Win 8.1 Possibly RAT/Trojan


  • This topic is locked
2 replies to this topic

#1 Xtreme37


Posted 13 March 2015 - 07:02 AM

Control Panel and Task Manager are disabled and when I run adwaware it doesn't open. Malwarebytes has stopped running.

I am also no longer the administrator and I am running Linux alongside as well.


I believe this is a very hard to find Trojan so if anything I can re-install windows...


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by SYSTEM on MININT-NDJJEEC on 12-03-2015 23:46:37
Running from c:\
Platform: Windows 8.1 Pro (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [495616 2014-05-12] (Greenshot)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-26] (AVAST Software)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKU\Xtreme\...\Run: [uTorrent] => C:\Users\Xtreme\AppData\Roaming\uTorrent\uTorrent.exe [1742928 2015-03-03] (BitTorrent Inc.)
HKU\Xtreme\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [30877280 2014-12-11] (Skype Technologies S.A.)
HKU\Xtreme\...\Run: [f.lux] => C:\Users\Xtreme\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\Xtreme\...\Run: [SandboxieControl] => C:\Program Files\Sandboxie\SbieCtrl.exe [632328 2014-10-14] (Sandboxie Holdings, LLC)
HKU\Xtreme\...\Run: [test] => C:\Users\Xtreme\AppData\Roaming\test.exe
HKU\Xtreme\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-24] (Yahoo! Inc.)
Startup: C:\Users\Xtreme\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gajim.lnk
ShortcutTarget: Gajim.lnk -> C:\Program Files\Gajim\bin\gajim.exe (Gajim Development Team)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-01-02] (AVAST Software)
S2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [104416 2015-01-02] (AVAST Software)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [33080 2014-12-01] (The OpenVPN Project)
S2 ptservice; C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptservice.exe [17816 2014-10-02] (OpenVPN Technologies, Inc)
S2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [134664 2014-10-14] (Sandboxie Holdings, LLC)
S3 ScDeviceEnum; C:\Windows\System32\ScDeviceEnum.dll [105472 2013-08-21] (Microsoft Corporation)
S2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
S2 vncserver; C:\Program Files\RealVNC\VNC Server\vncservice.exe [469312 2014-11-28] (RealVNC Ltd)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [284488 2015-02-03] (Microsoft Corporation)
S3 WEPHOSTSVC; C:\Windows\system32\wephostsvc.dll [20992 2013-08-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [22200 2015-02-03] (Microsoft Corporation)
S3 workfolderssvc; C:\Windows\system32\workfolderssvc.dll [1222144 2014-07-23] (Microsoft Corporation)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
S2 WrensWeberSpade; "C:\Windows\System32\lopedinkequip.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2015-01-02] ()
S1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [26136 2015-01-02] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [70384 2015-01-02] (AVAST Software)
S0 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [271288 2015-01-02] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [81768 2015-01-02] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49944 2015-01-02] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [787800 2015-01-02] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423784 2015-01-02] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [91496 2015-01-02] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [206248 2015-01-02] ()
S3 athr; C:\Windows\system32\DRIVERS\athwn.sys [2795520 2013-06-18] (Qualcomm Atheros Communications, Inc.)
S1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [25600 2014-03-18] (Microsoft Corporation)
S3 GPIO; C:\Windows\System32\drivers\iaiogpio.sys [22016 2013-07-23] (Intel Corporation)
S3 L1C; C:\Windows\system32\DRIVERS\L1C63x86.sys [110792 2013-06-18] (Qualcomm Atheros Co., Ltd.)
