
sd-steam.info (redirects to zodiac-game.info) popup on startup


  • This topic is locked
6 replies to this topic

#1 spdyrel

  • Members
  • 6 posts
  • OFFLINE
  • Local time: 01:45 AM

Posted 20 August 2016 - 07:38 PM

On Windows 10 startup, Firefox (my default browser) opens and loads up this ad site. I've run Malwarebytes to no avail, but I did find the registry location of part of the problem (attached image). Deleting the registry entry fixes it only temporarily, until it is added again. I'm not sure what program is creating it or how to fully stop it. Any help would be appreciated! Also, yes, I do have some pirated games, but these are purely for demo reasons as I always purchase after trying them, although I did not download any around the time this started happening.


FRST Data:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2016
Ran by Ariel (administrator) on ARIEL-PC (20-08-2016 17:14:08)
Running from D:\Ariel\Downloads
Loaded Profiles: Ariel (Available Profiles: Ariel & DefaultAppPool)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files\Nightly\firefox.exe" -osint -url "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsusFanControlService\1.06.26\AsusFanControlService.exe
() C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Scarlet.Crush Productions) D:\Program Files\SCP\ScpService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Electronic Arts) D:\Program Files (x86)\Origin\OriginWebHelperService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Program Files (x86)\ASUS\AI Suite III\EZ Update\EzUpdt.exe
() C:\Program Files (x86)\ASUS\AI Suite III\DIP4\DIPAwayMode\DipAwayMode.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite III\AISuite3.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite III\Push Notice\PushNotifyServer.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
(Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Flux Software LLC) C:\Users\Ariel\AppData\Local\FluxSoftware\Flux\flux.exe
(Deluge Team) C:\Program Files (x86)\Deluge\deluge.exe
() C:\Program Files (x86)\ASUS\AI Suite III\Push Notice\PushNoticeMonitor.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite III\USB 3.0 Boost\U3BoostSvr64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
() C:\Program Files (x86)\Func\KB-460\KB-460_Core.exe
() C:\Program Files (x86)\ASUS\AI Suite III\Push Notice\PushNotify_PCCtrl.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Rainmeter) C:\Program Files\Rainmeter\Rainmeter.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Microsoft Corporation) C:\Windows\regedit.exe
(Mozilla Corporation) C:\Program Files\Nightly\firefox.exe
(Mozilla Corporation) C:\Program Files\Nightly\firefox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8495320 2015-06-23] (Realtek Semiconductor)
HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [15033976 2015-11-20] (Logitech Inc.)
HKLM\...\Run: [ShadowPlay] => C:\WINDOWS\system32\nvspcap64.dll [1838648 2016-08-16] (NVIDIA Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [296216 2015-06-15] (Intel Corporation)
HKLM-x32\...\Run: [Func KB-460] => C:\Program Files (x86)\Func\KB-460\KB-460_Core
HKU\S-1-5-21-3822628397-2931436756-777081172-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2857248 2016-08-16] (Valve Corporation)
HKU\S-1-5-21-3822628397-2931436756-777081172-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29500544 2016-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-3822628397-2931436756-777081172-1000\...\Run: [f.lux] => C:\Users\Ariel\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-3822628397-2931436756-777081172-1000\...\Run: [Google Update] => C:\Users\Ariel\AppData\Local\Google\Update\GoogleUpdate.exe [154440 2016-05-16] (Google Inc.)
