repeating virus


  • This topic is locked
22 replies to this topic

#1 jon2112

  • Members
  • 17 posts

Posted 25 March 2017 - 07:03 PM

I keep reloading Win 10 Pro OEM on my PC, and within 5 reboots I get links on my desktop where they don't belong. My Group Policy won't start, and I cannot create another user. This time I bought a new SSD (again), and my BIOS was auto-updated from the motherboard itself (ASRock X99 Taichi mATX, 5820K CPU, 32 GB DDR4, 120 GB SSD and DVD/RW). Dual BIOS switching did not help; I was thinking that might have gone corrupt.
 
Mod Edit:  Removed dupe log data, merged topics - Hamluis.


I have something that, after a new install of Win 10 Pro OEM on my PC, returns within 5 reboots. It makes new folders that contain links on my desktop, my Group Policy service properties are greyed out after two or so boots, and it is not functional. It will not stay on; this is a home PC (I'm not sure whether that is normal or not). I cannot make another user, and sometimes the Start menu quits working, then after a reboot works again. My work within Windows from one task to another seems slowed down, and my mouse cursor disappears sometimes.

If I have been online, I always have to reset my PS3, which is sharing the same router, an Arris NVG599 that was just put in to upgrade from the 589 before I loaded Windows for the first time. I don't let the PS3 and the PC be on at the same time after the second Windows reload. I'm on the 5th reload, I think. This time I started with a new SSD; the Windows is on DVD, full OEM, and I have it handy. I've got a system image and several restore points, but they seem altered. I have services disabled that I did not disable, and the ones I did disable get re-enabled most of the time. Hope you find something; this has really been a long, long frustrating time. Thank you, John
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Jasper (administrator) on DESKTOP-74VGNK8 (25-03-2017 16:42:59)
Running from C:\Users\Jasper\Downloads
Loaded Profiles: Jasper (Available Profiles: defaultuser0 & Jasper)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
() C:\Program Files (x86)\NordVPN\nordvpn-service.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(QIHU 360 SOFTWARE CO. LIMITED) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(NordVPN) C:\Program Files (x86)\NordVPN\NordVPN.exe
(The OpenVPN Project) C:\Program Files (x86)\NordVPN\Resources\Binaries\64bit\openvpn-nordvpn.exe
(Gaijin Entertainment) C:\Users\Jasper\AppData\Local\WarThunder\launcher.exe
(Gaijin Entertainment) C:\Users\Jasper\AppData\Local\Gaijin\Program Files (x86)\NetAgent\gjagent.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\mspaint.exe
==================== Registry (Whitelisted) ====================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16407296 2015-10-15] (Realtek Semiconductor)
HKLM\...\Run: [StartCN] => C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [8027016 2016-11-21] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [QHSafeTray] => C:\Program Files (x86)\360\Total Security\safemon\360Tray.exe [345000 2017-03-16] (QIHU 360 SOFTWARE CO. LIMITED)
HKU\S-1-5-21-823307457-1783870545-928694268-1001\...\Run: [Gaijin.Net Agent] => C:\Users\Jasper\AppData\Local\Gaijin\Program Files (x86)\NetAgent\gjagent.exe [2012616 2017-03-21] (Gaijin Entertainment)
GroupPolicyScripts: Restriction <======= ATTENTION
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 78.46.223.24 162.242.211.137
Tcpip\..\Interfaces\{46145afa-0a3d-445e-a55e-4b3ba0edf010}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{4e4c8e2d-6a61-4bd8-8a9c-74172a140f32}: [DhcpNameServer] 78.46.223.24 162.242.211.137
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://distrowatch.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://distrowatch.com/
HKU\S-1-5-21-823307457-1783870545-928694268-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://distrowatch.com/
SearchScopes: HKLM -> DefaultScope {59E9C8B1-74FD-4CB6-A815-9E96102F97BD} URL = hxxp://www.google.com/search?hl={language}&q={searchTerms}
SearchScopes: HKLM -> {59E9C8B1-74FD-4CB6-A815-9E96102F97BD} URL = hxxp://www.google.com/search?hl={language}&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {59E9C8B1-74FD-4CB6-A815-9E96102F97BD} URL = hxxp://www.google.com/search?hl={language}&q={searchTerms}
SearchScopes: HKLM-x32 -> {59E9C8B1-74FD-4CB6-A815-9E96102F97BD} URL = hxxp://www.google.com/search?hl={language}&q={searchTerms}
SearchScopes: HKU\S-1-5-21-823307457-1783870545-928694268-1001 -> DefaultScope {59E9C8B1-74FD-4CB6-A815-9E96102F97BD} URL = hxxp://www.google.com/search?hl={language}&q={searchTerms}
SearchScopes: HKU\S-1-5-21-823307457-1783870545-928694268-1001 -> {59E9C8B1-74FD-4CB6-A815-9E96102F97BD} URL = hxxp://www.google.com/search?hl={language}&q={searchTerms}
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 nordvpn-service; C:\Program Files (x86)\NordVPN\nordvpn-service.exe [410800 2017-03-16] ()
R2 QHActiveDefense; C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe [928168 2017-03-16] (QIHU 360 SOFTWARE CO. LIMITED)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-07-16] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker64.sys [160768 2017-03-16] (360.cn)
R3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [95232 2017-03-16] (360.cn)
R3 360AvFlt; C:\Windows\SysWOW64\DRIVERS\360AvFlt.sys [95232 2017-03-16] (360.cn)
R1 360Box64; C:\Windows\System32\DRIVERS\360Box64.sys [339456 2017-03-16] (360.cn)
S3 360Camera; C:\Windows\System32\Drivers\360Camera64.sys [57856 2017-03-16] (360.cn)
R1 360FsFlt; C:\Windows\System32\DRIVERS\360FsFlt.sys [400384 2017-03-16] (360.cn)
R3 amdkmdag; C:\Windows\System32\DriverStore\FileRepository\c0309377.inf_amd64_7ab08912e1e1da0a\atikmdag.sys [26568856 2017-03-15] (Advanced Micro Devices, Inc.)
R3 amdkmdap; C:\Windows\System32\DriverStore\FileRepository\c0309377.inf_amd64_7ab08912e1e1da0a\atikmpag.sys [536600 2017-03-15] (Advanced Micro Devices, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWT6.sys [110104 2016-09-28] (Advanced Micro Devices)
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV64.sys [197632 2017-03-16] (360.cn)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [231168 2017-01-13] (Intel Corporation)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 NETwNb64; C:\Windows\System32\drivers\Netwbw02.sys [3485696 2016-07-16] (Intel Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-03-25 16:42 - 2017-03-25 16:43 - 00007512 _____ C:\Users\Jasper\Downloads\FRST.txt
2017-03-25 16:42 - 2017-03-25 16:42 - 02424832 _____ (Farbar) C:\Users\Jasper\Downloads\FRST64.exe
2017-03-25 16:42 - 2017-03-25 16:42 - 00000000 ____D C:\FRST
2017-03-25 16:35 - 2017-03-25 16:35 - 138634176 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-03-25 16:33 - 2017-03-25 16:33 - 00002030 _____ C:\Users\Jasper\Desktop\WarThunder.lnk
2017-03-25 16:02 - 2017-03-25 16:03 - 00000000 ____D C:\ProgramData\360Quarant
2017-03-25 15:57 - 2016-12-21 00:08 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe
2017-03-25 15:57 - 2016-12-20 21:44 - 00120320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\poqexec.exe
2017-03-25 15:51 - 2017-03-25 15:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Settings
2017-03-25 15:41 - 2017-03-25 15:42 - 00000000 ____D C:\ProgramData\NordVpn
2017-03-25 15:41 - 2017-03-25 15:41 - 00003426 _____ C:\Windows\System32\Tasks\NordVPN
2017-03-25 15:41 - 2017-03-25 15:41 - 00001982 _____ C:\Users\Public\Desktop\NordVPN.lnk
2017-03-25 15:41 - 2017-03-25 15:41 - 00000000 ____D C:\Users\Jasper\AppData\Local\NordVPN
2017-03-25 15:41 - 2017-03-25 15:41 - 00000000 ____D C:\Users\Jasper\AppData\Local\IsolatedStorage
2017-03-25 15:41 - 2017-03-25 15:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NordVPN
2017-03-25 15:41 - 2017-03-25 15:41 - 00000000 ____D C:\ProgramData\Caphyon
2017-03-25 15:41 - 2017-03-25 15:41 - 00000000 ____D C:\Program Files (x86)\NordVPN
2017-03-25 15:40 - 2017-03-25 15:41 - 00000000 ____D C:\Program Files\TAP-Windows
2017-03-25 15:40 - 2017-03-25 15:40 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\NordVPN
2017-03-25 15:33 - 2017-03-25 15:33 - 00000000 ____D C:\Users\Jasper\AppData\LocalLow\Temp
2017-03-25 15:26 - 2017-03-25 15:26 - 00000000 ____D C:\Program Files\Common Files\ATI Technologies
2017-03-25 15:21 - 2017-03-25 16:39 - 00000000 ____D C:\Users\Jasper\AppData\LocalLow\360WD
2017-03-25 15:21 - 2017-03-25 15:57 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\360safe
2017-03-25 15:21 - 2017-03-25 15:21 - 00001222 _____ C:\Users\Public\Desktop\360 Total Security.lnk
2017-03-25 15:21 - 2017-03-25 15:21 - 00000000 _RSHD C:\360SANDBOX
2017-03-25 15:21 - 2017-03-25 15:21 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\360 Security Center
2017-03-25 15:21 - 2017-03-25 15:21 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\360TotalSecurity
2017-03-25 15:21 - 2017-03-25 15:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center
2017-03-25 15:21 - 2017-03-25 15:21 - 00000000 ____D C:\ProgramData\360TotalSecurity
2017-03-25 15:21 - 2017-03-25 15:21 - 00000000 ____D C:\ProgramData\360safe
2017-03-25 15:21 - 2017-03-16 19:01 - 00400384 _____ (360.cn) C:\Windows\system32\Drivers\360FsFlt.sys
2017-03-25 15:21 - 2017-03-16 19:01 - 00339456 _____ (360.cn) C:\Windows\system32\Drivers\360Box64.sys
2017-03-25 15:21 - 2017-03-16 19:01 - 00197632 _____ (360.cn) C:\Windows\system32\Drivers\BAPIDRV64.sys
2017-03-25 15:21 - 2017-03-16 19:01 - 00160768 _____ (360.cn) C:\Windows\system32\Drivers\360AntiHacker64.sys
2017-03-25 15:21 - 2017-03-16 19:01 - 00095232 _____ (360.cn) C:\Windows\SysWOW64\Drivers\360AvFlt.sys
2017-03-25 15:21 - 2017-03-16 19:01 - 00095232 _____ (360.cn) C:\Windows\system32\Drivers\360AvFlt.sys
2017-03-25 15:21 - 2017-03-16 19:01 - 00057856 _____ (360.cn) C:\Windows\system32\Drivers\360Camera64.sys
2017-03-25 15:20 - 2017-03-25 15:20 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2017-03-25 15:20 - 2017-03-25 15:20 - 00000000 ____D C:\Program Files (x86)\360
2017-03-25 15:04 - 2017-03-25 16:16 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2017-03-25 10:16 - 2017-03-25 10:16 - 00000000 ____D C:\Users\Jasper\AppData\Local\Gaijin
2017-03-25 10:16 - 2017-03-25 10:16 - 00000000 ____D C:\ProgramData\Gaijin
2017-03-25 10:15 - 2017-03-25 16:35 - 00000000 ____D C:\Users\Jasper\AppData\Local\WarThunder
2017-03-25 10:15 - 2017-03-25 16:33 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WarThunder
2017-03-25 10:15 - 2017-03-25 10:15 - 00000000 ____D C:\Users\Jasper\Documents\My Games
2017-03-25 10:14 - 2017-03-25 10:14 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\Macromedia
2017-03-25 10:13 - 2017-03-25 10:13 - 00000000 ____D C:\Users\Jasper\AppData\LocalLow\AMD
2017-03-25 10:11 - 2017-03-25 10:11 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\Adobe
2017-03-25 09:54 - 2017-03-25 15:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BullGuard
2017-03-25 09:54 - 2017-03-25 09:54 - 00000000 ____D C:\Program Files\Common Files\AV
2017-03-25 09:53 - 2017-03-25 09:53 - 00000000 ____D C:\Program Files\BullGuard Ltd
2017-03-25 09:47 - 2017-03-25 09:47 - 00000000 ____D C:\Users\Jasper\AppData\Local\AMD
2017-03-25 09:46 - 2017-03-25 14:59 - 00075060 _____ C:\Windows\system32\config\afw_db.conf
2017-03-25 09:46 - 2017-03-25 14:59 - 00000312 _____ C:\Windows\system32\config\afw_hm.conf
2017-03-25 09:41 - 2017-03-25 09:56 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\BullGuard
2017-03-25 09:41 - 2017-03-25 09:41 - 00000000 ____D C:\Program Files\Common Files\BullGuard Ltd
2017-03-25 09:40 - 2017-03-25 09:40 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\QuickScan
2017-03-25 09:39 - 2017-03-25 15:03 - 00000000 ____D C:\ProgramData\BullGuard
2017-03-25 07:58 - 2017-03-25 07:58 - 00000000 ____D C:\Users\Jasper\AppData\Local\PeerDistRepub
2017-03-25 07:13 - 2017-03-25 07:38 - 00000000 ____D C:\AdwCleaner
2017-03-25 07:00 - 2017-03-25 07:00 - 00000000 ____D C:\ProgramData\ProcessLasso
2017-03-25 06:59 - 2017-03-25 07:38 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\ProcessLasso
2017-03-25 06:59 - 2017-03-25 07:38 - 00000000 ____D C:\Program Files\Process Lasso
2017-03-25 06:58 - 2017-03-25 06:58 - 00000000 ____D C:\Users\Jasper\Documents\Smart PC Utilities
2017-03-25 06:53 - 2017-03-25 06:53 - 00000000 ____D C:\Users\Jasper\AppData\Local\Smart_PC_Utilities,_Ltd
2017-03-25 06:50 - 2017-03-25 06:58 - 00000000 ____D C:\Program Files\Smart PC Utilities
2017-03-25 06:49 - 2017-03-25 07:38 - 00000000 ____D C:\ProgramData\RogueKiller
2017-03-25 06:49 - 2017-03-25 07:34 - 00000000 ____D C:\Users\Jasper\AppData\Local\CrashDumps
2017-03-25 06:49 - 2017-03-25 06:58 - 00000000 ____D C:\Users\Jasper\AppData\Roaming\Smart PC Utilities
2017-03-25 01:45 - 2017-03-25 01:45 - 00000000 ____D C:\Users\Jasper\Desktop\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
2017-03-25 01:43 - 2017-03-25 12:44 - 00000000 ____D C:\Program Files (x86)\Microsoft Group Policy
2017-03-25 01:30 - 2017-03-25 01:30 - 00000000 ____D C:\Users\Jasper\AppData\Local\VirtualStore
2017-03-25 01:29 - 2017-03-25 06:44 - 00000000 ____D C:\Users\Jasper\AppData\Local\ConnectedDevicesPlatform
2017-03-24 21:19 - 2017-03-25 15:26 - 00000000 ____D C:\Program Files\AMD
2017-03-24 21:19 - 2017-03-25 15:26 - 00000000 ____D C:\AMD
2017-03-24 21:17 - 2017-03-25 09:53 - 00000000 ____D C:\Program Files (x86)\Razer
2017-03-24 21:17 - 2017-03-24 21:17 - 00000000 ____D C:\ProgramData\Razer
2017-03-24 19:55 - 2017-03-24 19:55 - 00000000 ____D C:\Users\Jennifer\AppData\Local\MicrosoftEdge
2017-03-24 17:11 - 2017-03-24 17:11 - 00000000 ____D C:\Users\Jennifer\AppData\Local\PeerDistRepub
2017-03-24 16:59 - 2017-03-24 16:59 - 00000000 ____D C:\Users\Jennifer\AppData\Local\Comms
2017-03-24 16:41 - 2017-03-25 09:40 - 00000000 ____D C:\Users\Jennifer
2017-03-24 16:41 - 2017-03-24 16:59 - 00000000 ____D C:\Users\Jennifer\AppData\Local\Packages
2017-03-24 16:41 - 2017-03-24 16:41 - 00000000 _SHDL C:\Users\Jennifer\My Documents
2017-03-24 16:41 - 2017-03-24 16:41 - 00000000 _SHDL C:\Users\Jennifer\Documents\My Videos
2017-03-24 16:41 - 2017-03-24 16:41 - 00000000 _SHDL C:\Users\Jennifer\Documents\My Pictures
2017-03-24 16:41 - 2017-03-24 16:41 - 00000000 _SHDL C:\Users\Jennifer\Documents\My Music
2017-03-24 16:41 - 2017-03-24 16:41 - 00000000 ___RD C:\Users\Jennifer\OneDrive
2017-03-24 16:41 - 2017-03-24 16:41 - 00000000 ____D C:\Users\Jennifer\AppData\Roaming\Adobe
2017-03-24 16:41 - 2017-03-24 16:41 - 00000000 ____D C:\Users\Jennifer\AppData\Local\VirtualStore
2017-03-24 16:41 - 2017-03-24 16:41 - 00000000 ____D C:\Users\Jennifer\AppData\Local\Publishers
2017-03-24 16:41 - 2017-03-24 16:41 - 00000000 ____D C:\Users\Jennifer\AppData\Local\ConnectedDevicesPlatform
2017-03-24 15:26 - 2017-03-24 15:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2017-03-24 15:26 - 2017-03-24 15:26 - 00000000 ____D C:\ProgramData\ESET
2017-03-24 15:26 - 2017-03-24 15:26 - 00000000 ____D C:\Program Files\ESET
2017-03-24 15:20 - 2017-03-24 15:20 - 00000000 ____D C:\Program Files\ATI Technologies
2017-03-24 15:20 - 2017-03-24 15:20 - 00000000 ____D C:\Program Files (x86)\AMD
2017-03-24 15:16 - 2017-03-24 15:16 - 00000000 ____D C:\Windows\system32\ÿÿÿÿÿÿÿÿerStore
2017-03-24 14:53 - 2017-03-25 16:36 - 00000000 ____D C:\Windows\system32\MRT
2017-03-23 11:10 - 2017-03-23 10:34 - 00000000 ____D C:\Windows\Panther
2017-03-23 10:52 - 2017-03-23 10:52 - 00000000 ____H C:\ProgramData\DP45977C.lfl
2017-03-23 10:52 - 2017-03-23 10:52 - 00000000 ____D C:\Windows\SysWOW64\RTCOM
2017-03-23 10:52 - 2017-03-23 10:52 - 00000000 ____D C:\Windows\system32\DAX2
2017-03-23 10:52 - 2017-03-23 10:52 - 00000000 ____D C:\Program Files\Realtek
2017-03-23 10:51 - 2015-10-15 18:01 - 05804772 _____ C:\Windows\system32\Drivers\rtvienna.dat
2017-03-23 10:51 - 2015-10-15 18:01 - 04628736 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\Drivers\RTKVHD64.sys
2017-03-23 10:51 - 2015-10-15 18:01 - 04005405 _____ C:\Windows\system32\Drivers\RTAIODAT.DAT
2017-03-23 10:51 - 2015-10-15 18:01 - 03299832 _____ (Yamaha Corporation) C:\Windows\system32\YamahaAE2.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 03271912 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkApi64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 03154607 _____ C:\Windows\system32\Drivers\rtkSSTsetting.dat
2017-03-23 10:51 - 2015-10-15 18:01 - 02997504 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtPgEx64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 02965120 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RltkAPO64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 02893568 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RTSnMg64.cpl
2017-03-23 10:51 - 2015-10-15 18:01 - 02610208 _____ (Realtek Semiconductor Corp.) C:\Windows\SysWOW64\RltkAPO.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 02190992 _____ (Yamaha Corporation) C:\Windows\system32\YamahaAE.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 02110600 _____ (Waves Audio Ltd.) C:\Windows\system32\WavesGUILib64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 02028664 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RCoInstII64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 01435152 _____ (Synopsys, Inc.) C:\Windows\system32\SRRPTR64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 01382240 _____ (TOSHIBA Corporation) C:\Windows\system32\tosade.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 01351992 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RTCOM64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 01121864 _____ (SRS Labs, Inc.) C:\Windows\system32\slcnt64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00965032 _____ (Sony Corporation) C:\Windows\system32\SFSS_APO.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00961848 _____ (DTS, Inc.) C:\Windows\system32\sl3apo64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00933640 _____ (Sound Research, Corp.) C:\Windows\system32\SEHDRA64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00888480 _____ (TOSHIBA Corporation) C:\Windows\system32\tossaeapo64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00873464 _____ (TOSHIBA Corporation) C:\Windows\system32\tadefxapo264.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00749000 _____ (DTS, Inc.) C:\Windows\system32\sltech64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00716104 _____ (Sound Research, Corp.) C:\Windows\system32\SECOMN64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00689888 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtDataProc64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00596120 _____ (TOSHIBA Corporation) C:\Windows\system32\tosasfapo64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00589072 _____ (Sound Research, Corp.) C:\Windows\SysWOW64\SECOMN32.DLL
2017-03-23 10:51 - 2015-10-15 18:01 - 00532384 _____ (SRS Labs, Inc.) C:\Windows\system32\SRSTSX64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00467160 _____ (Synopsys, Inc.) C:\Windows\system32\SRAPO64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00448584 _____ (Sound Research, Corp.) C:\Windows\system32\SEAPO64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00387320 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RTEEP64A.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00381416 _____ (Synopsys, Inc.) C:\Windows\system32\SRCOM64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00343712 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtlCPAPI64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00341152 _____ (Synopsys, Inc.) C:\Windows\SysWOW64\SRCOM.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00341152 _____ (Synopsys, Inc.) C:\Windows\system32\SRCOM.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00321720 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RP3DHT64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00321720 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RP3DAA64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00258504 _____ (TODO: <Company name>) C:\Windows\system32\slprp64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00231920 _____ (Synopsys, Inc.) C:\Windows\system32\SFNHK64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00224264 _____ (TOSHIBA Corporation) C:\Windows\system32\tossaemaxapo64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00221976 _____ (SRS Labs, Inc.) C:\Windows\system32\SRSTSH64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00214840 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RTEED64A.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00209536 _____ (SRS Labs, Inc.) C:\Windows\system32\SRSHP64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00195192 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkCfg64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00172584 _____ (TOSHIBA Corporation) C:\Windows\system32\toseaeapo64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00166208 _____ (SRS Labs, Inc.) C:\Windows\system32\SRSWOW64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00158704 _____ (TOSHIBA Corporation) C:\Windows\system32\tadefxapo.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00110984 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RTEEL64A.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00105312 _____ C:\Windows\system32\audioLibVc.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00090920 _____ (Synopsys, Inc.) C:\Windows\system32\SFCOM64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00088352 _____ (Dolby Laboratories, Inc.) C:\Windows\system32\RTEEG64A.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00088328 _____ (Synopsys, Inc.) C:\Windows\system32\SFAPO64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00083632 _____ (Virage Logic Corporation / Sonic Focus) C:\Windows\SysWOW64\SFCOM.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00075544 _____ (TOSHIBA CORPORATION.) C:\Windows\system32\tepeqapo64.dll
2017-03-23 10:51 - 2015-10-15 18:01 - 00023704 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RtkCoLDR64.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 72203792 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\RCoRes64.dat
2017-03-23 10:50 - 2015-10-15 18:01 - 14057256 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioRealtek64.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 13120760 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxVoiceAPO3064.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 12986520 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxVoiceAPO4064.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 07172920 _____ (Dolby Laboratories) C:\Windows\system32\R4EEP64A.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 05774632 _____ (Nahimic Inc) C:\Windows\system32\NAHIMICV2apo.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 05289952 _____ (Nahimic Inc) C:\Windows\system32\NAHIMICAPOlfx.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 02823280 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioAPO7064.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 02050184 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioEQ64.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 01395760 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioAPO6064.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 01334384 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxSpeechAPO64.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 01211832 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioAPO5064.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 01164336 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioAPO4064.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 01003864 _____ (Nahimic Inc) C:\Windows\system32\NahimicAPONSControl.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00998032 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxVoiceAPO2064.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00931624 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioAPOShell64.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00923752 _____ (Sony Corporation) C:\Windows\system32\MISS_APO.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00678184 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioAPO30.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00677672 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxVolumeSDAPO.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00447720 _____ (Dolby Laboratories) C:\Windows\system32\R4EED64A.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00330568 _____ (Waves Audio Ltd.) C:\Windows\system32\MaxxAudioAPO20.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00151792 _____ (Dolby Laboratories) C:\Windows\system32\R4EEL64A.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00134208 _____ (Dolby Laboratories) C:\Windows\system32\R4EEA64A.dll
2017-03-23 10:50 - 2015-10-15 18:01 - 00084624 _____ (Dolby Laboratories) C:\Windows\system32\R4EEG64A.dll
2017-03-23 10:49 - 2017-03-23 10:49 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-03-23 10:49 - 2017-03-23 10:49 - 00000000 ____D C:\Program Files (x86)\Realtek
2017-03-23 10:49 - 2015-10-15 18:01 - 09997848 _____ (Intel Corporation) C:\Windows\system32\IntelSSTAPO.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 07096192 _____ (Dolby Laboratories) C:\Windows\system32\DDPP64A.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 06264640 _____ (Dolby Laboratories) C:\Windows\system32\DDPP64AF3.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 05338936 _____ (Dolby Laboratories) C:\Windows\system32\DolbyDAX2APOv211.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 03278408 _____ (Fortemedia Corporation) C:\Windows\system32\FMAPO64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 02437136 _____ (Dolby Laboratories) C:\Windows\system32\DolbyDAX2APOv201.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 01965816 _____ (Dolby Laboratories) C:\Windows\system32\DDPD64A.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 01959608 _____ (Dolby Laboratories) C:\Windows\system32\DDPD64AF3.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 01780624 _____ (DTS) C:\Windows\system32\DTSS2SpeakerDLL64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 01601944 _____ (Conexant Systems Inc.) C:\Windows\system32\CX64APO.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 01591064 _____ (DTS) C:\Windows\system32\DTSS2HeadphoneDLL64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 01508936 _____ (DTS) C:\Windows\system32\DTSBoostDLL64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 01186160 _____ (Intel Corporation) C:\Windows\system32\IntelSstCApoPropPage.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00952984 _____ (Dolby Laboratories) C:\Windows\system32\DolbyDAX2APOProp.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00743968 _____ (DTS) C:\Windows\system32\DTSBassEnhancementDLL64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00727440 _____ (DTS) C:\Windows\system32\DTSSymmetryDLL64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00708320 _____ (DTS) C:\Windows\system32\DTSVoiceClarityDLL64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00618192 _____ (Knowles Acoustics ) C:\Windows\system32\KAAPORT64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00574760 _____ (Andrea Electronics Corporation) C:\Windows\system32\AERTAC64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00514528 _____ (DTS) C:\Windows\system32\DTSU2PLFX64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00504312 _____ (DTS) C:\Windows\system32\DTSNeoPCDLL64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00500560 _____ (DTS) C:\Windows\system32\DTSU2PGFX64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00445408 _____ (DTS) C:\Windows\system32\DTSLimiterDLL64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00441272 _____ (DTS) C:\Windows\system32\DTSGainCompensatorDLL64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00428232 _____ (DTS) C:\Windows\system32\DTSU2PREC64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00362056 _____ (Dolby Laboratories) C:\Windows\system32\DDPO64AF3.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00357528 _____ (Dolby Laboratories) C:\Windows\system32\HiFiDAX2API.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00340648 _____ (ICEpower a/s) C:\Windows\system32\ICEsoundAPO64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00327464 _____ (Dolby Laboratories) C:\Windows\system32\DDPO64A.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00310424 _____ (Dolby Laboratories) C:\Windows\system32\DDPA64F3.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00272720 _____ (Dolby Laboratories) C:\Windows\system32\DDPA64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00253904 _____ (DTS) C:\Windows\system32\DTSGFXAPO64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00253872 _____ (DTS) C:\Windows\system32\DTSLFXAPO64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00252880 _____ (DTS) C:\Windows\system32\DTSGFXAPONS64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00122328 _____ (Real Sound Lab SIA) C:\Windows\system32\CONEQMSAPOGUILibrary.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00118600 _____ C:\Windows\system32\AcpiServiceVnA64.dll
2017-03-23 10:49 - 2015-10-15 18:01 - 00118600 _____ (Andrea Electronics Corporation) C:\Windows\system32\AERTAR64.dll
2017-03-23 10:48 - 2017-03-23 10:53 - 00000000 ___HD C:\Program Files (x86)\Temp
2017-03-23 10:48 - 2015-06-08 01:13 - 02825944 ____R (Realtek Semiconductor Corp.) C:\Windows\RtlExUpd.dll
2017-03-23 10:47 - 2017-03-23 10:47 - 00000000 ____D C:\Intel
2017-03-23 10:44 - 2017-03-25 16:21 - 00979530 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-23 10:44 - 2017-03-25 15:27 - 00000000 ____D C:\ProgramData\Package Cache
2017-03-23 10:44 - 2017-03-23 10:44 - 00002366 _____ C:\Users\Jasper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-03-23 10:44 - 2017-03-23 10:44 - 00000000 ____D C:\Program Files\Intel
2017-03-23 10:43 - 2017-03-23 10:43 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2017-03-23 10:42 - 2017-03-25 15:51 - 00000000 ____D C:\Users\Jasper
2017-03-23 10:42 - 2017-03-25 15:03 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-03-23 10:42 - 2017-03-25 15:03 - 00000000 ____D C:\Users\Jasper\AppData\Local\TileDataLayer
2017-03-23 10:42 - 2017-03-25 15:03 - 00000000 ____D C:\Users\Jasper\AppData\Local\Packages
2017-03-23 10:42 - 2017-03-23 10:42 - 00000020 ___SH C:\Users\Jasper\ntuser.ini
2017-03-23 10:41 - 2017-03-23 10:41 - 00000000 ____D C:\Windows\CSC
2017-03-23 10:41 - 2016-07-16 04:41 - 02716672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2017-03-23 10:40 - 2017-03-25 15:03 - 00000000 ____D C:\Users\defaultuser0\AppData\Local\Packages
2017-03-23 10:40 - 2017-03-25 15:00 - 00000000 ____D C:\Users\defaultuser0\AppData\Local\TileDataLayer
2017-03-23 10:40 - 2017-03-23 10:40 - 00000000 ____D C:\ProgramData\USOShared
2017-03-23 10:39 - 2017-03-25 15:04 - 00000000 ____D C:\Users\defaultuser0
2017-03-23 10:39 - 2017-03-23 10:39 - 00000020 ___SH C:\Users\defaultuser0\ntuser.ini
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Public\Documents\My Videos
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Public\Documents\My Pictures
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Public\Documents\My Music
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Default\My Documents
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Default\Documents\My Videos
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Default\Documents\My Pictures
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Default\Documents\My Music
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Default User\Documents\My Videos
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Default User\Documents\My Pictures
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Users\Default User\Documents\My Music
2017-03-23 10:39 - 2017-03-23 10:39 - 00000000 _SHDL C:\Documents and Settings
2017-03-23 10:34 - 2017-03-25 16:17 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-23 10:34 - 2017-03-25 14:53 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-03-23 10:34 - 2017-03-23 10:34 - 00194192 _____ C:\Windows\system32\FNTCACHE.DAT
2017-03-23 10:34 - 2017-03-23 10:34 - 00000000 ____D C:\Windows\ServiceProfiles
2017-03-15 22:34 - 2017-03-15 22:34 - 09405464 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdvlk64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 07589392 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdvlk32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 02463248 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amfrt64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 02150928 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amfrt32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 01351184 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiadlxx.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 01015824 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 01015824 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxx.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00909336 _____ (AMD) C:\Windows\system32\coinst_16.40.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00768024 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdlvr64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00643088 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdlvr32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00541208 _____ (AMD) C:\Windows\system32\atieclxx.exe
2017-03-15 22:34 - 2017-03-15 22:34 - 00488488 _____ C:\Windows\system32\amdmiracast.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00476696 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atidemgy.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00420376 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\atiapfxx.exe
2017-03-15 22:34 - 2017-03-15 22:34 - 00310808 _____ C:\Windows\system32\dgtrayicon.exe
2017-03-15 22:34 - 2017-03-15 22:34 - 00305176 _____ (AMD) C:\Windows\system32\atiesrxx.exe
2017-03-15 22:34 - 2017-03-15 22:34 - 00293392 _____ C:\Windows\system32\GameManager64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00287248 _____ C:\Windows\system32\clinfo.exe
2017-03-15 22:34 - 2017-03-15 22:34 - 00285720 _____ C:\Windows\system32\hsa-thunk64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00266256 _____ C:\Windows\system32\amdgfxinfo64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00258064 _____ C:\Windows\SysWOW64\GameManager32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00251416 _____ C:\Windows\SysWOW64\hsa-thunk.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00248336 _____ C:\Windows\system32\atieah64.exe
2017-03-15 22:34 - 2017-03-15 22:34 - 00239128 _____ C:\Windows\SysWOW64\amdgfxinfo32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00226320 _____ C:\Windows\SysWOW64\atieah32.exe
2017-03-15 22:34 - 2017-03-15 22:34 - 00219664 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atig6txx.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00193560 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00178200 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantle64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00166408 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdave64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00162216 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\amdhcp64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00158336 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\aticfx64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00154640 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atisamu64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00153104 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantle32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00147472 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\mantleaxl64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00145952 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00145864 _____ (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\amdhcp32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00145360 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdave32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00135704 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atisamu32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00130584 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00130216 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atimpc64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00130216 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdpcom64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00128528 _____ (AMD) C:\Windows\system32\atimuixx.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00126488 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\mantleaxl32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00121368 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00118800 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\atidxx64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00112336 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00112336 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00107544 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00100888 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\amdmcl64.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00084504 _____ (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdmcl32.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00077840 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ati2erec.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00038424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\detoured.dll
2017-03-15 22:34 - 2017-03-15 22:34 - 00038416 _____ (Microsoft Corporation) C:\Windows\system32\detoured.dll
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-03-25 16:35 - 2016-07-16 04:36 - 00000000 ____D C:\Windows\CbsTemp
2017-03-25 16:20 - 2016-07-16 04:45 - 00000000 ____D C:\Windows\INF
2017-03-25 16:16 - 2016-07-15 23:04 - 00262144 _____ C:\Windows\system32\config\BBI
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 __RSD C:\Windows\Media
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ___SD C:\Windows\SysWOW64\Nui
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ___SD C:\Windows\SysWOW64\F12
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ___SD C:\Windows\SysWOW64\DiagSvcs
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ___SD C:\Windows\system32\Nui
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ___SD C:\Windows\system32\F12
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ___SD C:\Windows\system32\dsc
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ___SD C:\Windows\system32\DiagSvcs
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ___RD C:\Windows\PrintDialog
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\WinMetadata
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\setup
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\oobe
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\lv-LV
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\lt-LT
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\icsxml
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\et-EE
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\es-MX
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\en-GB
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\WinMetadata
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\WinBioPlugIns
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\setup
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\oobe
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\migwiz
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\lv-LV
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\lt-LT
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\icsxml
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\et-EE
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\es-MX
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\en-GB
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\DDFs
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\appraiser
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\ShellExperiences
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\Provisioning
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\PolicyDefinitions
2017-03-25 15:04 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\L2Schemas
2017-03-25 15:04 - 2016-07-15 23:04 - 00000000 ____D C:\Windows\SysWOW64\Dism
2017-03-25 15:04 - 2016-07-15 23:04 - 00000000 ____D C:\Windows\system32\Sysprep
2017-03-25 15:04 - 2016-07-15 23:04 - 00000000 ____D C:\Windows\system32\Dism
2017-03-25 15:04 - 2016-07-15 23:04 - 00000000 ____D C:\Windows\servicing
2017-03-25 15:03 - 2016-07-16 07:29 - 00000000 ____D C:\Program Files\Windows Defender Advanced Threat Protection
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ___SD C:\Windows\SysWOW64\Configuration
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ___SD C:\Windows\system32\Configuration
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\IME
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\SystemResources
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\spool
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\Macromed
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\IME
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\System
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\schemas
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\InfusedApps
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\IME
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\Globalization
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\bcastdvr
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\addins
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Program Files\Windows Defender
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2017-03-25 15:03 - 2016-07-16 04:47 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2017-03-25 15:03 - 2016-07-15 23:04 - 00000000 ____D C:\Windows\system32\SMI
2017-03-25 15:02 - 2016-07-16 04:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-25 15:01 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\registration
2017-03-25 15:00 - 2016-07-16 04:47 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2017-03-25 14:58 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\AppReadiness
2017-03-24 15:48 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\appcompat
2017-03-23 11:09 - 2016-07-16 04:47 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2017-03-23 10:42 - 2016-07-16 04:47 - 00000000 ____D C:\Windows\system32\WinBioDatabase
2017-03-23 10:40 - 2016-07-16 04:47 - 00000000 ____D C:\ProgramData\USOPrivate
2017-03-23 10:40 - 2016-07-16 04:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-03-23 10:34 - 2016-07-16 04:47 - 00000000 ___RD C:\Windows\MiracastView
2017-03-23 10:34 - 2016-07-15 23:04 - 00032768 _____ C:\Windows\system32\config\ELAM
2017-03-09 22:17 - 2016-07-16 04:49 - 00835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-03-09 22:17 - 2016-07-16 04:49 - 00177656 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
==================== Files in the root of some directories =======
2017-03-23 10:52 - 2017-03-23 10:52 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2017-03-23 10:34
==================== End of FRST.txt ============================
 

Edited by hamluis, 25 March 2017 - 08:06 PM.


#2 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,850 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:50 AM

Posted 26 March 2017 - 10:30 AM

Jon:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil.

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I will need some time to review your FRST logs. That could take a day or two.

 

In future, to assist me, please copy and paste the contents of all log files requested into your replies rather than attaching them.  That makes it easier for me, and faster.  Thank you for your anticipated cooperation.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#3 jon2112

jon2112
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:50 AM

Posted 27 March 2017 - 03:27 AM

Thank you, I misread the guidelines on log posting.  My bad.   I had to use a restore point- it would not connect to the internet.   If this is a problem I apologize in advance.  I have a mac I can communicate to you if you wish, and leave the Windows PC alone.  I use the PC  to play War Thunder with friends on certain nights and did not want to miss  that.  Thanks for your time and patience.



#4 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,850 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:50 AM

Posted 27 March 2017 - 12:29 PM

John:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

:step1: In analyzing your logs, I am seeing evidence of program remnants that do not show in your list of installed programs. We can remove these if you want, in a later step. Please let me know if you want the remnants removed.

  • Bullguard
  • Smart PC Utilities
  • ESET

.


:step2: Please run a FRST "Fix" for me.

Copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the folder: C:\Users\Jasper\Downloads

NOTE: It is important that both files, FRST64.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

CreateRestorePoint:
CloseProcesses:

GroupPolicyScripts: Restriction <======= ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
Folder: C:\Windows\system32\ÿÿÿÿÿÿÿÿerStore
  • Right click FRST64.exe, and select "Run as Administrator".
  • Then press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log to the folder: C:\Users\Jasper\Downloads (Fixlog.txt). Please copy and paste the contents into your reply.

.

So far, I am not seeing any active malware on your computer. I think that we might be dealing with hardware or configuration issues, but I will want to run some additional anti-malware scans to be certain.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall
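The `R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]` line that the fix above removes is a service whose registry entry survived while its binary is gone: the `[X]` is FRST's marker for an image file it could not find on disk. The check below is an added example written for this thread, not part of FRST or of the helper's script; it walks the same `HKLM\SYSTEM\CurrentControlSet\Services` keys and lists every service or driver whose `ImagePath` no longer resolves to an existing file, so the reader can see what FRST is flagging and why such entries are worth reviewing before anything is removed. The function names and the path-resolution rules are this example's own assumptions.

```powershell
# Added example (not from the thread, FRST, or Bleeping Computer): enumerate
# services and drivers whose ImagePath points to a file that no longer exists,
# the condition FRST reports with "[X]" (as for ibtsiva above).
# Run from an elevated PowerShell prompt.

function Resolve-ServiceBinaryPath {
    # Turn a raw ImagePath value into a plain file path: expand %SystemRoot%,
    # strip quotes and command-line arguments, and normalise kernel-style prefixes.
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())

    if ($p.StartsWith('"')) {
        # Quoted path: keep what sits between the first pair of quotes
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        # Unquoted path: cut after the first .exe/.sys/.dll token (svchost.exe -k ...),
        # otherwise at the first space
        $m = [regex]::Match($p, '^(.*?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success)            { $p = $m.Groups[1].Value }
        elseif ($p.Contains(' '))  { $p = $p.Split(' ')[0] }
    }

    # Driver entries often use \SystemRoot\... or \??\C:\... notation
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''

    # Bare relative paths such as system32\drivers\foo.sys are relative to the Windows directory
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OrphanedService {
    # Emit one object per service/driver key whose resolved binary is missing.
    [CmdletBinding()]
    param()

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    Get-ChildItem -Path $servicesKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { return }   # no binary configured

        $resolved = Resolve-ServiceBinaryPath -ImagePath $props.ImagePath
        if (-not (Test-Path -LiteralPath $resolved)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $props.Start        # 2 = Automatic, which FRST shows as the "R2" prefix
                ImagePath = $props.ImagePath
                Resolved  = $resolved
            }
        }
    }
}

# Usage: review every hit by hand. A missing binary is common after a driver or
# security product is uninstalled incompletely, so the list is a starting point
# for investigation, not a removal list.
Get-OrphanedService | Sort-Object Service | Format-Table -AutoSize
```

On the system in this thread the output would include `ibtsiva` with `Resolved` set to `C:\Windows\system32\ibtsiva`, matching the FRST line; anything else that appears should be compared against the installed-programs list before it is touched, because the remnants of uninstalled drivers and of products such as the ones listed in Step 1 show up the same way.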


#5 jon2112

jon2112
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:50 AM

Posted 27 March 2017 - 05:57 PM

I can proceed as you want me to do but I may ask, that since I used a restore point (image) all the things are the same except I had to rename the pc like I had it in the records I sent and the admin account name was changed from Jennifer to jasper (wife adopted my pc) should I continue or should I resend a new scan log.  My VPN did not make the restore either and she added a realtek network card shutting off the onboard Intel 211 and 218-V LAN we never had the wifi on.    You said there were no stupid questions.  I hope we did not anger you.  Is it ok to play war thunder and do nothing else on this pc?  We're sorry for any ignorant actions.   Jon and Jennifer (her nickname's Jasper, long story)



#6 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,850 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:50 AM

Posted 28 March 2017 - 08:22 AM

John:

 

Thank you for your post.  The "fixlist.txt" will be unaffected by the changes that you describe.  Please run it and then copy and paste the contents of the "fixlog.txt" file into your next reply, but thank you for checking with me. :thumbup2:

 

I am not angered at all.  I am here to help you and your wife.

 

Please let me know if you want me to remove the remnants of the programs that I listed in Step :step1:?  We can do that at a future date, if you would like.

 

I would like to run a few more anti-malware scans before it would be advisable to use the computer online unnecessarily.  Let's get the "fixlist.txt" script run, and then move on to the additional anti-malware scans.

 

Thank you and have a great day.

 

Regards,

-Phil

 


Graduate of the Bleeping Computer Malware Removal Study Hall


#7 jon2112

jon2112
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:50 AM

Posted 28 March 2017 - 05:39 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Jennifer (28-03-2017 15:34:35) Run:1
Running from C:\Users\Jennifer\Downloads
Loaded Profiles: Jennifer (Available Profiles: Jennifer)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:

GroupPolicyScripts: Restriction <======= ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
Folder: C:\Windows\system32\ÿÿÿÿÿÿÿÿerStore
*****************

Restore point was successfully created.
Processes closed successfully.
"C:\Windows\system32\GroupPolicy\Machine" => not found.
HKLM\System\CurrentControlSet\Services\ibtsiva => key removed successfully
ibtsiva => service removed successfully

========================= Folder: C:\Windows\system32\ÿÿÿÿÿÿÿÿerStore ========================

====== End of Folder: ======

 

The system needed a reboot.

==== End of Fixlog 15:34:40 ====



#8 jon2112

jon2112
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:50 AM

Posted 28 March 2017 - 05:54 PM

Jasper's folder is hidden right above libraries in quick link and User/Jennifer is where some of the data is going...  seemed odd just renamed user that's all



#9 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,850 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:50 AM

Posted 29 March 2017 - 03:47 AM

John:


Thank you for your post and update. Let's run some more standard anti-malware scans to see if anything might be lurking in your computer.

.

:step1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

:step2: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-1878.1878-3.0.6.1469.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.

.

Thank you and have a great day.

Regards,
-Phil

 

Graduate of the Bleeping Computer Malware Removal Study Hall


#10 jon2112

jon2112
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:50 AM

Posted 29 March 2017 - 10:59 AM

can I please send a screenshot? it's gone haywire again I have all kinds of s*** in my users folder and public desktop is on quicklinks and this pc

I wanted you to know before I did anything- and something is here it's showing itself


Edited by jon2112, 29 March 2017 - 11:01 AM.


#11 jon2112

jon2112
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:50 AM

Posted 29 March 2017 - 11:12 AM

I apologize about the s substitution I forgot about that being in the forum rules   not to do


Edited by jon2112, 29 March 2017 - 11:13 AM.


#12 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,850 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:50 AM

Posted 29 March 2017 - 01:25 PM

John:

 

Thank you for your posts.  I KNOW that it is very FRUSTRATING when your computer is not working as it should.  To resolve your issues, we need to approach the problem logically and with deliberation.  My plan right now is to deal with any malware that might be detected, so as to eliminate that as a cause of your issues.

 

The FRST  scan did not detect any serious malware on your computer; but, like all anti-malware scanning tools, while it is the best, it does have limitations.

 

If you are able to do so, I would like you to run the two scans that I requested and post the results, copied and pasted, into your next reply.  They target, and detect, some issues that FRST does not detect.  I also have additional anti-malware scan and cleaning tools at my disposal.

 

If you cannot successfully run either or both of the two scans that I have requested you to run, please tell me why you can't run the scans, and any error messages that might appear.  This would help me greatly, to help you.

 

I am asking you to trust in my approach.  I received lengthy and comprehensive training in the Bleeping Computer Malware Removal Study Hall from their highly qualified and dedicated instructors.  By employing a methodical and focused approach, I am confident that we will be able to identify the cause of your computer issues.

 

Thank you and have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#13 jon2112

jon2112
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:50 AM

Posted 29 March 2017 - 08:31 PM

I am sorry if my reply sounded like a personal attack on you or your knowledge of the subject at hand. It was not my intention. I was like "wow, I can't believe all this happened on two reboots!" Then I thought "I have to show him this! Take a screenshot! Show my neighbors!" That's where I was at. I sometimes have difficulty relaying what I'm thinking to paper. Again, my apologies.

This is what I have for you:

ESET updated definitions.

ESET crashed on the first run.

Second run:

182,531 files scanned:
No infected files:
No cleaned threats:
Scan time: 00:17:53
Scan Status: finished

If it's left a log file somewhere, I cannot locate it.

Jennifer loaded Sophos after the infection. She didn't know that you were still helping me; I thought I said something to her about it. It was completely disabled before the scans. ESET reminded me.

Also, I don't know if this is a legitimate entry, but I have it in the Allowed apps through firewall interface: after the entry 'Xbox Identity Provider' is 'Your account', checked for private and public.

The MBAM log:

After the end of that is what was on the screen about the scan; I typed it verbatim. It seemed radically different than the log it exported.

Please note at the bottom of the log what I read off the view log screen itself, shown before and after the export. It would not copy/paste, so I typed it out. Thanks, John

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/30/17
Scan Time: 12:01 AM
Logfile: mbam.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.96
Update Package Version: 1.0.1624
License: Trial

-System Information-
OS: Windows 8
CPU: x64
File System: NTFS
User: PANZER_FAUS\Jennifer

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404447
Time Elapsed: 0 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.GeekBuddy, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\GeekBuddyRSP, No Action By User, [2261], [362758],1.0.1624

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

(end)

 

What I viewed on GUI:

Scan Date:
Scan Time:
Log File:
Administrator:               Yes
Version:
Component Package Version:
Update package version:
License:                     Unknown
OS:
CPU:
File System Type:
User:
Scan Type:                   Threat
Result:
Objects scanned:             31,173,784
Time Elapsed:                00:00:00
Processes:                   26,671,912
Modules:                     31,166,792
Resistry Keys:               1,998,180,943
Registry Values:             1,999,045,860
Registry Data:               26,672,208
Folders:                     0
Files:                       -1,073,741,275
Memory:                      Disabled
Startup:                     Disabled
File System:                 Disabled
Archives:                    Disabled
Rootkits:                    Enabled
Heuristics:                  Enabled
PUP:                         Enabled
PUM:                         Enabled

I changed nothing in the settings tabs for this scan. Factory settings. It did update itself.
I ran one with the rootkit scan enabled and got the same results. It scanned my root C:\ drive (Local Disk).
Downloaded directly from Malwarebytes to the desktop.

 



#14 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,850 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:50 AM

Posted 30 March 2017 - 01:05 PM

John:

Thank you for your post. Thank you also for the MBAM log. If there are no detections, ESET does not create a log.

As for your question about the "Xbox Identity Provider", you can find more information at this link, and by "googling" the phrase.

I was not concerned about you making a "personal attack" on me. I know, from my experience helping people on this Forum, that they, understandably, want their computer fixed, and fixed NOW! :) Sometimes I think it is prudent to remind them that malware removal is not an easy process and patience is needed.

Let's continue with some more standard anti-malware scans.

Step 1: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on the I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

Step 2: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#15 jon2112

jon2112
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:50 AM

Posted 30 March 2017 - 06:17 PM

OK, I'm on my Mac Air; it won't connect to the internet. I'm working on it, did not change anything. I'll reset my router (NVG599). I'll have to download to a USB on the Mac and either run it off that or put it in Windows.

Question (this is the only way I can explain this): I had two users to start. #1 Jennifer (Admin), #2 Jon (Standard). I changed the name of #1 Jennifer to Jasper (still admin); #2 (Jon, standard) is still the same. When I log into either one and at an administrator command prompt type whoami, the renamed Jennifer account shows as Jennifer. So if I sign out and log into Jon, which shows as a standard account, repeat the process and whoami shows jennifer (administrator is wrong, name is wrong). I was finally able to create another user, Jasper_ (standard account); do the whoami on this and it shows jennifer. So I don't get it. If you go to Users in Control Panel it shows jennifer and Default User. Look it up in Settings and it shows jasper (admin), jon (standard) and jasper_ (standard).

OK, here's my point: why does a command prompt tell me I have three administrators, and I'm told just one administrator and two standard accounts through Settings, which conflicts with Users in Control Panel and the command prompt? None of them match. I've never messed with the users, just create or delete. This seems weird. If this is not in the realm of what seems wrong, I am getting jumpy. It just does not seem right. Like someone's messing with my user accounts, and group policy is greyed out in services, set to automatic but never starts. I never went and changed anything and neither did Jennifer. It was OK to begin with. Is it due to uninstalled security suites? I'm lost. If you made it this far, thanks for reading. I am doing as you instructed now. Thank you, sir.


Edited by jon2112, 30 March 2017 - 06:25 PM.
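The three places John is comparing in the post above do not read the same attribute. Windows keeps a logon name (the SAM account name, which whoami reports) and a separate display name (what Settings and the logon screen show); renaming an account through Control Panel typically changes only the display name and leaves the logon name as it was. Separately, an elevated command prompt opened from a standard account runs under whichever administrator account's credentials were entered at the UAC prompt, so whoami in that window reports the administrator, not the standard user who is logged on. The PowerShell below is an added example, not something from this thread or from the helper, that lists all of these side by side so the reader can see which name is which; it assumes an elevated Windows PowerShell 5.1 session on Windows 10, where the LocalAccounts cmdlets are built in.

```powershell
# Added example (not from the thread): reconcile what whoami, Settings and
# the local account database (SAM) each say about the accounts on this PC.
# Run from an elevated Windows PowerShell 5.1 prompt on Windows 10.

# 1. The account this session actually runs as: logon name plus SID.
#    If this window was elevated from a standard account, this is the
#    administrator whose credentials were typed at the UAC prompt.
$me = whoami /user /fo csv | ConvertFrom-Csv
"Current session runs as: $($me.'User Name')  (SID $($me.SID))"

# 2. Every local account as stored in the SAM.
#    'Name'     = logon name, the value whoami and C:\Users\<name> use.
#    'FullName' = display name, the value Settings and the logon screen show.
#    A rename done in Control Panel normally changes only FullName.
"Local accounts (logon name vs display name):"
Get-LocalUser |
    Select-Object Name, FullName, Enabled, LastLogon, SID |
    Format-Table -AutoSize

# 3. Who really holds administrator rights: members of the local
#    Administrators group, regardless of what the display name suggests.
"Members of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 4. Is this particular window elevated (running with the admin token)?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
"This window is elevated: " + $principal.IsInRole($adminRole)
```

Reading the output: a row whose Name is the old name and whose FullName is the new one is a renamed account, not a second one, and the group listing in step 3 is the only authoritative answer to "how many administrators do I have". If the Administrators group contains a name that none of the machine's users created, that is the point to hand over to the helper rather than fix by hand, since the thread is still in the diagnostic stage.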




