Aiden147 Posted March 13, 2017 ID:1108125 Share Posted March 13, 2017 I was infected with malware and cannot get any anti-malware programs to start due to a "The parameter is incorrect" error on all of them. I have gotten Windows defender to run and scan, but it wasn't able to detect and remove all of the malware. Link to post Share on other sites More sharing options...
kevinf80 Posted March 13, 2017 ID:1108171 Share Posted March 13, 2017 Hello Aiden147 and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop:Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. at the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.Change default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties" In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK" Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location..... Next, Follow the instructions in the following link to show hidden files:http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Next, Download and save RogueKiller to your Desktop from this link:https://www.fosshub.com/RogueKiller.html/setup.exe Right click setup.exe and select Run as Administrator to start installing RogueKiller. At the next window Checkmark "Install 32 and 64 bit versions, then select "Next" In the next window skip Licence I.D. and Licence Key, select "Next" In the next window make no changes and select "Next" In the next window leave both "Additional Shortcuts" checkmarked, then select "Next" In the next window make no changes and select "Install" RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish. RogueKiller will launch. Accept UAC, then read and accept "User Agreements" In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes select "Open Report" In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply Let me see those logs... Thank you, Kevin.. Link to post Share on other sites More sharing options...
Aiden147 Posted March 13, 2017 Author ID:1108204 Share Posted March 13, 2017 I could not get to the RogueKiller site from the infected computer, so I used a USB drive to move the installer over and that worked. Something on the computer is causing sites with anything related to anti-malware to have a "no internet connection" error. I tried removing some of the malware with RogueKiller and manually but each says I need administrative permission when I am the admin. Here are the logs: Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-03-2017 Ran by Aiden (administrator) on AIDENS-DESKTOP (12-03-2017 21:58:29) Running from C:\Users\Aiden\Downloads Loaded Profiles: Aiden (Available Profiles: Aiden & aiden_ra2lhlm) Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States) Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe" -- "%1") Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe () C:\Windows\SysWOW64\ASGT.exe (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUSTeK Computer Inc\AURA\AsLedService.exe () C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe (TODO: <Company name>) C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ASLED.exe (Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe () C:\Program Files (x86)\Intel\Intel(R) Security Assist\isaHelperService.exe (Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe (Electronic Arts) C:\Program Files (x86)\Origin\OriginWebHelperService.exe () C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe (Razer Inc.) C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe (Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe () C:\Users\Aiden\AppData\Local\Temp\WS\WindowService.exe (Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe (Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe (TODO: <Company name>) C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ledcontrolservice.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.11.109.0_x64__kzf8qxf38zg5c\SkypeHost.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe (TODO: <Company name>) C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ledcontrolservice.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe (Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvsphelper64.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe (Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe (Portrait Displays, Inc) C:\Program Files (x86)\BenQ\Display Pilot\dthtml.exe (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Portrait Displays Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\HookManager.exe () C:\Program Files (x86)\svcvmx\svcvmx.exe (Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe (Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdiSDKHelper.exe () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper.exe () C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\DP\DPHelper64.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe (ct Corp.) C:\Users\Aiden\AppData\Local\Temp\20170222\ct.exe (splsrv Corp.) C:\Windows\SysWOW64\splsrv.exe () C:\Program Files (x86)\dataup\dataup.exe (Microsoft Corporation) C:\Windows\System32\InstallAgent.exe (Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe () C:\Program Files (x86)\svcvmx\vmxclient.exe () C:\Program Files (x86)\svcvmx\vmxclient.exe (Microsoft Corporation) C:\Windows\System32\smartscreen.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe () C:\Program Files (x86)\svcvmx\vmxclient.exe () C:\Program Files (x86)\svcvmx\vmxclient.exe () C:\Users\Aiden\AppData\Local\Temp\WS\WindowService.exe () C:\Program Files (x86)\svcvmx\vmxclient.exe ==================== Registry (Whitelisted) ==================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8822016 2016-06-02] (Realtek Semiconductor) HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-06] (Microsoft Corporation) HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch HKLM\...\Run: [ShadowPlay] => "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart HKLM\...\Run: [Malwarebytes TrayApp] => "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe" HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [DT BEN] => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [121096 2016-02-12] (Portrait Displays, Inc.) HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation) HKLM-x32\...\Run: [cutoauto] => "C:\Program Files (x86)\graebner\grub.exe" HKLM-x32\...