Root-kit avgidsdrivera.sys and avgidsha.sys


Good morning! 
Recently Malwarebytes spotted:

Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\avgidsdrivera.sys, 
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\avgidsha.sys, Z
I have quarantined them. 
What should I do now? Is my computer infected? 

I would appreciate help! 

Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:


1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products, Windows), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.



 Please enable your system to show hidden files: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

1. Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Make sure rootkit scan is enabled

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)


2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.


New window that comes up.



3. Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

You can also use this version of RogueKiller which works on both 32 and 64 bit:

RogueKiller 32 & 64 bit

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)



Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Back up any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>Sometimes when clearing out an infection the winsock stack will become corrupt and you'll lose your internet connection. To resolve this....reset the stack as outlined HERE

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

Malwarebytes Anti-Malware
Data skanowania: 2015-09-21
Czas skanowania: 20:27
Administrator: Tak
Baza szkodliwego oprogramowania: v2015.09.21.06
Baza danych rootkitów: v2015.09.18.01
Licencja: Darmowa
Ochrona przed złośliwym oprogramowaniem: Wyłączony
Ochrona przed szkodliwymi stronami: Wyłączony
Samoobrona: Wyłączony
System operacyjny: Windows 8.1
Procesor: x64
System plików: NTFS
Użytkownik: Olek
Typ skanowania: Dokładne skanowanie
Wynik: Zakończono
Obiekty przeskanowane: 358473
Czas, który upłynął: 6 min, 34 s
Pamięć: Włączony
Autostart: Włączony
System plików: Włączony
Archiwa: Włączony
Rootkity: Włączony
Heurystyka: Włączony
PUP: Włączony
PUM: Włączony
Procesy: 0
(Nie wykryto zagrożeń)
Moduły: 0
(Nie wykryto zagrożeń)
Klucze rejestru: 0
(Nie wykryto zagrożeń)
Wartości rejestru: 0
(Nie wykryto zagrożeń)
Dane rejestru: 0
(Nie wykryto zagrożeń)
Foldery: 0
(Nie wykryto zagrożeń)
Pliki: 0
(Nie wykryto zagrożeń)
Sektory fizyczne: 0
(Nie wykryto zagrożeń)
Rezultaty skanowania Farbar Recovery Scan Tool (FRST) (x64) Wersja:15-09-2015
Uruchomiony przez Olek (administrator)  ALEKSANDERLAND (21-09-2015 19:52:35)
Uruchomiony z C:\Users\Olek\Downloads
Załadowane profile: Olek (Dostępne profile: Olek)
Platform: Windows 8.1 (X64) Język: Polski (Polska)
Internet Explorer Wersja 11 (Domyślna przeglądarka: Chrome)
Tryb startu: Normal
==================== Procesy (filtrowane) =================
(Załączenie wejścia w fixlist spowoduje zamknięcie procesu. Powiązany plik nie zostanie przeniesiony.)
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Valve Corporation) L:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) L:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
() C:\Program Files (x86)\RocketDock\RocketDock.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
==================== Rejestr (filtrowane) ===========================
(Załączenie wejścia w fixlist spowoduje usunięcie obiektu z rejestru lub przywrócenie jego domyślnej postaci. Powiązany plik nie zostanie przeniesiony.)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [164080 2015-06-27] (IvoSoft)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2634872 2015-08-18] (NVIDIA Corporation)
HKLM\...\Run: [shadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-11] (Realtek Semiconductor)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3775912 2015-08-24] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-08-28] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [brStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
HKU\S-1-5-21-3871865451-3501784630-1123502970-1001\...\Run: [steam] => L:\Program Files (x86)\Steam\steam.exe [2899136 2015-08-19] (Valve Corporation)
HKU\S-1-5-21-3871865451-3501784630-1123502970-1001\...\Run: [RocketDock] => C:\Program Files (x86)\RocketDock\RocketDock.exe [495616 2007-09-02] ()
HKU\S-1-5-21-3871865451-3501784630-1123502970-1001\...\Run: [GalaxyClient] => [X]
ShellIconOverlayIdentifiers: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-06-27] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [shareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-06-27] (IvoSoft)
==================== Internet (filtrowane) ====================
(Załączenie wejścia w fixlist, w przypadku gdy jest to obiekt rejestru, spowoduje usunięcie go z rejestru lub przywrócenie jego domyślnej postaci.)
Tcpip\Parameters: [DhcpNameServer]
Tcpip\..\Interfaces\{6F4EA04A-47DC-4B90-AC8D-C8B5A0D366A5}: [DhcpNameServer]
Tcpip\..\Interfaces\{A012BBC3-83C0-4F95-A797-974867306E45}: [DhcpNameServer]
Internet Explorer:
HKU\S-1-5-21-3871865451-3501784630-1123502970-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/pl-pl/?ocid=iehp
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-06-27] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2015-06-27] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-06-27] (IvoSoft)
BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-09-17] (Oracle Corporation)
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-17] (Oracle Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2015-06-27] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-06-27] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-06-27] (IvoSoft)
FF ProfilePath: C:\Users\Olek\AppData\Roaming\Mozilla\Firefox\Profiles\bkjuiu6s.default
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_232.dll [2015-08-19] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-19] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-07-11] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-17] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-17] (Oracle Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-06-17] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-06-17] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-07-03] (Adobe Systems Inc.)
CHR HomePage: Default -> hxxp://www.cdaction.pl/
CHR StartupUrls: Default -> "hxxp://google.pl/"
CHR DefaultSearchURL: Default -> hxxp://www.programuj.com/artykuly/rozne/sysliczb.php
CHR Profile: C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Prezentacje Google) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-07-28]
CHR Extension: (Dokumenty Google) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-07-28]
CHR Extension: (Dysk Google) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-07-28]
CHR Extension: (YouTube) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-07-28]
CHR Extension: (Google Search) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-07-28]
CHR Extension: (Arkusze Google) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-07-28]
CHR Extension: (Dokumenty Google offline) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-04]
CHR Extension: (Mac OS theme) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkpadlfbbnobnjaeodjfnkogiigdmgff [2015-07-28]
CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-28]
CHR Extension: (Gmail) - C:\Users\Olek\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-07-28]
==================== Usługi (filtrowane) ========================
(Załączenie wejścia w fixlist spowoduje jego usunięcie z rejestru. Powiązany plik nie zostanie przeniesiony, o ile nie zostanie załączony z osobna.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3637160 2015-08-24] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [335656 2015-08-24] (AVG Technologies CZ, s.r.o.)
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [brak podpisu cyfrowego]
S3 GalaxyClientService; C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [1720888 2015-08-19] (GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [6920248 2015-08-30] (GOG.com)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1155192 2015-08-18] (NVIDIA Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1872504 2015-08-18] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [5544568 2015-08-18] (NVIDIA Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
===================== Sterowniki (filtrowane) ==========================
(Załączenie wejścia w fixlist spowoduje jego usunięcie z rejestru. Powiązany plik nie zostanie przeniesiony, o ile nie zostanie załączony z osobna.)
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [21152 2015-03-27] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [162784 2015-03-11] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [313264 2015-08-19] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [297904 2015-08-19] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [259040 2015-06-16] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [378336 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [250800 2015-08-04] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [40928 2015-03-20] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [304560 2015-08-04] (AVG Technologies CZ, s.r.o.)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-09-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19576 2015-08-18] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [50472 2015-08-11] (NVIDIA Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-09-06] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
==================== NetSvcs (filtrowane) ===================
(Załączenie wejścia w fixlist spowoduje jego usunięcie z rejestru. Powiązany plik nie zostanie przeniesiony, o ile nie zostanie załączony z osobna.)
==================== Jeden miesiąc - utworzone pliki i foldery ========
(Załączenie wejścia w fixlist spowoduje przeniesienie pliku/folderu.)
2015-09-21 19:52 - 2015-09-21 19:52 - 02191360 _____ (Farbar) C:\Users\Olek\Downloads\FRST64.exe
2015-09-21 19:52 - 2015-09-21 19:52 - 00016281 _____ C:\Users\Olek\Downloads\FRST.txt
2015-09-21 19:52 - 2015-09-21 19:52 - 00000000 ____D C:\FRST
2015-09-21 19:51 - 2015-09-21 19:51 - 00001104 _____ C:\Users\Olek\Downloads\Mbam.txt
2015-09-18 11:48 - 2015-09-18 11:48 - 00168448 _____ C:\Users\Olek\Downloads\13_107_i_rok_plan_20152016 (3).xls
2015-09-17 14:48 - 2015-09-17 14:48 - 03237248 _____ (Enigma Software Group USA, LLC.) C:\Users\Olek\Downloads\SpyHunter-Installer.exe
2015-09-17 14:23 - 2015-09-17 14:23 - 00168448 _____ C:\Users\Olek\Downloads\13_107_i_rok_plan_20152016 (2).xls
2015-09-17 10:49 - 2015-09-17 10:50 - 00068162 _____ C:\Users\Olek\Desktop\Riot dxdiag.txt
2015-09-17 10:49 - 2015-09-17 10:49 - 00022871 _____ C:\Users\Olek\Desktop\Riot Process.txt
2015-09-17 10:49 - 2015-09-17 10:49 - 00002707 _____ C:\Users\Olek\Desktop\Riot NetworkInfo.txt
2015-09-17 10:49 - 2015-09-17 10:49 - 00000833 _____ C:\Users\Olek\Downloads\Riot Log Tool.bat
2015-09-17 10:33 - 2015-09-17 10:33 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-09-17 10:33 - 2015-09-17 10:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-09-17 10:32 - 2015-09-17 10:32 - 00584288 _____ (Oracle Corporation) C:\Users\Olek\Downloads\chromeinstall-8u60.exe
2015-09-17 10:32 - 2015-09-17 10:32 - 00000000 ____D C:\Program Files (x86)\Java
2015-09-17 09:33 - 2015-09-17 09:33 - 03882104 _____ (solvusoft Corporation ) C:\Users\Olek\Downloads\Setup_WinThruster_[2015_Edition].exe
2015-09-17 09:27 - 2015-09-17 09:27 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2015-09-17 09:27 - 2015-09-17 09:27 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2015-09-16 21:16 - 2015-09-16 21:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-09-16 21:16 - 2015-09-16 21:16 - 00000000 ____D C:\Program Files\7-Zip
2015-09-16 21:15 - 2015-09-16 21:15 - 01513472 _____ C:\Users\Olek\Downloads\7z938-x64.msi
2015-09-16 21:04 - 2015-09-16 21:13 - 505996275 _____ C:\Users\Olek\Downloads\YanSimSeptember1st_Version2.rar
2015-09-15 22:39 - 2015-09-15 22:39 - 00000000 ____D C:\Users\Olek\AppData\Roaming\Sun
2015-09-15 22:39 - 2015-09-15 22:39 - 00000000 ____D C:\Users\Olek\.oracle_jre_usage
2015-09-10 22:23 - 2015-09-10 22:23 - 00000000 ____D C:\Users\Olek\Documents\My Games
2015-09-10 00:46 - 2015-09-10 02:53 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-09-10 00:46 - 2015-09-10 02:53 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-09-10 00:46 - 2015-09-10 00:52 - 00000000 ____D C:\ProgramData\Adobe
2015-09-10 00:46 - 2015-09-10 00:46 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-09-08 22:58 - 2015-09-03 04:18 - 02531400 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2015-09-08 22:58 - 2015-09-03 04:17 - 01903848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2015-09-08 22:58 - 2015-09-02 20:48 - 02345472 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-09-08 22:58 - 2015-09-02 19:09 - 01556992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2015-09-08 22:58 - 2015-08-27 04:48 - 00136904 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-09-08 22:58 - 2015-08-26 20:00 - 00721920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-09-08 22:58 - 2015-08-26 20:00 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-09-08 22:58 - 2015-08-26 20:00 - 00081920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-09-08 22:58 - 2015-08-26 20:00 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-09-08 22:58 - 2015-08-26 16:46 - 03705344 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-09-08 22:58 - 2015-08-26 16:29 - 02240512 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-09-08 22:58 - 2015-08-26 16:27 - 00891904 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-09-08 22:58 - 2015-08-26 16:27 - 00409088 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2015-09-08 22:58 - 2015-08-26 16:26 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-09-08 22:58 - 2015-08-26 16:26 - 00095744 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-09-08 22:58 - 2015-08-26 16:26 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-09-08 22:58 - 2015-08-22 20:19 - 25188352 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-09-08 22:58 - 2015-08-22 19:35 - 02886144 