HKU\S-1-5-21-3822628397-2931436756-777081172-1000\...\Run: [Ariel] => explorer.exe hxxp://sd-steam.info <===== ATTENTION
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Ariel\AppData\Local\MEGAsync\ShellExtX64.dll [2014-05-01] ()
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Ariel\AppData\Local\MEGAsync\ShellExtX64.dll [2014-05-01] ()
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Ariel\AppData\Local\MEGAsync\ShellExtX64.dll [2014-05-01] ()
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Ariel\AppData\Local\MEGAsync\ShellExtX32.dll [2014-05-01] ()
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Ariel\AppData\Local\MEGAsync\ShellExtX32.dll [2014-05-01] ()
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Ariel\AppData\Local\MEGAsync\ShellExtX32.dll [2014-05-01] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScpToolkit Tray Notifications.lnk [2016-07-26]
ShortcutTarget: ScpToolkit Tray Notifications.lnk -> D:\Program Files\SCP\ScpTrayApp.exe (Scarlet.Crush Productions)
Startup: C:\Users\Ariel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Deluge.lnk [2015-12-09]
ShortcutTarget: Deluge.lnk -> C:\Program Files (x86)\Deluge\deluge.exe (Deluge Team)
Startup: C:\Users\Ariel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Procmon.lnk [2016-08-20]
ShortcutTarget: Procmon.lnk -> D:\Ariel\Downloads\ProcessMonitor\Procmon.exe (Sysinternals - www.sysinternals.com)
Startup: C:\Users\Ariel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk [2016-03-05]
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe (Rainmeter)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{1f21c9bc-5937-43f1-a0d7-635b3ee80bf7}: [DhcpNameServer] 7.254.254.254
Tcpip\..\Interfaces\{65516451-53e2-4824-9b10-eb96910a55dc}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page =
HKU\S-1-5-21-3822628397-2931436756-777081172-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE01&ocid=UE01DHP
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Ariel\AppData\Roaming\Mozilla\Firefox\Profiles\m24uk2jy.default-1469862374068
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-13] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-13] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-08-11] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-08-11] (NVIDIA Corporation)
FF Plugin HKU\S-1-5-21-3822628397-2931436756-777081172-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Ariel\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Plugin HKU\S-1-5-21-3822628397-2931436756-777081172-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Ariel\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-30] (Google Inc.)
FF Extension: Greasemonkey - C:\Users\Ariel\AppData\Roaming\Mozilla\Firefox\Profiles\m24uk2jy.default-1469862374068\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2016-08-19]
FF Extension: Cutyfox URL Shortener - C:\Users\Ariel\AppData\Roaming\Mozilla\Firefox\Profiles\m24uk2jy.default-1469862374068\Extensions\cutyfox@apps.metzweb.net.xpi [2016-07-30]
FF Extension: BetterTTV - C:\Users\Ariel\AppData\Roaming\Mozilla\Firefox\Profiles\m24uk2jy.default-1469862374068\Extensions\firefox@betterttv.net.xpi [2016-08-18]
FF Extension: Magic Actions for YouTube™ - C:\Users\Ariel\AppData\Roaming\Mozilla\Firefox\Profiles\m24uk2jy.default-1469862374068\Extensions\jid0-UVAeBCfd34Kk5usS8A1CBiobvM8@jetpack.xpi [2016-08-07]
FF Extension: Pushbullet - C:\Users\Ariel\AppData\Roaming\Mozilla\Firefox\Profiles\m24uk2jy.default-1469862374068\Extensions\jid1-BYcQOfYfmBMd9A@jetpack.xpi [2016-07-30]
FF Extension: Reddit Enhancement Suite - C:\Users\Ariel\AppData\Roaming\Mozilla\Firefox\Profiles\m24uk2jy.default-1469862374068\Extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi [2016-07-30]
FF Extension: Menu Wizard - C:\Users\Ariel\AppData\Roaming\Mozilla\Firefox\Profiles\m24uk2jy.default-1469862374068\Extensions\s3menu@wizard.xpi [2016-07-30]
FF Extension: uBlock Origin - C:\Users\Ariel\AppData\Roaming\Mozilla\Firefox\Profiles\m24uk2jy.default-1469862374068\Extensions\uBlock0@raymondhill.net.xpi [2016-08-07]
StartMenuInternet: FIREFOX.EXE - C:\Program Files\Nightly\firefox.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2015-05-07] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe [954648 2015-05-07] (ASUSTeK Computer Inc.)
R2 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.06.26\AsusFanControlService.exe [397592 2015-07-02] (ASUSTeK Computer Inc.)