\Run: [toys] => "C:\Program Files (x86)\graebner\upgraded.exe" HKLM-x32\...\Run: [interpee] => "C:\Program Files (x86)\Ingrown\cripes.exe" HKLM-x32\...\Run: [autoauto] => "C:\Program Files (x86)\graebner\upgraded.exe" HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] () HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8891608 2016-07-13] (Piriform Ltd) HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2881824 2017-01-18] (Valve Corporation) HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [rutoauto] => "C:\Program Files (x86)\graebner\upgraded.exe" HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [dutoauto] => "C:\Program Files (x86)\graebner\grub.exe" HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [toys] => "C:\Program Files (x86)\graebner\upgraded.exe" HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [interpee] => "C:\Program Files (x86)\Ingrown\cripes.exe" HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [ok49579048] => "C:\Program Files (x86)\graebner\grub.exe" HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [deuces] => C:\Program Files (x86)\resource\deuces.exe [40345 2017-02-21] () HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [domenick] => "C:\Program Files (x86)\graebner\upgraded.exe" HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [psychomotor] => C:\Program Files (x86)\resource\snatchers.exe [522752 2017-02-21] (skye) HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\Run: [reflecting] => "C:\Program Files (x86)\Ingrown\cripes.exe" HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\...\RunOnce: [Uninstall C:\Users\Aiden\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Aiden\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_1\amd64" HKU\S-1-5-18\...\Run: [] => [X] HKU\S-1-5-18\...\RunOnce: [Application Restart #0] => C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ledcontrolservice.exe [2111488 2016-06-06] (TODO: <Company name>) HKU\S-1-5-18\...\RunOnce: [Application Restart #2] => C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ledcontrolservice.exe [2111488 2016-06-06] (TODO: <Company name>) Startup: C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok49579048.lnk [2017-02-21] ShortcutTarget: ok49579048.lnk -> C:\Program Files (x86)\graebner\upgraded.exe (No File) Startup: C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok49579048whistling.lnk [2017-02-21] ShortcutTarget: ok49579048whistling.lnk -> C:\Program Files (x86)\Ingrown\cripes.exe (No File) Startup: C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\whistling.lnk [2017-02-21] ShortcutTarget: whistling.lnk -> C:\Program Files (x86)\graebner\upgraded.exe (No File) GroupPolicy: Restriction <======= ATTENTION GroupPolicyUsers\S-1-5-21-1422503481-2403751381-2859416659-1001\User: Restriction <======= ATTENTION ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings) ProxyEnable: [HKLM] => Proxy is enabled. ProxyEnable: [HKLM-x32] => Proxy is enabled. ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877 ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877 AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877 ProxyEnable: [S-1-5-21-1422503481-2403751381-2859416659-1001] => Proxy is enabled. ProxyServer: [S-1-5-21-1422503481-2403751381-2859416659-1001] => http=127.0.0.1:8877;https=127.0.0.1:8877 Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 Tcpip\..\Interfaces\{f2a188ae-4b0e-4a01-bf9a-a0aeb09faf98}: [DhcpNameServer] 75.75.75.75 75.75.76.76 ManualProxies: 1http=127.0.0.1:8877;https=127.0.0.1:8877 Internet Explorer: ================== HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION HKU\S-1-5-21-1422503481-2403751381-2859416659-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-02-19] (Oracle Corporation) BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-02-19] (Oracle Corporation) FireFox: ======== FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation) FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation) FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-02-19] (Oracle Corporation) FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-02-19] (Oracle Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation) FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-02-09] (NVIDIA Corporation) FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-02-09] (NVIDIA Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File] FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [No File] FF Plugin HKU\S-1-5-21-1422503481-2403751381-2859416659-1001: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2017-02-15] () Chrome: ======= CHR Profile: C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default [2017-03-12] CHR Extension: (Adblock Plus) - C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-12-06] CHR Extension: (Chrome Web Store Payments) - C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-12] CHR Extension: (Chrome Media Router) - C:\Users\Aiden\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-11] StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe ==================== Services (Whitelisted) ==================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2016-07-30] () R2 ASGT; C:\Windows\SysWOW64\ASGT.exe [48640 2016-06-27] () [File not signed] R2 ASLED; C:\Program Files (x86)\ASUS\AURA(GRAPHICS CARD)\ASLED.exe [49664 2016-06-14] (TODO: <Company name>) [File not signed] R2 ASUS LED Control Service; C:\Program Files (x86)\ASUSTeK Computer Inc\AURA\AsLedService.exe [296240 2016-06-01] (ASUSTek Computer Inc.) R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [315472 2015-09-23] (Windows (R) Win 7 DDK provider) R2 BcmBtRSupport; C:\WINDOWS\system32\BtwRSupportService.exe [2251992 2015-03-27] (Broadcom Corporation.) S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1457160 2016-12-26] () R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [137480 2016-02-12] (Portrait Displays, Inc.) S3 Futuremark SystemInfo Service; C:\Program Files (x86)\Futuremark\SystemInfo\FMSISvc.exe [342456 2016-06-21] (Futuremark) S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel(R) Corporation) S3 Intel(R) Security Assist; C:\Program Files (x86)\Intel\Intel(R) Security Assist\isa.exe [335872 