000000 ____D C:\Windows\pss
2016-04-08 18:27 - 2016-04-08 18:28 - 124766480 _____ (Microsoft Corporation) C:\Users\kiston\Downloads\msert.exe
2016-04-08 18:20 - 2016-04-12 10:40 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-04-08 18:17 - 2016-04-08 18:20 - 55550688 _____ (Microsoft Corporation) C:\Users\kiston\Downloads\Windows-KB890830-x64-V5.34.exe
2016-04-08 18:06 - 2016-04-08 18:06 - 00000000 ____D C:\Users\kiston\AppData\Local\MicrosoftEdge
2016-04-08 18:02 - 2016-04-08 18:02 - 00016148 _____ C:\Windows\system32\DESKTOP-L0NOFG7_kiston_HistoryPrediction.bin
2016-04-08 17:47 - 2016-04-08 17:47 - 00016148 _____ C:\Windows\system32\DESKTOP-L0NOFG7_user_HistoryPrediction.bin
2016-04-08 17:47 - 2016-04-08 17:47 - 00000000 ____D C:\Users\kiston\AppData\Roaming\ATI
2016-04-08 17:47 - 2016-04-08 17:47 - 00000000 ____D C:\Users\kiston\AppData\Local\ATI
2016-04-08 17:47 - 2016-04-08 17:47 - 00000000 ____D C:\Users\kiston\AppData\Local\AMD
2016-04-08 17:46 - 2016-04-08 17:46 - 00000000 _____ C:\Recovery.txt
2016-04-08 17:43 - 2016-04-08 17:43 - 00002364 _____ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-04-08 17:43 - 2016-04-08 17:43 - 00000000 ___RD C:\Users\user\OneDrive
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Roaming\ATI
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Roaming\Adobe
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Local\VirtualStore
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Local\Packages
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Local\ATI
2016-04-08 17:42 - 2016-04-08 17:42 - 00000000 ____D C:\Users\user\AppData\Local\AMD
2016-04-08 17:41 - 2016-04-08 17:41 - 00000020 ___SH C:\Users\user\ntuser.ini
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 _SHDL C:\Users\user\My Documents
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 _SHDL C:\Users\user\Documents\My Videos
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 _SHDL C:\Users\user\Documents\My Pictures
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 _SHDL C:\Users\user\Documents\My Music
2016-04-08 17:41 - 2016-04-08 17:41 - 00000000 ____D C:\Users\user\AppData\Local\TileDataLayer
2016-04-08 17:33 - 2016-04-10 02:22 - 00000000 ____D C:\ProgramData\AMD
2016-04-08 17:32 - 2016-04-08 17:32 - 00000000 ____D C:\Program Files\Common Files\ATI Technologies
2016-04-08 17:32 - 2016-04-08 17:32 - 00000000 ____D C:\Program Files\AMD
2016-04-08 17:32 - 2016-04-08 17:32 - 00000000 ____D C:\AMD
2016-04-08 17:32 - 2015-12-08 20:39 - 00301728 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 47794160 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 39720944 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 30775792 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atio6axx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 27544560 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\amdocl12cl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 25320432 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 22327280 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl12cl.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 15725552 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticaldd64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 14310896 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 10211016 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 09355016 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdxc64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 08982432 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd6a.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 08864920 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 08009360 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdva.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 07683096 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdxc32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 07482560 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdag.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 06686192 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmantle64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 05216240 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmantle32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 03471376 _____ C:\Windows\SysWOW64\atiumdva.cap
2016-04-08 17:31 - 2016-04-08 17:31 - 03437632 _____ C:\Windows\system32\atiumd6a.cap
2016-04-08 17:31 - 2016-04-08 17:31 - 01256432 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiadlxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 01223544 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 01196032 _____ C:\Windows\system32\amdocl_as64.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 01070592 _____ C:\Windows\system32\amdocl_ld64.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 01004032 _____ C:\Windows\SysWOW64\amdocl_as32.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00935408 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00935408 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00874480 _____ (AMD) C:\Windows\system32\coinst_15.20.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00833800 _____ C:\Windows\system32\amdicdxx.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00807424 _____ C:\Windows\SysWOW64\amdocl_ld32.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00737410 _____ C:\Windows\system32\atiicdxx.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00683504 _____ (AMD) C:\Windows\system32\atieclxx.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00662400 _____ C:\Windows\SysWOW64\atiapfxx.blb
2016-04-08 17:31 - 2016-04-08 17:31 - 00662400 _____ C:\Windows\system32\atiapfxx.blb
2016-04-08 17:31 - 2016-04-08 17:31 - 00631792 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdlvr64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00524272 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdlvr32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00471320 _____ C:\Windows\system32\amdmiracast.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00451056 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atidemgy.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00375792 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiapfxx.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00341488 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIODE.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00322868 _____ C:\Windows\system32\ativvaxy_vi.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00321200 _____ C:\Windows\system32\ativvaxy_vi_nd.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00255808 _____ C:\Windows\system32\ativvaxy_cz_nd.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00255472 _____ (AMD) C:\Windows\system32\atiesrxx.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00250884 _____ C:\Windows\system32\ativvaxy_FJ.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00249088 _____ C:\Windows\system32\ativvaxy_FJ_nd.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00243696 _____ C:\Windows\system32\clinfo.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00234420 _____ C:\Windows\system32\ativvaxy_cik.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00232752 _____ C:\Windows\system32\ativvaxy_cik_nd.