Jump to content

Infected with Malware


Recommended Posts

Hello Aiden147 and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop:

user posted imageGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. user posted image
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

user posted imageMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. user posted image Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

user posted imageInternet Explorer - Click the Tools menu in the upper right-corner of the browser. user posted image Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

user posted imageChange default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Next,

Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window Checkmark "Install 32 and 64 bit versions, then select "Next"

user posted image

In the next window skip Licence I.D. and Licence Key, select "Next"

user posted image

In the next window make no changes and select "Next"

user posted image

In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"

user posted image

In the next window make no changes and select "Install"

user posted image

RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish.

user posted image

RogueKiller will launch. Accept UAC, then read and accept "User Agreements"

user posted image

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes select "Open Report"

user posted image

In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply

user posted image

Let me see those logs...

Thank you,

Kevin..
Link to post
Share on other sites

I could not get to the RogueKiller site from the infected computer, so I used a USB drive to move the installer over and that worked. Something on the computer is causing sites with anything related to anti-malware to have a "no internet connection" error. I tried removing some of the malware with RogueKiller and manually but each says I need administrative permission when I am the admin. Here are the logs: 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-03-2017
Ran by Aiden (administrator) on AIDENS-DESKTOP (12-03-2017 21:58:29)
Running from C:\Users\Aiden\Downloads
Loaded Profiles: Aiden (Available Profiles: Aiden & aiden_ra2lhlm)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe" -- "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
() C:\Windows\SysWOW64\ASGT.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUSTeK Computer Inc\AURA\AsLedService.exe
() C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
(TODO: <Company name>) C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ASLED.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
() C:\Program Files (x86)\Intel\Intel(R) Security Assist\isaHelperService.exe
(Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
(Electronic Arts) C:\Program Files (x86)\Origin\OriginWebHelperService.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(Razer Inc.) C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
() C:\Users\Aiden\AppData\Local\Temp\WS\WindowService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(TODO: <Company name>) C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ledcontrolservice.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.109.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(TODO: <Company name>) C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ledcontrolservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvsphelper64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe
(Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(Portrait Displays, Inc) C:\Program Files (x86)\BenQ\Display Pilot\dthtml.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Portrait Displays Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\HookManager.exe
() C:\Program Files (x86)\svcvmx\svcvmx.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdiSDKHelper.exe
() C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper.exe
() C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
(ct Corp.) C:\Users\Aiden\AppData\Local\Temp\20170222\ct.exe
(splsrv Corp.) C:\Windows\SysWOW64\splsrv.exe
() C:\Program Files (x86)\dataup\dataup.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Users\Aiden\AppData\Local\Temp\WS\WindowService.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8822016 2016-06-02] (Realtek Semiconductor)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-06] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [ShadowPlay] => "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Malwarebytes TrayApp] => "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [DT BEN] => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [121096 2016-02-12] (Portrait Displays, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
HKLM-x32\...\Run: [cutoauto] => "C:\Program Files (x86)\graebner\grub.exe"
HKLM-x32\...\Run: [toys] => "C:\Program Files (x86)\graebner\upgraded.exe"
HKLM-x32\...\Run: [interpee] => "C:\Program Files (x86)\Ingrown\cripes.exe"
HKLM-x32\...\Run: [autoauto] => "C:\Program Files (x86)\graebner\upgraded.exe"
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8891608 2016-07-13] (Piriform Ltd)
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2881824 2017-01-18] (Valve Corporation)
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [rutoauto] => "C:\Program Files (x86)\graebner\upgraded.exe"
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [dutoauto] => "C:\Program Files (x86)\graebner\grub.exe"
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [toys] => "C:\Program Files (x86)\graebner\upgraded.exe"
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [interpee] => "C:\Program Files (x86)\Ingrown\cripes.exe"
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [ok49579048] => "C:\Program Files (x86)\graebner\grub.exe"
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [deuces] => C:\Program Files (x86)\resource\deuces.exe [40345 2017-02-21] ()
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [domenick] => "C:\Program Files (x86)\graebner\upgraded.exe"
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [psychomotor] => C:\Program Files (x86)\resource\snatchers.exe [522752 2017-02-21] (skye)
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [reflecting] => "C:\Program Files (x86)\Ingrown\cripes.exe"
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\RunOnce: [Uninstall C:\Users\Aiden\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Aiden\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_1\amd64"
HKU\S-1-5-18\...\Run: [] => [X]
HKU\S-1-5-18\...\RunOnce: [Application Restart #0] => C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ledcontrolservice.exe [2111488 2016-06-06] (TODO: <Company name>)
HKU\S-1-5-18\...\RunOnce: [Application Restart #2] => C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ledcontrolservice.exe [2111488 2016-06-06] (TODO: <Company name>)
Startup: C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok49579048.lnk [2017-02-21]
ShortcutTarget: ok49579048.lnk -> C:\Program Files (x86)\graebner\upgraded.exe (No File)
Startup: C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok49579048whistling.lnk [2017-02-21]
ShortcutTarget: ok49579048whistling.lnk -> C:\Program Files (x86)\Ingrown\cripes.exe (No File)
Startup: C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\whistling.lnk [2017-02-21]
ShortcutTarget: whistling.lnk -> C:\Program Files (x86)\graebner\upgraded.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-1422503481-2403751381-2859416659-1001\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyEnable: [S-1-5-21-1422503481-2403751381-2859416659-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-1422503481-2403751381-2859416659-1001] => http=127.0.0.1:8877;https=127.0.0.1:8877
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{f2a188ae-4b0e-4a01-bf9a-a0aeb09faf98}: [DhcpNameServer] 75.75.75.75 75.75.76.76
ManualProxies: 1http=127.0.0.1:8877;https=127.0.0.1:8877