2015-05-19] (Intel Corporation) [File not signed] R2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel(R) Security Assist\isaHelperService.exe [7680 2015-05-19] () [File not signed] R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [223008 2015-06-02] (Intel Corporation) R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [462784 2017-02-23] (NVIDIA Corporation) S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [462784 2017-02-23] (NVIDIA Corporation) R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [462784 2017-02-09] (NVIDIA Corporation) R2 NvTelemetryContainer; C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe [425408 2017-02-23] (NVIDIA Corporation) S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2122248 2017-02-11] (Electronic Arts) R2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [2184208 2017-02-11] (Electronic Arts) R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755200 2017-02-16] (qdcomsvc Inc.) [File not signed] <==== ATTENTION R2 Razer Chroma SDK Service; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe [69744 2016-10-18] (Razer Inc.) R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [189264 2016-09-24] () S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation) S2 SetupARService; C:\Program Files (x86)\Realtek\Audio\SetupAfterRebootService.exe [10752 2016-07-29] () [File not signed] R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation) R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation) R2 WindowService; C:\Users\Aiden\AppData\Local\Temp\WS\WindowService.exe [8192 2017-02-21] () [File not signed] <==== ATTENTION R2 windowsmanagementservice; C:\Users\Aiden\AppData\Local\Temp\20170222\ct.exe [722432 2017-02-19] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION S3 BstHdAndroidSvc; "C:\Program Files (x86)\BlueStacks\HD-Service.exe" BstHdAndroidSvc Android [X] S2 BstHdLogRotatorSvc; "C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe" [X] S3 BstHdPlusAndroidSvc; "C:\Program Files (x86)\BlueStacks\HD-Plus-Service.exe" BstHdPlusAndroidSvc Android [X] S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X] S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X] S2 NVIDIA Wireless Controller Service; "C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe" [X] S2 sleights; C:\WINDOWS\sanguinis.exe [X] ===================== Drivers (Whitelisted) ====================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-09-08] () R0 asstahci64; C:\WINDOWS\System32\drivers\asstahci64.sys [88936 2015-06-17] (Asmedia Technology) R3 bcbtums; C:\WINDOWS\system32\drivers\bcbtums.sys [173312 2015-03-27] (Broadcom Corporation.) S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.) R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-21] () [File not signed] <==== ATTENTION R3 e1dexpress; C:\WINDOWS\system32\DRIVERS\e1d65x64.sys [559080 2016-04-19] (Intel Corporation) R3 IOMap; C:\WINDOWS\system32\drivers\IOMap64.sys [24824 2014-10-23] (ASUSTeK Computer Inc.) S3 mt7612US; C:\WINDOWS\System32\drivers\mt7612US.sys [377864 2015-12-09] (MediaTek Inc.) S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] () R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_0cc477a6fec64d8c\nvlddmkm.sys [14516664 2017-02-10] (NVIDIA Corporation) S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [27584 2017-02-23] (NVIDIA Corporation) R3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [47672 2017-01-05] (NVIDIA Corporation) R3 nvvhci; C:\WINDOWS\System32\drivers\nvvhci.sys [57792 2017-02-23] (NVIDIA Corporation) R3 PXGX112; C:\WINDOWS\system32\drivers\PXGX112.sys [42528 2015-09-09] ( ) R3 rzendpt; C:\WINDOWS\System32\drivers\rzendpt.sys [51736 2016-08-31] (Razer Inc) R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [44144 2016-09-16] (Razer, Inc.) R2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [137840 2016-09-07] (Razer, Inc.) S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [164992 2016-07-22] (Samsung Electronics Co., Ltd.) S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation) R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation) R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation) S3 BstHdDrv; \??\C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [X] S3 BstkDrv; \??\C:\Program Files (x86)\BlueStacks\BstkDrv.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2017-03-12 21:58 - 2017-03-12 21:58 - 00021211 _____ C:\Users\Aiden\Downloads\FRST.txt 2017-03-12 21:58 - 2017-03-12 21:58 - 00000000 ____D C:\FRST 2017-03-12 21:57 - 2017-03-12 21:58 - 02424832 _____ (Farbar) C:\Users\Aiden\Downloads\FRST64.exe 2017-03-12 21:37 - 2017-03-12 21:37 - 00530564 _____ C:\WINDOWS\Minidump\031217-6046-01.dmp 2017-03-12 21:37 - 2017-03-12 21:37 - 00000000 ____D C:\WINDOWS\Minidump 2017-03-12 21:26 - 2017-03-12 21:26 - 00000622 _____ C:\Users\Aiden\Downloads\TakeOwnership.zip 2017-03-12 21:24 - 2017-03-12 21:27 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware 2017-03-12 21:00 - 2017-03-12 21:49 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys 2017-03-12 20:59 - 2017-03-12 20:59 - 00000000 ___HD C:\OneDriveTemp 2017-03-12 20:30 - 2017-03-12 20:30 - 57131432 _____ (Malwarebytes ) C:\Users\Aiden\Downloads\mb3-setup-consumer-3.0.6.1469-1075 (2).exe 2017-03-12 20:18 - 2017-03-12 20:19 - 57131432 _____ (Malwarebytes ) C:\Users\Aiden\Downloads\mb3-setup-consumer-3.0.6.1469-1075 (1).exe 2017-03-12 20:15 - 2017-03-12 20:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes 2017-03-12 20:15 - 2017-03-12 20:15 - 00000000 ____D C:\ProgramData\Malwarebytes 2017-03-12 20:15 - 2017-03-12 20:15 - 00000000 ____D C:\Program Files\Malwarebytes 2017-03-12 20:15 - 2017-02-24 06:23 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys 2017-03-12 20:14 - 2017-03-12 20:14 - 57131432 _____ (Malwarebytes ) C:\Users\Aiden\Downloads\mb3-setup-consumer-3.0.6.1469-1075.exe 2017-03-12 19:58 - 2017-03-12 19:58 - 00000410 __RSH C:\ProgramData\ntuser.pol 2017-03-12 19:48 - 2017-03-12 19:48 - 00000000 ____D C:\Program Files (x86)\regtool 2017-03-12 19:02 - 2017-03-12 19:02 - 00004308 _____ C:\WINDOWS\System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} 2017-03-12 19:02 - 2017-03-12 19:02 - 00003994 _____ C:\WINDOWS\System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} 