R2 Ds3Service; D:\Program Files\SCP\ScpService.exe [394944 2016-04-12] (Scarlet.Crush Productions)
S3 EasyAntiCheat; C:\WINDOWS\SysWOW64\EasyAntiCheat.exe [237328 2016-05-26] (EasyAntiCheat Ltd)
S3 GalaxyClientService; D:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [244800 2016-07-07] (GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [6506048 2016-08-13] (GOG.com)
R3 ICCS; C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [207360 2015-02-13] (Intel Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [223008 2015-06-02] (Intel Corporation)
R2 LogiRegistryService; C:\Program Files\Logitech Gaming Software\Drivers\APOService\LogiRegistryService.exe [193144 2015-11-20] (Logitech Inc.)
R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [458808 2016-08-16] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [458808 2016-08-16] (NVIDIA Corporation)
R2 NVIDIA Wireless Controller Service; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\nvwirelesscontroller.exe [1165368 2016-08-16] (NVIDIA Corporation)
S3 Origin Client Service; D:\Program Files (x86)\Origin\OriginClientService.exe [2123784 2016-08-19] (Electronic Arts)
R2 Origin Web Helper Service; D:\Program Files (x86)\Origin\OriginWebHelperService.exe [2193424 2016-08-19] (Electronic Arts)
S3 TunngleService; D:\Program Files (x86)\Tunngle\TnglCtrl.exe [872432 2016-06-23] (Tunngle.net GmbH)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-06-30] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AndroidAFD; C:\Windows\SysWow64\drivers\AndroidAFDx64.sys [43064 2015-06-11] (ASUSTek Computer Inc.)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-09-08] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2014-02-24] ()
R3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-19] (MCCI Corporation)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [129152 2016-04-25] (Samsung Electronics Co., Ltd.)
S3 Hamachi; C:\Windows\system32\DRIVERS\Hamdrv.sys [45680 2015-11-12] (LogMeIn Inc.)
R3 I1KBFLTR; C:\Windows\system32\drivers\I1KBFLTR.sys [29440 2014-06-26] ()
R4 IOMap; C:\WINDOWS\system32\drivers\IOMap64.sys [24824 2015-05-14] (ASUSTeK Computer Inc.)
R2 LGCoreTemp; C:\Program Files\Logitech Gaming Software\Drivers\LgCoreTemp\lgcoretemp.sys [14184 2015-06-21] (Logitech)
R3 LGJoyXlCore; C:\Windows\system32\drivers\LGJoyXlCore.sys [68384 2015-06-10] (Logitech Inc.)
R3 LGSHidFilt; C:\Windows\system32\DRIVERS\LGSHidFilt.Sys [64280 2013-05-30] (Logitech Inc.)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [46016 2016-07-04] (NVIDIA Corporation)
U5 PROCMON23; C:\Windows\System32\Drivers\PROCMON23.sys [92344 2016-08-20] (Sysinternals - www.sysinternals.com)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [895256 2015-06-29] (Realtek                                            )
R3 ScpVBus; C:\Windows\System32\drivers\ScpVBus.sys [42856 2016-03-27] (Nefarius Software Solutions)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [221824 2016-04-25] (Samsung Electronics Co., Ltd.)
R3 tap0901t; C:\Windows\System32\drivers\tap0901t.sys [48824 2016-04-26] (Tunngle.net GmbH)
S3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [117248 2010-11-20] (Microsoft Corporation) [File not signed]
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-20 17:03 - 2016-08-20 17:14 - 00000000 ____D C:\FRST
2016-08-20 16:26 - 2016-08-20 16:26 - 00000000 ____D C:\Users\Ariel\Documents\ALI213
2016-08-20 16:16 - 2016-08-20 16:16 - 00000218 _____ C:\Users\Ariel\AppData\Local\recently-used.xbel
2016-08-20 16:10 - 2016-08-20 16:19 - 00000000 ____D C:\Program Files\Nightly
2016-08-20 00:53 - 2016-08-20 16:20 - 00092344 ____H (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\Drivers\PROCMON23.SYS
2016-08-19 23:58 - 2016-08-19 23:58 - 00000000 ____D C:\Users\Ariel\.QtWebEngineProcess
2016-08-19 23:58 - 2016-08-19 23:58 - 00000000 ____D C:\Users\Ariel\.Origin
2016-08-19 22:07 - 2016-08-19 22:07 - 00000000 ____D C:\ProgramData\Tunngle
2016-08-19 17:04 - 2016-08-19 17:13 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-08-19 16:50 - 2016-08-19 23:16 - 00000000 ____D C:\AdwCleaner
2016-08-19 16:31 - 2016-08-19 16:31 - 00000000 ____D C:\Users\Ariel\Documents\Singularity
2016-08-19 16:30 - 2016-08-19 16:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Singularity [GOG.com]
2016-08-18 15:07 - 2016-08-18 15:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Okhlos [GOG.com]
2016-08-18 14:46 - 2016-08-11 04:30 - 00138808 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvStreaming.exe
2016-08-18 14:44 - 2016-08-15 22:45 - 00054728 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvhdap64.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 40070200 _____ C:\WINDOWS\system32\nvcompiler.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 35182648 _____ C:\WINDOWS\SysWOW64\nvcompiler.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 34837952 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvoglv64.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 28236856 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvoglv32.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 20208360 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvwgf2um.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 10728856 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvopencl.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 10530960 _____ C:\WINDOWS\system32\nvptxJitCompiler.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 10273096 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuda.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 09086344 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvopencl.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 08681720 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuda.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 08644456 _____ C:\WINDOWS\SysWOW64\nvptxJitCompiler.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 02914752 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuvid.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 02553912 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuvid.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 01922616 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispco6437254.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 01585088 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispgenco6437254.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 01023544 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvFBC64.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00961080 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvFBC.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00945088 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFR64.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00897592 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFR.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00803096 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncMFTH264.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00802072 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncMFThevc.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00694952 _____ C:\WINDOWS\system32\nvfatbinaryLoader.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00644648 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncMFTH264.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00642904 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncMFThevc.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00612528 _____ C:\WINDOWS\system32\nvmcumd.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00584712 _____ C:\WINDOWS\SysWOW64\nvfatbinaryLoader.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00574120 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvumdshimx.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00471424 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvumdshim.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00442816 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFROpenGL.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00413256 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncodeAPI64.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00393664 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFROpenGL.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00386104 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvDecMFTMjpeg.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00348728 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvDecMFTMjpeg.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00345936 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncodeAPI.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00181488 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvinitx.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00159352 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvinit.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00153184 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvoglshim64.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00131536 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvoglshim32.dll
2016-08-18 14:44 - 2016-08-11 07:33 - 00000669 _____ C:\WINDOWS\SysWOW64\nv-vk32.json
2016-08-18 14:44 - 2016-08-11 07:33 - 00000669 _____ C:\WINDOWS\system32\nv-vk64.json
2016-08-18 14:39 - 2016-08-14 05:36 - 00001951 _____ C:\WINDOWS\NvContainerRecovery.bat
2016-08-13 17:41 - 2016-08-19 21:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\No Man's Sky [GOG.com]
2016-08-13 17:41 - 2016-08-13 17:42 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\HelloGames
2016-08-10 11:58 - 2016-08-10 12:08 - 00000000 ____D C:\Users\Ariel\Documents\Rise of the Tomb Raider
2016-08-10 11:58 - 2016-08-10 11:58 - 00000000 ____D C:\Users\Ariel\Documents\CPY_SAVES
2016-08-10 11:58 - 2016-08-10 11:58 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\Crystal Dynamics
2016-08-10 01:03 - 2016-08-03 04:14 - 01505984 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-08-10 01:03 - 2016-08-03 04:14 - 00092352 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-08-10 01:03 - 2016-08-03 04:14 - 00050368 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-08-10 01:03 - 2016-08-03 03:36 - 07469408 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-08-10 01:03 - 2016-08-03 03:36 - 00099680 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pdc.sys
2016-08-10 01:03 - 2016-08-03 03:36 - 00037744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wldp.dll
2016-08-10 01:03 - 2016-08-03 03:30 - 00026408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2016-08-10 01:03 - 2016-08-03 03:23 - 00693600 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
2016-08-10 01:03 - 2016-08-03 03:23 - 00115040 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupApi.dll
2016-08-10 01:03 - 2016-08-03 03:22 - 01322760 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2016-08-10 01:03 - 2016-08-03 03:22 - 00808288 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2016-08-10 01:03 - 2016-08-03 03:22 - 00465248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\storport.sys
2016-08-10 01:03 - 2016-08-03 03:22 - 00331616 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pci.sys
2016-08-10 01:03 - 2016-08-03 03:22 - 00058408 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorsNativeApi.dll
2016-08-10 01:03 - 2016-08-03 03:21 - 22561256 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-08-10 01:03 - 2016-08-03 03:21 - 03675512 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-08-10 01:03 - 2016-08-03 03:21 - 00566112 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncHost.exe
2016-08-10 01:03 - 2016-08-03 03:21 - 00303216 _____ (Microsoft Corporation) C:\WINDOWS\system32\LockAppHost.exe
2016-08-10 01:03 - 2016-08-03 03:20 - 01540224 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2016-08-10 01:03 - 2016-08-03 03:20 - 00692136 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppwinob.dll
2016-08-10 01:03 - 2016-08-03 03:19 - 00604928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-08-10 01:03 - 2016-08-03 03:19 - 00161632 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-08-10 01:03 - 2016-08-03 03:13 - 01988448 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2016-08-10 01:03 - 2016-08-03 03:13 - 00576864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2016-08-10 01:03 - 2016-08-03 03:13 - 00393056 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys
2016-08-10 01:03 - 2016-08-03 03:11 - 00422744 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rdbss.sys
2016-08-10 01:03 - 2016-08-03 02:51 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdlrecover.exe
2016-08-10 01:03 - 2016-08-03 02:51 - 00084480 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpudd.dll
2016-08-10 01:03 - 2016-08-03 02:46 - 22384128 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-08-10 01:03 - 2016-08-03 02:44 - 00189952 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2016-08-10 01:03 - 2016-08-03 02:44 - 00063488 _____ (Microsoft Corporation) C:\WINDOWS\system32\wshbth.dll
2016-08-10 01:03 - 2016-08-03 02:44 - 00044544 _____ (Microsoft Corporation) C:\WINDOWS\system32\musdialoghandlers.dll
2016-08-10 01:03 - 2016-08-03 02:43 - 16985088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
2016-08-10 01:03 - 2016-08-03 02:41 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepositoryClient.dll
2016-08-10 01:03 - 2016-08-03 02:41 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepositoryBroker.dll
