lsass.exe and svchost.exe taking up 100% cpu and can't get rid of them


5 replies to this topic

#1 vivisect


Posted 06 June 2015 - 12:30 PM

I appear to be having the same problem this person had: http://www.bleepingcomputer.com/forums/t/571980/trojanagentmnr-bitcoin-miner-running-fake-svchostexe-and-lsassexe/. SuperAntiSpyware and Malwarebytes find the files in c:\windows\temp and can delete them, but upon restart they are both active again in Task Manager and are back in c:\windows\temp.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:06-06-2015
Ran by Kyle (administrator) on CHUBS on 06-06-2015 12:25:26
Running from C:\Users\Kyle\Desktop
Loaded Profiles: Kyle (Available Profiles: Kyle)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Opera)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Valve Corporation) D:\Games\Steam\Steam.exe
(Valve Corporation) D:\Games\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Valve Corporation) D:\Games\Steam\bin\steamwebhelper.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
() C:\Program Files (x86)\Opera\29.0.1795.60\opera_crashreporter.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
(Python Software Foundation) C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
(Python Software Foundation) C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\29.0.1795.60\opera.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-07] (Apple Inc.)
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2715536 2015-04-10] (Dominik Reichl)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-20] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AirPort Base Station Agent] => C:\Program Files (x86)\AirPort\APAgent.exe [771360 2009-11-11] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2015-04-14] (Malwarebytes Corporation)
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [25700400 2015-04-28] (Google)
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\Run: [Akamai NetSession Interface] => C:\Users\Kyle\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-30] (Akamai Technologies, Inc.)
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\Run: [YoloMouse] => C:\Program Files\YoloMouse\YoloMouse.exe [133632 2014-10-14] ()
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\Run: [MyComGames] => C:\Users\Kyle\AppData\Local\MyComGames\MyComGames.exe [3956168 2015-06-06] ()
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31283328 2015-04-17] (Skype Technologies S.A.)
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [5893768 2015-05-04] (Plex, Inc.)
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7799576 2015-05-15] (SUPERAntiSpyware)
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\MountPoints2: {7e233343-fa30-11e4-8275-002618a372c3} - "V:\Setup.exe" 
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\MountPoints2: {805e00c5-8133-11e4-8263-002618a372c3} - "V:\setup.exe" 
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\MountPoints2: {cdabb0c0-6b2c-11e4-825d-002618a372c3} - "V:\setup.exe" 
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\...\MountPoints2: {e8bc44fe-0a11-11e4-8254-002618a372c3} - "V:\setup.exe" 
Startup: C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk [2015-04-11]
ShortcutTarget: Curse.lnk -> C:\Users\Kyle\AppData\Roaming\Curse Client\Bin\Curse.exe (Curse, Inc)
Startup: C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SABnzbd.lnk [2014-07-13]
ShortcutTarget: SABnzbd.lnk -> C:\Program Files (x86)\SABnzbd\SABnzbd.exe ()
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2014-04-20] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-01-29] (Oracle Corporation)
BHO-x32: ArcPluginIEBHO Class -> {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} -> C:\Program Files (x86)\Arc\Plugins\ArcPluginIE.dll [2015-05-19] (Perfect World Entertainment Inc)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-29] (Oracle Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
Tcpip\..\Interfaces\{FD9C73CB-A57B-4260-97EB-F9D216B2200B}: [NameServer] 8.8.8.8,8.8.4.4
 
FireFox:
========
FF ProfilePath: C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\5cxillfa.default-1430266372881
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_17_0_0_169.dll [2015-04-14] ()
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-04-14] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-29] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-29] (Oracle Corporation)
FF Plugin-x32: @perfectworld.com/npArcPlayNowPlugin -> C:\Program Files (x86)\Arc\Plugins\npArcPluginFF.dll [2015-05-19] (Perfect World Entertainment Inc)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1562672214-3536400489-3838108396-1001: @my.com/Games -> C:\Users\Kyle\AppData\Local\MyComGames\NPMyComDetector.dll [2015-04-15] (My.com, Inc)
FF Plugin HKU\S-1-5-21-1562672214-3536400489-3838108396-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Kyle\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-08-08] (Unity Technologies ApS)
FF Extension: Adblock Plus - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\5cxillfa.default-1430266372881\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-04-28]
 
Chrome: 
=======
CHR Profile: C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Lucidchart Diagrams - Online) - C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\apboafhkiegglekeafbckfjldecefkhn [2015-01-20]
CHR Extension: (Google Drive) - C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-11]
CHR Extension: (YouTube) - C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-11]
CHR Extension: (Google Search) - C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-11]
CHR Extension: (Bookmark Manager) - C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-06-02]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2014-11-05]
CHR Extension: (Ghostery) - C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2015-04-10]
CHR Extension: (Google Wallet) - C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-11]
CHR Extension: (Gmail) - C:\Users\Kyle\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-11]
CHR HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
 
Opera: 
=======
OPR Extension: (XKit) - C:\Users\Kyle\AppData\Roaming\Opera Software\Opera Stable\Extensions\fpfgeeomkfdefkckijiabdbogjkdaecd [2015-05-29]
OPR Extension: (µBlock) - C:\Users\Kyle\AppData\Roaming\Opera Software\Opera Stable\Extensions\kccohkcpppjjkkjppopfnflnebibpida [2015-04-30]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)
S3 ArcService; C:\Program Files (x86)\Arc\ArcService.exe [88400 2015-05-19] (Perfect World Entertainment Inc)
S2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2252504 2013-09-04] (Broadcom Corporation.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
S2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9216 2015-03-12] (Hi-Rez Studios) [File not signed]
S2 NzbDrone; C:\ProgramData\NzbDrone\bin\nzbdrone.console.exe [24064 2015-06-04] (sonarr.tv) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5495056 2015-06-01] (TeamViewer GmbH)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-22] (Advanced Micro Devices, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [222720 2014-03-11] (Advanced Micro Devices)
S3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [170712 2013-09-04] (Broadcom Corporation.)
S3 BthA2DP; C:\Windows\system32\drivers\BthA2DP.sys [132608 2015-01-29] (Microsoft Corporation)
S3 BthHFAud; C:\Windows\System32\drivers\BthHfAud.sys [32768 2014-10-08] (Microsoft Corporation)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
S3 hxsyol; C:\WINDOWS\system32\hxsy64.sys [86352 2015-01-18] ()
R3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [17280 2013-05-17] ()
R0 mv61xx; C:\Windows\System32\drivers\mv61xx.sys [181040 2011-02-09] (Marvell Semiconductor, Inc.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-06-06] ()
U0 wbxsytwk; C:\Windows\System32\drivers\kntdqq.sys [79064 2015-06-06] (Malwarebytes Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
S3 xusb22; C:\Windows\System32\drivers\xusb22.sys [87040 2014-03-18] (Microsoft Corporation)
R3 yukonw8; C:\Windows\system32\DRIVERS\yk63x64.sys [295216 2013-06-18] (Marvell)
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 EagleX64; \??\C:\WINDOWS\system32\drivers\EagleX64.sys [X]
S3 X6va029; \??\C:\WINDOWS\SysWOW64\Drivers\X6va029 [X]
S3 xhunter1; \??\C:\WINDOWS\xhunter1.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-06 12:25 - 2015-06-06 12:25 - 00016179 _____ C:\Users\Kyle\Desktop\FRST.txt
2015-06-06 12:24 - 2015-06-06 12:25 - 00000000 ____D C:\FRST
2015-06-06 12:24 - 2015-06-06 12:24 - 02108928 _____ (Farbar) C:\Users\Kyle\Desktop\FRST64.exe
2015-06-06 12:24 - 2015-06-06 12:24 - 01147392 _____ (Farbar) C:\Users\Kyle\Desktop\FRST.exe
2015-06-06 10:46 - 2015-06-06 10:46 - 00001377 _____ C:\Users\Kyle\Desktop\JRT.txt
2015-06-06 10:44 - 2015-06-06 10:44 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-CHUBS-Windows-8.1-(64-bit).dat
2015-06-06 10:44 - 2015-06-06 10:44 - 00000000 ____D C:\RegBackup
2015-06-06 10:43 - 2015-06-06 10:43 - 00079064 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\kntdqq.sys
2015-06-06 10:40 - 2015-06-06 10:40 - 00035064 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-06-06 10:40 - 2015-06-06 10:40 - 00000000 ____D C:\ProgramData\RogueKiller
2015-06-06 10:30 - 2015-06-06 10:44 - 00000080 _____ C:\Users\Kyle\Desktop\FxSasser.log
2015-06-06 10:13 - 2015-06-06 10:13 - 00151696 _____ (Symantec Corporation) C:\Users\Kyle\Desktop\FxSasser.exe
2015-06-06 09:45 - 2015-06-06 09:45 - 00001820 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-06-06 09:45 - 2015-06-06 09:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-06-06 09:45 - 2015-06-06 09:45 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-06-06 09:38 - 2015-06-06 09:38 - 00000000 ____D C:\KVRT_Data
2015-06-06 09:35 - 2015-06-06 09:35 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\SUPERAntiSpyware.com
2015-06-06 09:34 - 2015-06-06 09:34 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2015-06-04 07:39 - 2015-06-04 07:40 - 168526616 _____ (Microsoft Corporation) C:\Users\Kyle\Desktop\msert.exe
2015-06-01 18:00 - 2015-06-01 18:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Plex Media Server
2015-06-01 18:00 - 2015-06-01 18:00 - 00000000 ____D C:\Program Files (x86)\Plex
2015-06-01 17:55 - 2015-06-01 17:55 - 00000000 ____D C:\Users\Kyle\AppData\Local\GWX
2015-05-28 07:54 - 2015-06-02 17:39 - 00000000 ____D C:\Program Files (x86)\Villagers and Heroes
2015-05-28 07:54 - 2015-05-28 07:54 - 00001112 _____ C:\Users\Public\Desktop\Villagers and Heroes.lnk
2015-05-28 07:54 - 2015-05-28 07:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Villagers and Heroes
2015-05-23 11:24 - 2015-05-23 11:25 - 97464104 _____ C:\Users\Kyle\Desktop\The Psyke Project - Guillotine -full album 2013.zip
2015-05-22 09:02 - 2015-05-22 09:02 - 00000208 _____ C:\Users\Kyle\Desktop\Ziggurat.url
2015-05-21 15:18 - 2015-05-21 15:18 - 00001933 _____ C:\Users\Public\Desktop\Neverwinter.lnk
2015-05-21 15:12 - 2015-05-25 11:34 - 00000000 ____D C:\Program Files (x86)\Neverwinter_en
2015-05-21 14:09 - 2015-05-21 15:18 - 00000000 ___HD C:\ArcTemp
2015-05-21 14:08 - 2015-06-06 09:50 - 00000000 ____D C:\Program Files (x86)\Arc
2015-05-21 14:08 - 2015-05-21 15:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Perfect World Entertainment
2015-05-21 14:08 - 2015-05-21 14:09 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\Arc
2015-05-21 14:08 - 2015-05-21 14:08 - 00001604 _____ C:\Users\Public\Desktop\Arc.lnk
2015-05-21 13:52 - 2015-06-03 21:17 - 00000983 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk
2015-05-21 13:52 - 2015-06-03 21:17 - 00000971 _____ C:\Users\Public\Desktop\TeamViewer 10.lnk
2015-05-21 13:52 - 2015-05-21 13:52 - 00000000 ____D C:\Users\Kyle\AppData\Local\TeamViewer
2015-05-21 13:51 - 2015-06-03 21:17 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2015-05-21 13:49 - 2015-05-21 13:50 - 08006912 _____ (TeamViewer GmbH) C:\Users\Kyle\Desktop\TeamViewer_Setup_en.exe
2015-05-16 15:29 - 2015-05-16 15:29 - 32983363 _____ C:\Users\Kyle\Downloads\bearvsursos.mp4
2015-05-16 15:29 - 2015-05-16 15:29 - 22128993 _____ C:\Users\Kyle\Downloads\bearvsursos — beachbatorbleeper_ bleep spanish tourist doggy....mp4
2015-05-16 15:29 - 2015-05-16 15:29 - 14734015 _____ C:\Users\Kyle\Downloads\bearvsursos — gordomaduro_ me gusta que rico„,.mp4
2015-05-16 15:29 - 2015-05-16 15:29 - 14108111 _____ C:\Users\Kyle\Downloads\bearvsursos_2.mp4
2015-05-14 19:53 - 2015-05-14 19:53 - 00000000 ____D C:\Users\Kyle\AppData\Local\SKIDROW
2015-05-14 19:53 - 2015-05-14 19:53 - 00000000 ____D C:\Users\Kyle\AppData\Local\BigHugeEngine
2015-05-13 08:17 - 2015-04-30 15:35 - 00124112 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-13 08:17 - 2015-04-30 15:35 - 00102608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2015-05-13 07:46 - 2015-05-13 07:46 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-05-13 07:34 - 2015-04-30 18:05 - 00429568 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2015-05-13 07:34 - 2015-04-30 17:48 - 00358912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2015-05-13 07:34 - 2015-04-24 16:32 - 00036864 _____ (Microsoft Corporation) C:\WINDOWS\system32\UtcResources.dll
2015-05-13 07:34 - 2015-04-21 12:14 - 24971776 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-05-13 07:34 - 2015-04-21 11:50 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-05-13 07:34 - 2015-04-21 11:50 - 00417792 _____ (Microsoft Corporation) C:\WINDOWS\system32\html.iec
2015-05-13 07:34 - 2015-04-21 11:49 - 02885120 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-05-13 07:34 - 2015-04-21 11:37 - 00633856 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2015-05-13 07:34 - 2015-04-21 11:35 - 00816640 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-05-13 07:34 - 2015-04-21 11:31 - 06025728 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-05-13 07:34 - 2015-04-21 11:24 - 19691008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-05-13 07:34 - 2015-04-21 11:13 - 00107520 _____ (Microsoft Corporation) C:\WINDOWS\system32\inseng.dll
2015-05-13 07:34 - 2015-04-21 11:11 - 00504320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-05-13 07:34 - 2015-04-21 11:09 - 00341504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\html.iec
2015-05-13 07:34 - 2015-04-21 11:08 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-05-13 07:34 - 2015-04-21 11:07 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2015-05-13 07:34 - 2015-04-21 11:05 - 00316928 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2015-05-13 07:34 - 2015-04-21 11:04 - 02278400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-05-13 07:34 - 2015-04-21 10:59 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-05-13 07:34 - 2015-04-21 10:58 - 00664576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-05-13 07:34 - 2015-04-21 10:52 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-05-13 07:34 - 2015-04-21 10:49 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-05-13 07:34 - 2015-04-21 10:49 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-05-13 07:34 - 2015-04-21 10:49 - 00374272 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-05-13 07:34 - 2015-04-21 10:46 - 02125824 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-05-13 07:34 - 2015-04-21 10:40 - 14401536 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-05-13 07:34 - 2015-04-21 10:38 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2015-05-13 07:34 - 2015-04-21 10:37 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2015-05-13 07:34 - 2015-04-21 10:36 - 00285696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2015-05-13 07:34 - 2015-04-21 10:31 - 04305920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-05-13 07:34 - 2015-04-21 10:28 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-05-13 07:34 - 2015-04-21 10:27 - 02352128 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-05-13 07:34 - 2015-04-21 10:26 - 00688640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-05-13 07:34 - 2015-04-21 10:26 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-05-13 07:34 - 2015-04-21 10:25 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-05-13 07:34 - 2015-04-21 10:17 - 12828672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-05-13 07:34 - 2015-04-21 10:15 - 01547264 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-05-13 07:34 - 2015-04-21 10:02 - 01882112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-05-13 07:34 - 2015-04-21 09:58 - 01310208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-05-13 07:34 - 2015-04-13 17:48 - 04180480 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-05-13 07:34 - 2015-04-09 20:00 - 01996800 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWrite.dll
2015-05-13 07:34 - 2015-04-09 19:50 - 01387008 _____ (Microsoft Corporation) C:\WINDOWS\system32\FntCache.dll
2015-05-13 07:34 - 2015-04-09 19:34 - 02256896 _____ (Microsoft Corporation) C:\WINDOWS\system32\dwmcore.dll
2015-05-13 07:34 - 2015-04-09 19:26 - 01560576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DWrite.dll
2015-05-13 07:34 - 2015-04-09 19:11 - 01943040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dwmcore.dll
2015-05-13 07:34 - 2015-04-08 17:55 - 00410128 _____ (Microsoft Corporation) C:\WINDOWS\system32\services.exe
2015-05-13 07:34 - 2015-04-02 19:35 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhotoMetadataHandler.dll
2015-05-13 07:34 - 2015-04-02 19:14 - 00364544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PhotoMetadataHandler.dll
2015-05-13 07:34 - 2015-04-01 17:22 - 02985984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbgeng.dll
2015-05-13 07:34 - 2015-04-01 17:20 - 04417536 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll
2015-05-13 07:34 - 2015-03-31 22:45 - 01491456 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbghelp.dll
2015-05-13 07:34 - 2015-03-31 21:31 - 01207296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbghelp.dll
2015-05-13 07:34 - 2015-03-30 00:47 - 00561928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2015-05-13 07:34 - 2015-03-26 22:27 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2015-05-13 07:34 - 2015-03-26 21:50 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2015-05-13 07:34 - 2015-03-26 21:48 - 01441792 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2015-05-13 07:34 - 2015-03-19 20:56 - 00080384 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ahcache.sys
2015-05-13 07:34 - 2015-03-17 12:26 - 00467776 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBHUB3.SYS
2015-05-13 07:34 - 2015-03-12 23:03 - 00239424 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\sdbus.sys
2015-05-13 07:34 - 2015-03-12 23:03 - 00154432 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dumpsd.sys
2015-05-13 07:34 - 2015-03-12 21:02 - 00316416 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\udfs.sys
2015-05-13 07:34 - 2015-03-12 20:11 - 02162176 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRH.dll
2015-05-13 07:34 - 2015-03-12 19:39 - 01812992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRH.dll
2015-05-13 07:34 - 2015-03-12 19:29 - 00410017 _____ C:\WINDOWS\system32\ApnDatabase.xml
2015-05-13 07:34 - 2015-03-10 20:49 - 00024576 _____ (Microsoft Corporation) C:\WINDOWS\system32\sdbinst.exe
2015-05-13 07:34 - 2015-03-10 20:09 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sdbinst.exe
2015-05-13 07:34 - 2015-03-08 21:02 - 00057856 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthhfenum.sys
2015-05-13 07:34 - 2015-03-05 22:08 - 02067968 _____ (Microsoft Corporation) C:\WINDOWS\system32\wpdshext.dll
2015-05-13 07:34 - 2015-03-05 21:47 - 01696256 _____ (Microsoft Corporation) C:\WINDOWS\system32\wevtsvc.dll
2015-05-13 07:34 - 2015-03-05 21:43 - 01969664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wpdshext.dll
2015-05-13 07:34 - 2015-03-04 18:09 - 01429504 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack.dll
2015-05-13 07:34 - 2015-03-03 20:32 - 00172544 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Input.Inking.dll
2015-05-13 07:34 - 2015-03-03 20:12 - 00141824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Input.Inking.dll
2015-05-13 07:34 - 2015-02-17 18:19 - 00186368 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpapisrv.dll
2015-05-13 07:34 - 2015-01-29 19:53 - 02819584 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingsHandlers.dll
2015-05-13 07:34 - 2014-11-14 01:58 - 00116736 _____ (Microsoft Corporation) C:\WINDOWS\system32\SystemSettingsDatabase.dll
2015-05-13 07:33 - 2015-04-21 10:32 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-05-13 07:33 - 2015-04-21 10:03 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-05-13 07:33 - 2015-04-21 09:56 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-05-09 08:46 - 2015-05-09 08:46 - 00001340 _____ C:\Users\Public\Desktop\Freemake Video Converter.lnk
2015-05-09 08:45 - 2015-05-22 20:24 - 00000000 ____D C:\Users\Kyle\Desktop\t
2015-05-07 15:15 - 2015-05-07 19:03 - 00000000 ____D C:\Users\Kyle\Documents\eFile Express 2014
2015-05-07 15:15 - 2015-05-07 15:15 - 00002145 _____ C:\Users\Kyle\Desktop\eFile Express 2014.lnk
2015-05-07 15:15 - 2015-05-07 15:15 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\eFile Express 2014
2015-05-07 15:15 - 2015-05-07 15:15 - 00000000 ____D C:\Program Files (x86)\eFile Express 2014
2015-05-07 06:58 - 2015-05-07 06:59 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\Tera_Awesomium
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-06 12:23 - 2014-07-11 19:43 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1562672214-3536400489-3838108396-1001
2015-06-06 12:19 - 2015-03-14 11:43 - 00000000 ____D C:\Program Files\Common Files\Adobe
2015-06-06 12:19 - 2014-08-30 14:34 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-06-06 12:19 - 2014-08-30 14:33 - 00000000 ____D C:\ProgramData\Adobe
2015-06-06 12:19 - 2014-07-11 19:38 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\Adobe
2015-06-06 12:16 - 2014-07-11 19:48 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\ClassicShell
2015-06-06 12:06 - 2014-07-11 20:41 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-06 12:02 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-06-06 11:58 - 2015-04-30 21:41 - 00000892 _____ C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job
2015-06-06 10:43 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\TAPI
2015-06-06 10:21 - 2014-07-12 16:56 - 00136408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-06-06 10:20 - 2015-03-25 11:12 - 00000000 ____D C:\Users\Kyle\AppData\Local\MyComGames
2015-06-06 10:20 - 2014-07-11 21:33 - 00000000 ___RD C:\Users\Kyle\Google Drive
2015-06-06 10:19 - 2014-07-17 22:57 - 00000000 ____D C:\ProgramData\NzbDrone
2015-06-06 10:19 - 2014-07-11 20:41 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-06 10:19 - 2013-08-22 09:46 - 00311770 _____ C:\WINDOWS\setupact.log
2015-06-06 10:19 - 2013-08-22 09:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-06-06 10:18 - 2014-12-13 19:52 - 00000000 ____D C:\AdwCleaner
2015-06-06 10:18 - 2013-08-22 08:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-06-06 10:14 - 2014-07-12 16:55 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-06 10:09 - 2014-07-11 20:33 - 01109959 _____ C:\WINDOWS\WindowsUpdate.log
2015-06-06 09:53 - 2015-04-11 19:50 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\Curse Client
2015-06-06 09:52 - 2015-04-27 16:54 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\Skype
2015-06-06 09:51 - 2014-07-11 20:22 - 00000000 ____D C:\Program Files (x86)\Razer
2015-06-06 09:50 - 2013-08-22 09:44 - 05003832 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-06-05 17:12 - 2014-07-11 22:41 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\KeePass
2015-06-05 05:46 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-06-04 20:33 - 2014-07-13 02:49 - 01551360 ___SH C:\Users\Kyle\Desktop\Thumbs.db
2015-06-04 08:47 - 2014-08-18 14:28 - 00000000 ____D C:\Users\Kyle\AppData\Local\Battle.net
2015-06-02 20:18 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2015-06-02 10:57 - 2014-07-11 22:41 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\vlc
2015-06-02 09:42 - 2015-03-28 20:21 - 00000000 ____D C:\Program Files (x86)\Battle.net
2015-06-01 18:00 - 2014-07-11 19:42 - 00000000 ____D C:\ProgramData\Package Cache
2015-05-29 20:02 - 2014-08-03 15:15 - 00123904 ___SH C:\Users\Kyle\Downloads\Thumbs.db
2015-05-28 07:54 - 2014-08-16 14:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-05-25 20:06 - 2014-07-11 20:43 - 00002203 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-05-23 12:54 - 2014-07-11 22:41 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\foobar2000
2015-05-22 09:03 - 2014-07-11 20:41 - 00000000 ____D C:\Program Files (x86)\Google
2015-05-21 19:04 - 2014-07-11 22:09 - 00252977 _____ C:\WINDOWS\DirectX.log
2015-05-21 14:08 - 2014-07-11 19:43 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-05-20 21:35 - 2015-04-30 21:35 - 00003824 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1430447726
2015-05-20 21:35 - 2015-04-30 21:35 - 00001063 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2015-05-20 21:35 - 2015-04-30 21:34 - 00000000 ____D C:\Program Files (x86)\Opera
2015-05-19 17:47 - 2013-08-22 10:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-05-19 17:46 - 2015-04-05 02:09 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2015-05-19 17:46 - 2015-04-05 02:09 - 00000000 ___SD C:\WINDOWS\system32\GWX
2015-05-18 20:56 - 2014-10-18 16:16 - 00000000 ____D C:\FTV
2015-05-17 05:01 - 2014-07-11 20:41 - 00003890 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-05-17 05:01 - 2014-07-11 20:41 - 00003654 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-05-17 03:44 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\rescache
2015-05-16 15:34 - 2014-07-12 17:23 - 00000000 ____D C:\Users\Kyle\AppData\Local\JDownloader 2.0
2015-05-16 13:03 - 2014-07-16 22:45 - 00000000 ____D C:\Users\Kyle\AppData\Roaming\TeraCopy
2015-05-16 11:33 - 2015-04-30 21:41 - 00003848 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player PPAPI Notifier
2015-05-16 11:33 - 2014-09-21 13:01 - 00000000 ____D C:\Users\Kyle\AppData\Local\Adobe
2015-05-16 10:58 - 2014-09-05 20:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-05-16 10:58 - 2014-03-18 04:54 - 00051944 _____ C:\WINDOWS\PFRO.log
2015-05-16 10:55 - 2013-08-22 10:36 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2015-05-16 10:55 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\AdvancedInstallers
2015-05-14 19:53 - 2014-07-11 22:14 - 00000000 ____D C:\Users\Kyle\Documents\My Games
2015-05-14 19:14 - 2014-08-16 14:49 - 00008354 _____ C:\Users\Kyle\Documents\Uninstall STAR WARS The Old Republic.log
2015-05-13 08:17 - 2014-07-14 04:16 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-05-13 08:11 - 2014-07-14 04:16 - 140425016 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-05-13 08:10 - 2014-03-18 04:45 - 00000000 ____D C:\Program Files\Windows Journal
2015-05-09 08:48 - 2015-01-20 09:04 - 00000000 ____D C:\ProgramData\Freemake
2015-05-09 08:46 - 2015-01-20 09:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freemake
2015-05-07 17:02 - 2014-07-11 21:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
 
==================== Files in the root of some directories =======
 
2015-03-14 11:58 - 2015-03-14 11:58 - 184702896 _____ () C:\Users\Kyle\AppData\Local\ACCCx2_9_1_474.zip.aamdownload
2015-03-14 11:58 - 2015-03-14 11:58 - 0002216 _____ () C:\Users\Kyle\AppData\Local\ACCCx2_9_1_474.zip.aamdownload.aamd
2015-03-14 22:15 - 2015-04-09 21:06 - 0001456 _____ () C:\Users\Kyle\AppData\Local\Adobe Save for Web 13.0 Prefs
2015-01-20 08:56 - 2015-01-20 08:56 - 0010743 _____ () C:\Users\Kyle\AppData\Local\recently-used.xbel
 
Some files in TEMP:
====================
C:\Users\Kyle\AppData\Local\Temp\27fff54a706caf16275619fa9b79269c.dll
C:\Users\Kyle\AppData\Local\Temp\4e6cf5d72520e51ea54dbf30164d13e3.dll
C:\Users\Kyle\AppData\Local\Temp\51ee653d1a3be65eb7c9adbc9f6bf613.dll
C:\Users\Kyle\AppData\Local\Temp\78069df3d26d60b7f0a63ba36654a697.dll
C:\Users\Kyle\AppData\Local\Temp\AdobeApplicationManager.exe
C:\Users\Kyle\AppData\Local\Temp\amd-catalyst-omega-14.12-without-dotnet45-win8.1-64bit.exe
C:\Users\Kyle\AppData\Local\Temp\AutoDetectUtilApp.exe
C:\Users\Kyle\AppData\Local\Temp\BRSVC_2490360484_hlp.exe
C:\Users\Kyle\AppData\Local\Temp\BRSVC_7069687_hlp.exe
C:\Users\Kyle\AppData\Local\Temp\BRSVC_974669828_hlp.exe
C:\Users\Kyle\AppData\Local\Temp\BullseyeCoverage-2-x86.dll
C:\Users\Kyle\AppData\Local\Temp\cde16b7fae63b5287f4ff8e5757bbd92.dll
C:\Users\Kyle\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Kyle\AppData\Local\Temp\FreemakeVideoConverterFull.exe
C:\Users\Kyle\AppData\Local\Temp\Gw2.exe
C:\Users\Kyle\AppData\Local\Temp\handbrake-setup.exe
C:\Users\Kyle\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe
C:\Users\Kyle\AppData\Local\Temp\HiRezLauncherControls.dll
C:\Users\Kyle\AppData\Local\Temp\JDSetup130496260731990179.exe
C:\Users\Kyle\AppData\Local\Temp\JDSetup130496266280414079.exe
C:\Users\Kyle\AppData\Local\Temp\JDSetup130496773124497555.exe
C:\Users\Kyle\AppData\Local\Temp\jna2970961822347017224.dll
C:\Users\Kyle\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
C:\Users\Kyle\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\Kyle\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Kyle\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Kyle\AppData\Local\Temp\MediaBrowser.Uninstaller.exe
C:\Users\Kyle\AppData\Local\Temp\msvcp120.dll
C:\Users\Kyle\AppData\Local\Temp\msvcr120.dll
C:\Users\Kyle\AppData\Local\Temp\npp.6.7.4.Installer.exe
C:\Users\Kyle\AppData\Local\Temp\pc-decrapifier.exe
C:\Users\Kyle\AppData\Local\Temp\proxy_vole7478474931553357257.dll
C:\Users\Kyle\AppData\Local\Temp\Quarantine.exe
C:\Users\Kyle\AppData\Local\Temp\raptrpatch.exe
C:\Users\Kyle\AppData\Local\Temp\raptr_stub.exe
C:\Users\Kyle\AppData\Local\Temp\sqlite3.dll
C:\Users\Kyle\AppData\Local\Temp\Unins000.exe
C:\Users\Kyle\AppData\Local\Temp\Uninstaller-4864.exe
C:\Users\Kyle\AppData\Local\Temp\Uninstaller-5916.exe
C:\Users\Kyle\AppData\Local\Temp\vlc-2.1.5-win32.exe
C:\Users\Kyle\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\Kyle\AppData\Local\Temp\xmlUpdater.exe
C:\Users\Kyle\AppData\Local\Temp\__pythonRunner.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-06-05 05:45
 
==================== End of log ============================


#2 vivisect
  • Topic Starter
  • Members

Posted 09 June 2015 - 08:52 PM

I know I am not supposed to bump, but there are way newer threads that have been answered. If I submitted wrong, I'm sorry. 



#3 nasdaq
  • Malware Response Team

Posted 11 June 2015 - 07:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
CHR HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
U0 wbxsytwk; C:\Windows\System32\drivers\kntdqq.sys [79064 2015-06-06] (Malwarebytes Corporation)
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 EagleX64; \??\C:\WINDOWS\system32\drivers\EagleX64.sys [X]
S3 X6va029; \??\C:\WINDOWS\SysWOW64\Drivers\X6va029 [X]
S3 xhunter1; \??\C:\WINDOWS\xhunter1.sys [X]
Task: {C16AB5C1-3FDE-4F50-8495-4F8F8E8E3DA2} - System32\Tasks\Origin => C:\ProgramData\Origin\update.vbe [2015-02-15] () <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:DocumentSummaryInformation
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:SummaryInformation
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Kyle\OneDrive:ms-properties
C:\Windows\System32\drivers\kntdqq.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?
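A defender-side check of the two things the fixlist above targets (core Windows process names running from the wrong place, and a scheduled task launching a script from a user-writable folder such as the Origin => update.vbe entry). This is an added PowerShell example, not part of the thread and not FRST's own logic; the function names, the list of core process names and the writable-location patterns are assumptions of mine.

```powershell
# Added example, not from the thread or from FRST: report core Windows process
# names running from outside the system directories or without a valid
# Authenticode signature, and scheduled tasks whose action runs from a
# user-writable location. Run from an elevated PowerShell prompt (Windows 8.1+).
$sysRoot      = $env:SystemRoot
$coreNames    = @('svchost.exe', 'lsass.exe', 'services.exe', 'winlogon.exe', 'explorer.exe')  # assumed list
$expectedDirs = @("$sysRoot\System32", "$sysRoot\SysWOW64", $sysRoot)
# Constructed patterns for locations a normal system task should not launch from.
$writablePatterns = @('*\ProgramData\*', '*\AppData\*', '*\Temp\*', '*\Users\Public\*')

function Test-ImpostorProcess {
    # One object per running process that borrows a core name but fails the
    # location or signature check (the genuine copies in the FRST log above pass both).
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        if ($coreNames -notcontains $p.Name) { continue }
        $path = $p.ExecutablePath
        if (-not $path) { continue }          # path is hidden when not elevated
        $dir = Split-Path -Path $path -Parent
        $inSystemDir = [bool]($expectedDirs | Where-Object { $_ -ieq $dir })
        $sig = Get-AuthenticodeSignature -FilePath $path
        if (-not $inSystemDir -or $sig.Status -ne 'Valid') {
            $reason = if ($inSystemDir) { 'bad or missing signature' } else { 'outside system directories' }
            [pscustomobject]@{
                Pid       = $p.ProcessId
                Name      = $p.Name
                Path      = $path
                Signature = $sig.Status
                Reason    = $reason
            }
        }
    }
}

function Get-SuspiciousTask {
    # Tasks whose command line points into ProgramData, AppData, Temp or Public:
    # a triage list, since some legitimate updaters also live there.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions have no command line
            $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
            foreach ($pattern in $writablePatterns) {
                if ($cmd -like $pattern) {
                    [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; Command = $cmd }
                    break
                }
            }
        }
    }
}

Test-ImpostorProcess | Format-Table -AutoSize
Get-SuspiciousTask   | Format-Table -AutoSize
```

An empty first table and a second table containing only known updaters is the expected result on a clean machine; any core name reported from a Temp folder is the pattern this thread describes.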

#4 vivisect
  • Topic Starter
  • Members

Posted 11 June 2015 - 08:57 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:06-06-2015
Ran by Kyle at 2015-06-11 08:11:38 Run:1
Running from C:\Users\Kyle\Desktop
Loaded Profiles: Kyle (Available Profiles: Kyle)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
 
start
 
CloseProcesses:
 
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
CHR HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
U0 wbxsytwk; C:\Windows\System32\drivers\kntdqq.sys [79064 2015-06-06] (Malwarebytes Corporation)
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 EagleX64; \??\C:\WINDOWS\system32\drivers\EagleX64.sys [X]
S3 X6va029; \??\C:\WINDOWS\SysWOW64\Drivers\X6va029 [X]
S3 xhunter1; \??\C:\WINDOWS\xhunter1.sys [X]
Task: {C16AB5C1-3FDE-4F50-8495-4F8F8E8E3DA2} - System32\Tasks\Origin => C:\ProgramData\Origin\update.vbe [2015-02-15] () <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:DocumentSummaryInformation
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:SummaryInformation
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Kyle\OneDrive:ms-properties
C:\Windows\System32\drivers\kntdqq.sys
 
End
*****************
 
Processes closed successfully.
"HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect" => key removed successfully
"HKU\S-1-5-21-1562672214-3536400489-3838108396-1001\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => key removed successfully
wbxsytwk => Service not found.
BRDriver64_1_3_3_E02B25FC => Service removed successfully
EagleX64 => Service removed successfully
X6va029 => Service removed successfully
xhunter1 => Service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C16AB5C1-3FDE-4F50-8495-4F8F8E8E3DA2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C16AB5C1-3FDE-4F50-8495-4F8F8E8E3DA2}" => key removed successfully
C:\Windows\System32\Tasks\Origin => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Origin" => key removed successfully
"C:\WINDOWS\SysWOW64\zlib.dll" => ":DocumentSummaryInformation" ADS not found.
"C:\WINDOWS\SysWOW64\zlib.dll" => ":SummaryInformation" ADS not found.
C:\WINDOWS\SysWOW64\zlib.dll => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\Users\Kyle\OneDrive" => ":ms-properties" ADS not found.
"C:\Windows\System32\drivers\kntdqq.sys" => File/Folder not found.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 08:11:38 ====
 
It looks like it is working! Neither process seemed to start this time. No longer 100% CPU.


#5 nasdaq
  • Malware Response Team

Posted 11 June 2015 - 12:40 PM

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#6 nasdaq
  • Malware Response Team

Posted 17 June 2015 - 07:43 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