S2 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [75480 2014-11-21] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
S2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
S3 ptun0901; C:\Windows\system32\DRIVERS\ptun0901.sys [23552 2014-08-08] (The OpenVPN Project)
S3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [161288 2014-10-14] (Sandboxie Holdings, LLC)
S3 SCREAMINGBDRIVER; C:\Windows\system32\drivers\ScreamingBAudio.sys [34896 2010-07-01] (Screaming Bee LLC)
S3 StMp3Rec; C:\Windows\System32\Drivers\StMp3Rec.sys [19840 2007-02-14] (Generic)
S3 tap0901; C:\Windows\system32\DRIVERS\tap0901.sys [23040 2014-11-05] (The OpenVPN Project)
S3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [22016 2013-08-29] (Windows ® Win 7 DDK provider)
S1 veracrypt; C:\Windows\System32\drivers\veracrypt.sys [190808 2014-12-30] (IDRIX)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [84800 2015-02-03] (Microsoft Corporation)
S0 Wof; C:\Windows\System32\Drivers\Wof.sys [138584 2014-06-24] (Microsoft Corporation)
S3 WUDFWpdMtp; C:\Windows\system32\DRIVERS\WUDFRd.sys [188416 2014-05-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-12 23:37 - 2015-03-12 23:46 - 00000000 _____ () C:\FRST.txt
2015-03-12 23:37 - 2015-03-12 23:38 - 00000000 ____D () C:\FRST
2015-03-12 03:58 - 2015-03-12 03:59 - 15632984 _____ () C:\Users\Xtreme\Downloads\RogueKiller.exe
2015-03-12 03:44 - 2015-03-12 03:44 - 01135104 _____ (Farbar) C:\Users\Xtreme\Desktop\FRST.exe
2015-03-12 03:44 - 2015-03-12 03:44 - 00000414 _____ () C:\Users\Xtreme\Downloads\TaskManagerFix.bat
2015-03-12 01:18 - 2015-03-12 01:18 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Xtreme\Downloads\mbam-setup-2.0.4.1028.exe
2015-03-11 22:17 - 2015-03-11 22:17 - 00000000 ____D () C:\Users\Xtreme\AppData\Local\Steam
2015-03-10 21:37 - 2015-03-10 21:42 - 00400720 _____ () C:\Users\Xtreme\Downloads\doublekiller.zip
2015-03-10 12:44 - 2015-02-05 17:08 - 01943040 _____ (Microsoft Corporation) C:\Windows\System32\dwmcore.dll
2015-03-10 12:44 - 2015-01-29 10:34 - 01488040 _____ (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2015-03-10 12:44 - 2015-01-20 21:15 - 01123848 _____ (Microsoft Corporation) C:\Windows\System32\msctf.dll
2015-03-10 12:43 - 2015-03-05 18:33 - 00358912 _____ (Microsoft Corporation) C:\Windows\System32\schannel.dll
2015-03-10 12:43 - 2015-02-20 16:41 - 12827648 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2015-03-10 12:43 - 2015-02-20 16:25 - 19720192 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2015-03-10 12:43 - 2015-02-19 18:03 - 02278400 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2015-03-10 12:43 - 2015-02-19 17:30 - 04300288 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2015-03-10 12:43 - 2015-02-19 17:01 - 01888256 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2015-03-10 12:43 - 2015-02-19 16:57 - 01311232 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2015-03-10 12:43 - 2015-02-12 09:34 - 19731824 _____ (Microsoft Corporation) C:\Windows\System32\shell32.dll
2015-03-10 12:43 - 2015-02-07 15:49 - 00791040 _____ (Microsoft Corporation) C:\Windows\System32\MrmCoreR.dll
2015-03-10 12:43 - 2015-02-06 15:09 - 00396419 _____ () C:\Windows\System32\ApnDatabase.xml
2015-03-10 12:43 - 2015-02-02 16:03 - 03551744 _____ (Microsoft Corporation) C:\Windows\System32\D3DCompiler_47.dll
2015-03-10 12:43 - 2015-01-30 15:29 - 02484224 _____ (Microsoft Corporation) C:\Windows\System32\msftedit.dll
2015-03-10 12:43 - 2015-01-30 15:20 - 00162304 _____ (Microsoft Corporation) C:\Windows\System32\ubpm.dll
2015-03-10 12:43 - 2015-01-29 18:25 - 00083456 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\hidbth.sys
2015-03-10 12:43 - 2015-01-29 17:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\System32\mfc42u.dll
2015-03-10 12:43 - 2015-01-29 17:42 - 01204224 _____ (Microsoft Corporation) C:\Windows\System32\mfc42.dll