2017-03-12 19:02 - 2017-03-12 19:02 - 00003894 _____ C:\WINDOWS\System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} 2017-03-12 19:02 - 2017-03-12 19:02 - 00003866 _____ C:\WINDOWS\System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} 2017-03-12 19:02 - 2017-03-12 19:02 - 00003858 _____ C:\WINDOWS\System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} 2017-03-12 19:02 - 2017-03-12 19:02 - 00003696 _____ C:\WINDOWS\System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} 2017-03-12 19:02 - 2017-03-12 19:02 - 00003654 _____ C:\WINDOWS\System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} 2017-03-12 19:02 - 2017-03-12 19:02 - 00001489 _____ C:\Users\Public\Desktop\GeForce Experience.lnk 2017-03-12 19:01 - 2017-03-12 19:01 - 00004166 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{8756843F-4468-4723-BC7C-B1EC426A5B14} 2017-03-12 19:01 - 2017-03-12 19:01 - 00003288 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2 2017-02-21 17:12 - 2017-03-12 21:55 - 00000000 ____D C:\Program Files (x86)\svcvmx 2017-02-21 17:12 - 2017-03-12 19:48 - 00000000 ____D C:\Users\Aiden\AppData\Local\llssoft 2017-02-21 17:00 - 2017-03-12 21:36 - 00003866 _____ C:\WINDOWS\System32\Tasks\dc04AF8ULxsXMwQkeNyzID-ni-2017-02-21-ni-99991-ni-1 2017-02-21 17:00 - 2017-03-12 21:33 - 00004408 _____ C:\WINDOWS\System32\Tasks\b20648901 2017-02-21 17:00 - 2017-03-12 21:33 - 00004398 _____ C:\WINDOWS\System32\Tasks\a20648901 2017-02-21 17:00 - 2017-03-12 21:33 - 00003852 _____ C:\WINDOWS\System32\Tasks\29380445 2017-02-21 17:00 - 2017-03-12 21:33 - 00003702 _____ C:\WINDOWS\System32\Tasks\19380445 2017-02-21 17:00 - 2017-03-12 20:59 - 00004016 _____ C:\WINDOWS\System32\Tasks\ab04AF8ULxsXMwQkeNyzID-ni-2017-02-21-ni-99991-ni-1 2017-02-21 17:00 - 2017-03-12 19:48 - 01851904 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe 2017-02-21 17:00 - 2017-02-21 17:01 - 00000418 _____ C:\WINDOWS\Tasks\Online Application Updater.job 2017-02-21 17:00 - 2017-02-21 17:01 - 00000372 _____ C:\WINDOWS\Tasks\Online Application v209.job 2017-02-21 17:00 - 2017-02-21 17:01 - 00000372 _____ C:\WINDOWS\Tasks\Online Application v209 Guardian.job 2017-02-21 17:00 - 2017-02-21 17:01 - 00000372 _____ C:\WINDOWS\Tasks\Online Application v209 Guard.job 2017-02-21 17:00 - 2017-02-21 17:01 - 00000362 _____ C:\WINDOWS\Tasks\Online Application v2.job 2017-02-21 17:00 - 2017-02-21 17:01 - 00000362 _____ C:\WINDOWS\Tasks\Online Application v2 Guardian.job 2017-02-21 17:00 - 2017-02-21 17:01 - 00000362 _____ C:\WINDOWS\Tasks\Online Application v2 Guard.job 2017-02-21 17:00 - 2017-02-21 17:00 - 01726240 _____ C:\Users\Aiden\AppData\Local\setupone.exe 2017-02-21 17:00 - 2017-02-21 17:00 - 00006549 _____ C:\WINDOWS\TEMPcoral.vbs 2017-02-21 17:00 - 2017-02-21 17:00 - 00003846 _____ C:\WINDOWS\System32\Tasks\31387561 2017-02-21 17:00 - 2017-02-21 17:00 - 00003722 _____ C:\WINDOWS\System32\Tasks\Online Application Guardian 2017-02-21 17:00 - 2017-02-21 17:00 - 00003716 _____ C:\WINDOWS\System32\Tasks\Online Application Guard 2017-02-21 17:00 - 2017-02-21 17:00 - 00003714 _____ C:\WINDOWS\System32\Tasks\Da3138756131387561 2017-02-21 17:00 - 2017-02-21 17:00 - 00003704 _____ C:\WINDOWS\System32\Tasks\Online Application 2017-02-21 17:00 - 2017-02-21 17:00 - 00003312 _____ C:\WINDOWS\System32\Tasks\Online Application Updater 2017-02-21 17:00 - 2017-02-21 17:00 - 00003278 _____ C:\WINDOWS\System32\Tasks\Online Application v209 Guardian 2017-02-21 17:00 - 2017-02-21 17:00 - 00003272 _____ C:\WINDOWS\System32\Tasks\Online Application v209 Guard 2017-02-21 17:00 - 2017-02-21 17:00 - 00003264 _____ C:\WINDOWS\System32\Tasks\Online Application v2 Guardian 2017-02-21 17:00 - 2017-02-21 17:00 - 00003260 _____ C:\WINDOWS\System32\Tasks\Online Application v209 2017-02-21 17:00 - 2017-02-21 17:00 - 00003258 _____ C:\WINDOWS\System32\Tasks\Online Application v2 Guard 2017-02-21 17:00 - 2017-02-21 17:00 - 00003246 _____ C:\WINDOWS\System32\Tasks\Online Application v2 2017-02-21 17:00 - 2017-02-21 17:00 - 00000055 _____ C:\WINDOWS\key.ini 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Microleaves 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\c 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\ProgramData\1487721636 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Program Files (x86)\resource 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Program Files (x86)\qdcomsvc 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\Program Files (x86)\dataup 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 ____D C:\a 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 _____ C:\Users\Aiden\AppData\Local\tr5b.txt 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 _____ C:\Users\Aiden\AppData\Local\stxtname.txt 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 _____ C:\Users\Aiden\AppData\Local\run.txt 2017-02-21 17:00 - 2017-02-21 17:00 - 00000000 _____ C:\Users\Aiden\AppData\Local\aatxtname.txt 2017-02-21 16:59 - 2017-02-21 16:59 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget 2017-02-21 16:59 - 2017-02-21 16:59 - 00000000 ____D C:\Users\Aiden\AppData\Local\AnonymizerLauncher 2017-02-21 16:59 - 2017-02-21 16:59 - 00000000 ____D C:\Users\Aiden\.proxycheck 2017-02-21 16:59 - 2017-02-21 16:59 - 00000000 ____D C:\Users\Aiden\.AnonymizerLauncher 2017-02-21 16:58 - 2017-02-21 17:04 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\AGData 2017-02-21 16:52 - 2017-02-21 16:52 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Mozilla 2017-02-21 16:52 - 2017-02-21 16:52 - 00000000 ____D C:\Users\Aiden\AppData\Local\Macromedia 2017-02-21 16:51 - 2017-02-21 16:51 - 00000000 ____D C:\ProgramData\BlueStacksSetup 2017-02-21 16:51 - 2016-11-23 06:37 - 00000570 _____ C:\Users\Aiden\AppData\Local\TroubleshooterConfig.json 2017-02-21 16:50 - 2017-02-21 16:50 - 00000000 ____D C:\Users\Aiden\AppData\Local\Bluestacks 2017-02-21 16:49 - 2017-02-14 03:07 - 00000000 ____D C:\ProgramData\BlueStacks 2017-02-21 16:44 - 2017-02-21 16:49 - 335132976 _____ (BlueStack Systems Inc.) C:\Users\Aiden\Downloads\BlueStacks2_native_0ca80f484a7a400ee5f801ca896aedee.exe 2017-02-21 16:37 - 2017-02-21 16:37 - 00006656 _____ (repairmen) C:\Users\Aiden\AppData\Local\ddnow.exe 2017-02-21 15:54 - 2017-02-21 15:54 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys 2017-02-21 02:41 - 2017-02-21 02:41 - 00528896 _____ (baboon) C:\Users\Aiden\AppData\Local\slyness.exe 2017-02-21 02:41 - 2017-02-21 02:41 - 00304128 _____ (windows) C:\WINDOWS\foundations.exe 2017-02-21 02:41 - 2017-02-21 02:41 - 00192000 _____ C:\WINDOWS\dll.dll 2017-02-21 02:41 - 2017-02-21 02:41 - 00041198 _____ C:\WINDOWS\peruse.exe 2017-02-21 02:41 - 2017-02-21 02:41 - 00007680 _____ (corset) C:\WINDOWS\arabist.exe 2017-02-15 22:38 - 2017-02-15 22:38 - 00000000 ____D C:\Users\Aiden\ansel 2017-02-15 22:00 - 2017-02-09 15:39 - 00134592 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvStreaming.exe 2017-02-15 21:58 - 2017-02-09 19:33 - 40192056 _____ C:\WINDOWS\system32\nvcompiler.