Rootkit probable


  • This topic is locked
7 replies to this topic

#1 zenmonkey


Posted 06 February 2014 - 10:30 PM

I am unable to run DDS as I am on 8.1 64bit. Is there an equivalent?

 

Here is a HijackThis log:

 

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 9:31:33 PM, on 2/6/2014
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.16384)
 
 
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Users\Steve\Downloads\Ninite 7Zip Avast Classic Start Dropbox Essentials Installer.exe
C:\Users\Steve\AppData\Local\Temp\54c66d0a-8fa6-11e3-8255-bc5ff461860d\Ninite.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Steve\Downloads\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\DllHost.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/?type=599486&fr=spigot-yhp-ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: avast! Online Security - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Startup: Dropbox.lnk = Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\Windows\SysWOW64\urlmon.dll
O18 - Protocol hijack: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC}
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\SysWOW64\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\SysWOW64\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\SysWOW64\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\SysWOW64\urlmon.dll
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\SysWOW64\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\Windows\SysWOW64\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%SystemRoot%\system32\wlms\wlms.exe,-1 (WLMS) - Unknown owner - C:\Windows\system32\wlms\wlms.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 9736 bytes

Edited by zenmonkey, 06 February 2014 - 10:32 PM.



#2 aharonov

  • Malware Response Team

Posted 07 February 2014 - 04:10 AM

Hi there,

please run a FRST scan instead:


Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.


#3 zenmonkey

  • Topic Starter

Posted 07 February 2014 - 09:53 PM

I am currently sitting with no drives plugged in, as this thing has killed the file systems on two of my drives. Kon-Boot shows a dummy BIOS. Even after flashing the BIOS and clearing CMOS it comes back. If I load even Hiren's XP or GParted in RAM it starts a ton of background processes... even with no network cord in. Please tell me where to start... I'm relegated to posting this on my phone. If I install Win8 on a brand new partition with no hiddens it updates and kills any security. TDSS shows nothing. GMER showed activity as it scanned, then crashes the desktop to a blue screen. I would really appreciate assistance here. It seems to behave like BadBIOS or something that many say doesn't exist... but I can at least run boot c_d.

Edited by zenmonkey, 07 February 2014 - 09:54 PM.


#4 zenmonkey

  • Topic Starter

Posted 07 February 2014 - 09:56 PM

...boot CDs. However, Kaspersky and Bitdefender show nothing, as this thing overshadows anything I do. Anyway, I am gracious for any suggestions.

#5 zenmonkey

  • Topic Starter

Posted 07 February 2014 - 10:28 PM

I do believe it manifests in USB, as I unplug any and it hangs up. I'm sitting at a GParted screen and it is cycling parcellite, krfcmmd, obex-data-serv, and gconfd-2 in the top processes. I know no Linux, but Googling them seems to suggest they are not normal tasks used? I will take off my tin foil hat and defer to any experts now... plugging in any USB device sets it going!

#6 zenmonkey

  • Topic Starter

Posted 08 February 2014 - 04:41 PM

Craziness aside, I formatted an SSD, reinstalled Windows 8, and here's where I am at with the FRST:

 

FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-02-2014
Ran by Steve (administrator) on HOME-PC on 08-02-2014 15:39:19
Running from C:\Users\Steve\Desktop
Windows 8.1 Enterprise Evaluation (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) C:\Windows\System32\wlms\wlms.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(Malwarebytes Corp.) D:\mbar-1.07.0.1009.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Malwarebytes Corporation) C:\Users\Steve\Desktop\mbar\mbar.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
() D:\AdwCleaner.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(NVIDIA Corporation) C:\Users\Steve\Downloads\332.21-desktop-win8-win7-winvista-64bit-english-whql.exe
(NVIDIA Corporation) C:\NVIDIA\DisplayDriver\332.21\Win8_WinVista_Win7_64\English\setup.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwe\livecomm.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
(The Chromium Authors) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/?type=599486&fr=spigot-yhp-ie
Hosts: 127.0.0.1 localhost
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
==================== Services (Whitelisted) =================
 
