
Claymore CryptoNote CPU Miner v3.4 Beta infection


  • This topic is locked
9 replies to this topic

#1 Mookid

  • Members
  • 6 posts

Posted 26 January 2015 - 06:30 AM

Hi!
I am writing because I have been infected by the Claymore CryptoNote bitcoin miner, which masks itself as svchost.exe and consumes A LOT of CPU power. It creates an instance of svchost in the temp folder, which can be removed once the program has been shut down. At reboot it recreates itself. There have been several other users with the same infection, such as in the below threads.
 
 
Any help would be sincerely appreciated!

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-01-2015 01
Ran by Mookid (administrator) on MOOKID-PC on 26-01-2015 12:23:18
Running from C:\Users\Mookid\Desktop
Loaded Profiles: Mookid (Available profiles: Mookid)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
() E:\SYSTEM\ZOTAC FireStorm\FireStorm.exe
(DT Soft Ltd) E:\SYSTEM\DAEMON Tools Lite\DTLite.exe
(Spotify Ltd) C:\Users\Mookid\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(ASUSTeK Computer Inc.) E:\SYSTEM\AI Suite III\AISuite3.exe
() E:\SYSTEM\AI Suite III\DIP4\DIPAwayMode\DipAwayMode.exe
(Electronic Arts) E:\SYSTEM\ORIGIN\Origin.exe
(Flux Software LLC) C:\Users\Mookid\AppData\Local\FluxSoftware\Flux\flux.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
(Dropbox, Inc.) C:\Users\Mookid\AppData\Roaming\Dropbox\bin\Dropbox.exe
(ASUSTeK Computer Inc.) E:\SYSTEM\AI Suite III\Wi-Fi GO!\AssistTools\WiFi GO! Server.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsusFanControlService\1.04.01\AsusFanControlService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
(ASUSTeK Computer Inc.) E:\SYSTEM\AI Suite III\Wi-Fi GO!\AssistTools\WiFile\WiFileTransfer.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Users\Mookid\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe
(DTS, Inc) C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Windows\System32\PnkBstrA.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\32\WacomDesktopCenter.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(ASUSTeK Computer Inc.) E:\SYSTEM\AI Suite III\USB 3.0 Boost\U3BoostSvr64.exe
(Microsoft Corporation) C:\Windows\System32\schtasks.exe
(ASUSTeK Computer Inc.) E:\SYSTEM\AI Suite III\Wi-Fi GO!\AsDLNAServer.exe
() E:\SYSTEM\AI Suite III\Wi-Fi GO!\AssistTools\S5WOW_App\x64\S5wow_2005.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
() C:\Windows\Temp\svchost.exe
() E:\SYSTEM\AI Suite III\DIP4\DIPAwayMode\EPUShortCut.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7156296 2013-03-05] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_DTS] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1278024 2013-03-05] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2585928 2015-01-16] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [ASUS AiChargerPlus Execute] => C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe [550272 2013-01-28] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUS WiFi GO! FileTransfer Execute] => E:\SYSTEM\AI Suite III\Wi-Fi GO!\AssistTools\WiFile\WiFileTransfer.exe [1391416 2013-06-21] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Winlogon: [Shell] explorer.exe,SpotifyHelper.exe
HKU\S-1-5-21-3253841700-3206713208-408431204-1000\...\Run: [DAEMON Tools Lite] => E:\SYSTEM\DAEMON Tools Lite\DTLite.exe [1305408 2011-01-05] (DT Soft Ltd)
HKU\S-1-5-21-3253841700-3206713208-408431204-1000\...\Run: [Spotify Web Helper] => C:\Users\Mookid\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1676344 2014-12-13] (Spotify Ltd)
HKU\S-1-5-21-3253841700-3206713208-408431204-1000\...\Run: [EADM] => E:\SYSTEM\ORIGIN\Origin.exe [3618648 2014-12-18] (Electronic Arts)
HKU\S-1-5-21-3253841700-3206713208-408431204-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3253841700-3206713208-408431204-1000\...\Run: [f.lux] => C:\Users\Mookid\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-3253841700-3206713208-408431204-1000\...\MountPoints2: G - G:\Autorun.exe
HKU\S-1-5-21-3253841700-3206713208-408431204-1000\...\MountPoints2: {dea8c917-576a-11e3-955f-240a64106da8} - F:\setup.exe
Startup: C:\Users\Mookid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Mookid\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-3253841700-3206713208-408431204-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://se.msn.com/?ocid=iehp
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=ds&ts=1413125251&from=amt&uid=SamsungXSSDX840XSeries_S19MNSAD644424Z&q={searchTerms}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> E:\SYSTEM\KONTOR\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: No Name -> {E3F1CA13-EA0E-4617-8D03-3EAA6A94A7E0} ->  No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 193.150.193.150 83.255.245.11
 
FireFox:
========
FF ProfilePath: C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_239.dll ()
FF Plugin: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelogx64.dll (EA Digital Illusions CE AB)
FF Plugin: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelogx64.dll (EA Digital Illusions CE AB)
FF Plugin: @java.com/DTPlugin,version=10.40.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.40.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll (Adobe Systems)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll ()
FF Plugin-x32: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> E:\SYSTEM\KONTOR\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll (Adobe Systems)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll (Wacom)
FF Plugin HKU\S-1-5-21-3253841700-3206713208-408431204-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Mookid\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF user.js: detected! => C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\user.js
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\mystartsearch.xml
FF Extension: Fast Start - C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\Extensions\faststartff@gmail.com [2014-10-12]
FF HKLM-x32\...\Firefox\Extensions: [jid1-tofUlNEIFlkUIA@jetpack] - C:\Program Files (x86)\Flowsurf\jid1-tofUlNEIFlkUIA@jetpack
FF HKLM-x32\...\Firefox\Extensions: [faststartff@gmail.com] - C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com
 
Chrome: 
=======
CHR Profile: C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Presentationer) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-15]
CHR Extension: (Reverse Youtube Playlist) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajhonbaagcobjdmbocblbebcmbmmbfmi [2014-10-15]
CHR Extension: (Google Dokument) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-15]
CHR Extension: (Google Drive) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-15]
CHR Extension: (YouTube) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-15]
CHR Extension: (Adblock Plus) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-10-15]
CHR Extension: (Sök på Google) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-15]
CHR Extension: (Google Kalkylark) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-15]
CHR Extension: (Hola Better Internet) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2014-10-15]
CHR Extension: (Google Wallet) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-15]
CHR Extension: (Gmail) - C:\Users\Mookid\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-15]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe [936728 2013-05-07] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe [954648 2013-08-01] (ASUSTeK Computer Inc.)
R2 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.04.01\AsusFanControlService.exe [1656464 2013-08-08] (ASUSTeK Computer Inc.)
R2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
R2 DTSAudioSvc; C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [240584 2012-10-02] (DTS, Inc)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148744 2015-01-16] (NVIDIA Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1706312 2015-01-16] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21833544 2015-01-16] (NVIDIA Corporation)
S3 Origin Client Service; E:\SYSTEM\ORIGIN\OriginClientService.exe [1903472 2014-12-18] (Electronic Arts)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76152 2014-07-12] ()
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2013-11-11] ()
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [649496 2014-10-27] (Wacom Technology, Corp.)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AiChargerPlus; C:\Windows\SysWow64\drivers\AiChargerPlus.sys [14848 2013-01-28] (ASUSTek Computer Inc.)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-21] ()
R3 ASMTFilter; C:\Windows\SysWow64\drivers\asmtufdriver.sys [21400 2013-01-28] (http://www.asmedia.com.tw) [File not signed]
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2012-09-14] ()
R3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-20] (MCCI Corporation)
S3 ASUSstpt; C:\Windows\System32\DRIVERS\ASUSstpt.sys [27392 2013-03-28] (MCCI Corporation)
S3 ASUSumsc; C:\Windows\System32\DRIVERS\ASUSumsc.sys [151808 2013-03-28] (MCCI Corporation)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [254528 2013-11-10] (DT Soft Ltd)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [496400 2013-02-27] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19784 2015-01-16] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
S3 AthBTPort; system32\DRIVERS\btath_flt.sys [X]
S3 BTATH_A2DP; system32\drivers\btath_a2dp.sys [X]
S3 btath_avdt; system32\drivers\btath_avdt.sys [X]
S3 BTATH_BUS; system32\DRIVERS\btath_bus.sys [X]
S3 BTATH_HCRP; system32\DRIVERS\btath_hcrp.sys [X]
S3 BTATH_LWFLT; system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; system32\DRIVERS\btath_rcp.sys [X]
S3 BtFilter; system32\DRIVERS\btfilter.sys [X]
R3 FireStorm; \??\C:\Users\Mookid\AppData\Local\Temp\FireStorm.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 wacommousefilter; system32\DRIVERS\wacommousefilter.sys [X]
S3 wacomvhid; system32\DRIVERS\wacomvhid.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-26 12:23 - 2015-01-26 12:23 - 00022204 _____ () C:\Users\Mookid\Desktop\FRST.txt
2015-01-26 12:18 - 2015-01-26 12:23 - 00000000 ____D () C:\FRST
2015-01-26 12:12 - 2015-01-26 12:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2015-01-26 12:12 - 2015-01-26 12:12 - 00000000 ____D () C:\Program Files (x86)\Cobian Backup 11
2015-01-26 12:05 - 2015-01-26 12:05 - 02129920 _____ (Farbar) C:\Users\Mookid\Desktop\FRST64.exe
2015-01-26 12:02 - 2015-01-26 12:21 - 00000000 ____D () C:\Users\Mookid\Desktop\ANTI MALWARE
2015-01-26 11:08 - 2015-01-26 11:08 - 00038793 _____ () C:\Windows\DirectX.log
2015-01-26 01:13 - 2014-10-18 03:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2015-01-26 01:13 - 2014-10-18 02:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2015-01-26 01:13 - 2014-07-07 03:06 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2015-01-26 01:13 - 2014-07-07 03:06 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2015-01-26 01:13 - 2014-07-07 03:06 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2015-01-26 01:13 - 2014-07-07 03:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2015-01-26 01:13 - 2014-07-07 02:40 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2015-01-26 01:13 - 2014-07-07 02:39 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rrinstaller.exe
2015-01-26 01:13 - 2014-07-07 02:39 - 00023040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfpmp.exe
2015-01-26 01:13 - 2014-07-07 02:37 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mferror.dll
2015-01-26 01:12 - 2015-01-26 01:12 - 00000000 ____D () C:\Program Files (x86)\Microsoft ASP.NET
2015-01-26 01:12 - 2014-06-27 03:08 - 02777088 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2015-01-26 01:12 - 2014-06-27 02:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2015-01-25 23:47 - 2014-12-12 06:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-25 23:47 - 2014-12-12 06:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-25 23:47 - 2014-12-12 06:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-25 23:47 - 2014-12-12 06:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-25 23:47 - 2014-12-12 06:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-25 23:47 - 2014-12-12 06:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-25 23:47 - 2014-12-12 06:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-25 23:47 - 2014-10-10 01:57 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-01-25 23:47 - 2014-08-01 12:53 - 01031168 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2015-01-25 23:47 - 2014-08-01 12:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll
2015-01-25 23:47 - 2014-07-17 03:07 - 03722240 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-01-25 23:47 - 2014-07-17 03:07 - 01118720 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2015-01-25 23:47 - 2014-07-17 03:07 - 01113088 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2015-01-25 23:47 - 2014-07-17 03:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2015-01-25 23:47 - 2014-07-17 03:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2015-01-25 23:47 - 2014-07-17 03:07 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2015-01-25 23:47 - 2014-07-17 03:07 - 00150528 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2015-01-25 23:47 - 2014-07-17 02:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2015-01-25 23:47 - 2014-07-17 02:39 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-01-25 23:47 - 2014-07-17 02:39 - 01051136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2015-01-25 23:47 - 2014-07-17 02:39 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2015-01-25 23:47 - 2014-07-17 02:21 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2015-01-25 23:47 - 2014-07-17 02:21 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2015-01-25 23:46 - 2015-01-09 23:27 - 00621200 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2015-01-25 23:46 - 2014-12-19 04:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-25 23:46 - 2014-12-19 02:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-25 23:46 - 2014-12-11 18:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-25 23:46 - 2014-12-06 05:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-25 23:46 - 2014-12-06 04:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-25 23:46 - 2014-12-06 04:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-25 23:46 - 2014-11-11 04:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-01-25 23:46 - 2014-11-11 04:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2015-01-25 23:46 - 2014-11-11 03:44 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-01-25 23:46 - 2014-11-11 03:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2015-01-25 23:46 - 2014-11-08 04:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-01-25 23:46 - 2014-11-08 03:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2015-01-25 23:46 - 2014-10-30 03:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2015-01-25 23:46 - 2014-10-30 02:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe
2015-01-25 23:46 - 2014-10-25 02:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2015-01-25 23:46 - 2014-10-25 02:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2015-01-25 23:46 - 2014-10-18 03:05 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-01-25 23:46 - 2014-10-18 02:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-01-25 23:46 - 2014-10-14 03:16 - 00155064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-01-25 23:46 - 2014-10-14 03:12 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-01-25 23:46 - 2014-10-14 02:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-01-25 23:46 - 2014-10-14 02:49 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-01-25 23:46 - 2014-10-03 03:12 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2015-01-25 23:46 - 2014-10-03 03:11 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2015-01-25 23:46 - 2014-10-03 03:11 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2015-01-25 23:46 - 2014-10-03 03:11 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2015-01-25 23:46 - 2014-10-03 03:11 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2015-01-25 23:46 - 2014-10-03 02:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2015-01-25 23:46 - 2014-10-03 02:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2015-01-25 23:46 - 2014-10-03 02:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2015-01-25 23:46 - 2014-09-25 03:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2015-01-25 23:46 - 2014-09-25 02:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2015-01-25 23:46 - 2014-09-19 10:42 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-01-25 23:46 - 2014-09-19 10:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-01-25 23:46 - 2014-09-19 10:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-01-25 23:46 - 2014-09-19 10:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-01-25 23:46 - 2014-09-19 10:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-01-25 23:46 - 2014-09-19 10:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-01-25 23:46 - 2014-09-19 10:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-01-25 23:46 - 2014-09-19 10:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-01-25 23:46 - 2014-09-19 10:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-01-25 23:46 - 2014-09-19 10:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-01-25 23:46 - 2014-09-19 10:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-01-25 23:46 - 2014-09-19 10:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-01-25 23:46 - 2014-09-04 06:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2015-01-25 23:46 - 2014-09-04 06:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2015-01-25 23:46 - 2014-08-21 07:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-01-25 23:46 - 2014-08-21 07:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2015-01-25 23:46 - 2014-08-21 07:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2015-01-25 23:46 - 2014-08-21 07:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2015-01-25 23:46 - 2014-08-12 03:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2015-01-25 23:46 - 2014-08-12 02:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2015-01-25 23:46 - 2014-06-18 23:23 - 01943696 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2015-01-25 23:46 - 2014-06-18 23:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll
2015-01-25 23:46 - 2014-06-18 23:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll
2015-01-25 23:46 - 2014-06-18 23:23 - 00156312 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2015-01-25 23:46 - 2014-06-18 23:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll
2015-01-25 23:46 - 2014-06-18 23:23 - 00073880 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2015-01-25 23:45 - 2015-01-13 05:15 - 01540240 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco6420103.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 32102544 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 25459856 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 24765584 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 20465296 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 17250776 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 13295552 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 13210248 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 10774544 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 10714488 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 10274448 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2015-01-25 23:45 - 2015-01-10 09:07 - 03607184 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 03245712 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 01895240 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6434725.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 01556808 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6434725.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00994712 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00969360 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00942736 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00929424 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00906384 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00877488 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00496456 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00399688 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00390472 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFROpenGL.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00353040 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00345744 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFROpenGL.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00305320 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00177624 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00164568 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2015-01-25 23:45 - 2015-01-10 09:07 - 00031376 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvpciflt.sys
2015-01-25 10:53 - 2015-01-26 12:22 - 00002287 _____ () C:\Windows\setupact.log
2015-01-25 10:53 - 2015-01-25 10:53 - 00001556 _____ () C:\Windows\PFRO.log
2015-01-25 10:53 - 2015-01-25 10:53 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-25 00:39 - 2015-01-25 00:39 - 00000768 _____ () C:\Users\Mookid\AppData\Local\recently-used.xbel
2015-01-25 00:38 - 2015-01-25 00:38 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\MadeWithMischief
2015-01-25 00:38 - 2015-01-25 00:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mischief-Free
2015-01-25 00:36 - 2015-01-25 00:36 - 00001942 _____ () C:\Users\Public\Desktop\Mischief.lnk
2015-01-25 00:36 - 2015-01-25 00:36 - 00000016 _____ () C:\Users\Public\Documents\MID_V0001_000
2015-01-25 00:36 - 2015-01-25 00:36 - 00000000 ____D () C:\Program Files (x86)\Mischief
2015-01-24 22:50 - 2015-01-24 22:50 - 00597304 _____ () C:\Users\Mookid\Downloads\flux-setup.exe
2015-01-24 22:50 - 2015-01-24 22:50 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Flux
2015-01-24 22:50 - 2015-01-24 22:50 - 00000000 ____D () C:\Users\Mookid\AppData\Local\FluxSoftware
2015-01-18 15:12 - 2015-01-18 15:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-01-16 22:37 - 2015-01-16 22:37 - 00000000 ____D () C:\Users\Mookid\Documents\BioWare
2015-01-16 22:37 - 2008-07-12 08:18 - 04992520 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_39.dll
2015-01-16 22:37 - 2008-07-12 08:18 - 01942552 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_39.dll
2015-01-16 22:37 - 2008-07-12 08:18 - 00540688 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_39.dll
2015-01-10 13:52 - 2015-01-10 00:29 - 02558608 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2015-01-10 13:51 - 2014-12-13 11:08 - 01895056 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6434709.dll
2015-01-10 13:51 - 2014-12-13 11:08 - 01556624 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6434709.dll
2015-01-10 13:51 - 2014-10-09 18:02 - 00195728 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda64v.sys
2015-01-10 13:51 - 2014-10-09 18:02 - 00030536 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap64.dll
2015-01-10 13:51 - 2014-10-09 08:17 - 01540240 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco64.dll
2015-01-10 13:49 - 2014-11-22 11:46 - 00038032 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2015-01-10 13:49 - 2014-11-22 11:46 - 00032400 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2015-01-10 13:05 - 2015-01-10 15:34 - 00060597 _____ () C:\Windows\temp023423.vbe
2015-01-08 23:24 - 2015-01-08 23:25 - 00018645 _____ () C:\Users\Mookid\Downloads\Inside_Peach's_Castle.mid
2014-12-27 19:29 - 2014-12-27 19:29 - 00001162 _____ () C:\Users\Mookid\Desktop\Elite Dangerous Launcher.lnk
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-26 12:23 - 2014-01-09 21:02 - 01048576 _____ () C:\Windows\PE_Rom.dll
2015-01-26 12:22 - 2014-10-15 11:11 - 00000994 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-26 12:22 - 2014-10-15 11:11 - 00000990 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-26 12:22 - 2014-10-12 15:55 - 01571380 _____ () C:\Windows\WindowsUpdate.log
2015-01-26 12:22 - 2014-01-09 19:54 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-26 12:22 - 2013-11-21 16:01 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\Dropbox
2015-01-26 12:22 - 2013-11-10 22:09 - 00000000 ____D () C:\ProgramData\Origin
2015-01-26 12:22 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-26 12:02 - 2014-10-15 10:49 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-01-26 11:08 - 2013-11-22 03:33 - 00000000 ____D () C:\Users\Mookid\Documents\My Games
2015-01-26 10:08 - 2014-08-14 18:48 - 00000000 ____D () C:\Users\Mookid\AppData\Local\Adobe
2015-01-26 10:04 - 2014-01-09 21:07 - 00000000 _____ () C:\Windows\Path.idx
2015-01-26 10:04 - 2009-07-14 06:13 - 00006464 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-26 10:03 - 2009-07-14 05:45 - 00010016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-26 10:03 - 2009-07-14 05:45 - 00010016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-26 09:58 - 2009-07-14 05:45 - 04906872 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-26 01:15 - 2014-01-27 12:02 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-01-26 01:12 - 2013-11-17 23:15 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-26 00:19 - 2014-10-11 14:09 - 00007608 _____ () C:\Users\Mookid\AppData\Local\resmon.resmoncfg
2015-01-25 23:48 - 2014-01-09 19:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2015-01-25 23:46 - 2013-10-25 07:42 - 00000000 ____D () C:\Temp
2015-01-25 23:33 - 2013-11-12 16:25 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\Skype
2015-01-25 23:33 - 2013-11-11 21:05 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\Spotify
2015-01-25 16:00 - 2014-08-23 19:15 - 00000000 ____D () C:\Users\Mookid\Desktop\DIGITALA ALSTER
2015-01-25 10:56 - 2009-07-14 06:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-01-25 02:09 - 2013-11-10 22:12 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\uTorrent
2015-01-24 22:55 - 2014-01-09 21:14 - 00000000 ____D () C:\Users\Mookid\AppData\Local\CrashDumps
2015-01-24 22:55 - 2013-11-10 22:32 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\DAEMON Tools Lite
2015-01-24 19:15 - 2013-11-12 14:06 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\vlc
2015-01-24 17:27 - 2014-10-15 11:11 - 00002179 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-24 17:05 - 2014-08-04 13:33 - 00000000 ____D () C:\Users\Mookid\Desktop\Figure
2015-01-24 14:30 - 2013-11-11 21:09 - 00000000 ____D () C:\Users\Mookid\AppData\Local\Spotify
2015-01-19 01:04 - 2014-10-13 02:02 - 00000000 ____D () C:\Users\Mookid\Documents\MyPaint
2015-01-18 15:13 - 2013-11-12 16:25 - 00000000 ____D () C:\ProgramData\Skype
2015-01-18 15:12 - 2014-10-11 13:33 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-01-18 15:12 - 2014-03-23 22:14 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
2015-01-17 13:52 - 2014-10-17 12:15 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\WTablet
2015-01-17 13:21 - 2013-12-21 21:46 - 00000000 ____D () C:\Users\Mookid\AppData\Roaming\Adobe
2015-01-16 07:41 - 2014-06-10 18:44 - 01756424 _____ (NVIDIA Corporation) C:\Windows\system32\nvspbridge64.dll
2015-01-16 07:41 - 2014-06-10 18:44 - 01316184 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspbridge.dll
2015-01-16 07:41 - 2014-03-17 13:35 - 01514528 _____ (NVIDIA Corporation) C:\Windows\system32\nvspcap64.dll
2015-01-16 07:41 - 2014-03-17 13:35 - 01278920 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2015-01-10 15:34 - 2014-09-07 16:36 - 00003174 _____ () C:\Windows\System32\Tasks\Origin
2015-01-10 09:07 - 2014-09-23 23:58 - 16009120 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2015-01-10 09:07 - 2014-01-09 19:58 - 18566296 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll
2015-01-10 09:07 - 2014-01-09 19:58 - 14115944 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2015-01-10 09:07 - 2014-01-09 19:58 - 03298816 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2015-01-10 09:07 - 2014-01-09 19:58 - 02902456 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2015-01-10 09:07 - 2014-01-09 19:53 - 00073872 _____ (Khronos Group) C:\Windows\system32\OpenCL.dll
2015-01-10 09:07 - 2014-01-09 19:53 - 00060744 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2015-01-10 09:07 - 2013-11-21 15:49 - 00027441 _____ () C:\Windows\system32\nvinfo.pb
2015-01-10 00:30 - 2014-01-09 19:53 - 06860432 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2015-01-10 00:30 - 2014-01-09 19:53 - 03517256 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll
2015-01-10 00:29 - 2014-05-27 14:40 - 01097872 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshext.dll
2015-01-10 00:29 - 2014-05-27 14:40 - 00075080 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshextr.dll
2015-01-10 00:29 - 2014-01-09 19:53 - 00935056 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
2015-01-10 00:29 - 2014-01-09 19:53 - 00385352 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2015-01-10 00:29 - 2014-01-09 19:53 - 00062608 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2015-01-09 20:47 - 2014-01-09 19:53 - 04173527 _____ () C:\Windows\system32\nvcoproc.bin
2015-01-08 09:55 - 2013-11-10 22:22 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-12-31 13:12 - 2013-11-17 23:15 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-12-29 10:58 - 2014-09-07 22:48 - 00019403 _____ () C:\Users\Mookid\Desktop\UUUH.gpx
 
==================== Files in the root of some directories =======
 
2014-02-27 00:37 - 2003-09-03 07:46 - 0010960 _____ () C:\Program Files (x86)\EULA.txt
2014-02-27 00:37 - 2014-02-27 00:37 - 0000351 _____ () C:\Program Files (x86)\INSTALL.LOG
2014-02-27 00:37 - 2003-12-18 11:33 - 0020102 _____ () C:\Program Files (x86)\Readme.txt
2014-02-11 14:48 - 2014-09-01 17:25 - 0000074 _____ () C:\Users\Mookid\AppData\Roaming\log.txt
2014-02-11 14:48 - 2014-03-10 11:15 - 0682496 _____ () C:\Users\Mookid\AppData\Roaming\SpotifyHelper.exe
2014-02-27 20:59 - 2014-02-27 20:59 - 0000000 ___SH () C:\Users\Mookid\AppData\Local\LumaEmu
2015-01-25 00:39 - 2015-01-25 00:39 - 0000768 _____ () C:\Users\Mookid\AppData\Local\recently-used.xbel
2014-10-11 14:09 - 2015-01-26 00:19 - 0007608 _____ () C:\Users\Mookid\AppData\Local\resmon.resmoncfg
2014-09-17 11:03 - 2014-09-17 11:03 - 0000057 _____ () C:\ProgramData\Ament.ini
 
Files to move or delete:
====================
C:\Users\Mookid\AppData\Roaming\Origin\update.vbe
 
 
Some content of TEMP:
====================
C:\Users\Mookid\AppData\Local\Temp\drm_dialogs.dll
C:\Users\Mookid\AppData\Local\Temp\drm_dyndata_7330014.dll
C:\Users\Mookid\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcvdwcs.dll
C:\Users\Mookid\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Mookid\AppData\Local\Temp\nvStInst.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-25 14:57
 
==================== End Of Log ============================

Edited by Mookid, 26 January 2015 - 08:29 AM.
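The FRST log above verifies the signature of the genuine C:\Windows\System32\svchost.exe in its Bamital check, while the symptom described is a second svchost.exe living under a temp folder that comes back after every reboot. The same log lists C:\Users\Mookid\AppData\Roaming\Origin\update.vbe under "Files to move or delete", a C:\Windows\temp023423.vbe last written 2015-01-10 15:34, and a scheduled task file C:\Windows\System32\Tasks\Origin modified at that same minute, which is the kind of pairing a scheduled task that re-launches a script would leave. The PowerShell below is an added example by the editor, not code from the thread, from FRST or from Malwarebytes. It assumes an English-language Windows 7-era host with PowerShell 2.0 or later, run from an elevated prompt, and it only reports; it deletes nothing. The three checks are: every running svchost.exe should sit in System32 or SysWOW64 and be a child of services.exe; no svchost.exe file should exist under Temp or AppData; and no scheduled task should launch wscript/cscript, a .vbe/.vbs, or anything from Temp or AppData.

```powershell
# Added example (editor's, not from the thread, FRST or Malwarebytes).
# Assumes: en-US Windows 7 or later, PowerShell 2.0+, elevated prompt. Report-only.

$trustedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Get-SvchostReport {
    # A genuine svchost.exe runs from System32/SysWOW64 and is started by services.exe.
    # ExecutablePath is empty for processes we cannot open, hence the elevated prompt.
    $servicesPids = @(Get-WmiObject Win32_Process -Filter "Name='services.exe'" |
                      ForEach-Object { $_.ProcessId })

    foreach ($p in Get-WmiObject Win32_Process -Filter "Name='svchost.exe'") {
        $path = $p.ExecutablePath
        $dir  = if ($path) { Split-Path -Path $path -Parent } else { '' }
        $inTrustedDir     = ($trustedDirs -contains $dir)      # -contains is case-insensitive
        $parentIsServices = ($servicesPids -contains $p.ParentProcessId)

        # Caveat: the real svchost.exe is catalog-signed, and older builds of
        # Get-AuthenticodeSignature report catalog-signed files as NotSigned (FRST uses
        # WinVerifyTrust with catalog lookup, which is why its check says "signed").
        # The signature is therefore shown as evidence but does not drive the verdict.
        $signer = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) {
                "$($sig.Status) / $($sig.SignerCertificate.Subject)"
            } else { "$($sig.Status)" }
        }

        New-Object PSObject -Property @{
            ProcessId   = $p.ProcessId
            Path        = $path
            ParentPid   = $p.ParentProcessId
            CommandLine = $p.CommandLine
            Signature   = $signer
            Suspicious  = ((-not $inTrustedDir) -or (-not $parentIsServices))
        }
    }
}

function Get-StraySvchostFiles {
    # svchost.exe copies outside the Windows directories: the OP's "instance of svchost
    # in the temp folder". C:\Temp is included because the FRST log shows that folder.
    $roots = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'), $env:APPDATA,
               $env:LOCALAPPDATA, (Join-Path $env:SystemDrive 'Temp'))
    foreach ($root in $roots) {
        if ($root -and (Test-Path -LiteralPath $root)) {
            Get-ChildItem -LiteralPath $root -Recurse -Force -Filter 'svchost.exe' -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Get-ScriptTasks {
    # schtasks.exe /v /fo CSV works on Windows 7, where Get-ScheduledTask is not available.
    # Column names are localized; these are the en-US names. On some builds the header row
    # repeats once per task folder, so rows whose TaskName is literally 'TaskName' are dropped.
    $pattern = '(?i)\.vb[es]\b|wscript|cscript|\\Temp\\|\\AppData\\'
    schtasks.exe /query /v /fo CSV | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match $pattern } |
        Select-Object TaskName, 'Task To Run', 'Run As User', Status, 'Next Run Time'
}

Write-Host '== svchost.exe processes (Suspicious = outside System32/SysWOW64 or not a child of services.exe) =='
Get-SvchostReport | Sort-Object Suspicious -Descending |
    Format-Table ProcessId, Suspicious, Path, ParentPid, Signature -AutoSize

Write-Host '== svchost.exe files under Temp / AppData =='
Get-StraySvchostFiles | Format-Table -AutoSize

Write-Host '== scheduled tasks that run scripts or files from Temp / AppData =='
Get-ScriptTasks | Format-Table -AutoSize
```

Read the three tables together: a svchost.exe marked Suspicious whose path matches a file in the second table, plus a task in the third table pointing at a .vbe, is the persistence chain to break (task first, then the files), which is what the helper's FRST fixlist would do on this machine. A Windows 7 svchost.exe reported as NotSigned inside System32 is the catalog caveat above, not an infection; verify it with a catalog-aware tool such as FRST or Sysinternals sigcheck before acting on it.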


#2 TB-Psychotic (Malware Response Team)

Posted 26 January 2015 - 08:35 AM

Hi there,
My name is Marius, and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.
  • Important: To help me reviewing your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

 
Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 
Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 
Scan with ESET Online Scan

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" ActiveX control by clicking the Install button
  • Once the ActiveX control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

#3 Mookid (Topic Starter)

Posted 26 January 2015 - 01:01 PM

Obviously I had a few more problems than I thought, perhaps. Here are the logs, in chronological order. The svchost.exe virus went away after the first purge with FRST. The results from ESET I think are a bit weird also - can I trust 100% that the files in this pirated software are malware and harmful? Nevertheless, I will remove them.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2015-01-26
Scan Time: 16:42:26
Logfile: 
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.26.06
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Mookid

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 351962
Time Elapsed: 3 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.FlowSurf.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{E3F1CA13-EA0E-4617-8D03-3EAA6A94A7E0}, Quarantined, [7c828675c6c36dc98d49c53118ea8d73], 
PUP.Optional.FlowSurf.A, HKU\S-1-5-21-3253841700-3206713208-408431204-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\FLOWSURF, Quarantined, [ab535f9c8801f93dc3e51bd6ba4a07f9], 
PUP.Optional.FastStart.A, HKU\S-1-5-21-3253841700-3206713208-408431204-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MOZILLA\EXTENDS, Quarantined, [827c10eb3c4da88e6fbb1f70ce357888], 

Registry Values: 4
PUP.Optional.FlowSurf.A, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|jid1-tofUlNEIFlkUIA@jetpack, C:\Program Files (x86)\Flowsurf\jid1-tofUlNEIFlkUIA@jetpack, Quarantined, [5ea004f78dfc053186b16350c340758b]
PUP.Optional.FastStart.A, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|faststartff@gmail.com, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com, Quarantined, [7a84eb10c9c0a393aa903db923e1758b]
PUP.Optional.FlowSurf.A, HKU\S-1-5-21-3253841700-3206713208-408431204-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\FLOWSURF|chrid, oglkiljdmflopemijdadoiepkhcaodjn, Quarantined, [ab535f9c8801f93dc3e51bd6ba4a07f9]
PUP.Optional.FastStart.A, HKU\S-1-5-21-3253841700-3206713208-408431204-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MOZILLA\EXTENDS|appid, faststartff@gmail.com, Quarantined, [827c10eb3c4da88e6fbb1f70ce357888]

Registry Data: 0
(No malicious items detected)

Folders: 33
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\include, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\include\tools, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\lib, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\module, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\pack, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\en, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\en-US, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\es, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\es-419, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr-BE, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr-CA, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr-CH, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr-LU, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\it, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\it-CH, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\pl, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\pt-BR, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\ru, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\ru-MO, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\tr, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\vi, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\zh-CN, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\zh-TW, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\defaults, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\defaults\preferences, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 

Files: 62
Trojan.BitcoinMiner, C:\Users\Mookid\AppData\Roaming\GFXController\lgfxpers.exe, Quarantined, [ffff9a611079fe380a716311986df30d], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome.manifest, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\install.rdf, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\index.html, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\quick_start.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\quick_start.xul, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\include\speed_dial.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\include\tools\about_blank_hook.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\include\tools\misc.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\include\tools\popup_image_helper.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\include\tools\urlrequestor.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\js.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\lib\doT.min.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\lib\jquery-2.1.0.min.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\lib\jquery.autocomplete.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\module\hotSearch.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\module\mostgrid.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\module\search.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\module\stat.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\pack\common.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\pack\ga.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\content\js\pack\xagainit.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\en\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\en-US\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\es\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\es-419\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr-BE\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr-CA\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr-CH\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\fr-LU\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\it\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\it-CH\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\pl\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\pt-BR\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\ru\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\ru-MO\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\tr\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\vi\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\zh-CN\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\locale\zh-TW\locale.properties, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin\default_logo.png, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin\googlelogo.png, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin\google_trends.png, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin\icon.png, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin\loading.gif, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin\logo.png, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin\newtab.ico, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin\simple.css, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\chrome\skin\style.css, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\defaults\preferences\fvd.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\defaults\preferences\preferences.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\addonmanager.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\aes.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\config.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\dialogs.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\last_tab.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\misc.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\properties.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\remoterequest.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\restoreprefs.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 
PUP.Optional.FastStart.A, C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\extensions\faststartff@gmail.com\modules\settings.js, Quarantined, [1ce2e9122c5dcd6910b3174032d1857b], 

Physical Sectors: 0
(No malicious items detected)


(end)
ESET
C:\Program Files (x86)\SIMS4\The SIMS 4 - Deluxe Edition\Game\Bin\3dmgame.dll	a variant of Win32/Packed.VMProtect.AAA trojan
C:\ProgramData\InstallMate\{64944592-F483-456B-A780-BCA1BF776764}\Custom.dll	Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{64944592-F483-456B-A780-BCA1BF776764}\Custom.dll	Win32/InstalleRex.M potentially unwanted application
C:\Users\Mookid\AppData\Roaming\SpotifyHelper.exe	Win32/Packed.Autoit.H potentially unwanted application
C:\Users\Mookid\AppData\Roaming\GUIController\usergui.exe	a variant of Win64/BitCoinMiner.AG potentially unsafe application
C:\Windows\SpotifyHelper.exe	Win32/Packed.Autoit.H potentially unwanted application
E:\DOWN\A DRAWING PROGRAM - xf-sms502ex.exe	a variant of Win32/Keygen.HA potentially unsafe application
E:\DOWN\SPEL\GAME 1 - SC-TS-41974-V-3.zip	a variant of Win32/Packed.VMProtect.AAA trojan
E:\DOWN\SPEL\GAME 1 - 3dmgame.dll	        a variant of Win32/Packed.VMProtect.AAA trojan
E:\DOWN\GAME 2 - rld-towaroiihatg.iso	        a variant of Win32/HackTool.Crack.BL potentially unsafe application
E:\SYSTEM\ GAME 1 - 3dmgame.dll	                a variant of Win32/Packed.VMProtect.AAA trojan
E:\SYSTEM\GAME 2 - steam_api.dll	        a variant of Win32/HackTool.Crack.BL potentially unsafe application

#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:45 PM

Posted 27 January 2015 - 09:33 AM

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules which you should have read at the time of Registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

Having said that, we can help you clean your machine this time BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other Malware Support forums if you were to appear again with cracks onboard, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean up.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 Mookid

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 27 January 2015 - 03:37 PM

Well this was awkward... Sorry about me not reading the forum rules. Really do appreciate the help, you are a kind person. I am ready to proceed now.



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:45 PM

Posted 28 January 2015 - 04:04 AM

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also




Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK Mirror (if the link is down)

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread (Note: Do NOT post this one into a code box!)





Are any problems left or may I post the final reply? :)


#7 Mookid

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 28 January 2015 - 05:26 PM

If the fixlog.txt looks different from what you expected, it is because you asked me to remove the pirated software from earlier manually. I did, thus rendering some of the lines in the fixlist.txt obsolete. For example, I uninstalled The SIMS 4 manually, which explains why FRST was unable to find it.

ADW

# AdwCleaner v4.109 - Report created 28/01/2015 at 23:05:59
# Updated 24/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Mookid - MOOKID-PC
# Running from : C:\Users\Mookid\Desktop\ANTI MALWARE\adwcleaner_4.109.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Users\Mookid\AppData\Roaming\Mozilla\Firefox\Profiles\afbd0r4d.default\user.js

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****

Shortcut Disinfected : C:\Users\Mookid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\Mookid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Shortcut Disinfected : C:\Users\Mookid\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8018C54-B702-4D52-9ACC-8CA78911E633}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C6A846C5-D67F-48B4-8552-C22354E56966}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C321541F-B22D-4593-AC1A-9634812A4E40}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A8018C54-B702-4D52-9ACC-8CA78911E633}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C6A846C5-D67F-48B4-8552-C22354E56966}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 228200

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17239


-\\ Mozilla Firefox v33.0 (x86 fr)

[afbd0r4d.default\prefs.js] - Line Deleted : user_pref("extensions.quick_start.enable_search1", false);
[afbd0r4d.default\prefs.js] - Line Deleted : user_pref("extensions.quick_start.sd.closeWindowWithLastTab_prev_state", false);

-\\ Google Chrome v40.0.2214.93


*************************

AdwCleaner[R0].txt - [1707 octets] - [28/01/2015 23:05:16]
AdwCleaner[S0].txt - [2062 octets] - [28/01/2015 23:05:59]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2122 octets] ##########

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Ultimate x64
Ran by Mookid on 2015-01-28 at 23:09:53,54
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-3253841700-3206713208-408431204-1000\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Mookid\AppData\Roaming\thinstall"
Successfully deleted: [Folder] "C:\Users\Mookid\appdata\local\thinstall"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ Chrome

Successfully deleted: [Folder] C:\Users\Mookid\appdata\local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2015-01-28 at 23:11:16,59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Results of screen317's Security Check version 0.99.95  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy 
 Java 7 Update 71  
 Java 7 Update 21  
  Java 64-bit 8 Update 31
  Adobe Flash Player 15.0.0.239 Flash Player out of Date!
 Adobe Reader XI  
 Mozilla Firefox 33.0 Firefox out of Date!
 Google Chrome (40.0.2214.91) 
 Google Chrome (40.0.2214.93) 
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 5% 
````````````````````End of Log``````````````````````

#8 Mookid

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 28 January 2015 - 05:28 PM

No more problems it seems. Thank you so much for your help! You may now lay your wisdom of security on me :)



#9 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:45 PM

Posted 29 January 2015 - 08:30 AM

Your system is clean now! :)

 

 

Java Runtime Environment out of date

Your Java runtime environment is outdated. We will fix this.

  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software
  • When finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions (if existing).
  • When finished, reboot your computer.

After the reboot
  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.

 

 

 

Adobe Flash Player out of date

Your Adobe Flash Player is outdated. We will fix this.

  • Get the actual player from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.

 

 

 

 

Mozilla Firefox out of date

Your Firefox browser is outdated. Please follow these instructions to update it:

  • Get the actual Firefox from here.
  • Run setup and follow the instructions on your monitor.
  • Report any problems you have with the update.

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • In case we used Combofix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.




Delete System Restore Points

To ensure your System Restore Points are free of malware, we will delete all of them but the most recent or create a new one.

On Windows Vista: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows 7/8: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows XP: Please follow these instructions to delete all but the most common System Protection Restore Points.




Temp File Cleaner

We need to download Temp File Cleaner (TFC) by OldTimer:
  • Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
  • Save and close all running applications
  • Double-click on TFC.exe to run the program
  • Click on Start to begin the cleaning process. Note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC; this is normal and part of the cleanup.
  • When the scan is complete, if you were not asked to reboot the computer, please do so now
More Information can be found about the tool here: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

 

 

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.

  • Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

  • Backup
    Hardware issues, malware, fire, lightning strike: There is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians, but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:45 PM

Posted 03 July 2015 - 02:23 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



