Infected with Trojan.Agent.Trace but MBAM can't remove it


This topic is locked
25 replies to this topic

#1 spaceace76 (Members, 17 posts)

Posted 19 December 2016 - 02:57 PM

I have been attempting to remove a Trojan that I believe has been stealing my data and personal info. Every time I run a Malwarebytes scan, the virus comes up and is quarantined. If I restart the computer, the virus comes back and just keeps returning anytime I restart the system. If I don't scan and remove the trojan it simply generates more malware programs over and over. It seems MB isn't getting to the root of the issue.

I also recently started getting this dialogue upon startup:

"netprotocol.exe

Application has generated an exception that could not be handled"

followed by some error codes, and a choice to close or debug. As far as I can tell this is malware too and it doesn't show up in the MB scans.

I have had trouble installing a few programs (such as java 64 bit and JDownloader) and I think malware may be causing the issue there as well.

Here is my FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-12-2016
Ran by Chris (administrator) on DESKTOP-HA96UUL (19-12-2016 14:41:30)
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris & Guest1)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(Microsoft Corporation) C:\Windows\System32\SpaceAgent.exe
() C:\Windows\AutoKMS\AutoKMS.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe
(Advanced Micro Devices) C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(AOMEI Tech Co., Ltd.) C:\Program Files (x86)\AOMEI Backupper\ABService.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe
( ) C:\Windows\System32\dlcxcoms.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe
(Scarlet.Crush Productions) C:\Program Files\Nefarious\ScpService.exe
(Focusrite Audio Engineering Ltd.) C:\Program Files\Focusrite\Focusrite Control\Server\ControlServer.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Razer Game Booster\RzKLService.exe
(Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe
() C:\Program Files (x86)\HDD Regenerator\hrsrv.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(Microsoft Corporation) C:\Windows\System32\SppExtComObj.Exe
() D:\Chris\Downloads\openhardwaremonitor-v0.7.1-beta\OpenHardwareMonitor\OpenHardwareMonitor.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Electronic Arts) C:\Users\Chris\AppData\Roaming\ShellExecution.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrHCRPServer.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrAudioguiCtrl.exe
(Microsoft) C:\ProgramData\CLMonitor.exe
() C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrSyncMLServer.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\vksts.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\HarmonyUserStartup.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\TrayApplication.exe
() C:\Program Files (x86)\Dell Photo AIO Printer 926\dlcxmon.exe
() C:\Program Files (x86)\Dell Photo AIO Printer 926\memcard.exe
(Logitech, Inc.) C:\Program Files\Logitech\LogiOptions\LogiOptions.exe
(Logitech, Inc.) C:\ProgramData\Logishrd\LogiOptions\Software\Current\LogiOptionsMgr.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Dekisoft) C:\Program Files (x86)\Monitor Off Utility\monoff.exe
(Intel Corporation) C:\Windows\System\hkcmd.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
() C:\Program Files (x86)\Air Mouse\Air Mouse\Air Mouse.exe
(PowerISO Computing, Inc.) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Scarlet.Crush Productions) C:\Program Files\Nefarius Software Solutions\ScpToolkit\ScpTrayApp.exe
(Elias Fotinis) C:\Program Files (x86)\DeskPins\DeskPins.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Python Software Foundation) C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Jeroen Pelgrims) C:\Users\Chris\AppData\Local\Apps\2.0\5P3Q3K2D.AGA\PJZTN3VA.3LO\soun..tion_0000000000000000_0002.0004_f839aedc2aa2d7a7\SoundSwitch.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\Air Mouse\Air Mouse\UIHelperDesktop.exe
() C:\Program Files (x86)\Shell Extension Monitor\ShellExtension.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex DLNA Server.exe
(Python Software Foundation) C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
(Michael Thummerer Software Design) C:\Program Files (x86)\UPNP Host\upnphost.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8529152 2015-10-08] (Realtek Semiconductor)
HKLM\...\Run: [CsrHCRPServer] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrHCRPServer.exe [1134288 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [CsrAudioguiCtrl] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrAudioguiCtrl.exe [511696 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [CsrSyncMLServer] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrSyncMLServer.exe [244944 2012-03-22] ()
HKLM\...\Run: [vksts] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\vksts.exe [25792 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [HarmonyUserStartup] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\HarmonyUserStartup.exe [39128 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [CSRHarmonySkypePlugin] => C:\Program Files (x86)\CSR\CSR Harmony Wireless Software Stack\CSRHarmonySkypePlugin.exe [146656 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [TrayApplication] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\TrayApplication.exe [529616 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3113592 2015-08-25] (Logitech, Inc.)
HKLM\...\Run: [dlcxmon.exe] => C:\Program Files (x86)\Dell Photo AIO Printer 926\dlcxmon.exe [292336 2007-01-12] ()
HKLM\...\Run: [MemoryCardManager] => C:\Program Files (x86)\Dell Photo AIO Printer 926\memcard.exe [304008 2006-11-03] ()
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508104 2015-07-29] (Adobe Systems Incorporated)
HKLM\...\Run: [LogiOptions] => C:\Program Files\Logitech\LogiOptions\LogiOptions.exe [1724536 2016-07-29] (Logitech, Inc.)
HKLM\...\Run: [StartCN] => C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [8029576 2016-11-23] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2786768 2016-11-29] (Malwarebytes)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-12-06] (Apple Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [180224 2010-04-12] (PowerISO Computing, Inc.)
HKLM-x32\...\Run: [HDD Regenerator] => C:\Program Files (x86)\HDD Regenerator\Shell.exe [90336 2013-05-08] ()
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [FaxCenterServer] => C:\Program Files (x86)\Dell PC Fax\fm3032.exe [312200 2006-11-03] ()
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [${_APP_NAME}] => C:\Program Files (x86)\WellWeWeb\CheVolume\CheVolume.exe
HKLM-x32\...\Run: [UPNP Host] => C:\Program Files (x86)\UPNP Host\upnphost.exe [282112 2016-12-05] (Michael Thummerer Software Design)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [Dekisoft Monitor Off Utility] => C:\Program Files (x86)\Monitor Off Utility\monoff.exe [303104 2011-03-20] (Dekisoft)
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [Intel® Common Interface] => C:\Windows\system\hkcmd.exe [30208 2015-10-27] (Intel Corporation)
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [13082608 2016-12-15] (Plex, Inc.)
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [NET Tools Monitor] => C:\Users\Chris\AppData\Roaming\NET Tools\netprotocol.exe [493056 2016-12-14] (Michael Thummerer Software Design)
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [GoogleChromeAutoLaunch_4E6299B33FA0592A57BB7C6E94F010D2] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [935768 2016-12-08] (Google Inc.)
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\RunOnce: [Uninstall C:\Users\Chris\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Chris\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64"
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Policies\Explorer: [NoResolveSearch] 1
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\MountPoints2: {52441c34-6db8-11e5-9bce-fcaa14c3d409} - "F:\setup.exe" 
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Winlogon: [Shell] explorer.exe,"C:\Users\Chris\AppData\Roaming\ShellExecution.exe" <==== ATTENTION
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [31744 2015-10-30] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [13082608 2016-12-15] (Plex, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2016-12-19]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CheVolume.lnk [2016-07-25]
ShortcutTarget: CheVolume.lnk -> C:\Program Files (x86)\WellWeWeb\CheVolume\CheVolume.exe (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Mobile Mouse.lnk [2016-01-20]
ShortcutTarget: Mobile Mouse.lnk -> C:\Program Files (x86)\Air Mouse\Air Mouse\Air Mouse.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScpToolkit Tray Notifications.lnk [2015-12-17]
ShortcutTarget: ScpToolkit Tray Notifications.lnk -> C:\Program Files\Nefarius Software Solutions\ScpToolkit\ScpTrayApp.exe (Scarlet.Crush Productions)
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeskPins.lnk [2015-10-25]
ShortcutTarget: DeskPins.lnk -> C:\Program Files (x86)\DeskPins\DeskPins.exe (Elias Fotinis)
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoundSwitch.appref-ms [2015-10-08] ()
GroupPolicy: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{db4e18f3-5b14-4e02-9e96-c723026e5c02}: [DhcpNameServer] 192.168.2.1
ManualProxies: 
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office16\OCHelper.dll [2016-01-13] (Microsoft Corporation)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office16\GROOVEEX.DLL [2016-01-13] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office16\OCHelper.dll [2015-07-31] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\new\bin\ssv.dll [2016-12-16] (Oracle Corporation)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office16\GROOVEEX.DLL [2016-01-13] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\new\bin\jp2ssv.dll [2016-12-16] (Oracle Corporation)
Handler: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2016-01-13] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-01-13] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\Office16\MSOSB.DLL [2016-01-13] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-01-13] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2011-01-19] (Skype Technologies)
 
FireFox:
========
FF DefaultProfile: 
FF DefaultProfile: eubsuan3.default
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\eubsuan3.default [2016-12-17]
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\eubsuan3.default -> DuckDuckGo
FF Extension: (Firefox Hotfix) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\eubsuan3.default\Extensions\firefox-hotfix@mozilla.org.xpi [2016-11-21]
FF Extension: (Adblock Plus) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\eubsuan3.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-21]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: (Logitech SetPoint) - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2015-10-14] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_21_0_0_197.dll [2016-03-31] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_197.dll [2016-03-31] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\new\bin\dtplugin\npDeployJava1.dll [2016-12-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\new\bin\plugin2\npjp2.dll [2016-12-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-10-27] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npFoxitReaderPlugin.dll [2015-10-08] (Foxit Software Company)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-10-27] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2015-11-30] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2015-11-30] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2015-11-30] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2015-11-30] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2015-11-30] (Apple Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxps://search.yahoo.com/?type=523482&fr=yo-yhp-ch
CHR StartupUrls: Default -> "hxxps://search.yahoo.com/?type=523482&fr=yo-yhp-ch","hxxps://mysearch.avg.com?cid={6DB0DC47-0A78-4348-B42A-5D7D9DBDA939}&mid=07bdcdbb118b47d39627d16d67fa436a-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=oc011&coid=avgtbdisoc&cmpid=&pr=sa&d=2014-09-04 01:31:17&v=18.1.9.786&pid=safeguard&sg=&sap=hp","hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_ir_16_03&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FtDyE0D0AtByDzy0CyC0B0CtCzztByEtN0D0Tzu0StCyEyBzytN1L2XzutAtFtCyBtFyEtFtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyD0D0BtBtB0A0FyEtGtAzz0BtCtGzzyDtD0CtGtAtBtA0DtGyE0FtA0AyCzy0EyE0FzztByC2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0CyCtAtAyDzz0EtGtB0F0B0DtGyEyC0AyCtG0ByC0A0AtGtByEzztAzytD0CyCzy0D0DyD2QtN0A0LzuyE%26cr%3D772971987%26a%3Dwncy_ir_16_03%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro"
CHR DefaultSearchURL: Default -> hxxps://duckduckgo.com/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> duckduckgo.com
CHR DefaultSuggestURL: Default -> hxxps://ac.duckduckgo.com/ac/?q={searchTerms}&type=list
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default [2016-12-19]
CHR Extension: (Google Slides) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-10-08]
CHR Extension: (Flash Video Downloader) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc [2016-12-06]
CHR Extension: (Google Docs) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-08]
CHR Extension: (Google Drive) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-08]
CHR Extension: (Adblock Plus) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-10-30]
CHR Extension: (Google Search) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Logitech Smooth Scrolling) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk [2015-10-14]
CHR Extension: (Google Sheets) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-10-08]
CHR Extension: (Google Docs Offline) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Chrometana - Redirect Bing Somewhere Better) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\kaicbfmipfpfpjmlbpejaoaflfdnabnc [2015-10-26]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-12-16]
CHR Extension: (Bing2Google) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgoehlfmhfafaiepckjikpphoklijedl [2016-01-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Print Friendly & PDF) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohlencieiipommannpdfcmfdpjjmeolj [2015-10-08]
CHR Extension: (Gmail) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-08]
CHR Extension: (Chrome Media Router) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AdobeActiveFileMonitor14.0; C:\Program Files\Adobe\Elements 14 Organizer\PhotoshopElementsFileAgent.exe [226016 2015-08-27] (Adobe Systems Incorporated)
R2 AMD FUEL Service; C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe [351944 2015-11-03] (Advanced Micro Devices, Inc.)
R2 amdacpusrsvc; C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe [121856 2016-07-08] (Advanced Micro Devices) [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 Backupper Service; C:\Program Files (x86)\AOMEI Backupper\ABService.exe [29912 2015-09-15] (AOMEI Tech Co., Ltd.) [File not signed]
R2 BcmBtRSupport; C:\WINDOWS\system32\btwrsupportservice.exe [2297104 2015-10-12] (Broadcom Corporation.)
R2 BtSwitcherService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe [64216 2012-03-22] (Cambridge Silicon Radio Limited)
R2 CSRBtAudioService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe [465624 2012-03-22] (Cambridge Silicon Radio Limited)
R2 CsrBtOBEXService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe [1041616 2012-03-22] (Cambridge Silicon Radio Limited)
R2 CsrBtService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe [825032 2012-03-22] (Cambridge Silicon Radio Limited)
R2 dlcx_device; C:\WINDOWS\system32\dlcxcoms.exe [566152 2006-11-03] ( )
R2 dlcx_device; C:\WINDOWS\SysWOW64\dlcxcoms.exe [532480 2006-10-11] ( ) [File not signed]
R2 Ds3Service; C:\Program Files\Nefarious\ScpService.exe [387072 2015-10-05] (Scarlet.Crush Productions) [File not signed]
R2 Focusrite Control Server; C:\Program Files\Focusrite\Focusrite Control\Server\ControlServer.exe [1212928 2016-06-30] (Focusrite Audio Engineering Ltd.) [File not signed]
R2 hddrsrv; C:\Program Files (x86)\HDD Regenerator\hrsrv.exe [82144 2013-05-08] ()
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-11-29] (Malwarebytes)
R2 PlexUpdateService; C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe [1919472 2016-12-15] (Plex, Inc.)
R2 RzKLService; C:\Program Files (x86)\Razer\Razer Game Booster\RzKLService.exe [105448 2013-11-22] (Razer Inc.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10216688 2016-11-28] (TeamViewer GmbH)
R2 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2016-12-05] (Stas'M Corp.) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2016-10-25] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-10-25] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 ambakdrv; C:\WINDOWS\System32\ambakdrv.sys [30648 2015-02-25] () [File not signed]
R2 amdacpksd; C:\WINDOWS\system32\drivers\amdacpksd.sys [313760 2016-07-15] (Advanced Micro Devices)
S0 amdkmafd; C:\WINDOWS\System32\drivers\amdkmafd.sys [49448 2016-08-18] (Advanced Micro Devices, Inc.)
R2 ammntdrv; C:\WINDOWS\system32\ammntdrv.sys [151480 2015-02-25] () [File not signed]
R2 amwrtdrv; C:\WINDOWS\system32\amwrtdrv.sys [17848 2015-02-25] () [File not signed]
R2 AODDriver4.3; C:\Program Files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R2 AODDriver4.3.0; C:\Program Files (x86)\AMD\OverDrive\amd64\AODDriver2.sys [60104 2014-09-19] (Advanced Micro Devices)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [101376 2016-07-24] (Advanced Micro Devices)
S3 bcbtums; C:\WINDOWS\system32\drivers\bcbtums.sys [186152 2016-02-17] (Broadcom Corporation.)
S3 CsrBtPort; C:\WINDOWS\system32\DRIVERS\CsrBtPort.sys [2784968 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrpan; C:\WINDOWS\System32\drivers\csrpan.sys [39616 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrserial; C:\WINDOWS\system32\DRIVERS\csrserial.sys [61128 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrusb; C:\WINDOWS\System32\Drivers\csrusb.sys [47296 2012-03-22] (Cambridge Silicon Radio Limited)
S3 csrusbfilter; C:\WINDOWS\System32\Drivers\csrusbfilter.sys [23752 2012-03-22] (Cambridge Silicon Radio Limited)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77408 2016-11-29] ()
S3 FocusriteUSB; C:\WINDOWS\System32\drivers\FocusriteUSB.sys [84496 2016-06-28] (Focusrite Audio Engineering Ltd.)
S3 FocusriteUSBAudio; C:\WINDOWS\system32\drivers\FocusriteUSBAudio.sys [45072 2016-06-28] (Focusrite Audio Engineering Ltd.)
S3 FocusriteUSBMidi; C:\WINDOWS\system32\drivers\FocusriteUSBMidi.sys [33808 2016-06-28] (Focusrite Audio Engineering Ltd.)
R3 FocusriteUSBSwRoot; C:\WINDOWS\System32\drivers\FocusriteUSBSwRoot.sys [92176 2016-06-28] (Focusrite Audio Engineering Ltd.)
R3 libusbK; C:\WINDOWS\System32\drivers\libusbK.sys [47200 2015-12-15] (hxxp://libusb-win32.sourceforge.net)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [176064 2016-12-19] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\drivers\farflt.sys [102856 2016-12-19] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [43968 2016-12-19] (Malwarebytes)
R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [250816 2016-12-19] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\drivers\mwac.sys [91584 2016-12-19] (Malwarebytes)
R0 pwdrvio; C:\WINDOWS\System32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [12504 2013-09-30] ()
R0 PxHlpa64; C:\WINDOWS\System32\drivers\PxHlpa64.sys [56336 2013-09-03] (Corel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [895256 2015-06-22] (Realtek                                            )
R3 ScpVBus; C:\WINDOWS\System32\drivers\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
R1 VBoxUSBMon; C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys [127432 2015-09-16] (BigNox Corporation)
R0 vsock; C:\WINDOWS\System32\drivers\vsock.sys [73296 2013-10-08] (VMware, Inc.)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 WinRing0_1_2_0; D:\Chris\Downloads\openhardwaremonitor-v0.7.1-beta\OpenHardwareMonitor\OpenHardwareMonitor.sys [14544 2016-12-19] (OpenLibSys.org)
R1 XQHDrv; C:\WINDOWS\system32\DRIVERS\XQHDrv.sys [253384 2015-09-15] (BigNox Corporation)
R1 XQHDrv; C:\Windows\SysWOW64\DRIVERS\XQHDrv.sys [253384 2015-09-15] (BigNox Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-19 14:36 - 2016-12-19 14:36 - 00000000 ____D C:\Users\Chris\Desktop\FRST-OlderVersion
2016-12-19 14:22 - 2016-12-19 14:30 - 00003652 _____ C:\Users\Chris\Desktop\Rkill.txt
2016-12-19 14:22 - 2016-12-19 14:22 - 05659917 _____ (Swearware) C:\Users\Chris\Downloads\ComboFix.exe
2016-12-19 14:22 - 2016-12-19 14:22 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Chris\Downloads\rkill.exe
2016-12-19 14:21 - 2016-12-19 14:21 - 01663040 _____ (Malwarebytes) C:\Users\Chris\Downloads\JRT (1).exe
2016-12-19 14:19 - 2016-12-19 14:41 - 00000000 ____D C:\Users\Chris\AppData\Roaming\Imminent
2016-12-19 14:16 - 2016-12-19 14:16 - 00001416 _____ C:\Users\Chris\Desktop\JRT.txt
2016-12-19 14:13 - 2016-12-19 14:13 - 01663040 _____ (Malwarebytes) C:\Users\Chris\Downloads\JRT.exe
2016-12-19 14:05 - 2016-12-19 14:05 - 03977168 _____ C:\Users\Chris\Downloads\AdwCleaner.exe
2016-12-19 13:57 - 2016-12-19 13:57 - 00000000 ____D C:\Users\Chris\Documents\Bluetooth Exchange Folder
2016-12-19 13:57 - 2016-12-19 13:57 - 00000000 ____D C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth
2016-12-19 13:57 - 2016-12-19 13:57 - 00000000 ____D C:\Users\Chris\AppData\Local\Broadcom
2016-12-19 13:57 - 2016-12-19 13:57 - 00000000 _____ C:\Users\Chris\Desktop\New Text Document.txt
2016-12-19 13:54 - 2016-12-19 13:54 - 00000000 ____D C:\WINDOWS\LastGood.Tmp
2016-12-19 13:53 - 2016-12-19 13:53 - 104167064 _____ (Igor Pavlov) C:\Users\Chris\Downloads\USB-BT4LE_win8.1_10_x64.exe
2016-12-19 13:53 - 2016-12-19 13:53 - 00000000 ____D C:\Program Files\WIDCOMM
2016-12-19 13:53 - 2016-02-17 14:00 - 00213312 _____ (Broadcom Corporation.) C:\WINDOWS\system32\Drivers\btwampfl.sys
2016-12-19 13:53 - 2016-02-17 14:00 - 00186152 _____ (Broadcom Corporation.) C:\WINDOWS\system32\Drivers\bcbtums.sys
2016-12-19 13:53 - 2015-12-16 22:18 - 00049952 _____ (Broadcom Corporation.) C:\WINDOWS\system32\Drivers\btwl2cap.sys
2016-12-19 13:53 - 2015-12-09 18:47 - 00262440 _____ (Broadcom Corporation.) C:\WINDOWS\system32\Drivers\btwavdt.sys
2016-12-19 13:53 - 2015-12-09 18:47 - 00212760 _____ (Broadcom Corporation.) C:\WINDOWS\system32\Drivers\btwaudio.sys
2016-12-19 12:15 - 2016-12-19 12:15 - 00001782 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-12-19 12:15 - 2016-12-19 12:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-12-19 12:15 - 2016-12-19 12:15 - 00000000 ____D C:\Program Files\iTunes
2016-12-19 12:15 - 2016-12-19 12:15 - 00000000 ____D C:\Program Files\iPod
2016-12-17 14:16 - 2016-12-19 14:09 - 00176064 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2016-12-17 14:15 - 2016-12-19 14:40 - 00102856 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2016-12-17 14:15 - 2016-12-19 14:40 - 00091584 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2016-12-17 14:15 - 2016-12-19 14:39 - 00250816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-12-17 14:15 - 2016-12-19 13:02 - 00002053 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2016-12-17 14:15 - 2016-12-17 14:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-12-17 14:15 - 2016-12-17 14:15 - 00000000 ____D C:\Program Files\Malwarebytes
2016-12-17 14:15 - 2016-11-29 06:27 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2016-12-17 14:14 - 2016-12-19 14:40 - 00043968 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-12-17 13:57 - 2016-12-17 13:57 - 08803648 _____ (Piriform Ltd) C:\Users\Chris\Downloads\ccsetup525.exe
2016-12-17 13:57 - 2016-12-17 13:57 - 00002870 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2016-12-17 13:57 - 2016-12-17 13:57 - 00000823 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-12-17 13:57 - 2016-12-17 13:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-12-17 13:57 - 2016-12-17 13:57 - 00000000 ____D C:\Program Files\CCleaner
2016-12-17 13:26 - 2016-12-17 13:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Plex Media Server
2016-12-17 13:26 - 2016-12-17 13:26 - 00000000 ____D C:\Program Files (x86)\Plex
2016-12-17 13:06 - 2016-12-17 13:10 - 00000000 ____D C:\JDownloader v2.0
2016-12-17 13:05 - 2016-12-17 13:05 - 00248946 _____ C:\Users\Chris\Downloads\Install JDownloader (1).rar
2016-12-17 13:05 - 2016-12-17 13:05 - 00000000 ____D C:\Users\Chris\Desktop\jd2
2016-12-16 17:21 - 2016-12-19 14:08 - 00000000 ____D C:\AdwCleaner
2016-12-16 17:21 - 2016-12-16 17:21 - 03977168 _____ C:\Users\Chris\Downloads\adwcleaner_6.041.exe
2016-12-16 04:09 - 2016-12-16 04:30 - 00000000 ____D C:\Users\Chris\Desktop\mbar
2016-12-16 04:09 - 2016-12-16 04:30 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-12-16 04:09 - 2016-12-16 04:09 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Chris\Downloads\mbar-1.09.3.1001.exe
2016-12-16 03:57 - 2016-12-16 03:57 - 00000000 ____N C:\Users\Chris\Downloads\JD2.lock
2016-12-16 03:57 - 2016-12-16 03:57 - 00000000 ____D C:\Users\Chris\Downloads\update
2016-12-16 03:56 - 2016-12-16 03:57 - 00000000 ____D C:\Users\Chris\Downloads\tmp
2016-12-16 01:59 - 2016-12-19 14:38 - 00024797 _____ C:\Users\Chris\Desktop\Addition.txt
2016-12-16 01:58 - 2016-12-19 14:41 - 00032068 _____ C:\Users\Chris\Desktop\FRST.txt
2016-12-16 01:58 - 2016-12-19 14:37 - 00000000 ____D C:\FRST
2016-12-16 01:57 - 2016-12-19 14:36 - 02420224 _____ (Farbar) C:\Users\Chris\Desktop\FRST64.exe
2016-12-16 01:41 - 2016-12-16 01:41 - 00001118 _____ C:\Users\Chris\Desktop\virus.txt
2016-12-16 00:32 - 2016-12-16 00:32 - 06705178 _____ C:\Users\Chris\Downloads\mbam-chameleon-3.1.33.0.zip
2016-12-16 00:30 - 2016-12-17 13:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-12-16 00:30 - 2016-12-16 00:30 - 00097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2016-12-16 00:28 - 2016-12-16 00:28 - 00737344 _____ (Oracle Corporation) C:\Users\Chris\Downloads\JavaSetup8u111 (1).exe
2016-12-16 00:18 - 2016-12-16 03:56 - 00000000 ____D C:\Program Files\JDownloader v2.0
2016-12-16 00:02 - 2016-12-16 00:02 - 00496816 _____ C:\Users\Chris\Desktop\JDownloader2Setup (2).exe
2016-12-15 01:57 - 2016-12-15 01:57 - 00546112 _____ C:\Users\Chris\Downloads\JDownloader2Setup (1).exe
2016-12-15 01:54 - 2016-12-16 00:30 - 00000000 ____D C:\Program Files (x86)\Java
2016-12-15 01:54 - 2016-12-15 01:54 - 00737344 _____ (Oracle Corporation) C:\Users\Chris\Downloads\JavaSetup8u111.exe
2016-12-15 01:30 - 2016-12-15 01:30 - 56501344 _____ (Oracle Corporation) C:\Users\Chris\Downloads\jre-8u60-setup.exe
2016-12-15 01:21 - 2016-12-15 01:24 - 00000000 ____D C:\Users\Chris\Downloads\libs
2016-12-15 01:21 - 2016-12-15 01:24 - 00000000 ____D C:\Users\Chris\Downloads\jd
2016-12-15 01:21 - 2016-12-15 01:24 - 00000000 ____D C:\Users\Chris\Downloads\extensions
2016-12-15 01:21 - 2016-12-15 01:21 - 00039624 _____ C:\Users\Chris\Downloads\license_german.txt
2016-12-15 01:21 - 2016-12-15 01:21 - 00032034 _____ C:\Users\Chris\Downloads\license.txt
2016-12-15 01:21 - 2016-12-15 01:21 - 00000319 _____ C:\Users\Chris\Downloads\build.json
2016-12-15 01:21 - 2016-12-15 01:21 - 00000000 ____D C:\Users\Chris\Downloads\translations
2016-12-15 01:21 - 2016-12-15 01:21 - 00000000 ____D C:\Users\Chris\Downloads\tools
2016-12-15 01:21 - 2016-12-15 01:21 - 00000000 ____D C:\Users\Chris\Downloads\themes
2016-12-15 01:21 - 2016-12-15 01:21 - 00000000 ____D C:\Users\Chris\Downloads\java
2016-12-15 01:20 - 2016-12-16 03:57 - 00000000 ____D C:\Users\Chris\Downloads\cfg
2016-12-15 01:18 - 2016-12-15 01:18 - 33055480 _____ (AppWork GmbH) C:\Users\Chris\Downloads\JDownloader2Setup.exe
2016-12-15 01:16 - 2016-12-15 01:45 - 00000000 ____D C:\Users\Chris\AppData\Local\JDownloader 2.0
2016-12-15 01:15 - 2016-12-15 01:15 - 00076504 _____ (AppWork GmbH) C:\Users\Chris\Downloads\WebInstaller.exe
2016-12-15 01:11 - 2016-12-15 01:11 - 00000000 ____D C:\Users\Chris\Downloads\Install JDownloader
2016-12-15 01:02 - 2016-12-15 01:02 - 00248946 _____ C:\Users\Chris\Downloads\Install JDownloader.rar
2016-12-15 01:02 - 2015-09-04 07:57 - 00298064 _____ C:\Users\Chris\Downloads\Install JDownloader.exe
2016-12-15 00:34 - 2016-12-15 00:34 - 00001040 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2016-12-15 00:34 - 2016-12-15 00:34 - 00001028 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2016-12-15 00:18 - 2016-12-15 00:18 - 00000000 _____ C:\Users\Chris\Desktop\app error.txt
2016-12-15 00:13 - 2016-12-15 00:13 - 00010227 _____ C:\Users\Chris\Desktop\thsf.xspf
2016-12-14 23:57 - 2016-12-19 14:41 - 00000032 _____ C:\Users\Chris\Documents\New text document.txt
2016-12-14 23:57 - 2016-12-14 23:57 - 00000000 ____D C:\Users\Chris\AppData\Roaming\NET Tools
2016-12-14 14:59 - 2016-12-14 14:59 - 00000000 ____D C:\Users\Chris\AppData\Local\Amazon Drive
2016-12-14 14:58 - 2016-12-14 14:58 - 00875192 _____ (Amazon) C:\Users\Chris\Downloads\AmazonDriveSetup (1).exe
2016-12-14 13:33 - 2016-12-14 13:26 - 01191936 __RSH () C:\WINDOWS\SysWOW64\ShellExecution.exe
2016-12-14 13:26 - 2016-12-14 13:26 - 00000000 _RSHD C:\Program Files (x86)\Shell Extension Monitor
2016-12-14 12:54 - 2016-12-14 12:54 - 01815552 _____ (Microsoft) C:\ProgramData\CLMonitor.exe
2016-12-14 12:54 - 2016-12-14 12:54 - 00000000 ____D C:\WINDOWS\System32\Tasks\Update
2016-12-14 06:05 - 2016-12-14 06:05 - 00000000 ____D C:\Users\Guest1\AppData\Local\Apple
2016-12-13 23:16 - 2016-12-13 23:16 - 00000000 ____D C:\Users\Guest1\AppData\Local\ElevatedDiagnostics
2016-12-13 22:55 - 2016-11-22 06:42 - 00384864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\clfs.sys
2016-12-13 22:55 - 2016-11-22 05:43 - 03692040 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-12-13 22:55 - 2016-11-22 05:38 - 01540224 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2016-12-13 22:55 - 2016-11-22 05:38 - 00692136 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppwinob.dll
2016-12-13 22:55 - 2016-11-22 05:36 - 00159640 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcrypt.dll
2016-12-13 22:55 - 2016-11-22 05:35 - 00609056 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-12-13 22:55 - 2016-11-22 05:35 - 00075448 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidapi.dll
2016-12-13 22:55 - 2016-11-22 05:04 - 02549456 _____ (Microsoft Corporation) C:\WINDOWS\system32\d3d10warp.dll
2016-12-13 22:55 - 2016-11-22 05:03 - 01777280 _____ (Microsoft Corporation) C:\WINDOWS\system32\WindowsCodecs.dll
2016-12-13 22:55 - 2016-11-22 05:02 - 01594416 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-12-13 22:55 - 2016-11-22 05:02 - 01399216 _____ (Microsoft Corporation) C:\WINDOWS\system32\user32.dll
2016-12-13 22:55 - 2016-11-22 04:32 - 00119296 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataTimeUtil.dll
2016-12-13 22:55 - 2016-11-22 04:24 - 02938408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-12-13 22:55 - 2016-11-22 04:21 - 00019456 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidcertstorecheck.exe
2016-12-13 22:55 - 2016-11-22 04:17 - 00106896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\bcrypt.dll
2016-12-13 22:55 - 2016-11-22 04:16 - 00064072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\appidapi.dll
2016-12-13 22:55 - 2016-11-22 04:13 - 00045056 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidsvc.dll
2016-12-13 22:55 - 2016-11-22 04:00 - 00161792 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidpolicyconverter.exe
2016-12-13 22:55 - 2016-11-22 03:59 - 00221696 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2016-12-13 22:55 - 2016-11-22 03:55 - 00431104 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcastdvr.exe
2016-12-13 22:55 - 2016-11-22 03:54 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-12-13 22:55 - 2016-11-22 03:50 - 00715776 _____ (Microsoft Corporation) C:\WINDOWS\system32\GamePanel.exe
2016-12-13 22:55 - 2016-11-22 03:49 - 02195640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d3d10warp.dll
2016-12-13 22:55 - 2016-11-22 03:48 - 01522672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WindowsCodecs.dll
2016-12-13 22:55 - 2016-11-22 03:47 - 01372312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-12-13 22:55 - 2016-11-22 03:47 - 01337240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user32.dll
2016-12-13 22:55 - 2016-11-22 03:35 - 00784896 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-12-13 22:55 - 2016-11-22 03:32 - 01386496 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2016-12-13 22:55 - 2016-11-22 03:27 - 01752576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-12-13 22:55 - 2016-11-22 03:20 - 00223744 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapibase.dll
2016-12-13 22:55 - 2016-11-22 03:12 - 00094720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserDataTimeUtil.dll
2016-12-13 22:55 - 2016-11-22 03:04 - 03587584 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2016-12-13 22:55 - 2016-11-22 02:57 - 03351040 _____ (Microsoft Corporation) C:\WINDOWS\system32\msi.dll
2016-12-13 22:55 - 2016-11-22 02:54 - 00070656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppCapture.dll
2016-12-13 22:55 - 2016-11-22 02:53 - 01728000 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-12-13 22:55 - 2016-11-22 02:41 - 00348160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\bcastdvr.exe
2016-12-13 22:55 - 2016-11-22 02:38 - 00541184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GamePanel.exe
2016-12-13 22:55 - 2016-11-22 02:36 - 00766464 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapi.dll
2016-12-13 22:55 - 2016-11-22 02:26 - 01388032 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2016-12-13 22:55 - 2016-11-22 02:26 - 00687616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-12-13 22:55 - 2016-11-22 02:21 - 01526272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2016-12-13 22:55 - 2016-11-22 02:15 - 22373376 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-12-13 22:55 - 2016-11-22 02:14 - 04895744 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-12-13 22:55 - 2016-11-22 02:02 - 24610304 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-12-13 22:55 - 2016-11-22 02:01 - 13392384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-12-13 22:55 - 2016-11-22 01:59 - 03671040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msi.dll
2016-12-13 22:55 - 2016-11-22 01:55 - 01500160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-12-13 22:55 - 2016-11-22 01:49 - 07839232 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-12-13 22:55 - 2016-11-22 01:35 - 19350016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-12-13 22:55 - 2016-11-22 01:34 - 18670080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-12-13 22:55 - 2016-11-22 01:34 - 12134400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-12-13 22:55 - 2016-11-22 01:32 - 03663872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-12-13 22:55 - 2016-11-22 01:17 - 05658624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-12-13 14:28 - 2016-12-13 14:28 - 00000000 ____D C:\Users\Guest1\AppData\Local\PeerDistRepub
2016-12-12 18:31 - 2016-12-13 21:52 - 00000000 ____D C:\Users\Chris\Desktop\time lapse pizza
2016-12-12 12:41 - 2016-12-12 12:35 - 01127936 __RSH (Electronic Arts) C:\Users\Chris\AppData\Roaming\ShellExecution.exe
2016-12-12 12:35 - 2016-12-16 17:34 - 00003298 _____ C:\WINDOWS\System32\Tasks\Shell Extension Service
2016-12-12 12:35 - 2016-12-14 13:26 - 00000000 _RSHD C:\Users\Chris\AppData\Roaming\Shell Extension
2016-12-12 12:35 - 2016-12-14 12:54 - 00000000 _RSHD C:\ProgramData\Shell Extension Monitor
2016-12-12 12:35 - 2016-12-12 12:35 - 00001607 __RSH C:\ProgramData\Shell Extension Service
2016-12-12 02:31 - 2016-12-12 02:31 - 00875192 _____ (Amazon) C:\Users\Chris\Downloads\AmazonDriveSetup.exe
2016-12-11 17:10 - 2016-12-11 17:10 - 00000000 ____D C:\Users\Guest1\AppData\Local\WellWeWeb
2016-12-06 12:59 - 2016-12-06 12:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Radeon Settings
2016-12-05 23:50 - 2016-12-05 23:50 - 00000000 ____D C:\Users\Guest1\AppData\Local\Comms
2016-12-05 23:41 - 2016-12-05 23:41 - 00000000 ____D C:\Users\Guest1\AppData\LocalLow\AMD
2016-12-05 23:34 - 2016-12-05 23:34 - 00003346 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task
2016-12-05 23:34 - 2016-12-05 23:34 - 00000000 ____D C:\Users\Guest1\AppData\Roaming\Logishrd
2016-12-05 23:34 - 2016-12-05 23:34 - 00000000 ____D C:\Users\Guest1\AppData\Local\ActiveSync
2016-12-05 23:33 - 2016-12-13 17:18 - 00000000 ____D C:\Users\Guest1\AppData\Roaming\Apple Computer
2016-12-05 23:33 - 2016-12-05 23:34 - 00002366 _____ C:\Users\Guest1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-12-05 23:33 - 2016-12-05 23:34 - 00000000 ___RD C:\Users\Guest1\OneDrive
2016-12-05 23:33 - 2016-12-05 23:33 - 00000000 ____D C:\Users\Guest1\AppData\Roaming\Skype
2016-12-05 23:33 - 2016-12-05 23:33 - 00000000 ____D C:\Users\Guest1\AppData\Roaming\Logitech
2016-12-05 23:33 - 2016-12-05 23:33 - 00000000 ____D C:\Users\Guest1\AppData\Roaming\DellFaxCtr
2016-12-05 23:33 - 2016-12-05 23:33 - 00000000 ____D C:\Users\Guest1\AppData\Local\Publishers
2016-12-05 23:33 - 2016-12-05 23:33 - 00000000 ____D C:\Users\Guest1\AppData\Local\AMD
2016-12-05 23:33 - 2016-12-05 23:33 - 00000000 ____D C:\Users\Guest1\AppData\Local\Adobe
2016-12-05 23:32 - 2016-12-05 23:52 - 00000000 ____D C:\Users\Guest1\AppData\Local\Packages
2016-12-05 23:32 - 2016-12-05 23:49 - 00000000 ____D C:\Users\Guest1\AppData\Local\Google
2016-12-05 23:32 - 2016-12-05 23:41 - 00002332 _____ C:\Users\Guest1\Desktop\Google Chrome.lnk
2016-12-05 23:32 - 2016-12-05 23:33 - 00000000 ____D C:\Users\Guest1\AppData\Roaming\Adobe
2016-12-05 23:32 - 2016-12-05 23:33 - 00000000 ____D C:\Users\Guest1
2016-12-05 23:32 - 2016-12-05 23:32 - 00000020 ___SH C:\Users\Guest1\ntuser.ini
2016-12-05 23:32 - 2016-12-05 23:32 - 00000000 _SHDL C:\Users\Guest1\My Documents
2016-12-05 23:32 - 2016-12-05 23:32 - 00000000 _SHDL C:\Users\Guest1\Documents\My Videos
2016-12-05 23:32 - 2016-12-05 23:32 - 00000000 _SHDL C:\Users\Guest1\Documents\My Pictures
2016-12-05 23:32 - 2016-12-05 23:32 - 00000000 _SHDL C:\Users\Guest1\Documents\My Music
2016-12-05 23:32 - 2016-12-05 23:32 - 00000000 ____D C:\Users\Guest1\AppData\Local\VirtualStore
2016-12-05 23:32 - 2016-12-05 23:32 - 00000000 ____D C:\Users\Guest1\AppData\Local\TileDataLayer
2016-12-05 23:32 - 2016-06-06 22:14 - 00000000 ____D C:\Users\Guest1\AppData\Roaming\Macromedia
2016-12-05 23:32 - 2015-12-15 12:02 - 00000000 ____D C:\Users\Guest1\AppData\Local\Microsoft Help
2016-12-05 23:29 - 2016-12-05 23:29 - 01289728 _____ (Stas'M Corp.) C:\Users\Chris\AppData\Roaming\Rdp.exe
2016-12-05 23:29 - 2016-12-05 23:29 - 00000000 ____D C:\Program Files\RDP Wrapper
2016-12-05 23:21 - 2016-12-05 23:21 - 00000000 ____D C:\Program Files (x86)\UPNP Host
2016-12-05 23:20 - 2016-12-19 14:41 - 00000000 ____D C:\Users\Chris\AppData\Roaming\498802FD-0AD2-434E-B3FB-BCEE43053EDC
2016-12-04 17:26 - 2016-12-04 17:26 - 00000000 ____D C:\Program Files (x86)\Shell Execution Monitor
2016-12-04 16:58 - 2016-12-04 16:58 - 00003284 _____ C:\WINDOWS\System32\Tasks\Shell Execution Service
2016-12-04 16:58 - 2016-12-04 16:58 - 00001600 __RSH C:\ProgramData\Shell Execution Service
2016-12-01 14:00 - 2016-12-12 12:35 - 00000000 _RSHD C:\ProgramData\Shell Execution Monitor
2016-12-01 14:00 - 2016-12-01 14:00 - 00000000 _RSHD C:\Users\Chris\AppData\Roaming\Shell Execution
2016-11-28 15:45 - 2016-11-28 15:45 - 48834072 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\system32\amdocl64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 38277664 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\SysWOW64\amdocl.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 33258008 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\atio6axx.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 27499032 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\system32\amdocl12cl64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 27304984 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\SysWOW64\atioglxx.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 21649952 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\SysWOW64\amdocl12cl.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 15737368 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\system32\aticaldd64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 14328344 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\SysWOW64\aticaldd.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 09935896 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amdvlk64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 09393176 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amdxc64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 09320984 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amdmantle64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 08075288 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\amdvlk32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 07729472 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\amdxc32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 07373344 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\amdmantle32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 07285848 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atiumdag.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 03471376 _____ C:\WINDOWS\SysWOW64\atiumdva.cap
2016-11-28 15:45 - 2016-11-28 15:45 - 03437632 _____ C:\WINDOWS\system32\atiumd6a.cap
2016-11-28 15:45 - 2016-11-28 15:45 - 02490392 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\amfrt64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 02389528 _____ C:\WINDOWS\system32\amdoclvp9lib64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 02299928 _____ C:\WINDOWS\SysWOW64\amdoclvp9lib32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 02172952 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\SysWOW64\amfrt32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 01007640 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\SysWOW64\atiadlxy.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 01007640 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\SysWOW64\atiadlxx.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00854552 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\amdlvr64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00761544 _____ C:\WINDOWS\SysWOW64\atiapfxx.blb
2016-11-28 15:45 - 2016-11-28 15:45 - 00761544 _____ C:\WINDOWS\system32\atiapfxx.blb
2016-11-28 15:45 - 2016-11-28 15:45 - 00688672 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\SysWOW64\amdlvr32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00535584 _____ (AMD) C:\WINDOWS\system32\atieclxx.exe
2016-11-28 15:45 - 2016-11-28 15:45 - 00475632 _____ C:\WINDOWS\system32\amdmiracast.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00468000 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\atidemgy.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00411672 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\atiapfxx.exe
2016-11-28 15:45 - 2016-11-28 15:45 - 00358424 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\ATIODE.exe
2016-11-28 15:45 - 2016-11-28 15:45 - 00298528 _____ (AMD) C:\WINDOWS\system32\atiesrxx.exe
2016-11-28 15:45 - 2016-11-28 15:45 - 00295960 _____ (AMD) C:\WINDOWS\system32\atitmm64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00291352 _____ C:\WINDOWS\system32\dgtrayicon.exe
2016-11-28 15:45 - 2016-11-28 15:45 - 00284696 _____ C:\WINDOWS\system32\GameManager64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00278552 _____ C:\WINDOWS\system32\clinfo.exe
2016-11-28 15:45 - 2016-11-28 15:45 - 00277016 _____ C:\WINDOWS\system32\hsa-thunk64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00249376 _____ C:\WINDOWS\SysWOW64\GameManager32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00242712 _____ C:\WINDOWS\SysWOW64\hsa-thunk.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00239640 _____ C:\WINDOWS\system32\atieah64.exe
2016-11-28 15:45 - 2016-11-28 15:45 - 00217624 _____ C:\WINDOWS\SysWOW64\atieah32.exe
2016-11-28 15:45 - 2016-11-28 15:45 - 00210968 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atig6txx.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00184856 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atigktxx.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00177280 _____ C:\WINDOWS\system32\ativce03.dat
2016-11-28 15:45 - 2016-11-28 15:45 - 00169504 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\mantle64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00164376 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amduve64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00149640 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\aticfxstub64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00145944 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atisamu64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00144408 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\mantle32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00143904 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\amduve32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00138784 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\mantleaxl64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00137256 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\aticfxstub32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00134448 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atiu9pag.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00132128 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atig6pxx.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00127000 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atisamu32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00121888 _____ (Khronos Group) C:\WINDOWS\system32\OpenCL.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00120384 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atimpc64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00120384 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amdpcom64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00119832 _____ (AMD) C:\WINDOWS\system32\atimuixx.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00118320 _____ C:\WINDOWS\system32\kapp_ci.sbin
2016-11-28 15:45 - 2016-11-28 15:45 - 00118296 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\mantleaxl32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00116760 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atiglpxx.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00116760 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atiglpxx.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00112664 _____ (Khronos Group) C:\WINDOWS\SysWOW64\OpenCL.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00110104 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atidxxstub64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00109080 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amdxcstub64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00102672 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atimpc32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00102672 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\amdpcom32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00100832 _____ C:\WINDOWS\system32\ativce02.dat
2016-11-28 15:45 - 2016-11-28 15:45 - 00098840 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atidxxstub32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00096792 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\amdxcstub32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00092184 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amdmcl64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00088088 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\system32\aticalrt64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00081432 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\system32\aticalcl64.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00077848 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\SysWOW64\aticalrt.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00076824 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\ATIODCLI.exe
2016-11-28 15:45 - 2016-11-28 15:45 - 00076312 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amdmmcl6.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00075800 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\amdmcl32.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00074776 _____ (Advanced Micro Devices Inc.) C:\WINDOWS\SysWOW64\aticalcl.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00069144 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\Drivers\ati2erec.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00064032 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\amdmmcl.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00029720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\detoured.dll
2016-11-28 15:45 - 2016-11-28 15:45 - 00029720 _____ (Microsoft Corporation) C:\WINDOWS\system32\detoured.dll
2016-11-28 15:44 - 2016-11-28 15:44 - 00257560 _____ C:\WINDOWS\system32\amdgfxinfo64.dll
2016-11-28 15:44 - 2016-11-28 15:44 - 00230432 _____ C:\WINDOWS\SysWOW64\amdgfxinfo32.dll
2016-11-28 15:44 - 2016-11-28 15:44 - 00209944 _____ C:\WINDOWS\system32\amdhdl64.dll
2016-11-28 15:44 - 2016-11-28 15:44 - 00189976 _____ C:\WINDOWS\SysWOW64\amdhdl32.dll
2016-11-28 15:44 - 2016-11-28 15:44 - 00175584 _____ C:\WINDOWS\system32\amde31a.dat
2016-11-28 15:44 - 2016-11-28 15:44 - 00166560 _____ C:\WINDOWS\system32\amde34b.dat
2016-11-28 15:44 - 2016-11-28 15:44 - 00166560 _____ C:\WINDOWS\system32\amde34a.dat
2016-11-28 15:44 - 2016-11-28 15:44 - 00156248 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amdave64.dll
2016-11-28 15:44 - 2016-11-28 15:44 - 00152096 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\amdhcp64.dll
2016-11-28 15:44 - 2016-11-28 15:44 - 00135920 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\SysWOW64\amdhcp32.dll
2016-11-28 15:44 - 2016-11-28 15:44 - 00135408 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\amdave32.dll
2016-11-27 01:55 - 2016-11-27 01:55 - 00000000 ____D C:\Users\Chris\AppData\Local\NET Tools Services
2016-11-27 01:55 - 2016-11-27 01:55 - 00000000 ____D C:\NET Tools Services
2016-11-27 01:47 - 2016-11-27 01:47 - 00000000 ___HD C:\$Windows.~BT
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-19 14:42 - 2015-10-08 21:21 - 00003806 _____ C:\WINDOWS\System32\Tasks\AutoKMS
2016-12-19 14:41 - 2015-12-15 15:24 - 00000000 ____D C:\Users\Chris\AppData\Local\Deployment
2016-12-19 14:40 - 2015-10-08 21:05 - 00000934 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-12-19 14:39 - 2015-12-15 12:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-12-19 14:39 - 2015-12-15 11:57 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2016-12-19 14:39 - 2015-11-02 23:34 - 00000000 ____D C:\ProgramData\VMware
2016-12-19 14:39 - 2015-10-30 01:28 - 00786432 ___SH C:\WINDOWS\system32\config\BBI
2016-12-19 14:30 - 2015-10-08 21:05 - 00000938 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-12-19 14:20 - 2015-10-08 20:48 - 00000000 ____D C:\Users\Chris\AppData\Local\JDownloader v2.0
2016-12-19 14:09 - 2015-10-30 02:21 - 00000000 ____D C:\WINDOWS\INF
2016-12-19 14:09 - 2015-10-09 03:49 - 00000442 __RSH C:\ProgramData\ntuser.pol
2016-12-19 13:56 - 2015-10-28 02:29 - 00000000 ____D C:\Program Files (x86)\SpeedFan
2016-12-19 13:12 - 2015-10-09 02:59 - 00000000 ____D C:\BluetoothExchangeFolder
2016-12-19 12:15 - 2015-10-08 22:02 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-12-19 09:00 - 2016-06-21 14:33 - 00001024 ____H C:\SYSTAG.BIN
2016-12-19 09:00 - 2016-06-21 14:33 - 00000082 _____ C:\WINDOWS\SysWOW64\winsevr.dat
2016-12-18 20:54 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-12-18 16:07 - 2015-10-14 03:08 - 00000438 _____ C:\WINDOWS\Tasks\Defraggler Volume D Task.job
2016-12-18 02:00 - 2016-05-20 17:04 - 00000000 ____D C:\Users\Chris\AppData\Local\Adobe
2016-12-17 14:22 - 2015-10-08 22:09 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-12-17 14:15 - 2015-10-08 22:09 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-17 13:49 - 2016-06-06 21:49 - 00001142 _____ C:\WINDOWS\system32\Drivers\etc\hosts.txt
2016-12-17 13:26 - 2015-10-08 21:14 - 00000000 ____D C:\ProgramData\Package Cache
2016-12-16 21:47 - 2015-10-30 02:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-12-16 17:33 - 2016-11-14 00:07 - 00000035 _____ C:\Users\Chris\Desktop\mdwandre.txt
2016-12-16 17:33 - 2015-10-08 08:23 - 00000000 ____D C:\Users\Chris\AppData\Roaming\vlc
2016-12-16 01:07 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\rescache
2016-12-16 00:49 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\Web
2016-12-16 00:36 - 2015-12-15 11:57 - 05083208 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-12-16 00:31 - 2015-10-08 21:04 - 00000000 ____D C:\ProgramData\Oracle
2016-12-16 00:28 - 2015-10-08 21:04 - 00000000 ____D C:\Program Files\Java
2016-12-15 01:47 - 2015-10-08 21:04 - 00000000 ____D C:\Users\Chris\.oracle_jre_usage
2016-12-15 00:34 - 2015-10-26 18:54 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-12-15 00:31 - 2015-10-08 21:05 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-12-14 23:54 - 2015-10-27 01:13 - 00000000 ____D C:\Users\Chris\Documents\movingdesktop
2016-12-14 15:32 - 2016-01-14 07:11 - 00000000 ____D C:\Program Files (x86)\Guitar Scales Method
2016-12-14 14:59 - 2016-08-26 02:10 - 00001202 _____ C:\Users\Chris\Desktop\Amazon Drive.lnk
2016-12-14 14:59 - 2016-06-06 18:54 - 00001214 _____ C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon Drive.lnk
2016-12-14 14:59 - 2015-12-12 14:52 - 00000000 ____D C:\Users\Chris\AppData\Roaming\Amazon Cloud Drive
2016-12-14 14:55 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\oobe
2016-12-13 23:06 - 2015-10-30 02:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-12-13 23:04 - 2015-10-09 01:41 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-12-13 23:01 - 2015-10-09 01:41 - 135632432 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-12-13 17:37 - 2015-10-08 20:31 - 00000000 ____D C:\Users\Chris\AppData\Local\Packages
2016-12-13 10:01 - 2015-10-09 00:08 - 00000000 ____D C:\ProgramData\KMSAutoS
2016-12-12 19:52 - 2015-10-08 07:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-12 19:52 - 2015-10-08 07:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-12-12 19:51 - 2015-10-08 21:59 - 00000000 ____D C:\Users\Chris\AppData\Roaming\uTorrent
2016-12-12 17:35 - 2015-11-09 23:11 - 00000000 ____D C:\Users\Chris\AppData\Roaming\Mp3tag
2016-12-12 12:22 - 2015-11-09 23:46 - 00000000 ____D C:\Users\Chris\AppData\Roaming\spek
2016-12-12 11:39 - 2016-09-19 00:23 - 00000000 ____D C:\Users\Chris\AppData\LocalLow\uTorrent
2016-12-11 19:27 - 2015-10-08 20:33 - 00005630 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-12-11 18:03 - 2015-10-30 02:26 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-12-11 18:03 - 2015-10-30 02:26 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-07 13:52 - 2015-10-08 08:02 - 00000000 ____D C:\Users\Chris\AppData\Local\ElevatedDiagnostics
2016-12-06 13:01 - 2016-10-28 22:43 - 00000000 ____D C:\Users\Chris\AppData\LocalLow\AMD
2016-12-06 12:59 - 2015-11-06 00:04 - 00000000 ____D C:\ProgramData\AMD
2016-12-06 12:58 - 2015-12-15 11:57 - 00000000 ____D C:\Program Files\AMD
2016-12-06 12:57 - 2015-11-06 00:02 - 00000000 ____D C:\AMD
2016-12-05 23:32 - 2015-10-08 20:31 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-11-28 15:45 - 2016-10-26 00:04 - 00901656 _____ (AMD) C:\WINDOWS\system32\coinst_16.40.dll
2016-11-28 15:45 - 2016-03-31 17:46 - 10078120 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atiumdva.dll
2016-11-28 15:45 - 2015-11-24 02:36 - 11082912 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atiumd6a.dll
2016-11-28 15:45 - 2015-11-24 02:36 - 00181064 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atiuxp64.dll
2016-11-28 15:45 - 2015-11-24 02:36 - 00150496 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atiuxpag.dll
2016-11-28 15:45 - 2015-11-24 02:35 - 11075168 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atidxx64.dll
2016-11-28 15:45 - 2015-11-24 02:35 - 09206440 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\atidxx32.dll
2016-11-28 15:45 - 2015-11-24 02:35 - 08934832 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atiumd64.dll
2016-11-28 15:45 - 2015-11-24 02:35 - 01586368 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\aticfx64.dll
2016-11-28 15:45 - 2015-11-24 02:35 - 01303760 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\SysWOW64\aticfx32.dll
2016-11-28 15:45 - 2015-11-24 02:35 - 00161944 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atiu9p64.dll
2016-11-28 15:45 - 2015-11-24 02:31 - 26569872 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\Drivers\atikmdag.sys
2016-11-28 15:45 - 2015-11-24 02:31 - 00529440 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\Drivers\atikmpag.sys
2016-11-28 15:45 - 2015-11-24 02:30 - 01342488 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\atiadlxx.dll
2016-11-27 01:47 - 2016-09-06 18:10 - 00000000 ____D C:\WINDOWS\Panther
2016-11-27 01:47 - 2015-12-15 11:45 - 00001908 _____ C:\WINDOWS\diagwrn.xml
2016-11-27 01:47 - 2015-12-15 11:45 - 00001908 _____ C:\WINDOWS\diagerr.xml
2016-11-25 22:15 - 2016-08-04 02:36 - 00000000 ____D C:\Program Files (x86)\VulkanRT
 
==================== Files in the root of some directories =======
 
2015-10-08 07:36 - 2015-10-08 07:36 - 0000000 _____ () C:\Program Files (x86)\Common Files\AMD
2016-12-05 23:29 - 2016-12-05 23:29 - 1289728 _____ (Stas'M Corp.) C:\Users\Chris\AppData\Roaming\Rdp.exe
2016-12-12 12:41 - 2016-12-12 12:35 - 1127936 __RSH (Electronic Arts) C:\Users\Chris\AppData\Roaming\ShellExecution.exe
2015-10-10 00:14 - 2015-10-10 00:14 - 0007605 _____ () C:\Users\Chris\AppData\Local\Resmon.ResmonCfg
2015-10-27 00:53 - 2015-10-27 00:53 - 6678784 _____ (Piriform Ltd) C:\Users\Chris\AppData\Local\Tempccsetup510pro.exe
2015-10-27 00:53 - 2015-10-27 00:53 - 0025600 _____ (Microsoft) C:\Users\Chris\AppData\Local\TempSetup.exe
2016-12-14 12:54 - 2016-12-14 12:54 - 1815552 _____ (Microsoft) C:\ProgramData\CLMonitor.exe
2015-12-15 11:57 - 2015-12-15 11:57 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-12-04 16:58 - 2016-12-04 16:58 - 0001600 __RSH () C:\ProgramData\Shell Execution Service
2016-12-12 12:35 - 2016-12-12 12:35 - 0001607 __RSH () C:\ProgramData\Shell Extension Service
2016-05-20 18:46 - 2016-05-20 18:46 - 0000354 _____ () C:\ProgramData\StreamingMediaTechnologyLog.txt
 
Files to move or delete:
====================
C:\ProgramData\CLMonitor.exe
 
 
Some files in TEMP:
====================
C:\Users\Chris\AppData\Local\Temp\1.5.5 FINAL REAL 2.exe
C:\Users\Chris\AppData\Local\Temp\131262553580096995.exe
C:\Users\Chris\AppData\Local\Temp\131262559140476510.exe
C:\Users\Chris\AppData\Local\Temp\131262586743745820.exe
C:\Users\Chris\AppData\Local\Temp\131263382812821083.exe
C:\Users\Chris\AppData\Local\Temp\131263390721742804.exe
C:\Users\Chris\AppData\Local\Temp\131264715599622569.exe
C:\Users\Chris\AppData\Local\Temp\131265650310071194.exe
C:\Users\Chris\AppData\Local\Temp\20347.exe
C:\Users\Chris\AppData\Local\Temp\32848.exe
C:\Users\Chris\AppData\Local\Temp\42497.exe
C:\Users\Chris\AppData\Local\Temp\78358.exe
C:\Users\Chris\AppData\Local\Temp\82501.exe
C:\Users\Chris\AppData\Local\Temp\AmazonCloudDriveSetup.exe
C:\Users\Chris\AppData\Local\Temp\AmazonDriveSetup.exe
C:\Users\Chris\AppData\Local\Temp\AmazonDriveSetupQ.exe
C:\Users\Chris\AppData\Local\Temp\CloudDriveInstaller.exe
C:\Users\Chris\AppData\Local\Temp\dnHCaHDN.exe
C:\Users\Chris\AppData\Local\Temp\dp1.5.5 2.exe
C:\Users\Chris\AppData\Local\Temp\hhHgmuFq.exe
C:\Users\Chris\AppData\Local\Temp\JDSetup131262561272662035.exe
C:\Users\Chris\AppData\Local\Temp\jre-8u101-windows-au.exe
C:\Users\Chris\AppData\Local\Temp\jre-8u111-windows-au.exe
C:\Users\Chris\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\Chris\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\Chris\AppData\Local\Temp\libeay32.dll
C:\Users\Chris\AppData\Local\Temp\LogiOptionsUninstaller.exe
C:\Users\Chris\AppData\Local\Temp\msvcr120.dll
C:\Users\Chris\AppData\Local\Temp\proxy_vole2485213900853246609.dll
C:\Users\Chris\AppData\Local\Temp\proxy_vole4408406775370427791.dll
C:\Users\Chris\AppData\Local\Temp\proxy_vole5048831489500953789.dll
C:\Users\Chris\AppData\Local\Temp\proxy_vole5218276430011803765.dll
C:\Users\Chris\AppData\Local\Temp\sfamcc00001.dll
C:\Users\Chris\AppData\Local\Temp\sqlite3.dll
C:\Users\Chris\AppData\Local\Temp\vlc-2.2.4-win32.exe
C:\Users\Chris\AppData\Local\Temp\wVx4rt.exe
C:\Users\Chris\AppData\Local\Temp\_setup.exe
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-18 14:10
 
==================== End of FRST.txt ============================
 
 
 
 
 
Addition.txt is attached as well. Thanks for any help anyone can provide!



#2 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 20 December 2016 - 01:44 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Windows\AutoKMS\AutoKMS.exe
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [NET Tools Monitor] => C:\Users\Chris\AppData\Roaming\NET Tools\netprotocol.exe [493056 2016-12-14] (Michael Thummerer Software Design)
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Winlogon: [Shell] explorer.exe,"C:\Users\Chris\AppData\Roaming\ShellExecution.exe" <==== ATTENTION
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CheVolume.lnk [2016-07-25]
ShortcutTarget: CheVolume.lnk -> C:\Program Files (x86)\WellWeWeb\CheVolume\CheVolume.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
CHR StartupUrls: Default -> "hxxps://search.yahoo.com/?type=523482&fr=yo-yhp-ch","hxxps://mysearch.avg.com?cid={6DB0DC47-0A78-4348-B42A-5D7D9DBDA939}&mid=07bdcdbb118b47d39627d16d67fa436a-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=oc011&coid=avgtbdisoc&cmpid=&pr=sa&d=2014-09-04 01:31:17&v=18.1.9.786&pid=safeguard&sg=&sap=hp","hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_ir_16_03&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Dus%26pa%3D... (long line)
CHR Extension: (Flash Video Downloader) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc [2016-12-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Chrome Media Router) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
Task: {B8F8F4E6-A134-4EB1-867A-321BEBFC6D31} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-10-08] ()
Task: {E80E2E62-4B97-484F-A9F4-55A3A3E409F5} - System32\Tasks\KMSAutoNet => C:\ProgramData\KMSAutoS\KMSAuto Net.exe [2015-09-24] (MSFree Inc.)
2015-10-08 21:21 - 2015-10-08 21:21 - 03820032 _____ () C:\Windows\AutoKMS\AutoKMS.exe
AlternateDataStreams: C:\ProgramData\TEMP:B755D674 [173]
AlternateDataStreams: C:\Users\Chris\Local Settings:8ZFxmR1oQl1k2dFhbPJuVbiKyK [2330]
AlternateDataStreams: C:\Users\Chris\Local Settings:nyz34Gwr46LHths8FxMNfjk15 [2038]
AlternateDataStreams: C:\Users\Chris\AppData\Local:8ZFxmR1oQl1k2dFhbPJuVbiKyK [2330]
AlternateDataStreams: C:\Users\Chris\AppData\Local:nyz34Gwr46LHths8FxMNfjk15 [2038]
AlternateDataStreams: C:\Users\Chris\AppData\Local\Application Data:8ZFxmR1oQl1k2dFhbPJuVbiKyK [2330]
AlternateDataStreams: C:\Users\Chris\AppData\Local\Application Data:nyz34Gwr46LHths8FxMNfjk15 [2038]
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\Software\Classes\.exe:  =>  <===== ATTENTION
FirewallRules: [TCP Query User{9EDB15D5-E3CD-49F3-9DC6-736FEA0CABC1}C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe] => C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe
FirewallRules: [UDP Query User{E5F06E94-E6ED-4FB8-9639-619E479C4F71}C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe] => C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe
C:\Windows\AutoKMS
C:\Users\Chris\AppData\Roaming\NET Tools\netprotocol.exe
C:\ProgramData\KMSAutoS

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

#3 spaceace76
  • Topic Starter

Posted 24 December 2016 - 01:11 PM

Sorry for the wait, the holidays are taking quite a bit of my time.

Unfortunately, following the fix, the trojan still shows up in an MBAM scan. I am considering a fresh Windows install.

Here is the Fixlog.txt you asked for:

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by Chris (24-12-2016 12:18:48) Run:2
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris & Guest1 (Available Profiles: Chris & Guest1)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
() C:\Windows\AutoKMS\AutoKMS.exe
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Run: [NET Tools Monitor] => C:\Users\Chris\AppData\Roaming\NET Tools\netprotocol.exe [493056 2016-12-14] (Michael Thummerer Software Design)
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\...\Winlogon: [Shell] explorer.exe,"C:\Users\Chris\AppData\Roaming\ShellExecution.exe" <==== ATTENTION
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CheVolume.lnk [2016-07-25]
ShortcutTarget: CheVolume.lnk -> C:\Program Files (x86)\WellWeWeb\CheVolume\CheVolume.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
CHR StartupUrls: Default -> "hxxps://search.yahoo.com/?type=523482&fr=yo-yhp-ch","hxxps://mysearch.avg.com?cid={6DB0DC47-0A78-4348-B42A-5D7D9DBDA939}&mid=07bdcdbb118b47d39627d16d67fa436a-b602d594afd2b0b327e07a06f36ca6a7e42546d0&lang=en&ds=oc011&coid=avgtbdisoc&cmpid=&pr=sa&d=2014-09-04 01:31:17&v=18.1.9.786&pid=safeguard&sg=&sap=hp","hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_ir_16_03&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Dus%26pa%3D... (long line)
CHR Extension: (Flash Video Downloader) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc [2016-12-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
CHR Extension: (Chrome Media Router) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-16]
Task: {B8F8F4E6-A134-4EB1-867A-321BEBFC6D31} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-10-08] ()
Task: {E80E2E62-4B97-484F-A9F4-55A3A3E409F5} - System32\Tasks\KMSAutoNet => C:\ProgramData\KMSAutoS\KMSAuto Net.exe [2015-09-24] (MSFree Inc.)
2015-10-08 21:21 - 2015-10-08 21:21 - 03820032 _____ () C:\Windows\AutoKMS\AutoKMS.exe
AlternateDataStreams: C:\ProgramData\TEMP:B755D674 [173]
AlternateDataStreams: C:\Users\Chris\Local Settings:8ZFxmR1oQl1k2dFhbPJuVbiKyK [2330]
AlternateDataStreams: C:\Users\Chris\Local Settings:nyz34Gwr46LHths8FxMNfjk15 [2038]
AlternateDataStreams: C:\Users\Chris\AppData\Local:8ZFxmR1oQl1k2dFhbPJuVbiKyK [2330]
AlternateDataStreams: C:\Users\Chris\AppData\Local:nyz34Gwr46LHths8FxMNfjk15 [2038]
AlternateDataStreams: C:\Users\Chris\AppData\Local\Application Data:8ZFxmR1oQl1k2dFhbPJuVbiKyK [2330]
AlternateDataStreams: C:\Users\Chris\AppData\Local\Application Data:nyz34Gwr46LHths8FxMNfjk15 [2038]
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\Software\Classes\.exe:  =>  <===== ATTENTION
FirewallRules: [TCP Query User{9EDB15D5-E3CD-49F3-9DC6-736FEA0CABC1}C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe] => C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe
FirewallRules: [UDP Query User{E5F06E94-E6ED-4FB8-9639-619E479C4F71}C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe] => C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe
C:\Windows\AutoKMS
C:\Users\Chris\AppData\Roaming\NET Tools\netprotocol.exe
C:\ProgramData\KMSAutoS
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Windows\AutoKMS\AutoKMS.exe => No running process found
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value not found.
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\Software\Microsoft\Windows\CurrentVersion\Run\\NET Tools Monitor => value not found.
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CheVolume.lnk => not found.
C:\Program Files (x86)\WellWeWeb\CheVolume\CheVolume.exe => not found.
"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found. 
HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect => key not found. 
Chrome StartupUrls => removed successfully
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc => moved successfully
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => not found
C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{B8F8F4E6-A134-4EB1-867A-321BEBFC6D31}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B8F8F4E6-A134-4EB1-867A-321BEBFC6D31}" => key removed successfully
C:\WINDOWS\System32\Tasks\AutoKMS => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E80E2E62-4B97-484F-A9F4-55A3A3E409F5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E80E2E62-4B97-484F-A9F4-55A3A3E409F5}" => key removed successfully
C:\WINDOWS\System32\Tasks\KMSAutoNet => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KMSAutoNet" => key removed successfully
C:\Windows\AutoKMS\AutoKMS.exe => moved successfully
"C:\ProgramData\TEMP" => ":B755D674" ADS not found.
"C:\Users\Chris\Local Settings" => ":8ZFxmR1oQl1k2dFhbPJuVbiKyK" ADS not found.
"C:\Users\Chris\Local Settings" => ":nyz34Gwr46LHths8FxMNfjk15" ADS not found.
"C:\Users\Chris\AppData\Local" => ":8ZFxmR1oQl1k2dFhbPJuVbiKyK" ADS not found.
"C:\Users\Chris\AppData\Local" => ":nyz34Gwr46LHths8FxMNfjk15" ADS not found.
"C:\Users\Chris\AppData\Local\Application Data" => ":8ZFxmR1oQl1k2dFhbPJuVbiKyK" ADS not found.
"C:\Users\Chris\AppData\Local\Application Data" => ":nyz34Gwr46LHths8FxMNfjk15" ADS not found.
HKU\S-1-5-21-4189167504-858158947-2538492093-1001\Software\Classes\.exe => key not found. 
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{9EDB15D5-E3CD-49F3-9DC6-736FEA0CABC1}C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{E5F06E94-E6ED-4FB8-9639-619E479C4F71}C:\users\chris\appdata\local\jdownloader v2.0\jdownloader2.exe => value not found.
C:\Windows\AutoKMS => moved successfully
"C:\Users\Chris\AppData\Roaming\NET Tools\netprotocol.exe" => not found.
C:\ProgramData\KMSAutoS => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18325199 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 91811 B
Edge => 0 B
Chrome => 380062178 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
Chris => 92030807 B
Guest1 => 21731118 B
 
RecycleBin => 0 B
EmptyTemp: => 488.5 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 12:19:33 ====


#4 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 25 December 2016 - 09:54 AM

Please post a fresh MBAM log for my review.

We may be able to remove it by another means.

#5 spaceace76
  • Topic Starter

Posted 26 December 2016 - 02:13 AM

Hi nasdaq, this is my latest MBAM log:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 12/25/16
Scan Time: 2:20 AM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.856
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 450443
Time Elapsed: 4 min, 35 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 1
Trojan.StolenData, C:\USERS\CHRIS\APPDATA\ROAMING\IMMINENT\LOGS, Delete-on-Reboot, [1350], [250104],1.0.856
 
File: 2
Trojan.Agent.Trace, C:\USERS\CHRIS\APPDATA\ROAMING\IMMINENT\PATH.DAT, Delete-on-Reboot, [10781], [247476],1.0.856
Trojan.StolenData, C:\USERS\CHRIS\APPDATA\ROAMING\IMMINENT\LOGS\20-12-2016, Delete-on-Reboot, [1350], [250104],1.0.856
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#6 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 26 December 2016 - 08:26 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {4E3718A4-3271-42C4-AC6E-23D5CC2763A9} - System32\Tasks\Update\01963db8-fc1d-4d8c-9c68-6ff61b20a7a1 => C:\ProgramData\CLMonitor.exe [2016-12-14] (Microsoft) <==== ATTENTION
Task: {B3CDEE21-ACEF-4A43-89FC-C6E689F8FF69} - System32\Tasks\Shell Extension Service => C:\ProgramData\Shell Extension Monitor\ShellExtension.exe
C:\ProgramData\CLMonitor.exe
C:\USERS\CHRIS\APPDATA\ROAMING\IMMINENT

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Run Malwarebytes after the reboot and let me know if the problem persists.
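The two fixlists in this thread (post #2 and the one just above) all remove the same class of thing: a Winlogon Shell value that launches a second executable beside explorer.exe, a Run key pointing into AppData, scheduled tasks whose action lives in ProgramData, and named alternate data streams on profile directories. Those are exactly the locations a still-running component re-creates, and the Malwarebytes log in post #8 shows the Shell hijack back after the first fix had removed it. The script below is an added example, not something from the thread and not part of FRST or Malwarebytes: it re-reads those locations without changing anything, so it can be run after each reboot to see whether anything came back. It assumes Windows 10 with PowerShell 5.1 or later, run from an elevated prompt; the paths are the ones from the thread's logs, and the "user-writable root" pattern is this example's own heuristic.

```powershell
# Added audit script (not from the thread or from FRST): read-only recheck of the persistence
# locations the two fixlists removed. Assumes Windows 10, PowerShell 5.1+, elevated prompt.
# Paths come from the thread's logs; the user-writable-root regex is this example's heuristic.

function Get-PersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $userWritable = '(?i)\\(ProgramData|AppData|Users\\Public|Temp)\\'

    # 1. Winlogon Shell. The machine-wide value should be exactly "explorer.exe" and a per-user
    #    value normally does not exist. The thread's entry was a comma-separated list,
    #    explorer.exe,"C:\Users\Chris\AppData\Roaming\ShellExecution.exe", so both ran at logon.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -ne $shell -and $shell -ne 'explorer.exe') {
            $findings.Add([pscustomobject]@{ Type = 'WinlogonShell'; Location = $key; Detail = $shell })
        }
    }

    # 2. Run keys whose command lives under a user-writable root (the thread's
    #    "NET Tools Monitor" entry pointed into AppData\Roaming).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ("$($p.Value)" -match $userWritable) {
                $findings.Add([pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $p.Value })
            }
        }
    }

    # 3. Scheduled tasks. Flag an action whose executable sits under a user-writable root
    #    (CLMonitor.exe, KMSAuto Net.exe, ShellExtension.exe in the thread) or whose file has no
    #    valid Authenticode signature (AutoKMS.exe under C:\Windows). The "(Microsoft)" FRST
    #    printed next to CLMonitor.exe is the CompanyName from the file's version resource,
    #    which anyone can set; the signature check is the trustworthy one.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $reason = $null
            if ($exe -match $userWritable) {
                $reason = 'runs from user-writable path'
            } elseif (Test-Path -LiteralPath $exe -PathType Leaf) {
                $status = (Get-AuthenticodeSignature -LiteralPath $exe).Status
                if ($status -ne 'Valid') { $reason = "signature status: $status" }
            }
            if ($reason) {
                $findings.Add([pscustomobject]@{
                    Type     = 'ScheduledTask'
                    Location = "$($task.TaskPath)$($task.TaskName)"
                    Detail   = "$exe $($action.Arguments) ($reason)".Trim()
                })
            }
        }
    }

    # 4. Alternate data streams on the directories FRST reported. Directories have no default
    #    :$DATA stream, so anything returned here is a named stream worth inspecting.
    foreach ($dir in "$env:ProgramData\TEMP", $env:LOCALAPPDATA) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{ Type = 'ADS'; Location = $dir; Detail = "$($_.Stream) [$($_.Length) bytes]" })
            }
    }

    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

An empty table means none of the four locations has anything that matches. The signature check will also list legitimate but unsigned third-party tools, so treat the output as a list to review, not as something to delete automatically; that is the job of the fixlist, after the helper has looked at it.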

#7 spaceace76
  • Topic Starter

Posted 26 December 2016 - 12:08 PM

Hello again nasdaq, this is my latest FRST log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by Chris (26-12-2016 11:09:46) Run:3
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris & Guest1)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Task: {4E3718A4-3271-42C4-AC6E-23D5CC2763A9} - System32\Tasks\Update\01963db8-fc1d-4d8c-9c68-6ff61b20a7a1 => C:\ProgramData\CLMonitor.exe [2016-12-14] (Microsoft) <==== ATTENTION
Task: {B3CDEE21-ACEF-4A43-89FC-C6E689F8FF69} - System32\Tasks\Shell Extension Service => C:\ProgramData\Shell Extension Monitor\ShellExtension.exe
C:\ProgramData\CLMonitor.exe
C:\USERS\CHRIS\APPDATA\ROAMING\IMMINENT
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4E3718A4-3271-42C4-AC6E-23D5CC2763A9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4E3718A4-3271-42C4-AC6E-23D5CC2763A9}" => key removed successfully
C:\WINDOWS\System32\Tasks\Update\01963db8-fc1d-4d8c-9c68-6ff61b20a7a1 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Update\01963db8-fc1d-4d8c-9c68-6ff61b20a7a1" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B3CDEE21-ACEF-4A43-89FC-C6E689F8FF69}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B3CDEE21-ACEF-4A43-89FC-C6E689F8FF69}" => key removed successfully
C:\WINDOWS\System32\Tasks\Shell Extension Service => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Shell Extension Service" => key removed successfully
C:\ProgramData\CLMonitor.exe => moved successfully
C:\USERS\CHRIS\APPDATA\ROAMING\IMMINENT => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18327939 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 38181 B
Edge => 0 B
Chrome => 370670632 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
Chris => 31861667 B
Guest1 => 0 B
 
RecycleBin => 0 B
EmptyTemp: => 401.4 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 11:09:51 ====


#8 spaceace76
  • Topic Starter

Posted 26 December 2016 - 12:10 PM

And just to keep things clean, here is the latest MBAM log; it seems to be picking up new objects now:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 12/26/16
Scan Time: 12:06 PM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.0
Update Package Version: 1.0.863
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-HA96UUL\Chris
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 442776
Time Elapsed: 1 min, 54 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 1
Hijack.ShellA.Gen, HKU\S-1-5-21-4189167504-858158947-2538492093-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|SHELL, No Action By User, [14936], [187664],1.0.863
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 4
PUP.Optional.InstallCore, C:\USERS\CHRIS\APPDATA\LOCAL\TEMP\ICREINSTALL_13127242683062005301.EXE, No Action By User, [8], [355724],1.0.863
PUP.Optional.InstallCore, C:\USERS\CHRIS\APPDATA\LOCAL\TEMP\13127242683062005301.EXE, No Action By User, [8], [355724],1.0.863
PUP.Optional.InstallCore, C:\USERS\CHRIS\DOWNLOADS\JAVASETUP-WIN10.EXE, No Action By User, [8], [80770],1.0.863
PUP.Optional.InstallCore, C:\USERS\CHRIS\APPDATA\LOCAL\TEMP\13127243807855513137.EXE, No Action By User, [8], [355708],1.0.863
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)

The computer still has two issues that have only come up since the malware started being detected. The drivers for my USB Bluetooth dongle keep getting deleted and need to be reinstalled. Java is also experiencing several issues, and a Java-based program I use has stopped working as a result. Otherwise, the other errors and malware seem to be gone.


#9 nasdaq
  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 December 2016 - 01:07 PM

Run the MBAM tool and clean everything.

Restart the computer normally after.

If the problem persists, run this tool.

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.
=======

#10 spaceace76
  • Topic Starter
  • Members
  • 17 posts

Posted 26 December 2016 - 01:16 PM

The latest MBAM scan following the clean had no malware!

Hopefully my issues are over; I'll reply if I find any other problems. Thanks nasdaq!!!



#11 nasdaq
  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 December 2016 - 01:44 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#12 spaceace76
  • Topic Starter
  • Members
  • 17 posts

Posted 26 December 2016 - 02:04 PM

I rebooted and ran another scan, and MBAM picked this up:

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 12/26/16
Scan Time: 1:58 PM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.0
Update Package Version: 1.0.864
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-HA96UUL\Chris
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 442974
Time Elapsed: 2 min, 1 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 1
Hijack.ShellA.Gen, HKU\S-1-5-21-4189167504-858158947-2538492093-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|SHELL, No Action By User, [14936], [187664],1.0.864
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 1
PUP.Optional.InstallCore, C:\USERS\CHRIS\APPDATA\LOCAL\TEMP\13127251640293845340.EXE, No Action By User, [8], [355708],1.0.864
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#13 spaceace76
  • Topic Starter
  • Members
  • 17 posts

Posted 27 December 2016 - 12:09 AM

I have tried installing RogueKiller but the program won't install. I get this error:

Runtime Error (at -1:0):

Cannot import dll:C:\Users\Chris\AppData\Local\Temp\is-EJ7QT.tmp\RougekillerDLL.dll

I seem to be experiencing write permission issues with the AppData folder, and randomly in other areas of the computer too. I wonder if this is related to the malware?


Edited by spaceace76, 27 December 2016 - 01:02 AM.


#14 nasdaq
  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 December 2016 - 09:03 AM


When you download files, in what folder are they saved?
In which folder is RogueKiller parked?

Cannot import dll:C:\Users\Chris\AppData\Local\Temp\is-EJ7QT.tmp\RougekillerDLL.dll

You should never save an executable in a Temp folder.

#15 spaceace76
  • Topic Starter
  • Members
  • 17 posts

Posted 27 December 2016 - 02:15 PM

I saved the RogueKiller install file on my desktop as per your instructions.

Chrome is set to save items in C:\Users\Chris\Downloads, which is the default path.