2015-03-10 12:43 - 2015-01-28 17:29 - 00290816 _____ (Microsoft Corporation) C:\Windows\System32\photowiz.dll
2015-03-10 12:43 - 2015-01-28 17:00 - 00210944 _____ (Microsoft Corporation) C:\Windows\System32\Windows.ApplicationModel.Store.TestingFramework.dll
2015-03-10 12:43 - 2015-01-28 16:56 - 00602624 _____ (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2015-03-10 12:43 - 2015-01-28 16:55 - 00873984 _____ (Microsoft Corporation) C:\Windows\System32\localspl.dll
2015-03-10 12:43 - 2015-01-28 16:50 - 00811008 _____ (Microsoft Corporation) C:\Windows\System32\WSShared.dll
2015-03-10 12:43 - 2015-01-27 15:41 - 02207488 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2015-03-10 12:43 - 2015-01-22 21:02 - 00560392 _____ (Microsoft Corporation) C:\Windows\System32\SHCore.dll
2015-03-10 12:43 - 2014-12-10 21:40 - 00041296 _____ (Microsoft Corporation) C:\Windows\System32\LockScreenContentServer.exe
2015-03-10 12:43 - 2014-10-28 17:58 - 00061952 _____ (Microsoft Corporation) C:\Windows\System32\printui.exe
2015-03-10 12:43 - 2014-10-28 17:52 - 00289280 _____ (Microsoft Corporation) C:\Windows\System32\compstui.dll
2015-03-10 12:43 - 2014-10-28 17:52 - 00078336 _____ (Microsoft Corporation) C:\Windows\System32\WSReset.exe
2015-03-10 12:43 - 2014-10-28 17:51 - 00083456 _____ (Microsoft Corporation) C:\Windows\System32\WSCollect.exe
2015-03-10 12:43 - 2014-10-28 17:28 - 00055808 _____ (Microsoft Corporation) C:\Windows\System32\findnetprinters.dll
2015-03-10 12:43 - 2014-10-28 17:20 - 00367104 _____ (Microsoft Corporation) C:\Windows\System32\puiobj.dll
2015-03-10 12:43 - 2014-10-28 17:17 - 00730624 _____ (Microsoft Corporation) C:\Windows\System32\pmcsnap.dll
2015-03-10 12:43 - 2014-10-28 17:15 - 00238592 _____ (Microsoft Corporation) C:\Windows\System32\ppcsnap.dll
2015-03-10 12:43 - 2014-10-28 17:15 - 00199168 _____ (Microsoft Corporation) C:\Windows\System32\prnntfy.dll
2015-03-10 12:43 - 2014-10-28 17:05 - 00035840 _____ (Microsoft Corporation) C:\Windows\System32\atlthunk.dll
2015-03-10 12:43 - 2014-10-28 16:55 - 00223744 _____ (Microsoft Corporation) C:\Windows\System32\Windows.ApplicationModel.Store.dll
2015-03-10 12:43 - 2014-10-28 16:44 - 00167424 _____ (Microsoft Corporation) C:\Windows\System32\puiapi.dll
2015-03-10 12:43 - 2014-10-28 16:35 - 00203776 _____ (Microsoft Corporation) C:\Windows\System32\DafPrintProvider.dll
2015-03-10 12:42 - 2015-02-25 15:27 - 03543552 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2015-03-10 12:42 - 2015-02-20 16:27 - 00285696 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2015-03-10 12:42 - 2015-02-20 16:27 - 00128000 _____ (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2015-03-10 12:42 - 2015-02-20 15:32 - 00076288 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2015-03-10 12:42 - 2015-02-19 18:20 - 00301056 _____ (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2015-03-10 12:42 - 2015-02-19 18:15 - 00035840 _____ (Adobe Systems) C:\Windows\System32\atmlib.dll
2015-03-10 12:42 - 2015-02-19 18:09 - 00503296 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2015-03-10 12:42 - 2015-02-19 18:06 - 00064000 _____ (Microsoft Corporation) C:\Windows\System32\MshtmlDac.dll
2015-03-10 12:42 - 2015-02-19 17:56 - 00664064 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2015-03-10 12:42 - 2015-02-19 17:30 - 00880128 _____ (Microsoft Corporation) C:\Windows\System32\inetcomm.dll
2015-03-10 12:42 - 2015-02-19 17:26 - 00230400 _____ (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2015-03-10 12:42 - 2015-02-19 17:24 - 02052608 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2015-03-10 12:42 - 2015-02-19 17:24 - 00689152 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2015-03-10 12:42 - 2015-02-19 17:24 - 00684544 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2015-03-10 12:42 - 2015-02-19 16:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2015-03-10 12:42 - 2015-02-05 12:17 - 00869696 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2015-03-10 12:42 - 2015-02-03 15:51 - 00227136 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\WdFilter.sys