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 35272760 _____ C:\WINDOWS\SysWOW64\nvcompiler.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 34979384 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvoglv64.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 19007016 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvopencl.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 14674896 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvopencl.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 11122728 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuda.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 11019704 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvptxJitCompiler.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 09305984 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuda.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 08990072 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvptxJitCompiler.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 03168192 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuvid.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 02717752 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuvid.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 01983424 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispco6437866.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 01589696 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispgenco6437866.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00991288 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvFBC.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00959424 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFR64.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00946456 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncMFTH264.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00944224 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncMFThevc.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00910784 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFR.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00721952 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncMFTH264.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00719856 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncMFThevc.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00687224 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvfatbinaryLoader.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00618416 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvmcumd.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00609728 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFROpenGL.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00605120 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvDecMFTMjpeg.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00576192 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvfatbinaryLoader.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00499136 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFROpenGL.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00483384 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvDecMFTMjpeg.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00447984 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncodeAPI.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00047664 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvhdap64.dll 2017-02-15 21:58 - 2017-02-09 19:33 - 00000669 _____ C:\WINDOWS\SysWOW64\nv-vk32.json 2017-02-15 21:58 - 2017-02-09 19:33 - 00000669 _____ C:\WINDOWS\system32\nv-vk64.json ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2017-03-12 21:47 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\AppReadiness 2017-03-12 21:42 - 2016-07-29 18:11 - 02125808 _____ C:\WINDOWS\system32\PerfStringBackup.INI 2017-03-12 21:37 - 2016-08-04 23:54 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT 2017-03-12 21:37 - 2016-08-04 23:52 - 00000000 ____D C:\Users\Aiden 2017-03-12 21:37 - 2016-08-04 23:51 - 00000000 ____D C:\WINDOWS\system32\SleepStudy 2017-03-12 21:37 - 2016-08-04 23:51 - 00000000 ____D C:\ProgramData\NVIDIA 2017-03-12 21:37 - 2016-07-29 19:09 - 1257101165 _____ C:\WINDOWS\MEMORY.DMP 2017-03-12 21:37 - 2016-07-29 18:09 - 00000000 ___RD C:\Users\Aiden\OneDrive 2017-03-12 21:37 - 2016-07-16 04:45 - 00000000 ____D C:\WINDOWS\INF 2017-03-12 21:26 - 2016-07-16 04:47 - 00000000 ___HD C:\Program Files\WindowsApps 2017-03-12 20:58 - 2016-07-15 23:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI 2017-03-12 20:56 - 2016-07-29 18:09 - 00000000 ____D C:\Users\Aiden\AppData\Local\MicrosoftEdge 2017-03-12 20:24 - 2016-07-31 10:59 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Skype 2017-03-12 19:58 - 2015-10-30 00:24 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy 2017-03-12 19:56 - 2016-07-31 10:59 - 00000000 ___RD C:\Program Files (x86)\Skype 2017-03-12 19:56 - 2016-07-31 10:59 - 00000000 ____D C:\ProgramData\Skype 2017-03-12 19:55 - 2016-07-29 19:48 - 00000000 ____D C:\Program Files (x86)\Steam 2017-03-12 19:02 - 2016-08-04 23:51 - 00000000 ____D C:\ProgramData\NVIDIA Corporation 2017-03-12 19:02 - 2016-08-04 23:51 - 00000000 ____D C:\Program Files\NVIDIA Corporation 2017-03-12 19:02 - 2016-08-04 23:51 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation 2017-03-12 19:01 - 2016-07-29 18:09 - 00002367 _____ C:\Users\Aiden\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk 2017-03-12 18:58 - 2016-07-16 04:36 - 00000000 ____D C:\WINDOWS\CbsTemp 2017-02-23 11:35 - 2017-01-12 00:31 - 00057792 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\nvvhci.sys 2017-02-23 11:35 - 2016-10-28 20:29 - 01880512 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspcap64.dll 2017-02-23 11:35 - 2016-10-28 20:29 - 01755072 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspbridge64.dll 2017-02-23 11:35 - 2016-10-28 20:29 - 01468864 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspcap.dll 2017-02-23 11:35 - 2016-10-28 20:29 - 01317312 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspbridge.dll 2017-02-23 11:35 - 2016-10-28 20:29 - 00120256 _____ C:\WINDOWS\system32\NvRtmpStreamer64.dll 2017-02-23 07:32 - 2016-10-28 20:29 - 00001951 _____ C:\WINDOWS\NvContainerRecovery.bat 2017-02-23 07:30 - 2016-12-18 13:22 - 00001951 _____ C:\WINDOWS\NvTelemetryContainerRecovery.bat 2017-02-21 17:22 - 2016-07-29 19:43 - 00000000 ____D C:\Program Files (x86)\Google 2017-02-21 17:08 - 2016-07-29 21:30 - 00000000 ____D C:\Users\Aiden\AppData\Local\CrashDumps 2017-02-21 16:50 - 2016-07-16 04:47 - 00000000 __RHD C:\Users\Public\Libraries 2017-02-19 14:43 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\rescache 2017-02-19 13:40 - 2016-07-29 22:02 - 00000000 ____D C:\ProgramData\Oracle 2017-02-19 13:39 - 2016-07-29 22:06 - 00097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll 2017-02-19 13:39 - 2016-07-29 22:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java 2017-02-19 13:39 - 2016-07-29 22:02 - 00000000 ____D C:\Program Files (x86)\Java 2017-02-18 22:54 - 2016-12-11 20:45 - 00000000 ____D C:\Users\Aiden\AppData\Local\Ubisoft Game Launcher 2017-02-18 22:29 - 2016-12-11 21:17 - 00281688 _____ C:\WINDOWS\SysWOW64\PnkBstrB.xtr 2017-02-18 21:58 - 2016-12-11 20:45 - 00281688 _____ C:\WINDOWS\SysWOW64\PnkBstrB.ex0 2017-02-18 21:51 - 2016-12-26 22:22 - 00000000 ____D C:\Users\Aiden\AppData\Local\Battle.net 2017-02-18 21:47 - 2016-12-26 22:21 - 00000000 ____D C:\Program Files (x86)\Battle.net 2017-02-15 22:19 - 2016-08-22 21:40 - 00000000 ____D C:\Users\Aiden\AppData\Roaming\Origin 2017-02-15 22:01 - 2016-07-29 21:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation 2017-02-15 22:00 - 2016-12-05 21:18 - 00000000 ____D C:\Program Files (x86)\VulkanRT 2017-02-15 21:57 - 2016-07-30 08:19 - 00000000 ____D C:\Users\Aiden\Desktop\Games 2017-02-15 21:44 - 2016-08-22 21:39 - 00000000 ____D C:\ProgramData\Origin 2017-02-11 20:19 - 2016-08-22 21:39 - 00000000 ____D C:\Program Files (x86)\Origin 2017-02-11 18:37 - 2016-08-04 22:42 - 00000000 ____D C:\Users\Aiden\AppData\Local\ElevatedDiagnostics ==================== Files in the root of some directories ======= 2017-02-21 17:00 - 2017-02-21 17:00 - 0000000 _____ () C:\Users\Aiden\AppData\Local\aatxtname.txt 2017-02-21 16:37 - 2017-02-21 16:37 - 0006656 _____ (repairmen) C:\Users\Aiden\AppData\Local\ddnow.exe 2016-07-30 15:00 - 2016-08-01 18:14 - 1065984 _____ () C:\Users\Aiden\AppData\Local\file__0.localstorage 2017-02-21 17:00 - 2017-02-21 17:00 - 0000000 _____ () C:\Users\Aiden\AppData\Local\run.txt 2016-10-04 07:33 - 2016-10-04 07:33 - 0006144 _____ () C:\Users\Aiden\AppData\Local\sc48254972.exe 2016-10-04 07:33 - 2016-10-04 07:33 - 0005632 _____ () C:\Users\Aiden\AppData\Local\sc8254972.exe 2017-02-21 17:00 - 2017-02-21 17:00 - 1726240 _____ () C:\Users\Aiden\AppData\Local\setupone.exe 2017-02-21 02:41 - 2017-02-21 02:41 - 0528896 _____ (baboon) C:\Users\Aiden\AppData\Local\slyness.exe 2017-02-21 17:00 - 2017-02-21 17:00 - 0000000 _____ () C:\Users\Aiden\AppData\Local\stxtname.txt 2017-02-21 17:00 - 2017-02-21 17:00 - 0000000 _____ () C:\Users\Aiden\AppData\Local\tr5b.txt 2017-02-21 16:51 - 2016-11-23 06:37 - 0000570 _____ () C:\Users\Aiden\AppData\Local\TroubleshooterConfig.json 2016-12-18 13:22 - 2017-01-12 00:31 - 0005110 _____ () C:\ProgramData\NvTelemetryContainer.log 2016-12-18 13:22 - 2017-01-12 00:09 - 0005110 _____ () C:\ProgramData\NvTelemetryContainer.log_backup1 Some files in TEMP: ==================== 2016-10-28 05:54 - 2016-10-28 05:54 - 0737856 _____ (Oracle Corporation) C:\Users\Aiden\AppData\Local\Temp\jre-8u111-windows-au.exe 2017-02-19 13:39 - 2017-02-19 13:39 - 0739904 _____ (Oracle Corporation) C:\Users\Aiden\AppData\Local\Temp\jre-8u121-windows-au.exe 2016-07-30 20:37 - 2016-12-29 05:43 - 0747464 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\nvSCPAPI.dll 2016-07-30 20:37 - 2016-12-29 05:43 - 0860776 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\nvSCPAPI64.dll 2016-08-16 20:35 - 2016-12-29 05:43 - 0351680 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\nvStInst.exe 2016-10-28 20:29 - 2016-09-29 21:25 - 0950328 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\NvTelemetry.dll 2016-10-28 20:29 - 2017-01-05 18:10 - 0255032 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\NvTelemetryAPI32.dll 2016-10-28 20:29 - 2017-01-05 18:10 - 0335928 _____ (NVIDIA Corporation) C:\Users\Aiden\AppData\Local\Temp\NvTelemetryAPI64.dll 2016-08-05 10:35 - 2016-08-05 10:35 - 13767776 _____ (Microsoft Corporation) C:\Users\Aiden\AppData\Local\Temp\vsredistsetup.exe ==================== Bamital & volsnap ====================== (There is no automatic fix for files that do not pass verification.) C:\WINDOWS\system32\winlogon.exe => File is digitally signed C:\WINDOWS\system32\wininit.exe => File is digitally signed C:\WINDOWS\explorer.exe => File is digitally signed C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed C:\WINDOWS\system32\svchost.exe => File is digitally signed C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed C:\WINDOWS\system32\services.exe => File is digitally signed C:\WINDOWS\system32\User32.dll => File is digitally signed C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed C:\WINDOWS\system32\userinit.exe => File is digitally signed C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed C:\WINDOWS\system32\rpcss.dll => File is digitally signed C:\WINDOWS\system32\dnsapi.dll => File is digitally signed C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2017-03-12 19:57 ==================== End of FRST.txt ============================ Addition.txt roguekiller.txt Link to post Share on other sites More sharing options...