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-02-19] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-02-19] (Oracle Corporation)

FireFox:
========
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-02-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-02-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-02-09] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-02-09] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-1422503481-2403751381-2859416659-1001: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2017-02-15] ()

Chrome: 
=======
CHR Profile: C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default [2017-03-12]
CHR Extension: (Adblock Plus) - C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-12-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-12]
CHR Extension: (Chrome Media Router) - C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-11]
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2016-07-30] ()
R2 ASGT; C:\Windows\SysWOW64\ASGT.exe [48640 2016-06-27] () [File not signed]
R2 ASLED; C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ASLED.exe [49664 2016-06-14] (TODO: <Company name>) [File not signed]
R2 ASUS LED Control Service; C:\Program Files (x86)\ASUSTeK Computer Inc\AURA\AsLedService.exe [296240 2016-06-01] (ASUSTek Computer Inc.)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [315472 2015-09-23] (Windows (R) Win 7 DDK provider)
R2 BcmBtRSupport; C:\WINDOWS\system32\BtwRSupportService.exe [2251992 2015-03-27] (Broadcom Corporation.)
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1457160 2016-12-26] ()
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [137480 2016-02-12] (Portrait Displays, Inc.)
S3 Futuremark SystemInfo Service; C:\Program Files (x86)\Futuremark\SystemInfo\FMSISvc.exe [342456 2016-06-21] (Futuremark)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel(R) Corporation)
S3 Intel(R) Security Assist; C:\Program Files (x86)\Intel\Intel(R) Security Assist\isa.exe [335872 2015-05-19] (Intel Corporation) [File not signed]
R2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel(R) Security Assist\isaHelperService.exe [7680 2015-05-19] () [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [223008 2015-06-02] (Intel Corporation)
R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [462784 2017-02-23] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [462784 2017-02-23] (NVIDIA Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [462784 2017-02-09] (NVIDIA Corporation)
R2 NvTelemetryContainer; C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe [425408 2017-02-23] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2122248 2017-02-11] (Electronic Arts)
R2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [2184208 2017-02-11] (Electronic Arts)
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755200 2017-02-16] (qdcomsvc Inc.) [File not signed] <==== ATTENTION
R2 Razer Chroma SDK Service; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe [69744 2016-10-18] (Razer Inc.)
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [189264 2016-09-24] ()
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation)
S2 SetupARService; C:\Program Files (x86)\Realtek\Audio\SetupAfterRebootService.exe [10752 2016-07-29] () [File not signed]
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 WindowService; C:\Users\Aiden\AppData\Local\Temp\WS\WindowService.exe [8192 2017-02-21] () [File not signed] <==== ATTENTION
R2 windowsmanagementservice; C:\Users\Aiden\AppData\Local\Temp\20170222\ct.exe [722432 2017-02-19] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
S3 BstHdAndroidSvc; "C:\Program Files (x86)\BlueStacks\HD-Service.exe" BstHdAndroidSvc Android [X]
S2 BstHdLogRotatorSvc; "C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe" [X]
S3 BstHdPlusAndroidSvc; "C:\Program Files (x86)\BlueStacks\HD-Plus-Service.exe" BstHdPlusAndroidSvc Android [X]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S2 NVIDIA Wireless Controller Service; "C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe" [X]
S2 sleights; C:\WINDOWS\sanguinis.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-09-08] ()
R0 asstahci64; C:\WINDOWS\System32\drivers\asstahci64.sys [88936 2015-06-17] (Asmedia Technology)
R3 bcbtums; C:\WINDOWS\system32\drivers\bcbtums.sys [173312 2015-03-27] (Broadcom Corporation.)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-21] () [File not signed] <==== ATTENTION
R3 e1dexpress; C:\WINDOWS\system32\DRIVERS\e1d65x64.sys [559080 2016-04-19] (Intel Corporation)
R3 IOMap; C:\WINDOWS\system32\drivers\IOMap64.sys [24824 2014-10-23] (ASUSTeK Computer Inc.)
S3 mt7612US; C:\WINDOWS\System32\drivers\mt7612US.sys [377864 2015-12-09] (MediaTek Inc.)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_0cc477a6fec64d8c\nvlddmkm.sys [14516664 2017-02-10] (NVIDIA Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [27584 2017-02-23] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [47672 2017-01-05] (NVIDIA Corporation)
R3 nvvhci; C:\WINDOWS\System32\drivers\nvvhci.sys [57792 2017-02-23] (NVIDIA Corporation)
R3 PXGX112; C:\WINDOWS\system32\drivers\PXGX112.sys [42528 2015-09-09] ( )
R3 rzendpt; C:\WINDOWS\System32\drivers\rzendpt.sys [51736 2016-08-31] (Razer Inc)
R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [44144 2016-09-16] (Razer, Inc.)
R2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [137840 2016-09-07] (Razer, Inc.)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [164992 2016-07-22] (Samsung Electronics Co., Ltd.)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 BstHdDrv; \??\C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [X]
S3 BstkDrv; \??\C:\Program Files (x86)\BlueStacks\BstkDrv.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-12 21:58 - 2017-03-12 21:58 - 00021211 _____ C:\Users\Aiden\Downloads\FRST.txt
2017-03-12 21:58 - 2017-03-12 21:58 - 00000000 ____D C:\FRST
2017-03-12 21:57 - 2017-03-12 21:58 - 02424832 _____ (Farbar) C:\Users\Aiden\Downloads\FRST64.exe
2017-03-12 21:37 - 2017-03-12 21:37 - 00530564 _____ C:\WINDOWS\Minidump\031217-6046-01.dmp