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00213488 _____ C:\Windows\system32\amdgfxinfo64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00199664 _____ (AMD) C:\Windows\system32\atitmm64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00198640 _____ C:\Windows\SysWOW64\amdgfxinfo32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00177344 _____ C:\Windows\system32\ativce03.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00175648 _____ C:\Windows\system32\amde31a.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00168944 _____ C:\Windows\system32\atieah64.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00165360 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6txx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00152560 _____ C:\Windows\SysWOW64\atieah32.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00150512 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00143344 _____ C:\Windows\system32\amdhdl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00143056 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiuxpag.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00136176 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantle64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00132080 _____ C:\Windows\SysWOW64\amdhdl32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00130064 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiu9p64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00122352 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantle32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00112360 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiu9pag.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00111600 _____ C:\Windows\system32\hsa-thunk64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00111088 _____ C:\Windows\SysWOW64\hsa-thunk.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00103408 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantleaxl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00100816 _____ C:\Windows\system32\ativce02.dat
2016-04-08 17:31 - 2016-04-08 17:31 - 00096752 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantleaxl32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00088000 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atimpc64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00088000 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdpcom64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00083952 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6pxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00081160 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00081160 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00078320 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00078320 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiglpxx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00073712 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00071152 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalrt64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00068080 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00064496 _____ (Advanced Micro Devices Inc.) C:\Windows\system32\aticalcl64.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00060912 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00059888 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIODCLI.exe
2016-04-08 17:31 - 2016-04-08 17:31 - 00059376 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmmcl6.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00057840 _____ (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00052208 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\ati2erec.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00048112 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmmcl.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00038384 _____ (AMD) C:\Windows\system32\atimuixx.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00012784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\detoured.dll
2016-04-08 17:31 - 2016-04-08 17:31 - 00012784 _____ (Microsoft Corporation) C:\Windows\system32\detoured.dll
2016-04-08 17:30 - 2016-04-10 02:23 - 00000000 ____D C:\Users\kiston\AppData\Local\ElevatedDiagnostics
2016-04-08 17:14 - 2016-04-08 17:14 - 00002341 _____ C:\Users\kiston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-04-08 17:14 - 2016-04-08 17:14 - 00000000 ___RD C:\Users\kiston\OneDrive
2016-04-08 17:13 - 2016-04-08 17:13 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2016-04-08 17:12 - 2016-04-08 17:12 - 00000000 ____D C:\Users\kiston\AppData\Local\Publishers
2016-04-08 17:11 - 2016-04-12 12:18 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-04-08 17:11 - 2016-04-10 00:34 - 00000000 ____D C:\Users\kiston\AppData\Local\Packages
2016-04-08 17:11 - 2016-04-08 17:43 - 00000000 ____D C:\Users\kiston
2016-04-08 17:11 - 2016-04-08 17:11 - 00016148 _____ C:\Windows\system32\DESKTOP-L0NOFG7_defaultuser0_HistoryPrediction.bin
2016-04-08 17:11 - 2016-04-08 17:11 - 00000020 ___SH C:\Users\kiston\ntuser.ini
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 _SHDL C:\Users\kiston\My Documents
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 _SHDL C:\Users\kiston\Documents\My Videos
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 _SHDL C:\Users\kiston\Documents\My Pictures
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 _SHDL C:\Users\kiston\Documents\My Music
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 ____D C:\Users\kiston\AppData\Roaming\Adobe
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 ____D C:\Users\kiston\AppData\Local\VirtualStore
2016-04-08 17:11 - 2016-04-08 17:11 - 00000000 ____D C:\Users\kiston\AppData\Local\TileDataLayer
2016-04-08 16:58 - 2016-04-12 12:17 - 00830266 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-08 16:56 - 2015-07-10 03:59 - 02718208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2016-04-08 16:55 - 2016-04-08 19:09 - 00000000 ____D C:\ProgramData\USOShared
2016-04-08 16:54 - 2016-04-12 09:09 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-08 16:54 - 2016-04-08 16:54 - 00279456 _____ C:\Windows\Minidump\040816-35921-01.dmp
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Public\Documents\My Videos
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Public\Documents\My Pictures
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Public\Documents\My Music
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default\My Documents
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default\Documents\My Videos
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default\Documents\My Pictures
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default\Documents\My Music
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default User\Documents\My Videos
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default User\Documents\My Pictures
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default User\Documents\My Music
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\Default User
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Users\All Users
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 _SHDL C:\Documents and Settings
2016-04-08 16:54 - 2016-04-08 16:54 - 00000000 ____D C:\Windows\Minidump
2016-04-08 16:53 - 2016-04-08 16:53 - 281350174 _____ C:\Windows\MEMORY.DMP
2016-04-08 16:50 - 2016-04-08 16:50 - 00000000 _____ C:\Windows\ativpsrm.bin