2015-03-10 12:42 - 2015-02-03 15:51 - 00084800 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\WdNisDrv.sys
2015-03-10 12:42 - 2015-02-03 15:51 - 00038392 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\WdBoot.sys
2015-03-10 12:42 - 2015-02-02 15:53 - 00012800 _____ (Microsoft Corporation) C:\Windows\System32\winshfhc.dll
2015-03-10 12:42 - 2015-01-29 17:40 - 00091648 _____ (Microsoft Corporation) C:\Windows\System32\eappgnui.dll
2015-03-10 12:42 - 2015-01-29 17:24 - 00250880 _____ (Microsoft Corporation) C:\Windows\System32\eapp3hst.dll
2015-03-10 12:42 - 2015-01-29 17:16 - 00266752 _____ (Microsoft Corporation) C:\Windows\System32\eapphost.dll
2015-03-10 12:42 - 2015-01-29 17:06 - 00278016 _____ (Microsoft Corporation) C:\Windows\System32\eappcfg.dll
2015-03-10 12:42 - 2015-01-28 16:49 - 02459136 _____ (Microsoft Corporation) C:\Windows\System32\authui.dll
2015-03-10 12:42 - 2015-01-28 07:35 - 05769024 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2015-03-10 12:42 - 2015-01-28 07:35 - 01468408 _____ (Microsoft Corporation) C:\Windows\System32\ntdll.dll
2015-03-10 12:42 - 2015-01-27 17:47 - 00060928 _____ (Microsoft Corporation) C:\Windows\System32\StorageContextHandler.dll
2015-03-10 12:42 - 2015-01-27 17:11 - 00357376 _____ (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2015-03-10 12:42 - 2015-01-23 18:20 - 00117248 _____ (Microsoft Corporation) C:\Windows\System32\rdpudd.dll
2015-03-10 12:42 - 2015-01-23 17:51 - 00816128 _____ (Microsoft Corporation) C:\Windows\System32\calc.exe
2015-03-10 12:42 - 2015-01-23 16:48 - 02975744 _____ (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2015-03-10 12:42 - 2014-10-28 19:10 - 00022848 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\rdpvideominiport.sys
2015-03-10 12:42 - 2014-10-28 18:04 - 00003072 _____ (Microsoft Corporation) C:\Windows\System32\lpk.dll
2015-03-10 12:42 - 2014-10-28 18:00 - 00077824 _____ (Microsoft Corporation) C:\Windows\System32\fontsub.dll
2015-03-10 12:42 - 2014-10-28 18:00 - 00011776 _____ (Microsoft Corporation) C:\Windows\System32\dciman32.dll
2015-03-10 12:42 - 2014-10-28 17:54 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\rfxvmt.dll
2015-03-10 12:42 - 2014-10-28 16:59 - 00056320 _____ (Microsoft Corporation) C:\Windows\System32\eappprxy.dll
2015-03-09 22:54 - 2015-03-09 22:54 - 00000807 _____ () C:\Users\Xtreme\Downloads\jamiew_'s_server_setup.txt
2015-03-09 22:54 - 2015-03-09 22:54 - 00000596 _____ () C:\Users\Xtreme\Downloads\jamiew_'s_auto_exec.txt
2015-03-09 21:13 - 2015-03-09 21:13 - 05140387 _____ () C:\Users\Xtreme\Downloads\dejavu-fonts-ttf-2.34(1).zip
2015-03-09 21:10 - 2015-03-09 21:11 - 05140387 _____ () C:\Users\Xtreme\Downloads\dejavu-fonts-ttf-2.34.zip
2015-03-09 20:29 - 2015-03-09 20:29 - 00000868 _____ () C:\Users\Xtreme\AppData\Local\recently-used.xbel
2015-03-08 15:58 - 2015-03-08 16:08 - 00000000 ____D () C:\Users\Xtreme\Downloads\Ghost_in_the_Shell_Stand_Alone_Complex_2nd_GIG_[THORA][720p]
2015-03-06 20:30 - 2015-03-06 23:37 - 00000000 ____D () C:\Users\Xtreme\Downloads\Ghost in the Shell - Stand Alone Complex
2015-03-06 19:44 - 2015-03-06 19:44 - 00000000 ____D () C:\Users\Xtreme\Downloads\Ghost in the Shell - Stand Alone Complex - Solid State Society 3D (Another Dimension 2D Edition)
2015-03-06 05:04 - 2015-03-06 05:23 - 00000000 ____D () C:\Users\Xtreme\Downloads\How to Talk to Anyone 92 Little Tricks for Big Success in Relationships - MG
2015-03-05 22:48 - 2015-03-05 23:01 - 00000000 ____D () C:\Users\Xtreme\Downloads\[CBM] Ghost in the Shell Arise 1-2 (Dual Audio) [BDRip-1080p-8bit-AC3]
2015-03-05 22:43 - 2015-03-06 19:26 - 00000000 ____D () C:\Users\Xtreme\Downloads\Ghost in the Shell
