
Antimalware Service executable eating up all memory


This topic is locked
8 replies to this topic

#1 MaseWiN

MaseWiN

  • Members
  • 60 posts

Posted 31 March 2015 - 07:49 PM

Hi,

I have a process that slowly eats up my memory all the way up to 99 percent. It is listed in Task Manager as Antimalware Service Executable and a tab in it called Windows Defender Service. Not sure how to stop this from happening; any help would be appreciated.

I am running Windows 8.1 and I have run Malwarebytes before coming here.

Thank you.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 April 2015 - 08:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 MaseWiN

MaseWiN
  • Topic Starter

  • Members
  • 60 posts

Posted 02 April 2015 - 10:52 AM

# AdwCleaner v4.200 - Logfile created 02/04/2015 at 11:50:07
# Updated 29/03/2015 by Xplode
# Database : 2015-03-29.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Peter - MASE
# Running from : C:\Users\Peter\Downloads\adwcleaner_4.200.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
File Found : C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Google Chrome v41.0.2272.101
 
 
*************************
 
AdwCleaner[R0].txt - [8217 bytes] - [17/06/2014 17:55:12]
AdwCleaner[R1].txt - [1882 bytes] - [04/01/2015 21:26:29]
AdwCleaner[R2].txt - [1070 bytes] - [02/04/2015 11:50:07]
AdwCleaner[S0].txt - [8034 bytes] - [17/06/2014 17:55:29]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [1188 bytes] ##########
 
Farbar
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Creative Technology Ltd) C:\Windows\SysWOW64\CtHdaSvc.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Qualcomm Atheros) C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster Recon3Di\Sound Blaster Recon3Di Control Panel\SBRcni.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster Recon3Di\Sound Blaster Recon3Di Control Panel\CTJckCfg.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Users\Peter\Downloads\adwcleaner_4.200.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) C:\Users\Peter\Downloads\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2673296 2015-03-27] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [590144 2015-02-28] (Razer Inc.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [449168 2012-03-26] (CANON INC.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [UpdReg] => C:\WINDOWS\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [Sound Blaster Recon3Di SBX Control Panel] => C:\Program Files (x86)\Creative\Sound Blaster Recon3Di\Sound Blaster Recon3Di Control Panel\SBRcni.exe [976896 2012-11-28] (Creative Technology Ltd)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Killer Network Manager.lnk
ShortcutTarget: Killer Network Manager.lnk -> C:\Windows\Installer\{401FADAA-1C16-4721-9F02-19067E1A1CA8}\NetworkManager.exe_130C27D738F34C89BDDF21BCFD74B56D.exe (Flexera Software LLC)
Startup: C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Top Gear S22E07 720p HDTV x264-RiVER [eztv].lnk
ShortcutTarget: Top Gear S22E07 720p HDTV x264-RiVER [eztv].lnk -> C:\ProgramData\{b062c844-c656-dfb7-b062-2c844c652113}\Top Gear S22E07 720p HDTV x264-RiVER [eztv].exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ca/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
DPF: HKLM-x32 {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
Tcpip\Parameters: [DhcpNameServer] 64.71.255.204 64.71.255.198
 
FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-02-05] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-02-05] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-06]
CHR Extension: (Google Docs) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-06]
CHR Extension: (Google Drive) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-06]
CHR Extension: (YouTube) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-06]
CHR Extension: (Google Search) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-06]
CHR Extension: (Google Sheets) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-06]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-14]
CHR Extension: (Google Wallet) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-06]
CHR Extension: (Page Monitor) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pemhgklkefakciniebenbfclihhmmfcd [2015-02-12]
CHR Extension: (Gmail) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-06]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2015-02-24] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2015-02-24] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [423424 2012-10-08] (Creative Technology Ltd) [File not signed]
R2 CtHdaSvc; C:\Windows\sysWow64\CtHdaSvc.exe [103936 2014-08-29] (Creative Technology Ltd)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1152144 2015-03-27] (NVIDIA Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1878672 2015-03-27] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [22995600 2015-03-27] (NVIDIA Corporation)
R2 Qualcomm Atheros Killer Service V2; C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe [343040 2013-08-08] (Qualcomm Atheros) [File not signed]
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [187072 2015-02-04] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 BfLwf; C:\Windows\system32\DRIVERS\bwcW8x64.sys [75056 2013-02-13] (Qualcomm Atheros, Inc.)
R3 cthda; C:\Windows\system32\drivers\cthda.sys [1051392 2014-08-29] (Creative Technology Ltd)
R3 Ke2200; C:\Windows\system32\DRIVERS\e22w8x64.sys [163536 2013-03-20] (Qualcomm Atheros, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-03-27] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
R3 rzendpt; C:\Windows\System32\drivers\rzendpt.sys [39592 2014-12-30] (Razer Inc)
R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [37184 2015-02-04] (Razer, Inc.)
R2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [129600 2014-12-10] (Razer, Inc.)
S3 taphss6; C:\Windows\system32\DRIVERS\taphss6.sys [42184 2014-05-16] (Anchorfree Inc.)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-02 11:51 - 2015-04-02 11:51 - 02095616 _____ (Farbar) C:\Users\Peter\Downloads\FRST64 (1).exe
2015-04-02 11:49 - 2015-04-02 11:49 - 02208768 _____ () C:\Users\Peter\Downloads\adwcleaner_4.200.exe
2015-03-31 19:40 - 2015-03-31 19:40 - 00019702 _____ () C:\Users\Peter\Downloads\Into The Woods (2014) [1080p] YIFY - YTS.torrent
2015-03-31 19:40 - 2015-03-31 19:40 - 00017636 _____ () C:\Users\Peter\Downloads\The Gambler (2014) [1080p] YIFY - YTS.torrent
2015-03-29 22:09 - 2015-03-29 22:09 - 00015315 _____ () C:\Users\Peter\Downloads\Appleseed Alpha (2014) [1080p] YIFY - YTS.torrent
2015-03-29 21:58 - 2015-03-29 21:58 - 00016218 _____ () C:\Users\Peter\Downloads\The Adventures Of Tintin (2011) [1080p] YIFY - YTS.torrent
2015-03-29 21:56 - 2015-03-29 21:56 - 00266320 _____ () C:\WINDOWS\Minidump\032915-6953-01.dmp
2015-03-29 21:52 - 2015-03-29 21:52 - 00013304 _____ () C:\Users\Peter\Downloads\Superman Unbound (2013) [1080p] YIFY - YTS.torrent
2015-03-24 20:40 - 2015-03-24 20:40 - 00017465 _____ () C:\Users\Peter\Downloads\Big Hero 6 (2014) [1080p] YIFY - YTS.torrent
2015-03-24 20:40 - 2015-03-24 20:40 - 00015078 _____ () C:\Users\Peter\Downloads\Wreck It Ralph (2012) [1080p] YIFY - YTS.torrent
2015-03-19 11:33 - 2015-03-19 11:33 - 00027580 _____ () C:\Users\Peter\Downloads\Hellenic Home Invoice (1).xlsx
2015-03-19 11:32 - 2015-03-19 11:32 - 00027580 _____ () C:\Users\Peter\Downloads\Hellenic Home Invoice.xlsx
2015-03-18 22:31 - 2015-03-18 22:31 - 00000000 ____D () C:\Users\Peter\AppData\Local\RzStats
2015-03-18 21:43 - 2015-03-18 21:43 - 00019553 _____ () C:\Users\Peter\Downloads\The Theory Of Everything (2014) [1080p] YIFY - YTS.torrent
2015-03-16 21:06 - 2015-03-16 21:19 - 00000000 ____D () C:\ProgramData\{b062c844-c656-dfb7-b062-2c844c652113}
2015-03-13 23:01 - 2015-03-13 23:01 - 00019469 _____ () C:\Users\Peter\Downloads\Nightcrawler (2014) [1080p] YIFY - YTS.torrent
2015-03-13 22:59 - 2015-03-13 22:59 - 00019570 _____ () C:\Users\Peter\Downloads\The Imitation Game (2014) [1080p] YIFY - YTS.torrent
2015-03-05 00:50 - 2015-03-05 00:50 - 00003886 _____ () C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-02 11:51 - 2014-12-17 01:58 - 00013221 _____ () C:\Users\Peter\Downloads\FRST.txt
2015-04-02 11:51 - 2014-08-26 21:19 - 00000000 ____D () C:\FRST
2015-04-02 11:50 - 2014-06-17 17:55 - 00000000 ____D () C:\AdwCleaner
2015-04-02 11:49 - 2013-08-22 10:46 - 00052192 _____ () C:\WINDOWS\setupact.log
2015-04-02 11:48 - 2014-08-12 23:31 - 01918713 _____ () C:\WINDOWS\WindowsUpdate.log
2015-04-02 11:47 - 2014-12-06 17:06 - 00000912 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-02 11:47 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-03-31 22:14 - 2014-08-12 23:27 - 00000000 ____D () C:\Users\Peter
2015-03-31 22:08 - 2014-08-23 21:53 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\vlc
2015-03-31 22:03 - 2014-10-11 22:00 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\Mumble
2015-03-31 21:17 - 2014-12-06 17:06 - 00000916 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-31 20:49 - 2014-08-12 23:53 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\uTorrent
2015-03-31 20:46 - 2014-10-11 22:27 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-03-31 19:39 - 2014-12-31 18:51 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\HexChat
2015-03-29 22:40 - 2014-08-12 23:30 - 00863592 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-03-29 22:34 - 2014-08-12 23:41 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-03-29 22:34 - 2013-08-22 10:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-03-29 21:56 - 2014-12-09 22:27 - 3976479019 _____ () C:\WINDOWS\MEMORY.DMP
2015-03-29 21:56 - 2014-11-12 23:38 - 00000000 ____D () C:\WINDOWS\Minidump
2015-03-27 23:44 - 2014-08-12 23:45 - 01316000 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspcap.dll
2015-03-27 23:44 - 2014-08-12 23:45 - 01316000 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspbridge.dll
2015-03-27 23:43 - 2014-08-12 23:45 - 01756424 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspbridge64.dll
2015-03-27 23:43 - 2014-08-12 23:45 - 01570672 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspcap64.dll
2015-03-21 14:52 - 2014-07-11 17:21 - 00000000 ____D () C:\Users\Peter\Desktop\Eleni
2015-03-21 14:49 - 2014-08-12 23:27 - 00000000 ____D () C:\Users\Peter\AppData\Local\VirtualStore
2015-03-20 20:57 - 2014-08-12 23:34 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4241128372-278323654-1664001173-1001
2015-03-20 20:18 - 2014-12-06 17:06 - 00002203 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-19 19:13 - 2013-08-22 11:20 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-03-19 18:42 - 2014-08-12 23:24 - 00040606 _____ () C:\WINDOWS\PFRO.log
2015-03-19 18:42 - 2013-08-22 10:44 - 00479240 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-03-19 18:19 - 2014-03-15 17:24 - 00000000 ____D () C:\Users\Peter\Documents\Outlook Files
2015-03-18 11:55 - 2014-12-07 21:20 - 00000000 ____D () C:\Users\Peter\Desktop\randomfolders
2015-03-16 21:19 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\Help
2015-03-16 21:19 - 2013-08-22 09:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-03-16 12:17 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\NDF
2015-03-15 18:42 - 2014-10-13 22:42 - 00000000 ____D () C:\Users\Peter\AppData\Local\CrashDumps
2015-03-13 23:35 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-03-06 23:00 - 2015-02-26 21:22 - 00000000 ____D () C:\Users\Peter\AppData\Local\Adobe
2015-03-06 23:00 - 2014-08-12 23:27 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\Adobe
2015-03-06 17:13 - 2014-08-21 19:26 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\mIRC
2015-03-05 00:47 - 2015-02-26 21:22 - 00000000 ____D () C:\ProgramData\Adobe
2015-03-05 00:47 - 2013-12-12 11:19 - 00266059 ____N () C:\WINDOWS\Minidump\030415-6781-01.dmp
 