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
R2 WLMS; C:\Windows\system32\wlms\wlms.exe [22016 2013-08-22] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S0 ADP80XX; C:\Windows\System32\drivers\ADP80XX.SYS [782176 2013-08-22] (PMC-Sierra)
S3 bcmfn2; C:\Windows\System32\drivers\bcmfn2.sys [17624 2013-08-12] (Windows ® Win 7 DDK provider)
S3 iaLPSSi_GPIO; C:\Windows\System32\drivers\iaLPSSi_GPIO.sys [24568 2013-07-30] (Intel Corporation)
S3 iaLPSSi_I2C; C:\Windows\System32\drivers\iaLPSSi_I2C.sys [99320 2013-07-25] (Intel Corporation)
S0 iaStorAV; C:\Windows\System32\drivers\iaStorAV.sys [651248 2013-08-09] (Intel Corporation)
R0 intelpep; C:\Windows\System32\drivers\intelpep.sys [39776 2013-08-22] (Microsoft Corporation)
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [47008 2013-07-30] ()
S3 kbldfltr; C:\Windows\System32\drivers\kbldfltr.sys [22272 2013-08-22] (Microsoft Corporation)
S0 LSI_SAS3; C:\Windows\System32\drivers\lsi_sas3.sys [81760 2013-08-22] (LSI Corporation)
R3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [91352 2014-02-08] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119000 2014-02-08] (Malwarebytes Corporation)
R3 NdisVirtualBus; C:\Windows\System32\drivers\NdisVirtualBus.sys [16384 2013-08-22] (Microsoft Corporation)
S3 netvsc; C:\Windows\system32\DRIVERS\netvsc63.sys [87040 2013-08-22] (Microsoft Corporation)
S3 ReFS; C:\Windows\System32\Drivers\ReFS.sys [924512 2013-08-22] (Microsoft Corporation)
S3 SerCx2; C:\Windows\System32\drivers\SerCx2.sys [146272 2013-08-22] (Microsoft Corporation)
S0 stornvme; C:\Windows\System32\drivers\stornvme.sys [56672 2013-08-22] (Microsoft Corporation)
S3 UEFI; C:\Windows\System32\drivers\UEFI.sys [26976 2013-08-22] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-02-08 15:39 - 2014-02-08 15:39 - 00006474 _____ () C:\Users\Steve\Desktop\FRST.txt
2014-02-08 15:39 - 2014-02-08 15:39 - 00000000 ____D () C:\FRST
2014-02-08 15:37 - 2014-02-08 15:37 - 02079744 _____ (Farbar) C:\Users\Steve\Desktop\FRST64.exe
2014-02-08 15:35 - 2014-02-08 15:35 - 00000000 ____D () C:\ProgramData\NVIDIA Corporation
2014-02-08 15:35 - 2014-02-08 15:35 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-02-08 15:35 - 2014-02-08 15:35 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation
2014-02-08 15:35 - 2014-02-08 15:35 - 00000000 ____D () C:\Program Files (x86)\AGEIA Technologies
2014-02-08 15:35 - 2013-12-19 14:33 - 30372640 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 25257248 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 22960416 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 18310112 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 18222008 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 17560352 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 15877216 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 15230352 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 12645664 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2014-02-08 15:35 - 2013-12-19 14:33 - 11605752 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 11554264 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 09700224 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 09657464 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 03132704 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 03125024 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvenc.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 03071656 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 02947872 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 02747680 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 02698272 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 01884448 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6433221.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 01511712 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6433221.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 01436528 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 01242400 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00882464 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00879392 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00852768 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00847648 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00479520 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00405280 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00357152 _____ () C:\Windows\system32\NvIFROpenGL.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00317472 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00314656 _____ () C:\Windows\SysWOW64\NvIFROpenGL.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00266984 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00168616 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00141336 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2014-02-08 15:35 - 2013-12-19 14:33 - 00023754 _____ () C:\Windows\system32\nvinfo.pb
2014-02-08 15:35 - 2013-12-19 12:53 - 06671648 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2014-02-08 15:35 - 2013-12-19 12:53 - 03490080 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll
2014-02-08 15:35 - 2013-12-19 12:53 - 00922912 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
2014-02-08 15:35 - 2013-12-19 12:53 - 00386336 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2014-02-08 15:35 - 2013-12-19 12:53 - 00063776 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2014-02-08 15:35 - 2013-12-18 23:01 - 03539040 _____ () C:\Windows\system32\nvcoproc.bin