2015-03-03 23:27 - 2015-03-03 23:35 - 00000593 _____ () C:\Users\Xtreme\Desktop\Tech Scam SE.txt
2015-03-03 13:13 - 2015-03-03 13:15 - 63463424 _____ () C:\Users\Xtreme\Downloads\EpicGamesLauncherInstaller-2.0.1-2467307.msi
2015-03-02 22:01 - 2015-03-02 22:04 - 63361024 _____ () C:\Users\Xtreme\Downloads\EpicGamesLauncherInstaller-2.0.0-2465596.msi
2015-02-27 14:33 - 2015-02-27 17:36 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-02-27 14:27 - 2015-02-27 17:36 - 00000000 ____D () C:\Users\Xtreme\Desktop\mbar
2015-02-27 14:26 - 2015-02-27 14:27 - 16502728 _____ (Malwarebytes Corp.) C:\Users\Xtreme\Downloads\mbar-1.09.1.1004.exe
2015-02-26 22:56 - 2015-02-26 22:57 - 262144000 _____ () C:\Users\Xtreme\Documents\A2Z
2015-02-26 21:14 - 2015-02-27 03:53 - 3686891520 ____R () C:\Users\Xtreme\Downloads\CSGO v1.34.6.9.iso
2015-02-25 00:23 - 2015-02-25 02:15 - 00000213 _____ () C:\Users\Xtreme\Desktop\csgo practice bots for headshots etc.txt
2015-02-24 13:19 - 2014-12-13 13:29 - 00513488 _____ () C:\Windows\System32\locale.nls
2015-02-24 13:19 - 2014-10-28 17:04 - 00868352 _____ (Microsoft Corporation) C:\Windows\System32\Windows.Globalization.dll
2015-02-24 13:19 - 2014-10-28 17:04 - 00200704 _____ (Microsoft Corporation) C:\Windows\System32\GlobCollationHost.dll
2015-02-24 06:08 - 2015-02-24 06:08 - 00000142 _____ () C:\Users\Xtreme\Desktop\foot note example.txt
2015-02-22 04:13 - 2015-03-12 00:04 - 00000455 _____ () C:\Users\Xtreme\Desktop\cs go crosshair.txt
2015-02-21 22:57 - 2015-02-21 23:11 - 00000000 ____D () C:\Users\Xtreme\Downloads\Ronald Jenkees - Alpha Numeric (2014) ~{B@tman}
2015-02-20 19:43 - 2015-03-10 22:07 - 00000000 ____D () C:\Program Files\Counter-Strike Global Offensive
2015-02-20 16:41 - 2015-02-20 16:41 - 00000000 ____D () C:\Users\Xtreme\AppData\Roaming\java
2015-02-20 16:40 - 2015-02-20 16:40 - 02997389 _____ () C:\Users\Xtreme\Downloads\NodusLauncher.zip
2015-02-20 16:23 - 2015-02-20 19:49 - 00000000 ____D () C:\Users\Xtreme\Downloads\Justice League The Flashpoint Paradox 2013 720p BluRay x264 MultiSub - the.HH
2015-02-20 16:22 - 2015-02-20 19:26 - 00000000 ____D () C:\Users\Xtreme\Downloads\Garrys Mod v14.07.10
2015-02-20 16:16 - 2015-02-20 16:25 - 00000000 ____D () C:\Users\Xtreme\Downloads\LEGO DC Justice League vs Bizarro League 2015 720p BluRay x264 AAC - Ozlem
2015-02-20 15:05 - 2015-02-20 19:24 - 3688431616 _____ () C:\Users\Xtreme\Downloads\CSGO v1.34.7.0.iso
2015-02-19 22:11 - 2015-02-19 22:11 - 00000000 ____D () C:\Users\Xtreme\Documents\Ableton
2015-02-19 22:07 - 2015-02-19 22:07 - 00000000 ____D () C:\Users\Xtreme\AppData\Roaming\WinRAR
2015-02-19 22:06 - 2015-02-19 22:06 - 00000000 ____D () C:\Program Files\WinRAR
2015-02-19 20:53 - 2015-02-19 22:06 - 00000000 ____D () C:\Users\Xtreme\Downloads\WinRAR 5.21 Final (32 & 64bit) SONIC VIBES
2015-02-19 20:44 - 2015-02-20 00:27 - 1183914684 _____ () C:\Users\Xtreme\Downloads\Rise.Of.The.Legend.2014.720p.BRRip.1.1GB.MkvCage.com.mkv
2015-02-19 20:40 - 2015-02-19 20:40 - 00000000 ____D () C:\Users\Xtreme\WinRar Portable
2015-02-19 06:32 - 2015-02-19 06:32 - 00000000 ____D () C:\Users\Xtreme\AppData\Roaming\MPC-HC
2015-02-19 06:25 - 2015-02-19 06:26 - 00000000 ____D () C:\Program Files\Combined Community Codec Pack
2015-02-19 06:25 - 2015-02-19 06:25 - 10420256 _____ (CCCP Project ) C:\Users\Xtreme\Downloads\Combined-Community-Codec-Pack-2014-07-13.exe
2015-02-19 06:24 - 2015-02-19 06:38 - 00000000 ____D () C:\Program Files\MPC-HC
2015-02-19 06:24 - 2015-02-19 06:24 - 00001848 _____ () C:\Users\Xtreme\Desktop\MPC-HC.lnk
2015-02-19 06:22 - 2015-02-19 06:22 - 11443560 _____ (MPC-HC Team ) C:\Users\Xtreme\Downloads\MPC-HC.1.7.8.x86.exe
2015-02-18 21:27 - 2015-02-18 21:27 - 00000000 ____D () C:\Users\Xtreme\Desktop\PreAlphaSTRAFESPEEDZONE
2015-02-17 23:48 - 2015-02-18 01:05 - 00000000 ____D () C:\Users\Xtreme\Downloads\[Trailer Music] Immediate - Trailerhead Nu Epiq 2014 @320 (Jamal The Moroccan)
2015-02-17 06:14 - 2015-02-17 06:14 - 00000036 _____ () C:\Users\Xtreme\Desktop\tooxtrem3 gm yt.txt
2015-02-17 05:16 - 2015-02-17 05:16 - 00000119 _____ () C:\Users\Xtreme\Desktop\ghos7be.txt
2015-02-17 03:07 - 2015-02-17 03:07 - 00000000 ____D () C:\Program Files\ImageWriter
2015-02-17 03:05 - 2015-02-17 03:05 - 12290974 _____ (ImageWriter Developers ) C:\Users\Xtreme\Downloads\Win32DiskImager-0.9.5-install.exe
2015-02-16 22:47 - 2015-02-16 22:47 - 00057672 _____ () C:\Users\Xtreme\Downloads\p.txt
2015-02-16 21:47 - 2015-02-16 21:47 - 00091300 _____ () C:\Users\Xtreme\Documents\BLOGGER G7 Sec Template Backup.xml
2015-02-16 20:59 - 2015-02-16 20:59 - 01247912 _____ (Microsoft Corporation) C:\Windows\System32\FM20.DLL
2015-02-16 20:02 - 2015-02-16 20:09 - 142986291 _____ () C:\Users\Xtreme\Downloads\PreAlphaSTRAFESPEEDZONE.zip
2015-02-16 19:46 - 2015-02-16 19:46 - 00348070 _____ (PortableAppZ.blogspot.com) C:\Users\Xtreme\Downloads\WinRAR_Portable_Multiversion_32-64_Multilingual_Online.exe
2015-02-16 13:13 - 2015-02-19 22:13 - 00000000 ____D () C:\Users\Xtreme\AppData\Roaming\Ableton
2015-02-16 13:13 - 2015-02-16 13:13 - 00000000 ____D () C:\Program Files\Common Files\Propellerhead Software
2015-02-16 13:05 - 2015-02-16 13:05 - 00000000 ____D () C:\ProgramData\Ableton
2015-02-16 04:44 - 2015-02-16 04:44 - 00091042 _____ () C:\Users\Xtreme\Downloads\template-750819634700969164.xml
2015-02-16 03:00 - 2015-02-19 22:07 - 00000000 ____D () C:\Users\Xtreme\Downloads\Ableton Live Suite 9.1.7 (x86x64)-P2P [helg420]
2015-02-16 03:00 - 2015-02-16 03:00 - 00000000 ____D () C:\Users\Xtreme\Downloads\Ableton Live 9 Suite 9.1.3 Authorize.auz File
2015-02-16 02:29 - 2015-02-16 02:29 - 00000000 __SHD () C:\Users\Xtreme\AppData\Local\EmieBrowserModeList
2015-02-15 22:10 - 2015-02-15 22:10 - 00000000 ____D () C:\Users\Xtreme\Downloads\Suits
2015-02-15 21:51 - 2015-02-15 21:51 - 00054174 _____ () C:\Users\Xtreme\Downloads\Suits.rar
2015-02-15 21:42 - 2015-02-15 21:44 - 34842237 _____ () C:\Users\Xtreme\Downloads\Batman Eternal 044 (2015) (Digital-Empire).cbr
2015-02-15 21:42 - 2015-02-15 21:43 - 35054916 _____ () C:\Users\Xtreme\Downloads\Batman Eternal 045 (2015) (Digital-Empire).cbr
2015-02-14 14:35 - 2015-02-14 14:35 - 00000911 _____ () C:\Users\Xtreme\Desktop\µTorrent.lnk
2015-02-13 21:11 - 2015-02-15 22:10 - 00000000 ____D () C:\Users\Xtreme\Downloads\PVRIS - White Noise [2014]
2015-02-12 22:01 - 2015-02-12 22:01 - 00000000 ____D () C:\Users\Xtreme\AppData\Roaming\Steam
2015-02-12 00:45 - 2015-02-12 00:54 - 00000000 ____D () C:\Users\Xtreme\Documents\Arma 3
2015-02-12 00:42 - 2015-02-12 00:42 - 00000000 ___SH () C:\Users\Xtreme\AppData\Local\LumaEmu
2015-02-11 04:19 - 2015-01-19 10:36 - 01192552 _____ (Microsoft Corporation) C:\Windows\System32\sppobjs.dll
2015-02-11 04:13 - 2015-01-11 17:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2015-02-11 04:13 - 2015-01-11 17:23 - 00327168 _____ (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2015-02-11 04:12 - 2014-12-19 00:25 - 00602776 _____ (Microsoft Corporation) C:\Windows\System32\oleaut32.dll
2015-02-11 04:11 - 2015-01-15 14:37 - 00478776 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2015-02-11 04:11 - 2015-01-15 14:37 - 00148288 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2015-02-11 04:11 - 2014-10-28 18:06 - 00736768 _____ (Microsoft Corporation) C:\Windows\System32\adtschema.dll
2015-02-11 04:11 - 2014-10-28 18:06 - 00154112 _____ (Microsoft Corporation) C:\Windows\System32\msaudite.dll
2015-02-11 04:11 - 2014-10-28 17:03 - 01117696 _____ (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2015-02-11 04:10 - 2014-12-08 19:45 - 00393728 _____ (Microsoft Corporation) C:\Windows\System32\scesrv.dll
2015-02-10 21:03 - 2015-02-10 21:11 - 234344322 _____ () C:\Users\Xtreme\Downloads\How I made my knives! - Imgur.zip

