Fake TS3 Plugin Keylogger. help analyzing?


  • This topic is locked
6 replies to this topic

#1 GrizzlyTDSL

GrizzlyTDSL

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:30 PM

Posted 28 March 2017 - 05:39 PM

Hello guys and girls. I'm a lowly hardware tech who also loves to try and learn how malware works, but without the formal training/knowledge you all may have, and I'm in need of some help or advice. I have a good friend of mine who I'm slowly teaching to be more computer literate, but today he fell for a scam. It's rather well known and old, but I actually snagged the executable from his PC in hopes that someone here could tell me how it works, what it changes and how it manages to refuse connections after removal. I uninstalled it, restored his registry, used Hijack to remove any BHOs and proxy overrides, reset his firewall to default, ran ADW and JRT. Still no dice. I don't know if I should attach a zip with a password with the executable to this post or hold off, considering I don't really want to distribute this threat. It's called TS3plugin.exe and is meant to be linked via a TeamSpeak server host who's out to scam individuals out of Steam accounts, and it masquerades as a TeamSpeak update for a sound driver/plugin. It changes the Steam icon to that of a default Windows microphone symbol and makes connecting to the Steam server return an "error 103" message. Store.steampowered.com is also blocked indefinitely regardless of browser with a connection refused error. I was able to get him to change all of his passwords to everything on his smartphone, making sure not to use his computer for it, so he's safe for the time being, and the system restore worked out fine. He lost nothing, thankfully, but I was defeated by why I couldn't solve the DNS refusal. I was hoping I could get someone to analyze this executable for me or show me how, so I can fix things like this in the future. Any and all help and advice is welcome, and I thank you for your time. If anyone would like the executable, let me know a way I can get it to you without breaking any rules and I'll put it in a locked .zip.

Thanks guys.
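A read-only triage script for the symptoms the post describes (one host blocked regardless of browser, a Steam client that cannot connect, and an infection that returns after cleanup); this is an added example, not anything posted in the thread. It assumes an elevated PowerShell on Windows 8.1 or later with the NetSecurity module, and the hosts file, firewall block rules, proxy settings and Temp-based autostart entries it inspects are the usual places such behaviour is configured, not findings from the thread.

```powershell
# Added triage script (not from the thread). Read-only: it reports, it changes nothing.
# Assumes an elevated PowerShell on Windows 8.1+ (Get-NetFirewallRule, Get-ScheduledTask,
# Resolve-DnsName and Test-NetConnection all ship with that version).

$patterns = @('steam', 'steampowered', 'valve')   # names taken from the post's symptoms

Write-Host "== hosts file entries (a redirected store.steampowered.com would show here) =="
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() -ne '' } |
    ForEach-Object { "  $_" }

Write-Host "`n== enabled firewall rules that BLOCK and mention Steam =="
Get-NetFirewallRule -Action Block -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $app  = ($rule | Get-NetFirewallApplicationFilter).Program
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $text = "$($rule.DisplayName) $app $addr"
        foreach ($p in $patterns) {
            if ($text -match $p) {
                "  [$($rule.Direction)] $($rule.DisplayName) -> $app $addr"
                break
            }
        }
    }

Write-Host "`n== proxy / AutoConfig settings (these survive a browser reset) =="
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty $inet |
    Select-Object ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL | Format-List
netsh winhttp show proxy

Write-Host "`n== autostart entries pointing at Temp/AppData (reinstall-on-boot persistence) =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match '\\Temp\\|\\AppData\\' } |
        ForEach-Object { "  $key\$($_.Name) = $($_.Value)" }
}
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Actions.Execute)" -match '\\Temp\\' } |
    ForEach-Object { "  task $($_.TaskPath)$($_.TaskName) -> $($_.Actions.Execute)" }

Write-Host "`n== what the blocked host resolves to, and whether port 443 answers =="
Resolve-DnsName store.steampowered.com -Type A -ErrorAction SilentlyContinue |
    Format-Table Name, IPAddress
Test-NetConnection store.steampowered.com -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

A hosts entry or a block rule that names the host explains a "connection refused" that no browser change fixes; a Run value or task that launches from Temp explains why it returns after removal.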




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 AM

Posted 29 March 2017 - 08:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

#3 GrizzlyTDSL

GrizzlyTDSL
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:30 PM

Posted 29 March 2017 - 06:40 PM

I remoted in and found the Temp folder the keylogger was reinstalling itself out of, so it's no longer a serious issue. I've taken a copy of the logfile the keylogger generated (rather lazy on the malware author's part to leave a log locally) and got FRST installed on his PC, so here are the logs.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Dibbles (administrator) on PC (29-03-2017 16:20:26)
Running from C:\Users\Dibbles\Downloads
Loaded Profiles: Dibbles (Available Profiles: Dibbles)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

2017-03-28 14:29 - 2017-01-12 22:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-28 14:29 - 2013-08-22 08:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-28 14:27 - 2017-02-04 19:03 - 00000000 ____D C:\ProgramData\Origin
2017-03-28 14:27 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\registration
2017-03-28 12:46 - 2017-02-04 19:04 - 00000000 ____D C:\Users\Dibbles\AppData\Roaming\Origin
2017-03-20 17:37 - 2017-01-13 17:18 - 00000000 ____D C:\Users\Dibbles\Desktop\Anime Memes
2017-03-19 00:51 - 2017-02-04 19:38 - 00214392 _____ C:\Windows\SysWOW64\PnkBstrB.exe
2017-03-19 00:51 - 2017-02-04 19:38 - 00214392 _____ C:\Windows\SysWOW64\PnkBstrB.ex0
2017-03-17 01:18 - 2017-01-17 20:21 - 00000000 ____D C:\Users\Dibbles\Documents\Battlefield 4
2017-03-16 17:59 - 2017-01-12 21:38 - 00514616 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2017-03-16 17:59 - 2017-01-12 21:38 - 00420408 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2017-03-16 17:59 - 2017-01-12 21:37 - 28223544 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2017-03-16 17:59 - 2017-01-12 21:37 - 19883600 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll
2017-03-16 17:59 - 2017-01-12 21:37 - 17282648 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2017-03-16 17:59 - 2017-01-12 21:37 - 13378096 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2017-03-16 17:59 - 2017-01-12 21:37 - 00042686 _____ C:\Windows\system32\nvinfo.pb
2017-03-16 17:59 - 2017-01-12 21:36 - 04064088 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2017-03-16 17:59 - 2017-01-12 21:36 - 03583744 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2017-03-16 17:59 - 2017-01-12 21:36 - 01600056 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco6420103.dll
2017-03-16 16:16 - 2017-01-12 21:38 - 06401984 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2017-03-16 16:16 - 2017-01-12 21:38 - 02477504 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll
2017-03-16 16:16 - 2017-01-12 21:38 - 01762752 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2017-03-16 16:16 - 2017-01-12 21:38 - 00549944 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshext.dll
2017-03-16 16:16 - 2017-01-12 21:38 - 00392128 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2017-03-16 16:16 - 2017-01-12 21:38 - 00081856 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshextr.dll
2017-03-16 16:16 - 2017-01-12 21:38 - 00069568 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2017-03-16 15:45 - 2017-01-13 13:25 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-03-16 02:39 - 2017-01-12 21:38 - 07813427 _____ C:\Windows\system32\nvcoproc.bin
2017-03-15 16:05 - 2017-02-04 19:04 - 00000000 ____D C:\Program Files (x86)\Origin
2017-03-14 17:44 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-03-14 17:44 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\Macromed
2017-03-13 18:56 - 2017-01-13 16:59 - 00000000 ____D C:\Users\Dibbles\AppData\Roaming\discord
2017-03-10 22:51 - 2017-01-13 13:25 - 00000000 ____D C:\ProgramData\Package Cache
2017-03-01 20:44 - 2017-01-23 20:14 - 00000000 ____D C:\Users\Dibbles\AppData\Local\Adobe
2017-02-28 16:49 - 2017-01-13 21:32 - 00000000 ____D C:\Users\Dibbles\AppData\Local\Arma 3 Launcher

==================== Files in the root of some directories =======

2017-02-25 00:03 - 2017-02-25 00:03 - 0000883 _____ () C:\Users\Dibbles\AppData\Local\recently-used.xbel
2017-02-27 17:32 - 2017-02-27 17:32 - 0007605 _____ () C:\Users\Dibbles\AppData\Local\Resmon.ResmonCfg
2017-01-13 13:29 - 2017-01-13 13:29 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
2011-11-03 07:13 - 2011-11-03 07:13 - 1786688 _____ () C:\Users\Dibbles\AppData\Local\Temp\sonarinst.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-18 05:11

==================== End of FRST.txt ============================


#4 nasdaq

  • Malware Response Team
  • 40,510 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 AM

Posted 30 March 2017 - 08:24 AM

This program is not trusted. Your call if you want to keep it.
Do it via the Control Panel > Programs > Programs and Features.

Wallpaper Engine (HKLM\...\Steam App 431960) (Version: - Kristjan Skutta)

It's called by this .exe file.
D:\Steam\steamapps\common\wallpaper_engine\wallpaper32.exe

Source.
http://www.isthisfilesafe.com/product/Wallpaper%20Engine_details.aspx
---


Download the Junkware Removal Tool to your Desktop from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shut down your antivirus to avoid any conflicts.
Right-click the icon and disable it for, say, 20 minutes.
Right-mouse click JRT.exe and select Run as administrator (If using XP just double click on the icon to run it.)
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best Security Practices - Keep Safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#5 GrizzlyTDSL
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Local time:10:30 PM

Posted 01 April 2017 - 06:42 PM

I'm positive Wallpaper Engine, while not perfect, is trustworthy and also not the cause of this infection. The content submitted to Wallpaper Engine CAN be malicious, but those get weeded out rather quickly, and I've looked over his installed addons from that app and nothing poses a threat; they're all simple overlays. His JRT logs come up empty, as it was one of my first steps. I've cleaned his machine and he's no longer actually at risk. I'm just trying to find someone capable of analyzing the actual executable who could share with me how it kept refusing certain DNS connections (which, again, is no longer an issue) after uninstallation of the trojan along with removal of its registry keys and setting firewall rules to default. He was infected because he followed a link from a fake HOST message on the TeamSpeak 3 platform which disguised itself as a fake audio plugin from TS to steal his Steam info for Counter-Strike.

However, as soon as he is available again, I'll run it once more and throw the log here.


Edited by GrizzlyTDSL, 01 April 2017 - 06:44 PM.


#6 nasdaq

  • Malware Response Team
  • 40,510 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:30 AM

Posted 02 April 2017 - 07:02 AM


I'm just trying to find someone capable of analyzing the actual executable who could share with me how it kept refusing certain DNS connections(which again, is no longer an issue) after uninstallation of the trojan


I cannot help you with this.

These are all the forums available here.
https://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=navigation&inapp=forums

You may want to ask in the Networking forum since you want to deal with DNS.
https://www.bleepingcomputer.com/forums/f/21/networking/

#7 GrizzlyTDSL
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Local time:10:30 PM

Posted 06 April 2017 - 12:54 AM

Alright fair enough, thanks for your time!
