
msi log shows rootkit changing registry and cloaking itself


16 replies to this topic

#1 Tacohouse

  • Members
  • 44 posts
  • Gender:Male

Posted 29 October 2016 - 09:10 AM

All my saved logs have disappeared, and a lot of files are in a different location, have had their name changed, or are gone, either hidden or deleted; I'm not sure. When I go to run Malwarebytes Anti-Rootkit, a small window appears and says "registry affected by rootkit". I ran RKill and it shows that it had a lot of missing DLLs, and it stopped a couple of services. I don't have a name for what the rootkit is, but it is hidden. The MSI log file said "cloaking process complete", and one of the MSI log files I had that disappeared (I got a chance to look at a little bit of it before it disappeared) said that all the major changes would take place after reboot. I haven't rebooted yet.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-10-2016
Ran by Taco (administrator) on TACO (29-10-2016 09:06:35)
Running from C:\Users\Taco\Downloads
Loaded Profiles: Taco (Available Profiles: Taco & DefaultAppPool)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Electronic Arts) C:\Program Files (x86)\Origin\OriginWebHelperService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Ransomware\MB3Service.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Pixart Imaging Inc) C:\Windows\System32\TiltWheelMouse.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Ransomware\mbarw.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GlassWire.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MouseDriver] => C:\WINDOWS\system32\TiltWheelMouse.exe [241152 2013-04-09] (Pixart Imaging Inc)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8844032 2016-01-26] (Realtek Semiconductor)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-06] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes Anti-Ransomware] => C:\Program Files\Malwarebytes\Anti-Ransomware\mbarw.exe [722896 2016-08-26] (Malwarebytes)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2651088 2016-10-28] (Malwarebytes Corporation)
HKLM-x32\...\Run: [ZALFree] => C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe [8980016 2015-11-05] (Zemana Ltd.)
HKU\S-1-5-21-1823378645-228841874-2807899765-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8944344 2016-09-28] (Piriform Ltd)
HKU\S-1-5-21-1823378645-228841874-2807899765-1001\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\glasswire.exe [5736912 2016-10-13] (SecureMix LLC)
AppInit_DLLs: C:\PROGRA~2\KEYCRY~1\KEYCRY~4.DLL => C:\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll [95712 2015-11-05] (Zemana Ltd.)
AppInit_DLLs-x32: C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL => C:\Program Files (x86)\KeyCryptSDK\KeyCrypt32(1).dll [86936 2015-11-05] (Zemana Ltd.)
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{73109ce9-9d79-4dbd-a354-3cd32f3c6a60}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{e624cc4e-757d-4c2c-96ae-da83d9364f27}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =

FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-10-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-10-19] (Google Inc.)

Chrome:
=======
CHR HomePage: Default -> hxxps://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default [2016-10-29]
CHR Extension: (Google Slides) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-10-24]
CHR Extension: (Google Docs) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-10-24]
CHR Extension: (Google Drive) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-10-24]
CHR Extension: (YouTube) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-10-24]
CHR Extension: (Adblock Plus) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-10-26]
CHR Extension: (Google Sheets) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-10-24]
CHR Extension: (Google Docs Offline) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-10-24]
CHR Extension: (Avast Online Security) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-10-25]
CHR Extension: (Disconnect) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\jeoacafpbcihiomhlakheieifhpjdfeo [2016-10-29]
CHR Extension: (Ghostery) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-10-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-24]
CHR Extension: (Gmail) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-10-24]
CHR Extension: (Chrome Media Router) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-24]
CHR Extension: (Privacy Badger) - C:\Users\Taco\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkehgijcmpdhfbdbbnkijodmdjhbjlgp [2016-10-29]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [4344272 2016-10-13] (SecureMix LLC)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [354936 2016-01-14] (Intel Corporation)
R2 MB3Service; C:\Program Files\Malwarebytes\Anti-Ransomware\MB3Service.exe [3291088 2016-08-26] (Malwarebytes)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155088 2016-10-28] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2142728 2016-10-25] (Electronic Arts)
R2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [2209296 2016-10-25] (Electronic Arts)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ElcMouLFlt; C:\WINDOWS\System32\drivers\ElcMouLFlt.sys [28648 2015-09-11] (ELECOM)
R3 ElcMouUFlt; C:\WINDOWS\System32\drivers\ElcMouUFlt.sys [27624 2015-09-11] (ELECOM)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77416 2016-10-28] ()
R1 gwdrv; C:\WINDOWS\system32\DRIVERS\gwdrv.sys [33152 2015-05-28] (SecureMix LLC)
S3 iaStorB; C:\WINDOWS\System32\drivers\iaStorB.sys [559576 2015-05-20] (Intel Corporation)
S3 iaStorS; C:\WINDOWS\System32\drivers\iaStorS.sys [665592 2015-06-04] (Intel Corporation)
R3 keycrypt; C:\WINDOWS\System32\DRIVERS\KeyCrypt64.sys [143904 2015-11-05] (Zemana Ltd.)
R3 KillerEth; C:\WINDOWS\System32\drivers\e2xw10x64.sys [162120 2016-09-16] (Qualcomm Atheros, Inc.)
R0 MB3SwissArmy; C:\WINDOWS\System32\drivers\MB3SwissArmy.sys [228800 2016-10-29] (Malwarebytes)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [91072 2016-10-29] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-10-29] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
S0 megasas2i; C:\WINDOWS\System32\drivers\MegaSas2i.sys [64352 2016-10-05] (Avago Technologies)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 NIWinCDEmu; C:\WINDOWS\System32\drivers\NIWinCDEmu.sys [111696 2016-10-25] ()
S3 rccfg; C:\WINDOWS\System32\drivers\rccfg.sys [22552 2015-05-11] (AMD, Inc.)
S3 rcraid; C:\WINDOWS\System32\drivers\rcraid.sys [540184 2015-05-11] (AMD, Inc.)
R3 t_mouse.sys; C:\WINDOWS\system32\DRIVERS\t_mouse.sys [6144 2013-04-09] ()
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-10-29 09:06 - 2016-10-29 09:06 - 00013053 _____ C:\Users\Taco\Downloads\FRST.txt
2016-10-29 09:06 - 2016-10-29 09:06 - 00000000 ____D C:\FRST
2016-10-29 09:02 - 2016-10-29 09:06 - 02408448 _____ (Farbar) C:\Users\Taco\Downloads\FRST64.exe
2016-10-29 06:42 - 2016-10-29 06:50 - 00132922 _____ C:\TDSSKiller.3.1.0.11_29.10.2016_06.42.27_log.txt
2016-10-29 06:41 - 2016-10-29 06:42 - 00068758 _____ C:\TDSSKiller.3.1.0.11_29.10.2016_06.41.30_log.txt
2016-10-29 06:41 - 2016-10-29 06:41 - 04747704 _____ (AO Kaspersky Lab) C:\Users\Taco\Downloads\tdsskiller.exe
2016-10-29 06:41 - 2016-10-29 06:41 - 00250064 ____N (Kaspersky Lab, Yury Parshin) C:\WINDOWS\system32\Drivers\84091730.sys
2016-10-29 06:09 - 2016-10-29 06:55 - 00000000 ____D C:\Users\Taco\Desktop\mbar
2016-10-29 06:08 - 2016-10-29 06:09 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Taco\Downloads\mbar-1.09.3.1001.exe
2016-10-29 06:03 - 2016-10-29 06:42 - 00005536 _____ C:\Users\Taco\Desktop\Rkill.txt
2016-10-29 06:02 - 2016-10-29 06:03 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Taco\Downloads\iExplore.exe
2016-10-29 05:32 - 2016-10-29 05:32 - 00000000 ____D C:\Program Files\Killer Networking
2016-10-29 04:24 - 2016-10-29 06:21 - 00000000 ____D C:\Users\Taco\AppData\Local\CrashDumps
2016-10-29 03:33 - 2016-10-29 03:33 - 00001970 _____ C:\Users\Public\Desktop\GlassWire.lnk
2016-10-29 03:33 - 2016-10-29 03:33 - 00000000 ____D C:\Users\Taco\AppData\Local\GlassWire
2016-10-29 03:33 - 2016-10-29 03:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlassWire
2016-10-29 03:33 - 2016-10-29 03:33 - 00000000 ____D C:\ProgramData\GlassWire
2016-10-29 03:33 - 2016-10-29 03:33 - 00000000 ____D C:\Program Files (x86)\GlassWire
2016-10-29 03:33 - 2015-05-28 23:30 - 00008392 _____ C:\WINDOWS\system32\Drivers\gwdrv.cat
2016-10-29 03:33 - 2015-05-28 23:15 - 00033152 _____ (SecureMix LLC) C:\WINDOWS\system32\Drivers\gwdrv.sys
2016-10-29 03:25 - 2016-10-29 03:25 - 00228800 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MB3SwissArmy.sys
2016-10-29 03:25 - 2016-10-29 03:25 - 00091072 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2016-10-29 03:25 - 2016-10-29 03:25 - 00001946 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Ransomware.lnk
2016-10-29 03:25 - 2016-10-29 03:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-10-29 03:25 - 2016-10-29 03:25 - 00000000 ____D C:\ProgramData\MalwarebytesARW
2016-10-29 03:25 - 2016-10-29 03:25 - 00000000 ____D C:\Program Files\Malwarebytes
2016-10-29 03:17 - 2016-10-29 03:18 - 00066564 _____ C:\TDSSKiller.3.1.0.11_29.10.2016_03.17.37_log.txt
2016-10-29 03:14 - 2016-10-29 03:14 - 00001209 _____ C:\Users\Public\Desktop\AntiLogger Free.lnk
2016-10-29 03:14 - 2016-10-29 03:14 - 00000000 ____D C:\Users\Taco\AppData\Local\Zemana
2016-10-29 03:14 - 2016-10-29 03:14 - 00000000 ____D C:\Users\Taco\AppData\Local\AntiLogger Free
2016-10-29 03:14 - 2016-10-29 03:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiLogger Free
2016-10-29 03:14 - 2016-10-29 03:14 - 00000000 ____D C:\Program Files (x86)\Zemana AntiLogger Free
2016-10-29 03:14 - 2016-10-29 03:14 - 00000000 ____D C:\Program Files (x86)\KeyCryptSDK
2016-10-29 03:14 - 2015-11-05 15:00 - 00143904 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\KeyCrypt64.sys
2016-10-29 01:20 - 2016-10-29 01:26 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2016-10-28 22:20 - 2016-10-28 22:20 - 00000000 ____D C:\WINDOWS\Panther
2016-10-28 10:19 - 2016-10-28 10:19 - 00002846 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2016-10-28 10:19 - 2016-10-28 10:19 - 00000863 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-10-28 10:19 - 2016-10-28 10:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-10-28 10:19 - 2016-10-28 10:19 - 00000000 ____D C:\Program Files\CCleaner
2016-10-27 21:49 - 2016-10-27 21:49 - 00000020 ___SH C:\Users\DefaultAppPool\ntuser.ini
2016-10-27 21:49 - 2016-10-27 21:49 - 00000000 _SHDL C:\Users\DefaultAppPool\My Documents
2016-10-27 21:49 - 2016-10-27 21:49 - 00000000 _SHDL C:\Users\DefaultAppPool\Documents\My Videos
2016-10-27 21:49 - 2016-10-27 21:49 - 00000000 _SHDL C:\Users\DefaultAppPool\Documents\My Pictures
2016-10-27 21:49 - 2016-10-27 21:49 - 00000000 _SHDL C:\Users\DefaultAppPool\Documents\My Music
2016-10-27 21:49 - 2016-10-27 21:49 - 00000000 ____D C:\Users\DefaultAppPool
2016-10-27 16:48 - 2016-10-27 16:48 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2016-10-27 16:30 - 2016-10-27 16:30 - 00000000 ____D C:\Users\Taco\AppData\Roaming\Macromedia
2016-10-27 16:15 - 2016-10-27 16:15 - 00000000 ____D C:\WINDOWS\system32\appmgmt
2016-10-26 01:23 - 2016-10-26 01:23 - 00000000 ____D C:\Users\Public\Documents\Celemony
2016-10-25 23:40 - 2016-10-25 23:40 - 00000000 ____D C:\Users\Taco\AppData\Local\Native Instruments
2016-10-25 23:39 - 2016-10-25 23:39 - 00000000 __HDC C:\ProgramData\{3A633AE9-5307-4E4D-ACED-C8739F84CB10}
2016-10-25 23:37 - 2016-10-25 23:37 - 00000000 __HDC C:\ProgramData\{A4240964-232B-4D4C-AE9F-AB84A9948A34}
2016-10-25 23:36 - 2016-10-25 23:36 - 00000000 __HDC C:\ProgramData\{0CF1F946-2AAE-48A9-BD6C-DF71FE72E1D1}
2016-10-25 23:34 - 2016-10-25 23:34 - 00001117 _____ C:\Users\Public\Desktop\Guitar Rig 5.lnk
2016-10-25 23:34 - 2016-10-25 23:34 - 00000000 __HDC C:\ProgramData\{DA31E3B5-AD7E-4759-A162-75CF964B70AC}
2016-10-25 23:25 - 2016-10-25 23:40 - 00000000 ____D C:\Users\Taco\Documents\Native Instruments
2016-10-25 23:25 - 2016-10-25 23:39 - 00000000 ____D C:\Users\Public\Documents\Guitar Rig 5 Player MFXP
2016-10-25 23:25 - 2016-10-25 23:25 - 00000000 __HDC C:\ProgramData\{F21A5765-AACF-4530-991E-CE1346273F96}
2016-10-25 23:25 - 2016-10-25 23:25 - 00000000 __HDC C:\ProgramData\{A2B67EC8-CE44-4813-AAC0-BACC1FAF50BE}
2016-10-25 23:25 - 2016-10-25 23:25 - 00000000 __HDC C:\ProgramData\{00E0164B-B182-4800-96DA-F8D39B3A7189}
2016-10-25 23:25 - 2016-10-25 23:25 - 00000000 ____D C:\Users\Public\Documents\Reaktor Factory Selection
2016-10-25 23:24 - 2016-10-25 23:37 - 00001082 _____ C:\Users\Public\Desktop\Reaktor 5.lnk
2016-10-25 23:24 - 2016-10-25 23:36 - 00001087 _____ C:\Users\Public\Desktop\Kontakt 5.lnk
2016-10-25 23:24 - 2016-10-25 23:25 - 00000000 ____D C:\Users\Public\Documents\Kontakt Factory Selection Library
2016-10-25 23:24 - 2016-10-25 23:24 - 00000000 __HDC C:\ProgramData\{A9158F4E-7914-4019-808A-D4D4993E9958}
2016-10-25 23:22 - 2016-10-25 23:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Native Instruments
2016-10-25 23:22 - 2016-10-25 23:37 - 00000000 ____D C:\Program Files\Vstplugins
2016-10-25 23:22 - 2016-10-25 23:37 - 00000000 ____D C:\Program Files\Native Instruments
2016-10-25 23:22 - 2016-10-25 23:33 - 00000000 ____D C:\Program Files\Common Files\Native Instruments
2016-10-25 23:22 - 2016-10-25 23:22 - 00001132 _____ C:\Users\Public\Desktop\Service Center.lnk
2016-10-25 23:22 - 2016-10-25 23:22 - 00000000 __HDC C:\ProgramData\{95B4F0ED-951F-4D36-B068-5EC1C4C19C14}
2016-10-25 23:22 - 2016-10-25 23:22 - 00000000 ____D C:\ProgramData\Native Instruments
2016-10-25 23:19 - 2016-10-25 23:19 - 00111696 _____ C:\WINDOWS\system32\Drivers\NIWinCDEmu.sys
2016-10-25 23:19 - 2016-10-25 23:19 - 00000000 ____D C:\Program Files (x86)\Native Instruments
2016-10-25 23:17 - 2016-10-25 23:17 - 00001089 _____ C:\Users\Taco\Desktop\PreSonus Universal Control.lnk
2016-10-25 23:17 - 2016-10-25 23:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PreSonus
2016-10-25 23:05 - 2016-10-26 01:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Celemony
2016-10-25 23:05 - 2016-10-26 01:23 - 00000000 ____D C:\Program Files\Common Files\Celemony
2016-10-25 23:05 - 2016-10-26 01:23 - 00000000 ____D C:\Program Files\Celemony
2016-10-25 23:05 - 2016-10-26 01:23 - 00000000 ____D C:\Program Files (x86)\Celemony
2016-10-25 23:05 - 2016-10-25 23:05 - 00000000 ____D C:\ProgramData\Celemony Software GmbH
2016-10-25 23:05 - 2016-10-25 23:05 - 00000000 ____D C:\Program Files\Common Files\VST3
2016-10-25 23:05 - 2016-10-25 23:05 - 00000000 ____D C:\Program Files\Common Files\VST2
2016-10-25 23:05 - 2016-10-25 23:05 - 00000000 ____D C:\Program Files\Common Files\Avid
2016-10-25 23:04 - 2016-10-25 23:04 - 00000000 ____D C:\ProgramData\Temporary
2016-10-25 22:59 - 2016-10-26 01:17 - 00000000 ____D C:\Users\Taco\Documents\Studio One
2016-10-25 22:57 - 2016-10-25 22:59 - 00000000 ____D C:\ProgramData\PreSonus
2016-10-25 22:57 - 2016-10-25 22:57 - 00001048 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Studio One 3 x64.lnk
2016-10-25 22:57 - 2016-10-25 22:57 - 00001036 _____ C:\Users\Public\Desktop\Studio One 3 x64.lnk
2016-10-25 22:57 - 2016-10-25 22:57 - 00000000 ____D C:\Users\Taco\AppData\Roaming\PreSonus
2016-10-25 22:57 - 2016-03-17 07:28 - 00125872 _____ (GEAR Software Inc.) C:\WINDOWS\system32\GEARAspi64.dll
2016-10-25 22:57 - 2016-03-17 07:28 - 00106928 _____ (GEAR Software Inc.) C:\WINDOWS\SysWOW64\GEARAspi.dll
2016-10-25 22:57 - 2016-03-17 07:28 - 00034472 _____ (GEAR Software Inc.) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2016-10-25 22:56 - 2016-10-25 23:17 - 00000000 ____D C:\Program Files\PreSonus
2016-10-25 22:56 - 2016-10-25 23:05 - 00000000 ____D C:\Program Files\Common Files\Propellerhead Software
2016-10-25 22:52 - 2016-10-25 22:52 - 00001062 _____ C:\Users\Public\Desktop\Origin.lnk
2016-10-25 22:52 - 2016-10-25 22:52 - 00000000 ____D C:\Users\Taco\AppData\Roaming\Origin
2016-10-25 22:52 - 2016-10-25 22:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Origin
2016-10-25 22:52 - 2016-10-25 22:52 - 00000000 ____D C:\Program Files (x86)\Origin
2016-10-25 22:49 - 2016-10-25 22:52 - 00000000 ____D C:\ProgramData\Origin
2016-10-25 22:49 - 2016-10-25 22:49 - 00000000 ____D C:\Users\Taco\AppData\Local\Origin
2016-10-25 22:49 - 2016-10-25 22:49 - 00000000 ____D C:\Users\Taco\.QtWebEngineProcess
2016-10-25 22:49 - 2016-10-25 22:49 - 00000000 ____D C:\Users\Taco\.Origin
2016-10-25 21:38 - 2016-10-25 21:38 - 00003632 _____ C:\WINDOWS\System32\Tasks\CreateExplorerShellUnelevatedTask
2016-10-25 21:38 - 2016-10-25 21:38 - 00001477 _____ C:\DelFix.txt
2016-10-25 21:38 - 2016-10-25 21:38 - 00000000 ____D C:\WINDOWS\ERUNT
2016-10-25 18:45 - 2016-10-25 18:46 - 00000000 _____ C:\Recovery.txt
2016-10-25 16:30 - 2016-10-25 16:30 - 00000000 ____D C:\Users\Taco\AppData\LocalLow\Adobe
2016-10-25 16:30 - 2016-10-25 16:30 - 00000000 ____D C:\Users\Taco\AppData\Local\CEF
2016-10-25 16:29 - 2016-10-27 16:15 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-10-25 16:28 - 2016-10-25 16:30 - 00000000 ____D C:\Users\Taco\AppData\Local\Adobe
2016-10-25 15:56 - 2016-10-25 15:56 - 00002385 _____ C:\Users\Public\Desktop\IntelProcessor Diagnostic Tool 64bit.lnk
2016-10-25 15:56 - 2016-10-25 15:56 - 00000000 ____D C:\Users\Taco\AppData\Local\Downloaded Installations
2016-10-25 15:56 - 2016-10-25 15:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel Corporation
2016-10-25 15:56 - 2016-10-25 15:56 - 00000000 ____D C:\Program Files\Intel Corporation
2016-10-24 22:43 - 2016-10-24 22:43 - 00000000 ____D C:\WINDOWS\SysWOW64\BestPractices
2016-10-24 22:43 - 2016-10-24 22:43 - 00000000 ____D C:\WINDOWS\system32\BestPractices
2016-10-24 22:43 - 2016-10-24 22:43 - 00000000 ____D C:\inetpub
2016-10-22 14:41 - 2016-10-22 14:41 - 00008192 _____ C:\WINDOWS\system32\config\userdiff
2016-10-22 14:41 - 2016-10-22 14:41 - 00000000 ____D C:\Program Files\Reference Assemblies
2016-10-22 14:41 - 2016-10-22 14:41 - 00000000 ____D C:\Program Files\MSBuild
2016-10-22 14:41 - 2016-10-22 14:41 - 00000000 ____D C:\Program Files (x86)\Reference Assemblies
2016-10-22 14:41 - 2016-10-22 14:41 - 00000000 ____D C:\Program Files (x86)\MSBuild
2016-10-22 14:41 - 2016-05-25 17:31 - 01166520 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationNative_v0300.dll
2016-10-22 14:41 - 2016-05-25 17:31 - 00124624 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2016-10-22 14:41 - 2016-05-25 17:31 - 00035480 _____ (Microsoft Corporation) C:\WINDOWS\system32\TsWpfWrp.exe
2016-10-22 14:41 - 2016-05-25 14:03 - 00778936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationNative_v0300.dll
2016-10-22 14:41 - 2016-05-25 14:03 - 00103120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2016-10-22 14:41 - 2016-05-25 14:03 - 00035480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TsWpfWrp.exe
2016-10-22 11:51 - 2016-10-22 11:51 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2016-10-22 11:50 - 2016-10-22 21:59 - 00000000 ____D C:\Users\Taco\AppData\Local\ConnectedDevicesPlatform
2016-10-22 11:50 - 2016-10-22 11:50 - 00000020 ___SH C:\Users\Taco\ntuser.ini
2016-10-22 11:48 - 2016-10-22 11:48 - 00000000 _SHDL C:\Users\Default\My Documents
2016-10-22 11:48 - 2016-10-22 11:48 - 00000000 _SHDL C:\Users\Default\Documents\My Videos
2016-10-22 11:48 - 2016-10-22 11:48 - 00000000 _SHDL C:\Users\Default\Documents\My Pictures
2016-10-22 11:48 - 2016-10-22 11:48 - 00000000 _SHDL C:\Users\Default\Documents\My Music
2016-10-22 11:48 - 2016-10-22 11:48 - 00000000 _SHDL C:\Users\Default User\Documents\My Videos
2016-10-22 11:48 - 2016-10-22 11:48 - 00000000 _SHDL C:\Users\Default User\Documents\My Pictures
2016-10-22 11:48 - 2016-10-22 11:48 - 00000000 _SHDL C:\Users\Default User\Documents\My Music
2016-10-22 11:47 - 2016-10-28 22:26 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-10-22 11:47 - 2016-10-22 11:47 - 00007623 _____ C:\WINDOWS\diagwrn.xml
2016-10-22 11:47 - 2016-10-22 11:47 - 00007623 _____ C:\WINDOWS\diagerr.xml
2016-10-22 11:47 - 2016-10-22 11:47 - 00003416 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-10-22 11:47 - 2016-10-22 11:47 - 00003192 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-10-22 11:47 - 2016-10-22 11:47 - 00002820 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task
2016-10-22 11:47 - 2016-10-22 11:47 - 00000000 ____D C:\WINDOWS\System32\Tasks\Safer-Networking
2016-10-22 11:47 - 2016-10-22 11:47 - 00000000 ____D C:\ProgramData\USOShared
2016-10-22 11:46 - 2016-10-22 11:46 - 00022744 _____ C:\WINDOWS\system32\emptyregdb.dat
2016-10-22 11:45 - 2016-10-22 11:45 - 00001519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-10-22 11:45 - 2016-07-16 06:41 - 02716672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2016-10-22 11:44 - 2016-10-28 22:31 - 01266942 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-10-22 11:44 - 2016-10-25 22:49 - 00000000 ____D C:\Users\Taco
2016-10-22 11:44 - 2016-10-22 11:46 - 00000000 ____D C:\WINDOWS\system32\config\bbimigrate
2016-10-22 11:44 - 2016-10-22 11:44 - 00932736 _____ C:\WINDOWS\SysWOW64\PerfStringBackup.INI
2016-10-22 11:44 - 2016-10-22 11:44 - 00000000 _SHDL C:\Users\Taco\My Documents
2016-10-22 11:44 - 2016-10-22 11:44 - 00000000 _SHDL C:\Users\Taco\Documents\My Videos
2016-10-22 11:44 - 2016-10-22 11:44 - 00000000 _SHDL C:\Users\Taco\Documents\My Pictures
2016-10-22 11:44 - 2016-10-22 11:44 - 00000000 _SHDL C:\Users\Taco\Documents\My Music
2016-10-22 11:43 - 2016-10-29 08:59 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2016-10-22 11:43 - 2016-10-29 05:15 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-10-22 11:43 - 2016-10-22 11:45 - 00000000 ____D C:\Program Files\Intel
2016-10-22 11:43 - 2016-10-22 11:43 - 00000200 _____ C:\WINDOWS\system32\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat
2016-10-22 11:43 - 2016-10-22 11:43 - 00000000 ____D C:\WINDOWS\SysWOW64\RTCOM
2016-10-22 11:43 - 2016-10-22 11:43 - 00000000 ____D C:\WINDOWS\ServiceProfiles
2016-10-22 11:43 - 2016-10-22 11:43 - 00000000 ____D C:\Program Files\Realtek
2016-10-22 11:43 - 2016-01-14 17:33 - 00082432 _____ (Khronos Group) C:\WINDOWS\system32\OpenCL.DLL
2016-10-22 11:00 - 2016-10-22 11:12 - 00000000 ____D C:\ESD
2016-10-22 02:23 - 2016-10-29 06:55 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-10-21 17:18 - 2016-10-22 03:19 - 00007597 _____ C:\Users\Taco\AppData\Local\Resmon.ResmonCfg
2016-10-21 16:33 - 2016-10-26 18:08 - 00000000 ____D C:\WINDOWS\pss
2016-10-20 15:38 - 2016-10-26 18:29 - 00001166 _____ C:\Users\Public\Desktop\Spybot Anti-Beacon.lnk
2016-10-20 15:38 - 2016-10-22 11:46 - 00000000 ____D C:\WINDOWS\SysWOW64\PolicyDefinitions
2016-10-20 15:38 - 2016-10-22 11:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot Anti-Beacon
2016-10-20 15:38 - 2016-10-20 15:38 - 00000000 ____D C:\Program Files (x86)\Spybot Anti-Beacon
2016-10-20 12:22 - 2016-10-20 12:22 - 00000000 ____D C:\Users\Taco\AppData\Roaming\Skype
2016-10-19 23:32 - 2016-10-19 23:32 - 00000000 ____D C:\Program Files (x86)\Realtek
2016-10-19 23:30 - 2016-10-25 23:35 - 00000000 ____D C:\ProgramData\Package Cache
2016-10-19 23:18 - 2016-10-19 23:18 - 00000000 ____D C:\Users\Taco\AppData\Roaming\Intel Corporation
2016-10-19 23:18 - 2016-10-19 23:18 - 00000000 ____D C:\ProgramData\Intel
2016-10-19 23:15 - 2016-10-19 23:15 - 00000000 ____D C:\Users\Taco\Intel
2016-10-19 23:10 - 2016-10-25 16:25 - 00025640 ____N (Windows ® Server 2003 DDK provider) C:\WINDOWS\gdrv.sys
2016-10-19 23:10 - 2016-10-22 11:46 - 00000000 ____D C:\WINDOWS\SysWOW64\GBT_DL_OBJ
2016-10-19 23:10 - 2016-10-19 23:10 - 00019422 _____ C:\WINDOWS\system32\results.xml
2016-10-19 22:40 - 2016-10-19 21:52 - 00000000 ___HD C:\Program Files (x86)\Temp
2016-10-19 22:40 - 2016-01-06 03:23 - 02826832 ____R (Realtek Semiconductor Corp.) C:\WINDOWS\RtlExUpd.dll
2016-10-19 22:35 - 2016-10-19 22:35 - 00000000 ____D C:\ProgramData\Downloaded Installations
2016-10-19 22:35 - 2016-10-19 22:35 - 00000000 _____ C:\Users\Taco\AppData\Local\Driver_LOM_8161Present.flag
2016-10-19 22:32 - 2016-10-19 22:32 - 00000724 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® HD Graphics Control Panel.lnk
2016-10-19 22:32 - 2016-10-19 22:32 - 00000712 _____ C:\Users\Public\Desktop\Intel® HD Graphics Control Panel.lnk
2016-10-19 22:28 - 2016-10-29 04:24 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-10-19 22:28 - 2016-10-24 21:41 - 00000000 ____D C:\Program Files (x86)\Gigabyte
2016-10-19 22:22 - 2016-10-29 03:29 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2016-10-19 22:22 - 2016-10-28 17:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2016-10-19 22:22 - 2016-10-28 17:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Exploit
2016-10-19 22:21 - 2016-10-29 06:04 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-10-19 22:21 - 2016-10-26 18:09 - 00001171 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-10-19 22:21 - 2016-10-22 11:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-10-19 22:21 - 2016-10-19 22:21 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-10-19 22:21 - 2016-10-19 22:21 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-10-19 22:21 - 2016-03-10 16:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-10-19 22:21 - 2016-03-10 16:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-10-19 22:21 - 2016-03-10 16:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-10-19 22:04 - 2016-10-28 23:34 - 00000000 ____D C:\Users\Taco\AppData\Roaming\Kodi
2016-10-19 22:03 - 2016-10-22 11:46 - 00000000 ____D C:\Users\Taco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kodi
2016-10-19 22:03 - 2016-10-19 22:03 - 00000000 ____D C:\Program Files (x86)\Kodi
2016-10-19 22:02 - 2016-10-22 11:45 - 00000000 ____D C:\WINDOWS\system32\asg
2016-10-19 22:02 - 2016-10-22 11:27 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-10-19 22:02 - 2016-10-22 11:27 - 00002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-10-19 22:02 - 2016-10-22 11:07 - 00000904 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-10-19 22:02 - 2016-10-22 09:52 - 00000900 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-10-19 22:02 - 2016-10-19 22:11 - 00000000 ____D C:\Users\Taco\AppData\Local\Google
2016-10-19 22:02 - 2016-10-19 22:02 - 00000000 ____D C:\WINDOWS\SXSBack
2016-10-19 22:02 - 2016-10-19 22:02 - 00000000 ____D C:\Program Files (x86)\Google
2016-10-19 21:58 - 2016-10-19 22:02 - 00000000 ____D C:\Users\Taco\AppData\Local\MicrosoftEdge
2016-10-19 21:56 - 2016-10-19 21:56 - 00000000 ____D C:\Users\Taco\AppData\Local\PeerDistRepub
2016-10-19 21:52 - 2016-10-28 00:52 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2016-10-19 21:51 - 2016-01-26 21:04 - 03195648 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RtPgEx64.dll
2016-10-19 21:51 - 2016-01-26 21:04 - 02894976 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RTSnMg64.cpl
2016-10-19 21:51 - 2016-01-26 21:04 - 00532384 _____ (SRS Labs, Inc.) C:\WINDOWS\system32\SRSTSX64.dll
2016-10-19 21:51 - 2016-01-26 21:04 - 00221968 _____ (SRS Labs, Inc.) C:\WINDOWS\system32\SRSTSH64.dll
2016-10-19 21:51 - 2016-01-26 21:04 - 00209536 _____ (SRS Labs, Inc.) C:\WINDOWS\system32\SRSHP64.dll
2016-10-19 21:51 - 2016-01-26 21:04 - 00166208 _____ (SRS Labs, Inc.) C:\WINDOWS\system32\SRSWOW64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 04779776 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\Drivers\RTKVHD64.sys
2016-10-19 21:51 - 2016-01-26 21:03 - 03769493 _____ C:\WINDOWS\system32\Drivers\RTAIODAT.DAT
2016-10-19 21:51 - 2016-01-26 21:03 - 03283248 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RtkApi64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 03282032 _____ (Fortemedia Corporation) C:\WINDOWS\system32\FMAPO64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 03080784 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RltkAPO64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 02050184 _____ (Waves Audio Ltd.) C:\WINDOWS\system32\MaxxAudioEQ64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 02036992 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RCoInstII64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 01977072 _____ (Creative Technology Ltd.) C:\WINDOWS\system32\MBAPO264.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 01743632 _____ (Creative Technology Ltd.) C:\WINDOWS\SysWOW64\MBAPO232.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 01356504 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RTCOM64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00574760 _____ (Andrea Electronics Corporation) C:\WINDOWS\system32\AERTAC64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00410040 _____ (Creative Technology Ltd.) C:\WINDOWS\system32\MBWrp64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00387320 _____ (Dolby Laboratories, Inc.) C:\WINDOWS\system32\RTEEP64A.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00343712 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RtlCPAPI64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00330568 _____ (Waves Audio Ltd.) C:\WINDOWS\system32\MaxxAudioAPO20.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00321720 _____ (Dolby Laboratories, Inc.) C:\WINDOWS\system32\RP3DHT64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00321720 _____ (Dolby Laboratories, Inc.) C:\WINDOWS\system32\RP3DAA64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00214840 _____ (Dolby Laboratories, Inc.) C:\WINDOWS\system32\RTEED64A.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00192992 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RtkCfg64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00122320 _____ (Real Sound Lab SIA) C:\WINDOWS\system32\CONEQMSAPOGUILibrary.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00118600 _____ (Andrea Electronics Corporation) C:\WINDOWS\system32\AERTAR64.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00110992 _____ (Dolby Laboratories, Inc.) C:\WINDOWS\system32\RTEEL64A.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00088352 _____ (Dolby Laboratories, Inc.) C:\WINDOWS\system32\RTEEG64A.dll
2016-10-19 21:51 - 2016-01-26 21:03 - 00041096 _____ (Creative Technology Ltd.) C:\WINDOWS\system32\Drivers\MBfilt64.sys
2016-10-19 21:51 - 2016-01-26 21:03 - 00023704 _____ (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RtkCoLDR64.dll
2016-10-19 21:49 - 2016-10-19 21:50 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-10-19 21:49 - 2016-10-19 21:49 - 143495576 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-10-19 21:49 - 2016-10-19 21:49 - 00000000 _____ C:\WINDOWS\system32\GfxValDisplayLog.bin
2016-10-19 21:47 - 2016-06-30 22:57 - 00059392 _____ (Microsoft Corporation) C:\WINDOWS\system32\cdpreference.exe
2016-10-19 21:47 - 2016-06-30 22:40 - 00034304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Speech.Pal.dll
2016-10-19 21:41 - 2016-10-29 05:15 - 00000000 __SHD C:\Users\Taco\IntelGraphicsProfiles
2016-10-19 21:41 - 2016-10-19 22:31 - 00000000 ____D C:\Intel
2016-10-19 21:41 - 2016-10-19 21:41 - 00000000 ____D C:\Program Files (x86)\Intel
2016-10-19 21:18 - 2016-10-19 21:18 - 00000000 ____D C:\Users\Taco\AppData\Local\Comms
2016-10-19 21:09 - 2016-10-19 21:09 - 00000000 ____D C:\Users\Taco\AppData\Local\ActiveSync
2016-10-19 21:08 - 2016-10-22 11:51 - 00002360 _____ C:\Users\Taco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-10-19 21:08 - 2016-10-22 11:51 - 00000000 ___RD C:\Users\Taco\OneDrive
2016-10-19 21:07 - 2016-10-28 10:26 - 00000000 ____D C:\Users\Taco\AppData\Local\Packages
2016-10-19 21:07 - 2016-10-27 17:31 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-10-19 21:07 - 2016-10-25 16:30 - 00000000 ____D C:\Users\Taco\AppData\Roaming\Adobe
2016-10-19 21:07 - 2016-10-19 21:07 - 00000000 ____D C:\Users\Taco\AppData\Local\VirtualStore
2016-10-19 21:07 - 2016-10-19 21:07 - 00000000 ____D C:\Users\Taco\AppData\Local\TileDataLayer
2016-10-19 21:07 - 2016-10-19 21:07 - 00000000 ____D C:\Users\Taco\AppData\Local\Publishers
2016-10-19 21:04 - 2016-10-19 21:04 - 00000000 _SHDL C:\Users\Public\Documents\My Videos
2016-10-19 21:04 - 2016-10-19 21:04 - 00000000 _SHDL C:\Users\Public\Documents\My Pictures
2016-10-19 21:04 - 2016-10-19 21:04 - 00000000 _SHDL C:\Users\Public\Documents\My Music
2016-10-19 21:04 - 2016-10-19 21:04 - 00000000 _SHDL C:\Users\Default.migrated\Documents\My Videos
2016-10-19 21:04 - 2016-10-19 21:04 - 00000000 _SHDL C:\Users\Default.migrated\Documents\My Pictures
2016-10-19 21:04 - 2016-10-19 21:04 - 00000000 _SHDL C:\Users\Default.migrated\Documents\My Music
2016-10-19 21:04 - 2016-10-19 21:04 - 00000000 _SHDL C:\Documents and Settings

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-10-29 07:40 - 2016-07-16 06:45 - 00000000 ____D C:\WINDOWS\INF
2016-10-29 04:25 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-10-28 22:20 - 2016-07-16 01:04 - 00131072 _____ C:\WINDOWS\system32\config\BBI
2016-10-28 21:00 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\rescache
2016-10-28 16:11 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-10-28 10:26 - 2016-07-16 06:47 - 00000000 ___HD C:\Program Files\WindowsApps
2016-10-28 10:24 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2016-10-27 17:30 - 2016-07-16 06:47 - 00015425 _____ C:\WINDOWS\system32\OEMDefaultAssociations.xml
2016-10-27 17:30 - 2016-07-16 06:47 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-10-27 17:30 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2016-10-27 17:30 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\oobe
2016-10-27 17:30 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-10-27 17:30 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2016-10-27 16:11 - 2016-07-16 06:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-10-25 22:52 - 2016-07-16 06:47 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-10-24 22:43 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\SysWOW64\inetsrv
2016-10-24 22:43 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2016-10-24 18:30 - 2016-07-16 06:49 - 00828408 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-10-24 18:30 - 2016-07-16 06:49 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-10-22 14:43 - 2016-07-16 06:47 - 00028672 _____ C:\WINDOWS\system32\config\BCD-Template
2016-10-22 14:41 - 2016-07-16 06:44 - 00172032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iisRtl.dll
2016-10-22 14:41 - 2016-07-16 06:44 - 00050688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\admwprox.dll
2016-10-22 14:41 - 2016-07-16 06:44 - 00026112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ahadmin.dll
2016-10-22 14:41 - 2016-07-16 06:44 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iisreset.exe
2016-10-22 14:41 - 2016-07-16 06:44 - 00011264 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wamregps.dll
2016-10-22 14:41 - 2016-07-16 06:44 - 00010240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iisrstap.dll
2016-10-22 14:41 - 2016-07-16 06:43 - 00203776 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisRtl.dll
2016-10-22 14:41 - 2016-07-16 06:43 - 00055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\admwprox.dll
2016-10-22 14:41 - 2016-07-16 06:43 - 00053248 _____ (Microsoft Corporation) C:\WINDOWS\system32\ahadmin.dll
2016-10-22 14:41 - 2016-07-16 06:43 - 00019456 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisreset.exe
2016-10-22 14:41 - 2016-07-16 06:43 - 00015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wamregps.dll
2016-10-22 14:41 - 2016-07-16 06:43 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisrstap.dll
2016-10-22 13:44 - 2016-07-16 09:29 - 00000000 ____D C:\Program Files\Windows Defender Advanced Threat Protection
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ___SD C:\WINDOWS\SysWOW64\F12
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ___SD C:\WINDOWS\system32\F12
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ___SD C:\WINDOWS\system32\dsc
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ___SD C:\WINDOWS\system32\DiagSvcs
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ___RD C:\Program Files\Windows Defender
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\SysWOW64\setup
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\setup
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\migwiz
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\lv-LV
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\lt-LT
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\et-EE
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\es-MX
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\en-GB
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\ShellExperiences
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\Provisioning
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\bcastdvr
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2016-10-22 13:44 - 2016-07-16 06:47 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2016-10-22 13:44 - 2016-07-16 01:04 - 00000000 ____D C:\WINDOWS\SysWOW64\Dism
2016-10-22 13:44 - 2016-07-16 01:04 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2016-10-22 13:44 - 2016-07-16 01:04 - 00000000 ____D C:\WINDOWS\system32\Dism
2016-10-22 11:47 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\WinBioDatabase
2016-10-22 11:47 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\Registration
2016-10-22 11:47 - 2016-07-16 06:47 - 00000000 ____D C:\ProgramData\USOPrivate
2016-10-22 11:47 - 2016-07-16 01:04 - 00032768 _____ C:\WINDOWS\system32\config\ELAM
2016-10-22 11:47 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\Tasks_Migrated
2016-10-22 11:46 - 2016-07-16 06:47 - 00000000 __RHD C:\Users\Public\Libraries
2016-10-22 11:45 - 2016-07-16 09:15 - 00000000 ____D C:\WINDOWS\OCR
2016-10-22 11:45 - 2016-07-16 09:14 - 00000000 ____D C:\WINDOWS\SysWOW64\winrm
2016-10-22 11:45 - 2016-07-16 09:14 - 00000000 ____D C:\WINDOWS\SysWOW64\WCN
2016-10-22 11:45 - 2016-07-16 09:14 - 00000000 ____D C:\WINDOWS\SysWOW64\slmgr
2016-10-22 11:45 - 2016-07-16 09:14 - 00000000 ____D C:\WINDOWS\SysWOW64\Printing_Admin_Scripts
2016-10-22 11:45 - 2016-07-16 09:14 - 00000000 ____D C:\WINDOWS\system32\winrm
2016-10-22 11:45 - 2016-07-16 09:14 - 00000000 ____D C:\WINDOWS\system32\WCN
2016-10-22 11:45 - 2016-07-16 09:14 - 00000000 ____D C:\WINDOWS\system32\slmgr
2016-10-22 11:45 - 2016-07-16 09:14 - 00000000 ____D C:\WINDOWS\system32\Printing_Admin_Scripts
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ___SD C:\WINDOWS\SysWOW64\DiagSvcs
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\SysWOW64\oobe
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\SysWOW64\MUI
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\SysWOW64\es-MX
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\spool
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\MUI
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\IME
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\Help
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-10-22 11:45 - 2016-07-16 06:47 - 00000000 ____D C:\Program Files\Common Files\System
2016-10-22 11:45 - 2015-11-19 05:38 - 00000000 ____D C:\WINDOWS\SysWOW64\XPSViewer
2016-10-22 11:45 - 2015-10-30 01:28 - 00000000 ____D C:\Users\Default.migrated
2016-10-22 11:43 - 2016-07-16 06:47 - 00000000 ___RD C:\WINDOWS\PrintDialog
2016-10-22 11:43 - 2016-07-16 06:47 - 00000000 ___RD C:\WINDOWS\MiracastView
2016-10-22 09:55 - 2015-11-19 05:45 - 00824976 _____ C:\WINDOWS\system32\prfh0416.dat
2016-10-22 09:55 - 2015-11-19 05:45 - 00166606 _____ C:\WINDOWS\system32\prfc0416.dat
2016-10-22 09:55 - 2015-11-19 05:42 - 00856164 _____ C:\WINDOWS\system32\perfh00C.dat
2016-10-22 09:55 - 2015-11-19 05:42 - 00168936 _____ C:\WINDOWS\system32\perfc00C.dat
2016-10-22 09:55 - 2015-11-19 05:38 - 00850256 _____ C:\WINDOWS\system32\perfh00A.dat
2016-10-22 09:55 - 2015-11-19 05:38 - 00175102 _____ C:\WINDOWS\system32\perfc00A.dat
2016-10-19 21:44 - 2015-10-30 02:19 - 00635904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqsnap.dll
2016-10-19 21:44 - 2015-10-30 02:19 - 00014848 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqcertui.dll
2016-10-19 21:06 - 2015-11-19 06:06 - 00000000 ____D C:\WINDOWS\CSC

==================== Files in the root of some directories =======

2016-10-19 22:35 - 2016-10-19 22:35 - 0000000 _____ () C:\Users\Taco\AppData\Local\Driver_LOM_8161Present.flag
2016-10-21 17:18 - 2016-10-22 03:19 - 0007597 _____ () C:\Users\Taco\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-10-22 11:43

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 29-10-2016
Ran by Taco (29-10-2016 09:06:59)
Running from C:\Users\Taco\Downloads
Windows 10 Pro Version 1607 (X64) (2016-10-22 16:48:13)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1823378645-228841874-2807899765-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1823378645-228841874-2807899765-503 - Limited - Disabled)
Guest (S-1-5-21-1823378645-228841874-2807899765-501 - Limited - Disabled)
Taco (S-1-5-21-1823378645-228841874-2807899765-1001 - Administrator - Enabled) => C:\Users\Taco

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AntiLogger Free version 1.8.2.320 (HKLM-x32\...\{A80DB23D-0618-405B-89D9-28F99814E287}_is1) (Version: 1.8.2.320 - Zemana Ltd.)
CCleaner (HKLM\...\CCleaner) (Version: 5.23 - Piriform)
GlassWire 1.2 (remove only) (HKLM-x32\...\GlassWire 1.2) (Version: 1.2.76 - SecureMix LLC)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 54.0.2840.71 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
Intel Processor Diagnostic Tool 64bit (HKLM\...\{E8EB0A84-C19C-4520-8671-56D4D4123D37}) (Version: 3.0.0.25 - Intel Corporation)
Intel® Chipset Device Software (x32 Version: 10.0.26 - Intel® Corporation) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4364 - Intel Corporation)
Killer Drivers (HKLM\...\{0C4F7310-A64A-49CD-BBE1-D979902342B7}) (Version: 1.0.750 - Rivet Networks)
Kodi (HKU\S-1-5-21-1823378645-228841874-2807899765-1001\...\Kodi) (Version: - XBMC-Foundation)
Malwarebytes Anti-Exploit version 1.9.1.1235 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.9.1.1235 - Malwarebytes)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Malwarebytes Anti-Ransomware version 0.9.17.661 (HKLM\...\{6CA75021-FBB0-41A5-B95C-FC1C9E0421F0}_is1) (Version: 0.9.17.661 - Malwarebytes)
Melodyne 4 (HKLM-x32\...\{16DF894D-FC3F-4B87-908D-671E201CD7A8}) (Version: 4.00.0203 - Celemony Software GmbH)
Melodyne Runtime 4.1 (x64) (HKLM\...\{721E4E34-AF7C-4345-93F9-282CCC8CCCB5}) (Version: 1.0.2 - Celemony Software GmbH)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24123 (HKLM-x32\...\{2cbcedbb-f38c-48a3-a3e1-6c6fd821a7f4}) (Version: 14.0.24123.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Native Instruments Guitar Rig 5 (HKLM-x32\...\Native Instruments Guitar Rig 5) (Version: 5.2.2.8 - Native Instruments)
Native Instruments Guitar Rig Factory Selection for Maschine (HKLM-x32\...\Native Instruments Guitar Rig Factory Selection for Maschine) (Version: - Native Instruments)
Native Instruments Komplete 8 Players (HKLM-x32\...\Native Instruments Komplete 8 Players) (Version: - Native Instruments)
Native Instruments Kontakt 5 (HKLM-x32\...\Native Instruments Kontakt 5) (Version: 5.6.1.48 - Native Instruments)
Native Instruments Kontakt Factory Selection (HKLM-x32\...\Native Instruments Kontakt Factory Selection) (Version: - Native Instruments)
Native Instruments Reaktor 5 (HKLM-x32\...\Native Instruments Reaktor 5) (Version: 5.9.3.1344 - Native Instruments)
Native Instruments Reaktor Factory Selection (HKLM-x32\...\Native Instruments Reaktor Factory Selection) (Version: - Native Instruments)
Native Instruments Service Center (HKLM-x32\...\Native Instruments Service Center) (Version: - Native Instruments)
Origin (HKLM-x32\...\Origin) (Version: 10.2.1.38915 - Electronic Arts, Inc.)
PreSonus Studio One 3 x64 (HKLM\...\PreSonus Studio One 3) (Version: 3.3.1.39379 - PreSonus Audio Electronics)
PreSonus Universal Control 1.7.4 (HKLM\...\PreSonus Universal Control_is1) (Version: 1.7.4 - PreSonus Audio Electronics)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7727 - Realtek Semiconductor Corp.)
Sample Production Bit Checker x64 (HKLM\...\{1FFA19A6-D46D-4993-B39E-394EB92781A4}) (Version: 1.0.7.0 - Intel Corporation)
Spybot Anti-Beacon (HKLM-x32\...\{419A7FCF-93E1-474D-BFE9-987CF3F90C88}_is1) (Version: 1.5 - Safer-Networking Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1823378645-228841874-2807899765-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Taco\AppData\Local\Microsoft\OneDrive\17.3.6517.0809_1\FileCoAuth.exe (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {29764ED1-22A5-4F9C-A2C3-575B4D9042FC} - System32\Tasks\Safer-Networking\Spybot Anti-Beacon\Refresh Anti-Beacon immunization => C:\Program Files (x86)\Spybot Anti-Beacon\SDAntiBeacon.exe [2015-10-19] (Safer-Networking Ltd.)
Task: {2C71F3E3-9E53-47C3-BA5D-E278FB31E031} - System32\Tasks\CreateExplorerShellUnelevatedTask => /NOUACCHECK
Task: {337F601D-0518-4B24-9746-F5262103CDEE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-10-19] (Google Inc.)
Task: {D7755A89-85B9-44E7-AA91-31D9F67A1C81} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-10-19] (Google Inc.)
Task: {DED03788-AA91-461E-BFA6-D867196B6A24} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-09-28] (Piriform Ltd)
Task: {E115B9F3-0AEB-4F78-85FC-5B8008A0CA38} - System32\Tasks\OneDrive Standalone Update Task => C:\Users\Taco\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe [2016-10-20] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-10-29 03:25 - 2016-08-26 09:37 - 01175504 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-RANSOMWARE\arwlib.dll
2016-07-16 06:42 - 2016-07-16 06:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-10-22 12:20 - 2016-09-15 12:25 - 02681200 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-10-22 12:20 - 2016-09-15 12:25 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-10-22 12:20 - 2016-09-15 12:25 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-10-22 11:51 - 2016-10-22 11:51 - 01864384 _____ () C:\Users\Taco\AppData\Local\Microsoft\OneDrive\17.3.6517.0809_1\amd64\ClientTelemetry.dll
2016-01-14 17:33 - 2016-01-14 17:33 - 00384120 _____ () C:\WINDOWS\system32\igfxTray.exe
2016-10-22 12:20 - 2016-09-06 23:56 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-10-22 12:20 - 2016-10-05 04:35 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-10-29 03:25 - 2016-04-14 18:38 - 00745984 _____ () C:\Program Files\Malwarebytes\Anti-Ransomware\QtQuick\Controls\qtquickcontrolsplugin.dll
2016-10-27 16:09 - 2016-10-14 22:41 - 09760256 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-10-27 16:09 - 2016-10-14 22:34 - 01401344 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-10-27 16:09 - 2016-10-14 22:34 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-10-27 16:09 - 2016-10-14 22:34 - 02424832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-10-27 16:09 - 2016-10-14 22:38 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-10-22 11:27 - 2016-10-20 03:56 - 02367080 _____ () C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.71\libglesv2.dll
2016-10-22 11:27 - 2016-10-20 03:56 - 00107112 _____ () C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.71\libegl.dll
2016-10-25 22:52 - 2016-10-25 22:52 - 02493440 _____ () C:\Program Files (x86)\Origin\libGLESv2.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\WINDOWS\system32\Drivers\iaStorB.sys:com.dropbox.attributes [168]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\iaStorS.sys:com.dropbox.attributes [168]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\rccfg.sys:com.dropbox.attributes [168]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\rcraid.sys:com.dropbox.attributes [168]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\71530138.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\82222355.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\88568615.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\71530138.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\82222355.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\88568615.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-10-30 02:24 - 2016-10-28 22:31 - 00004760 ____A C:\WINDOWS\system32\Drivers\etc\hosts

0.0.0.0 choice.microsoft.com
0.0.0.0 choice.microsoft.com.nstac.net
0.0.0.0 df.telemetry.microsoft.com
0.0.0.0 oca.telemetry.microsoft.com
0.0.0.0 oca.telemetry.microsoft.com.nsatc.net
0.0.0.0 redir.metaservices.microsoft.com
0.0.0.0 reports.wes.df.telemetry.microsoft.com
0.0.0.0 services.wes.df.telemetry.microsoft.com
0.0.0.0 settings-sandbox.data.microsoft.com
0.0.0.0 settings-win.data.microsoft.com
0.0.0.0 sqm.df.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com
0.0.0.0 sqm.telemetry.microsoft.com.nsatc.net
0.0.0.0 telecommand.telemetry.microsoft.com
0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
0.0.0.0 telemetry.appex.bing.net
0.0.0.0 telemetry.microsoft.com
0.0.0.0 telemetry.urs.microsoft.com
0.0.0.0 vortex-sandbox.data.microsoft.com
0.0.0.0 vortex-win.data.microsoft.com
0.0.0.0 vortex.data.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com.nsatc.net
0.0.0.0 watson.ppe.telemetry.microsoft.com
0.0.0.0 wes.df.telemetry.microsoft.com
0.0.0.0 vortex-bn2.metron.live.com.nsatc.net
0.0.0.0 vortex-cy2.metron.live.com.nsatc.net
0.0.0.0 watson.live.com
0.0.0.0 watson.microsoft.com
0.0.0.0 feedback.search.microsoft.com

There are 75 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1823378645-228841874-2807899765-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Taco\Downloads\XRx47FD.jpg
DNS Servers: 68.105.28.11 - 68.105.29.11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: lfsvc => 3
HKLM\...\StartupApproved\StartupFolder: => "Killer Network Manager.lnk"
HKU\S-1-5-21-1823378645-228841874-2807899765-1001\...\StartupApproved\Run: => "OneDrive"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{57003C60-DDC9-400C-BD5F-B00A3172FAF8}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [UDP Query User{B92AD28C-52AA-4517-927C-6736ECFFA1E6}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [WCF-NetTcpActivator-In-TCP-64bit] => (Allow) LPort=808
FirewallRules: [{87A80A73-EEA5-4BDA-B6A9-ACDA0634FD9D}] => (Allow) C:\Program Files\PreSonus\Studio One 3\Studio One.exe
FirewallRules: [TCP Query User{809DBB75-DDB9-4324-A3A5-199CC93028DF}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [UDP Query User{75D584D6-1A99-4698-9748-E3356D61ADD1}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [TCP Query User{2A76026E-0702-41BA-A0F6-751E7E9BC85E}C:\program files (x86)\google\chrome\application\chrome.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [UDP Query User{E60BDDB6-4B17-4630-A40F-4577F1373FBC}C:\program files (x86)\google\chrome\application\chrome.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [{55D3CC6D-80C1-4BF9-A5ED-CC221C254D42}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
FirewallRules: [{15525CA2-4C45-44AF-BE8E-B7342FF23BA7}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe

==================== Restore Points =========================

25-10-2016 21:38:48 End of disinfection
27-10-2016 16:15:37 Removed Adobe Acrobat Reader DC.
29-10-2016 05:32:03 Installed Killer Drivers.

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============
Error: (10/29/2016 08:18:01 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


==================== Memory info ===========================

Processor: Intel® Core™ i7-4790K CPU @ 4.00GHz
Percentage of memory in use: 24%
Total physical RAM: 16229.7 MB
Available physical RAM: 12209.84 MB
Total Virtual: 19173.7 MB
Available Virtual: 14660.78 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.3 GB) (Free:78.56 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: 0283332E)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.3 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Attached Files


Edited by Oh My!, 02 November 2016 - 08:59 AM: Posted logs
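The Hosts content section of the Addition.txt log above shows 0.0.0.0 entries for Microsoft telemetry hosts, the kind of entries a telemetry blocker writes (Tacohouse later mentions running Spybot Anti-Beacon), and FRST truncates the listing after 30 lines. The script below is an added example, not part of this thread and not FRST code, showing how a responder can triage the full file: entries that point at 0.0.0.0, 127.0.0.1 or ::1 are sinkholes, anything pointing at a routable address is a redirect, and either one applied to an update or security-vendor domain is what needs attention. The sinkhole set and the protected-domain list are assumptions chosen for illustration; the sample hosts content is constructed, with its first lines taken from the log.

```python
"""Audit a Windows hosts file the way a responder reads FRST's "Hosts content" section.

Added example for this thread, not FRST or Bleeping Computer code. The sinkhole
targets and the protected-domain list are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Targets that make an entry a block ("sinkhole") rather than a redirect.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Domains a defender never expects to see blocked or redirected on a client:
# update and security-vendor hosts. Illustrative list, not exhaustive.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "malwarebytes.com",
    "eset.com",
    "bleepingcomputer.com",
)

# Constructed sample: the first three entries are copied from the log above; the
# last three are hypothetical lines of the kind that matter in an investigation.
SAMPLE_HOSTS = """\
0.0.0.0 choice.microsoft.com
0.0.0.0 df.telemetry.microsoft.com
0.0.0.0 watson.telemetry.microsoft.com
0.0.0.0 download.windowsupdate.com   # hypothetical: Windows Update sinkholed
198.51.100.7 www.malwarebytes.com    # hypothetical: vendor site redirected (TEST-NET-2 address)
localhost 127.0.0.1                  # hypothetical: malformed line
"""


@dataclass
class HostsFinding:
    line_no: int
    target: str
    hostname: str
    kind: str        # "sinkhole", "redirect" or "invalid"
    severity: str    # "info", "warn" or "high"


def _is_protected(hostname: str) -> bool:
    h = hostname.lower()
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> List[HostsFinding]:
    """Classify every active hosts entry; comments and blank lines are skipped."""
    findings: List[HostsFinding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        target, *names = line.split()
        try:
            ipaddress.ip_address(target)
        except ValueError:
            # A hosts line must start with an address; anything else is corrupt or tampered.
            findings.append(HostsFinding(n, target, " ".join(names) or "?", "invalid", "warn"))
            continue
        for name in names:
            if target in SINKHOLE_IPS:
                kind, severity = "sinkhole", ("high" if _is_protected(name) else "info")
            else:
                # Sending a name to a real address is the hijack pattern, so it is
                # never merely informational.
                kind, severity = "redirect", ("high" if _is_protected(name) else "warn")
            findings.append(HostsFinding(n, target, name, kind, severity))
    return findings


def summarize(findings: List[HostsFinding]) -> Dict[str, int]:
    """Counts per severity, handy for a one-line verdict."""
    counts = {"info": 0, "warn": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for f in results:
        if f.severity != "info":
            print(f"line {f.line_no}: {f.severity.upper():4} {f.kind:8} {f.target} -> {f.hostname}")
    print(summarize(results))
```

Run against a real file with `audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())`; the 0.0.0.0 telemetry entries from this thread all come back as "info", which is the point: dozens of sinkholes are normal on a machine with a telemetry blocker, while a single redirect or a sinkholed update domain is not.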



#2 garioch7 (RCMP Veteran, Malware Response Instructor, 3,852 posts, Port Hood, Nova Scotia, Canada)

Posted 01 November 2016 - 05:23 AM

Tacohouse:

:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil and I am a trainee in the Bleeping Computer Malware Removal Study Hall. I would like to address you by your first name, if that is alright with you since we will be working together.

I will be assisting you with your computer issues. All of my proposed fixes and suggestions must be approved by a fully-qualified Malware Removal Instructor. This will delay response times somewhat, but I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I will need some time to review your FRST logs and consult with the Malware Response Instructor (MRI) who will be assigned to supervise this topic. That could take a few days. Once I have reviewed my proposed response with the assigned MRI, I will reply to you with initial instructions.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall


#3 garioch7 (RCMP Veteran, Malware Response Instructor, 3,852 posts, Port Hood, Nova Scotia, Canada)

Posted 02 November 2016 - 02:45 PM

Tacohouse:

Thank you for your patience while I analyzed your FRST logs and consulted with the Malware Response Instructor assigned to supervise me while I deal with your issues.

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.
OK, let's get started ...

Tacohouse said:

    All my saved logs have disappeared, and a lot of files are in a different location, name changed, or gone (either hidden or deleted, I'm not sure). When I go to run Malwarebytes Anti-Rootkit, a small window appears and says "registry affected by rootkit". I ran RKill and it shows that it had a lot of missing DLLs and it stopped a couple of services. I don't have a name for what the rootkit is, but it is hidden. The MSI log file said "cloaking process complete", and one of the MSI log files I had that disappeared (I got a chance to look at a little bit of it before it disappeared) said that all the major changes would take place after reboot. I haven't rebooted yet.

.

:step1: I have a number of questions for you because I am not sure that I understand the issues that you are having with your computer:

  • Have you set any policy restrictions on your computer?
  • Which "saved logs" disappeared?
  • When did they disappear?
  • In which folder(s) were they located?
  • What major changes were going to take place after reboot, and which application informed you of that: RKill, Malwarebytes Anti-Rootkit, or some other program?
  • Are there other issues with your computer? If so, please describe them in detail.

.

:step2: Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.

NOTE: It's important that both files, FRST64.exe and fixlist.txt, are in the same folder or the fix will not work.

CreateRestorePoint:

2016-10-25 23:37 - 2016-10-25 23:37 - 00000000 __HDC C:\ProgramData\{A4240964-232B-4D4C-AE9F-AB84A9948A34}
2016-10-25 23:36 - 2016-10-25 23:36 - 00000000 __HDC C:\ProgramData\{0CF1F946-2AAE-48A9-BD6C-DF71FE72E1D1}
Folder: C:\WINDOWS\system32\asg

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Right click FRST64.exe, and select "Run as Administrator".
Then press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.

.

:step3: I would like to see what RKill is reporting as missing .dll's. I am not sure that RKill has kept up with the latest Windows Anniversary Update, which you are running, so they might be "false detections."
Please run RKill again. Instructions below:
Please download Rkill by Grinler from one of the 3 links below (if one of them does not work, try another...) and save it to your desktop:

  • rkill.scr
  • rkill.com
  • rkill.exe
  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista or above, please right-click on it and select Run As Administrator.)
  • Note: You may have to run Rkill a few times before it is successful. As a reminder, you may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents into your reply (the file is also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as any malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

.

:step4: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply.

Don't forget to re-enable your antivirus when finished!

.

:step5: Please launch Malwarebytes Anti-Malware which you have installed on your computer.

  • On the Dashboard, select Settings.
  • Click on Detection and Protection.
  • Ensure that Scan for rootkits is checked. If not, check it.
  • If you are notified the Database is out of date, click Update Now.
  • Click Scan now.
  • When completed, click the down arrow on Export Log and select Text file (*.txt).
  • Save the file to your desktop as MBAM.txt.
  • Click Apply Actions, then restart your computer, if requested.
  • Please copy and paste the contents of MBAM.txt into your next reply.

.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#4 Tacohouse (Topic Starter, Members, 44 posts)

Posted 02 November 2016 - 04:50 PM

I have a number of questions for you because I am not sure that I understand the issues that you are having with your computer:

  • Have you set any policy restrictions on your computer? No, I have Spybot Anti-Beacon, which should cancel group policy and security audit altogether.
  • Which "saved logs" disappeared? It was an MSI log. I didn't activate anything that would make logs for MSI in the first place.
  • When did they disappear? Shortly after I posted this problem on Bleeping Computer.
  • In which folder(s) were they located? They just popped up after installing a network driver for MSI.
  • What major changes were going to take place after reboot, and which application informed you of that: RKill, Malwarebytes Anti-Rootkit, or some other program? MSI informed me. I think the log said something about taking control of TCP/IP.
  • Are there other issues with your computer? If so, please describe them in detail. I have GlassWire; it's showing my Settings icon is sending info out through the network, to where I don't know.


#5 Tacohouse (Topic Starter, Members, 44 posts)

Posted 02 November 2016 - 04:58 PM

fixlog

Attached Files



#6 Tacohouse (Topic Starter, Members, 44 posts)

Posted 02 November 2016 - 05:04 PM

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/02/2016 05:03:09 PM in x64 mode.
Windows Version: Windows 10 Pro 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 
 * agp440 [Missing ImagePath]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  0.0.0.0 choice.microsoft.com
  0.0.0.0 choice.microsoft.com.nstac.net
  0.0.0.0 df.telemetry.microsoft.com
  0.0.0.0 oca.telemetry.microsoft.com
  0.0.0.0 oca.telemetry.microsoft.com.nsatc.net
  0.0.0.0 redir.metaservices.microsoft.com
  0.0.0.0 reports.wes.df.telemetry.microsoft.com
  0.0.0.0 services.wes.df.telemetry.microsoft.com
  0.0.0.0 settings-sandbox.data.microsoft.com
  0.0.0.0 settings-win.data.microsoft.com
  0.0.0.0 sqm.df.telemetry.microsoft.com
  0.0.0.0 sqm.telemetry.microsoft.com
  0.0.0.0 sqm.telemetry.microsoft.com.nsatc.net
  0.0.0.0 telecommand.telemetry.microsoft.com
  0.0.0.0 telecommand.telemetry.microsoft.com.nsatc.net
  0.0.0.0 telemetry.appex.bing.net
  0.0.0.0 telemetry.microsoft.com
  0.0.0.0 telemetry.urs.microsoft.com
  0.0.0.0 vortex-sandbox.data.microsoft.com
  0.0.0.0 vortex-win.data.microsoft.com
 
  20 out of 107 HOSTS entries shown.
  Please review HOSTS file for further entries.
 
Program finished at: 11/02/2016 05:03:14 PM
Execution time: 0 hours(s), 0 minute(s), and 5 seconds(s)


#7 Tacohouse (Topic Starter, Members, 44 posts)

Posted 02 November 2016 - 05:34 PM

malwarebytes log

Attached Files



#8 garioch7 (RCMP Veteran, Malware Response Instructor, 3,852 posts, Port Hood, Nova Scotia, Canada)

Posted 04 November 2016 - 04:17 AM

Tacohouse:

Thank you for your logs. I would prefer if you would copy and paste the logs into your replies rather than attach them. It makes it faster for me, and my supervisor, to review them. Thank you for your understanding and cooperation.

The FRST fixlog is incomplete. You did not include the command: "Folder: C:\WINDOWS\system32\asg". I am going to prepare a new fixlist.txt to run that command and to remove the Group Policy Restriction.

Glasswire is a firewall, so it is probable that it is "calling home." I would not be concerned about that, unless there is something suspicious happening otherwise.

By "msi", I take it that you are referring to a Windows Installer log file. Is that correct?

I ran RKill on my computer, which is also Windows 10 Pro x64, Build 1607. My RKill output was identical to yours. As I suggested, I don't think that RKill has been updated yet for Build 1607. I know that there are no issues with my computer.
 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/03/2016 02:05:14 PM in x64 mode.
Windows Version: Windows 10 Pro

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* gagp30kx [Missing Service]
* IEEtwCollectorService [Missing Service]
* IoQos [Missing Service]
* nv_agp [Missing Service]
* TimeBroker [Missing Service]
* uagp35 [Missing Service]
* uliagpkx [Missing Service]
* WcsPlugInService [Missing Service]
* wpcfltr [Missing Service]
* WSService [Missing Service]

* agp440 [Missing ImagePath]

* AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
* WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

* vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
* vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 11/03/2016 02:05:26 PM
Execution time: 0 hours(s), 0 minute(s), and 12 seconds(s)


.

:step1: Please run FRST again. Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.
 

CreateRestorePoint:

GroupPolicyScripts\User: Restriction <======= ATTENTION
Folder: C:\WINDOWS\system32\asg

NOTE: It's important that both files, FRST64.exe and fixlist.txt, are in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Right click FRST64.exe, and select "Run as Administrator".
Then press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.

.

:step2: Please run the ESET scan that I requested as Step :step4: in my previous post.

.

:step3: Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log into your reply.

.

:step4: Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List Devices

Click Go and then copy and paste the contents of the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
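Phil's triage of the "Checking Windows Service Integrity" warnings in the post above was a baseline comparison: run the same tool on a clean machine of the same build and treat whatever appears on both as tool noise rather than infection. The script below is an added example, not RKill's or Bleeping Computer's code, that automates that comparison for two RKill logs. It assumes the log layout visible in the posts (section headers ending in a colon, "*" finding lines, detail lines such as registry values or HOSTS entries beneath a finding) and uses abbreviated, constructed copies of the two logs on this page as its input.

```python
"""Diff an RKill log from a suspect machine against one from a known-good machine.

Added example for this thread, not RKill's or Bleeping Computer's code. It assumes
the log layout visible in the posts: "Checking ...:" section headers, "*" finding
lines, and detail lines (registry values, HOSTS entries) beneath a finding. The two
logs below are abbreviated, constructed copies of the logs posted in this thread.
"""
from typing import Dict, Set, Tuple

Report = Dict[str, Set[str]]
SECTION_PREFIXES = ("Checking", "Performing", "Searching")

SUSPECT_LOG = r"""Rkill 2.8.4 by Lawrence Abrams (Grinler)
Program started at: 11/02/2016 05:03:09 PM in x64 mode.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * gagp30kx [Missing Service]
 * IoQos [Missing Service]
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]

Checking HOSTS File:

 * HOSTS file entries found:

  0.0.0.0 choice.microsoft.com
  0.0.0.0 df.telemetry.microsoft.com

Program finished at: 11/02/2016 05:03:14 PM
"""

BASELINE_LOG = r"""Rkill 2.8.4 by Lawrence Abrams (Grinler)
Program started at: 11/03/2016 02:05:14 PM in x64 mode.

Checking Registry for malware related settings:

* No issues found in the Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* gagp30kx [Missing Service]
* IoQos [Missing Service]
* AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]

Checking HOSTS File:

* No issues found.

Program finished at: 11/03/2016 02:05:26 PM
"""


def parse_rkill(text: str) -> Report:
    """Parse an RKill log into {section: set of findings}."""
    report: Report = {}
    section = None
    last_finding = None
    for raw in text.splitlines():
        line = raw.replace("\xa0", " ").strip()   # forum copies carry non-breaking spaces
        if not line:
            continue
        if line.startswith("Program finished at:"):
            break                                   # trailer: nothing more to parse
        if line.startswith("*"):
            if section is None:
                continue                            # "*" before the first section: ignore
            last_finding = line.lstrip("*").strip()
            report[section].add(last_finding)
        elif line.startswith(SECTION_PREFIXES) and line.endswith(":"):
            section = line[:-1]
            report.setdefault(section, set())
            last_finding = None
        elif section is not None and last_finding is not None:
            # Detail line under a finding; keyed to it so details diff per finding.
            report[section].add(f"{last_finding} :: {line}")
    return report


def diff_reports(suspect: Report, baseline: Report) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per section: (findings only on the suspect, findings only on the baseline)."""
    out = {}
    for section in sorted(set(suspect) | set(baseline)):
        s, b = suspect.get(section, set()), baseline.get(section, set())
        if s - b or b - s:
            out[section] = (s - b, b - s)
    return out


def format_diff(diff: Dict[str, Tuple[Set[str], Set[str]]]) -> str:
    lines = []
    for section, (only_suspect, only_baseline) in diff.items():
        lines.append(f"== {section}")
        lines += [f"  suspect only : {f}" for f in sorted(only_suspect)]
        lines += [f"  baseline only: {f}" for f in sorted(only_baseline)]
    return "\n".join(lines) if lines else "no differences"


if __name__ == "__main__":
    print(format_diff(diff_reports(parse_rkill(SUSPECT_LOG), parse_rkill(BASELINE_LOG))))
```

On these inputs the whole service-integrity section cancels out, which is the evidence for Phil's "not updated for build 1607" explanation, and what remains is the suspect's HOSTS entries and, on the baseline side, a Defender-disabled policy. That second item is the caveat of the method: a baseline machine is only as clean as you have verified it to be, so baseline-only findings deserve a look as well.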


#9 Tacohouse (Topic Starter, Members, 44 posts)

Posted 04 November 2016 - 06:23 PM

The MSI, that's one of the symbols on my motherboard, so I think they just might be a co-creator of the motherboard, and the MSI log came from one of the driver logs. Farbar won't run; my PC keeps freezing. My Windows Defender just shut off by itself and just notified me that I have a trojan:win32/varpes.j!cl.



#10 Tacohouse (Topic Starter, Members, 44 posts)

Posted 04 November 2016 - 06:25 PM

Defender says it can't find the rest, but I think at this point it may not be savable and I might need to reformat. I don't have anything on here I need backed up.



#11 garioch7 (RCMP Veteran, Malware Response Instructor, 3,852 posts, Port Hood, Nova Scotia, Canada)

Posted 06 November 2016 - 05:46 AM

Tacohouse:

Thank you for your replies. I am not sure that I understand what you mean by an MSI symbol on your motherboard?

Tacohouse said:

    Defender says it can't find the rest, but I think at this point it may not be savable and I might need to reformat. I don't have anything on here I need backed up.

That would be an extreme step. I am not seeing any serious malware, so far, in the first set of FRST logs that you provided.

It is your computer, however, so if you want to format it and start over, that is your decision. Please let me know if that is what you want to do, and I will ask a Moderator to conclude this topic.

Personally, if it was my computer, I would do another RKill run, and follow that with an ESET online scan, as I previously instructed you to do in this post, Steps :step3: and :step4:

There was a recent issue with the Farbar Recovery and Scan Tool (FRST) in the last few days that has been fixed. It would go into an infinite update loop. If that was the problem that you encountered, please try to run the short "fixlist.txt" file that I provided to you in my previous post and copy and paste the fixlog.txt into your next reply, after downloading the newest version of FRST64.exe from here.

If you are not going to format your computer right now, then I would also appreciate if you would also run the Farbar Service Scanner and the Farbar MiniToolBox scan, as I previously requested, in this post, Steps :step3: and :step4:.

Please let me know what you decide to do. Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#12 Tacohouse (Topic Starter, Members, 44 posts)

Posted 06 November 2016 - 12:35 PM

Well, the drivers come from the MSI company. I was just saying that's the company I downloaded the infected driver from, which is also where the MSI logs were coming from. I can't do the first step: my computer freezes when I try to run Farbar to apply the fixlog; the PC freezes. I rebooted; it still doesn't work. Also, while I'm trying to add the fixlog, all my antivirus and malware protection programs are disabling themselves. When I try to open them to fix this by reactivating those programs, the computer freezes. I've practically lost control of most things on the PC; only certain programs run, such as Chrome and Windows Update. Other than that, any other program I try to run, the computer freezes, and all I can do at that point is force a reboot.

#13 garioch7 (RCMP Veteran, Malware Response Instructor, 3,852 posts, Port Hood, Nova Scotia, Canada)

Posted 06 November 2016 - 03:18 PM

Tacohouse:

Thank you for your post. I am sorry to hear that you are experiencing such serious issues.

Thank you also for letting me know that your computer is manufactured by Micro Star International. That is useful information.

As I said, the initial set of FRST logs did not show any obvious signs of serious malware. I am suspecting a driver or OS issue.

QUESTION: Did your computer come with Windows 10 installed, or did you do an upgrade or clean install from a previous version of Windows?

:step1: Please left click the Windows logo (former Start button) at the bottom left of your screen and type in "Device Manager".

Please launch Device Manager, and check all devices for any with a warning symbol, usually a yellow exclamation mark in a triangle. If you find any such devices, please attach a screen shot for examination to your next post.

 

.

:step2: I would like you to check the system integrity of your Windows 10 OS installation.

  • Please right click the Windows logo (formerly the Start button) at the bottom left of your screen.
  • Please select "Command Prompt (Admin)".
  • Please type the following command and press the <Enter> key: sfc /scannow (Please note that there is a space between "sfc" and "/scannow".)
  • It should take about 20 minutes to run, if there are no serious errors.
  • If the System File Checker reports that some errors were fixed, but some remain, please reboot your computer and run the System File Checker from an Administrator Command Prompt again.
  • If the System File Checker again reports that some errors were fixed, but some remain, please reboot your computer and run it a third time.
  • If "Resource Integrity Violations" (errors) are reported that could not be corrected, or were not corrected after a third SFC run, then please navigate to the folder C:\Windows\Logs\CBS and copy the file "cbs.log" to your desktop immediately. I am asking you to do that because that file is dynamic, so I want to be able to examine a copy that is unchanged from the time that the System File Checker was run.
  • If there are errors that couldn't be corrected, let me know and I will provide you with instructions as to how to upload the file to Bleeping Computer for examination. Those files are usually much too large to attach.

.

Thank you and have a great day. Good luck!

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
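Step 2 above asks for up to three sfc /scannow runs and an immediate copy of cbs.log, because the log keeps growing and a late copy no longer matches the run being examined. The script below is an added example, not Phil's instructions and not Microsoft, FRST or Bleeping Computer code: it takes a timestamped copy of the log and then reduces that copy to the lines SFC itself writes, the ones tagged [SR], reporting which files were repaired and which could not be, so that a multi-megabyte log can be attached as a short summary. The CBS.log path is the documented default; the sample log lines are constructed to show the shape of those entries and are not from the user's machine. The sfc call needs an elevated prompt on Windows; elsewhere the script falls back to the constructed sample.

```python
"""Snapshot CBS.log after an SFC run and summarize its [SR] lines.

Added example for this thread, not Microsoft, FRST or Bleeping Computer code.
Assumes the documented CBS.log location and the "[SR]" tag the System File Checker
puts on its own lines; SAMPLE_CBS below is constructed for illustration.
"""
import os
import re
import shutil
import subprocess
from datetime import datetime
from pathlib import Path
from typing import Dict, List

CBS_LOG = Path(r"C:\Windows\Logs\CBS\CBS.log")
SR_TAG = "[SR]"

# Constructed sample lines in the shape SFC writes them (not a real log).
SAMPLE_CBS = r"""
2016-11-06 15:20:11, Info                  CSI    00000123 [SR] Verifying 100 components
2016-11-06 15:20:11, Info                  CSI    00000124 Unrelated servicing line without the tag
2016-11-06 15:20:12, Info                  CSI    00000125 [SR] Cannot repair member file [l:24{12}]"example.dll" of Microsoft-Windows-Example, Version = 10.0.14393.0 : file is missing
2016-11-06 15:20:13, Info                  CSI    00000126 [SR] Repairing 1 components
2016-11-06 15:20:13, Info                  CSI    00000127 [SR] Repaired file \??\C:\WINDOWS\System32\other.dll by copying from backup
2016-11-06 15:20:14, Info                  CSI    00000128 [SR] Verify complete
"""

CANNOT_REPAIR = re.compile(r'\[SR\] Cannot repair member file \[[^\]]*\]"([^"]+)"')
REPAIRED = re.compile(r"\[SR\] Repaired file (\S+)")


def extract_sr_lines(text: str) -> List[str]:
    """Keep only the lines SFC itself wrote (same filter as findstr /c:"[SR]")."""
    return [line for line in text.splitlines() if SR_TAG in line]


def summarize_sr(text: str) -> Dict[str, object]:
    """Count SR lines and list the files SFC repaired or could not repair."""
    sr_lines = extract_sr_lines(text)
    unrepaired, repaired = [], []
    for line in sr_lines:
        m = CANNOT_REPAIR.search(line)
        if m:
            unrepaired.append(m.group(1))
            continue
        m = REPAIRED.search(line)
        if m:
            repaired.append(m.group(1))
    return {"sr_lines": len(sr_lines), "unrepaired": unrepaired,
            "repaired": repaired, "clean": not unrepaired}


def snapshot_cbs_log(dest_dir: Path, src: Path = CBS_LOG) -> Path:
    """Copy CBS.log to a timestamped file so later servicing activity cannot alter it."""
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = dest_dir / f"cbs-{stamp}.log"
    shutil.copy2(src, dest)
    return dest


def run_sfc() -> int:
    """Run sfc /scannow (Windows only, elevated prompt required); returns its exit code."""
    return subprocess.run(["sfc", "/scannow"], check=False).returncode


if __name__ == "__main__":
    if os.name == "nt" and CBS_LOG.exists():
        run_sfc()
        copy = snapshot_cbs_log(Path.home() / "Desktop")
        text = copy.read_text(encoding="utf-8", errors="replace")
    else:
        text = SAMPLE_CBS   # off Windows: demonstrate on the constructed sample
    summary = summarize_sr(text)
    print(f"{summary['sr_lines']} [SR] lines; unrepaired: {summary['unrepaired']}; "
          f"repaired: {summary['repaired']}")
```

The summary's "unrepaired" list is what decides between "run SFC again after a reboot" and "send the log in", which is the decision Phil's step 2 turns on; keep the timestamped copy alongside it, since the summary is derived from that copy and not from the live log.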


#14 Tacohouse (Topic Starter, Members, 44 posts)

Posted 08 November 2016 - 05:31 PM

Nothing seems to be responding, so I think I'm just going to go ahead and reformat. All my stuff is backed up already. I'm very sorry for wasting your time. I really appreciate your time and what you guys do to help. I do feel bad, and again, sorry I wasted everyone's time. I can't thank y'all enough for trying to help. Much appreciated.

#15 garioch7 (RCMP Veteran, Malware Response Instructor, 3,852 posts, Port Hood, Nova Scotia, Canada)

Posted 09 November 2016 - 10:31 AM

Tacohouse:

Thank you for your post. You have not been wasting my time. We are here to help.

Below are the steps that I would take, in the order that I would take them, to optimize the chances of a positive outcome, since you appear determined to take drastic action to resolve your problems, which might indeed be necessary if nothing is working properly.

:step1: If you did a clean install of Windows 10; or, if it came installed on your computer, it would be less risky to do a Windows 10 reset. For more information, go to this link, and click on "Reset this PC".

:step2: If you did an upgrade to Windows 10, and you suspect that the upgrade became corrupted, then you should explore doing a "factory reset" (see this link). That will ensure that the correct drivers are installed for the version of Windows that the computer shipped with, and that they are compatible with the MSI motherboard.

:step3: I would consider a straight reformatting of the hard drive and reinstallation of Windows 10 to be a last resort, as Microsoft might install generic Windows drivers that are not compatible with one or more of the devices on your computer.

I am reasonably confident that you do not have active malware on your computer, based on an analysis of your initial FRST logs. I also note that you had previously run TDSSKiller, so I doubt very much that there is a rootkit hiding.

My guess is that you have a driver incompatibility issue and/or OS file system issues.

Please let me know what you decide and how it goes. It will assist us all to know what resolves your issues, so that others can be helped.

I am available should you require possible future malware removal assistance. You should be aware that there are many Forums here, dedicated to various Operating Systems, and hardware and other issues, so you should avail yourself of the expertise here, if you run into further problems.

Good luck and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall