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-12 04:58 - 2014-12-23 23:47 - 00000000 ____D () C:\ProgramData\Package Cache
2015-03-12 03:34 - 2013-08-21 23:23 - 00057433 _____ () C:\Windows\setupact.log
2015-03-12 01:47 - 2015-01-02 01:41 - 00000000 ____D () C:\Users\Xtreme\AppData\Local\CrashDumps
2015-03-12 01:15 - 2014-12-23 17:42 - 00000000 ____D () C:\Program Files\Steam
2015-03-12 01:12 - 2014-12-23 17:20 - 00000000 ____D () C:\users\Xtreme
2015-03-12 01:06 - 2015-01-10 19:15 - 00000000 ____D () C:\Games
2015-03-12 00:19 - 2014-12-23 17:18 - 01125654 _____ () C:\Windows\WindowsUpdate.log
2015-03-12 00:16 - 2013-08-22 00:17 - 00000000 ____D () C:\Windows\LiveKernelReports
2015-03-12 00:09 - 2014-03-18 00:00 - 00863592 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-03-12 00:05 - 2014-12-23 17:42 - 00000000 ____D () C:\Program Files\Common Files\Steam
2015-03-12 00:04 - 2014-12-23 17:37 - 00000000 ____D () C:\Users\Xtreme\AppData\Roaming\uTorrent
2015-03-12 00:03 - 2014-12-23 17:55 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2015-03-12 00:02 - 2013-08-21 23:22 - 00513016 _____ () C:\Windows\System32\FNTCACHE.DAT
2015-03-12 00:00 - 2013-08-22 00:17 - 00000000 ____D () C:\Windows\System32\sru
2015-03-12 00:00 - 2013-08-22 00:17 - 00000000 ____D () C:\Program Files\Windows Defender
2015-03-11 23:57 - 2013-08-21 22:13 - 00262144 ___SH () C:\Windows\System32\config\BBI
2015-03-11 23:55 - 2013-08-22 00:17 - 00000000 ___RD () C:\Windows\ToastData
2015-03-11 23:55 - 2013-08-22 00:17 - 00000000 ____D () C:\Windows\WinStore
2015-03-11 09:52 - 2013-08-22 00:17 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-03-10 14:11 - 2013-08-22 00:05 - 00000000 ____D () C:\Windows\CbsTemp
2015-03-10 14:10 - 2015-02-06 19:38 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-10 14:08 - 2014-12-25 14:31 - 00000000 ____D () C:\Windows\System32\MRT
2015-03-10 14:01 - 2014-12-25 14:31 - 119837696 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2015-03-10 13:44 - 2013-08-21 22:13 - 00000167 _____ () C:\Windows\win.ini
2015-03-09 20:32 - 2014-12-25 12:55 - 00000000 ____D () C:\Users\Xtreme\.gimp-2.8
2015-03-09 20:29 - 2014-12-25 13:06 - 00000000 ____D () C:\Users\Xtreme\AppData\Local\gtk-2.0
2015-03-09 20:06 - 2015-01-05 20:12 - 00001722 _____ () C:\Windows\Sandboxie.ini
2015-03-05 20:53 - 2014-12-23 17:26 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-03-05 20:53 - 2014-12-23 17:26 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-03-04 13:24 - 2013-08-22 00:18 - 00792032 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2015-03-04 13:24 - 2013-08-22 00:18 - 00178144 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2015-02-27 21:25 - 2014-12-24 15:43 - 00000000 ____D () C:\Users\Xtreme\AppData\Roaming\vlc
2015-02-27 14:33 - 2015-02-06 20:51 - 00000000 ____D () C:\Program Files\InstallShield
2015-02-26 23:07 - 2014-03-17 23:49 - 00031200 _____ () C:\Windows\PFRO.log
2015-02-26 15:35 - 2015-02-06 22:14 - 00000000 ____D () C:\Users\Xtreme\Documents\School
2015-02-22 00:59 - 2015-01-20 02:36 - 00000000 ____D () C:\AdwCleaner
2015-02-20 22:03 - 2015-01-13 20:24 - 00000000 ____D () C:\Users\Xtreme\AppData\Roaming\.minecraft
2015-02-20 16:41 - 2013-07-31 20:18 - 01673860 _____ (TeamExtreme) C:\Users\Xtreme\Desktop\Minecraft Launcher.exe
2015-02-19 18:47 - 2014-12-24 22:05 - 00002160 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-16 23:17 - 2015-02-06 19:38 - 00000000 ____D () C:\Users\Xtreme\AppData\Local\Microsoft Help
2015-02-16 04:22 - 2015-01-05 20:14 - 00000000 ____D () C:\Users\Xtreme\Desktop\^^^
2015-02-15 23:06 - 2015-01-19 02:48 - 00000034 _____ () C:\Users\Xtreme\AppData\Roaming\AdobeWLCMCache.dat
2015-02-15 21:59 - 2014-12-23 17:43 - 00000000 ____D () C:\Users\Xtreme\AppData\Roaming\Notepad++
2015-02-13 10:08 - 2013-08-22 00:17 - 00000000 ____D () C:\Windows\rescache
2015-02-10 22:00 - 2015-01-02 00:42 - 00002102 _____ () C:\Windows\System32\jumpscaskspang.bin
2015-02-10 03:45 - 2015-02-09 13:13 - 00000000 ____D () C:\Users\Xtreme\Downloads\PC Format -  Get More Speed for Free+ 52 Techie Tips and Tricks (February 2015)

Some content of TEMP:
====================
C:\Users\Xtreme\AppData\Local\Temp\Microsoft Toolkit.exe
C:\Users\Xtreme\AppData\Local\Temp\npp.6.7.4.Installer.exe
C:\Users\Xtreme\AppData\Local\Temp\Quarantine.exe
C:\Users\Xtreme\AppData\Local\Temp\sqlite3.dll
C:\Users\Xtreme\AppData\Local\Temp\xmlUpdater.exe


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe
[2015-03-10 12:43] - [2015-01-27 15:41] - 2207488 ____A (Microsoft Corporation) 91E24273FCA076EA9E65DAFA98901225

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2014-06-24 20:22] - [2014-06-24 20:22] - 0328984 ____A (Microsoft Corporation) BE8FB66895B5475B09F5907D875CD47D

C:\Windows\System32\User32.dll
[2014-12-27 12:04] - [2014-07-24 05:50] - 1371176 ____A (Microsoft Corporation) C8AAFD77D50A97D06591DE49C4283822

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2014-12-27 12:04] - [2014-06-18 16:56] - 0264512 ___AC (Microsoft Corporation) 31A2AA48C1ECD390E2707E5C21B75DCE


==================== Restore Points  =========================

Restore point made on: 2015-02-24 23:25:42
Restore point made on: 2015-03-05 11:45:01
Restore point made on: 2015-03-10 13:30:43
Restore point made on: 2015-03-12 00:06:41

==================== Memory info ===========================

Percentage of memory in use: 24%
Total physical RAM: 1910.85 MB
Available physical RAM: 1434.11 MB
Total Pagefile: 1910.85 MB
Available Pagefile: 1438.78 MB
Total Virtual: 2047.88 MB
Available Virtual: 1934.42 MB

==================== Drives ================================

Drive c: (S3A8924D007) (Fixed) (Total:241.25 GB) (Free:40.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (System) (Fixed) (Total:1.46 GB) (Free:1.19 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (Debian wheezy 20) (CDROM) (Total:1.25 GB) (Free:0 GB) CDFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
Drive y: (X) (Removable) (Total:7.45 GB) (Free:7.2 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 03F0F5E4)
Partition 1: (Not Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Not Active) - (Size=241.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=9.7 GB) - (Type=17)
Partition 4: (Active) - (Size=45.6 GB) - (Type=83)

========================================================
Disk: 2 (Size: 7.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.


LastRegBack: 2015-03-05 11:27

==================== End Of Log ============================


Edited by Xtreme37, 13 March 2015 - 07:33 AM.




#2 nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:02 AM

Posted 17 March 2015 - 09:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

HKU\Xtreme\...\Run: [test] => C:\Users\Xtreme\AppData\Roaming\test.exe
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
S2 WrensWeberSpade; "C:\Windows\System32\lopedinkequip.exe" [X]
C:\Users\Xtreme\AppData\Roaming\test.exe

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller.
=======

How is the computer running now?

#3 nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:02 AM

Posted 22 March 2015 - 08:07 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