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-09-08 22:58 - 2015-08-22 19:34 - 00585216 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-09-08 22:58 - 2015-08-22 19:22 - 19856384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-09-08 22:58 - 2015-08-22 19:21 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-09-08 22:58 - 2015-08-22 19:20 - 05923840 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-09-08 22:58 - 2015-08-22 18:55 - 00504832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-09-08 22:58 - 2015-08-22 18:50 - 02279424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-09-08 22:58 - 2015-08-22 18:50 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-09-08 22:58 - 2015-08-22 18:45 - 00665600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-09-08 22:58 - 2015-08-22 18:44 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-09-08 22:58 - 2015-08-22 18:41 - 14451712 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-09-08 22:58 - 2015-08-22 18:41 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-09-08 22:58 - 2015-08-22 18:41 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-09-08 22:58 - 2015-08-22 18:41 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-09-08 22:58 - 2015-08-22 18:39 - 02126336 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-09-08 22:58 - 2015-08-22 18:28 - 04520448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-09-08 22:58 - 2015-08-22 18:26 - 02427392 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-09-08 22:58 - 2015-08-22 18:23 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-09-08 22:58 - 2015-08-22 18:22 - 12857344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-09-08 22:58 - 2015-08-22 18:20 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-09-08 22:58 - 2015-08-22 18:18 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-09-08 22:58 - 2015-08-22 18:18 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-09-08 22:58 - 2015-08-22 18:18 - 00327168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-09-08 22:58 - 2015-08-22 18:14 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-09-08 22:58 - 2015-08-22 18:01 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-09-08 22:58 - 2015-08-22 18:00 - 01951232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-09-08 22:58 - 2015-08-22 17:56 - 01310720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-09-08 22:58 - 2015-08-22 17:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-09-08 22:58 - 2015-07-30 19:18 - 00268288 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-09-08 22:58 - 2015-07-30 18:22 - 00230912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InkEd.dll
2015-09-08 22:58 - 2015-07-22 16:19 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-09-08 22:58 - 2015-07-22 15:52 - 01633792 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-09-08 22:58 - 2015-07-17 16:15 - 00951296 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-09-08 22:58 - 2015-07-17 16:10 - 00749568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2015-09-08 22:58 - 2015-06-27 13:47 - 00118616 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2015-09-08 22:57 - 2015-09-02 04:56 - 04175872 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-09-08 22:57 - 2015-09-02 04:55 - 00358912 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-09-08 22:57 - 2015-09-02 04:50 - 00044032 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-09-08 22:57 - 2015-09-02 04:17 - 00301568 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-09-08 22:57 - 2015-09-02 04:13 - 00035840 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-09-08 22:57 - 2015-08-03 23:15 - 00074928 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-09-08 22:57 - 2015-08-03 23:15 - 00065600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-09-08 22:57 - 2015-08-01 16:22 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-09-08 22:57 - 2015-08-01 05:47 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\schtasks.exe
2015-09-08 22:57 - 2015-08-01 05:45 - 00182784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schtasks.exe
2015-09-08 22:57 - 2015-08-01 05:38 - 01265152 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2015-09-08 22:57 - 2015-08-01 05:37 - 00468992 _____ (Microsoft Corporation) C:\Windows\system32\taskeng.exe
2015-09-08 22:57 - 2015-08-01 05:37 - 00359936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\taskeng.exe
2015-09-08 22:57 - 2015-07-22 16:34 - 02775552 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2015-09-08 22:57 - 2015-07-22 16:33 - 01728000 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Immersive.dll
2015-09-08 22:57 - 2015-07-22 16:25 - 02461184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2015-09-08 22:57 - 2015-07-22 16:25 - 01546752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Immersive.dll
