svchost.exe (bitcoin miner?) runs 90%+ CPU



#1 FloppyDingo
Posted 14 July 2015 - 06:08 PM

I recently downloaded a game to try before purchasing and ended up getting a bad torrent with a bitcoin miner in it. I've since removed the game itself, but the miner is still around. I found a similar topic on these forums and decided to make a post, since that guy got his removed pretty easily. The file shows up as svchost.exe in my Task Manager, and when I open the file location, it's in the Temp folder of C:\Windows. There is also a file called lsass.exe in there that seems to be associated with it.

 

There are a couple of log files from this program in there as well, and it seems to be called Claymore CryptoNote CPU Miner v3.3 Beta.

 

Any help removing this would be appreciated.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-07-2015
Ran by FloppyDesktop (administrator) on FLOPPYDINGOPC on 14-07-2015 18:00:19
Running from C:\Users\FloppyDesktop\Desktop
Loaded Profiles: FloppyDesktop (Available Profiles: FloppyDesktop & HollyFish)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Tanuki Software, Ltd.) H:\PS3 Media Server\win32\service\wrapper.exe
(Secunia) C:\Program Files (x86)\Secunia\PSI\psia.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(Oracle Corporation) C:\Program Files\Java\jre1.8.0_40\bin\java.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
() H:\Neverwinter Nights Diamond Edition\GLR.exe
(Flux Software LLC) C:\Users\FloppyDesktop\AppData\Local\FluxSoftware\Flux\flux.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Secunia) C:\Program Files (x86)\Secunia\PSI\sua.exe
(SteelSeries) C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Agent.exe
(SteelSeries) C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMTray2.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\schtasks.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
(Valve Corporation) D:\Program Files\Steam.exe
(Valve Corporation) D:\Program Files\bin\steamwebhelper.exe
(Valve Corporation) D:\Program Files\bin\steamwebhelper.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) D:\Downloads\MicrosoftFixit.ProgramInstallUninstall.RNP.Run.exe
(Microsoft Corporation) C:\Windows\Temp\RunBoot-Temp_.df44f9e3-27f7-4e2e-8e57-d4acfed73d10\MatsBoot.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1794704 2015-02-20] (NVIDIA Corporation)
HKLM-x32\...\Run: [SteelSeries World of Warcraft Cataclysm MMO Gaming Mouse] => C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe [1993216 2011-08-18] (SteelSeries)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [888440 2015-06-16] (BlueStack Systems, Inc.)
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\Run: [Gnomish Log Rotator] => H:\Neverwinter Nights Diamond Edition\GLR.exe [310272 2008-06-26] ()
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\Run: [Google Update] => C:\Users\FloppyDesktop\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-04-01] (Google Inc.)
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\Run: [f.lux] => C:\Users\FloppyDesktop\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [22065760 2014-10-01] (Skype Technologies S.A.)
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\Run: [AmoltoRecorder] => "H:\Program Files (x86)\Amolto Call Recorder for Skype\AmoltoRecorder.exe" /minimized
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\Policies\Explorer: [NoLogOff] 0
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\MountPoints2: I - I:\Setup.exe
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\MountPoints2: J - J:\autorun.exe
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\MountPoints2: {17e3dfc0-7706-11e1-9773-14dae910f59c} - G:\Autorun.exe
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\MountPoints2: {45784a77-10df-11e1-ada0-14dae910f59c} - G:\autorun.exe -auto
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\...\MountPoints2: {c1782afb-dbaf-11e0-aca7-14dae910f59c} - H:\SETUP.EXE
AppInit_DLLs-x32: T => "T" File not found
Startup: C:\Users\HollyFish\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk [2011-09-26]
ShortcutTarget: OpenOffice.org 3.3.lnk -> D:\Program Files\program\quickstart.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-1553056162-2627379254-642699484-1000 -> DefaultScope {159CEE1A-CE98-4925-B970-96B7BA716333} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1553056162-2627379254-642699484-1000 -> {159CEE1A-CE98-4925-B970-96B7BA716333} URL = https://www.google.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-27] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-27] (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-27] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: No Name -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} ->  No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-27] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1553056162-2627379254-642699484-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} 
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 66.17.96.6 66.17.99.77
Tcpip\..\Interfaces\{85875A09-725C-4162-9B70-7CC17AF5533F}: [DhcpNameServer] 7.254.254.254
Tcpip\..\Interfaces\{8E2351D1-866A-4618-BC3E-B91D30783CBC}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{8E2351D1-866A-4618-BC3E-B91D30783CBC}: [DhcpNameServer] 66.17.96.6 66.17.99.77
 
FireFox:
========
FF ProfilePath: C:\Users\FloppyDesktop\AppData\Roaming\Mozilla\Firefox\Profiles\hgrvxbu7.default
FF DefaultSearchEngine.US: Google
FF SelectedSearchEngine: Yahoo!
FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-27] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-27] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MIF5BA~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1219159.dll [2015-06-26] (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-27] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-27] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-02-05] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-02-05] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.0.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-06-26] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1553056162-2627379254-642699484-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\FloppyDesktop\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-1553056162-2627379254-642699484-1000: @talk.google.com/O1DPlugin -> C:\Users\FloppyDesktop\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-1553056162-2627379254-642699484-1000: @tools.google.com/Google Update;version=3 -> C:\Users\FloppyDesktop\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin HKU\S-1-5-21-1553056162-2627379254-642699484-1000: @tools.google.com/Google Update;version=9 -> C:\Users\FloppyDesktop\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin HKU\S-1-5-21-1553056162-2627379254-642699484-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\FloppyDesktop\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-18] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-1553056162-2627379254-642699484-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2012-10-26] (Ubisoft)
FF Plugin ProgramFiles/Appdata: C:\Users\FloppyDesktop\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\FloppyDesktop\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-04-17] (Google)
 
Chrome: 
=======
CHR Profile: C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Hide Fedora) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\acjgabfifnnmmlckmnijdbijgbfpedde [2015-01-26]
CHR Extension: (Angry Birds) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2013-10-25]
CHR Extension: (Beatlab) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\alnfdikmbdfgkcbdodjcbmedanjinmkk [2013-10-25]
CHR Extension: (Google Docs) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-08-22]
CHR Extension: (Google Drive) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-08-22]
CHR Extension: (Doodle or Die) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\baocjgbppdpelkefhfhblacenjhhmlmf [2013-10-25]
CHR Extension: (WOT) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2013-10-25]
CHR Extension: (YouTube) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-01]
CHR Extension: (Adblock Plus) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-10-25]
CHR Extension: (Google Search) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-01]
CHR Extension: (Tampermonkey) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2014-10-02]
CHR Extension: (Timer) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\edebbhkhcaafmolanelponjjanocpacd [2014-09-25]
CHR Extension: (AdBlock) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2013-08-23]
CHR Extension: (Cut the Rope) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkddaofiamhgfjmaccfcfpfolpgbeomj [2013-10-25]
CHR Extension: (Voyage Theme) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\hknaipmbfbaligohpolpamphhmfgfgln [2014-09-23]
CHR Extension: (The Weather Channel for Chrome) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\iflpcokdamgefbghpdipcibmhlkdopop [2013-10-25]
CHR Extension: (Faerie Alchemy HD) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\imdilajngppdgdbemeighbingnbmpnpl [2013-10-25]
CHR Extension: (StumbleUpon) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcahibnffhnnjcedflmchmokndkjnhpg [2015-02-03]
CHR Extension: (Cargo Bridge) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\keembkgclppcbilkekfgpobhldjjhpmn [2013-10-25]
CHR Extension: (Little Alchemy) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\knkapnclbofjjgicpkfoagdjohlfjhpd [2013-10-25]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-04]
CHR Extension: (Parallel Kingdom) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\lindbaaodgocnekppljikhgdgedliclg [2013-10-25]
CHR Extension: (Ghostery) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2014-10-01]
CHR Extension: (Plants vs Zombies) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmcegpfdgcoclcdfkjahiimlikdpnina [2013-12-30]
CHR Extension: (Google Wallet) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Todo.ly) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\obhefmbclkekanpjjpkbciloojcmpkap [2013-10-25]
CHR Extension: (Gmail) - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-01]
StartMenuInternet: Google Chrome.STWXDKW5YEFEM656N62G56J62U - C:\Users\FloppyDesktop\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ADExchange; C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [43112 2012-02-15] (ArcSoft Inc.)
S3 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [433784 2015-06-16] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [413304 2015-06-16] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [822904 2015-06-16] (BlueStack Systems, Inc.)
S4 CorsairSSDToolBox; C:\Program Files (x86)\Corsair SSD Toolbox\CSSDTService.exe [1838352 2013-05-02] (Corsair) [File not signed]
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [182304 2014-11-22] (EasyAntiCheat Ltd)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
S3 Origin Client Service; H:\Program Files (x86)\Origin\OriginClientService.exe [1997168 2015-06-03] (Electronic Arts)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2014-10-26] ()
R2 PS3 Media Server; H:\PS3 Media Server\win32\service\wrapper.exe [366872 2011-05-17] (Tanuki Software, Ltd.)
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [994360 2011-10-14] (Secunia)
R2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [399416 2011-10-14] (Secunia)
S4 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 Hamachi2Svc; "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [145528 2015-06-16] (BlueStack Systems)
S3 dfg; C:\Windows\SysWOW64\DRIVERS\dfg.sys [23552 2008-12-10] (defrag Development Team) [File not signed]
S3 hidusbf; C:\Windows\System32\DRIVERS\hidusbf.sys [7808 2012-12-06] (SweetLow)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
S3 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2013-08-23] ()
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2012-12-16] (Duplex Secure Ltd.)
R3 SSMO3v2Filter; C:\Windows\System32\drivers\MO3v2Driver.sys [23040 2010-11-22] (Sagatek Co. Ltd.)
S3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [31232 2009-09-16] (Tunngle.net)
R3 VCSVADHWSer; C:\Windows\System32\DRIVERS\vcsvad.sys [21504 2008-12-26] (Avnex)
S3 AthBTPort; system32\DRIVERS\btath_flt.sys [X]
S3 BTATH_A2DP; system32\drivers\btath_a2dp.sys [X]
S3 BTATH_BUS; system32\DRIVERS\btath_bus.sys [X]
S3 BTATH_HCRP; system32\DRIVERS\btath_hcrp.sys [X]
S3 BTATH_LWFLT; system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; system32\DRIVERS\btath_rcp.sys [X]
S3 BtFilter; system32\DRIVERS\btfilter.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GPU-Z; \??\C:\Users\FLOPPY~1\AppData\Local\Temp\GPU-Z.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-07-14 18:00 - 2015-07-14 18:00 - 00024659 _____ C:\Users\FloppyDesktop\Desktop\FRST.txt
2015-07-14 17:50 - 2015-07-14 18:00 - 00000000 ____D C:\FRST
2015-07-14 17:50 - 2015-07-14 17:50 - 02133504 _____ (Farbar) C:\Users\FloppyDesktop\Desktop\FRST64.exe
2015-07-14 17:37 - 2015-07-14 17:59 - 00000000 ____D C:\MATS
2015-07-14 17:10 - 2015-07-14 17:10 - 00000000 ____D C:\Windows\SysWOW64\Adobe
2015-07-14 17:10 - 2015-07-14 17:10 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2015-07-14 17:10 - 2015-07-14 17:10 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2015-07-14 17:06 - 2015-07-14 17:06 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-07-14 14:34 - 2015-07-14 14:34 - 05198336 _____ (AVAST Software) C:\Users\FloppyDesktop\Desktop\aswMBR.exe
2015-07-14 14:33 - 2015-07-14 14:33 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\FloppyDesktop\Desktop\tdsskiller.exe
2015-07-14 14:32 - 2015-07-14 14:32 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\FloppyDesktop\Desktop\rkill.exe
2015-07-14 14:27 - 2015-05-11 13:56 - 02508432 _____ (Sysinternals - www.sysinternals.com) C:\Users\FloppyDesktop\Desktop\procexp.exe
2015-07-13 16:31 - 2015-07-13 16:32 - 00000000 ____D C:\Program Files\ProFantasy
2015-07-10 23:27 - 2015-07-10 23:27 - 00000000 ____D C:\Users\FloppyDesktop\Documents\CPY_SAVES
2015-07-10 22:26 - 2015-07-10 22:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qBittorrent
2015-07-10 21:52 - 2015-07-10 21:52 - 00003152 _____ C:\Windows\System32\Tasks\Origin
2015-07-06 14:30 - 2015-07-06 14:30 - 00000000 _____ C:\Windows\nwcontbuild.INI
2015-07-04 02:25 - 2015-07-04 10:12 - 00000000 ____D C:\Users\FloppyDesktop\Desktop\FTB Infinity Server
2015-06-30 15:35 - 2015-06-30 15:35 - 00000210 _____ C:\Users\FloppyDesktop\Desktop\Terraria.url
2015-06-28 03:20 - 2015-06-28 03:20 - 00000868 _____ C:\Users\Public\Desktop\Pillars of Eternity.lnk
2015-06-27 07:07 - 2015-06-27 07:07 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RivaTuner Statistics Server
2015-06-27 07:07 - 2015-06-27 07:07 - 00000000 ____D C:\Program Files (x86)\RivaTuner Statistics Server
2015-06-24 02:10 - 2015-06-24 02:10 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Roaming\Amolto
2015-06-24 02:10 - 2015-06-24 02:10 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Local\AmoltoCallRecorder
2015-06-24 02:10 - 2015-06-24 02:10 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Local\Amolto
2015-06-21 13:12 - 2015-06-21 13:12 - 00001823 _____ C:\Users\Public\Desktop\Apps.lnk
2015-06-21 13:12 - 2015-06-21 13:12 - 00001807 _____ C:\Users\Public\Desktop\Start BlueStacks.lnk
2015-06-21 13:11 - 2015-06-21 13:11 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Local\Bluestacks
2015-06-21 13:11 - 2015-06-21 13:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BlueStacks
2015-06-21 13:11 - 2015-06-21 13:11 - 00000000 ____D C:\ProgramData\BlueStacks
2015-06-21 13:11 - 2015-06-21 13:11 - 00000000 ____D C:\Program Files (x86)\BlueStacks
2015-06-21 01:41 - 2015-06-21 01:41 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft AppLocale
2015-06-19 14:21 - 2015-06-19 14:21 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Roaming\yiffalicious
2015-06-18 21:29 - 2015-06-18 21:29 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-18 11:08 - 2015-06-18 11:08 - 00000210 _____ C:\Users\FloppyDesktop\Desktop\Sonic CD.url
2015-06-17 15:32 - 2015-06-17 15:32 - 00000210 _____ C:\Users\FloppyDesktop\Desktop\Dust An Elysian Tail.url
2015-06-15 18:58 - 2015-06-17 15:27 - 00004370 _____ C:\Users\FloppyDesktop\Desktop\Kaholo Background.yml
2015-06-15 17:17 - 2015-02-01 16:28 - 00001190 _____ C:\Users\FloppyDesktop\Desktop\DyingLightGame.exe - Shortcut - Copy.lnk
2015-06-15 17:17 - 2014-12-25 18:57 - 00002515 _____ C:\Users\FloppyDesktop\Desktop\Skype.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-07-14 17:57 - 2014-06-12 05:34 - 00000633 _____ C:\Users\FloppyDesktop\Documents\Uninstall STAR WARS The Old Republic.log
2015-07-14 17:45 - 2011-09-07 01:01 - 01395245 _____ C:\Windows\WindowsUpdate.log
2015-07-14 17:44 - 2011-10-22 21:41 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Roaming\Skype
2015-07-14 17:43 - 2014-09-19 20:58 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Local\Glyph
2015-07-14 17:42 - 2014-07-30 18:56 - 00000000 ____D C:\ProgramData\Glyph
2015-07-14 17:30 - 2012-01-06 09:47 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-07-14 17:30 - 2011-09-07 21:59 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Local\CrashDumps
2015-07-14 17:19 - 2013-04-01 09:47 - 00000940 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1553056162-2627379254-642699484-1000UA.job
2015-07-14 17:18 - 2013-04-03 08:13 - 00000924 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1553056162-2627379254-642699484-1004UA1ce306d6226a8e.job
2015-07-14 17:10 - 2011-09-07 21:50 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-07-14 17:07 - 2011-09-07 21:50 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-07-14 17:06 - 2011-12-24 22:45 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-14 17:04 - 2014-08-23 16:42 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Local\Adobe
2015-07-14 15:43 - 2009-07-13 23:45 - 00022768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-14 15:43 - 2009-07-13 23:45 - 00022768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-14 15:40 - 2012-04-05 23:22 - 00000000 ____D C:\Program Files (x86)\TeamSpeak 3 Client
2015-07-14 15:39 - 2009-07-14 00:13 - 00788362 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-14 15:36 - 2013-09-17 08:54 - 00003048 _____ C:\Windows\System32\Tasks\MSIAfterburner
2015-07-14 15:35 - 2014-09-05 07:38 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-14 15:35 - 2013-08-23 10:11 - 00000000 ____D C:\ProgramData\NVIDIA
2015-07-14 15:35 - 2012-01-06 11:39 - 00000000 ____D C:\Windows\pss
2015-07-14 15:35 - 2011-12-24 22:45 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-14 15:35 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-14 15:26 - 2014-09-05 07:38 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-07-14 15:25 - 2014-09-05 07:38 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-14 15:25 - 2014-09-05 07:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-14 11:20 - 2013-04-01 09:48 - 00002409 _____ C:\Users\FloppyDesktop\Desktop\Google Chrome.lnk
2015-07-14 09:18 - 2013-04-03 08:13 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1553056162-2627379254-642699484-1004Core1ce306d60ebb34.job
2015-07-14 03:19 - 2013-04-01 09:47 - 00000888 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1553056162-2627379254-642699484-1000Core.job
2015-07-13 16:12 - 2015-03-06 14:28 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Roaming\qBittorrent
2015-07-12 21:08 - 2009-07-14 00:08 - 00032566 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-10 22:26 - 2015-03-06 14:28 - 00000000 ____D C:\Program Files (x86)\qBittorrent
2015-07-10 21:52 - 2014-06-02 00:00 - 00000000 ___HD C:\Users\FloppyDesktop\AppData\Roaming\Origin
2015-07-10 01:06 - 2011-09-07 21:35 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Local\Deployment
2015-07-06 14:30 - 2014-09-24 17:22 - 00000238 _____ C:\Users\FloppyDesktop\AppData\Roaming\NWNToolPrefs.txt
2015-07-05 20:32 - 2014-06-12 05:30 - 00000000 ____D C:\Users\FloppyDesktop\Desktop\Game Icons
2015-07-05 05:08 - 2011-09-07 21:28 - 00300704 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-06-28 23:18 - 2015-05-14 00:13 - 00019151 _____ C:\Users\FloppyDesktop\Desktop\dnd 5th stuff.txt
2015-06-28 03:20 - 2012-09-17 16:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2015-06-28 03:20 - 2009-07-14 00:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-06-27 07:08 - 2011-09-09 19:41 - 00000000 ____D C:\Windows\SysWOW64\directx
2015-06-27 07:07 - 2014-09-24 14:15 - 00001086 _____ C:\Users\FloppyDesktop\Desktop\MSI Afterburner.lnk
2015-06-27 07:03 - 2009-07-14 00:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-06-27 07:02 - 2014-01-21 23:50 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-06-23 15:03 - 2014-01-20 02:14 - 00000000 ____D C:\Users\FloppyDesktop\AppData\Local\Battle.net
2015-06-23 15:03 - 2014-01-20 02:14 - 00000000 ____D C:\Program Files (x86)\Battle.net
2015-06-21 13:13 - 2013-03-07 14:32 - 00000000 ____D C:\ProgramData\BlueStacksSetup
2015-06-21 13:12 - 2009-07-13 22:20 - 00000000 __RHD C:\Users\Public\Libraries
2015-06-18 08:41 - 2014-09-05 07:38 - 00109272 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-18 08:41 - 2014-09-05 07:38 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-18 08:41 - 2012-02-17 10:05 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-18 01:22 - 2013-01-09 23:53 - 00000000 ____D C:\Users\FloppyDesktop\Documents\SavedGames
2015-06-14 10:34 - 2009-07-13 23:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
 
==================== Files in the root of some directories =======
 
2015-05-07 13:14 - 2015-05-07 13:14 - 0000132 _____ () C:\Users\FloppyDesktop\AppData\Roaming\Adobe BMP Format CS6 Prefs
2013-12-16 12:01 - 2015-05-07 17:37 - 0000132 _____ () C:\Users\FloppyDesktop\AppData\Roaming\Adobe PNG Format CS6 Prefs
2013-05-15 21:34 - 2013-06-18 15:08 - 0000132 _____ () C:\Users\FloppyDesktop\AppData\Roaming\Adobe Targa Format CS6 Prefs
2014-09-24 17:22 - 2015-07-06 14:30 - 0000238 _____ () C:\Users\FloppyDesktop\AppData\Roaming\NWNToolPrefs.txt
2012-05-28 19:59 - 2012-05-28 20:01 - 0013312 ___SH () C:\Users\FloppyDesktop\AppData\Roaming\Thumbs.db
2014-02-28 11:26 - 2014-02-28 11:26 - 0000600 _____ () C:\Users\FloppyDesktop\AppData\Roaming\winscp.rnd
2012-09-09 13:04 - 2012-12-07 12:23 - 0011776 _____ () C:\Users\FloppyDesktop\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-20 11:18 - 2012-07-20 11:18 - 0000101 _____ () C:\Users\FloppyDesktop\AppData\Local\fusioncache.dat
2012-06-23 09:06 - 2014-05-03 13:02 - 0007608 _____ () C:\Users\FloppyDesktop\AppData\Local\Resmon.ResmonCfg
2008-02-05 15:28 - 2008-02-05 15:28 - 0000051 _____ () C:\Users\FloppyDesktop\AppData\Local\setup.txt
2012-11-22 21:43 - 2012-11-22 21:43 - 4446016 ____N () C:\Users\FloppyDesktop\AppData\Local\Tempmusic.ogg
 
Files to move or delete:
====================
C:\Users\FloppyDesktop\AppData\Roaming\Origin\update.vbe
 
 
Some files in TEMP:
====================
C:\Users\FloppyDesktop\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\FloppyDesktop\AppData\Local\Temp\_is56D8.exe
C:\Users\HollyFish\AppData\Local\Temp\-8ml932n.dll
C:\Users\HollyFish\AppData\Local\Temp\-wqgt5lp.dll
C:\Users\HollyFish\AppData\Local\Temp\8lrjcdqz.dll
C:\Users\HollyFish\AppData\Local\Temp\dplinst.exe
C:\Users\HollyFish\AppData\Local\Temp\DSETUP.dll
C:\Users\HollyFish\AppData\Local\Temp\dsetup32.dll
C:\Users\HollyFish\AppData\Local\Temp\DXSETUP.exe
C:\Users\HollyFish\AppData\Local\Temp\e8o1k1qk.dll
C:\Users\HollyFish\AppData\Local\Temp\jewel-craft_s1_l1_gF2194T1L1_d1472630398.exe
C:\Users\HollyFish\AppData\Local\Temp\loxhefzp.dll
C:\Users\HollyFish\AppData\Local\Temp\sfamcc00001.dll
C:\Users\HollyFish\AppData\Local\Temp\{C28DC3F6-7A58-4BEB-8408-AB9863649015}-26.0.1410.64_26.0.1410.43_chrome_updater.exe
C:\Users\HollyFish\AppData\Local\Temp\{F5B06B13-DFD1-4D2A-B02E-54DBE06AB7A5}-24.0.1312.56_23.0.1271.97_chrome_updater.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-07-13 00:20
 
==================== End of log ============================



#2 FloppyDingo (Topic Starter)
  • Members
  • 3 posts

Posted 14 July 2015 - 09:46 PM

I seem to have smitten the beast. A search on Google for the name I found in those log files led me to Reddit, where they noted that people who had this problem found a script that was running from AppData\Local and AppData\Roaming (as well as C:\ProgramData) from folders labeled Origin. I deleted all three Origin folders, ran some clean-up, and it doesn't seem to have returned.

 

I'd still like to clean up my PC if anyone doesn't mind, in case there's other stuff on it. I learned a harsh lesson about torrents today (my friend said they were a safe way to try games; seems not). If I need a new FRST log and Addition.txt, let me know. :)



#3 nasdaq
  • Malware Response Team
  • 39,946 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 16 July 2015 - 09:34 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

AppInit_DLLs-x32: T => "T" File not found
ShortcutTarget: OpenOffice.org 3.3.lnk -> D:\Program Files\program\quickstart.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO-x32: No Name -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} ->  No File
Toolbar: HKU\S-1-5-21-1553056162-2627379254-642699484-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
S2 Hamachi2Svc; "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s [X]
S3 AthBTPort; system32\DRIVERS\btath_flt.sys [X]
S3 BTATH_A2DP; system32\drivers\btath_a2dp.sys [X]
S3 BTATH_BUS; system32\DRIVERS\btath_bus.sys [X]
S3 BTATH_HCRP; system32\DRIVERS\btath_hcrp.sys [X]
S3 BTATH_LWFLT; system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; system32\DRIVERS\btath_rcp.sys [X]
S3 BtFilter; system32\DRIVERS\btfilter.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GPU-Z; \??\C:\Users\FLOPPY~1\AppData\Local\Temp\GPU-Z.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
Task: {9CA56CBE-A1D7-4671-A72A-CACF50550368} - System32\Tasks\Origin => C:\Users\FloppyDesktop\AppData\Roaming\Origin\update.vbe [2015-07-10] () <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:ADF211B1
C:\Users\FloppyDesktop\AppData\Roaming\Origin\update.vbe

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

How is the computer running now?
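
As an added example (not FRST's fixlist and not part of nasdaq's instructions), the following PowerShell audit checks, from the defender's side, for the kinds of indicators the fix above removes: a process named like a system binary (svchost.exe, lsass.exe) running from outside System32, a scheduled task whose action lives in a user-writable folder (like the "Origin" task pointing at update.vbe under AppData\Roaming), an alternate data stream on C:\ProgramData\TEMP, and copies of svchost.exe or lsass.exe sitting in C:\Windows\Temp, with their Authenticode status reported the way FRST's "File is digitally signed" check does. The paths and process names are taken from this thread; the function names and the decision to use schtasks.exe rather than Get-ScheduledTask (which needs Windows 8 or later) are choices of this example, and Get-Item -Stream needs PowerShell 3.0 or newer.

```powershell
# Added example, not code from FRST or from this thread's helper.
# Run from an elevated PowerShell 3.0+ prompt so other users' process paths are readable.

$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
# Folders a limited user can write to; a task action or service binary here deserves a look.
$UserWritablePattern = '\\(AppData\\(Local|Roaming)|ProgramData|Temp)\\'

function Test-UnderDirectory {
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Processes carrying a system-binary name but running from elsewhere. The miner in
#    this thread ran as svchost.exe from C:\Windows\Temp; the real one never does.
function Get-MasqueradingProcess {
    Get-Process -Name svchost, lsass, csrss, services -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and -not (Test-UnderDirectory $_.Path $SystemDirs) } |
        Select-Object Id, ProcessName, Path
}

# 2. Scheduled tasks whose action is in a user-writable location. schtasks /fo CSV works
#    on Windows 7; ConvertFrom-Csv turns its output into objects with the column names
#    schtasks prints ("Task To Run", "Run As User").
function Get-SuspiciousScheduledTask {
    schtasks.exe /query /v /fo CSV |
        ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -and $_.'Task To Run' -match $UserWritablePattern } |
        Select-Object TaskName, 'Task To Run', 'Run As User'
}

# 3. Alternate data streams on the paths FRST flagged. FRST removed
#    C:\ProgramData\TEMP:ADF211B1; anything beyond the default :$DATA stream is reported.
function Get-AlternateDataStream {
    param([string[]]$Paths = @("$env:ProgramData\TEMP", "$env:SystemRoot\Temp"))
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
    }
}

# 4. Files named after system binaries dropped in C:\Windows\Temp, with signature status,
#    mirroring the "File is digitally signed" check at the end of the FRST log.
function Get-DroppedSystemBinaryCopy {
    Get-ChildItem -Path "$env:SystemRoot\Temp" -Include svchost.exe, lsass.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                FullName      = $_.FullName
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime
                Signature     = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

Write-Host "== Processes named like system binaries but running outside System32 =="
Get-MasqueradingProcess | Format-Table -AutoSize
Write-Host "== Scheduled tasks whose action lives in a user-writable folder =="
Get-SuspiciousScheduledTask | Format-Table -AutoSize
Write-Host "== Alternate data streams on flagged paths =="
Get-AlternateDataStream | Format-Table -AutoSize
Write-Host "== svchost.exe / lsass.exe copies under C:\Windows\Temp =="
Get-DroppedSystemBinaryCopy | Format-Table -AutoSize
```

Each section prints nothing on a clean machine. The task check deliberately uses a deny-list of writable folders rather than trusting the task name: the task here was called "Origin", which looks like the legitimate EA client, and only its action path gave it away.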

#4 FloppyDingo (Topic Starter)
  • Members
  • 3 posts

Posted 16 July 2015 - 11:10 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:13-07-2015
Ran by FloppyDesktop at 2015-07-16 11:02:42 Run:1
Running from C:\Users\FloppyDesktop\Desktop\Fixing Stuff
Loaded Profiles: FloppyDesktop (Available Profiles: FloppyDesktop & HollyFish)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
AppInit_DLLs-x32: T => "T" File not found
ShortcutTarget: OpenOffice.org 3.3.lnk -> D:\Program Files\program\quickstart.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO-x32: No Name -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} ->  No File
Toolbar: HKU\S-1-5-21-1553056162-2627379254-642699484-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
S2 Hamachi2Svc; "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s [X]
S3 AthBTPort; system32\DRIVERS\btath_flt.sys [X]
S3 BTATH_A2DP; system32\drivers\btath_a2dp.sys [X]
S3 BTATH_BUS; system32\DRIVERS\btath_bus.sys [X]
S3 BTATH_HCRP; system32\DRIVERS\btath_hcrp.sys [X]
S3 BTATH_LWFLT; system32\DRIVERS\btath_lwflt.sys [X]
S3 BTATH_RCP; system32\DRIVERS\btath_rcp.sys [X]
S3 BtFilter; system32\DRIVERS\btfilter.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 GPU-Z; \??\C:\Users\FLOPPY~1\AppData\Local\Temp\GPU-Z.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
Task: {9CA56CBE-A1D7-4671-A72A-CACF50550368} - System32\Tasks\Origin => C:\Users\FloppyDesktop\AppData\Roaming\Origin\update.vbe [2015-07-10] () <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:ADF211B1
C:\Users\FloppyDesktop\AppData\Roaming\Origin\update.vbe
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"T" => value data removed successfully.
D:\Program Files\program\quickstart.exe not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}" => key removed successfully
HKCR\Wow6432Node\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497} => key not found. 
HKU\S-1-5-21-1553056162-2627379254-642699484-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA}" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9" => key removed successfully
Hamachi2Svc => Service removed successfully
AthBTPort => Service removed successfully
BTATH_A2DP => Service removed successfully
BTATH_BUS => Service removed successfully
BTATH_HCRP => Service removed successfully
BTATH_LWFLT => Service removed successfully
BTATH_RCP => Service removed successfully
BtFilter => Service removed successfully
EagleX64 => Service removed successfully
GPU-Z => Service removed successfully
lmimirr => Service removed successfully
nvvad_WaveExtensible => Service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9CA56CBE-A1D7-4671-A72A-CACF50550368}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9CA56CBE-A1D7-4671-A72A-CACF50550368}" => key removed successfully
C:\Windows\System32\Tasks\Origin => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Origin" => key removed successfully
C:\ProgramData\TEMP => ":ADF211B1" ADS removed successfully.
"C:\Users\FloppyDesktop\AppData\Roaming\Origin\update.vbe" => File/Folder not found.
EmptyTemp: => 1.6 GB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 11:03:08 ====
 
 
 
 
The computer is running much better, especially once the miner was gone. :)


#5 nasdaq
  • Malware Response Team
  • 39,946 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 16 July 2015 - 12:53 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#6 nasdaq
  • Malware Response Team
  • 39,946 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 22 July 2015 - 07:27 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