2014-02-08 15:34 - 2014-02-08 15:35 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2014-02-08 15:33 - 2014-02-08 15:33 - 00000000 ____D () C:\NVIDIA
2014-02-08 15:30 - 2014-02-08 15:33 - 217714560 _____ (NVIDIA Corporation) C:\Users\Steve\Downloads\332.21-desktop-win8-win7-winvista-64bit-english-whql.exe
2014-02-08 15:30 - 2014-02-08 15:30 - 00002314 _____ () C:\Users\Steve\Desktop\Chromium.lnk
2014-02-08 15:30 - 2014-02-08 15:30 - 00000000 ____D () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium
2014-02-08 15:30 - 2014-02-08 15:30 - 00000000 ____D () C:\Users\Steve\AppData\Local\Chromium
2014-02-08 15:28 - 2014-02-08 15:29 - 00000000 ____D () C:\AdwCleaner
2014-02-08 15:28 - 2014-02-08 15:28 - 00000000 ____D () C:\Users\Steve\AppData\Local\Google
2014-02-08 15:25 - 2014-02-08 15:25 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-02-08 15:25 - 2014-02-08 15:25 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-02-08 15:25 - 2014-02-08 15:25 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-02-08 15:25 - 2014-02-08 15:25 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-08 15:24 - 2014-02-08 15:35 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-251672677-1544237046-1052005705-1001
2014-02-08 15:24 - 2014-02-08 15:25 - 00000000 ____D () C:\Users\Steve\Desktop\mbar
2014-02-08 15:24 - 2014-02-08 15:24 - 00001221 _____ () C:\Users\Steve\Desktop\RKreport[0]_SC_02082014_152406.txt
2014-02-08 15:23 - 2014-02-08 15:38 - 00818732 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-08 15:23 - 2014-02-08 15:23 - 00001483 _____ () C:\Users\Steve\Desktop\RKreport[0]_D_02082014_152335.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00001434 _____ () C:\Users\Steve\Desktop\RKreport[0]_S_02082014_152328.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00001221 _____ () C:\Users\Steve\Desktop\RKreport[0]_SC_02082014_152354.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00000829 _____ () C:\Users\Steve\Desktop\RKreport[0]_H_02082014_152340.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00000767 _____ () C:\Users\Steve\Desktop\RKreport[0]_PR_02082014_152344.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00000731 _____ () C:\Users\Steve\Desktop\RKreport[0]_DN_02082014_152347.txt
2014-02-08 15:22 - 2014-02-08 15:24 - 00000000 ____D () C:\Users\Steve\Desktop\RK_Quarantine
2014-02-08 15:20 - 2014-02-08 15:20 - 00000408 __RSH () C:\ProgramData\ntuser.pol
2014-02-08 15:18 - 2014-02-08 15:19 - 00000000 ____D () C:\Windows\LastGood
2014-02-08 15:18 - 2014-02-08 15:18 - 00000000 ____D () C:\Users\Steve\AppData\Roaming\Macromedia
2014-02-08 15:17 - 2014-02-08 15:17 - 00000000 ____D () C:\Windows\LastGood.Tmp
2014-02-08 15:17 - 2014-02-08 15:17 - 00000000 ____D () C:\Program Files\Intel
2014-02-08 15:17 - 2014-02-08 15:17 - 00000000 ____D () C:\Program Files (x86)\Intel
2014-02-08 15:17 - 2014-02-08 15:17 - 00000000 ____D () C:\Intel
2014-02-08 15:17 - 2013-12-21 00:02 - 00064000 _____ (Khronos Group) C:\Windows\system32\OpenCL.DLL
2014-02-08 15:17 - 2013-12-21 00:02 - 00060416 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.DLL
2014-02-08 15:16 - 2014-02-08 15:16 - 00003922 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{21387F8E-F8DA-46C9-8BF0-769148B2EE14}
2014-02-08 15:15 - 2014-02-08 15:15 - 00001524 _____ () C:\Windows\DPINST.LOG
2014-02-08 15:15 - 2014-02-08 15:15 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-02-08 15:15 - 2014-02-08 15:15 - 00000000 ____D () C:\Program Files (x86)\Realtek
2014-02-08 15:15 - 2014-02-08 15:15 - 00000000 ____D () C:\Program Files (x86)\ASM106xSATA
2014-02-08 15:15 - 2011-08-23 07:57 - 00565352 _____ (Realtek ) C:\Windows\system32\Drivers\Rt64win7.sys
2014-02-08 15:15 - 2011-08-23 07:57 - 00107552 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst64.dll
2014-02-08 15:15 - 2011-08-23 07:57 - 00074272 _____ () C:\Windows\system32\RtNicProp64.dll
2014-02-08 15:13 - 2014-02-08 15:29 - 00000000 __RDO () C:\Users\Steve\SkyDrive
2014-02-08 15:12 - 2014-02-08 15:18 - 00000000 ____D () C:\Users\Steve
2014-02-08 15:12 - 2014-02-08 15:12 - 00001442 _____ () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-08 15:12 - 2014-02-08 15:12 - 00000020 ___SH () C:\Users\Steve\ntuser.ini
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ___RD () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ___RD () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ____D () C:\Users\Steve\AppData\Roaming\Adobe
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ____D () C:\Users\Steve\AppData\Local\VirtualStore
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ____D () C:\Users\Steve\AppData\Local\Packages
2014-02-08 15:12 - 2013-08-22 09:36 - 00000000 ___RD () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-02-08 15:12 - 2013-08-22 09:36 - 00000000 ___RD () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-02-08 15:12 - 2013-08-22 09:36 - 00000000 ___RD () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2014-02-08 15:12 - 2013-08-22 09:36 - 00000000 ____D () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-02-08 15:11 - 2014-02-08 15:38 - 01551716 _____ () C:\Windows\WindowsUpdate.log
2014-02-08 15:11 - 2014-02-08 15:11 - 00000000 ____D () C:\Windows\CSC
2014-02-08 15:11 - 2013-08-21 23:17 - 02407936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
 