2016-04-08 16:48 - 2016-04-08 16:48 - 00000000 ____D C:\Windows\ServiceProfiles
2016-04-08 16:48 - 2016-04-08 16:48 - 00000000 _____ C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2016-04-08 16:47 - 2016-04-12 12:07 - 00189240 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-08 13:41 - 2016-04-12 10:30 - 00000000 ___DC C:\Windows\Panther
2016-04-08 13:41 - 2016-04-08 13:41 - 00008192 _____ C:\Windows\system32\config\userdiff
2016-04-08 13:41 - 2016-04-08 13:41 - 00000000 ____D C:\Windows\InfusedApps
2016-04-08 13:41 - 2016-04-08 13:41 - 00000000 ____D C:\Windows.old
2016-04-08 13:40 - 2016-04-08 13:40 - 00000000 ____D C:\Windows\Setup
2016-04-08 13:40 - 2016-04-08 13:40 - 00000000 ____D C:\Windows\OCR
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\winrm
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\WCN
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\sysprep
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\slmgr
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\0409
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\winrm
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\WCN
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\slmgr
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\Printing_Admin_Scripts
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\0409
2016-04-08 13:39 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\DigitalLocker
2016-04-08 13:35 - 2016-04-12 12:38 - 00000000 ____D C:\Windows\AppReadiness
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ___SD C:\Windows\SysWOW64\F12
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ___SD C:\Windows\system32\F12
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ___RD C:\Windows\PurchaseDialog
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ____D C:\Windows\SysWOW64\oobe
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ____D C:\Windows\SysWOW64\Dism
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ____D C:\Windows\system32\WinBioPlugIns
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ____D C:\Windows\system32\SystemResetPlatform
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ____D C:\Windows\system32\Dism
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ____D C:\Windows\system32\appraiser
2016-04-08 13:35 - 2016-04-12 12:05 - 00000000 ____D C:\Windows\Provisioning
2016-04-08 13:35 - 2016-04-12 12:04 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2016-04-08 13:35 - 2016-04-12 12:04 - 00000000 ___RD C:\Windows\DevicesFlow
2016-04-08 13:35 - 2016-04-12 12:04 - 00000000 ____D C:\Windows\L2Schemas
2016-04-08 13:35 - 2016-04-12 12:04 - 00000000 ____D C:\Program Files\Windows Portable Devices
2016-04-08 13:35 - 2016-04-12 12:04 - 00000000 ____D C:\Program Files\Windows Multimedia Platform
2016-04-08 13:35 - 2016-04-12 12:04 - 00000000 ____D C:\Program Files\Windows Journal
2016-04-08 13:35 - 2016-04-12 12:04 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2016-04-08 13:35 - 2016-04-12 12:04 - 00000000 ____D C:\Program Files (x86)\Windows Multimedia Platform
2016-04-08 13:35 - 2016-04-11 20:44 - 00000000 ____D C:\Windows\system32\MailContactsCalendarSync
2016-04-08 13:35 - 2016-04-11 19:21 - 00000000 ____D C:\Windows\system32\SecureBootUpdates
2016-04-08 13:35 - 2016-04-10 00:28 - 00000855 _____ C:\Windows\system32\Drivers\etc\hosts_bak_225
2016-04-08 13:35 - 2016-04-10 00:11 - 00000768 _____ C:\Windows\system32\Drivers\etc\hosts_bak_712
2016-04-08 13:35 - 2016-04-09 10:09 - 00000000 ____D C:\Windows\appcompat
2016-04-08 13:35 - 2016-04-08 18:59 - 00000000 ____D C:\Windows\system32\NDF
2016-04-08 13:35 - 2016-04-08 17:46 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-04-08 13:35 - 2016-04-08 17:39 - 00000000 ____D C:\Windows\system32\spool
2016-04-08 13:35 - 2016-04-08 17:39 - 00000000 ____D C:\Windows\system32\setup
2016-04-08 13:35 - 2016-04-08 17:39 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-04-08 13:35 - 2016-04-08 17:12 - 00000000 ___RD C:\Windows\PrintDialog
2016-04-08 13:35 - 2016-04-08 17:12 - 00000000 ___RD C:\Windows\MiracastView
2016-04-08 13:35 - 2016-04-08 16:56 - 00000000 ____D C:\Windows\rescache
2016-04-08 13:35 - 2016-04-08 16:55 - 00000000 ____D C:\ProgramData\USOPrivate
2016-04-08 13:35 - 2016-04-08 16:51 - 00000000 ____D C:\Windows\system32\Sysprep
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ___SD C:\Windows\SysWOW64\DiagSvcs
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ___SD C:\Windows\system32\dsc
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ___SD C:\Windows\system32\DiagSvcs
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\setup
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\MUI
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\SysWOW64\Com
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\MUI
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\migwiz
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\system32\Com
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\IME
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\Help
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files\Windows Defender
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files\Common Files\System
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2016-04-08 13:35 - 2016-04-08 13:39 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 __SHD C:\Program Files\Windows Sidebar
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 __SHD C:\Program Files (x86)\Windows Sidebar
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 __RSD C:\Windows\Media
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\SysWOW64\Nui
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\SysWOW64\Configuration
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\system32\Nui
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\system32\Configuration
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___SD C:\Windows\Downloaded Program Files
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___RD C:\Windows\Offline Web Pages
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___RD C:\Windows\DesktopTileResources
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ___RD C:\Users\Public\Libraries
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Web
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Vss
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\tracing
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\TAPI
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\WinMetadata
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\SMI
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\ras
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\NDF
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\MsDtc
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\Ipmi
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\InputMethod
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\IME
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\icsxml
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicyUsers
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\downlevel
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\Bthprops
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\AppLocker
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SystemResources
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SystemApps
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\WinMetadata