2015-09-08 22:57 - 2015-07-18 20:31 - 00194048 _____ (Microsoft Corporation) C:\Windows\system32\shacct.dll
2015-09-08 22:57 - 2015-07-18 20:29 - 00655872 _____ (Microsoft Corporation) C:\Windows\system32\SettingSync.dll
2015-09-08 22:57 - 2015-07-18 20:29 - 00148480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shacct.dll
2015-09-08 22:57 - 2015-07-18 20:27 - 00520192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSync.dll
2015-09-08 22:57 - 2015-07-14 05:27 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\tzsync.exe
2015-09-08 22:57 - 2015-07-13 21:10 - 00411455 _____ C:\Windows\system32\ApnDatabase.xml
2015-09-08 22:57 - 2015-07-09 18:14 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-09-08 22:57 - 2015-07-03 23:51 - 01380056 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-09-08 22:57 - 2015-07-03 16:00 - 01097216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2015-09-08 22:57 - 2015-06-19 19:07 - 02819072 _____ (Microsoft Corporation) C:\Windows\system32\SettingsHandlers.dll
2015-09-08 00:26 - 2015-09-08 00:26 - 00158208 _____ C:\Users\Olek\Downloads\13_107_i_rok_plan_20152016 (1).xls
2015-09-06 01:35 - 2015-09-06 01:35 - 00001108 _____ C:\Users\Olek\Downloads\scan-mam.txt
2015-09-05 16:13 - 2015-09-05 16:13 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2015-09-05 03:06 - 2015-09-05 03:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wiedźmin 3® - Dziki Gon [GOG.com]
2015-09-02 18:59 - 2015-09-02 19:00 - 00000000 ____D C:\NPE
2015-09-02 18:51 - 2015-09-02 19:02 - 00000000 ____D C:\Users\Olek\AppData\Local\NPE
2015-09-02 18:51 - 2015-09-02 18:51 - 03088296 _____ (Symantec Corporation) C:\Users\Olek\Downloads\NPE.exe
2015-09-02 18:51 - 2015-09-02 18:51 - 00000000 ____D C:\ProgramData\Norton
2015-09-01 02:44 - 2015-09-01 02:44 - 00000718 _____ C:\Users\Olek\Downloads\Pulpit — skrót.lnk
2015-08-31 20:08 - 2015-09-02 18:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-08-31 17:25 - 2015-08-11 06:52 - 00069416 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2015-08-31 17:25 - 2015-08-11 06:52 - 00050472 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2015-08-22 00:19 - 2015-08-22 00:19 - 00162816 _____ C:\Users\Olek\Downloads\13_107_i_rok_plan_20152016.xls
==================== Jeden miesiąc - zmodyfikowane pliki i foldery ========
(Załączenie wejścia w fixlist spowoduje przeniesienie pliku/folderu.)
2015-09-21 19:38 - 2015-07-29 22:19 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-09-21 19:37 - 2015-07-28 18:55 - 00000000 ____D C:\Users\Olek\AppData\Local\ClassicShell
2015-09-21 19:24 - 2015-07-28 18:42 - 01887827 _____ C:\Windows\WindowsUpdate.log
2015-09-21 19:20 - 2015-08-19 23:59 - 00000930 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-09-21 19:15 - 2015-07-28 21:40 - 00001086 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-21 19:04 - 2015-07-28 21:40 - 00001082 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-21 19:00 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\system32\sru
2015-09-21 12:39 - 2015-07-28 19:17 - 00000000 ____D C:\ProgramData\MFAData
2015-09-21 12:37 - 2013-08-22 15:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2015-09-20 02:18 - 2015-07-28 18:52 - 00004004 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{7CE8F19A-DB06-4119-AA3A-7107FBCE0C8F}
2015-09-19 20:06 - 2014-11-21 06:46 - 01825074 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-19 20:06 - 2014-11-21 06:07 - 00805918 _____ C:\Windows\system32\perfh015.dat
2015-09-19 20:06 - 2014-11-21 06:07 - 00163272 _____ C:\Windows\system32\perfc015.dat
2015-09-19 19:32 - 2013-08-22 16:46 - 00026888 _____ C:\Windows\setupact.log
2015-09-17 21:20 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\AppReadiness
2015-09-17 10:44 - 2015-07-28 18:52 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3871865451-3501784630-1123502970-1001
2015-09-17 09:37 - 2015-07-28 19:02 - 00000000 ____D C:\ProgramData\NVIDIA
2015-09-17 09:37 - 2013-08-22 16:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-17 09:27 - 2015-07-28 19:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-09-15 23:10 - 2015-07-28 21:40 - 00004058 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-15 23:10 - 2015-07-28 21:40 - 00003822 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-15 22:45 - 2015-07-28 19:00 - 00000000 ____D C:\ProgramData\Oracle
2015-09-15 22:39 - 2015-07-28 18:47 - 00000000 ____D C:\Users\Olek
2015-09-13 23:29 - 2015-07-29 14:53 - 00000000 ____D C:\Users\Olek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2015-09-13 21:48 - 2015-07-28 21:40 - 00000000 ____D C:\Users\Olek\AppData\Local\Google