==================== One Month Modified Files and Folders =======
 
2014-02-08 15:39 - 2014-02-08 15:39 - 00006474 _____ () C:\Users\Steve\Desktop\FRST.txt
2014-02-08 15:39 - 2014-02-08 15:39 - 00000000 ____D () C:\FRST
2014-02-08 15:38 - 2014-02-08 15:23 - 00818732 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-08 15:38 - 2014-02-08 15:11 - 01551716 _____ () C:\Windows\WindowsUpdate.log
2014-02-08 15:37 - 2014-02-08 15:37 - 02079744 _____ (Farbar) C:\Users\Steve\Desktop\FRST64.exe
2014-02-08 15:37 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\AppReadiness
2014-02-08 15:36 - 2013-08-22 08:46 - 00009805 _____ () C:\Windows\setupact.log
2014-02-08 15:35 - 2014-02-08 15:35 - 00000000 ____D () C:\ProgramData\NVIDIA Corporation
2014-02-08 15:35 - 2014-02-08 15:35 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-02-08 15:35 - 2014-02-08 15:35 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation
2014-02-08 15:35 - 2014-02-08 15:35 - 00000000 ____D () C:\Program Files (x86)\AGEIA Technologies
2014-02-08 15:35 - 2014-02-08 15:34 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2014-02-08 15:35 - 2014-02-08 15:24 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-251672677-1544237046-1052005705-1001
2014-02-08 15:35 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\Help
2014-02-08 15:33 - 2014-02-08 15:33 - 00000000 ____D () C:\NVIDIA
2014-02-08 15:33 - 2014-02-08 15:30 - 217714560 _____ (NVIDIA Corporation) C:\Users\Steve\Downloads\332.21-desktop-win8-win7-winvista-64bit-english-whql.exe
2014-02-08 15:30 - 2014-02-08 15:30 - 00002314 _____ () C:\Users\Steve\Desktop\Chromium.lnk
2014-02-08 15:30 - 2014-02-08 15:30 - 00000000 ____D () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium
2014-02-08 15:30 - 2014-02-08 15:30 - 00000000 ____D () C:\Users\Steve\AppData\Local\Chromium
2014-02-08 15:29 - 2014-02-08 15:28 - 00000000 ____D () C:\AdwCleaner
2014-02-08 15:29 - 2014-02-08 15:13 - 00000000 __RDO () C:\Users\Steve\SkyDrive
2014-02-08 15:28 - 2014-02-08 15:28 - 00000000 ____D () C:\Users\Steve\AppData\Local\Google
2014-02-08 15:27 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\NDF
2014-02-08 15:25 - 2014-02-08 15:25 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-02-08 15:25 - 2014-02-08 15:25 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-02-08 15:25 - 2014-02-08 15:25 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-02-08 15:25 - 2014-02-08 15:25 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-08 15:25 - 2014-02-08 15:24 - 00000000 ____D () C:\Users\Steve\Desktop\mbar
2014-02-08 15:24 - 2014-02-08 15:24 - 00001221 _____ () C:\Users\Steve\Desktop\RKreport[0]_SC_02082014_152406.txt
2014-02-08 15:24 - 2014-02-08 15:22 - 00000000 ____D () C:\Users\Steve\Desktop\RK_Quarantine