kevinf80 Posted March 13, 2017 ID:1108235 Share Posted March 13, 2017 (edited) Thanks for those logs, the infection on your system has a protective rootkit, we can only deal with that from Safemode. Continue with the following: Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Next, Reboot your computer in Safe Mode. http://www.howtogeek.com/107511/how-to-boot-into-safe-mode-on-windows-8-the-easy-way/ Next, Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Boot your system back to Normal mode, continue with the following: Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply... Next, Download AdwCleaner by Xplode onto your Desktop. Double click on Adwcleaner.exe to run the tool. Click on the Scan in the Actions box Please wait fot the scan to finish.. When "Waiting for action.Please uncheck elements you want to keep" shows in top line.. Click on the Cleaning box. Next click OK on the "Closing Programs" pop up box. Click OK on the Information box & again OK to allow the necessary reboot After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed... Next, Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop Ensure to get the correct version for your system.... 32 Bit version:https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en 64 Bit version:https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:notepad c:\windows\debug\mrt.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply, also tell me if there are any remaining issues or concerns... Thank you, Kevin.. fixlist.txt Edited March 13, 2017 by kevinf80 Link to post Share on other sites More sharing options...
Aiden147 Posted March 13, 2017 Author ID:1108368 Share Posted March 13, 2017 The Malwarebytes parameter is still incorrect, could not start. Some of the malware is still on the computer even though the tool said it was removed. # AdwCleaner v6.044 - Logfile created 13/03/2017 at 15:33:20 # Updated on 28/02/2017 by Malwarebytes # Database : 2017-03-13.1 [Server] # Operating System : Windows 10 Pro (X64) # Username : Aiden - AIDENS-DESKTOP # Running from : C:\Users\Aiden\Downloads\adwcleaner_6.044 (1).exe # Mode: Clean # Support : https://www.malwarebytes.com/support ***** [ Services ] ***** [-] Service deleted: windowsmanagementservice [-] Service deleted: drmkpro64 [-] Service deleted: qdcomsvc ***** [ Folders ] ***** [#] Folder deleted on reboot: C:\Users\Aiden\AppData\Local\llssoft [#] Folder deleted on reboot: C:\Program Files (x86)\dataup [#] Folder deleted on reboot: C:\Program Files (x86)\svcvmx ***** [ Files ] ***** [#] File deleted: C:\WINDOWS\SysNative\drivers\drmkpro64.sys [-] File deleted: C:\WINDOWS\TEMPcoral.vbs ***** [ DLL ] ***** ***** [ WMI ] ***** ***** [ Shortcuts ] ***** ***** [ Scheduled Tasks ] ***** ***** [ Registry ] ***** [-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup [-] Key deleted: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup [-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\windowsmanagementservice [-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C} [-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [cpx] ***** [ Web browsers ] ***** ************************* :: "Tracing" keys deleted :: Winsock settings cleared ************************* C:\AdwCleaner\AdwCleaner[C0].txt - [3536 Bytes] - [12/03/2017 22:57:16] C:\AdwCleaner\AdwCleaner[C2].txt - [1605 Bytes] - [12/03/2017 23:03:29] C:\AdwCleaner\AdwCleaner[C3].txt - [1749 Bytes] - [13/03/2017 15:33:20] C:\AdwCleaner\AdwCleaner[S0].txt - [3252 Bytes] - [12/03/2017 22:54:20] C:\AdwCleaner\AdwCleaner[S1].txt - [3301 Bytes] - [12/03/2017 22:56:54] C:\AdwCleaner\AdwCleaner[S2].txt - [1608 Bytes] - [12/03/2017 23:03:17] C:\AdwCleaner\AdwCleaner[S3].txt - [2149 Bytes] - [13/03/2017 15:32:43] ########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [2114 Bytes] ########## Fixlog.txt mrt.log Link to post Share on other sites More sharing options...
kevinf80 Posted March 13, 2017 ID:1108373 Share Posted March 13, 2017 Thanks for the update, boot your system to normal mode and run the following: 1.Download Malwarebytes Anti-Rootkit from this link:http://www.malwarebytes.org/products/mbar/ 2. Unzip the File to a convenient location. (Recommend the Desktop) 3. Open the folder where the contents were unzipped to run mbar.exe 4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image: 5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.) 6. The following image opens, select Next. 7. The following image opens, select Update 8. When the update completes select Next. 9. In the following window ensure "Targets" are ticked. Then select "Scan" 10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed. 11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process. 12. If no threats were found you will see the following image, Select Exit: 13. Verify that your system is now running normally, making sure that the following items are functional: Internet access Windows Update Windows Firewall 14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder. 15. Select "Y" from your Keyboard, tap Enter. 16. The fix will be applied, select any key to Exit. 17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:System - logMbar - log Date and time of scan will also be shown Thanks, Kevin... Link to post Share on other sites More sharing options...
