Continuous Infection and Blue Screen


  • This topic is locked
8 replies to this topic

#1 ski.smitty

Posted 13 July 2015 - 05:28 PM

I repeatedly find new viruses, malware, etc. from Spybot every few days. I get occasional slowing of my computer, network interruptions, and the infections multiply quickly over time. Blue screen hits once every 2 weeks or so. Avast occasionally picks these up, but few. Thanks for any help! Below is the FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-07-2015
Ran by marsh (administrator) on MARSH-PC on 13-07-2015 15:21:30
Running from C:\Users\marsh\Downloads
Loaded Profiles: marsh (Available Profiles: marsh)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
() C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(A-Volute) C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzMaelstromVADStreamingService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Intel® Corporation) C:\Program Files\Intel\NCS2\WMIProv\ncs2prov.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(NVIDIA Corporation) C:\Users\marsh\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe
(ROCCAT GmbH) C:\Program Files (x86)\ROCCAT\Savu Mouse\Savu Monitor.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\avastui.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Razer Inc.) C:\Program Files (x86)\Razer\SurroundRedist\bin\RzMonitor.exe
(Glarysoft Ltd) C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7636696 2014-08-21] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2754704 2015-06-24] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [293872 2014-08-25] (Intel Corporation)
HKLM-x32\...\Run: [ROCCAT Savu Gaming Mouse] => C:\Program Files (x86)\ROCCAT\Savu Mouse\Savu Monitor.exe [872048 2012-09-10] (ROCCAT GmbH)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5515496 2015-05-11] (Avast Software s.r.o.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [Razer Surround Redist] => C:\Program Files (x86)\Razer\SurroundRedist\bin\RzMonitor.exe [199480 2014-06-04] (Razer Inc.)
HKU\S-1-5-21-2745012454-68211438-2658042549-1000\...\Run: [GUDelayStartup] => C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe [37152 2015-07-05] (Glarysoft Ltd)
HKU\S-1-5-21-2745012454-68211438-2658042549-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8322328 2015-05-08] (Piriform Ltd)
HKU\S-1-5-21-2745012454-68211438-2658042549-1000\...\MountPoints2: {1af352a2-d49f-11e4-811d-54a050e80e75} - E:\setup.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-04-25] (Avast Software s.r.o.)
BootExecute: autocheck autochk *  

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2745012454-68211438-2658042549-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-05-19] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-04-05] (Avast Software s.r.o.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2015-05-28] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-05-28] (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-04-05] (Avast Software s.r.o.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2015-05-28] (Microsoft Corporation)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{1FD4803B-D726-49D6-99BE-0C080B130DA1}: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\marsh\AppData\Roaming\Mozilla\Firefox\Profiles\m52gx14y.default
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_203.dll [2015-07-13] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-02-27] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll [2015-07-13] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-01-08] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-03-13] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-03-13] (NVIDIA Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin HKU\S-1-5-21-2745012454-68211438-2658042549-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
FF Extension: Adblock Plus Pop-up Addon - C:\Users\marsh\AppData\Roaming\Mozilla\Firefox\Profiles\m52gx14y.default\Extensions\adblockpopups@jessehakanen.net.xpi [2014-12-16]
FF Extension: MEGA - C:\Users\marsh\AppData\Roaming\Mozilla\Firefox\Profiles\m52gx14y.default\Extensions\firefox@mega.co.nz.xpi [2015-01-19]
FF Extension: Adblock Plus - C:\Users\marsh\AppData\Roaming\Mozilla\Firefox\Profiles\m52gx14y.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-12-20]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-12-13]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-04-05]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-04-05]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2014-01-28] ()
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe [1360016 2014-04-24] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-04-25] (Avast Software s.r.o.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2739888 2015-05-19] (Microsoft Corporation)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [238376 2015-07-10] (EasyAntiCheat Ltd)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1152656 2015-06-24] (NVIDIA Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1868432 2015-06-24] (NVIDIA Corporation)
S4 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [23007376 2015-06-24] (NVIDIA Corporation)
R2 RzMaelstromVADStreamingService; C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzMaelstromVADStreamingService.exe [4250624 2014-05-23] (A-Volute) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-01-28] ()
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29168 2015-04-25] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [89944 2015-04-25] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-04-25] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65736 2015-04-25] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1047320 2015-04-25] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [442264 2015-06-26] (Avast Software s.r.o.)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [137288 2015-04-25] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [272248 2015-04-25] ()
S3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30352 2015-03-28] (Disc Soft Ltd)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [487704 2014-03-14] (Intel Corporation)
R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [20160 2015-05-06] (Glarysoft Ltd)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [26528 2015-04-12] (REALiX™)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-06-24] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [46768 2015-05-18] (NVIDIA Corporation)
R3 RZMAELSTROMVADService; C:\Windows\System32\drivers\RzMaelstromVAD.sys [32768 2014-05-23] (Windows ® Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-13 15:21 - 2015-07-13 15:21 - 02133504 _____ (Farbar) C:\Users\marsh\Downloads\FRST64.exe
2015-07-13 15:21 - 2015-07-13 15:21 - 00014610 _____ C:\Users\marsh\Downloads\FRST.txt
2015-07-13 15:20 - 2015-07-13 15:20 - 02133504 _____ (Farbar) C:\Users\marsh\Desktop\FRST64(1).exe
2015-07-13 15:16 - 2015-07-13 15:21 - 00000000 ____D C:\FRST
2015-07-13 09:53 - 2015-07-13 09:53 - 00000328 _____ C:\Windows\PFRO.log
2015-07-13 02:05 - 2015-07-13 02:05 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-13 02:05 - 2015-07-13 02:05 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-13 02:02 - 2015-07-13 02:02 - 00001159 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-07-13 02:02 - 2015-07-13 02:02 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-07-13 02:02 - 2015-07-13 02:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-07-11 11:45 - 2015-07-11 11:45 - 01310095 _____ C:\Users\marsh\Downloads\COMPO-PACK6_for_alpha12.1.zip
2015-07-10 15:14 - 2015-07-10 15:12 - 00238376 _____ (EasyAntiCheat Ltd) C:\Windows\SysWOW64\EasyAntiCheat.exe
2015-07-07 16:31 - 2015-07-13 15:18 - 00001904 _____ C:\Windows\setupact.log
2015-07-07 16:31 - 2015-07-07 16:31 - 00000000 _____ C:\Windows\setuperr.log
2015-07-07 09:11 - 2015-07-07 09:11 - 00000000 ____D C:\Users\marsh\AppData\Roaming\7DaysToDie
2015-07-06 22:02 - 2015-07-13 02:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-28 15:13 - 2015-06-28 15:13 - 00000000 ____D C:\Users\marsh\Downloads\Ozzy Osbourne - Greatest Hits 2CD (2009) 320 vtwin88cube
2015-06-25 23:38 - 2015-05-18 20:29 - 00046768 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2015-06-25 23:38 - 2015-05-18 20:14 - 00061616 _____ (NVIDIA Corporation) C:\Windows\system32\nvaudcap64v.dll
2015-06-25 23:38 - 2015-05-18 20:14 - 00057520 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2015-06-21 10:15 - 2015-06-21 10:15 - 00000000 ____D C:\Razer
2015-06-21 10:15 - 2015-06-21 10:15 - 00000000 ____D C:\ProgramData\RzMaelstromVAD_1.1.58.1854
2015-06-21 10:15 - 2015-06-21 10:15 - 00000000 ____D C:\ProgramData\Razer
2015-06-21 10:15 - 2015-06-21 10:15 - 00000000 ____D C:\Program Files (x86)\Razer
2015-06-19 16:20 - 2015-06-19 16:20 - 00000000 ____D C:\Program Files (x86)\AGEIA Technologies
2015-06-16 21:51 - 2015-06-16 21:51 - 00007359 _____ C:\Users\marsh\AppData\Local\recently-used.xbel

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-13 15:19 - 2014-12-08 14:11 - 00000000 ____D C:\Program Files (x86)\Glary Utilities 5
2015-07-13 15:19 - 2014-12-07 23:54 - 00000000 ____D C:\Program Files (x86)\Steam
2015-07-13 15:18 - 2014-12-29 23:38 - 01386443 _____ C:\Windows\WindowsUpdate.log
2015-07-13 15:18 - 2014-12-07 23:47 - 00000000 ____D C:\ProgramData\NVIDIA
2015-07-13 15:18 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-13 10:56 - 2014-12-14 01:52 - 00000000 ____D C:\Users\marsh\AppData\Roaming\vlc
2015-07-13 10:01 - 2009-07-13 21:45 - 00022064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-13 10:01 - 2009-07-13 21:45 - 00022064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-13 09:59 - 2009-07-13 22:13 - 00782470 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-13 02:05 - 2014-12-08 01:42 - 00000000 ____D C:\Users\marsh\AppData\Local\Adobe
2015-07-13 01:48 - 2014-12-09 20:28 - 00000000 __SHD C:\Users\marsh\AppData\Local\EmieUserList
2015-07-13 01:48 - 2014-12-09 20:28 - 00000000 __SHD C:\Users\marsh\AppData\Local\EmieSiteList
2015-07-13 01:48 - 2014-12-09 20:28 - 00000000 __SHD C:\Users\marsh\AppData\Local\EmieBrowserModeList
2015-07-13 00:59 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2015-07-12 11:34 - 2014-12-13 19:08 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-07-10 13:35 - 2014-12-09 18:12 - 00000000 ____D C:\Users\marsh\AppData\Roaming\TS3Client
2015-07-10 13:06 - 2014-12-09 18:00 - 00000000 ____D C:\Users\marsh\Documents\My Games
2015-07-10 12:55 - 2014-12-09 18:00 - 00000000 ____D C:\Users\marsh\AppData\Local\Skyrim
2015-07-10 12:54 - 2014-12-10 13:01 - 00000890 _____ C:\Users\Public\Desktop\Nexus Mod Manager.lnk
2015-07-10 12:54 - 2014-12-10 13:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nexus Mod Manager
2015-07-10 12:54 - 2014-12-10 13:01 - 00000000 ____D C:\Program Files\Nexus Mod Manager
2015-07-07 16:28 - 2014-12-13 19:06 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-07-07 16:25 - 2015-03-22 20:28 - 00000000 ____D C:\Users\marsh\AppData\Roaming\DAEMON Tools Lite
2015-07-07 16:25 - 2015-02-02 14:33 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-07-07 16:25 - 2015-02-02 14:33 - 00000000 ____D C:\Program Files\CCleaner
2015-07-07 16:25 - 2014-12-13 19:06 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-07 16:25 - 2014-12-13 19:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-07 16:25 - 2014-12-13 19:06 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-07 16:24 - 2014-12-08 14:11 - 00003312 _____ C:\Windows\System32\Tasks\GlaryInitialize 5
2015-07-07 16:24 - 2014-12-08 14:11 - 00001092 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities 5.lnk
2015-07-07 16:24 - 2014-12-08 14:11 - 00001080 _____ C:\Users\Public\Desktop\Glary Utilities 5.lnk
2015-07-07 16:23 - 2015-03-01 00:52 - 00000000 ____D C:\Users\marsh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DarthMod Empire
2015-07-07 16:23 - 2015-02-26 03:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Deus lo Vult 6.0
2015-07-07 16:23 - 2015-01-11 05:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stainless Steel
2015-07-07 16:23 - 2015-01-09 18:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Europa Barbarorum II
2015-07-07 16:23 - 2015-01-09 17:12 - 00000000 ____D C:\Users\marsh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IB2 Conqvestvs Britanniae III
2015-06-29 15:58 - 2015-05-31 00:08 - 00000000 ____D C:\Users\marsh\Documents\Paradox Interactive
2015-06-26 10:39 - 2014-12-13 19:08 - 00442264 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswsp.sys
2015-06-25 23:40 - 2014-12-07 23:35 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2015-06-24 04:36 - 2014-12-07 23:35 - 01756424 _____ (NVIDIA Corporation) C:\Windows\system32\nvspbridge64.dll
2015-06-24 04:36 - 2014-12-07 23:35 - 01571696 _____ (NVIDIA Corporation) C:\Windows\system32\nvspcap64.dll
2015-06-24 04:36 - 2014-12-07 23:35 - 01320120 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2015-06-24 04:36 - 2014-12-07 23:35 - 01316000 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspbridge.dll
2015-06-23 13:30 - 2010-11-20 20:27 - 00300704 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-06-23 10:58 - 2015-01-08 21:25 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-06-19 16:20 - 2014-12-22 00:23 - 00000000 ____D C:\Users\marsh\AppData\Roaming\NVIDIA
2015-06-19 16:20 - 2014-12-07 23:35 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2015-06-18 08:41 - 2014-12-13 19:06 - 00109272 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-18 08:41 - 2014-12-13 19:06 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-18 08:41 - 2014-12-13 19:06 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-16 21:56 - 2015-01-19 00:08 - 00000000 ____D C:\Users\marsh\.gimp-2.8
2015-06-13 01:21 - 2015-03-22 20:28 - 00000000 ____D C:\Program Files\DAEMON Tools Lite

==================== Files in the root of some directories =======

2015-06-16 21:51 - 2015-06-16 21:51 - 0007359 _____ () C:\Users\marsh\AppData\Local\recently-used.xbel

Some files in TEMP:
====================
C:\Users\marsh\AppData\Local\Temp\Nexus Mod Manager-0.55.8.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-07-13 12:46

==================== End of log ============================
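An added example (not code from the original thread, and not part of FRST) of how a helper can triage an FRST log like the one above mechanically rather than by eye: the script parses the line shapes FRST uses in its Processes, Registry, Services and Drivers sections and flags what a malware-response volunteer looks at first, namely a binary marked `[File not signed]` or carrying no company string, anything running from a user-writable directory, a `MountPoints2` autorun pointing at a mounted volume, and dangling `No File` references. The severity scale, the user-writable-directory heuristic and the reading of the WDK template publisher string are this example's own assumptions; the sample lines are copied from the FRST.txt in post #1.

```python
"""Heuristic triage of a Farbar Recovery Scan Tool (FRST) log.

Added example, not FRST's own code; severity labels and the directory
heuristic are this script's assumptions.
"""
import re
from dataclasses import dataclass

# FRST prints the binary's "Company" field in parentheses; an empty "()" means no
# company string.  Services/Drivers lines get "[File not signed]" on a bad signature.
PROCESS_RE = re.compile(r"^\((?P<company>[^)]*)\)\s+(?P<path>[A-Za-z]:\\\S.*?)\s*$")
# "R2 Name; C:\path\file.exe [size yyyy-mm-dd] (Company) [flags]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);\s+(?P<path>[A-Za-z]:\\.*?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>[^)]*)\)(?P<flags>.*)$"
)
# "HKLM\...\Run: [Name] => C:\path\file.exe [size date] (Company)"
RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\.\\Run:\s+\[(?P<name>[^\]]+)\]\s+=>\s+(?P<target>.+)$")
# "HKU\S-1-5-...\...\MountPoints2: {guid} - E:\setup.exe"  (autorun of a mounted volume)
MOUNTPOINTS_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\.\\MountPoints2:\s+(?P<guid>\{[0-9a-fA-F-]+\})\s+-\s+(?P<target>.+)$")
# Assumption: directories an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# Default company string left by the WDK driver templates (treated as a low-confidence signal).
TEMPLATE_PUBLISHER = "Windows ® Win 7 DDK provider"


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    reason: str
    line: str


def _check_binary(company: str, path: str, flags: str, line: str) -> list[Finding]:
    """Per-binary checks shared by the Processes, Services and Drivers sections."""
    out: list[Finding] = []
    if "[File not signed]" in flags:
        out.append(Finding("high", "binary failed signature check", line))
    elif company.strip() == "":
        out.append(Finding("medium", "no company/version info in binary", line))
    elif company.strip() == TEMPLATE_PUBLISHER:
        out.append(Finding("low", "generic WDK template publisher string", line))
    if USER_WRITABLE_RE.search(path):
        out.append(Finding("medium", "runs from a user-writable directory", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Walk an FRST log and return the entries worth a human's attention."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("====") or line.startswith("(If "):
            continue  # blank, section banner, or FRST's fixlist note
        if line.endswith("No File"):
            findings.append(Finding("low", "autostart or plugin points at a missing file", line))
        elif m := MOUNTPOINTS_RE.match(line):
            findings.append(Finding("high", f"MountPoints2 autorun -> {m['target']}", line))
        elif m := SERVICE_RE.match(line):
            findings.extend(_check_binary(m["company"], m["path"], m["flags"], line))
        elif m := RUN_RE.match(line):
            if USER_WRITABLE_RE.search(m["target"]):
                findings.append(Finding("medium", "Run key target in a user-writable directory", line))
        elif m := PROCESS_RE.match(line):
            # Process lines carry no signature flag; only company and path apply.
            findings.extend(_check_binary(m["company"], m["path"], "", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a long log can be skimmed from the top."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Sample input: lines copied from the FRST.txt in post #1 (not a complete log).
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
() C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
(A-Volute) C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzMaelstromVADStreamingService.exe
(NVIDIA Corporation) C:\Users\marsh\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7636696 2014-08-21] (Realtek Semiconductor)
HKU\S-1-5-21-2745012454-68211438-2658042549-1000\...\MountPoints2: {1af352a2-d49f-11e4-811d-54a050e80e75} - E:\setup.exe
FF Plugin HKU\S-1-5-21-2745012454-68211438-2658042549-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2014-01-28] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-04-25] (Avast Software s.r.o.)
R2 RzMaelstromVADStreamingService; C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzMaelstromVADStreamingService.exe [4250624 2014-05-23] (A-Volute) [File not signed]
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-01-28] ()
R3 RZMAELSTROMVADService; C:\Windows\System32\drivers\RzMaelstromVAD.sys [32768 2014-05-23] (Windows ® Win 7 DDK provider)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

Run as-is it prints ten findings from the sample (two high, six medium, two low); point `triage()` at a full FRST.txt to do the same on a real log. The output is a reading list, not a verdict: the MountPoints2 entry is the one line here that would prompt a question about what was on drive E:, while an unsigned virtual-audio driver sitting under ProgramData\Razer is a vendor shortcut the helper will recognise, which is consistent with nasdaq's reading below that the log shows nothing suspicious.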


#2 nasdaq

  • Malware Response Team

Posted 15 July 2015 - 09:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Nothing suspicious was found in your logs.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false-positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#3 ski.smitty

  • Topic Starter

Posted 15 July 2015 - 06:51 PM

Do those results get saved somewhere on the computer? The zoek-results.log, I mean.

I didn't save the file when it opened on reboot, does it get stored somewhere?

#4 nasdaq

  • Malware Response Team

Posted 16 July 2015 - 07:21 AM

The log is also found on the systemdrive, normally C:\

If it is not there, search the computer for the file zoek-results.log.

#5 ski.smitty

  • Topic Starter

Posted 17 July 2015 - 09:39 AM

Got them; there were two. I believe I interrupted the first one with a restart.


Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by marsh on Wed 07/15/2015 at 16:36:07.57.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\marsh\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

7/15/2015 4:36:25 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\PROGRA~2\Ubisoft deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\PROGRA~3\WinZip deleted successfully
C:\PROGRA~3\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} deleted successfully
C:\Users\marsh\AppData\Roaming\DiskDefrag deleted successfully
C:\Users\marsh\AppData\Roaming\My Battle for Middle-earth™ II Files deleted successfully
C:\Users\marsh\AppData\Local\Adobe deleted successfully
C:\Users\marsh\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\marsh\AppData\Local\EmieSiteList deleted successfully
C:\Users\marsh\AppData\Local\EmieUserList deleted successfully

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by marsh on Wed 07/15/2015 at 16:41:28.25.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\marsh\Desktop\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2015-07-15-233705.log    1160 bytes

==== System Restore Info ======================

7/15/2015 4:42:23 PM Zoek.exe System Restore Point Created Successfully.

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\Users\marsh\AppData\Roaming\ProductData deleted
C:\PROGRA~3\ProductData deleted
C:\PROGRA~3\Package Cache deleted
C:\Windows\Syswow64\SET73E.tmp deleted
C:\Windows\Syswow64\SETB2B.tmp deleted
C:\Users\marsh\Documents\Add-in Express deleted
C:\Users\marsh\AppData\Roaming\Mozilla\Firefox\Profiles\m52gx14y.default\extensions\firefox@mega.co.nz.xpi deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\marsh\AppData\Roaming\Mozilla\Firefox\Profiles\m52gx14y.default
user_pref("browser.search.defaultenginename.US", "Google");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [04/25/2015 12:43 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\marsh\AppData\Roaming\Mozilla\Firefox\Profiles\m52gx14y.default
- Adblock Plus Pop-up Addon - %ProfilePath%\extensions\adblockpopups@jessehakanen.net.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\marsh\AppData\Roaming\Mozilla\Firefox\Profiles\m52gx14y.default
18CF51689186AEB9D1D149AEB0E92D03    - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL -    Microsoft Office 2013
FD82108FD60B63010325D9AF6F00AF99    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll -    Shockwave Flash


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[04/05/2015 09:17 AM]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[04/05/2015 09:17 AM]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\marsh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\marsh\AppData\Local\Mozilla\Firefox\Profiles\m52gx14y.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache is not empty, a reboot is needed

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=37 folders=34 67192519 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\marsh\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\marsh\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\marsh\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\K6F4JA56\media1.s-nbcnews.com"  not found

==== EOF on Wed 07/15/2015 at 16:49:17.25 ======================

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 17 July 2015 - 10:34 AM

How is the computer running now?

#7 ski.smitty

ski.smitty
  • Topic Starter

  • Members
  • 36 posts
  • Local time:08:41 PM

Posted 18 July 2015 - 08:45 PM

Seems to be running great, nothing wrong I can note in performance.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 19 July 2015 - 07:29 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 19 July 2015 - 07:29 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.