2014-02-08 15:23 - 2014-02-08 15:23 - 00001483 _____ () C:\Users\Steve\Desktop\RKreport[0]_D_02082014_152335.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00001434 _____ () C:\Users\Steve\Desktop\RKreport[0]_S_02082014_152328.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00001221 _____ () C:\Users\Steve\Desktop\RKreport[0]_SC_02082014_152354.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00000829 _____ () C:\Users\Steve\Desktop\RKreport[0]_H_02082014_152340.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00000767 _____ () C:\Users\Steve\Desktop\RKreport[0]_PR_02082014_152344.txt
2014-02-08 15:23 - 2014-02-08 15:23 - 00000731 _____ () C:\Users\Steve\Desktop\RKreport[0]_DN_02082014_152347.txt
2014-02-08 15:20 - 2014-02-08 15:20 - 00000408 __RSH () C:\ProgramData\ntuser.pol
2014-02-08 15:20 - 2013-08-22 09:36 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-02-08 15:19 - 2014-02-08 15:18 - 00000000 ____D () C:\Windows\LastGood
2014-02-08 15:19 - 2013-08-22 08:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-08 15:18 - 2014-02-08 15:18 - 00000000 ____D () C:\Users\Steve\AppData\Roaming\Macromedia
2014-02-08 15:18 - 2014-02-08 15:12 - 00000000 ____D () C:\Users\Steve
2014-02-08 15:17 - 2014-02-08 15:17 - 00000000 ____D () C:\Windows\LastGood.Tmp
2014-02-08 15:17 - 2014-02-08 15:17 - 00000000 ____D () C:\Program Files\Intel
2014-02-08 15:17 - 2014-02-08 15:17 - 00000000 ____D () C:\Program Files (x86)\Intel
2014-02-08 15:17 - 2014-02-08 15:17 - 00000000 ____D () C:\Intel
2014-02-08 15:16 - 2014-02-08 15:16 - 00003922 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{21387F8E-F8DA-46C9-8BF0-769148B2EE14}
2014-02-08 15:15 - 2014-02-08 15:15 - 00001524 _____ () C:\Windows\DPINST.LOG
2014-02-08 15:15 - 2014-02-08 15:15 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-02-08 15:15 - 2014-02-08 15:15 - 00000000 ____D () C:\Program Files (x86)\Realtek
2014-02-08 15:15 - 2014-02-08 15:15 - 00000000 ____D () C:\Program Files (x86)\ASM106xSATA
2014-02-08 15:15 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\restore
2014-02-08 15:12 - 2014-02-08 15:12 - 00001442 _____ () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-02-08 15:12 - 2014-02-08 15:12 - 00000020 ___SH () C:\Users\Steve\ntuser.ini
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ___RD () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ___RD () C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ____D () C:\Users\Steve\AppData\Roaming\Adobe
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ____D () C:\Users\Steve\AppData\Local\VirtualStore
2014-02-08 15:12 - 2014-02-08 15:12 - 00000000 ____D () C:\Users\Steve\AppData\Local\Packages
2014-02-08 15:12 - 2013-08-22 09:36 - 00000000 ___RD () C:\Windows\ImmersiveControlPanel
2014-02-08 15:12 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\WinStore
2014-02-08 15:12 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\FileManager
2014-02-08 15:12 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\Camera
2014-02-08 15:12 - 2013-08-22 04:28 - 00000000 ____D () C:\Windows\Panther
2014-02-08 15:11 - 2014-02-08 15:11 - 00000000 ____D () C:\Windows\CSC
2014-02-08 15:11 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\sru
 