Aiden147 Posted March 13, 2017 Author ID:1108379 Share Posted March 13, 2017 This has worked from what I can tell! Here are the logs: Malwarebytes Anti-Rootkit BETA 1.9.3.1001 www.malwarebytes.org Database version: main: v2017.03.13.06 rootkit: v2017.03.11.01 Windows 10 x64 NTFS Internet Explorer 11.576.14393.0 Aiden :: AIDENS-DESKTOP [administrator] 3/13/2017 3:51:34 PM mbar-log-2017-03-13 (15-51-34).txt Scan type: Quick scan Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken Scan options disabled: Objects scanned: 348042 Time elapsed: 8 minute(s), 27 second(s) Memory Processes Detected: 8 C:\Program Files (x86)\dataup\dataup.exe (Adware.Yelloader) -> 2204 -> Delete on reboot. [474306c3b4f4e84eaab99ddac33e59a7] C:\Program Files (x86)\svcvmx\svcvmx.exe (Adware.Yelloader) -> 8328 -> Delete on reboot. [216920a94266a98d8c316d0e7a8755ab] C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 10032 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c] C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 10128 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c] C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 6212 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c] C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 1068 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c] C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 11200 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c] C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> 13240 -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c] Memory Modules Detected: 18 C:\Program Files (x86)\svcvmx\d3dcompiler_47.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libEGL.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libGLESv2.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\pepflashplayer.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\dataup\help_dll.dll (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] Registry Keys Detected: 12 HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Dataup (Adware.Yelloader) -> Delete on reboot. [474306c3b4f4e84eaab99ddac33e59a7] HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CHROME.EXE (Adware.DotDo.Generic) -> Delete on reboot. [c5c5a227b8f033033036b9c20df312ee] HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CHROME.EXE (Adware.DotDo.Generic) -> Delete on reboot. [c5c5a227b8f033033036b9c20df312ee] HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C} (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] HKLM\SOFTWARE\CLASSES\NTService.Control.1 (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] HKLM\SOFTWARE\WOW6432NODE\CLASSES\NTService.Control.1 (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] HKLM\SOFTWARE\CLASSES\WOW6432NODE\NTService.Control.1 (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C} (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\drmkpro64 (Rootkit.Agent.PUA) -> Delete on reboot. [fb8f2c9d8127d561099f9a24ff0253ad] HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\qdcomsvc (Adware.Yelloader) -> Delete on reboot. [ee9c8d3c06a275c1947e074342bfc43c] HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup (Trojan.Clicker) -> Delete on reboot. [5a309b2e693f76c0821eb5c711f0cc34] HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE (Trojan.Clicker) -> Delete on reboot. [d8b2b613961276c0732faad2aa57ed13] Registry Values Detected: 3 HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|svcvmx (Adware.Yelloader) -> Data: "C:\Program Files (x86)\svcvmx\svcvmx.exe" -starup -> Delete on reboot. [216920a94266a98d8c316d0e7a8755ab] HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DATAUP|ImagePath (Trojan.Clicker) -> Data: C:\Program Files (x86)\dataup\dataup.exe -> Delete on reboot. [6f1bd7f2565293a3d5ca7904659cb24e] HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE|ImagePath (Trojan.Clicker) -> Data: C:\Users\Aiden\AppData\Local\Temp\20170222\ct.exe -> Delete on reboot. [d8b2b613961276c0732faad2aa57ed13] Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 3 C:\Program Files (x86)\svcvmx (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\locales (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\dataup (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] Files Detected: 31 C:\WINDOWS\SYSTEM32\drivers\drmkpro64.sys (Rootkit.Agent.PUA) -> Delete on reboot. [50431b88509a5921fb8c6611b9870af3] C:\Program Files (x86)\dataup\dataup.exe (Adware.Yelloader) -> Delete on reboot. [474306c3b4f4e84eaab99ddac33e59a7] C:\Program Files (x86)\svcvmx\svcvmx.exe (Adware.Yelloader) -> Delete on reboot. [216920a94266a98d8c316d0e7a8755ab] C:\Program Files (x86)\svcvmx\vmxclient.exe (Adware.Yelloader) -> Delete on reboot. [0783cdfc288087af5e0af78039c8c43c] C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Adware.DotDo.Generic) -> Delete on reboot. [c5c5a227b8f033033036b9c20df312ee] C:\Users\Aiden\AppData\Local\Temp\drmkpro64.sys.dmp (Rootkit.Agent.PUA) -> Delete on reboot. [68228c3d792f9e98c321659d3ec46d93] C:\Windows\dll.dll (Adware.DotDo) -> Delete on reboot. [1f6bf7d2beea1e18e479199fb24fb24e] C:\ProgramData\RogueKiller\Quarantine\526CF3CD20F3C55C.vir (Adware.Yelloader) -> Delete on reboot. [e7a3c603ccdc83b3065d6116ba472fd1] C:\Program Files (x86)\svcvmx\icudtl.dat (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\cef.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\cef_100_percent.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\cef_200_percent.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\cef_extensions.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\d3dcompiler_47.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\dbghelp.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\debug.log (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libcef.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libEGL.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\libGLESv2.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\natives_blob.bin (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\pepflashplayer.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\snapshot_blob.bin (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\svcvmx.log (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\widevinecdm.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\widevinecdmadapter.dll (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\locales\en-US.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\svcvmx\locales\zh-CN.pak (Trojan.Clicker.E.Generic) -> Delete on reboot. [b9d14c7d9117979f265c371afa0605fb] C:\Program Files (x86)\dataup\dataup.ini (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] C:\Program Files (x86)\dataup\help_dll.dll (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] C:\Program Files (x86)\dataup\NTSVC.ocx (Trojan.Clicker) -> Delete on reboot. [b8d253762b7df04619884b3129d88977] C:\Users\Aiden\AppData\Local\Temp\dataup.zip (Trojan.Clicker) -> Delete on reboot. [5f2b13b6ebbdea4c46b9b9c3a55ceb15] Physical Sectors Detected: 0 (No malicious items detected) (end) Success! Executing an action cmd.exe... Success! Executing an action cmd.exe... Success! Executing an action cmd.exe... Success! Executing an action cmd.exe... Success! Executing an action cmd.exe... Success! Removal scheduling successful. System shutdown needed. System shutdown occurred ======================================= Link to post Share on other sites More sharing options...
kevinf80 Posted March 13, 2017 ID:1108382 Share Posted March 13, 2017 Yes a better result with MBAR, can you also post System - log will be saved in the MBAR folder... To ensure there are no remnants of the infection or subsequent secondary infections run the following: Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply... Next, This scan is very thorough, allow it will take several hours it is very well worth running... Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours... Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows The Windows registry All local hard drives, fixed and removable Mapped network drives are not scanned. Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan. Thank you, Kevin... Link to post Share on other sites More sharing options...
Aiden147 Posted March 14, 2017 Author ID:1108395 Share Posted March 14, 2017 I completed the scan using Malwarebytes, restarted my PC, and am now unable to sign into Windows with any account. It now logs me in with the TEMP account. Link to post Share on other sites More sharing options...
kevinf80 Posted March 14, 2017 ID:1108458 Share Posted March 14, 2017 Do you mean your password is not recognized...? if so go here: https://account.live.com/password/reset follow instructions to reset your password Link to post Share on other sites More sharing options...
kevinf80 Posted March 18, 2017 ID:1109641 Share Posted March 18, 2017 Any progress....? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 23, 2017 Root Admin ID:1110904 Share Posted March 23, 2017 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts