Infected DLLs and other exe


  • This topic is locked
17 replies to this topic

#1 Sellat

  • Members
  • 10 posts
  • OFFLINE
  • Local time: 03:52 PM

Posted 10 October 2015 - 01:12 PM

Boxes showing that some DLL stopped working, and then the PC becomes really slow (rundll32).


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-10-2015
Ran by Avell (administrator) on AVELL-PC (10-10-2015 15:02:48)
Running from C:\Users\Avell\Desktop
Loaded Profiles: Avell & UpdatusUser (Available Profiles: Avell & UpdatusUser)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Português (Brasil)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Egis Technology Inc. ) C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe
(Egis Technology Inc. ) C:\Program Files (x86)\EgisTec BioExcess\EgisService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Motorola Solutions, Inc.) C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
(Motorola Solutions, Inc.) C:\Program Files\Motorola\Bluetooth\audiosrv.exe
(Motorola Solutions, Inc.) C:\Program Files\Motorola\Bluetooth\obexsrv.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Company) C:\Program Files (x86)\Popcorn Time\Updater.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Macrovision Europe Ltd.) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
(Panda Security) C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(SteelSeries ApS) C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Piriform Ltd) C:\Program Files (x86)\CCleaner\CCleaner64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(TODO: <Company name>) C:\Program Files (x86)\BTOPtm\BTOptm.exe
(InstallShield Software Corporation) C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Developed by Alejandro Cortés) C:\Program Files (x86)\sXe Injected\sXe Injected.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\PresentationHost.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_185.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_185.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13353064 2012-01-12] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2816816 2012-03-11] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-03-15] (Intel Corporation)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [418672 2011-06-22] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [202608 2011-06-22] (Egis Technology Inc.)
HKLM-x32\...\Run: [BTOptm] => C:\Program Files (x86)\BTOPtm\BTOptm.exe [1907056 2012-03-09] (TODO: <Company name>)
HKLM-x32\...\Run: [ISUSScheduler] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [81920 2004-08-09] (InstallShield Software Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
Winlogon\Notify\ GbPluginBb: C:\Program Files (x86)\GbPlugin\gbieh.dll [2014-07-31] (Banco do Brasil)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [ISUSPM Startup] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2004-08-09] (InstallShield Software Corporation)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [SteelSeries Engine] => C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe [87040 2014-10-09] (SteelSeries ApS)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [MSConfig] => C:\Users\Avell\lluuitgg.exe [48287744 2015-10-05] (AhnLab, Inc.)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [Ocics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Avell\AppData\Local\ATDworks\sgssytcb.dll
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [CCleaner Monitoring] => C:\Program Files (x86)\CCleaner\CCleaner64.exe [7394584 2014-12-12] (Piriform Ltd)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [Ewtion] => regsvr32.exe C:\Users\Avell\AppData\Local\Ewtion\bbbcidnn.dll <===== ATTENTION
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3696912 2014-03-04] (Disc Soft Ltd)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Policies\Explorer\Run: [IM Providers] => C:\Users\Avell\AppData\Roaming\srjtutcf\dgjrchwc.exe [94946 2013-08-28] ()
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Policies\Explorer: [TaskbarNoNotification] 1
ShellExecuteHooks-x32: GbPluginObj Class - {E37CB5F0-51F5-4395-A808-5FA49E399F83} - C:\Program Files (x86)\GbPlugin\gbieh.dll [1754664 2014-07-31] (Banco do Brasil)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{6362CEAB-E522-4659-81BF-FBDB80662937}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com.br/
HKU\S-1-5-21-2315785857-4177499487-4149518941-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://br.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2014-11-12] (Microsoft Corporation)
BHO: EgisPBIE Sign-in Helper -> {7B51CCBE-4AF9-44A6-BDAB-D7F7E4C4E6F9} -> C:\Program Files (x86)\EgisTec BioExcess\x64\EgisPBIE.dll [2011-10-26] (Egis Technology Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2014-11-12] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2012-08-02] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-10-18] (Oracle Corporation)
BHO-x32: Auxiliar de Conexão de Conta da Microsoft -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2014-10-14] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261
FF Homepage: hxxps://www.google.com.br/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-10-02] ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll [2012-08-02] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40620.0\npctrl.dll [2015-06-20] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-10-02] ()
FF Plugin-x32: @esn/npbattlelog,version=2.4.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.4.0\npbattlelog.dll [2014-05-26] (EA Digital Illusions CE AB)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-10-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-10-18] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2014-05-21] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40620.0\npctrl.dll [2015-06-19] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-22] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2012-06-28] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2012-06-28] (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @raidcall.en/RCplugin -> C:\Users\Avell\AppData\Roaming\raidcall\plugins\nprcplugin.dll [2013-03-30] (Raidcall)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-07-03] (Adobe Systems Inc.)
FF Plugin-x32: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files (x86)\Yahoo!\Common\npyaxmpb.dll [2006-11-03] (Yahoo! Inc.)
FF Plugin HKU\S-1-5-21-2315785857-4177499487-4149518941-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Avell\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF Plugin HKU\S-1-5-21-2315785857-4177499487-4149518941-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Avell\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2013-11-25] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-2315785857-4177499487-4149518941-1000: gastecnologia.com.br/sf/bb -> C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\npsf_bb.dll No File
FF Plugin HKU\S-1-5-21-2315785857-4177499487-4149518941-1000: gastecnologia.com.br/sf/cef64 -> C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\npsf_cef_64.dll [2015-07-14] (GAS Tecnologia)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2014-05-21] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-07-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Avell\AppData\Roaming\mozilla\plugins\np-mswmp.dll [2009-09-25] (Microsoft Corporation)
FF Extension: Undo command invocation - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{50C4B6EC-3716-346D-2A39-9BD11D35CB33} [2015-10-09]
FF Extension: FT DeepDark - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{77d2ed30-4cd2-11e0-b8af-0800200c9a66} [2015-06-26]
FF Extension: Noia Fox - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{7b90e860-5d61-11e0-80e3-0800200c9a66}.xpi [2015-02-01]
FF Extension: Adblock Plus - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-07-19]
FF HKLM-x32\...\Firefox\Extensions: [{41ecbc0b-34d5-4cd4-935f-253a30e2cb7e}] - C:\Program Files (x86)\EgisTec BioExcess\FFExt
FF Extension:  Online Accounts Extension  - C:\Program Files (x86)\EgisTec BioExcess\FFExt [2012-08-01]
FF HKLM-x32\...\Firefox\Extensions: [{d4da7309-b89a-45ec-8ebb-cfb2ae13618b}] - C:\Program Files (x86)\EgisTec BioExcess\FFExt20
FF Extension:  Online Accounts Extension  - C:\Program Files (x86)\EgisTec BioExcess\FFExt20 [2012-08-01]
FF HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Firefox\Extensions: [{87F8774F-B485-47E2-A755-A40A8A5E886C}] - C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\bb\sf.xpi => not found
FF HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Firefox\Extensions: [{87F8774F-B485-47E2-A755-A40A8A5E886D}] - C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\cef\xpi
FF Extension: GBBD Caixa Economica Federal - C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\cef\xpi [2015-07-14]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com.br/
CHR StartupUrls: Default -> "hxxp://www.google.com.br/"
CHR Profile: C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Apresentações) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-19]
CHR Extension: (Google Docs) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-19]
CHR Extension: (Google Drive) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-19]
CHR Extension: (AdBlock Plus) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbihjkbifdakjlfjkpfeadmgefejcdk [2014-10-19]
CHR Extension: (YouTube) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-19]
CHR Extension: (Google Search) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-19]
CHR Extension: (Planilhas do Google) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-19]
CHR Extension: (Documentos Google off-line) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-03]
CHR Extension: (Online Accounts Extension ) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ladimmjldcgbeamniagencjbodhnmgen [2014-10-19]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-17]
CHR Extension: (Pagamentos da Chrome Web Store) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-19]
CHR Extension: (Simple Adblock) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ockogkkjjhgjelcddamlnjcfnmiegjfg [2014-10-19]
CHR Extension: (Gmail) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-19]
CHR HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pgacfjdigcddmmncljpflgcfpfahebkh] - C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\bb\sf.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [ladimmjldcgbeamniagencjbodhnmgen] - C:\Program Files (x86)\EgisTec BioExcess\ChromeEx\EgisPBChromeExt.crx [2011-10-26]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [433784 2015-06-16] (BlueStack Systems, Inc.)
S3 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [413304 2015-06-16] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [831096 2015-07-21] (BlueStack Systems, Inc.)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [175136 2014-09-02] (EasyAntiCheat Ltd)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [647680 2012-08-01] (Macrovision Europe Ltd.) [File not signed]
R3 FLEXnet Licensing Service 64; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [1028096 2012-08-01] (Macrovision Europe Ltd.) [File not signed]
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [8704 2015-08-11] (Hi-Rez Studios) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-21] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [271920 2007-05-16] (Nero AG)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [5070784 2013-08-01] (INCA Internet Co., Ltd.)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-06-16] ()
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [335872 2015-07-06] (Company) [File not signed]
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [145528 2015-06-16] (BlueStack Systems)
S3 danewFltr; C:\Windows\System32\drivers\danew.sys [12032 2010-03-23] (Razer (Asia-Pacific) Pte Ltd) [File not signed]
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-10-25] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 ENTECH64; C:\Windows\system32\DRIVERS\ENTECH64.sys [12744 2008-09-17] (EnTech Taiwan)
S0 GbpKm; C:\Windows\SysWOW64\drivers\GbpKm.sys [49536 2013-05-08] (GAS Tecnologia)
R3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv.sys [49304 2014-12-15] (Visicom Media Inc.)
R3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [35440 2014-05-13] (Visicom Media Inc.)
R3 SAlphamHid; C:\Windows\System32\DRIVERS\SAlpham64.sys [39168 2014-12-23] (SteelSeries Corporation)
R3 seehcri; C:\Windows\System32\DRIVERS\seehcri.sys [34032 2014-06-07] (Sony Ericsson Mobile Communications)
S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2013-06-20] (Anchorfree Inc.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-01-12] ()
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-10 15:02 - 2015-10-10 15:04 - 00024354 _____ C:\Users\Avell\Desktop\FRST.txt
2015-10-10 15:02 - 2015-10-10 15:02 - 02195456 _____ (Farbar) C:\Users\Avell\Desktop\FRST64.exe
2015-10-09 23:27 - 2015-10-10 10:52 - 00000392 _____ C:\Windows\setupact.log
2015-10-09 23:27 - 2015-10-09 23:27 - 00000000 _____ C:\Windows\setuperr.log
2015-10-09 18:03 - 2015-10-09 18:03 - 00066447 _____ C:\Users\Avell\Desktop\Arrow - 04x01 - Green Arrow.lol.Portuguese (Brazilian).orig.Addic7ed.com.srt
2015-10-09 17:47 - 2015-10-09 17:47 - 00000000 ____D C:\Users\Avell\Desktop\Arrow.S04E01.HDTV.x264-LOL[ettv]
2015-10-09 10:56 - 2015-10-10 14:36 - 00000902 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-09 10:56 - 2015-10-09 10:56 - 00003840 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-10-09 10:07 - 2015-10-10 10:11 - 00000314 _____ C:\Windows\Tasks\tsfry.job
2015-10-09 10:07 - 2015-10-09 10:07 - 00473600 __RSH C:\Windows\SysWOW64\regsvr32D.dll
2015-10-09 10:07 - 2015-10-09 10:07 - 00002594 _____ C:\Windows\System32\Tasks\tsfry
2015-10-09 10:06 - 2015-10-09 10:08 - 00000000 ___HD C:\Users\Todos os Usuários\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-10-09 10:06 - 2015-10-09 10:08 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-10-09 10:04 - 2015-10-09 10:04 - 05041152 _____ C:\Users\Avell\Desktop\Aula 2 RCP.ppt
2015-10-09 10:04 - 2010-11-23 23:31 - 00004283 _____ C:\Users\Avell\Desktop\config.cfg
2015-10-09 10:03 - 2015-10-09 10:03 - 00001862 _____ C:\Users\Avell\Desktop\443070c700c76060.zip
2015-10-09 08:55 - 2015-10-09 08:55 - 00037971 _____ C:\Users\Avell\Desktop\American Horror Story - 05x01 - Checking In.KILLERS.Portuguese (Brazilian).orig.Addic7ed.com.srt
2015-10-08 16:44 - 2015-10-08 17:13 - 00000000 ____D C:\Users\Avell\Desktop\The.Flash.2014.S02E01.HDTV.x264-LOL[ettv]
2015-10-08 15:49 - 2015-10-08 15:56 - 00000000 ____D C:\Users\Avell\Desktop\American.Horror.Story.S05E01.HDTV.x264-KILLERS[ettv]
2015-10-06 20:32 - 2015-10-06 20:32 - 00000000 ____D C:\Users\Avell\Desktop\linha defensiva
2015-10-06 15:43 - 2015-10-06 16:26 - 1334385367 _____ C:\Users\Avell\Desktop\Batman – Contra o Capuz Vermelho Filme dublado em português completo HD[2].mp4
2015-10-06 14:24 - 2015-10-06 14:24 - 00000000 ____D C:\Users\Avell\Desktop\Fear.The.Walking.Dead.S01E04.HDTV.x264-KILLERS[ettv]
2015-10-05 05:58 - 2015-10-05 05:58 - 48287744 ____H (AhnLab, Inc.) C:\Users\Avell\lluuitgg.exe
2015-10-03 01:16 - 2015-10-10 11:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-10-02 00:50 - 2015-10-02 00:50 - 04670302 _____ C:\Users\Avell\Desktop\20151001205038.mp4
2015-09-30 16:54 - 2015-09-30 23:37 - 00001186 _____ C:\Users\Avell\Desktop\BLOCO DE NOTAS.txt
2015-09-27 10:52 - 2015-09-27 10:52 - 00389490 _____ C:\Users\Avell\Desktop\20150927065209.opus
2015-09-21 15:19 - 2015-09-21 15:26 - 00000000 ____D C:\Users\Avell\Desktop\Avatar (2009)
2015-09-21 05:11 - 2015-09-21 05:11 - 00000002 _____ C:\Windows\SysWOW64\HRUPPROG.TXT
2015-09-21 01:41 - 2015-09-21 01:41 - 00000000 ____D C:\Users\Avell\Documents\Electronic Arts
2015-09-21 01:35 - 2014-10-19 15:54 - 00447752 _____ (On2.com) C:\Windows\SysWOW64\vp6vfw.dll
2015-09-21 01:33 - 2015-09-21 02:19 - 00001211 _____ C:\Users\Public\Desktop\The Sims 4.lnk
2015-09-21 01:33 - 2015-09-21 01:33 - 00001195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Sims 4.lnk
2015-09-21 01:23 - 2015-09-21 01:33 - 00000000 ____D C:\Program Files (x86)\The Sims 4

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-10 15:03 - 2015-01-08 12:04 - 00000000 ____D C:\FRST
2015-10-10 14:42 - 2014-12-23 16:08 - 01071655 _____ C:\Windows\WindowsUpdate.log
2015-10-10 14:29 - 2015-01-13 19:54 - 00001070 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-10 13:51 - 2015-01-14 00:13 - 00000000 ____D C:\Users\Avell\AppData\Local\CrashDumps
2015-10-10 13:50 - 2013-03-15 13:45 - 00000928 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2315785857-4177499487-4149518941-1000UA.job
2015-10-10 13:50 - 2013-03-15 13:45 - 00000906 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2315785857-4177499487-4149518941-1000Core.job
2015-10-10 11:17 - 2012-01-09 18:01 - 00000024 _____ C:\Users\Todos os Usuários\BTOptm.ini
2015-10-10 11:17 - 2012-01-09 18:01 - 00000024 _____ C:\ProgramData\BTOptm.ini
2015-10-10 10:19 - 2013-03-02 17:34 - 00000000 ____D C:\Program Files (x86)\Steam
2015-10-10 10:18 - 2015-01-14 00:13 - 00000000 ____D C:\Program Files (x86)\sXe Injected
2015-10-10 10:18 - 2009-07-14 01:45 - 00030864 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-10 10:18 - 2009-07-14 01:45 - 00030864 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-10 10:11 - 2015-01-13 19:54 - 00001066 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-10 10:11 - 2013-03-15 21:19 - 00000430 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2015-10-10 10:11 - 2012-08-02 03:19 - 00000830 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2015-10-10 10:11 - 2012-08-01 16:38 - 00000000 ____D C:\Users\Todos os Usuários\NVIDIA
2015-10-10 10:11 - 2012-08-01 16:38 - 00000000 ____D C:\ProgramData\NVIDIA
2015-10-10 10:11 - 2009-07-14 02:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-10 00:43 - 2012-08-02 03:09 - 00003942 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{735F6201-B70F-4D5B-AA89-EDA8CDA60315}
2015-10-09 23:48 - 2013-05-30 14:11 - 05100032 ___SH C:\Users\Avell\Desktop\Thumbs.db
2015-10-09 20:22 - 2013-03-02 19:58 - 00000000 ____D C:\Users\Avell\AppData\Roaming\uTorrent
2015-10-09 15:25 - 2012-08-02 03:19 - 00000832 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2015-10-09 10:56 - 2012-08-01 16:40 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-10-09 10:56 - 2012-08-01 16:40 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-10-09 10:08 - 2014-12-20 02:47 - 00000000 ____D C:\Users\Avell\AppData\Local\ATDworks
2015-10-09 10:07 - 2014-12-23 13:54 - 00000000 ____D C:\Users\Avell\AppData\Local\Ewtion
2015-10-09 10:05 - 2015-07-03 01:19 - 00000000 ____D C:\Users\Avell\AppData\Local\Spotify
2015-10-09 10:05 - 2015-07-03 01:12 - 00000000 ____D C:\Users\Avell\AppData\Roaming\Spotify
2015-10-09 09:24 - 2013-03-15 14:50 - 00000000 ____D C:\Users\Avell\AppData\Roaming\LolClient
2015-10-08 14:04 - 2013-03-09 15:11 - 00000000 ____D C:\PS2
2015-10-08 12:16 - 2011-04-12 10:40 - 00706008 _____ C:\Windows\system32\prfh0416.dat
2015-10-08 12:16 - 2011-04-12 10:40 - 00147848 _____ C:\Windows\system32\prfc0416.dat
2015-10-08 12:16 - 2009-07-14 02:13 - 01635826 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-08 10:38 - 2009-07-14 02:08 - 00032608 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-05 10:07 - 2013-03-15 17:50 - 00000000 ____D C:\Users\Avell\AppData\Roaming\Skype
2015-10-05 05:59 - 2012-08-01 17:30 - 00000000 ____D C:\Program Files (x86)\EgisTec BioExcess
2015-10-05 05:58 - 2012-08-02 03:07 - 00000000 ____D C:\Users\Avell
2015-10-02 16:18 - 2015-07-31 14:15 - 00001669 _____ C:\Users\Avell\Desktop\Smite.lnk
2015-10-01 16:27 - 2013-02-19 20:23 - 00000000 ____D C:\Windows\CSC
2015-10-01 00:11 - 2015-08-29 15:02 - 00000000 ____D C:\Users\Avell\Desktop\Dragon Ball
2015-09-22 15:45 - 2013-11-18 11:16 - 00000000 ____D C:\Users\Avell\AppData\Roaming\DAEMON Tools Lite
2015-09-22 15:45 - 2013-03-02 19:00 - 00000000 ____D C:\Users\Avell\AppData\Roaming\TS3Client
2015-09-21 01:35 - 2013-12-23 15:16 - 00000000 ____D C:\Users\Todos os Usuários\Package Cache
2015-09-21 01:35 - 2013-12-23 15:16 - 00000000 ____D C:\ProgramData\Package Cache
2015-09-21 01:35 - 2009-07-14 02:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-09-20 23:28 - 2014-05-08 16:57 - 00000000 ____D C:\Users\Avell\AppData\Roaming\PSPDocMaker
2015-09-15 22:24 - 2015-01-13 19:54 - 00004066 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-15 22:24 - 2015-01-13 19:54 - 00003814 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-14 20:41 - 2012-08-02 09:29 - 00000000 ____D C:\Users\Avell\AppData\Local\Google
2015-09-11 12:19 - 2015-05-23 03:11 - 00107498 _____ C:\Users\Avell\Desktop\CONVERSA LUANA.txt

==================== Files in the root of some directories =======

2015-06-13 00:36 - 2015-06-13 00:38 - 1762689113 _____ () C:\Program Files\Coisas.rar
2014-10-02 13:18 - 2014-10-19 20:19 - 0000004 _____ () C:\Users\Avell\AppData\Roaming\appdataFr2.bin
2014-09-01 05:18 - 2014-09-01 05:18 - 0001248 _____ () C:\Users\Avell\AppData\Roaming\FLOSEV
2014-09-01 05:18 - 2014-09-01 05:18 - 0002086 _____ () C:\Users\Avell\AppData\Roaming\PG
2013-03-15 23:09 - 2013-03-29 00:04 - 0045270 _____ () C:\Users\Avell\AppData\Roaming\room_v3.dat
2013-06-30 18:50 - 2013-06-30 18:50 - 0720082 _____ () C:\Users\Avell\AppData\Roaming\unins000.exe
2013-07-14 17:04 - 2014-05-12 00:01 - 0009006 _____ () C:\Users\Avell\AppData\Local\mbt-actwiz.log
2012-01-09 18:01 - 2015-10-10 11:17 - 0000024 _____ () C:\ProgramData\BTOptm.ini
2015-06-01 00:55 - 2015-06-01 00:55 - 0000016 _____ () C:\ProgramData\mntemp

Files to move or delete:
====================
C:\Users\Avell\lluuitgg.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-01 09:41

==================== End of FRST.txt ============================

Attached Files


Edited by Sellat, 10 October 2015 - 01:13 PM.




#2 nasdaq
  • Malware Response Team
  • 40,746 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 October 2015 - 09:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Company) C:\Program Files (x86)\Popcorn Time\Updater.exe
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [MSConfig] => C:\Users\Avell\lluuitgg.exe [48287744 2015-10-05] (AhnLab, Inc.)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [Ocics] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Avell\AppData\Local\ATDworks\sgssytcb.dll
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [Ewtion] => regsvr32.exe C:\Users\Avell\AppData\Local\Ewtion\bbbcidnn.dll <===== ATTENTION
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Policies\Explorer\Run: [IM Providers] => C:\Users\Avell\AppData\Roaming\srjtutcf\dgjrchwc.exe [94946 2013-08-28] ()
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\PROGRA~2\MICROS~1\Office15\GROOVEEX.DLL No File
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-2315785857-4177499487-4149518941-1000: gastecnologia.com.br/sf/bb -> C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\npsf_bb.dll No File
FF HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Firefox\Extensions: [{87F8774F-B485-47E2-A755-A40A8A5E886C}] - C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\bb\sf.xpi => not found
CHR HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pgacfjdigcddmmncljpflgcfpfahebkh] - C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\bb\sf.crx <not found>
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [335872 2015-07-06] (Company) [File not signed]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
C:\Program Files (x86)\Popcorn Time
C:\Users\Avell\lluuitgg.exe
C:\Users\Avell\AppData\Local\ATDworks\sgssytcb.dll
C:\Users\Avell\AppData\Roaming\srjtutcf
C:\Users\Avell\AppData\Local\Ewtion
AlternateDataStreams: C:\Windows\System32:BCA29B4E_Bb.gbp
AlternateDataStreams: C:\Users\Avell\Local Settings:init

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

How is the computer running now?

#3 Sellat
  • Topic Starter
  • Members
  • 10 posts

Posted 11 October 2015 - 11:11 AM

Well, the computer seems okay right now, but I will test some more and see if the pop-up window or the slowdowns come back. Anyway, thanks in advance.

 

EDIT: THE ISSUES CONTINUE.

Attached Files


Edited by Sellat, 11 October 2015 - 11:24 AM.


#4 nasdaq
  • Malware Response Team
  • 40,746 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 October 2015 - 12:41 PM


Looking at your Addition.txt I found these two unidentified entries/files.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {61B817E7-96D1-4D67-89B6-FB5DACD8D3CE} - System32\Tasks\tsfry => Rundll32.exe "C:\Windows\SysWOW64\regsvr32D.dll",EYNXWKWZY
Task: C:\Windows\Tasks\tsfry.job => C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\regsvr32D.dll
C:\Windows\SysWOW64\regsvr32D.dll
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?

#5 Sellat
  • Topic Starter
  • Members
  • 10 posts

Posted 11 October 2015 - 12:52 PM

That's exactly what the pop-up window shows when it appears: an error about this "Rundll32.exe".

 

Anyway, here's the log; going to test and see if any error continues.

Attached Files


Edited by Sellat, 11 October 2015 - 12:52 PM.


#6 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,566 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 October 2015 - 01:17 PM

Moved from Report topics

Posted Today, 02:06 PM

Sellat, on 11 Oct 2015 - 1:52 PM, said:

That's exactly what the pop-up window shows when it appears: an error about this "Rundll32.exe".

Anyway, here's the log; going to test and see if any error continues.

Reporting to say that no error has appeared this time, no slowdown and no error window appearing on the screen.

#7 nasdaq
  • Malware Response Team
  • 40,746 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 October 2015 - 06:17 AM

Make sure your System Restore is ON.

Turn System Restore ON - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#8 nasdaq
  • Malware Response Team
  • 40,746 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 October 2015 - 08:04 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#9 nasdaq
  • Malware Response Team
  • 40,746 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 October 2015 - 01:32 PM

This topic has been re-opened at the request of the person who originally posted.

#10 nasdaq
  • Malware Response Team
  • 40,746 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 October 2015 - 01:33 PM

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Please run the Farbar tool and include a fresh FRST log for my review.

#11 Sellat
  • Topic Starter
  • Members
  • 10 posts

Posted 19 October 2015 - 03:53 PM

Flash Disinfector didn't start; there's no error message or anything when I try to open it.

Also, there are adware pop-ups in the browsers.

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:18-10-2015
Ran by Avell (administrator) on AVELL-PC (19-10-2015 17:49:06)
Running from C:\Users\Avell\Desktop
Loaded Profiles: Avell & UpdatusUser (Available Profiles: Avell & UpdatusUser)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Português (Brasil)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Egis Technology Inc. ) C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe
(Egis Technology Inc. ) C:\Program Files (x86)\EgisTec BioExcess\EgisService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Motorola Solutions, Inc.) C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
(Motorola Solutions, Inc.) C:\Program Files\Motorola\Bluetooth\audiosrv.exe
(Motorola Solutions, Inc.) C:\Program Files\Motorola\Bluetooth\obexsrv.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(SteelSeries ApS) C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe
(Piriform Ltd) C:\Program Files (x86)\CCleaner\CCleaner64.exe
(Spotify Ltd) C:\Users\Avell\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(TODO: <Company name>) C:\Program Files (x86)\BTOPtm\BTOptm.exe
(InstallShield Software Corporation) C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Panda Security) C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Macrovision Europe Ltd.) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Developed by Alejandro Cortés) C:\Program Files (x86)\sXe Injected\sXe Injected.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\PresentationHost.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13353064 2012-01-12] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2816816 2012-03-11] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-03-15] (Intel Corporation)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [418672 2011-06-22] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [202608 2011-06-22] (Egis Technology Inc.)
HKLM-x32\...\Run: [BTOptm] => C:\Program Files (x86)\BTOPtm\BTOptm.exe [1907056 2012-03-09] (TODO: <Company name>)
HKLM-x32\...\Run: [ISUSScheduler] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [81920 2004-08-09] (InstallShield Software Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
Winlogon\Notify\ GbPluginBb: C:\Program Files (x86)\GbPlugin\gbieh.dll [2014-07-31] (Banco do Brasil)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [ISUSPM Startup] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2004-08-09] (InstallShield Software Corporation)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [SteelSeries Engine] => C:\Program Files\SteelSeries\SteelSeries Engine\SteelSeriesEngine.exe [87040 2014-10-09] (SteelSeries ApS)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [CCleaner Monitoring] => C:\Program Files (x86)\CCleaner\CCleaner64.exe [7394584 2014-12-12] (Piriform Ltd)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3696912 2014-03-04] (Disc Soft Ltd)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Run: [Spotify Web Helper] => C:\Users\Avell\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2025016 2015-10-02] (Spotify Ltd)
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Policies\Explorer: [TaskbarNoNotification] 1
ShellExecuteHooks-x32: GbPluginObj Class - {E37CB5F0-51F5-4395-A808-5FA49E399F83} - C:\Program Files (x86)\GbPlugin\gbieh.dll [1754664 2014-07-31] (Banco do Brasil)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{6362CEAB-E522-4659-81BF-FBDB80662937}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com.br/
HKU\S-1-5-21-2315785857-4177499487-4149518941-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://br.msn.com/?ocid=iehp
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2014-11-12] (Microsoft Corporation)
BHO: EgisPBIE Sign-in Helper -> {7B51CCBE-4AF9-44A6-BDAB-D7F7E4C4E6F9} -> C:\Program Files (x86)\EgisTec BioExcess\x64\EgisPBIE.dll [2011-10-26] (Egis Technology Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2014-11-12] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2012-08-02] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-10-18] (Oracle Corporation)
BHO-x32: Auxiliar de Conexão de Conta da Microsoft -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2014-10-14] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261
FF Homepage: hxxps://www.google.com.br/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-10-02] ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll [2012-08-02] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40620.0\npctrl.dll [2015-06-20] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-10-02] ()
FF Plugin-x32: @esn/npbattlelog,version=2.4.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.4.0\npbattlelog.dll [2014-05-26] (EA Digital Illusions CE AB)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-10-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-10-18] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2014-05-21] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40620.0\npctrl.dll [2015-06-19] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-22] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2012-06-28] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2012-06-28] (NVIDIA Corporation)
FF Plugin-x32: @raidcall.en/RCplugin -> C:\Users\Avell\AppData\Roaming\raidcall\plugins\nprcplugin.dll [2013-03-30] (Raidcall)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin-x32: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files (x86)\Yahoo!\Common\npyaxmpb.dll [2006-11-03] (Yahoo! Inc.)
FF Plugin HKU\S-1-5-21-2315785857-4177499487-4149518941-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Avell\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF Plugin HKU\S-1-5-21-2315785857-4177499487-4149518941-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Avell\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2013-11-25] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-2315785857-4177499487-4149518941-1000: gastecnologia.com.br/sf/cef64 -> C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\npsf_cef_64.dll [2015-07-14] (GAS Tecnologia)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2014-05-21] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Avell\AppData\Roaming\mozilla\plugins\np-mswmp.dll [2009-09-25] (Microsoft Corporation)
FF Extension: Undo command invocation - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{50C4B6EC-3716-346D-2A39-9BD11D35CB33} [2015-10-09] [not signed]
FF Extension: FT DeepDark - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{77d2ed30-4cd2-11e0-b8af-0800200c9a66} [2015-06-26]
FF Extension: Noia Fox - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{7b90e860-5d61-11e0-80e3-0800200c9a66}.xpi [2015-02-01]
FF Extension: Adblock Plus - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-07-19]
FF HKLM-x32\...\Firefox\Extensions: [{41ecbc0b-34d5-4cd4-935f-253a30e2cb7e}] - C:\Program Files (x86)\EgisTec BioExcess\FFExt
FF Extension:  Online Accounts Extension  - C:\Program Files (x86)\EgisTec BioExcess\FFExt [2012-08-01] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{d4da7309-b89a-45ec-8ebb-cfb2ae13618b}] - C:\Program Files (x86)\EgisTec BioExcess\FFExt20
FF Extension:  Online Accounts Extension  - C:\Program Files (x86)\EgisTec BioExcess\FFExt20 [2012-08-01] [not signed]
FF HKU\S-1-5-21-2315785857-4177499487-4149518941-1000\...\Firefox\Extensions: [{87F8774F-B485-47E2-A755-A40A8A5E886D}] - C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\cef\xpi
FF Extension: GBBD Caixa Economica Federal - C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\cef\xpi [2015-07-14] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com.br/
CHR StartupUrls: Default -> "hxxp://www.google.com.br/"
CHR Profile: C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Apresentações) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-19]
CHR Extension: (Google Docs) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-19]
CHR Extension: (Google Drive) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-19]
CHR Extension: (AdBlock Plus) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhbihjkbifdakjlfjkpfeadmgefejcdk [2014-10-19]
CHR Extension: (YouTube) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-19]
CHR Extension: (Google Search) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-19]
CHR Extension: (Planilhas do Google) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-19]
CHR Extension: (Documentos Google off-line) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-03]
CHR Extension: (Online Accounts Extension ) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ladimmjldcgbeamniagencjbodhnmgen [2014-10-19]
CHR Extension: (Pagamentos da Chrome Web Store) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-19]
CHR Extension: (Simple Adblock) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ockogkkjjhgjelcddamlnjcfnmiegjfg [2014-10-19]
CHR Extension: (Gmail) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-19]
CHR HKLM-x32\...\Chrome\Extension: [ladimmjldcgbeamniagencjbodhnmgen] - C:\Program Files (x86)\EgisTec BioExcess\ChromeEx\EgisPBChromeExt.crx [2011-10-26]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [433784 2015-06-16] (BlueStack Systems, Inc.)
S3 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [413304 2015-06-16] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [831096 2015-07-21] (BlueStack Systems, Inc.)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [175136 2014-09-02] (EasyAntiCheat Ltd)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [647680 2012-08-01] (Macrovision Europe Ltd.) [File not signed]
R3 FLEXnet Licensing Service 64; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [1028096 2012-08-01] (Macrovision Europe Ltd.) [File not signed]
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [8704 2015-09-02] (Hi-Rez Studios) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-21] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [271920 2007-05-16] (Nero AG)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [5070784 2013-08-01] (INCA Internet Co., Ltd.)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-06-16] ()
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [145528 2015-06-16] (BlueStack Systems)
S3 danewFltr; C:\Windows\System32\drivers\danew.sys [12032 2010-03-23] (Razer (Asia-Pacific) Pte Ltd) [File not signed]
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-10-25] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 ENTECH64; C:\Windows\system32\DRIVERS\ENTECH64.sys [12744 2008-09-17] (EnTech Taiwan)
S0 GbpKm; C:\Windows\SysWOW64\drivers\GbpKm.sys [49536 2013-05-08] (GAS Tecnologia)
R3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv.sys [49304 2014-12-15] (Visicom Media Inc.)
R3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [35440 2014-05-13] (Visicom Media Inc.)
R3 SAlphamHid; C:\Windows\System32\DRIVERS\SAlpham64.sys [39168 2014-12-23] (SteelSeries Corporation)
R3 seehcri; C:\Windows\System32\DRIVERS\seehcri.sys [34032 2014-06-07] (Sony Ericsson Mobile Communications)
S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2013-06-20] (Anchorfree Inc.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-01-12] ()

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-19 17:49 - 2015-10-19 17:50 - 00021841 _____ C:\Users\Avell\Desktop\FRST.txt
2015-10-19 17:48 - 2015-10-19 17:48 - 02196992 _____ (Farbar) C:\Users\Avell\Desktop\FRST64.exe
2015-10-19 17:48 - 2015-10-19 17:48 - 00000000 ____D C:\Users\Avell\Desktop\FRST-OlderVersion
2015-10-19 17:45 - 2015-10-19 17:45 - 00132597 _____ C:\Users\Avell\Desktop\Flash_Disinfector.exe
2015-10-19 17:20 - 2015-10-19 17:24 - 00000000 ____D C:\Users\Avell\Desktop\2015 - The Oblivion Particle
2015-10-19 11:31 - 2015-10-19 11:31 - 419859462 _____ C:\Users\Avell\Desktop\Dragon_Ball_Super_015_HD.mkv
2015-10-19 09:55 - 2015-10-19 12:14 - 00000392 _____ C:\Windows\setupact.log
2015-10-19 09:55 - 2015-10-19 09:55 - 00000000 _____ C:\Windows\setuperr.log
2015-10-18 17:13 - 2015-10-18 17:13 - 00144821 _____ C:\Users\Avell\Desktop\legendas_tv_20151013224205.rar
2015-10-18 16:58 - 2015-10-18 17:14 - 00000000 ____D C:\Users\Avell\Desktop\The.Flash.2014.S02E01.HDTV.x264-LOL[ettv]
2015-10-18 16:58 - 2015-10-18 17:14 - 00000000 ____D C:\Users\Avell\Desktop\Arrow.S04E01.HDTV.x264-LOL[ettv]
2015-10-18 13:34 - 2015-10-18 17:15 - 00000000 ____D C:\Users\Avell\Desktop\Arrow.S04E02.HDTV.x264-LOL[ettv]
2015-10-18 13:34 - 2015-10-18 17:14 - 00000000 ____D C:\Users\Avell\Desktop\The.Flash.2014.S02E02.HDTV.x264-LOL[ettv]
2015-10-18 13:34 - 2015-10-18 17:14 - 00000000 ____D C:\Users\Avell\Desktop\Everest.2015.HD-TS.XVID.AC3.HQ.Hive-CM8
2015-10-17 20:40 - 2015-10-17 20:44 - 00000000 ____D C:\Users\Avell\Desktop\American.Horror.Story.S05E02.PROPER.HDTV.x264-KILLERS[ettv]
2015-10-17 20:39 - 2015-10-17 20:39 - 00006379 _____ C:\Users\Avell\Desktop\[kat.cr]american.horror.story.s05e02.proper.hdtv.x264.killers.ettv.torrent
2015-10-16 00:51 - 2015-10-16 00:51 - 00001867 _____ C:\Users\Avell\Desktop\The Sims™ 3.lnk
2015-10-16 00:40 - 2015-10-16 00:40 - 00000000 ____D C:\Program Files (x86)\Microsoft WSE
2015-10-16 00:25 - 2015-10-16 20:07 - 00000000 ____D C:\Program Files (x86)\Electronic Arts
2015-10-15 22:45 - 2015-10-19 13:53 - 00000000 ____D C:\Users\Avell\Desktop\the sims 3
2015-10-15 16:08 - 2015-10-19 11:45 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-10-12 13:38 - 2015-10-12 13:38 - 07277632 _____ C:\Users\Avell\Desktop\OBS_0_656b_Installer.exe
2015-10-12 13:38 - 2015-10-12 13:38 - 00000939 _____ C:\Users\Avell\Desktop\Open Broadcaster Software.lnk
2015-10-12 13:38 - 2015-10-12 13:38 - 00000000 ____D C:\Users\Avell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Open Broadcaster Software
2015-10-12 13:38 - 2015-10-12 13:38 - 00000000 ____D C:\Program Files\OBS
2015-10-12 13:38 - 2015-10-12 13:38 - 00000000 ____D C:\Program Files (x86)\OBS
2015-10-11 14:15 - 2015-10-11 14:15 - 00000016 _____ C:\Users\Todos os Usuários\mntemp
2015-10-11 14:15 - 2015-10-11 14:15 - 00000016 _____ C:\ProgramData\mntemp
2015-10-11 13:43 - 2015-10-11 13:43 - 00000000 ____D C:\Program Files (x86)\Hi-Rez Studios
2015-10-11 13:10 - 2015-10-11 14:15 - 00000000 ____D C:\Users\Avell\Desktop\Knock Knock 2015 720p WEB-DL x264 AC3-JYK
2015-10-11 13:08 - 2015-10-16 01:20 - 00000000 ____D C:\Users\Avell\Desktop\The Last Witch Hunter 2015 720p BrRip x264 - ARROW
2015-10-11 10:29 - 2015-10-11 10:29 - 00007602 _____ C:\Users\Avell\AppData\Local\Resmon.ResmonCfg
2015-10-10 21:15 - 2015-10-08 22:02 - 00036967 _____ C:\Users\Avell\Desktop\American.Horror.Story.S05E01.HDTV.x264-KILLERS.srt
2015-10-10 21:14 - 2015-10-10 21:14 - 00147481 _____ C:\Users\Avell\Desktop\legendas_tv_20151008232431.rar
2015-10-09 10:56 - 2015-10-19 17:36 - 00000902 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-09 10:56 - 2015-10-09 10:56 - 00003840 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-10-09 10:06 - 2015-10-09 10:08 - 00000000 ___HD C:\Users\Todos os Usuários\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-10-09 10:06 - 2015-10-09 10:08 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-10-09 10:04 - 2015-10-09 10:04 - 05041152 _____ C:\Users\Avell\Desktop\Aula 2 RCP.ppt
2015-10-08 15:49 - 2015-10-08 15:56 - 00000000 ____D C:\Users\Avell\Desktop\American.Horror.Story.S05E01.HDTV.x264-KILLERS[ettv]
2015-10-06 20:32 - 2015-10-11 14:53 - 00000000 ____D C:\Users\Avell\Desktop\linha defensiva
2015-10-06 15:43 - 2015-10-06 16:26 - 1334385367 _____ C:\Users\Avell\Desktop\Batman – Contra o Capuz Vermelho Filme dublado em português completo HD[2].mp4
2015-09-21 05:11 - 2015-09-21 05:11 - 00000002 _____ C:\Windows\SysWOW64\HRUPPROG.TXT
2015-09-21 01:41 - 2015-10-16 00:52 - 00000000 ____D C:\Users\Avell\Documents\Electronic Arts
2015-09-21 01:33 - 2015-09-21 02:19 - 00001211 _____ C:\Users\Public\Desktop\The Sims 4.lnk
2015-09-21 01:33 - 2015-09-21 01:33 - 00001195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Sims 4.lnk
2015-09-21 01:23 - 2015-09-21 01:33 - 00000000 ____D C:\Program Files (x86)\The Sims 4

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-19 17:49 - 2015-01-08 12:04 - 00000000 ____D C:\FRST
2015-10-19 17:34 - 2013-03-02 19:58 - 00000000 ____D C:\Users\Avell\AppData\Roaming\uTorrent
2015-10-19 17:29 - 2015-01-13 19:54 - 00001070 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-19 16:52 - 2013-05-30 14:11 - 05282304 ___SH C:\Users\Avell\Desktop\Thumbs.db
2015-10-19 16:50 - 2013-03-15 13:45 - 00000928 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2315785857-4177499487-4149518941-1000UA.job
2015-10-19 16:11 - 2013-03-09 15:11 - 00000000 ____D C:\PS2
2015-10-19 15:25 - 2012-08-02 03:19 - 00000832 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2015-10-19 13:59 - 2011-04-12 10:40 - 00706008 _____ C:\Windows\system32\prfh0416.dat
2015-10-19 13:59 - 2011-04-12 10:40 - 00147848 _____ C:\Windows\system32\prfc0416.dat
2015-10-19 13:59 - 2009-07-14 02:13 - 01635826 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-19 13:50 - 2013-03-15 13:45 - 00000906 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2315785857-4177499487-4149518941-1000Core.job
2015-10-19 13:03 - 2013-03-02 17:34 - 00000000 ____D C:\Program Files (x86)\Steam
2015-10-19 12:54 - 2012-08-02 03:09 - 00003942 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{735F6201-B70F-4D5B-AA89-EDA8CDA60315}
2015-10-19 10:04 - 2009-07-14 01:45 - 00030864 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-19 10:04 - 2009-07-14 01:45 - 00030864 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-19 09:59 - 2014-12-23 16:08 - 01486455 _____ C:\Windows\WindowsUpdate.log
2015-10-19 09:57 - 2015-01-14 00:13 - 00000000 ____D C:\Program Files (x86)\sXe Injected
2015-10-19 09:56 - 2015-01-13 19:54 - 00001066 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-19 09:56 - 2013-03-15 21:19 - 00000430 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2015-10-19 09:56 - 2012-08-02 03:19 - 00000830 _____ C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2015-10-19 09:55 - 2012-08-01 16:38 - 00000000 ____D C:\Users\Todos os Usuários\NVIDIA
2015-10-19 09:55 - 2012-08-01 16:38 - 00000000 ____D C:\ProgramData\NVIDIA
2015-10-19 09:55 - 2009-07-14 02:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-19 09:54 - 2012-01-09 18:01 - 00000024 _____ C:\Users\Todos os Usuários\BTOptm.ini
2015-10-19 09:54 - 2012-01-09 18:01 - 00000024 _____ C:\ProgramData\BTOptm.ini
2015-10-19 09:45 - 2015-01-14 00:13 - 00000000 ____D C:\Users\Avell\AppData\Local\CrashDumps
2015-10-17 19:57 - 2013-11-18 11:16 - 00000000 ____D C:\Users\Avell\AppData\Roaming\DAEMON Tools Lite
2015-10-17 19:28 - 2015-07-01 17:24 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-10-16 20:13 - 2009-07-14 02:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-10-16 20:07 - 2012-08-02 03:16 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-10-16 01:21 - 2015-09-02 22:25 - 00000000 ____D C:\Users\Avell\Desktop\MOTO G
2015-10-16 01:21 - 2015-06-13 18:13 - 00000000 ____D C:\Users\Avell\Desktop\Lana Del Rey
2015-10-16 01:18 - 2015-08-29 15:02 - 00000000 ____D C:\Users\Avell\Desktop\Dragon Ball
2015-10-16 01:17 - 2014-04-14 17:06 - 00000000 ___RD C:\Users\Avell\Desktop\Seriados -  Filmes Shows - Animes
2015-10-16 00:54 - 2014-05-28 21:13 - 00000000 ____D C:\Users\Todos os Usuários\Electronic Arts
2015-10-16 00:54 - 2014-05-28 21:13 - 00000000 ____D C:\ProgramData\Electronic Arts
2015-10-14 16:12 - 2015-07-01 17:25 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-10-13 08:21 - 2015-07-11 14:15 - 00001359 _____ C:\Users\Public\Desktop\Popcorn Time.lnk
2015-10-12 18:24 - 2013-07-20 22:51 - 00000000 ____D C:\Users\Avell\AppData\Roaming\OBS
2015-10-12 00:47 - 2015-01-14 00:59 - 00001059 _____ C:\Users\Avell\Desktop\sXe Injected.lnk
2015-10-11 13:43 - 2015-07-31 14:15 - 00001669 _____ C:\Users\Avell\Desktop\Smite.lnk
2015-10-11 13:05 - 2014-12-23 16:03 - 00000000 ____D C:\AdwCleaner
2015-10-11 12:56 - 2012-08-01 16:54 - 00000000 ___SD C:\Users\Avell\AppData\LocalLow\Temp
2015-10-11 12:55 - 2014-12-20 02:47 - 00000000 ____D C:\Users\Avell\AppData\Local\ATDworks
2015-10-11 12:55 - 2012-08-02 03:07 - 00000000 ____D C:\Users\Avell
2015-10-11 00:15 - 2015-07-03 01:12 - 00000000 ____D C:\Users\Avell\AppData\Roaming\Spotify
2015-10-11 00:14 - 2015-07-03 01:19 - 00000000 ____D C:\Users\Avell\AppData\Local\Spotify
2015-10-10 21:10 - 2014-02-18 16:49 - 00000000 ____D C:\Users\Avell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2015-10-09 10:56 - 2012-08-01 16:40 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-10-09 10:56 - 2012-08-01 16:40 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-10-09 09:24 - 2013-03-15 14:50 - 00000000 ____D C:\Users\Avell\AppData\Roaming\LolClient
2015-10-08 10:38 - 2009-07-14 02:08 - 00032608 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-05 10:07 - 2013-03-15 17:50 - 00000000 ____D C:\Users\Avell\AppData\Roaming\Skype
2015-10-05 05:59 - 2012-08-01 17:30 - 00000000 ____D C:\Program Files (x86)\EgisTec BioExcess
2015-10-01 16:27 - 2013-02-19 20:23 - 00000000 ____D C:\Windows\CSC
2015-09-22 15:45 - 2013-03-02 19:00 - 00000000 ____D C:\Users\Avell\AppData\Roaming\TS3Client
2015-09-21 01:35 - 2013-12-23 15:16 - 00000000 ____D C:\Users\Todos os Usuários\Package Cache
2015-09-21 01:35 - 2013-12-23 15:16 - 00000000 ____D C:\ProgramData\Package Cache
2015-09-20 23:28 - 2014-05-08 16:57 - 00000000 ____D C:\Users\Avell\AppData\Roaming\PSPDocMaker

==================== Files in the root of some directories =======

2015-06-13 00:36 - 2015-06-13 00:38 - 1762689113 _____ () C:\Program Files\Coisas.rar
2014-10-02 13:18 - 2014-10-19 20:19 - 0000004 _____ () C:\Users\Avell\AppData\Roaming\appdataFr2.bin
2014-09-01 05:18 - 2014-09-01 05:18 - 0001248 _____ () C:\Users\Avell\AppData\Roaming\FLOSEV
2014-09-01 05:18 - 2014-09-01 05:18 - 0002086 _____ () C:\Users\Avell\AppData\Roaming\PG
2013-03-15 23:09 - 2013-03-29 00:04 - 0045270 _____ () C:\Users\Avell\AppData\Roaming\room_v3.dat
2013-06-30 18:50 - 2013-06-30 18:50 - 0720082 _____ () C:\Users\Avell\AppData\Roaming\unins000.exe
2013-07-14 17:04 - 2014-05-12 00:01 - 0009006 _____ () C:\Users\Avell\AppData\Local\mbt-actwiz.log
2015-10-11 10:29 - 2015-10-11 10:29 - 0007602 _____ () C:\Users\Avell\AppData\Local\Resmon.ResmonCfg
2012-01-09 18:01 - 2015-10-19 09:54 - 0000024 _____ () C:\ProgramData\BTOptm.ini
2015-10-11 14:15 - 2015-10-11 14:15 - 0000016 _____ () C:\ProgramData\mntemp

Some files in TEMP:
====================
C:\Users\Avell\AppData\Local\Temp\nircmd.exe
C:\Users\Avell\AppData\Local\Temp\pv.exe
C:\Users\Avell\AppData\Local\Temp\vfind.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-11 04:21

==================== End of FRST.txt ============================




#12 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 20 October 2015 - 06:54 AM


ATTENTION: System Restore is disabled

How to: Turn System Restore ON or OFF - Windows
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7

Remove this program in bold using the Add/Remove Programs Applet.
Popcorn Time (HKLM-x32\...\Popcorn Time_is1) (Version: 5.3.1.0 - Popcorn Time)

Do you know what this is?
It's suspicious to me.
FF Extension: Undo command invocation - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{50C4B6EC-3716-346D-2A39-9BD11D35CB33} [2015-10-09] [not signed]

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

Restart the computer normally.

If the problem persists run this tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

Let me know what problem persists.
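Added example, not part of nasdaq's post and not FRST's own code: a small Python triage script that reads FRST-style log lines and pulls out the entries a helper looks at first. The sample lines reuse the line formats from the log above (services, drivers, FF/CHR extensions) plus one constructed service entry, ExampleSvc, a placeholder that loads from a Temp folder; the regexes and the list of reasons are my assumptions about the format, not something FRST documents. It flags [File not signed], an empty () publisher field, [not signed] browser extensions such as the Undo command invocation one flagged above, and service or driver binaries that live under a user profile.

```python
"""Triage helper for FRST-style log lines (added example; not part of the
thread and not the FRST tool's code). Parses the service/driver and browser
extension line shapes seen in the log and returns the entries worth a
second look, with a reason for each."""
import re
from typing import Dict, List, Optional

# Service/driver line, e.g.
#   R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-06-16] ()
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<publisher>[^)]*)\)(?P<flags>.*)$"
)
# Browser extension line, e.g.
#   FF Extension: Name - C:\...\Extensions\{GUID} [2015-10-09] [not signed]
EXTENSION_RE = re.compile(
    r"^(?P<browser>FF|CHR) Extension: (?P<name>.+?) - (?P<path>.+?) "
    r"\[(?P<date>\d{4}-\d{2}-\d{2})\](?P<flags>.*)$"
)
# Folders an ordinary user can write to. A service or driver binary loading
# from here deserves attention even if it is signed (assumed heuristic).
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.IGNORECASE)

# Sample input: lines in the formats of the log above, plus one constructed
# service entry (ExampleSvc, a placeholder, not from the log).
SAMPLE_LINES = [
    r"S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [647680 2012-08-01] (Macrovision Europe Ltd.) [File not signed]",
    r"R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-06-16] ()",
    r"R2 jhi_service; C:\Program Files (x86)\Intel\Intel Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)",
    r"U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-01-12] ()",
    r"S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)",
    r"R2 ExampleSvc; C:\Users\Avell\AppData\Local\Temp\example.exe [4096 2015-10-09] (Example Publisher)",  # constructed
    r"FF Extension: Undo command invocation - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{50C4B6EC-3716-346D-2A39-9BD11D35CB33} [2015-10-09] [not signed]",
    r"FF Extension: GBBD Caixa Economica Federal - C:\Users\Avell\AppData\Local\GAS Tecnologia\GBBD\cef\xpi [2015-07-14] [not signed]",
    r"CHR Extension: (Simple Adblock) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ockogkkjjhgjelcddamlnjcfnmiegjfg [2014-10-19]",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict for a service/driver or extension line, None for anything else."""
    m = SERVICE_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "driver" if d["path"].lower().endswith(".sys") else "service"
        return d
    m = EXTENSION_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "extension"
        d["publisher"] = ""
        return d
    return None


def reasons_for(entry: Dict[str, str]) -> List[str]:
    """Why an entry deserves attention; an empty list means nothing stood out."""
    reasons: List[str] = []
    flags = entry["flags"].lower()
    if entry["kind"] == "extension":
        if "[not signed]" in flags:
            reasons.append("extension not signed")
        return reasons
    if "[file not signed]" in flags:
        reasons.append("file not signed")
    if entry["publisher"].strip() == "":
        reasons.append("no publisher recorded")
    if USER_WRITABLE_RE.search(entry["path"]):
        reasons.append("binary in user-writable location")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every line and keep only entries that got at least one reason."""
    flagged: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line.strip())
        if entry is None:
            continue
        why = reasons_for(entry)
        if why:
            flagged.append({"name": entry["name"], "kind": entry["kind"],
                            "path": entry["path"], "reasons": why})
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_LINES):
        print(f"{item['kind']:9} {item['name']}: {', '.join(item['reasons'])}")
```

The output is a list of things to ask about, not a verdict: the GBBD Caixa Economica Federal banking plugin and the FLEXnet licensing service are both flagged although they are legitimate, which is exactly why the helper asks the poster what the unsigned extension is instead of removing it outright. Anything flagged still needs a manual check of the path and publisher before it goes into a fixlist.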

#13 Sellat (Topic Starter)

Posted 21 October 2015 - 06:52 PM

Before anything, I didn't answer before because I was extremely busy, so I'm reporting that right now I can't use my computer in normal mode (it becomes extremely slow, to the point where I have to enter security mode to use it).

Also I can't reactivate my system restoration, and Security Center doesn't open; an error message appears.

 

EDIT: After using the script I could enter normal mode again; no slowdown in the past 15 min.

 

Also I did another Farbar scan.

 

Thanks again and sorry for my poor English.

 

About the FF extension, I don't know about it. Pop-up windows continue to appear even on the BleepingComputer page or on any other page that doesn't have ads; just clicking on any blank point of the page opens another unrelated tab.



Edited by Sellat, 21 October 2015 - 08:07 PM.


#14 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 22 October 2015 - 08:50 AM



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.


start

EmptyTemp:
CloseProcesses:

FF Plugin-x32: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files (x86)\Yahoo!\Common\npyaxmpb.dll [No File]
FF Plugin HKU\S-1-5-21-2315785857-4177499487-4149518941-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Avell\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [No File]
FF Extension: Undo command invocation - C:\Users\Avell\AppData\Roaming\Mozilla\Firefox\Profiles\edsy5ug4.default-1422844402261\Extensions\{50C4B6EC-3716-346D-2A39-9BD11D35CB33} [2015-10-09] [not signed]
CHR Extension: (Simple Adblock) - C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ockogkkjjhgjelcddamlnjcfnmiegjfg [2014-11-30]
C:\Users\Avell\AppData\Local\Google\Chrome\User Data\Default\Extensions\ockogkkjjhgjelcddamlnjcfnmiegjfg

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome, click on the menu icon, which is located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

How to clear cache and browsing history with Microsoft Edge
http://www.techulator.com/resources/14556-How-to-clear-cache-and-browsing-history-with-Microsoft-Edge.aspx

How to use Microsoft Edge, Windows 10
http://www.pcworld.com/article/2952392/browsers/how-to-use-microsoft-edge-windows-10s-new-browser.html
<<<>>>

Let's check the availability of the important services.

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

Which browser, if any, gives you popups?
===

p.s.

To replace the Chrome Simple Adblock I suggest you install AdBlock Plus. It's safer.
https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

#15 Sellat (Topic Starter)

Posted 22 October 2015 - 12:59 PM

About the browser, I only use Firefox and it was the one giving popups, and as for AdBlock Plus, it's the one I use on Firefox too.

 

EDIT: I'm testing to see if I still get any popup; as of right now no popup has appeared.

 

EDIT2: Still no popup and no slowdown.

 

EDIT3: Just to confirm that I had no other problems, the PC is fully operational without problems besides Security Center and restoration.



Edited by Sellat, 22 October 2015 - 06:20 PM.