Some content of TEMP:
====================
C:\Users\Steve\AppData\Local\Temp\ntdll_dump.dll
C:\Users\Steve\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe
[2013-08-22 03:01] - [2013-08-22 06:39] - 2328880 ____A (Microsoft Corporation) 8479DC46E9A09015C0777A16BC22A15D
 
C:\Windows\SysWOW64\explorer.exe
[2013-08-21 20:06] - [2013-08-21 23:25] - 2063408 ____A (Microsoft Corporation) 2CA8E3C9335C3C8BAEB335345E48364D
 
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-08-22 03:28
 
==================== End Of Log ============================
 
 
Addition.txt:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-02-2014
Ran by Steve at 2014-02-08 15:39:33
Running from C:\Users\Steve\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
Asmedia ASM106x SATA Host Controller Driver (x32 Version: 1.3.1.000 - Asmedia Technology)
Chromium (HKCU Version: 31.0.1632.0 - Chromium)
NVIDIA Control Panel 332.21 (Version: 332.21 - NVIDIA Corporation) Hidden
NVIDIA Graphics Driver 332.21 (Version: 332.21 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.142.992 - NVIDIA Corporation) Hidden
NVIDIA PhysX (x32 Version: 9.13.0725 - NVIDIA Corporation) Hidden
NVIDIA PhysX System Software 9.13.0725 (Version: 9.13.0725 - NVIDIA Corporation)
Realtek Ethernet Controller Driver (x32 Version: 7.48.823.2011 - Realtek)
 
==================== Restore Points  =========================
 
08-02-2014 21:15:04 Installed Asmedia ASM106x SATA Host Controller Driver.
 
==================== Hosts content: ==========================
 
2013-08-22 07:25 - 2014-02-08 15:23 - 00000741 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {035792A1-D4EF-4A78-BF9A-AA9628C281A3} - System32\Tasks\Microsoft\Windows\Setup\SetupCleanupTask
Task: {05293577-D647-4185-B859-C94839A0B2E3} - System32\Tasks\Microsoft\Windows\SettingSync\NetworkStateChangeTask
Task: {0B545118-B563-42FC-8D07-B78F602FCF34} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
Task: {2085BF56-520D-4951-B7C0-DF34AF90CC6A} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask
Task: {2C9C0C6C-2A74-46F2-858A-4389D253EAD0} - System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\Windows\System32\AutoWorkplace.exe [2013-08-21] (Microsoft Corporation)
Task: {3B6D8A73-F20B-4C93-B8FB-56A154F172D2} - System32\Tasks\Microsoft\Windows\Time Zone\SynchronizeTimeZone => C:\Windows\system32\tzsync.exe [2013-08-22] (Microsoft Corporation)
Task: {49754026-21E1-41FC-94FD-727AFE414FE7} - System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCacheRebalance
Task: {6AA91E8C-DDBD-4979-8464-4062F7681A19} - System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup
Task: {6DFCB649-0769-4F83-BB10-F60F235F6D3D} - System32\Tasks\Microsoft\Windows\SkyDrive\Idle Sync Maintenance Task
Task: {73B1B253-CE67-4501-AE1A-377DD1D68B65} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask
Task: {77F1D869-6E65-4079-A2A0-E2023408EF97} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
Task: {872D0E53-FD2E-41E3-B431-698AF82882CE} - System32\Tasks\Microsoft\Windows\SkyDrive\Routine Maintenance Task
Task: {8CC813C9-712A-41EF-9512-B233444FC669} - System32\Tasks\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup => Rundll32.exe %windir%\system32\AppxDeploymentClient.dll,AppxPreStageCleanupRunTask
Task: {9FF4C139-5234-410C-B7FA-23EE2FD2AB53} - System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Maintenance Work
Task: {CFD7C21A-808B-487B-A6EC-8A10E44E8360} - System32\Tasks\Microsoft\Windows\SettingSync\BackupTask
Task: {D88FEC9E-A82A-46F9-87E2-B6B97B301C1A} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing
Task: {DA46820F-FF8A-4B5E-A6B2-B12185DCFFFB} - System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Logon Synchronization
Task: {E6D378FA-E068-4BCB-80DE-56D43A249507} - System32\Tasks\Microsoft\Windows\RecoveryEnvironment\VerifyWinRE
 