2016-08-10 01:03 - 2016-08-03 02:40 - 00127488 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEDataLayerHelpers.dll
2016-08-10 01:03 - 2016-08-03 02:40 - 00091136 _____ (Microsoft Corporation) C:\WINDOWS\system32\bthserv.dll
2016-08-10 01:03 - 2016-08-03 02:40 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotificationUx.exe
2016-08-10 01:03 - 2016-08-03 02:40 - 00047616 _____ (Microsoft Corporation) C:\WINDOWS\system32\TpmTasks.dll
2016-08-10 01:03 - 2016-08-03 02:39 - 00218624 _____ (Microsoft Corporation) C:\WINDOWS\system32\cdd.dll
2016-08-10 01:03 - 2016-08-03 02:39 - 00104448 _____ (Microsoft Corporation) C:\WINDOWS\system32\BluetoothApis.dll
2016-08-10 01:03 - 2016-08-03 02:38 - 00412160 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2016-08-10 01:03 - 2016-08-03 02:38 - 00379392 _____ (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll
2016-08-10 01:03 - 2016-08-03 02:37 - 00110080 _____ (Microsoft Corporation) C:\WINDOWS\system32\IdCtrls.dll
2016-08-10 01:03 - 2016-08-03 02:36 - 00221696 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2016-08-10 01:03 - 2016-08-03 02:36 - 00211456 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupSvc.dll
2016-08-10 01:03 - 2016-08-03 02:36 - 00198144 _____ (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll
2016-08-10 01:03 - 2016-08-03 02:35 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-08-10 01:03 - 2016-08-03 02:35 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUDFPlatform.dll
2016-08-10 01:03 - 2016-08-03 02:34 - 00383488 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2016-08-10 01:03 - 2016-08-03 02:33 - 00339968 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorService.dll
2016-08-10 01:03 - 2016-08-03 02:33 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEEventDispatcher.dll
2016-08-10 01:03 - 2016-08-03 02:31 - 00506880 _____ (Microsoft Corporation) C:\WINDOWS\system32\tileobjserver.dll
2016-08-10 01:03 - 2016-08-03 02:31 - 00359936 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorsApi.dll
2016-08-10 01:03 - 2016-08-03 02:31 - 00247296 _____ (Microsoft Corporation) C:\WINDOWS\system32\wevtutil.exe
2016-08-10 01:03 - 2016-08-03 02:30 - 24613888 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-08-10 01:03 - 2016-08-03 02:30 - 00970752 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2016-08-10 01:03 - 2016-08-03 02:30 - 00515072 _____ (Microsoft Corporation) C:\WINDOWS\system32\OneDriveSettingSyncProvider.dll
2016-08-10 01:03 - 2016-08-03 02:29 - 14252544 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmp.dll
2016-08-10 01:03 - 2016-08-03 02:29 - 02127360 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2016-08-10 01:03 - 2016-08-03 02:29 - 01500160 _____ (Microsoft Corporation) C:\WINDOWS\system32\RecoveryDrive.exe
2016-08-10 01:03 - 2016-08-03 02:29 - 01387520 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2016-08-10 01:03 - 2016-08-03 02:29 - 00784384 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-08-10 01:03 - 2016-08-03 02:28 - 01213440 _____ (Microsoft Corporation) C:\WINDOWS\system32\wwansvc.dll
2016-08-10 01:03 - 2016-08-03 02:28 - 00848896 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2016-08-10 01:03 - 2016-08-03 02:28 - 00529920 _____ (Microsoft Corporation) C:\WINDOWS\system32\LogonController.dll
2016-08-10 01:03 - 2016-08-03 02:27 - 07536640 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstscax.dll
2016-08-10 01:03 - 2016-08-03 02:27 - 01752576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-08-10 01:03 - 2016-08-03 02:27 - 01717760 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll
2016-08-10 01:03 - 2016-08-03 02:27 - 00381952 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhext.dll
2016-08-10 01:03 - 2016-08-03 02:20 - 13390336 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-08-10 01:03 - 2016-08-03 02:18 - 06974464 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-08-10 01:03 - 2016-08-03 02:18 - 02067968 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll
2016-08-10 01:03 - 2016-08-03 02:18 - 01388032 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2016-08-10 01:03 - 2016-08-03 02:17 - 02175488 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2016-08-10 01:03 - 2016-08-03 02:16 - 05123072 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll
2016-08-10 01:03 - 2016-08-03 02:16 - 03589120 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2016-08-10 01:03 - 2016-08-03 02:16 - 02635776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Logon.dll
2016-08-10 01:03 - 2016-08-03 02:16 - 01732096 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-08-10 01:03 - 2016-08-03 02:15 - 07833088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-08-10 01:03 - 2016-08-03 02:14 - 04895232 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-08-10 01:03 - 2016-08-03 02:14 - 01997824 _____ (Microsoft Corporation) C:\WINDOWS\system32\ActiveSyncProvider.dll
2016-08-10 01:03 - 2016-08-03 02:13 - 03025920 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-08-10 01:03 - 2016-08-03 02:13 - 02280960 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-08-10 01:03 - 2016-08-03 02:12 - 02746368 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepository.dll