==================== Files in the root of some directories =======
 
2014-08-12 23:38 - 2014-08-21 13:32 - 0000000 _____ () C:\Users\Peter\AppData\Local\Driver_LOM_8161Present.flag
2014-08-18 11:51 - 2014-08-21 13:31 - 0000102 _____ () C:\Users\Peter\AppData\Local\killertool.log
 
Some content of TEMP:
====================
C:\Users\Peter\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Peter\AppData\Local\Temp\GameuxInstallHelper.dll
C:\Users\Peter\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Peter\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\Peter\AppData\Local\Temp\nvStInst.exe
C:\Users\Peter\AppData\Local\Temp\Quarantine.exe
C:\Users\Peter\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-31 05:57
 
==================== End Of Log ============================


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 April 2015 - 01:13 PM

Your FRST log is missing the top part of the log.
Please post a complete log for my review.

===

Please Download and run this program and post the log for my review.

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

#5 MaseWiN

MaseWiN
  • Topic Starter

  • Members
  • 60 posts

Posted 02 April 2015 - 03:45 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Peter (administrator) on MASE on 02-04-2015 16:43:51
Running from C:\Users\Peter\Downloads
Loaded Profiles: Peter (Available profiles: Peter)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Creative Technology Ltd) C:\Windows\SysWOW64\CtHdaSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Qualcomm Atheros) C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster Recon3Di\Sound Blaster Recon3Di Control Panel\SBRcni.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster Recon3Di\Sound Blaster Recon3Di Control Panel\CTJckCfg.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Farbar) C:\Users\Peter\Downloads\FRST64 (2).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2673296 2015-03-27] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [590144 2015-02-28] (Razer Inc.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [449168 2012-03-26] (CANON INC.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [UpdReg] => C:\WINDOWS\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [Sound Blaster Recon3Di SBX Control Panel] => C:\Program Files (x86)\Creative\Sound Blaster Recon3Di\Sound Blaster Recon3Di Control Panel\SBRcni.exe [976896 2012-11-28] (Creative Technology Ltd)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Killer Network Manager.lnk
ShortcutTarget: Killer Network Manager.lnk -> C:\Windows\Installer\{401FADAA-1C16-4721-9F02-19067E1A1CA8}\NetworkManager.exe_130C27D738F34C89BDDF21BCFD74B56D.exe (Flexera Software LLC)
Startup: C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Top Gear S22E07 720p HDTV x264-RiVER [eztv].lnk
ShortcutTarget: Top Gear S22E07 720p HDTV x264-RiVER [eztv].lnk -> C:\ProgramData\{b062c844-c656-dfb7-b062-2c844c652113}\Top Gear S22E07 720p HDTV x264-RiVER [eztv].exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ca/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
DPF: HKLM-x32 {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
Tcpip\Parameters: [DhcpNameServer] 64.71.255.204 64.71.255.198
 
FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-02-05] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-02-05] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-06]
CHR Extension: (Google Docs) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-06]
CHR Extension: (Google Drive) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-06]
CHR Extension: (YouTube) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-06]
CHR Extension: (Google Search) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-06]
CHR Extension: (Google Sheets) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-06]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-14]
CHR Extension: (Google Wallet) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-06]
CHR Extension: (Page Monitor) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pemhgklkefakciniebenbfclihhmmfcd [2015-02-12]
CHR Extension: (Gmail) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-06]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2015-02-24] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2015-02-24] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [423424 2012-10-08] (Creative Technology Ltd) [File not signed]
R2 CtHdaSvc; C:\Windows\sysWow64\CtHdaSvc.exe [103936 2014-08-29] (Creative Technology Ltd)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1152144 2015-03-27] (NVIDIA Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1878672 2015-03-27] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [22995600 2015-03-27] (NVIDIA Corporation)
R2 Qualcomm Atheros Killer Service V2; C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe [343040 2013-08-08] (Qualcomm Atheros) [File not signed]
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [187072 2015-02-04] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 BfLwf; C:\Windows\system32\DRIVERS\bwcW8x64.sys [75056 2013-02-13] (Qualcomm Atheros, Inc.)
R3 cthda; C:\Windows\system32\drivers\cthda.sys [1051392 2014-08-29] (Creative Technology Ltd)
R3 Ke2200; C:\Windows\system32\DRIVERS\e22w8x64.sys [163536 2013-03-20] (Qualcomm Atheros, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-03-27] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
R3 rzendpt; C:\Windows\System32\drivers\rzendpt.sys [39592 2014-12-30] (Razer Inc)
R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [37184 2015-02-04] (Razer, Inc.)
R2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [129600 2014-12-10] (Razer, Inc.)
S3 taphss6; C:\Windows\system32\DRIVERS\taphss6.sys [42184 2014-05-16] (Anchorfree Inc.)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-02 16:43 - 2015-04-02 16:43 - 02095616 _____ (Farbar) C:\Users\Peter\Downloads\FRST64 (2).exe
2015-04-02 16:42 - 2015-04-02 16:42 - 00023617 _____ () C:\Users\Peter\Desktop\Addition.txt
2015-04-02 16:42 - 2015-04-02 16:42 - 00021133 _____ () C:\Users\Peter\Desktop\FRST.txt
2015-04-02 16:42 - 2015-04-02 16:42 - 00000000 ____D () C:\Users\Peter\Desktop\FRST-OlderVersion
2015-04-02 11:51 - 2015-04-02 11:51 - 02095616 _____ (Farbar) C:\Users\Peter\Downloads\FRST64 (1).exe
2015-04-02 11:49 - 2015-04-02 11:49 - 02208768 _____ () C:\Users\Peter\Downloads\adwcleaner_4.200.exe
2015-03-31 19:40 - 2015-03-31 19:40 - 00019702 _____ () C:\Users\Peter\Downloads\Into The Woods (2014) [1080p] YIFY - YTS.torrent
2015-03-31 19:40 - 2015-03-31 19:40 - 00017636 _____ () C:\Users\Peter\Downloads\The Gambler (2014) [1080p] YIFY - YTS.torrent
2015-03-29 22:09 - 2015-03-29 22:09 - 00015315 _____ () C:\Users\Peter\Downloads\Appleseed Alpha (2014) [1080p] YIFY - YTS.torrent
2015-03-29 21:58 - 2015-03-29 21:58 - 00016218 _____ () C:\Users\Peter\Downloads\The Adventures Of Tintin (2011) [1080p] YIFY - YTS.torrent
2015-03-29 21:56 - 2015-03-29 21:56 - 00266320 _____ () C:\WINDOWS\Minidump\032915-6953-01.dmp
2015-03-29 21:52 - 2015-03-29 21:52 - 00013304 _____ () C:\Users\Peter\Downloads\Superman Unbound (2013) [1080p] YIFY - YTS.torrent
2015-03-24 20:40 - 2015-03-24 20:40 - 00017465 _____ () C:\Users\Peter\Downloads\Big Hero 6 (2014) [1080p] YIFY - YTS.torrent
2015-03-24 20:40 - 2015-03-24 20:40 - 00015078 _____ () C:\Users\Peter\Downloads\Wreck It Ralph (2012) [1080p] YIFY - YTS.torrent
2015-03-19 11:33 - 2015-03-19 11:33 - 00027580 _____ () C:\Users\Peter\Downloads\Hellenic Home Invoice (1).xlsx
2015-03-19 11:32 - 2015-03-19 11:32 - 00027580 _____ () C:\Users\Peter\Downloads\Hellenic Home Invoice.xlsx
2015-03-18 22:31 - 2015-03-18 22:31 - 00000000 ____D () C:\Users\Peter\AppData\Local\RzStats
2015-03-18 21:43 - 2015-03-18 21:43 - 00019553 _____ () C:\Users\Peter\Downloads\The Theory Of Everything (2014) [1080p] YIFY - YTS.torrent
2015-03-16 21:06 - 2015-03-16 21:19 - 00000000 ____D () C:\ProgramData\{b062c844-c656-dfb7-b062-2c844c652113}
2015-03-13 23:01 - 2015-03-13 23:01 - 00019469 _____ () C:\Users\Peter\Downloads\Nightcrawler (2014) [1080p] YIFY - YTS.torrent
2015-03-13 22:59 - 2015-03-13 22:59 - 00019570 _____ () C:\Users\Peter\Downloads\The Imitation Game (2014) [1080p] YIFY - YTS.torrent
2015-03-05 00:50 - 2015-03-05 00:50 - 00003886 _____ () C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-02 16:43 - 2014-12-17 01:58 - 00012884 _____ () C:\Users\Peter\Downloads\FRST.txt
2015-04-02 16:43 - 2014-08-26 21:19 - 00000000 ____D () C:\FRST
2015-04-02 16:42 - 2014-08-26 21:18 - 02095616 _____ (Farbar) C:\Users\Peter\Desktop\FRST64.exe
2015-04-02 16:41 - 2014-12-06 17:06 - 00000912 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-02 16:41 - 2014-08-12 23:41 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-04-02 16:41 - 2013-08-22 10:46 - 00052540 _____ () C:\WINDOWS\setupact.log
2015-04-02 16:41 - 2013-08-22 10:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-04-02 11:54 - 2014-08-12 23:34 - 00003596 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4241128372-278323654-1664001173-1001
2015-04-02 11:51 - 2014-08-12 23:31 - 01918713 _____ () C:\WINDOWS\WindowsUpdate.log
2015-04-02 11:50 - 2014-06-17 17:55 - 00000000 ____D () C:\AdwCleaner
2015-04-02 11:47 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-03-31 22:14 - 2014-08-12 23:27 - 00000000 ____D () C:\Users\Peter
2015-03-31 22:08 - 2014-08-23 21:53 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\vlc
2015-03-31 22:03 - 2014-10-11 22:00 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\Mumble
2015-03-31 21:17 - 2014-12-06 17:06 - 00000916 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-31 20:49 - 2014-08-12 23:53 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\uTorrent
2015-03-31 20:46 - 2014-10-11 22:27 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-03-31 19:39 - 2014-12-31 18:51 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\HexChat
2015-03-29 22:40 - 2014-08-12 23:30 - 00863592 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-03-29 21:56 - 2014-12-09 22:27 - 3976479019 _____ () C:\WINDOWS\MEMORY.DMP
2015-03-29 21:56 - 2014-11-12 23:38 - 00000000 ____D () C:\WINDOWS\Minidump
2015-03-28 07:14 - 2013-08-22 11:20 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-03-27 23:44 - 2014-08-12 23:45 - 01316000 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspcap.dll
2015-03-27 23:44 - 2014-08-12 23:45 - 01316000 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspbridge.dll
2015-03-27 23:43 - 2014-08-12 23:45 - 01756424 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspbridge64.dll
2015-03-27 23:43 - 2014-08-12 23:45 - 01570672 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspcap64.dll
2015-03-21 14:52 - 2014-07-11 17:21 - 00000000 ____D () C:\Users\Peter\Desktop\Eleni
2015-03-21 14:49 - 2014-08-12 23:27 - 00000000 ____D () C:\Users\Peter\AppData\Local\VirtualStore
2015-03-20 20:18 - 2014-12-06 17:06 - 00002203 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-19 18:42 - 2014-08-12 23:24 - 00040606 _____ () C:\WINDOWS\PFRO.log
2015-03-19 18:42 - 2013-08-22 10:44 - 00479240 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-03-19 18:19 - 2014-03-15 17:24 - 00000000 ____D () C:\Users\Peter\Documents\Outlook Files
2015-03-18 11:55 - 2014-12-07 21:20 - 00000000 ____D () C:\Users\Peter\Desktop\randomfolders
2015-03-16 21:19 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\Help
2015-03-16 21:19 - 2013-08-22 09:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-03-16 12:17 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\NDF
2015-03-15 18:42 - 2014-10-13 22:42 - 00000000 ____D () C:\Users\Peter\AppData\Local\CrashDumps
2015-03-13 23:35 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-03-06 23:00 - 2015-02-26 21:22 - 00000000 ____D () C:\Users\Peter\AppData\Local\Adobe
2015-03-06 23:00 - 2014-08-12 23:27 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\Adobe
2015-03-06 17:13 - 2014-08-21 19:26 - 00000000 ____D () C:\Users\Peter\AppData\Roaming\mIRC
2015-03-05 00:47 - 2015-02-26 21:22 - 00000000 ____D () C:\ProgramData\Adobe
2015-03-05 00:47 - 2013-12-12 11:19 - 00266059 ____N () C:\WINDOWS\Minidump\030415-6781-01.dmp
 