==================== Loaded Modules (whitelisted) =============
 
2014-02-08 15:30 - 2013-09-16 16:36 - 00956416 _____ () C:\Users\Steve\AppData\Local\Chromium\Application\31.0.1632.0\ffmpegsumo.dll
2014-02-08 15:30 - 2013-09-16 16:36 - 00593408 _____ () C:\Users\Steve\AppData\Local\Chromium\Application\31.0.1632.0\ppGoogleNaClPluginChrome.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
AlternateDataStreams: C:\Users\Steve\SkyDrive:ms-properties
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WLMS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WLMS => ""="Service"
 
==================== Faulty Device Manager Devices =============
 
Name: Video Controller
Description: Video Controller
Class Guid: {4d36e968-e325-11ce-bfc1-08002be10318}
Manufacturer: 
Service: 
Problem: : Reinstall the drivers for this device. (Code 18)
Resolution: The drivers for this device must be reinstalled.
 Click "Update Driver", which starts the Hardware Update wizard.
Alternately, uninstall the driver, and then click "Scan for hardware changes" to reload the drivers.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/08/2014 03:15:04 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (02/08/2014 03:12:35 PM) (Source: Software Protection Platform Service) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004E028
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=0eebbb45-29d4-49cb-ba87-a23db0cce40a;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
 
System errors:
=============
Error: (02/08/2014 03:19:29 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 3:17:55 PM on 2/8/2014 was unexpected.
 
Error: (02/08/2014 03:11:19 PM) (Source: Service Control Manager) (User: )
Description: The Printer Extensions and Notifications service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (08/22/2013 03:28:56 AM) (Source: Service Control Manager) (User: )
Description: The IP Helper service terminated with the following error: 
%%1058
 
Error: (08/22/2013 03:28:23 AM) (Source: volmgr) (User: )
Description: Crash dump initialization failed!
 
 
Microsoft Office Sessions:
=========================
Error: (02/08/2014 03:15:04 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
 
Error: (02/08/2014 03:12:35 PM) (Source: Software Protection Platform Service)(User: )
Description: hr=0xC004E028RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=0eebbb45-29d4-49cb-ba87-a23db0cce40a;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 35%
Total physical RAM: 8079.56 MB
Available physical RAM: 5183.19 MB
Total Pagefile: 9999.56 MB
Available Pagefile: 6632.65 MB
Total Virtual: 131072 MB
Available Virtual: 131071.79 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:55.9 GB) (Free:36.3 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Data 2014-02-06~) (CDROM) (Total:0.02 GB) (Free:0 GB) CDFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 56 GB) (Disk ID: 73AA79CD)
Partition 1: (Active) - (Size=56 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================


#7 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts

Posted 10 February 2014 - 04:27 AM

Sorry, I don't think I quite follow. Malware that attacks your resident Windows operating system as well as a Linux live system running from RAM is highly unlikely.

What makes you think that you are dealing with an extremely sophisticated malware and not with some "normal" problems that cause these symptoms?

Your FRST logs are inconspicuous.


Edited by aharonov, 10 February 2014 - 04:28 AM.


#8 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts

Posted 04 March 2014 - 11:28 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



