Need help with removing keylogger



#1 Sheogorath


Posted 25 May 2014 - 02:01 AM

I have noticed lately that my free space on the C: drive was shrinking. I did a search with WinDirStat and found out I had 23 710 .png images in "C:\Windows\SysWOW64". In total it was around 18.8 gigabytes of images. After copying all the files over to an external hard drive, I checked the folder again. I noticed it had a lot of files like this one: "2013_11_08_15_26_55.txt". It's some kind of log file from the keylogger. They contain detailed information on my browsing history and basically everything I have done on my computer.

I'm using Windows 7 HP.

 

DDS log:

2014-04-08 17:21:30 1193267 ----a-w- C:\Windows\unins002.exe
2014-04-08 17:19:53 1192831 ----a-w- C:\Windows\unins001.exe
2014-04-08 14:33:58 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2014-04-08 14:31:10 283064 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2014-03-31 16:42:42 37320 ----a-w- C:\Windows\System32\nvaudcap64v.dll
2014-03-31 07:35:08 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-03-27 02:11:04 6768584 ----a-w- C:\Windows\System32\nvcpl.dll
2014-03-27 02:11:04 3512664 ----a-w- C:\Windows\System32\nvsvc64.dll
2014-03-27 02:11:02 927520 ----a-w- C:\Windows\System32\nvvsvc.exe
2014-03-27 02:11:02 63776 ----a-w- C:\Windows\System32\nvshext.dll
2014-03-27 02:11:02 386336 ----a-w- C:\Windows\System32\nvmctray.dll
2014-03-27 02:11:02 2558808 ----a-w- C:\Windows\System32\nvsvcr.dll
2014-03-26 21:40:14 601432 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2014-03-24 10:31:38 3683457 ----a-w- C:\Windows\System32\nvcoproc.bin
2014-03-06 09:31:33 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-06 08:59:04 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-06 08:57:34 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-03-06 08:57:20 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:11:41 5784064 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-06 08:02:34 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:02:33 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-03-06 08:01:01 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36 4254720 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15 2043904 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39 1967104 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40 2260480 ----a-w- C:\Windows\System32\wininet.dll
2014-03-06 05:41:49 1789440 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-03-04 09:47:01 5550016 ----a-w- C:\Windows\System32\ntoskrnl.exe
2014-03-04 09:44:21 362496 ----a-w- C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21 243712 ----a-w- C:\Windows\System32\wow64.dll
2014-03-04 09:44:21 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:20 39936 ----a-w- C:\Windows\System32\wincredprovider.dll
2014-03-04 09:44:10 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-03-04 09:44:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-03-04 09:44:06 340992 ----a-w- C:\Windows\System32\schannel.dll
2014-03-04 09:44:03 722944 ----a-w- C:\Windows\System32\objsel.dll
2014-03-04 09:44:03 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-03-04 09:44:03 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2014-03-04 09:44:00 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-03-04 09:44:00 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2014-03-04 09:43:56 57344 ----a-w- C:\Windows\System32\cngprovider.dll
2014-03-04 09:43:56 52736 ----a-w- C:\Windows\System32\dpapiprovider.dll
2014-03-04 09:43:56 44544 ----a-w- C:\Windows\System32\dimsroam.dll
2014-03-04 09:43:56 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-03-04 09:43:55 56832 ----a-w- C:\Windows\System32\adprovider.dll
2014-03-04 09:43:55 53760 ----a-w- C:\Windows\System32\capiprovider.dll
2014-03-04 09:43:50 455168 ----a-w- C:\Windows\System32\winlogon.exe
2014-03-04 09:20:11 3969984 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2014-03-04 09:20:11 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2014-03-04 09:16:54 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2014-03-04 09:16:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2014-03-04 08:09:30 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29 2048 ----a-w- C:\Windows\SysWow64\user.exe
.
============= FINISH:  8:59:16,78 ===============
 



#2 Sheogorath

Sheogorath
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:29 AM

Posted 25 May 2014 - 03:07 AM

Update: I used Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) to try to find out what was saving files to my "SysWOW64" folder. After a while I found out that it was a program called "GoogleUpdaterService.exe". Here is a link to a screenshot of it: http://prntscr.com/3md21t
The exe file was placed in my startup folder: "C:\Users\Brage\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

When I opened Task Manager, two processes had the name "GoogleUpdaterService.exe". I killed one of them and both of them quit. I then deleted the file.

 

This all happened around 30 minutes ago. I see no new screenshots or logs in the "SysWOW64" folder now. It was usually several per minute. I think the keylogger is gone, but I need to be sure I've killed the whole thing.


Edited by Sheogorath, 25 May 2014 - 03:07 AM.
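As an added triage example (not code from the thread or from any tool named in it), here is a PowerShell check, assuming PowerShell 4 or later, that reviews the per-user and all-users Startup folders the way the post describes (file, signature status, hash) and counts the .png screenshots and timestamp-named .txt logs in SysWOW64; the 30-minute "still writing?" window is an assumption.

```powershell
# Added example: defender-side triage of the two indicators from the post.
# Paths and the log-name pattern come from the thread; the age window is assumed.

$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$ArtifactDir    = Join-Path $env:SystemRoot 'SysWOW64'
$LogNamePattern = '^\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}\.txt$'  # e.g. 2013_11_08_15_26_55.txt
$RunnableExt    = @('.exe', '.bat', '.cmd', '.vbs', '.lnk')
$MaxAgeMinutes  = 30   # assumption: window used to decide whether the writer is still active

Write-Host "== Runnable items in Startup folders =="
foreach ($folder in $StartupFolders) {
    if (-not (Test-Path -Path $folder)) { continue }
    Get-ChildItem -Path $folder -File |
        Where-Object { $RunnableExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Unsigned or invalid signature on a startup item is worth a closer look;
            # the hash lets you check the file against reputation services later.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-List
}

Write-Host "== Screenshot / keylog artifacts in $ArtifactDir =="
# @() keeps each result an array even when zero or one file matches.
$pngs = @(Get-ChildItem -Path $ArtifactDir -File -Filter *.png)
$logs = @(Get-ChildItem -Path $ArtifactDir -File -Filter *.txt |
          Where-Object { $_.Name -match $LogNamePattern })
$artifacts = @($pngs + $logs | Sort-Object LastWriteTime)
$cutoff    = (Get-Date).AddMinutes(-$MaxAgeMinutes)
$recent    = @($artifacts | Where-Object { $_.LastWriteTime -gt $cutoff })

[PSCustomObject]@{
    PngCount        = $pngs.Count
    LogCount        = $logs.Count
    TotalSizeMB     = [math]::Round((($artifacts | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)
    WrittenRecently = $recent.Count   # non-zero means something is still producing them
    Oldest          = if ($artifacts.Count) { $artifacts[0].LastWriteTime } else { $null }
    Newest          = if ($artifacts.Count) { $artifacts[-1].LastWriteTime } else { $null }
} | Format-List
```

Run it from an elevated PowerShell prompt so the SysWOW64 listing and signature checks are not blocked by permissions.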


#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:29 PM

Posted 28 May 2014 - 08:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop: For 32-bit system or For 64-bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.

Let me know what problem persists.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:29 PM

Posted 03 June 2014 - 08:51 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