2017-03-12 21:37 - 2017-03-12 21:37 - 00000000 ____D C:\WINDOWS\Minidump
2017-03-12 21:26 - 2017-03-12 21:26 - 00000622 _____ C:\Users\Aiden\Downloads\TakeOwnership.zip
2017-03-12 21:24 - 2017-03-12 21:27 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2017-03-12 21:00 - 2017-03-12 21:49 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2017-03-12 20:59 - 2017-03-12 20:59 - 00000000 ___HD C:\OneDriveTemp
2017-03-12 20:30 - 2017-03-12 20:30 - 57131432 _____ (Malwarebytes ) C:\Users\Aiden\Downloads\mb3-setup-consumer-3.0.6.1469-1075 (2).exe
2017-03-12 20:18 - 2017-03-12 20:19 - 57131432 _____ (Malwarebytes ) C:\Users\Aiden\Downloads\mb3-setup-consumer-3.0.6.1469-1075 (1).exe
2017-03-12 20:15 - 2017-03-12 20:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-12 20:15 - 2017-03-12 20:15 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-12 20:15 - 2017-03-12 20:15 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-12 20:15 - 2017-02-24 06:23 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-03-12 20:14 - 2017-03-12 20:14 - 57131432 _____ (Malwarebytes ) C:\Users\Aiden\Downloads\mb3-setup-consumer-3.0.6.1469-1075.exe
2017-03-12 19:58 - 2017-03-12 19:58 - 00000410 __RSH C:\ProgramData\ntuser.pol
2017-03-12 19:48 - 2017-03-12 19:48 - 00000000 ____D C:\Program Files (x86)\regtool
2017-03-12 19:02 - 2017-03-12 19:02 - 00004308 _____ C:\WINDOWS\System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-03-12 19:02 - 2017-03-12 19:02 - 00003994 _____ C:\WINDOWS\System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-03-12 19:02 - 2017-03-12 19:02 - 00003894 _____ C:\WINDOWS\System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-03-12 19:02 - 2017-03-12 19:02 - 00003866 _____ C:\WINDOWS\System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-03-12 19:02 - 2017-03-12 19:02 - 00003858 _____ C:\WINDOWS\System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-03-12 19:02 - 2017-03-12 19:02 - 00003696 _____ C:\WINDOWS\System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-03-12 19:02 - 2017-03-12 19:02 - 00003654 _____ C:\WINDOWS\System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-03-12 19:02 - 2017-03-12 19:02 - 00001489 _____ C:\Users\Public\Desktop\GeForce Experience.lnk
2017-03-12 19:01 - 2017-03-12 19:01 - 00004166 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{8756843F-4468-4723-BC7C-B1EC426A5B14}
2017-03-12 19:01 - 2017-03-12 19:01 - 00003288 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-02-21 17:12 - 2017-03-12 21:55 - 00000000 ____D C:\Program Files (x86)\svcvmx
2017-02-21 17:12 - 2017-03-12 19:48 - 00000000 ____D C:\Users\Aiden\AppData\Local\llssoft
2017-02-21 17:00 - 2017-03-12 21:36 - 00003866 _____ C:\WINDOWS\System32\Tasks\dc04AF8ULxsXMwQkeNyzID-ni-2017-02-21-ni-99991-ni-1
2017-02-21 17:00 - 2017-03-12 21:33 - 00004408 _____ C:\WINDOWS\System32\Tasks\b20648901
2017-02-21 17:00 - 2017-03-12 21:33 - 00004398 _____ C:\WINDOWS\System32\Tasks\a20648901
2017-02-21 17:00 - 2017-03-12 21:33 - 00003852 _____ C:\WINDOWS\System32\Tasks\29380445
2017-02-21 17:00 - 2017-03-12 21:33 - 00003702 _____ C:\WINDOWS\System32\Tasks\19380445
2017-02-21 17:00 - 2017-03-12 20:59 - 00004016 _____ C:\WINDOWS\System32\Tasks\ab04AF8ULxsXMwQkeNyzID-ni-2017-02-21-ni-99991-ni-1
2017-02-21 17:00 - 2017-03-12 19:48 - 01851904 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-02-21 17:00 - 2017-02-21 17:01 - 00000418 _____ C:\WINDOWS\Tasks\Online Application Updater.job
2017-02-21 17:00 - 2017-02-21 17:01 - 00000372 _____ C:\WINDOWS\Tasks\Online Application v209.job
2017-02-21 17:00 - 2017-02-21 17:01 - 00000372 _____ C:\WINDOWS\Tasks\Online Application v209 Guardian.job
2017-02-21 17:00 - 2017-02-21 17:01 - 00000372 _____ C:\WINDOWS\Tasks\Online Application v209 Guard.job
2017-02-21 17:00 - 2017-02-21 17:01 - 00000362 _____ C:\WINDOWS\Tasks\Online Application v2.job
2017-02-21 17:00 - 2017-02-21 17:01 - 00000362 _____ C:\WINDOWS\Tasks\Online Application v2 Guardian.job
2017-02-21 17:00 - 2017-02-21 17:01 - 00000362 _____ C:\WINDOWS\Tasks\Online Application v2 Guard.job
2017-02-21 17:00 - 2017-02-21 17:00 - 01726240 _____ C:\Users\Aiden\AppData\Local\setupone.exe
2017-02-21 17:00 - 2017-02-21 17:00 - 00006549 _____ C:\WINDOWS\TEMPcoral.vbs
2017-02-21 17:00 - 2017-02-21 17:00 - 00003846 _____ C:\WINDOWS\System32\Tasks\31387561
2017-02-21 17:00 - 2017-02-21 17:00 - 00003722 _____ C:\WINDOWS\System32\Tasks\Online Application Guardian
2017-02-21 17:00 - 2017-02-21 17:00 - 00003716 _____ C:\WINDOWS\System32\Tasks\Online Application Guard
2017-02-21 17:00 - 2017-02-21 17:00 - 00003714 _____ C:\WINDOWS\System32\Tasks\Da3138756131387561
2017-02-21 17:00 - 2017-02-21 17:00 - 00003704 _____ C:\WINDOWS\System32\Tasks\Online Application
2017-02-21 17:00 - 2017-02-21 17:00 - 00003312 _____ C:\WINDOWS\System32\Tasks\Online Application Updater
2017-02-21 17:00 - 2017-02-21 17:00 - 00003278 _____ C:\WINDOWS\System32\Tasks\Online Application v209 Guardian
2017-02-21 17:00 - 2017-02-21 17:00 - 00003272 _____ C:\WINDOWS\System32\Tasks\Online Application v209 Guard
2017-02-21 17:00 - 2017-02-21 17:00 - 00003264 _____ C:\WINDOWS\System32\Tasks\Online Application v2 Guardian
2017-02-21 17:00 - 2017-02-21 17:00 - 00003260 _____ C:\WINDOWS\System32\Tasks\Online Application v209
2017-02-21 17:00 - 2017-02-21 17:00 - 00003258 _____ C:\WINDOWS\System32\Tasks\Online Application v2 Guard
2017-02-21 17:00 - 2017-02-21 17:00 - 00003246 _____ C:\WINDOWS\System32\Tasks\Online Application v2
2017-02-21 17:00 - 2017-02-21 17:00 - 00000055 _____ C:\WINDOWS\key.ini
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Microleaves
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\c
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\ProgramData\1487721636
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Program Files (x86)\resource
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Program Files (x86)\dataup
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\a