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\winevt
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\WinBioDatabase
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\ras
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\ProximityToast
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\PointOfService
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\Macromed
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\Ipmi
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\InputMethod
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\inetsrv
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\IME
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\icsxml
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\ias
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\downlevel
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\config\Journal
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\Bthprops
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\AppLocker
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\AdvancedInstallers
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\System
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SKB
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\ShellNew
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\security
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\schemas
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\SchCache
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Resources
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Registration
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\PLA
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Performance
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\ModemLogs
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\LiveKernelReports
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\InputMethod
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Globalization
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\ELAMBKUP
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Cursors
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\Branding
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\ProgramData\Comms
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files\Windows NT
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files\Common Files\Services
2016-04-08 13:35 - 2016-04-08 13:35 - 00000000 ____D C:\Program Files (x86)\Windows NT
2016-04-08 13:35 - 2016-04-08 13:32 - 00229888 _____ (Microsoft Corporation) C:\Windows\system32\msclmd.dll
2016-04-08 13:35 - 2016-04-08 13:32 - 00215943 _____ C:\Windows\SysWOW64\dssec.dat
2016-04-08 13:35 - 2016-04-08 13:32 - 00215943 _____ C:\Windows\system32\dssec.dat
2016-04-08 13:35 - 2016-04-08 13:32 - 00208384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2016-04-08 13:35 - 2016-04-08 13:32 - 00017463 _____ C:\Windows\system32\Drivers\etc\services
2016-04-08 13:35 - 2016-04-08 13:32 - 00015462 _____ C:\Windows\system32\OEMDefaultAssociations.xml
2016-04-08 13:35 - 2016-04-08 13:32 - 00008798 _____ C:\Windows\SysWOW64\icrav03.rat
2016-04-08 13:35 - 2016-04-08 13:32 - 00008798 _____ C:\Windows\system32\icrav03.rat
2016-04-08 13:35 - 2016-04-08 13:32 - 00003683 _____ C:\Windows\system32\Drivers\etc\lmhosts.sam
2016-04-08 13:35 - 2016-04-08 13:32 - 00001988 _____ C:\Windows\SysWOW64\ticrf.rat
2016-04-08 13:35 - 2016-04-08 13:32 - 00001988 _____ C:\Windows\system32\ticrf.rat
2016-04-08 13:35 - 2016-04-08 13:32 - 00001358 _____ C:\Windows\system32\Drivers\etc\protocol
2016-04-08 13:35 - 2016-04-08 13:32 - 00000858 _____ C:\Windows\system32\DefaultQuestions.json
2016-04-08 13:35 - 2016-04-08 13:32 - 00000741 _____ C:\Windows\SysWOW64\NOISE.DAT
2016-04-08 13:35 - 2016-04-08 13:32 - 00000741 _____ C:\Windows\system32\NOISE.DAT
2016-04-08 13:35 - 2016-04-08 13:32 - 00000407 _____ C:\Windows\system32\Drivers\etc\networks
2016-04-08 13:35 - 2016-04-08 13:32 - 00000389 _____ C:\Windows\system32\AutoWorkplace.exe.config
2016-04-08 13:35 - 2016-04-08 13:32 - 00000219 _____ C:\Windows\system.ini
2016-04-08 13:35 - 2016-04-08 13:32 - 00000092 _____ C:\Windows\win.ini
2016-04-08 13:33 - 2016-04-12 12:29 - 00000000 ____D C:\Windows\INF
2016-04-08 13:28 - 2016-04-12 10:45 - 00000000 ____D C:\Windows\CbsTemp
2016-04-08 13:23 - 2016-04-10 21:08 - 00131072 ___SH C:\Windows\system32\config\BBI
2016-04-08 13:23 - 2016-04-08 16:54 - 00032768 ___SH C:\Windows\system32\config\ELAM
2016-04-08 13:23 - 2016-04-08 13:39 - 00000000 ____D C:\Windows\servicing
2016-04-08 13:23 - 2016-04-08 13:35 - 00000000 ____D C:\Windows\system32\SMI
2016-04-08 13:23 - 2015-07-10 02:11 - 00000164 _____ C:\Windows\system32\config\FP
2016-04-08 13:02 - 2016-04-08 17:46 - 00000000 ____D C:\$SysReset
2016-04-06 05:09 - 2016-04-06 05:09 - 00103424 _____ (Advanced Micro Devices) C:\Windows\system32\DelayAPO.dll
2016-04-06 05:04 - 2016-04-08 17:31 - 21648880 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmdag.sys
2016-04-06 05:04 - 2016-04-08 17:31 - 12088000 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atidxx64.dll
2016-04-06 05:04 - 2016-04-08 17:31 - 01479808 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\aticfx64.dll
2016-04-06 05:04 - 2016-04-08 17:31 - 00674288 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\Drivers\atikmpag.sys
2016-04-06 05:04 - 2016-04-08 17:31 - 00162232 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiuxp64.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 01978240 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdmv.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 01065720 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atiumd6v.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00442368 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIDEMGX.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00204952 _____ C:\Windows\SysWOW64\ativvsvl.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00204952 _____ C:\Windows\system32\ativvsvl.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00157144 _____ C:\Windows\SysWOW64\ativvsva.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00157144 _____ C:\Windows\system32\ativvsva.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00118784 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atibtmon.exe
2016-04-06 05:04 - 2016-04-06 05:04 - 00059392 _____ (ATI Technologies, Inc.) C:\Windows\system32\atiedu64.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00053248 _____ C:\Windows\system32\amdverag.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00043520 _____ (ATI Technologies, Inc.) C:\Windows\SysWOW64\ati2edxx.dll
2016-04-06 05:04 - 2016-04-06 05:04 - 00038177 _____ C:\Windows\atiogl.xml
2016-04-06 05:04 - 2016-04-06 05:04 - 00026936 _____ C:\Windows\SysWOW64\ativvsnl.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00026936 _____ C:\Windows\system32\ativvsnl.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00003917 _____ C:\Windows\SysWOW64\atipblag.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00003917 _____ C:\Windows\system32\atipblag.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00000025 _____ C:\Windows\SysWOW64\ativvsny.dat
2016-04-06 05:04 - 2016-04-06 05:04 - 00000025 _____ C:\Windows\system32\ativvsny.dat
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-04-12 10:25 - 2016-02-13 07:21 - 00000000 ___HD C:\$WINDOWS.~BT
 
