
Removing netsupport hijacking


5 replies to this topic

#1 henhenhen15 (Members, 3 posts)

Posted 13 July 2015 - 05:02 PM

Recently my laptop was hijacked by NetSupport, taking my Steam items, and I fear that portion of the malware is still in my laptop. I ran Malwarebytes and MSE at the same time and nothing came out. NetSupport keeps asking to access my firewall, but I keep pressing cancel.

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-07-2015
Ran by Ron (administrator) on RON-PC on 13-07-2015 17:52:46
Running from C:\Users\Ron\Downloads
Loaded Profiles: Ron (Available Profiles: Ron)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AuthenTec, Inc) C:\Program Files\AuthenTec TrueSuite\TrueSuiteService.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Bison Inc.) C:\Program Files (x86)\BisonCam\PID_0361\DeLay.exe
(Authentec) C:\Program Files\AuthenTec TrueSuite\KeepSafe\fvsvr.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files (x86)\Hotkey\PowerBiosServer.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Nota Inc.) C:\Program Files (x86)\Gyazo\GyStation.exe
() C:\Program Files (x86)\Hotkey\Hotkey.exe
() C:\Program Files\Qualcomm Atheros\Killer Network Manager\KillerNetManager.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
() C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe
() C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(AuthenTec Inc.) C:\Program Files\AuthenTec TrueSuite\TouchControl.exe
(AuthenTec Inc.) C:\Program Files\AuthenTec TrueSuite\BioMonitor.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(NetSupport Ltd) C:\Users\Ron\AppData\Roaming\Schema\clock.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13374568 2011-12-13] (Realtek Semiconductor)
HKLM\...\Run: [THXCfg64] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [DeLay] => C:\Program Files (x86)\BisonCam\PID_0361\DeLay.exe [53248 2008-12-05] (Bison Inc.)
HKLM\...\Run: [KeepSafe] => C:\Program Files\AuthenTec TrueSuite\KeepSafe\fvsvr.exe [38728 2011-10-21] (Authentec)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2328360 2010-09-16] (Synaptics Incorporated)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [1020064 2012-02-13] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [800416 2012-02-13] (Atheros Commnucations)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2585744 2015-02-05] (NVIDIA Corporation)
HKLM-x32\...\Run: [THX Audio Control Panel] => C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe [1374720 2010-11-01] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-26] (Intel Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2044034397-327355318-1520998327-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8322328 2015-05-08] (Piriform Ltd)
HKU\S-1-5-21-2044034397-327355318-1520998327-1000\...\Run: [clock] => C:\Users\Ron\AppData\Roaming\Schema\clock.exe [34808 2011-10-07] (NetSupport Ltd)
HKU\S-1-5-21-2044034397-327355318-1520998327-1000\...\Run: [Gyazo] => C:\Program Files (x86)\Gyazo\GyStation.exe [3097912 2015-07-08] (Nota Inc.)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2015-02-12] (Microsoft Corporation)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [177624 2015-02-05] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [164752 2015-02-05] (NVIDIA Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Hotkey.lnk [2015-06-20]
ShortcutTarget: Hotkey.lnk -> C:\Program Files (x86)\Hotkey\Hotkey.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Qualcomm Atheros Killer Network Manager.lnk [2015-02-11]
ShortcutTarget: Qualcomm Atheros Killer Network Manager.lnk -> C:\Program Files\Qualcomm Atheros\Killer Network Manager\KillerNetManager.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SteelSeries Engine 3.lnk [2015-02-12]
ShortcutTarget: SteelSeries Engine 3.lnk -> C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe ()
ShellIconOverlayIdentifiers: [UEAFOverlay] -> {BC6D10E6-AE59-4cef-83DB-FD4C9BC7B7F2} => C:\Program Files\AuthenTec TrueSuite\KeepSafe\fvns.dll [2011-10-21] (Authentec)
ShellIconOverlayIdentifiers: [UEAFOverlayOpen] -> {93BB455E-3D52-4fba-9733-E5103B30FC12} => C:\Program Files\AuthenTec TrueSuite\KeepSafe\fvns.dll [2011-10-21] (Authentec)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2044034397-327355318-1520998327-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2015-05-19] (Microsoft Corporation)
BHO: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files\AuthenTec TrueSuite\IEBHO.dll [2011-11-03] (AuthenTec Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-21] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2015-05-13] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2015-05-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-04-15] (Oracle Corporation)
BHO-x32: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files\AuthenTec TrueSuite\x86\IEBHO.dll [2011-11-03] (AuthenTec Inc.)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-02-13] (Atheros Commnucations)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2015-05-13] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-15] (Oracle Corporation)
Winsock: Catalog9 01 C:\Windows\SysWOW64\BfLLR.dll [196096 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9 02 C:\Windows\SysWOW64\BfLLR.dll [196096 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9 03 C:\Windows\SysWOW64\BfLLR.dll [196096 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9 04 C:\Windows\SysWOW64\BfLLR.dll [196096 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9 05 C:\Windows\SysWOW64\BfLLR.dll [196096 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9 06 C:\Windows\SysWOW64\BfLLR.dll [196096 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9 17 C:\Windows\SysWOW64\BfLLR.dll [196096 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 01 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 02 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 03 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 04 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 05 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 06 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Winsock: Catalog9-x64 17 C:\Windows\system32\BfLLR.dll [216064 2012-07-23] (Bigfoot Networks, Inc.)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{06ED0053-6B73-4554-8022-BFFA76E68230}: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{9EC1BAEA-603D-4FBE-B5F6-3BC9BCBFCF3A}: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_203.dll [2015-07-09] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll [2015-07-09] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-15] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-15] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-03-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-13] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-03-31] (Microsoft Corporation)
 
Chrome: 
=======
CHR Profile: C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-11]
CHR Extension: (Google Docs) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-11]
CHR Extension: (Google Drive) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-11]
CHR Extension: (YouTube) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-11]
CHR Extension: (Adblock Plus) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-04-11]
CHR Extension: (Google Search) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-11]
CHR Extension: (Website Logon) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\eioaimhbaiomogmbefipmnbpjmefhhoc [2015-02-11]
CHR Extension: (Google Sheets) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-11]
CHR Extension: (LoungeDestroyer) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghahcnmfjfckcedfajbhekgknjdplfcl [2015-02-26]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Steam Theme) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcphcjcjgkjmbphkfjleamgkinaeebnm [2015-03-26]
CHR Extension: (Google Wallet) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-11]
CHR Extension: (Gmail) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-11]
CHR HKLM-x32\...\Chrome\Extension: [eioaimhbaiomogmbefipmnbpjmefhhoc] - C:\Program Files\AuthenTec TrueSuite\x86\tschrome.crx [2011-09-02]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [106144 2012-02-13] (Atheros Commnucations) [File not signed]
R2 FPLService; C:\Program Files\AuthenTec TrueSuite\TrueSuiteService.exe [299848 2011-11-03] (AuthenTec, Inc)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2015-02-05] (NVIDIA Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [127320 2012-03-14] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [162648 2012-03-14] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1706128 2015-02-05] (NVIDIA Corporation)
R2 PowerBiosServer; C:\Program Files (x86)\Hotkey\PowerBiosServer.exe [35840 2012-06-28] () [File not signed]
R2 Qualcomm Atheros Killer Service; C:\Program Files\Qualcomm Atheros\Killer Network Manager\BFNService.exe [490496 2012-07-23] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 Ak27x64; C:\Windows\System32\DRIVERS\Ak27x64.sys [3364720 2012-07-23] (Qualcomm Atheros, Inc.)
R1 BfLwf; C:\Windows\System32\DRIVERS\bflwfx64.sys [66928 2012-07-23] (Qualcomm Atheros, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-04-14] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2015-02-05] (NVIDIA Corporation)
S3 ssdevfactory; C:\Windows\System32\DRIVERS\ssdevfactory.sys [25088 2015-02-02] (SteelSeries ApS)
R3 sshid; C:\Windows\System32\DRIVERS\sshid.sys [42056 2015-02-02] (SteelSeries ApS)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-07-13 17:52 - 2015-07-13 17:53 - 00019594 _____ C:\Users\Ron\Downloads\FRST.txt
2015-07-13 17:52 - 2015-07-13 17:52 - 02133504 _____ (Farbar) C:\Users\Ron\Downloads\FRST64.exe
2015-07-13 17:52 - 2015-07-13 17:52 - 00000000 ____D C:\FRST
2015-07-13 16:06 - 2015-07-13 16:15 - 00000168 _____ C:\Windows\setupact.log
2015-07-13 16:06 - 2015-07-13 16:06 - 00000000 _____ C:\Windows\setuperr.log
2015-07-11 17:30 - 2015-07-11 17:30 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_btath_hcrp_01009.Wdf
2015-07-11 17:28 - 2015-07-11 17:28 - 00000000 ____D C:\Users\Ron\AppData\Local\BMExplorer
2015-07-09 14:08 - 2015-07-09 14:08 - 00000000 ____D C:\Users\Ron\AppData\Roaming\Gyazo
2015-07-09 14:07 - 2015-07-10 14:07 - 00000000 ____D C:\Program Files (x86)\Gyazo
2015-07-09 14:07 - 2015-07-09 14:07 - 09987128 _____ (Nota Inc. ) C:\Users\Ron\Downloads\Gyazo-3.1.1.exe
2015-07-09 14:07 - 2015-07-09 14:07 - 00003396 _____ C:\Windows\System32\Tasks\GyazoUpdateTaskMachineDaily
2015-07-09 14:07 - 2015-07-09 14:07 - 00003270 _____ C:\Windows\System32\Tasks\GyazoUpdateTaskMachine
2015-07-09 14:07 - 2015-07-09 14:07 - 00000982 _____ C:\Users\Public\Desktop\Gyazo.lnk
2015-07-09 14:07 - 2015-07-09 14:07 - 00000982 _____ C:\Users\Public\Desktop\Gyazo GIF.lnk
2015-07-09 14:07 - 2015-07-09 14:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gyazo
2015-07-06 19:57 - 2015-07-06 19:57 - 00057047 _____ C:\Users\Ron\Downloads\Kool_Aid_Man.jpeg
2015-06-29 21:24 - 2015-06-29 21:24 - 00000000 ____D C:\Users\Ron\AppData\Roaming\Dofus-2
2015-06-29 19:39 - 2015-07-07 20:07 - 00000000 ____D C:\Users\Ron\AppData\Roaming\Dofus
2015-06-26 20:52 - 2015-06-26 20:52 - 06456928 _____ (Ankama Studio) C:\Users\Ron\Downloads\dofus.exe
2015-06-20 10:58 - 2015-07-13 15:54 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-20 10:57 - 2015-06-20 10:57 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-20 10:57 - 2015-06-20 10:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-20 10:57 - 2015-06-20 10:57 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-20 10:57 - 2015-06-20 10:57 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-20 10:57 - 2015-04-14 09:37 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-20 10:57 - 2015-04-14 09:37 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-20 10:57 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-19 18:41 - 2015-06-20 10:28 - 00000000 ____D C:\Windows\pss
2015-06-19 17:54 - 2015-06-19 17:54 - 00000399 _____ C:\Users\Ron\AppData\Roaming\passwords.txt
2015-06-19 17:54 - 2015-06-19 17:54 - 00000397 _____ C:\Users\Ron\AppData\Roaming\pass.txt
2015-06-19 17:54 - 2015-06-19 17:54 - 00000017 _____ C:\Users\Ron\AppData\Roaming\ds.txt
2015-06-19 17:06 - 2015-06-19 17:07 - 00587776 _____ (Igor Pavlov) C:\Users\Ron\AppData\Roaming\inside.exe
2015-06-19 17:06 - 2015-05-20 13:29 - 00000000 _RSHD C:\Users\Ron\AppData\Roaming\Schema
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-07-13 17:49 - 2015-02-26 16:28 - 01468014 _____ C:\Windows\WindowsUpdate.log
2015-07-13 17:35 - 2015-02-12 11:44 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-13 17:35 - 2015-02-11 23:48 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-13 16:14 - 2009-07-14 00:45 - 00014960 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-13 16:14 - 2009-07-14 00:45 - 00014960 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-13 16:06 - 2015-02-11 23:48 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-13 16:06 - 2015-02-11 23:40 - 00000000 ____D C:\ProgramData\Bigfoot Networks
2015-07-13 16:06 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-12 23:12 - 2015-04-04 17:22 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-07-12 23:12 - 2015-04-04 17:22 - 00000000 ___SD C:\Windows\system32\GWX
2015-07-11 17:31 - 2009-07-14 01:13 - 00778834 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-11 17:29 - 2015-02-11 23:43 - 00000000 ____D C:\ProgramData\Atheros
2015-07-11 17:28 - 2009-07-13 23:20 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-07-11 12:35 - 2015-02-12 15:35 - 00000000 ____D C:\Users\Ron\AppData\Local\SteelSeries Engine 3 Client
2015-07-09 14:59 - 2015-04-15 18:59 - 18510000 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-07-09 14:59 - 2015-02-12 11:44 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-09 14:59 - 2015-02-12 11:44 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-09 14:59 - 2015-02-12 11:44 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-08 15:44 - 2015-03-14 16:47 - 00000008 _____ C:\Users\Ron\AppData\Roaming\DofusAppId0_2
2015-07-08 15:40 - 2015-03-14 15:29 - 00000113 _____ C:\Users\Ron\AppData\Roaming\D2Info0
2015-07-08 15:40 - 2015-03-14 15:23 - 00008868 _____ C:\Users\Ron\AppData\Localtransition_f36f04c9313e8b00fe519faf99ff1650.ini
2015-07-07 20:07 - 2015-03-14 15:29 - 00000008 _____ C:\Users\Ron\AppData\Roaming\DofusAppId0_1
2015-07-07 17:00 - 2015-02-11 23:49 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-07-06 15:43 - 2009-07-13 23:20 - 00000000 __RHD C:\Users\Public\Libraries
2015-07-05 06:08 - 2015-02-11 23:52 - 00300704 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-06-28 19:57 - 2015-02-12 11:54 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-06-27 13:55 - 2015-02-16 19:35 - 00000000 ____D C:\Users\Ron\AppData\Local\CrashDumps
2015-06-27 13:55 - 2015-02-15 13:26 - 00000000 ____D C:\Users\Ron\AppData\Roaming\TS3Client
2015-06-27 12:25 - 2015-03-14 15:23 - 00001001 _____ C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Dofus.lnk
2015-06-27 12:25 - 2015-03-14 15:23 - 00000999 _____ C:\Users\Ron\Desktop\Dofus.lnk
2015-06-24 21:44 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
2015-06-22 18:29 - 2015-03-14 18:25 - 00000008 _____ C:\Users\Ron\AppData\Roaming\DofusAppId0_3
2015-06-22 11:15 - 2015-02-12 11:43 - 00000000 ____D C:\Users\Ron\AppData\Local\Adobe
2015-06-20 10:25 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2015-06-14 14:39 - 2015-05-24 21:45 - 00000000 ____D C:\Users\Ron\AppData\Roaming\Curse Client
 
==================== Files in the root of some directories =======
 
2015-05-28 18:00 - 2015-05-28 18:00 - 0535758 _____ () C:\Users\Ron\AppData\Roaming\browsers.exe
2015-04-22 18:19 - 2015-04-22 18:19 - 0792314 _____ () C:\Users\Ron\AppData\Roaming\chromes.exe
2015-03-14 15:29 - 2015-07-08 15:40 - 0000113 _____ () C:\Users\Ron\AppData\Roaming\D2Info0
2015-03-14 15:29 - 2015-07-07 20:07 - 0000008 _____ () C:\Users\Ron\AppData\Roaming\DofusAppId0_1
2015-03-14 16:47 - 2015-07-08 15:44 - 0000008 _____ () C:\Users\Ron\AppData\Roaming\DofusAppId0_2
2015-03-14 18:25 - 2015-06-22 18:29 - 0000008 _____ () C:\Users\Ron\AppData\Roaming\DofusAppId0_3
2015-03-21 13:45 - 2015-03-21 14:49 - 0000008 _____ () C:\Users\Ron\AppData\Roaming\DofusAppId0_4
2015-06-19 17:54 - 2015-06-19 17:54 - 0000017 _____ () C:\Users\Ron\AppData\Roaming\ds.txt
2015-06-19 17:06 - 2015-06-19 17:07 - 0587776 _____ (Igor Pavlov) C:\Users\Ron\AppData\Roaming\inside.exe
2015-04-20 04:38 - 2015-04-20 04:38 - 0212552 _____ () C:\Users\Ron\AppData\Roaming\ip.exe
2015-04-24 19:18 - 2015-04-24 19:18 - 0212553 _____ () C:\Users\Ron\AppData\Roaming\ip2.exe
2015-06-19 17:54 - 2015-06-19 17:54 - 0000397 _____ () C:\Users\Ron\AppData\Roaming\pass.txt
2015-06-19 17:54 - 2015-06-19 17:54 - 0000399 _____ () C:\Users\Ron\AppData\Roaming\passwords.txt
2015-04-19 19:49 - 2015-04-19 21:21 - 0033193 _____ () C:\Users\Ron\AppData\Roaming\UserTile.png
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-07-13 12:58
 
==================== End of log ============================

Attached Files


Edited by henhenhen15, 13 July 2015 - 05:09 PM.


#2 shelf life (Malware Response Team, 2,688 posts)

Posted 15 July 2015 - 05:20 PM

Hi,

I am only on this site once or twice per day, so you may not get a reply back from me until the following day.

If you still need help you can do this:

Copy/paste what's between the two lines below into Notepad. Save it as fixlist.txt in the same location you have FRST.

Start FRST like before, except this time click on the Fix button once. The machine may reboot to finish. You will find a fixlog.txt in the same location as FRST once it's done. Please post the fixlog.txt in your reply.

------------------------------------------------------
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2044034397-327355318-1520998327-1000\...\Run: [clock] => C:\Users\Ron\AppData\Roaming\Schema\clock.exe [34808 2011-10-07] (NetSupport Ltd)
EmptyTemp:
-----------------------------------------------------


How Can I Reduce My Risk to Malware?


#3 henhenhen15 (Topic Starter)

Posted 15 July 2015 - 08:16 PM

here you go

Attached Files



#4 shelf life (Malware Response Team)

Posted 16 July 2015 - 04:50 PM

That didn't come out right. I think there was a space preceding the lines. Let's do it again.

Just like before: copy/paste what's below into Notepad. Save it as fixlist.txt in the same location you have FRST. Start FRST like before, except this time click on the Fix button once. The machine may reboot to finish. You will find a fixlog.txt in the same location as FRST once it's done. Please post the fixlog.txt in your reply.

HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2044034397-327355318-1520998327-1000\...\Run: [clock] => C:\Users\Ron\AppData\Roaming\Schema\clock.exe [34808 2011-10-07] (NetSupport Ltd)
EmptyTemp:

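The triage shelf life does by eye in the two posts above, as an added example that is not part of the thread and not FRST's own code: a Python script that reads the Run lines FRST prints under "Registry (Whitelisted)", flags the two kinds of entry that ended up in the fixlist (a Run value with no target, which FRST prints as `[] => [X]`, and a Run value that starts a remote-control product from a user-writable AppData path), and then emits those lines verbatim as fixlist.txt, stripping the zero-width spaces and leading blanks that broke the first attempt. The sample log lines are constructed from the FRST output posted at the top of the thread; the location and publisher heuristics and the `REMOTE_ACCESS_PUBLISHERS` list are assumptions of this example, not rules FRST applies.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) autostart entries.

Added example; not code from the thread, from FRST or from BleepingComputer.
It reads the 'Run' lines FRST prints under 'Registry (Whitelisted)', flags the
ones a malware-response helper would look at first, and emits the matching
fixlist.txt lines. The heuristics below are assumptions, not FRST's own logic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape FRST prints (entries copied from the thread).
SAMPLE_LOG = r"""
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13374568 2011-12-13] (Realtek Semiconductor)
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2044034397-327355318-1520998327-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8322328 2015-05-08] (Piriform Ltd)
HKU\S-1-5-21-2044034397-327355318-1520998327-1000\...\Run: [clock] => C:\Users\Ron\AppData\Roaming\Schema\clock.exe [34808 2011-10-07] (NetSupport Ltd)
HKU\S-1-5-21-2044034397-327355318-1520998327-1000\...\Run: [Gyazo] => C:\Program Files (x86)\Gyazo\GyStation.exe [3097912 2015-07-08] (Nota Inc.)
"""

# "HKLM\...\Run: [name] => target" and the HKU\<SID>\...\Run / RunOnce variants.
ENTRY_RE = re.compile(r"^(?P<key>HK\S*?\\\.\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] => (?P<target>.*)$")
# First drive-letter path in the target that ends in an executable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]]*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js)\b", re.I)
# FRST prints the file's version-info company name in trailing parentheses.
PUBLISHER_RE = re.compile(r"\((?P<publisher>[^()]*)\)\s*$")

# Where an autostart normally lives; anything else is worth a second look (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Writable without admin rights: the usual home of user-level persistence (assumption).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")
# Remote-control products seen abused for 'hijacking'; only the one from this thread.
REMOTE_ACCESS_PUBLISHERS = {"netsupport ltd"}


@dataclass
class RunEntry:
    raw: str                      # the line exactly as FRST printed it
    key: str
    name: str
    path: Optional[str]
    publisher: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_run_entry(line: str) -> Optional[RunEntry]:
    """Parse one FRST Run line; return None for lines that are not Run entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    path_m = PATH_RE.search(target)
    pub_m = PUBLISHER_RE.search(target)
    entry = RunEntry(raw=line.strip(), key=m.group("key"), name=m.group("name"),
                     path=path_m.group(0) if path_m else None,
                     publisher=pub_m.group("publisher") if pub_m else None)
    if target == "[X]":
        entry.reasons.append("value has no target (blank or orphaned entry)")
    elif entry.path is None:
        entry.reasons.append("target is not a recognisable file path")
    else:
        low = entry.path.lower()
        if any(part in low for part in USER_WRITABLE):
            entry.reasons.append("runs from a user-writable location")
        elif not low.startswith(TRUSTED_ROOTS):
            entry.reasons.append("runs from outside Program Files / Windows")
        if not entry.publisher and not low.startswith(TRUSTED_ROOTS):
            entry.reasons.append("no publisher recorded")
        if (entry.publisher or "").lower() in REMOTE_ACCESS_PUBLISHERS:
            entry.reasons.append("remote-control product started at logon")
    return entry


def parse_log(text: str) -> List[RunEntry]:
    """All Run entries in an FRST log, in the order FRST printed them."""
    return [e for e in (parse_run_entry(line) for line in text.splitlines()) if e]


def clean_fixlist_line(line: str) -> str:
    """Strip zero-width spaces and surrounding blanks that forum editors insert;
    FRST only acts on a fixlist line that matches its own output exactly."""
    return line.replace("\u200b", "").strip()


def build_fixlist(entries: List[RunEntry], empty_temp: bool = True) -> str:
    """fixlist.txt: each flagged entry verbatim, then the EmptyTemp: directive."""
    lines = [clean_fixlist_line(e.raw) for e in entries if e.suspicious]
    if empty_temp:
        lines.append("EmptyTemp:")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        if e.suspicious:
            print(f"[{e.name or '<blank>'}] {e.path or e.raw}\n    " + "; ".join(e.reasons))
    print("\n--- fixlist.txt ---\n" + build_fixlist(found))
```

Run against the sample it flags exactly the two entries shelf life put in the fix, and the emitted fixlist is the same text as post #4. Anything flagged is a candidate for review, not a verdict: the same heuristic would also flag legitimate per-user installers that live under AppData, so read each entry before pasting the output into a fix. The fixlist lines are kept verbatim from FRST's output on purpose, since FRST matches them against what it printed.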


#5 henhenhen15 (Topic Starter)

Posted 16 July 2015 - 06:07 PM

here you go

Attached Files



#6 shelf life (Malware Response Team)

Posted 18 July 2015 - 06:57 AM

OK, that one worked. If all is good, you can delete the FRST icon and its logs, as well as the FRST folder in your root drive C:.

Happy safe surfing out there.