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 _____ C:\Users\Aiden\AppData\Local\tr5b.txt
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 _____ C:\Users\Aiden\AppData\Local\stxtname.txt
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 _____ C:\Users\Aiden\AppData\Local\run.txt
2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 _____ C:\Users\Aiden\AppData\Local\aatxtname.txt
2017-02-21 16:59 - 2017-02-21 16:59 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2017-02-21 16:59 - 2017-02-21 16:59 - 00000000 ____D C:\Users\Aiden\AppData\Local\AnonymizerLauncher
2017-02-21 16:59 - 2017-02-21 16:59 - 00000000 ____D C:\Users\Aiden\.proxycheck
2017-02-21 16:59 - 2017-02-21 16:59 - 00000000 ____D C:\Users\Aiden\.AnonymizerLauncher
2017-02-21 16:58 - 2017-02-21 17:04 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\AGData
2017-02-21 16:52 - 2017-02-21 16:52 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Mozilla
2017-02-21 16:52 - 2017-02-21 16:52 - 00000000 ____D C:\Users\Aiden\AppData\Local\Macromedia
2017-02-21 16:51 - 2017-02-21 16:51 - 00000000 ____D C:\ProgramData\BlueStacksSetup
2017-02-21 16:51 - 2016-11-23 06:37 - 00000570 _____ C:\Users\Aiden\AppData\Local\TroubleshooterConfig.json
2017-02-21 16:50 - 2017-02-21 16:50 - 00000000 ____D C:\Users\Aiden\AppData\Local\Bluestacks
2017-02-21 16:49 - 2017-02-14 03:07 - 00000000 ____D C:\ProgramData\BlueStacks
2017-02-21 16:44 - 2017-02-21 16:49 - 335132976 _____ (BlueStack Systems Inc.) C:\Users\Aiden\Downloads\BlueStacks2_native_0ca80f484a7a400ee5f801ca896aedee.exe
2017-02-21 16:37 - 2017-02-21 16:37 - 00006656 _____ (repairmen) C:\Users\Aiden\AppData\Local\ddnow.exe
2017-02-21 15:54 - 2017-02-21 15:54 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys
2017-02-21 02:41 - 2017-02-21 02:41 - 00528896 _____ (baboon) C:\Users\Aiden\AppData\Local\slyness.exe
2017-02-21 02:41 - 2017-02-21 02:41 - 00304128 _____ (windows) C:\WINDOWS\foundations.exe
2017-02-21 02:41 - 2017-02-21 02:41 - 00192000 _____ C:\WINDOWS\dll.dll
2017-02-21 02:41 - 2017-02-21 02:41 - 00041198 _____ C:\WINDOWS\peruse.exe
2017-02-21 02:41 - 2017-02-21 02:41 - 00007680 _____ (corset) C:\WINDOWS\arabist.exe
2017-02-15 22:38 - 2017-02-15 22:38 - 00000000 ____D C:\Users\Aiden\ansel
2017-02-15 22:00 - 2017-02-09 15:39 - 00134592 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvStreaming.exe
2017-02-15 21:58 - 2017-02-09 19:33 - 40192056 _____ C:\WINDOWS\system32\nvcompiler.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 35272760 _____ C:\WINDOWS\SysWOW64\nvcompiler.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 34979384 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvoglv64.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 19007016 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvopencl.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 14674896 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvopencl.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 11122728 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuda.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 11019704 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvptxJitCompiler.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 09305984 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuda.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 08990072 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvptxJitCompiler.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 03168192 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuvid.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 02717752 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuvid.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 01983424 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispco6437866.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 01589696 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispgenco6437866.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00991288 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvFBC.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00959424 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFR64.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00946456 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncMFTH264.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00944224 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncMFThevc.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00910784 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFR.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00721952 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncMFTH264.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00719856 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncMFThevc.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00687224 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvfatbinaryLoader.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00618416 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvmcumd.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00609728 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFROpenGL.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00605120 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvDecMFTMjpeg.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00576192 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvfatbinaryLoader.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00499136 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFROpenGL.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00483384 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvDecMFTMjpeg.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00447984 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncodeAPI.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00047664 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvhdap64.dll
2017-02-15 21:58 - 2017-02-09 19:33 - 00000669 _____ C:\WINDOWS\SysWOW64\nv-vk32.json
2017-02-15 21:58 - 2017-02-09 19:33 - 00000669 _____ C:\WINDOWS\system32\nv-vk64.json