Some files in TEMP:
====================
C:\Users\kiston\AppData\Local\Temp\dllnt_dump.dll
C:\Users\kiston\AppData\Local\Temp\rscp_setup.exe
 

==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 

LastRegBack: 2016-04-08 16:47
 
==================== End of FRST.txt ============================
 
I luckily made it to this point, so I'll add the rest in a sec.
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:10-04-2016 01
Ran by kiston (2016-04-12 12:41:41)
Running from C:\Users\kiston\Desktop
Windows 10 Home (X64) (2016-04-09 00:11:18)
Boot Mode: Normal
==========================================================
 

==================== Accounts: =============================
 
Administrator (S-1-5-21-1323568086-1110516886-4081173146-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1323568086-1110516886-4081173146-503 - Limited - Disabled)
Guest (S-1-5-21-1323568086-1110516886-4081173146-501 - Limited - Disabled)
kiston (S-1-5-21-1323568086-1110516886-4081173146-1001 - Administrator - Enabled) => C:\Users\kiston
tony (S-1-5-21-1323568086-1110516886-4081173146-1004 - Administrator - Enabled) => C:\Users\tony
user (S-1-5-21-1323568086-1110516886-4081173146-1002 - Limited - Enabled) => C:\Users\user
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 11.0 - Emsisoft Ltd.)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.13.258 - SurfRight B.V.)
League of Legends (HKLM-x32\...\League of Legends 3.0.1) (Version: 3.0.1 - Riot Games)
League of Legends (x32 Version: 3.0.1 - Riot Games) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Tweaking.com - Windows Repair (HKLM-x32\...\Tweaking.com - Windows Repair) (Version: 3.8.6 - Tweaking.com)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 