==================== Files in the root of some directories =======
 
2014-08-12 23:38 - 2014-08-21 13:32 - 0000000 _____ () C:\Users\Peter\AppData\Local\Driver_LOM_8161Present.flag
2014-08-18 11:51 - 2014-08-21 13:31 - 0000102 _____ () C:\Users\Peter\AppData\Local\killertool.log
 
Some content of TEMP:
====================
C:\Users\Peter\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Peter\AppData\Local\Temp\GameuxInstallHelper.dll
C:\Users\Peter\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Peter\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\Peter\AppData\Local\Temp\nvStInst.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-31 05:57
 
==================== End Of Log ============================


#6 MaseWiN

  • Topic Starter
  • Members
  • 60 posts

Posted 02 April 2015 - 03:47 PM

RogueKiller V10.5.8.0 [Mar 30 2015] by Adlice Software
 
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Peter [Administrator]
Started from : C:\Users\Peter\Downloads\RogueKiller (1).exe
Mode : Delete -- Date : 04/02/2015  16:47:01
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 12 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)][CANADA (CA)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)][CANADA (CA)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0FC67003-3FE8-49C0-8191-0999320CB3B0} | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)][CANADA (CA)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0FC67003-3FE8-49C0-8191-0999320CB3B0} | DhcpNameServer : 64.71.255.204 64.71.255.198 [CANADA (CA)][CANADA (CA)]  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-4241128372-278323654-1664001173-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] Top Gear S22E07 720p HDTV x264-RiVER [eztv].lnk -- C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Top Gear S22E07 720p HDTV x264-RiVER [eztv].lnk [LNK@] C:\ProgramData\{b062c844-c656-dfb7-b062-2c844c652113}\Top Gear S22E07 720p HDTV x264-RiVER [eztv].exe --startup=1 -> Deleted
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: INTEL SSDSC2BW240A4 +++++
--- User ---
[MBR] 34e210f06b9d4d116665d080919dbb0b
[BSP] fd62d9190ff8ace98551f0478bdeed7e : Windows Vista/7/8 MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 300 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 616448 | Size: 99 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 819200 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1081344 | Size: 228408 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WDC WD10EZEX-00RKKA0 +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 953740 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_DEL_12092014_115102.log - RKreport_DEL_12092014_221747.log - RKreport_DEL_12092014_221756.log - RKreport_DEL_12092014_221840.log
RKreport_DEL_12092014_222136.log - RKreport_SCN_08282014_230754.log - RKreport_SCN_11092014_125342.log - RKreport_SCN_12092014_115047.log
RKreport_SCN_12092014_221745.log - RKreport_SCN_12092014_221839.log - RKreport_SCN_12092014_221931.log - RKreport_SCN_12092014_222224.log
RKreport_SCN_12102014_224458.log - RKreport_SCN_12212014_214748.log - RKreport_SCN_04022015_164646.log


#7 nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 April 2015 - 07:26 AM


Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Delete this file: C:\WINDOWS\MEMORY.DMP and flush/empty your Recycle bin.

===

Nothing suspicious was found on your FRST log.


The Windows Defender Service is the antivirus program that comes with Windows 8.

If the problem persists I suggest you run this online scan from Eset and see what should be deleted.


There could be some remnant items.
Run this online scan.
It may take some time. Do it when you know you will not need the computer for a few hours.

Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings:
    [settings screenshot]
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish.
  • A log file is created at [log path screenshot].
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

How is the computer running now?

#8 nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 April 2015 - 08:13 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 April 2015 - 08:42 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