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-12 21:47 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-12 21:42 - 2016-07-29 18:11 - 02125808 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-12 21:37 - 2016-08-04 23:54 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-12 21:37 - 2016-08-04 23:52 - 00000000 ____D C:\Users\Aiden
2017-03-12 21:37 - 2016-08-04 23:51 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-03-12 21:37 - 2016-08-04 23:51 - 00000000 ____D C:\ProgramData\NVIDIA
2017-03-12 21:37 - 2016-07-29 19:09 - 1257101165 _____ C:\WINDOWS\MEMORY.DMP
2017-03-12 21:37 - 2016-07-29 18:09 - 00000000 ___RD C:\Users\Aiden\OneDrive
2017-03-12 21:37 - 2016-07-16 04:45 - 00000000 ____D C:\WINDOWS\INF
2017-03-12 21:26 - 2016-07-16 04:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-12 20:58 - 2016-07-15 23:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-03-12 20:56 - 2016-07-29 18:09 - 00000000 ____D C:\Users\Aiden\AppData\Local\MicrosoftEdge
2017-03-12 20:24 - 2016-07-31 10:59 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Skype
2017-03-12 19:58 - 2015-10-30 00:24 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2017-03-12 19:56 - 2016-07-31 10:59 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-03-12 19:56 - 2016-07-31 10:59 - 00000000 ____D C:\ProgramData\Skype
2017-03-12 19:55 - 2016-07-29 19:48 - 00000000 ____D C:\Program Files (x86)\Steam
2017-03-12 19:02 - 2016-08-04 23:51 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2017-03-12 19:02 - 2016-08-04 23:51 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2017-03-12 19:02 - 2016-08-04 23:51 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2017-03-12 19:01 - 2016-07-29 18:09 - 00002367 _____ C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-03-12 18:58 - 2016-07-16 04:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-02-23 11:35 - 2017-01-12 00:31 - 00057792 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\nvvhci.sys
2017-02-23 11:35 - 2016-10-28 20:29 - 01880512 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspcap64.dll
2017-02-23 11:35 - 2016-10-28 20:29 - 01755072 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspbridge64.dll
2017-02-23 11:35 - 2016-10-28 20:29 - 01468864 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspcap.dll
2017-02-23 11:35 - 2016-10-28 20:29 - 01317312 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspbridge.dll
2017-02-23 11:35 - 2016-10-28 20:29 - 00120256 _____ C:\WINDOWS\system32\NvRtmpStreamer64.dll
2017-02-23 07:32 - 2016-10-28 20:29 - 00001951 _____ C:\WINDOWS\NvContainerRecovery.bat
2017-02-23 07:30 - 2016-12-18 13:22 - 00001951 _____ C:\WINDOWS\NvTelemetryContainerRecovery.bat
2017-02-21 17:22 - 2016-07-29 19:43 - 00000000 ____D C:\Program Files (x86)\Google
2017-02-21 17:08 - 2016-07-29 21:30 - 00000000 ____D C:\Users\Aiden\AppData\Local\CrashDumps
2017-02-21 16:50 - 2016-07-16 04:47 - 00000000 __RHD C:\Users\Public\Libraries
2017-02-19 14:43 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\rescache
2017-02-19 13:40 - 2016-07-29 22:02 - 00000000 ____D C:\ProgramData\Oracle
2017-02-19 13:39 - 2016-07-29 22:06 - 00097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-02-19 13:39 - 2016-07-29 22:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-02-19 13:39 - 2016-07-29 22:02 - 00000000 ____D C:\Program Files (x86)\Java
2017-02-18 22:54 - 2016-12-11 20:45 - 00000000 ____D C:\Users\Aiden\AppData\Local\Ubisoft Game Launcher
2017-02-18 22:29 - 2016-12-11 21:17 - 00281688 _____ C:\WINDOWS\SysWOW64\PnkBstrB.xtr
2017-02-18 21:58 - 2016-12-11 20:45 - 00281688 _____ C:\WINDOWS\SysWOW64\PnkBstrB.ex0
2017-02-18 21:51 - 2016-12-26 22:22 - 00000000 ____D C:\Users\Aiden\AppData\Local\Battle.net
2017-02-18 21:47 - 2016-12-26 22:21 - 00000000 ____D C:\Program Files (x86)\Battle.net
2017-02-15 22:19 - 2016-08-22 21:40 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Origin
2017-02-15 22:01 - 2016-07-29 21:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2017-02-15 22:00 - 2016-12-05 21:18 - 00000000 ____D C:\Program Files (x86)\VulkanRT
2017-02-15 21:57 - 2016-07-30 08:19 - 00000000 ____D C:\Users\Aiden\Desktop\Games
2017-02-15 21:44 - 2016-08-22 21:39 - 00000000 ____D C:\ProgramData\Origin
2017-02-11 20:19 - 2016-08-22 21:39 - 00000000 ____D C:\Program Files (x86)\Origin
2017-02-11 18:37 - 2016-08-04 22:42 - 00000000 ____D C:\Users\Aiden\AppData\Local\ElevatedDiagnostics