2015-09-12 22:29 - 2015-08-20 22:38 - 00000000 ____D C:\Users\Olek\AppData\Roaming\TS3Client
2015-09-10 19:03 - 2015-07-28 21:48 - 00000000 ___RD C:\Users\Olek\Desktop\skróty
2015-09-10 01:17 - 2015-07-28 18:47 - 00000000 ____D C:\Users\Olek\AppData\Roaming\Adobe
2015-09-10 00:51 - 2015-07-29 22:57 - 00000000 ____D C:\Users\Olek\AppData\Local\Adobe
2015-09-09 14:46 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\rescache
2015-09-09 14:25 - 2015-07-29 15:17 - 00044921 _____ C:\Windows\DirectX.log
2015-09-09 13:13 - 2013-08-22 16:44 - 00484320 _____ C:\Windows\system32\FNTCACHE.DAT
2015-09-09 04:09 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-09-09 04:09 - 2013-08-22 15:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-09-09 01:40 - 2015-07-28 22:32 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-09-09 01:40 - 2014-11-21 06:29 - 00000000 ____D C:\Program Files\Windows Journal
2015-09-09 01:40 - 2013-08-22 17:20 - 00000000 ____D C:\Windows\CbsTemp
2015-09-09 01:39 - 2015-07-28 19:42 - 00000000 ____D C:\Windows\system32\MRT
2015-09-07 17:49 - 2015-07-29 15:17 - 00000000 ____D C:\Users\Olek\Documents\Paradox Interactive
2015-09-07 01:53 - 2015-07-28 18:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell
2015-09-07 01:53 - 2015-07-28 18:54 - 00000000 ____D C:\Program Files\Classic Shell
2015-09-07 01:51 - 2015-08-10 11:10 - 00000754 _____ C:\DelFix.txt
2015-09-06 01:41 - 2015-08-10 00:22 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys
2015-09-05 19:10 - 2015-07-31 22:04 - 00000000 ____D C:\Users\Olek\Documents\The Witcher 3
2015-09-02 18:59 - 2015-07-29 22:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-09-02 18:59 - 2014-11-20 21:36 - 00009078 _____ C:\Windows\PFRO.log
2015-08-31 17:26 - 2015-07-28 19:11 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2015-08-26 18:37 - 2015-07-28 19:42 - 134753440 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
Niektóre pliki w TEMP:
==================== Bamital & volsnap =================
(Brak automatycznej naprawy dla plików które nie przeszły weryfikacji.)
C:\Windows\system32\winlogon.exe => Plik podpisany cyfrowo
C:\Windows\system32\wininit.exe => Plik podpisany cyfrowo
C:\Windows\explorer.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\explorer.exe => Plik podpisany cyfrowo
C:\Windows\system32\svchost.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\svchost.exe => Plik podpisany cyfrowo
C:\Windows\system32\services.exe => Plik podpisany cyfrowo
C:\Windows\system32\User32.dll => Plik podpisany cyfrowo
C:\Windows\SysWOW64\User32.dll => Plik podpisany cyfrowo
C:\Windows\system32\userinit.exe => Plik podpisany cyfrowo
C:\Windows\SysWOW64\userinit.exe => Plik podpisany cyfrowo
C:\Windows\system32\rpcss.dll => Plik podpisany cyfrowo
C:\Windows\system32\dnsapi.dll => Plik podpisany cyfrowo
C:\Windows\SysWOW64\dnsapi.dll => Plik podpisany cyfrowo
C:\Windows\system32\Drivers\volsnap.sys => Plik podpisany cyfrowo
LastRegBack: 2015-09-17 18:18
==================== Koniec  FRST.txt ============================
RogueKiller V10.10.6.0 (x64) [sep 21 2015] od Adlice Software
System operacyjny : Windows 8.1 (6.3.9600) 64 bits version
Uruchomiono : Tryb normalny
Użytkownik : Olek [Administrator]
Uruchomiony z : C:\Users\Olek\Downloads\RogueKillerX64.exe
Tryb : Skanowanie -- Data : 09/21/2015 20:19:42
¤¤¤ Procesy : 0 ¤¤¤
¤¤¤ Rejestr : 2 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\RK_Olek_ON_D_1B0A\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Znaleziono
[PUM.SearchPage] (X86) HKEY_USERS\RK_Olek_ON_D_1B0A\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Znaleziono
¤¤¤ Zaplanowane zadania : 0 ¤¤¤
¤¤¤ Pliki : 0 ¤¤¤
¤¤¤ Plik hosts : 0 ¤¤¤
¤¤¤ Rootkity : 0 (Driver: załadowano) ¤¤¤
¤¤¤ Przeglądarki : 0 ¤¤¤
¤¤¤ Sprawdzenie MBR : ¤¤¤
+++++ PhysicalDrive0: KINGSTON SHSS37A120G ATA Device +++++
--- User ---
[MBR] c1a84b6bc997f444709c1acbaad5c11b
[bSP] 5e2b501b3a827763da811cd736796499 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 114121 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: ST1000DM003-1ER162 ATA Device +++++
--- User ---
[MBR] de162284bea1c995a282dc8a40e57ed2
[bSP] 7bb2a941d1f7291bfe1062514ea75f18 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 200000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409602048 | Size: 200000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 819202048 | Size: 553866 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: SAMSUNG HD103SJ ATA Device +++++
--- User ---
[MBR] c9795eeb96bef37f789827d6d3d30c13
[bSP] a1031a6751ec99804f5b02a819fb4836 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 99998 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 204796620 | Size: 853861 MB
User = LL1 ... OK
User = LL2 ... OK


