Popup keeps showing up | KS.exe / ARCHIVER.exe | Malware infection


This topic is locked. 4 replies to this topic.

#1 Spleensindenial (Members, 2 posts)

Posted 31 August 2015 - 04:03 PM

I've got a popup that keeps reappearing on my desktop after every startup and again after certain time periods. It is advertisement, mostly for Gameforge, and it has a big yellow button that says "Skip ad"; when clicking it, the popup closes. It seems to be connected to a file named "KS.exe", since the popup closes when ending the process in Task Manager. There's also a process running named "ARCHIVER.exe" that keeps reinstalling itself in the autostart folder after being deleted.

So far I ran Malwarebytes Anti-Malware, which didn't fix the problem.

Thanks in the meantime!

___________________

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-08-2015
Ran by Spleen (Administrator) on SPLEEN-PC (31-08-2015 22:39:06)
Running from C:\Users\Spleen\Downloads
Loaded Profiles: Spleen (Available Profiles: Spleen)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: German (Germany)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(EnTech Taiwan) C:\Program Files (x86)\softOSD\softOSD.exe
(EnTech Taiwan) C:\Windows\SysWOW64\softLCP.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\wscript.exe
() C:\Program Files (x86)\Philips\Philips SPC230NC Webcam\TrayMin230.exe
(ARCHIVER COMPANY 2015) C:\Users\Spleen\AppData\Roaming\ARCHIVER.exe
(SRS  @ 2015) C:\Users\Spleen\AppData\Local\Temp\SRSServ.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Advanced Micro Devices, Inc.) C:\Users\Spleen\AppData\Local\Temp\AutoDetectUtilApp.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Advanced Micro Devices, Inc.) C:\Users\Spleen\AppData\Local\Temp\13-9-legacy_vista_win7_64_dd_ccc_whql.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-07-18] (Advanced Micro Devices, Inc.)
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-1664382679-120651803-3418255153-1000\...\Run: [WinFLService] => wscript.exe //B "C:\Users\Spleen\AppData\Roaming\WinFLService.vbs"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TrayMin230.lnk [2015-08-11]
ShortcutTarget: TrayMin230.lnk -> C:\Program Files (x86)\Philips\Philips SPC230NC Webcam\TrayMin230.exe ()
Startup: C:\Users\Spleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ARCHIVER.lnk [2015-08-30]
ShortcutTarget: ARCHIVER.lnk -> C:\Users\Spleen\AppData\Roaming\ARCHIVER.exe (ARCHIVER COMPANY 2015)
Startup: C:\Users\Spleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SRSServ.lnk [2015-08-22]
ShortcutTarget: SRSServ.lnk -> C:\Users\Spleen\AppData\Local\Temp\SRSServ.exe (SRS  @ 2015)
Startup: C:\Users\Spleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinFLService.vbs [2015-08-22] ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, it will be removed or, if it is a registry item, restored to default.)
 
Hosts: There is more than one entry in the Hosts file. See the Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{A0A8033C-2074-41E5-AE8E-7014AE165BE9}: [DhcpNameServer] 10.0.0.138
 
Internet Explorer:
==================
HKU\S-1-5-21-1664382679-120651803-3418255153-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-at/?ocid=iehp
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Microsoft-Konto-Anmelde-Hilfsprogramm -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-03-09] (Adobe Systems)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-03-09] (Adobe Systems)
 
Chrome: 
=======
CHR Profile: C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-27]
CHR Extension: (Google Docs) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-27]
CHR Extension: (Google Drive) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-27]
CHR Extension: (YouTube) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-27]
CHR Extension: (Google Search) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-27]
CHR Extension: (Google Sheets) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-27]
CHR Extension: (AdBlock) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-01-27]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Video Downloader [FVD]) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfmhcpmkbdkbgbmkjoiopeeegenkdikp [2015-02-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-27]
CHR Extension: (Gmail) - C:\Users\Spleen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-27]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless it is listed separately.)
 
S4 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [244392 2015-05-11] (Foxit Software Inc.)
S4 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S4 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 softOSD; C:\Program Files (x86)\softOSD\softosd.exe [259832 2007-07-31] (EnTech Taiwan) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-08-29] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless it is listed separately.)
 
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2015-02-05] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
R3 PAEAFLT.sys; C:\Windows\System32\DRIVERS\PAEAFLT.sys [9472 2007-09-26] (PixArt Imaging Incorporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-06-22] (Corel Corporation)
R1 se64a; C:\Windows\System32\Drivers\se64a.sys [14032 2007-05-03] (EnTech Taiwan)
R1 se64a; C:\Windows\SysWOW64\Drivers\se64a.sys [14032 2007-05-03] (EnTech Taiwan)
R3 SPC230NC; C:\Windows\System32\DRIVERS\SPC230NC.SYS [531968 2008-01-03] (PixArt Imaging Inc.)
S2 tandpl; C:\Windows\SysWOW64\drivers\tandpl.sys [4736 2003-04-19] () [File not signed]
R3 TASCAM_US122144; C:\Windows\System32\Drivers\tascusb2.sys [520880 2014-11-07] (TASCAM)
R3 TASCAM_US122L_MK2_MIDI; C:\Windows\System32\drivers\tscusb2m.sys [32432 2014-11-07] (TASCAM)
R3 TASCAM_US122L_MK2_WDM; C:\Windows\System32\drivers\tscusb2a.sys [55984 2014-11-07] (TASCAM)
R3 VBAudioVACMME; C:\Windows\System32\DRIVERS\vbaudio_cable64_win7.sys [41192 2013-07-11] (Windows ® Win 7 DDK provider)
R3 VCSVADHWSer; C:\Windows\System32\DRIVERS\vcsvad.sys [21504 2008-12-26] (Avnex)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless it is listed separately.)
 
 
==================== One Month: Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-31 22:39 - 2015-08-31 22:39 - 00010728 _____ C:\Users\Spleen\Downloads\FRST.txt
2015-08-31 22:38 - 2015-08-31 22:39 - 00000000 ____D C:\FRST
2015-08-31 22:38 - 2015-08-31 22:38 - 02188800 _____ (Farbar) C:\Users\Spleen\Downloads\FRST64.exe
2015-08-31 22:18 - 2015-08-31 22:18 - 05455048 _____ (Advanced Micro Devices, Inc.) C:\Users\Spleen\Downloads\autodetectutility.exe
2015-08-31 21:59 - 2015-08-31 21:59 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-08-31 21:59 - 2015-08-31 21:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-08-30 16:40 - 2015-08-30 16:40 - 00071680 _____ (ARCHIVER COMPANY 2015) C:\Users\Spleen\AppData\Roaming\ARCHIVER.exe
2015-08-29 16:12 - 2015-08-29 16:12 - 00001253 _____ C:\Users\Spleen\Desktop\PillarsOfEternity.lnk
2015-08-29 15:40 - 2015-08-29 15:40 - 00000000 __SHD C:\Users\Spleen\AppData\Local\EmieUserList
2015-08-29 15:40 - 2015-08-29 15:40 - 00000000 __SHD C:\Users\Spleen\AppData\Local\EmieSiteList
2015-08-29 15:40 - 2015-08-29 15:40 - 00000000 __SHD C:\Users\Spleen\AppData\Local\EmieBrowserModeList
2015-08-29 12:54 - 2015-08-29 12:54 - 00000000 ____D C:\Windows\pss
2015-08-24 16:25 - 2015-08-24 16:25 - 00003506 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-Spleen-PC-Spleen
2015-08-24 16:21 - 2015-08-24 16:21 - 00000000 ____D C:\Program Files (x86)\My Company Name
2015-08-24 16:21 - 2012-06-22 03:01 - 00056336 ____N (Corel Corporation) C:\Windows\system32\Drivers\PxHlpa64.sys
2015-08-24 16:21 - 2012-04-24 03:01 - 00011376 ____N (Corel Corporation) C:\Windows\system32\Drivers\cdralw2k.sys
2015-08-24 16:21 - 2012-04-24 03:01 - 00010864 ____N (Corel Corporation) C:\Windows\system32\Drivers\cdr4_xp.sys
2015-08-24 15:24 - 2015-08-24 15:24 - 00000000 ____D C:\Program Files\VB
2015-08-24 15:21 - 2013-07-11 08:57 - 00041192 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\vbaudio_cable64_win7.sys
2015-08-24 15:17 - 2015-08-24 15:18 - 00000000 ____D C:\Program Files (x86)\VSTHost
2015-08-24 15:03 - 2015-08-24 15:03 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\Screaming Bee
2015-08-24 15:02 - 2015-08-24 15:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Screaming Bee
2015-08-24 15:02 - 2015-08-24 15:02 - 00000000 ____D C:\Program Files (x86)\Screaming Bee
2015-08-24 15:01 - 2015-08-24 15:01 - 02970992 _____ C:\Users\Spleen\Downloads\MorphVOXJunior_Install-1.exe
2015-08-24 14:59 - 2015-08-24 14:59 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\Avnex
2015-08-24 14:50 - 2015-08-24 14:50 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Equalizer APO 0.9.2
2015-08-24 14:50 - 2015-08-24 14:50 - 00000000 ____D C:\Program Files\EqualizerAPO
2015-08-24 14:50 - 2008-12-26 12:56 - 00021504 _____ (Avnex) C:\Windows\system32\Drivers\vcsvad.sys
2015-08-24 14:47 - 2015-08-31 22:21 - 00004108 _____ C:\Windows\setupact.log
2015-08-24 14:47 - 2015-08-24 14:47 - 00000000 _____ C:\Windows\setuperr.log
2015-08-24 14:33 - 2015-08-24 14:33 - 00081148 _____ C:\Users\Spleen\Documents\cc_20150824_143256.reg
2015-08-24 14:33 - 2015-08-24 14:33 - 00004978 _____ C:\Users\Spleen\Documents\cc_20150824_143314.reg
2015-08-24 14:31 - 2015-08-24 14:31 - 00002794 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-08-24 14:31 - 2015-08-24 14:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-08-24 14:31 - 2015-08-24 14:31 - 00000000 ____D C:\Program Files\CCleaner
2015-08-23 16:59 - 2015-08-31 18:02 - 00019968 _____ (newup) C:\Users\Spleen\AppData\Roaming\newup.exe
2015-08-23 10:58 - 2015-08-23 13:03 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\FreeFixer
2015-08-23 10:58 - 2015-08-23 11:02 - 00000000 ____D C:\Users\Spleen\AppData\Local\FreeFixer
2015-08-23 10:58 - 2015-08-23 10:58 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeFixer
2015-08-23 10:58 - 2015-08-23 10:58 - 00000000 ____D C:\Program Files\FreeFixer
2015-08-23 08:10 - 2015-08-23 08:10 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-23 08:09 - 2015-08-23 08:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-23 08:09 - 2015-08-23 08:09 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-08-23 08:09 - 2015-08-23 08:09 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-08-23 08:09 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-08-23 08:09 - 2015-06-18 08:41 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-08-23 08:09 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-08-22 22:35 - 2015-08-22 22:36 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\SCK2014
2015-08-22 21:20 - 2015-08-22 21:20 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\MMFApplications
2015-08-22 21:20 - 2015-08-22 21:20 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\Joymasher
2015-08-22 20:56 - 2015-08-22 20:56 - 04556035 _____ C:\Users\Spleen\AppData\Roaming\WinFLService.vbs
2015-08-17 16:41 - 2015-08-17 16:41 - 00921632 _____ C:\SPC230NC.DAT
2015-08-17 13:01 - 2015-08-17 13:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uplink
2015-08-15 18:22 - 2015-08-15 18:42 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\FLV Extract
2015-08-15 13:10 - 2015-08-15 16:52 - 00000000 ____D C:\Users\Spleen\Desktop\SC Art of War
2015-08-11 19:01 - 2015-08-11 19:01 - 00000000 ____D C:\Windows\Philips
2015-08-11 19:01 - 2015-08-11 19:01 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\InstallShield
2015-08-11 19:01 - 2015-08-11 19:01 - 00000000 ____D C:\Program Files (x86)\Philips
2015-08-11 19:01 - 2008-01-04 10:25 - 00135680 _____ (PixArt Imaging Incorporation) C:\Windows\SysWOW64\SPC230NC.AX
2015-08-11 19:01 - 2008-01-03 18:13 - 00531968 _____ (PixArt Imaging Inc.) C:\Windows\system32\Drivers\SPC230NC.SYS
2015-08-11 19:01 - 2007-12-10 16:08 - 00000842 _____ C:\Windows\SysWOW64\SPC230NC.INI
2015-08-11 19:01 - 2007-09-26 14:32 - 00009472 _____ (PixArt Imaging Incorporation) C:\Windows\system32\Drivers\PAEAFLT.sys
2015-08-09 14:54 - 2014-11-07 23:42 - 00520880 _____ (TASCAM) C:\Windows\system32\Drivers\tascusb2.sys
2015-08-09 14:54 - 2014-11-07 23:42 - 00055984 _____ (TASCAM) C:\Windows\system32\Drivers\tscusb2a.sys
2015-08-09 14:54 - 2014-11-07 23:42 - 00032432 _____ (TASCAM) C:\Windows\system32\Drivers\tscusb2m.sys
2015-08-08 23:27 - 2015-08-31 18:05 - 00000000 ____D C:\Users\Spleen\Downloads\SORT
 
==================== One Month: Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-31 22:29 - 2009-07-14 06:45 - 00021472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-31 22:29 - 2009-07-14 06:45 - 00021472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-31 22:27 - 2015-01-27 02:58 - 00001110 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-31 22:24 - 2015-01-27 02:28 - 01841862 _____ C:\Windows\WindowsUpdate.log
2015-08-31 22:21 - 2015-01-27 02:58 - 00001106 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-31 22:21 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-31 21:59 - 2015-03-29 22:36 - 00002699 _____ C:\Users\Public\Desktop\Skype.lnk
2015-08-31 21:59 - 2015-03-29 22:36 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\Skype
2015-08-31 21:59 - 2015-03-29 22:36 - 00000000 ____D C:\ProgramData\Skype
2015-08-31 21:58 - 2015-02-07 14:20 - 00000000 ____D C:\Users\Spleen\AppData\Local\Battle.net
2015-08-31 02:00 - 2015-01-29 23:24 - 00000000 ____D C:\Users\Spleen\AppData\Local\Adobe
2015-08-30 11:34 - 2015-02-07 14:20 - 00000000 ____D C:\Program Files (x86)\Battle.net
2015-08-29 23:14 - 2015-02-05 23:18 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\vlc
2015-08-29 15:42 - 2015-03-13 13:19 - 00000000 ___RD C:\Users\Spleen\Documents\MAGIX
2015-08-29 15:42 - 2015-03-13 13:19 - 00000000 ____D C:\ProgramData\MAGIX
2015-08-29 15:42 - 2014-07-06 11:35 - 00000000 ____D C:\Games
2015-08-29 11:53 - 2015-03-28 20:18 - 00000340 _____ C:\Users\Spleen\AppData\Roaming\softOSM.ini
2015-08-29 05:22 - 2015-01-27 02:58 - 00004106 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-08-29 05:22 - 2015-01-27 02:58 - 00003854 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-08-26 10:15 - 2009-07-14 07:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-08-26 10:04 - 2015-02-05 17:26 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\DAEMON Tools Lite
2015-08-25 15:31 - 2011-04-12 09:43 - 00699090 _____ C:\Windows\system32\perfh007.dat
2015-08-25 15:31 - 2011-04-12 09:43 - 00149230 _____ C:\Windows\system32\perfc007.dat
2015-08-25 15:31 - 2009-07-14 07:13 - 01619272 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-25 02:00 - 2015-03-11 19:36 - 00000000 ____D C:\ProgramData\Adobe
2015-08-24 19:26 - 2015-05-24 13:14 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\OBS
2015-08-24 16:21 - 2015-03-13 13:19 - 00000000 ____D C:\ProgramData\Package Cache
2015-08-24 15:10 - 2015-05-24 13:14 - 00000000 ____D C:\Program Files (x86)\OBS
2015-08-24 15:00 - 2015-01-27 02:55 - 00000000 ____D C:\Users\Spleen
2015-08-24 14:32 - 2015-01-27 02:24 - 00000000 ____D C:\Windows\Panther
2015-08-24 14:31 - 2015-07-04 12:55 - 00000000 ____D C:\Windows\Minidump
2015-08-23 17:16 - 2015-02-26 20:34 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\Audacity
2015-08-23 13:46 - 2015-04-26 13:43 - 00000000 ____D C:\Program Files (x86)\GOG.com
2015-08-23 13:46 - 2015-02-11 19:13 - 00000000 ____D C:\GOG Games
2015-08-23 13:44 - 2015-01-29 22:51 - 00000000 ____D C:\Users\Spleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2015-08-23 13:43 - 2015-02-14 14:39 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-08-23 13:40 - 2015-02-13 16:49 - 00000000 ____D C:\Windows\system32\appmgmt
2015-08-23 13:38 - 2015-02-11 19:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2015-08-23 13:37 - 2015-07-19 15:48 - 00000000 ____D C:\Users\Spleen\Documents\ChessBase
2015-08-23 13:36 - 2009-07-14 05:20 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-08-23 08:23 - 2015-01-27 20:10 - 00000000 ____D C:\ProgramData\APN
2015-08-22 20:56 - 2015-02-22 13:45 - 00466456 _____ (Creative Labs) C:\Windows\system32\wrap_oal.dll
2015-08-22 20:56 - 2015-02-22 13:45 - 00444952 _____ (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2015-08-22 20:56 - 2015-02-22 13:45 - 00122904 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\system32\OpenAL32.dll
2015-08-22 20:56 - 2015-02-22 13:45 - 00109080 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
2015-08-22 10:27 - 2015-01-27 21:55 - 00000000 ____D C:\Users\Spleen\Documents\My Games
2015-08-21 12:59 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\NDF
2015-08-09 14:55 - 2015-02-20 21:37 - 00000000 ____D C:\Windows\usb-audio.deTascam
2015-08-04 09:41 - 2009-07-14 07:08 - 00032640 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-08-02 04:12 - 2015-01-27 02:58 - 00000000 ____D C:\Users\Spleen\AppData\Local\Google
 
==================== Files in the root of some directories =======
 
2015-08-30 16:40 - 2015-08-30 16:40 - 0071680 _____ (ARCHIVER COMPANY 2015) C:\Users\Spleen\AppData\Roaming\ARCHIVER.exe
2015-08-22 20:55 - 2015-08-22 20:55 - 69371049 _____ (Artur Games) C:\Users\Spleen\AppData\Roaming\installe.exe
2015-08-23 16:59 - 2015-08-31 18:02 - 0019968 _____ (newup) C:\Users\Spleen\AppData\Roaming\newup.exe
2015-03-28 20:18 - 2015-08-29 11:53 - 0000340 _____ () C:\Users\Spleen\AppData\Roaming\softOSM.ini
2015-08-22 20:56 - 2015-08-22 20:56 - 4556035 _____ () C:\Users\Spleen\AppData\Roaming\WinFLService.vbs
 
Files that should be moved or deleted:
====================
C:\Windows\SysWOW64\ntshrui.dll
 
 
Some files in TEMP:
====================
C:\Users\Spleen\AppData\Local\Temp\13-9-legacy_vista_win7_64_dd_ccc_whql.exe
C:\Users\Spleen\AppData\Local\Temp\AutoDetectUtilApp.exe
C:\Users\Spleen\AppData\Local\Temp\GLF76A8.tmp.dll
C:\Users\Spleen\AppData\Local\Temp\KS.exe
C:\Users\Spleen\AppData\Local\Temp\SRSServ.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-08-22 19:11
 
==================== End of FRST.txt ============================
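The log above is what a malware-response helper reads to pick out the persistence chain: a Run value that starts wscript.exe //B on a .vbs in AppData\Roaming, Startup-folder shortcuts pointing at AppData\Roaming\ARCHIVER.exe and Temp\SRSServ.exe, and KS.exe sitting in Temp. As an added example, not part of the original post and not FRST's own code, the Python script below parses exactly those FRST line types (processes, Run keys, Startup entries, ShortcutTarget lines, the TEMP list) and flags what a helper checks first. The heuristics (user Temp folder, root of AppData\Roaming, script hosts, hidden-window flags, missing publisher outside Windows and Program Files) are the example author's assumptions, and the sample input is a constructed subset of lines copied from the FRST.txt above.

```python
"""Triage the autostart lines of a Farbar Recovery Scan Tool (FRST) log.
Added example, not FRST's own code: flags payloads in user-writable places,
hidden script-host launches and scripts dropped straight into the Startup folder."""
import re
from dataclasses import dataclass, field

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
HIDDEN_FLAGS = ("//b", "-w hidden", "-windowstyle hidden")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".ps1", ".hta")

# Line shapes as FRST prints them: publisher in parentheses, size/date in brackets.
_PROC = re.compile(r"^\((?P<pub>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
_RUN = re.compile(r"^(?P<key>HK[^:]*\\Run\w*): \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$")
_TRAILER = re.compile(r"\s*\[\d+ \d{4}-\d{2}-\d{2}\](?: \([^)]*\))?$")
_STARTUP = re.compile(r"^Startup: (?P<path>[A-Za-z]:\\.+?)(?: \[\d{4}-\d{2}-\d{2}\])?(?: \([^)]*\))?$")
_TARGET = re.compile(r"^ShortcutTarget: (?P<lnk>.+?) -> (?P<path>[A-Za-z]:\\.+?)(?: \((?P<pub>[^)]*)\))?$")
_BARE = re.compile(r"^[A-Za-z]:\\[^=]+$")
_EXE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|com|bat|cmd|vbs|js))"?(?P<args>.*)$', re.I)
_ARG = re.compile(r'"([^"]+)"|(\S+)')
_TRUSTED = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\")


@dataclass
class Finding:
    source: str   # FRST line type the finding came from
    name: str     # Run value, shortcut name or file name
    path: str     # what actually executes (the script, not its host)
    reasons: list = field(default_factory=list)


def location_reasons(path):
    """Reasons that follow purely from where the payload lives (assumed heuristics)."""
    p, reasons = path.lower(), []
    if "\\appdata\\local\\temp\\" in p:
        reasons.append("lives in the user Temp folder")
    if re.search(r"\\appdata\\roaming\\[^\\]+$", p):
        reasons.append("sits directly in the root of AppData\\Roaming")
    if p.endswith(SCRIPT_EXT):
        reasons.append("payload is a script, not a program")
    return reasons


def split_command(cmd):
    """Return (program, payload); for a script host the payload is the script it runs."""
    m = _EXE.match(cmd.strip())
    if not m:
        return cmd, cmd
    exe, args = m.group("exe"), m.group("args")
    payload = exe
    if exe.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        for quoted, bare in _ARG.findall(args):
            if (quoted or bare).lower().endswith(SCRIPT_EXT):
                payload = quoted or bare
                break
    return exe, payload


def triage(lines):
    findings = []

    def add(source, name, path, pub=None, extra=()):
        p = path.lower()
        reasons = location_reasons(path) + list(extra)
        if pub == "" and not _TRUSTED.match(p):
            reasons.append("no publisher/version info")
        if p.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            reasons.append("script host running; match it to a Run/Startup entry")
        if reasons:
            findings.append(Finding(source, name, path, reasons))

    for line in (raw.strip() for raw in lines):
        if m := _RUN.match(line):
            cmd = _TRAILER.sub("", m.group("cmd"))
            exe, payload = split_command(cmd)
            host = exe.rsplit("\\", 1)[-1]
            extra = ["launched through " + host] if host.lower() in SCRIPT_HOSTS else []
            if any(f in cmd.lower() for f in HIDDEN_FLAGS):
                extra.append("window hidden (//B or -WindowStyle Hidden)")
            add("run:" + m.group("key"), m.group("name"), payload, extra=extra)
        elif m := _STARTUP.match(line):
            path = m.group("path")
            if not path.lower().endswith(".lnk"):   # .lnk targets arrive via ShortcutTarget
                add("startup", path.rsplit("\\", 1)[-1], path, extra=["placed directly in the Startup folder"])
        elif m := _TARGET.match(line):
            add("shortcut", m.group("lnk"), m.group("path"), pub=m.group("pub"))
        elif m := _PROC.match(line):
            add("process", m.group("path").rsplit("\\", 1)[-1], m.group("path"), pub=m.group("pub"))
        elif _BARE.match(line) and line.lower().endswith(SCRIPT_EXT + (".exe", ".dll", ".scr")):
            add("file", line.rsplit("\\", 1)[-1], line)
    return findings


# Constructed test input: lines copied from the FRST.txt in the post above.
SAMPLE_LOG = r"""
(Microsoft Corporation) C:\Windows\System32\wscript.exe
() C:\Program Files (x86)\Philips\Philips SPC230NC Webcam\TrayMin230.exe
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-07-18] (Advanced Micro Devices, Inc.)
HKU\S-1-5-21-1664382679-120651803-3418255153-1000\...\Run: [WinFLService] => wscript.exe //B "C:\Users\Spleen\AppData\Roaming\WinFLService.vbs"
ShortcutTarget: ARCHIVER.lnk -> C:\Users\Spleen\AppData\Roaming\ARCHIVER.exe (ARCHIVER COMPANY 2015)
ShortcutTarget: SRSServ.lnk -> C:\Users\Spleen\AppData\Local\Temp\SRSServ.exe (SRS  @ 2015)
Startup: C:\Users\Spleen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinFLService.vbs [2015-08-22] ()
C:\Users\Spleen\AppData\Local\Temp\KS.exe
""".strip().splitlines()
```

Run `triage(SAMPLE_LOG)` and every entry the user later removed by hand comes back flagged (the WinFLService Run value resolves to the .vbs it hides behind wscript.exe, the two AppData shortcuts, the .vbs in the Startup folder itself, KS.exe in Temp), while the AMD Run value and the Philips tray tool do not. Anything flagged still needs a person to decide: a vendor installer left in Temp is flagged too, and a clean result says nothing about what the .vbs or the ARCHIVER binary actually does, which is what the tools requested in the next post are for.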


#2 Machiavelli (Malware Response Instructor, Germany, 4,115 posts)

Posted 01 September 2015 - 03:38 AM

Hey, :)

 

STEP 1
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is selected and click Start Scan.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 

STEP 2
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.

STEP 3

AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab, and click Cleaning
  • Follow the prompts and allow your computer to reboot
  • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this tool. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[S1].txt.

 
======================================================

STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • MBAM log
  • JRT.txt
  • AdwCleaner[C1].txt

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

 
 


#3 Spleensindenial (Topic Starter, Members, 2 posts)

Posted 02 September 2015 - 10:39 AM

Hey Machiavelli!

Thank you very much for this extensive reply, and please excuse that I am only replying now. After using FRST I went over the log files and singled out the entries that concerned the KS.exe and ARCHIVER.exe files, and removed those files from their respective locations, as well as the corresponding RegEdit entries, manually. I also unchecked the respective processes in msconfig and then ran CCleaner a couple of times over.

I have had no further popups since then, and ARCHIVER didn't install itself in the Autostart folder again.

I hope this concludes the issue, and I'm very sorry for having bothered you. If anything shows up again, I'll make sure to give an update on the problem.

Thanks again!

all the best



#4 Machiavelli

Posted 03 September 2015 - 04:45 AM

OK

~Machiavelli



#5 Machiavelli

Posted 03 September 2015 - 04:45 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~Machiavelli