==================== Files in the root of some directories =======

2017-02-21 17:00 - 2017-02-21 17:00 - 0000000 _____ () C:\Users\Aiden\AppData\Local\aatxtname.txt
2017-02-21 16:37 - 2017-02-21 16:37 - 0006656 _____ (repairmen) C:\Users\Aiden\AppData\Local\ddnow.exe
2016-07-30 15:00 - 2016-08-01 18:14 - 1065984 _____ () C:\Users\Aiden\AppData\Local\file__0.localstorage
2017-02-21 17:00 - 2017-02-21 17:00 - 0000000 _____ () C:\Users\Aiden\AppData\Local\run.txt
2016-10-04 07:33 - 2016-10-04 07:33 - 0006144 _____ () C:\Users\Aiden\AppData\Local\sc48254972.exe
2016-10-04 07:33 - 2016-10-04 07:33 - 0005632 _____ () C:\Users\Aiden\AppData\Local\sc8254972.exe
2017-02-21 17:00 - 2017-02-21 17:00 - 1726240 _____ () C:\Users\Aiden\AppData\Local\setupone.exe
2017-02-21 02:41 - 2017-02-21 02:41 - 0528896 _____ (baboon) C:\Users\Aiden\AppData\Local\slyness.exe
2017-02-21 17:00 - 2017-02-21 17:00 - 0000000 _____ () C:\Users\Aiden\AppData\Local\stxtname.txt
2017-02-21 17:00 - 2017-02-21 17:00 - 0000000 _____ () C:\Users\Aiden\AppData\Local\tr5b.txt
2017-02-21 16:51 - 2016-11-23 06:37 - 0000570 _____ () C:\Users\Aiden\AppData\Local\TroubleshooterConfig.json
2016-12-18 13:22 - 2017-01-12 00:31 - 0005110 _____ () C:\ProgramData\NvTelemetryContainer.log
2016-12-18 13:22 - 2017-01-12 00:09 - 0005110 _____ () C:\ProgramData\NvTelemetryContainer.log_backup1