Those 2 files belong to the AVG anti-virus program, which you have on the system.

Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\avgidsdrivera.sys
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\avgidsha.sys


They're still showing in the logs:

R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [297904 2015-08-19] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [313264 2015-08-19] (AVG Technologies CZ, s.r.o.)

Can you show me the log from Malwarebytes that shows them being quarantined?


Is AVG still working OK?????

Are you having any other problems????


It looks that way; it works fine.


Malwarebytes Anti-Malware
Data skanowania: 2015-09-17
Czas skanowania: 09:27
Administrator: Tak
Baza szkodliwego oprogramowania: v2015.09.17.01
Baza danych rootkitów: v2015.08.16.01
Licencja: Darmowa
Ochrona przed złośliwym oprogramowaniem: Wyłączony
Ochrona przed szkodliwymi stronami: Wyłączony
Samoobrona: Wyłączony
System operacyjny: Windows 8.1
Procesor: x64
System plików: NTFS
Użytkownik: Olek
Typ skanowania: Dokładne skanowanie
Wynik: Zakończono
Obiekty przeskanowane: 358311
Czas, który upłynął: 8 min, 37 s
Pamięć: Włączony
Autostart: Włączony
System plików: Włączony
Archiwa: Włączony
Rootkity: Włączony
Heurystyka: Włączony
PUP: Włączony
PUM: Włączony
Procesy: 0
(Nie wykryto zagrożeń)
Moduły: 0
(Nie wykryto zagrożeń)
Klucze rejestru: 0
(Nie wykryto zagrożeń)
Wartości rejestru: 0
(Nie wykryto zagrożeń)
Dane rejestru: 0
(Nie wykryto zagrożeń)
Foldery: 0
(Nie wykryto zagrożeń)
Pliki: 0
(Nie wykryto zagrożeń)
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\avgidsdrivera.sys, Zastąpienie-po-restarcie, [0cc611cda005070b9f5a496352124eff], 
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\avgidsha.sys, Zastąpienie-po-restarcie, [54384fc2230b4469e7edf938b7cf5ff7], 
Sektory fizyczne: 0
(Nie wykryto zagrożeń)

OK, let's run Malwarebytes Anti-Rootkit to double check:


  • Download Malwarebytes Anti-Rootkit from HERE
  • Run the file and follow the onscreen instructions to extract it to a location of your choosing (your desktop by default)
  • Malwarebytes Anti-Rootkit will then open; follow the instructions in the wizard to update and allow the program to scan your computer for threats
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so
  • Wait while the system shuts down and the cleanup process is performed
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process


OK, you're good to go!

A little clean up to do....


Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)


Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.
