Keep being hacked into on Steam


  • This topic is locked
8 replies to this topic

#1 coolhandluth

  • Members
  • 6 posts

Posted 01 February 2015 - 11:59 AM

I have been hacked into on my Steam account twice now, after I think a virus was installed after a hacked friend sent me a bad link. I don't know what malware or virus was installed. I have always had Microsoft Security Essentials installed, and have run Malwarebytes and it found nothing also. I did run a combofix scan, probably somewhat stupidly as I'm not sure what that does really, but it did delete some files. No idea if my problem is fixed or something is still floating out there. Scary stuff.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
Ran by MARCUS (administrator) on LUTHER-PC on 01-02-2015 10:47:09
Running from C:\Users\MARCUS\Downloads
Loaded Profiles: MARCUS (Available profiles: MARCUS)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Nvtmru] => "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2531472 2014-12-12] (NVIDIA Corporation)
HKLM-x32\...\Run: [amd_dc_opt] => C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\...\Run: [iCloudDrive] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe [43816 2014-10-20] (Apple Inc.)
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\...\Run: [GoogleChromeAutoLaunch_B5392DF6F078FA48EC3C95E50CBE3F4E] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [843592 2015-01-26] (Google Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=UP97&ocid=UP97DHP&dt=062513
SearchScopes: HKU\S-1-5-21-1274005809-3457345562-43971716-1001 -> DefaultScope {30E21D6C-92B0-4FDD-92D0-3E08D6160967} URL = http://www.bing.com/search?FORM=UP97DF&PC=UP97&dt=062313&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1274005809-3457345562-43971716-1001 -> BEC4E7530BA6490AB40BD8C1A600BBA9 URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=293224&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1274005809-3457345562-43971716-1001 -> {30E21D6C-92B0-4FDD-92D0-3E08D6160967} URL = http://www.bing.com/search?FORM=UP97DF&PC=UP97&dt=062313&q={searchTerms}&src=IE-SearchBox
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} http://10.0.1.55/codebase/DVM_IPCam2.ocx
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
Tcpip\..\Interfaces\{C4001740-0B91-4695-9FA7-BEB01998F413}: [NameServer] 208.67.222.222,208.67.220.220,10.0.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\MARCUS\AppData\Roaming\Mozilla\Firefox\Profiles\4yyp78ew.default
FF SearchEngineOrder.3: Bing 
FF Homepage: google.com
FF Keyword.URL: hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&dt=062313&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_296.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @esn/npbattlelog,version=2.4.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.4.0\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\MARCUS\AppData\Roaming\Mozilla\Firefox\Profiles\4yyp78ew.default\searchplugins\bingp.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
FF Extension: Adblock Plus - C:\Users\MARCUS\AppData\Roaming\Mozilla\Firefox\Profiles\4yyp78ew.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-10-15]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-07-14]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-27]
CHR Extension: (Google Drive) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-27]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-27]
CHR Extension: (YouTube) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-27]
CHR Extension: (Google Search) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-27]
CHR Extension: (Pandora) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbangkleohkafngihneedemihgfeikcl [2014-10-27]
CHR Extension: (AdBlock) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-10-27]
CHR Extension: (Hangouts) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd [2014-10-27]
CHR Extension: (Google Wallet) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-27]
CHR Extension: (Gmail) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-27]
CHR Profile: C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-14]
CHR Extension: (Google Docs) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-14]
CHR Extension: (Google Drive) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-14]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-14]
CHR Extension: (YouTube) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-14]
CHR Extension: (Google Search) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-14]
CHR Extension: (Google Sheets) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-14]
CHR Extension: (Skype Click to Call) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-01-14]
CHR Extension: (Google Wallet) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-14]
CHR Extension: (Gmail) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-14]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2014-12-12] (NVIDIA Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1701520 2014-12-12] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19823248 2014-12-12] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1903472 2014-12-17] (Electronic Arts)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [75136 2014-05-30] ()
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 FoxAwdWINFLASH64; C:\Program Files (x86)\FOXCONN\FOX LiveUpdate\FoxAwdWINFLASH64.SYS [17808 2007-06-13] (Foxconn ® Corporation) [File not signed]
S3 FXDrv32; C:\Program Files (x86)\FOXCONN\FOX LiveUpdate\FXDrv64.sys [32024 2005-12-08] (Your Corporation)
R3 irsir; C:\Windows\System32\DRIVERS\irsir.sys [27648 2008-01-19] (Microsoft Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2014-12-12] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
S3 RzDxgk; C:\Windows\system32\drivers\RzDxgk.sys [129472 2014-04-18] (Razer, Inc.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-02-01] ()
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-01 10:47 - 2015-02-01 10:47 - 00018063 _____ () C:\Users\MARCUS\Downloads\FRST.txt
2015-02-01 10:45 - 2015-02-01 10:47 - 00000000 ____D () C:\FRST
2015-02-01 10:45 - 2015-02-01 10:45 - 02131456 _____ (Farbar) C:\Users\MARCUS\Downloads\FRST64.exe
2015-02-01 10:28 - 2015-02-01 10:28 - 15431256 _____ () C:\Users\MARCUS\Downloads\RogueKiller.exe
2015-02-01 10:28 - 2015-02-01 10:28 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-02-01 10:28 - 2015-02-01 10:28 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-01 10:25 - 2015-02-01 10:25 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\MARCUS\Downloads\rkill.exe
2015-02-01 10:25 - 2015-02-01 10:25 - 00002356 _____ () C:\Users\MARCUS\Desktop\Rkill.txt
2015-02-01 10:25 - 2015-02-01 10:25 - 00000000 ____D () C:\Users\MARCUS\Desktop\rkill
2015-02-01 10:23 - 2015-02-01 10:23 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\MARCUS\Downloads\tdsskiller.exe
2015-02-01 10:14 - 2015-02-01 10:14 - 00026093 _____ () C:\Users\MARCUS\Desktop\ComboFix.txt
2015-02-01 10:12 - 2015-02-01 10:12 - 00026093 _____ () C:\ComboFix.txt
2015-02-01 10:02 - 2011-06-26 00:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-02-01 10:02 - 2010-11-07 11:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-02-01 10:02 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00098816 _____ () C:\Windows\sed.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00080412 _____ () C:\Windows\grep.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00068096 _____ () C:\Windows\zip.exe
2015-02-01 10:01 - 2015-02-01 10:12 - 00000000 ____D () C:\Qoobox
2015-02-01 10:01 - 2015-02-01 10:11 - 00000000 ____D () C:\Windows\erdnt
2015-02-01 10:01 - 2015-02-01 10:01 - 00000000 ____D () C:\Program Files (x86) (x86)
2015-02-01 09:59 - 2015-02-01 09:59 - 05611408 ____R (Swearware) C:\Users\MARCUS\Downloads\ComboFix.exe
2015-01-22 01:56 - 2015-01-22 01:56 - 04505161 _____ () C:\Users\MARCUS\Downloads\Peace Lutheran Logo (E).zip
2015-01-14 02:13 - 2014-12-18 21:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 02:13 - 2014-12-18 19:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 02:13 - 2014-12-11 23:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 02:13 - 2014-12-11 23:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 02:13 - 2014-12-11 23:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 02:13 - 2014-12-11 23:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 02:13 - 2014-12-11 23:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 02:13 - 2014-12-11 23:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 02:13 - 2014-12-11 23:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-14 02:13 - 2014-12-11 11:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 02:13 - 2014-12-05 22:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 02:13 - 2014-12-05 21:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 02:13 - 2014-12-05 21:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-13 16:22 - 2015-01-13 16:22 - 00000013 ___SH () C:\Users\MARCUS\AppData\Roaming\rtv.bin
2015-01-13 16:21 - 2014-05-12 15:11 - 15686656 _____ () C:\Users\MARCUS\AppData\Roaming\mumble-1.2.5.msi
2015-01-13 16:19 - 2015-01-13 16:19 - 14357545 _____ () C:\Users\MARCUS\Downloads\mumble-1.2.5.rar
2015-01-09 15:52 - 2014-11-22 04:46 - 00038032 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2015-01-09 15:52 - 2014-11-22 04:46 - 00032400 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-01 10:37 - 2014-03-24 21:02 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-01 10:27 - 2013-06-19 08:27 - 01121711 _____ () C:\Windows\WindowsUpdate.log
2015-02-01 10:15 - 2013-10-09 17:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-01 10:12 - 2009-07-13 21:20 - 00000000 __RHD () C:\Users\Default
2015-02-01 10:11 - 2009-07-13 20:34 - 00000215 _____ () C:\Windows\system.ini
2015-02-01 10:08 - 2013-07-12 12:27 - 00000000 ____D () C:\ProgramData\TEMP
2015-02-01 10:07 - 2013-10-03 23:25 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-02-01 09:45 - 2014-07-10 15:48 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-01 05:54 - 2014-03-24 21:02 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-31 16:04 - 2013-06-19 19:59 - 00000000 ____D () C:\Users\MARCUS\AppData\Roaming\Skype
2015-01-31 08:55 - 2009-07-13 22:45 - 00015328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-31 08:55 - 2009-07-13 22:45 - 00015328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-31 08:48 - 2014-12-08 06:23 - 00000000 ___RD () C:\Users\MARCUS\iCloudDrive
2015-01-31 08:48 - 2009-07-13 22:51 - 00102780 _____ () C:\Windows\setupact.log
2015-01-31 08:47 - 2013-06-19 08:59 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-31 08:47 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-27 00:38 - 2014-09-28 04:23 - 00002042 _____ () C:\Users\Public\Desktop\Google Slides.lnk
2015-01-27 00:38 - 2014-09-28 04:23 - 00002040 _____ () C:\Users\Public\Desktop\Google Sheets.lnk
2015-01-27 00:38 - 2014-09-28 04:23 - 00002030 _____ () C:\Users\Public\Desktop\Google Docs.lnk
2015-01-27 00:38 - 2014-09-28 04:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2015-01-26 19:04 - 2013-10-09 17:04 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-26 19:04 - 2013-06-19 15:51 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-26 19:04 - 2013-06-19 15:51 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-22 02:11 - 2014-10-15 16:12 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-22 02:11 - 2013-10-03 22:34 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-22 02:10 - 2014-10-15 16:12 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-20 21:57 - 2014-09-08 23:39 - 00000000 ____D () C:\Users\MARCUS\Documents\Outlook Files
2015-01-19 17:37 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-14 02:29 - 2013-07-26 02:00 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 02:22 - 2013-06-19 09:05 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-13 17:39 - 2014-07-10 15:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-13 17:39 - 2014-07-10 15:48 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-13 17:15 - 2013-09-29 12:29 - 00000000 ____D () C:\Users\MARCUS\AppData\Roaming\Mumble
2015-01-10 12:26 - 2009-07-13 23:08 - 00032638 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-01-09 01:28 - 2014-05-29 20:02 - 00000000 ____D () C:\ProgramData\Origin
2015-01-07 10:08 - 2013-06-20 12:30 - 00331767 _____ () C:\Windows\DirectX.log
2015-01-05 10:36 - 2014-05-29 20:02 - 00000000 ____D () C:\Program Files (x86)\Origin
 
==================== Files in the root of some directories =======
 
2013-08-28 15:32 - 2013-08-28 15:32 - 0003698 _____ () C:\Program Files (x86)\Mozilla Firefoxsafeguard-secure-search.xml
2015-01-13 16:21 - 2014-05-12 15:11 - 15686656 _____ () C:\Users\MARCUS\AppData\Roaming\mumble-1.2.5.msi
2015-01-13 16:22 - 2015-01-13 16:22 - 0000013 ___SH () C:\Users\MARCUS\AppData\Roaming\rtv.bin
2014-02-05 11:25 - 2014-02-05 11:25 - 0033193 _____ () C:\Users\MARCUS\AppData\Roaming\UserTile.png
2013-11-20 00:18 - 2014-10-27 03:00 - 0007599 _____ () C:\Users\MARCUS\AppData\Local\resmon.resmoncfg
2013-12-27 23:50 - 2013-10-28 23:50 - 0000032 ____R () C:\ProgramData\hash.dat
 
Files to move or delete:
====================
C:\ProgramData\hash.dat
C:\Users\MARCUS\jagex_cl_oldschool_LIVE.dat
C:\Users\MARCUS\random.dat
 
 
Some content of TEMP:
====================
C:\Users\MARCUS\AppData\Local\Temp\dllnt_dump.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-25 15:43
 
==================== End Of Log ============================



#2 nasdaq

  • Malware Response Team
  • 38,925 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 February 2015 - 10:33 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF SearchPlugin: C:\Users\MARCUS\AppData\Roaming\Mozilla\Firefox\Profiles\4yyp78ew.default\searchplugins\bingp.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
CHR Extension: (Google Wallet) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-27]
CHR Extension: (Google Wallet) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-14]
U3 catchme; \??\C:\ComboFix\catchme.sys [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
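
Added example (not code from the thread, from FRST or from BleepingComputer): a small Python triage script that applies the same heuristics the helper used to pick lines out of the FRST log above (FRST's own ATTENTION marker, plugin and driver entries whose file is gone, third-party Firefox search plugins, unsigned drivers, entries with no publisher) and emits candidate fixlist lines in the shape shown in the reply. The sample log lines are constructed, abridged from the FRST.txt posted in this thread; the rule names and the safe-to-fix split are this example's own choices, not FRST's.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs (added example)."""
from __future__ import annotations

from dataclasses import dataclass

ATTENTION = "<======= ATTENTION"  # marker FRST itself prints next to suspicious entries


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


# Heuristics mirroring the lines the helper pulled into the fixlist in this thread.
# Order matters: the first matching rule is the one reported for a line.
RULES = [
    ("frst-attention", lambda ln: ATTENTION in ln),                           # FRST flagged it itself
    ("missing-file", lambda ln: ln.endswith("No File") or ln.endswith("[X]")),  # entry points at a file that is gone
    ("search-plugin", lambda ln: ln.startswith("FF SearchPlugin:")),          # third-party search provider files
    ("unsigned-driver", lambda ln: "[File not signed]" in ln),                # review only, never auto-fix
    ("no-publisher", lambda ln: ln.startswith("() ") or ln.endswith("()")),   # no company name in version info
]

# Reasons this example treats as safe to copy into a fixlist; the rest are for a human to review.
FIXLIST_REASONS = ("frst-attention", "missing-file", "search-plugin")

# Constructed sample: a handful of lines abridged from the FRST.txt posted above.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
S3 FoxAwdWINFLASH64; C:\Program Files (x86)\FOXCONN\FOX LiveUpdate\FoxAwdWINFLASH64.SYS [17808 2007-06-13] (Foxconn Corporation) [File not signed]
U3 catchme; \??\C:\ComboFix\catchme.sys [X]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [75136 2014-05-30] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
"""


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that trips a rule, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        # Skip blanks, section banners and FRST's own "(If an entry ...)" explanations.
        if not line or line.startswith("====") or line.startswith("(If ") or line.startswith("(There "):
            continue
        for reason, matches in RULES:
            if matches(line):
                findings.append(Finding(reason, line))
                break
    return findings


def build_fixlist(findings: list[Finding], reasons=FIXLIST_REASONS) -> str:
    """Emit a fixlist in the shape used in the reply above: CloseProcesses: followed by
    the selected log lines copied verbatim, since FRST matches fixlist entries against
    its own log output."""
    body = [f.line for f in findings if f.reason in reasons]
    return "\n".join(["CloseProcesses:", *body]) + "\n"


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason for a quick overview before editing the fixlist by hand."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason:16} {f.line}")
    print("\n--- candidate fixlist.txt ---")
    print(build_fixlist(found))
```

Review-only categories (unsigned drivers, missing publisher) are reported but never written to the fixlist, because legitimate software such as PunkBuster shows up there too.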

#3 coolhandluth

  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:40 AM

Posted 02 February 2015 - 12:41 PM

Hey, thanks for the help so far. I copied and ran the fixlist as said, and restarted the computer. However, no Fixlog.txt came up and I am unable to find that it created it anywhere, not sure if I did something wrong. I did run the Adwarecleaner.exe and am posting the results:

 

# AdwCleaner v4.109 - Report created 02/02/2015 at 11:34:04
# Updated 24/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : MARCUS - LUTHER-PC
# Running from : C:\Users\MARCUS\Downloads\adwcleaner_4.109.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Deleted : C:\Windows\System32\roboot64.exe
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 228200
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v40.0.2214.94
 
[C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.fantastigames.com/web?src=crb&gct=ds&appid=103&systemid=463&q={searchTerms}
[C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [1709 octets] - [02/02/2015 11:29:22]
AdwCleaner[S0].txt - [1593 octets] - [02/02/2015 11:34:04]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1653 octets] ##########
 
Thanks!


#4 nasdaq

  • Malware Response Team
  • 38,925 posts

Posted 02 February 2015 - 02:41 PM

Run the Farbar tool normally and post a fresh log. I will review it.

How is the computer running now?

#5 coolhandluth

  • Topic Starter

  • Members
  • 6 posts

Posted 02 February 2015 - 02:45 PM

Ok, will do. The thing is the computer has always run fine, but they were getting into programs and stealing information and transferring things to their accounts. Along with virtual currency, I just received a notice of a suspicious charge that I definitely did not authorize on my credit card, so this whole thing really sucks. Thanks for your help, running the scan now and I'll post when I'm done.



#6 coolhandluth

  • Topic Starter

  • Members
  • 6 posts

Posted 02 February 2015 - 03:03 PM

Here's the log. I should probably add that I got the virus from a friend who had a virus and sent me a link to download mumble; I contracted the bad stuff either through mumble or the bad link, not sure which. I uninstalled mumble, but apparently the damage was already done.
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2015
Ran by MARCUS (administrator) on LUTHER-PC on 02-02-2015 13:59:14
Running from C:\Users\MARCUS\Downloads
Loaded Profiles: MARCUS (Available profiles: MARCUS)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2531472 2014-12-12] (NVIDIA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-01-27] (Apple Inc.)
HKLM-x32\...\Run: [amd_dc_opt] => C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\...\Run: [iCloudDrive] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe [43816 2014-10-20] (Apple Inc.)
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\...\Run: [GoogleChromeAutoLaunch_B5392DF6F078FA48EC3C95E50CBE3F4E] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [843592 2015-01-26] (Google Inc.)
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7404312 2015-01-20] (Piriform Ltd)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1274005809-3457345562-43971716-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=UP97&ocid=UP97DHP&dt=062513
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1274005809-3457345562-43971716-1001 -> BEC4E7530BA6490AB40BD8C1A600BBA9 URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=293224&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1274005809-3457345562-43971716-1001 -> {30E21D6C-92B0-4FDD-92D0-3E08D6160967} URL = http://www.bing.com/search?FORM=UP97DF&PC=UP97&dt=062313&q={searchTerms}&src=IE-SearchBox
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} http://10.0.1.55/codebase/DVM_IPCam2.ocx
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
Tcpip\..\Interfaces\{C4001740-0B91-4695-9FA7-BEB01998F413}: [NameServer] 208.67.222.222,208.67.220.220,10.0.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\MARCUS\AppData\Roaming\Mozilla\Firefox\Profiles\4yyp78ew.default
FF SearchEngineOrder.3: Bing 
FF Homepage: google.com
FF Keyword.URL: hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&dt=062313&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_296.dll ()
FF Plugin: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelogx64.dll (EA Digital Illusions CE AB)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\MARCUS\AppData\Roaming\Mozilla\Firefox\Profiles\4yyp78ew.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-10-15]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-07-14]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-27]
CHR Extension: (Google Drive) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-27]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-27]
CHR Extension: (YouTube) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-27]
CHR Extension: (Google Search) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-27]
CHR Extension: (Pandora) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbangkleohkafngihneedemihgfeikcl [2014-10-27]
CHR Extension: (AdBlock) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-10-27]
CHR Extension: (Hangouts) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd [2014-10-27]
CHR Extension: (Gmail) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-27]
CHR Profile: C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-14]
CHR Extension: (Google Docs) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-14]
CHR Extension: (Google Drive) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-14]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-14]
CHR Extension: (YouTube) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-14]
CHR Extension: (Google Search) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-14]
CHR Extension: (Google Sheets) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-14]
CHR Extension: (Skype Click to Call) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-01-14]
CHR Extension: (Gmail) - C:\Users\MARCUS\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-14]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2014-12-12] (NVIDIA Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1701520 2014-12-12] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19823248 2014-12-12] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1910128 2015-02-02] (Electronic Arts)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [75136 2014-05-30] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 FoxAwdWINFLASH64; C:\Program Files (x86)\FOXCONN\FOX LiveUpdate\FoxAwdWINFLASH64.SYS [17808 2007-06-13] (Foxconn ® Corporation) [File not signed]
S3 FXDrv32; C:\Program Files (x86)\FOXCONN\FOX LiveUpdate\FXDrv64.sys [32024 2005-12-08] (Your Corporation)
R3 irsir; C:\Windows\System32\DRIVERS\irsir.sys [27648 2008-01-19] (Microsoft Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2014-12-12] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
S3 RzDxgk; C:\Windows\system32\drivers\RzDxgk.sys [129472 2014-04-18] (Razer, Inc.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-02-01] ()
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-02 13:59 - 2015-02-02 13:59 - 02131456 _____ (Farbar) C:\Users\MARCUS\Downloads\FRST64.exe
2015-02-02 12:52 - 2015-02-02 12:52 - 00000000 ____D () C:\Users\MARCUS\AppData\Local\ESN
2015-02-02 12:50 - 2015-02-02 12:50 - 01533584 _____ () C:\Users\MARCUS\Downloads\battlelog-web-plugins_2.6.2_157 (1).exe
2015-02-02 12:49 - 2015-02-02 12:49 - 01533584 _____ () C:\Users\MARCUS\Downloads\battlelog-web-plugins_2.6.2_157.exe
2015-02-02 11:28 - 2015-02-02 11:34 - 00000000 ____D () C:\AdwCleaner
2015-02-02 11:27 - 2015-02-02 11:28 - 02194432 _____ () C:\Users\MARCUS\Downloads\adwcleaner_4.109.exe
2015-02-02 11:24 - 2015-02-02 11:35 - 00001346 _____ () C:\Windows\PFRO.log
2015-02-02 11:24 - 2015-02-02 11:35 - 00000336 _____ () C:\Windows\setupact.log
2015-02-02 11:24 - 2015-02-02 11:24 - 00000000 _____ () C:\Windows\setuperr.log
2015-02-02 07:56 - 2015-02-02 07:56 - 00000000 ____D () C:\Users\MARCUS\AppData\Local\CrashDumps
2015-02-02 07:48 - 2015-02-02 07:48 - 00448512 _____ (OldTimer Tools) C:\Users\MARCUS\Downloads\TFC.exe
2015-02-02 07:34 - 2015-02-02 07:35 - 00276348 _____ () C:\Users\MARCUS\Documents\cc_20150202_073422.reg
2015-02-02 07:26 - 2015-02-02 07:26 - 05325208 _____ (Piriform Ltd) C:\Users\MARCUS\Downloads\ccsetup502.exe
2015-02-02 07:26 - 2015-02-02 07:26 - 00002774 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-02-02 07:26 - 2015-02-02 07:26 - 00000000 ____D () C:\Program Files\CCleaner
2015-02-01 16:46 - 2015-02-01 16:46 - 00075136 _____ () C:\Users\MARCUS\Downloads\PnkBstrA.exe
2015-02-01 16:45 - 2015-02-01 16:45 - 00125896 _____ () C:\Users\MARCUS\Downloads\Extras.Txt
2015-02-01 16:44 - 2015-02-01 16:44 - 00221488 _____ () C:\Users\MARCUS\Downloads\OTL.Txt
2015-02-01 16:38 - 2015-02-01 16:38 - 00602112 _____ (OldTimer Tools) C:\Users\MARCUS\Downloads\OTL.exe
2015-02-01 16:05 - 2015-02-01 16:19 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-02-01 16:04 - 2015-02-01 16:04 - 16466552 _____ (Malwarebytes Corp.) C:\Users\MARCUS\Downloads\mbar-1.08.3.1004.exe
2015-02-01 11:19 - 2015-02-01 11:19 - 00001753 _____ () C:\Users\Public\Desktop\iTunes.lnk
2015-02-01 11:19 - 2015-02-01 11:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-02-01 11:18 - 2015-02-01 11:18 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2015-02-01 11:18 - 2015-02-01 11:18 - 00000000 ____D () C:\Program Files\iTunes
2015-02-01 11:18 - 2015-02-01 11:18 - 00000000 ____D () C:\Program Files\iPod
2015-02-01 11:18 - 2015-02-01 11:18 - 00000000 ____D () C:\Program Files (x86)\iTunes
2015-02-01 10:47 - 2015-02-02 13:59 - 00018076 _____ () C:\Users\MARCUS\Downloads\FRST.txt
2015-02-01 10:47 - 2015-02-01 10:48 - 00026945 _____ () C:\Users\MARCUS\Downloads\Addition.txt
2015-02-01 10:45 - 2015-02-02 13:59 - 00000000 ____D () C:\FRST
2015-02-01 10:28 - 2015-02-01 10:28 - 15431256 _____ () C:\Users\MARCUS\Downloads\RogueKiller.exe
2015-02-01 10:28 - 2015-02-01 10:28 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-02-01 10:28 - 2015-02-01 10:28 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-01 10:25 - 2015-02-01 10:25 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\MARCUS\Downloads\rkill.exe
2015-02-01 10:25 - 2015-02-01 10:25 - 00000000 ____D () C:\Users\MARCUS\Desktop\rkill
2015-02-01 10:23 - 2015-02-01 10:23 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\MARCUS\Downloads\tdsskiller.exe
2015-02-01 10:14 - 2015-02-01 10:14 - 00026093 _____ () C:\Users\MARCUS\Desktop\ComboFix.txt
2015-02-01 10:12 - 2015-02-01 10:12 - 00026093 _____ () C:\ComboFix.txt
2015-02-01 10:02 - 2011-06-26 00:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-02-01 10:02 - 2010-11-07 11:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-02-01 10:02 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00098816 _____ () C:\Windows\sed.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00080412 _____ () C:\Windows\grep.exe
2015-02-01 10:02 - 2000-08-30 18:00 - 00068096 _____ () C:\Windows\zip.exe
2015-02-01 10:01 - 2015-02-01 10:12 - 00000000 ____D () C:\Qoobox
2015-02-01 10:01 - 2015-02-01 10:11 - 00000000 ____D () C:\Windows\erdnt
2015-02-01 10:01 - 2015-02-01 10:01 - 00000000 ____D () C:\Program Files (x86) (x86)
2015-02-01 09:59 - 2015-02-01 09:59 - 05611408 ____R (Swearware) C:\Users\MARCUS\Downloads\ComboFix.exe
2015-01-14 02:13 - 2014-12-18 21:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 02:13 - 2014-12-18 19:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 02:13 - 2014-12-11 23:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 02:13 - 2014-12-11 23:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 02:13 - 2014-12-11 23:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 02:13 - 2014-12-11 23:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 02:13 - 2014-12-11 23:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 02:13 - 2014-12-11 23:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 02:13 - 2014-12-11 23:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-14 02:13 - 2014-12-11 11:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 02:13 - 2014-12-05 22:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 02:13 - 2014-12-05 21:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 02:13 - 2014-12-05 21:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-13 16:22 - 2015-01-13 16:22 - 00000013 ___SH () C:\Users\MARCUS\AppData\Roaming\rtv.bin
2015-01-13 16:21 - 2014-05-12 15:11 - 15686656 _____ () C:\Users\MARCUS\AppData\Roaming\mumble-1.2.5.msi
2015-01-09 15:52 - 2014-11-22 04:46 - 00038032 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2015-01-09 15:52 - 2014-11-22 04:46 - 00032400 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-02 13:46 - 2014-05-29 20:02 - 00000000 ____D () C:\ProgramData\Origin
2015-02-02 13:46 - 2013-10-03 23:25 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-02-02 13:37 - 2014-03-24 21:02 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-02 13:15 - 2013-10-09 17:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-02 12:52 - 2014-04-15 18:28 - 00280904 _____ () C:\Windows\SysWOW64\PnkBstrB.xtr
2015-02-02 12:52 - 2014-04-15 18:22 - 00280904 _____ () C:\Windows\SysWOW64\PnkBstrB.exe
2015-02-02 12:51 - 2014-05-30 05:15 - 00000000 ____D () C:\Program Files (x86)\Battlelog Web Plugins
2015-02-02 12:46 - 2014-05-29 20:02 - 00000000 ____D () C:\Program Files (x86)\Origin
2015-02-02 11:42 - 2009-07-13 22:45 - 00015328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-02 11:42 - 2009-07-13 22:45 - 00015328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-02 11:39 - 2013-06-19 08:27 - 01261510 _____ () C:\Windows\WindowsUpdate.log
2015-02-02 11:35 - 2014-12-08 06:23 - 00000000 ___RD () C:\Users\MARCUS\iCloudDrive
2015-02-02 11:35 - 2014-03-24 21:02 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-02 11:35 - 2013-06-19 08:59 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-02-02 11:35 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-02 07:36 - 2013-08-16 00:13 - 00000000 ____D () C:\Windows\pss
2015-02-02 07:36 - 2013-07-02 13:14 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-02 07:33 - 2013-08-28 11:25 - 00000000 ____D () C:\Users\MARCUS\AppData\Roaming\DAEMON Tools Pro
2015-02-02 07:32 - 2013-06-21 08:46 - 00000000 ____D () C:\Windows\Minidump
2015-02-02 07:32 - 2013-06-20 12:34 - 00000000 ____D () C:\Users\MARCUS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Open Broadcaster Software
2015-02-02 07:32 - 2013-06-18 17:31 - 00000000 ____D () C:\Windows\Panther
2015-02-02 07:08 - 2013-06-19 19:59 - 00000000 ____D () C:\Users\MARCUS\AppData\Roaming\Skype
2015-02-01 16:20 - 2014-07-10 15:48 - 00097496 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-01 16:05 - 2014-07-10 15:48 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-01 11:18 - 2014-10-09 23:12 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-02-01 10:12 - 2009-07-13 21:20 - 00000000 __RHD () C:\Users\Default
2015-02-01 10:11 - 2009-07-13 20:34 - 00000215 _____ () C:\Windows\system.ini
2015-02-01 10:08 - 2013-07-12 12:27 - 00000000 ____D () C:\ProgramData\TEMP
2015-01-27 00:38 - 2014-09-28 04:23 - 00002042 _____ () C:\Users\Public\Desktop\Google Slides.lnk
2015-01-27 00:38 - 2014-09-28 04:23 - 00002040 _____ () C:\Users\Public\Desktop\Google Sheets.lnk
2015-01-27 00:38 - 2014-09-28 04:23 - 00002030 _____ () C:\Users\Public\Desktop\Google Docs.lnk
2015-01-27 00:38 - 2014-09-28 04:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2015-01-26 19:04 - 2013-10-09 17:04 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-26 19:04 - 2013-06-19 15:51 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-26 19:04 - 2013-06-19 15:51 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-22 02:11 - 2014-10-15 16:12 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-22 02:11 - 2013-10-03 22:34 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-22 02:10 - 2014-10-15 16:12 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-20 21:57 - 2014-09-08 23:39 - 00000000 ____D () C:\Users\MARCUS\Documents\Outlook Files
2015-01-19 17:37 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-14 02:29 - 2013-07-26 02:00 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 02:22 - 2013-06-19 09:05 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-13 17:39 - 2014-07-10 15:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-13 17:39 - 2014-07-10 15:48 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-13 17:15 - 2013-09-29 12:29 - 00000000 ____D () C:\Users\MARCUS\AppData\Roaming\Mumble
2015-01-10 12:26 - 2009-07-13 23:08 - 00032638 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
 
==================== Files in the root of some directories =======
 
2013-08-28 15:32 - 2013-08-28 15:32 - 0003698 _____ () C:\Program Files (x86)\Mozilla Firefoxsafeguard-secure-search.xml
2015-01-13 16:21 - 2014-05-12 15:11 - 15686656 _____ () C:\Users\MARCUS\AppData\Roaming\mumble-1.2.5.msi
2015-01-13 16:22 - 2015-01-13 16:22 - 0000013 ___SH () C:\Users\MARCUS\AppData\Roaming\rtv.bin
2014-02-05 11:25 - 2014-02-05 11:25 - 0033193 _____ () C:\Users\MARCUS\AppData\Roaming\UserTile.png
2013-11-20 00:18 - 2014-10-27 03:00 - 0007599 _____ () C:\Users\MARCUS\AppData\Local\resmon.resmoncfg
2013-12-27 23:50 - 2013-10-28 23:50 - 0000032 ____R () C:\ProgramData\hash.dat
 
Files to move or delete:
====================
C:\ProgramData\hash.dat
C:\Users\MARCUS\jagex_cl_oldschool_LIVE.dat
C:\Users\MARCUS\random.dat
 
 
Some content of TEMP:
====================
C:\Users\MARCUS\AppData\Local\Temp\Quarantine.exe
C:\Users\MARCUS\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-25 15:43
 
==================== End Of Log ============================


#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 February 2015 - 09:05 AM

Your log is clean.

I can only suggest you change all your passwords if not already done.

#8 coolhandluth

coolhandluth
  • Topic Starter

  • Members
  • 6 posts

Posted 03 February 2015 - 12:40 PM

I will do that again. Thanks again for all your help, very much appreciated!



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,925 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 February 2015 - 08:46 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