Some files in TEMP:
====================
2016-10-28 05:54 - 2016-10-28 05:54 - 0737856 _____ (Oracle Corporation) C:\Users\Aiden\AppData\Local\Temp\jre-8u111-windows-au.exe
2017-02-19 13:39 - 2017-02-19 13:39 - 0739904 _____ (Oracle Corporation) C:\Users\Aiden\AppData\Local\Temp\jre-8u121-windows-au.exe
2016-07-30 20:37 - 2016-12-29 05:43 - 0747464 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\nvSCPAPI.dll
2016-07-30 20:37 - 2016-12-29 05:43 - 0860776 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\nvSCPAPI64.dll
2016-08-16 20:35 - 2016-12-29 05:43 - 0351680 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\nvStInst.exe
2016-10-28 20:29 - 2016-09-29 21:25 - 0950328 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\NvTelemetry.dll
2016-10-28 20:29 - 2017-01-05 18:10 - 0255032 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\NvTelemetryAPI32.dll
2016-10-28 20:29 - 2017-01-05 18:10 - 0335928 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\NvTelemetryAPI64.dll
2016-08-05 10:35 - 2016-08-05 10:35 - 13767776 _____ (Microsoft Corporation) C:\Users\Aiden\AppData\Local\Temp\vsredistsetup.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-12 19:57

==================== End of FRST.txt ============================

Addition.txt

roguekiller.txt

Link to post
Share on other sites

Thanks for those logs, the infection on your system has a protective rootkit, we can only deal  with that from Safemode. Continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Next,

Reboot your computer in Safe Mode. http://www.howtogeek.com/107511/how-to-boot-into-safe-mode-on-windows-8-the-easy-way/

Next,

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Boot your system back to Normal mode, continue with the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin..

 

 

fixlist.txt

Edited by kevinf80
Link to post
Share on other sites

The Malwarebytes parameter is still incorrect, could not start. Some of the malware is still on the computer even though the tool said it was removed.

# AdwCleaner v6.044 - Logfile created 13/03/2017 at 15:33:20
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-13.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : Aiden - AIDENS-DESKTOP
# Running from : C:\Users\Aiden\Downloads\adwcleaner_6.044 (1).exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

[-] Service deleted: windowsmanagementservice
[-] Service deleted: drmkpro64
[-] Service deleted: qdcomsvc


***** [ Folders ] *****

[#] Folder deleted on reboot: C:\Users\Aiden\AppData\Local\llssoft
[#] Folder deleted on reboot: C:\Program Files (x86)\dataup
[#] Folder deleted on reboot: C:\Program Files (x86)\svcvmx


***** [ Files ] *****

[#] File deleted: C:\WINDOWS\SysNative\drivers\drmkpro64.sys
[-] File deleted: C:\WINDOWS\TEMPcoral.vbs


***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
[-] Key deleted: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\windowsmanagementservice
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [cpx]


***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [3536 Bytes] - [12/03/2017 22:57:16]
C:\AdwCleaner\AdwCleaner[C2].txt - [1605 Bytes] - [12/03/2017 23:03:29]
C:\AdwCleaner\AdwCleaner[C3].txt - [1749 Bytes] - [13/03/2017 15:33:20]
C:\AdwCleaner\AdwCleaner[S0].txt - [3252 Bytes] - [12/03/2017 22:54:20]
C:\AdwCleaner\AdwCleaner[S1].txt - [3301 Bytes] - [12/03/2017 22:56:54]
C:\AdwCleaner\AdwCleaner[S2].txt - [1608 Bytes] - [12/03/2017 23:03:17]
C:\AdwCleaner\AdwCleaner[S3].txt - [2149 Bytes] - [13/03/2017 15:32:43]

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [2114 Bytes] ##########

Fixlog.txt

mrt.log

Link to post
Share on other sites

Thanks for the update, boot your system to normal mode and run the following:

1.Download Malwarebytes Anti-Rootkit from this link:

http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe

user posted image

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

user posted image

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

user posted image

7. The following image opens, select Update

user posted image

8. When the update completes select Next.

user posted image

9. In the following window ensure "Targets" are ticked. Then select "Scan"

user posted image

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

user posted image

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.
12. If no threats were found you will see the following image, Select Exit:

user posted image

13. Verify that your system is now running normally, making sure that the following items are functional:
 
  • Internet access
  • Windows Update
  • Windows Firewall


14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log Date and time of scan will also be shown

Thanks,

Kevin...
Link to post
Share on other sites

This has worked from what I can tell! Here are the logs:

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
Database version:
  main:    v2017.03.13.06
  rootkit: v2017.03.11.01
Windows 10 x64 NTFS
Internet Explorer 11.576.14393.0
Aiden :: AIDENS-DESKTOP [administrator]
3/13/2017 3:51:34 PM
mbar-log-2017-03-13 (15-51-34).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 348042
Time elapsed: 8 minute(s), 27 second(s)
Memory Processes Detected: 8
C:\Program Files (x86)\dataup\dataup.exe (Adware.Yelloader) -> 2204 -> Delete on reboot. [474306c3b4f4e84eaab99ddac33e59a7]
C:\Program Files (x86)\svcvmx\svcvmx.exe (Adware.Yelloader) -> 8328 -> Delete on reboot. [216920a94266a98d8c316d0e7a8755ab]
C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 10032 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c]
C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 10128 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c]
C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 6212 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c]
C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 1068 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c]
C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 11200 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c]
C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 13240 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c]
Memory Modules Detected: 18
C:\Program Files (x86)\svcvmx\d3dcompiler_47.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libEGL.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libGLESv2.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\pepflashplayer.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\dataup\help_dll.dll (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
Registry Keys Detected: 12
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Dataup (Adware.Yelloader) -> Delete on reboot. [474306c3b4f4e84eaab99ddac33e59a7]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CHROME.EXE (Adware.DotDo.Generic) -> Delete on reboot. [c5c5a227b8f033033036b9c20df312ee]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CHROME.EXE (Adware.DotDo.Generic) -> Delete on reboot. [c5c5a227b8f033033036b9c20df312ee]
HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C} (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
HKLM\SOFTWARE\CLASSES\NTService.Control.1 (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
HKLM\SOFTWARE\WOW6432NODE\CLASSES\NTService.Control.1 (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
HKLM\SOFTWARE\CLASSES\WOW6432NODE\NTService.Control.1 (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C} (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\drmkpro64 (Rootkit.Agent.PUA) -> Delete on reboot. [fb8f2c9d8127d561099f9a24ff0253ad]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\qdcomsvc (Adware.Yelloader) -> Delete on reboot. [ee9c8d3c06a275c1947e074342bfc43c]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup (Trojan.Clicker) -> Delete on reboot. [5a309b2e693f76c0821eb5c711f0cc34]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE (Trojan.Clicker) -> Delete on reboot. [d8b2b613961276c0732faad2aa57ed13]
Registry Values Detected: 3
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|svcvmx (Adware.Yelloader) -> Data: "C:\Program Files (x86)\svcvmx\svcvmx.exe" -starup -> Delete on reboot. [216920a94266a98d8c316d0e7a8755ab]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DATAUP|ImagePath (Trojan.Clicker) -> Data: C:\Program Files (x86)\dataup\dataup.exe -> Delete on reboot. [6f1bd7f2565293a3d5ca7904659cb24e]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE|ImagePath (Trojan.Clicker) -> Data: C:\Users\Aiden\AppData\Local\Temp\20170222\ct.exe -> Delete on reboot. [d8b2b613961276c0732faad2aa57ed13]
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 3
C:\Program Files (x86)\svcvmx (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\locales (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\dataup (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
Files Detected: 31
C:\WINDOWS\SYSTEM32\drivers\drmkpro64.sys (Rootkit.Agent.PUA) -> Delete on reboot. [50431b88509a5921fb8c6611b9870af3]
C:\Program Files (x86)\dataup\dataup.exe (Adware.Yelloader) -> Delete on reboot. [474306c3b4f4e84eaab99ddac33e59a7]
C:\Program Files (x86)\svcvmx\svcvmx.exe (Adware.Yelloader) -> Delete on reboot. [216920a94266a98d8c316d0e7a8755ab]
C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c]
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Adware.DotDo.Generic) -> Delete on reboot. [c5c5a227b8f033033036b9c20df312ee]
C:\Users\Aiden\AppData\Local\Temp\drmkpro64.sys.dmp (Rootkit.Agent.PUA) -> Delete on reboot. [68228c3d792f9e98c321659d3ec46d93]
C:\Windows\dll.dll (Adware.DotDo) -> Delete on reboot. [1f6bf7d2beea1e18e479199fb24fb24e]
C:\ProgramData\RogueKiller\Quarantine\526CF3CD20F3C55C.vir (Adware.Yelloader) -> Delete on reboot. [e7a3c603ccdc83b3065d6116ba472fd1]
C:\Program Files (x86)\svcvmx\icudtl.dat (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\cef.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\cef_100_percent.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\cef_200_percent.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\cef_extensions.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\d3dcompiler_47.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\debug.log (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libEGL.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\libGLESv2.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\natives_blob.bin (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\pepflashplayer.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\snapshot_blob.bin (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\svcvmx.log (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\widevinecdm.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\widevinecdmadapter.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\locales\en-US.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\svcvmx\locales\zh-CN.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb]
C:\Program Files (x86)\dataup\dataup.ini (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
C:\Program Files (x86)\dataup\help_dll.dll (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
C:\Program Files (x86)\dataup\NTSVC.ocx (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977]
C:\Users\Aiden\AppData\Local\Temp\dataup.zip (Trojan.Clicker) -> Delete on reboot. [5f2b13b6ebbdea4c46b9b9c3a55ceb15]
Physical Sectors Detected: 0
(No malicious items detected)
(end)
 
Success!
Executing an action cmd.exe...
Success!
Executing an action cmd.exe...
Success!
Executing an action cmd.exe...
Success!
Executing an action cmd.exe...
Success!
Executing an action cmd.exe...
Success!
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
Link to post
Share on other sites

Yes a better result with MBAR, can you also post System - log will be saved in the MBAR folder... To ensure there are no remnants of the infection or subsequent secondary infections run the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

This scan is very thorough, allow it will take several hours it is very well worth running...

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Thank you,

Kevin...

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.