==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {23AF1F13-5536-4429-AE6E-A2ED0CC2EBFB} - \Microsoft\Windows\Sysmain\ResPriStaticDbSync -> No File <==== ATTENTION
Task: {2BCB4413-49FF-4002-A2A5-379DCAC11A6F} - \Microsoft\Windows\Shell\FamilySafetyMonitor -> No File <==== ATTENTION
Task: {2DCFEEB3-5973-4282-9149-4233FF87CFC6} - \Microsoft\Windows\Registry\RegIdleBackup -> No File <==== ATTENTION
Task: {35FD1E98-8812-42FB-9954-CB895B99CCDA} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot -> No File <==== ATTENTION
Task: {389C6A9D-24A0-4215-B936-8FD76708C2B1} - \Microsoft\Windows\UpdateOrchestrator\Reboot -> No File <==== ATTENTION
Task: {3E91E64E-4F9D-4C09-A5AD-CDF962C041DC} - \Microsoft\Windows\WindowsUpdate\sihboot -> No File <==== ATTENTION
Task: {42622B49-0FCC-4AA2-85A7-120E1DC76105} - \Microsoft\Windows\Task Manager\Interactive -> No File <==== ATTENTION
Task: {472E295A-D2E8-40BD-8DAC-30784633823D} - \Microsoft\Windows\WindowsUpdate\Scheduled Start -> No File <==== ATTENTION
Task: {4FE3481D-8572-4918-9B96-722C8675C2FD} - \Microsoft\Windows\Shell\FamilySafetyRefresh -> No File <==== ATTENTION
Task: {605A02D6-5625-4FFA-9213-8E1159190D30} - \Microsoft\Windows\WOF\WIM-Hash-Management -> No File <==== ATTENTION
Task: {63C2EB26-9F94-41AD-AC76-CAA70C2B64FC} - \Microsoft\Windows\SetupSQMTask -> No File <==== ATTENTION
Task: {66D2A720-3587-4FCD-9986-3F6E454033FC} - \Microsoft\Windows\CloudExperienceHost\CreateObjectTask -> No File <==== ATTENTION
Task: {67321D36-38E5-4ABD-9E4E-7ACC39D97B36} - \Microsoft\Windows\Feedback\Siuf\DmClient -> No File <==== ATTENTION
Task: {70CFDACB-27C8-4C50-99A8-9C034BDCE679} - \Microsoft\Windows\FileHistory\File History (maintenance mode) -> No File <==== ATTENTION
Task: {70EDB817-E61B-485C-8B0C-959FF05E23AE} - \Microsoft\Windows\UpdateOrchestrator\Resume On Boot -> No File <==== ATTENTION
Task: {784C5341-4C48-4CEA-9D6E-EAA0ED72D154} - \Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers -> No File <==== ATTENTION
Task: {7C88636C-F65F-45D3-A8E8-AB8AFBC9C3DF} - \Microsoft\Windows\RemovalTools\MRT_ERROR_HB -> No File <==== ATTENTION
Task: {7D5A7EB9-7CC7-4EDA-B6A4-93409EEE2E79} - \Microsoft\Windows\WS\License Validation -> No File <==== ATTENTION
Task: {8B29A927-7D75-4F86-95F3-B05A5DBC6269} - \Microsoft\Windows\WindowsUpdate\Automatic App Update -> No File <==== ATTENTION
Task: {975CA382-D4D0-4ECF-B425-2A2D8725655F} - \Microsoft\Windows\SystemRestore\SR -> No File <==== ATTENTION
Task: {988AF780-2316-47B9-958C-0B677BD42629} - \Microsoft\Windows\Sysmain\HybridDriveCacheRebalance -> No File <==== ATTENTION
Task: {A535BF13-8A75-454B-95F7-D683CBC24454} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display -> No File <==== ATTENTION
Task: {A554B443-3927-4009-B513-C70B2B52C7A7} - \Microsoft\Windows\Shell\CreateObjectTask -> No File <==== ATTENTION
Task: {A8342C24-8C07-4C04-A95F-31117505060D} - \Microsoft\Windows\Shell\IndexerAutomaticMaintenance -> No File <==== ATTENTION
Task: {B25195DA-0C51-4801-95BD-E46DD49D759F} - \Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector -> No File <==== ATTENTION
Task: {B4964342-F9DA-4130-8BD2-C9B06A709FF5} - \Microsoft\Windows\WOF\WIM-Hash-Validation -> No File <==== ATTENTION
Task: {BB650F5A-EEA7-4301-9AFC-F0BDED2A8121} - \Microsoft\Windows\WindowsUpdate\sih -> No File <==== ATTENTION
Task: {CA0A39CB-894B-4151-8B71-288F11BC89B1} - \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange -> No File <==== ATTENTION
Task: {CA1CBE65-7A47-4854-8CA7-1C53A3918B97} - \Microsoft\Windows\WS\WSTask -> No File <==== ATTENTION
Task: {CD9DBB1A-3416-45CC-A4B5-CF75138C47C1} - \Microsoft\Windows\WCM\WiFiTask -> No File <==== ATTENTION
Task: {CDF79CB0-BF5B-4A26-93F8-D18CCA3EB37E} - \Microsoft\Windows\UpdateOrchestrator\Maintenance Install -> No File <==== ATTENTION
Task: {D1A8046D-90FA-4C72-B6FF-00DCBAF34D37} - \Microsoft\Windows\UpdateOrchestrator\Schedule Scan -> No File <==== ATTENTION
Task: {D2F918F6-BFBD-40B6-B228-85495E421B11} - \Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate -> No File <==== ATTENTION
Task: {D591FDC2-4875-4809-A62F-0DEF7B2CC853} - \Microsoft\Windows\Workplace Join\Automatic-Device-Join -> No File <==== ATTENTION
Task: {DF79E20C-9CE4-4040-8A59-9872CE1DD54F} - \Microsoft\Windows\UpdateOrchestrator\Battery Saver Deferred Install -> No File <==== ATTENTION
Task: {E025CDF0-3E59-41F9-A165-8FA5AC8316FD} - \Microsoft\Windows\UpdateOrchestrator\Policy Install -> No File <==== ATTENTION
Task: {E253BB82-67D4-4FF8-86BA-7C72D0BC7AAF} - \Microsoft\Windows\UPnP\UPnPHostConfig -> No File <==== ATTENTION
Task: {E6F1106A-DC58-4B3B-8A92-AF55EBAF5FDE} - \Microsoft\Windows\Plug and Play\Plug and Play Cleanup -> No File <==== ATTENTION
Task: {E7854B4B-AC09-4E55-85E5-2C8A6999AC32} - \Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver -> No File <==== ATTENTION
Task: {EF946C38-1A8B-4E95-BAF3-97027219A0D4} - \Microsoft\Windows\Plug and Play\Device Install Group Policy -> No File <==== ATTENTION
Task: {FB227C95-03EF-46A1-B8B2-BB91EAF43C94} - \Microsoft\Windows\Plug and Play\Device Install Reboot Required -> No File <==== ATTENTION
Task: {FFB2B9C7-470E-4850-AE71-8D96A6A25609} - \Microsoft\Windows\Sysmain\WsSwapAssessmentTask -> No File <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
Task: C:\Windows\Tasks\ReasonSecurityScheduledScan.job => C:\Program Files\Reason\Security\rsUI.exe
Task: C:\Windows\Tasks\Tweaking.com - Windows Repair Tray Icon.job => C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)Tweaking.com - Windows Repair)Created By Tweaking.com
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-07-10 04:00 - 2015-07-10 04:00 - 00032768 _____ () C:\Windows\SYSTEM32\licensemanagerapi.dll
2015-07-10 03:59 - 2015-07-10 03:59 - 00403968 _____ () C:\Windows\System32\diagtrack_wininternal.dll
2015-07-10 04:00 - 2015-07-10 04:00 - 02498296 _____ () C:\Windows\System32\CoreUIComponents.dll
2015-07-10 04:00 - 2015-07-10 04:00 - 02498296 _____ () C:\Windows\system32\CoreUIComponents.dll
2015-07-10 03:59 - 2015-07-10 03:59 - 00429056 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2015-07-10 04:00 - 2015-07-10 06:14 - 06579712 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2015-07-10 04:00 - 2015-07-10 06:14 - 00471040 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2015-07-10 04:00 - 2015-07-10 06:14 - 02274816 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2015-07-10 04:00 - 2015-07-10 06:14 - 00210432 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.ProxyStub.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 

==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\37216004.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\37216004.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 

==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 

==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2016-04-08 13:35 - 2016-04-12 10:27 - 00000768 ____A C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1 localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 208.67.222.222 - 208.67.220.220
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: AMD External Events Utility => 2
MSCONFIG\Services: BthHFSrv => 3
MSCONFIG\Services: bthserv => 3
MSCONFIG\Services: CDPSvc => 3
MSCONFIG\Services: CryptSvc => 3
MSCONFIG\Services: fhsvc => 3
MSCONFIG\Services: FontCache => 2
MSCONFIG\Services: icssvc => 3
MSCONFIG\Services: IEEtwCollectorService => 3
MSCONFIG\Services: PolicyAgent => 3
MSCONFIG\Services: PrintNotify => 3
MSCONFIG\Services: RetailDemo => 3
MSCONFIG\Services: SharedAccess => 3
MSCONFIG\Services: SmsRouter => 3
MSCONFIG\Services: StorSvc => 3
MSCONFIG\Services: svsvc => 3
MSCONFIG\Services: swprv => 3
MSCONFIG\Services: TabletInputService => 3
MSCONFIG\Services: TapiSrv => 3
MSCONFIG\Services: XblAuthManager => 3
MSCONFIG\Services: XblGameSave => 3
MSCONFIG\Services: XboxNetApiSvc => 3
HKLM\...\StartupApproved\Run: => "emsisoft anti-malware"
HKLM\...\StartupApproved\Run32: => "StartCCC"
HKU\S-1-5-21-1323568086-1110516886-4081173146-1001\...\StartupApproved\Run: => "OneDrive"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [ProximityUxHost-Sharing-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\proximityuxhost.exe
FirewallRules: [CoreNet-DHCPV6-Out] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [{EB10F0D8-3B64-44DC-A6F2-7C62DBEFDD46}] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [{84646A46-77AC-451C-8698-449DBCD491AD}] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [{32C06588-4304-473B-AFEC-ACF5456EF974}] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [{F1C2C420-011D-42B1-B693-3D219B92DECE}] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [{83B001E4-AB7F-4C7C-9E79-F0CDD67F1DB1}] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [{3E1F2527-9DB0-42CF-ACD1-BC0BD2ADE613}] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [{21AA7608-0E42-4AF7-BB21-D07AC19C10D5}] => (Block) %SystemRoot%\system32\svchost.exe
 
==================== Restore Points =========================
 
12-04-2016 10:02:06 Windows Update
 
==================== Faulty Device Manager Devices =============
 
Name: AMD High Definition Audio Device
Description: AMD High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Advanced Micro Devices
Service: AtiHDAudioService
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.
 
Name: Generic- Multi-Card USB Device
Description: Disk drive
Class Guid: {4d36e967-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard disk drives)
Service: disk
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 

==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/12/2016 12:41:56 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:41:56Z. Error Code: 0x80040154.
 
Error: (04/12/2016 12:41:26 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:41:26Z. Error Code: 0x80040154.
 
Error: (04/12/2016 12:40:56 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:40:56Z. Error Code: 0x80040154.
 
Error: (04/12/2016 12:40:26 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:40:26Z. Error Code: 0x80040154.
 
Error: (04/12/2016 12:39:56 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:39:56Z. Error Code: 0x80040154.
 
Error: (04/12/2016 12:39:26 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:39:26Z. Error Code: 0x80040154.
 
Error: (04/12/2016 12:38:56 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:38:56Z. Error Code: 0x80040154.
 
Error: (04/12/2016 12:38:26 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:38:26Z. Error Code: 0x80040154.
 
Error: (04/12/2016 12:37:42 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:37:42Z. Error Code: 0x80040154.
 
Error: (04/12/2016 12:37:12 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User: )
Description: Failed to schedule Software Protection service for re-start at 2116-03-19T19:37:12Z. Error Code: 0x80040154.
 

System errors:
=============
Error: (04/12/2016 12:39:42 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Sync Host_Session1 service terminated with the following error:
%%1753
 
Error: (04/12/2016 12:20:02 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Sync Host_Session2 service terminated with the following error:
%%1753
 
Error: (04/12/2016 12:15:48 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Sync Host_Session1 service terminated with the following error:
%%1753
 
Error: (04/12/2016 12:15:25 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Sync Host_Session1 service terminated with the following error:
%%1753
 
Error: (04/12/2016 12:14:29 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800f0922: Cumulative Update for Windows 10 for x64-based Systems (KB3140745).
 
Error: (04/12/2016 12:14:29 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800f0922: Security Update for Adobe Flash Player for Windows 10 for x64-based Systems (KB3144756).
 
Error: (04/12/2016 12:14:29 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800f0922: Update for Windows 10 for x64-based Systems (KB3125217).
 
Error: (04/12/2016 12:14:29 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800f0922: Cumulative Update for Windows 10 for x64-based Systems (KB3147461).
 
Error: (04/12/2016 12:14:29 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800f0922: Security Update for Adobe Flash Player for Windows 10 for x64-based Systems (KB3154132).
 
Error: (04/12/2016 12:13:09 PM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.
 

==================== Memory info ===========================
 
Processor: AMD Athlon™ II X4 645 Processor
Percentage of memory in use: 29%
Total physical RAM: 5886.05 MB
Available physical RAM: 4134.01 MB
Total Virtual: 6846.05 MB
Available Virtual: 4915.09 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.02 GB) (Free:899.94 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: EDD6888F)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

Well, like I said, every program I launch seems to inevitably become infected... so there's no real point in getting an antivirus atm. And considering I had Defender since the start, and it's been saying it's enabled, it's not reliable.

 

EDIT: BTW, the account tony is an account I made after the updates failed, to see if maybe making a new account would bring back the default settings. Turns out Edge / Start menu don't even open.


Edited by kistonw, 12 April 2016 - 03:52 PM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 April 2016 - 07:32 AM

Error found on your Addition.txt log.
Code 19: Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged

I suggest restoring to a Last Known Good Configuration.
Follow the instructions on this page.
https://technet.microsoft.com/en-us/library/cc772156(v=ws.10).aspx

When completed run the Farbar tool and post the new logs for my review.

Let me know what problem persists.

#15 kistonw

kistonw
  • Topic Starter

  • Banned
  • 49 posts

Posted 13 April 2016 - 08:02 AM

Error found on your Addition.txt log.
Code 19: Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged

I suggest restoring to a Last Known Good Configuration.
Follow the instructions on this page.
https://technet.microsoft.com/en-us/library/cc772156(v=ws.10).aspx

When completed run the Farbar tool and post the new logs for my review.

Let me know what problem persists.

You got it, just posting to let you know I'm here. I didn't delete the software, just uninstalled. Will edit this within the next 5

Welp, my bad, it's sitting at "getting Windows ready, don't turn off the pc". This was before it actually shut down. Will edit again in an hour.

OK, so I uninstalled the device, scanned for hardware changes, and it came up as an audio device under other devices before it sat at "getting Windows ready" when I restarted in safe mode. I just logged into Windows, but I assumed a recovery screen would pop up to prompt me to use the "last configuration" thing like in Windows 7. I've never used or seen that button in Windows 10, so did I do something wrong? I ran FRST, still in safe mode, but I didn't choose safe mode with networking.

Reboot into normal mode, rerun FRST and post?
Or reboot into safe mode with networking and post a safe-mode-run FRST log?

Edited by kistonw, 13 April 2016 - 09:39 AM.