2016-08-10 01:03 - 2016-08-03 02:11 - 04171264 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcorets.dll
2016-08-10 01:03 - 2016-08-02 22:52 - 00034088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wldp.dll
2016-08-10 01:03 - 2016-08-02 22:34 - 00501592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
2016-08-10 01:03 - 2016-08-02 22:34 - 00084832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupApi.dll
2016-08-10 01:03 - 2016-08-02 22:33 - 00051128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SensorsNativeApi.dll
2016-08-10 01:03 - 2016-08-02 22:31 - 02921368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-08-10 01:03 - 2016-08-02 22:31 - 00957608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2016-08-10 01:03 - 2016-08-02 22:31 - 00703840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2016-08-10 01:03 - 2016-08-02 22:30 - 21123320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2016-08-10 01:03 - 2016-08-02 22:30 - 00465760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncHost.exe
2016-08-10 01:03 - 2016-08-02 22:30 - 00255168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LockAppHost.exe
2016-08-10 01:03 - 2016-08-02 21:57 - 00091648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdlrecover.exe
2016-08-10 01:03 - 2016-08-02 21:48 - 00051712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wshbth.dll
2016-08-10 01:03 - 2016-08-02 21:47 - 13018112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
2016-08-10 01:03 - 2016-08-02 21:44 - 00048640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepositoryClient.dll
2016-08-10 01:03 - 2016-08-02 21:44 - 00048128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepositoryBroker.dll
2016-08-10 01:03 - 2016-08-02 21:42 - 00080896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BluetoothApis.dll
2016-08-10 01:03 - 2016-08-02 21:40 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\IdCtrls.dll
2016-08-10 01:03 - 2016-08-02 21:39 - 19351040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-08-10 01:03 - 2016-08-02 21:37 - 00335872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2016-08-10 01:03 - 2016-08-02 21:37 - 00219136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VEEventDispatcher.dll
2016-08-10 01:03 - 2016-08-02 21:35 - 00286208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SensorsApi.dll
2016-08-10 01:03 - 2016-08-02 21:35 - 00178688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wevtutil.exe
2016-08-10 01:03 - 2016-08-02 21:34 - 00792064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2016-08-10 01:03 - 2016-08-02 21:34 - 00400896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\OneDriveSettingSyncProvider.dll
2016-08-10 01:03 - 2016-08-02 21:33 - 18677760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-08-10 01:03 - 2016-08-02 21:33 - 02050048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2016-08-10 01:03 - 2016-08-02 21:33 - 00687616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-08-10 01:03 - 2016-08-02 21:32 - 12585984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmp.dll
2016-08-10 01:03 - 2016-08-02 21:32 - 01526272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2016-08-10 01:03 - 2016-08-02 21:32 - 01467392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GdiPlus.dll
2016-08-10 01:03 - 2016-08-02 21:32 - 00434688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LogonController.dll
2016-08-10 01:03 - 2016-08-02 21:31 - 06743040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mstscax.dll
2016-08-10 01:03 - 2016-08-02 21:31 - 00705536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2016-08-10 01:03 - 2016-08-02 21:29 - 12133376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-08-10 01:03 - 2016-08-02 21:28 - 03663360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-08-10 01:03 - 2016-08-02 21:25 - 05323776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-08-10 01:03 - 2016-08-02 21:25 - 04078080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbgeng.dll
2016-08-10 01:03 - 2016-08-02 21:23 - 05660672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-08-10 01:03 - 2016-08-02 21:23 - 01799680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Logon.dll
2016-08-10 01:03 - 2016-08-02 21:22 - 02501120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-08-10 01:03 - 2016-08-02 21:22 - 01502208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-08-10 01:03 - 2016-08-02 21:21 - 01708032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ActiveSyncProvider.dll
2016-08-10 01:03 - 2016-08-02 21:19 - 02180096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepository.dll
2016-08-10 00:50 - 2016-08-10 00:50 - 00000000 ____D C:\Users\Ariel\AppData\LocalLow\noio
2016-08-10 00:50 - 2016-08-10 00:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kingdom [GOG.com]
2016-08-10 00:50 - 2016-08-10 00:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kingdom - New Lands [GOG.com]
2016-08-07 21:06 - 2016-08-07 22:26 - 00000000 ____D C:\Users\Ariel\AppData\Local\AM2R
2016-08-07 12:37 - 2016-08-07 12:37 - 00003530 _____ C:\WINDOWS\System32\Tasks\Ariel
2016-08-07 12:24 - 2016-08-07 12:24 - 00000000 ____D C:\Users\Ariel\AppData\LocalLow\Playdead
2016-08-04 13:44 - 2016-08-04 13:44 - 00000000 ___HD C:\$WINDOWS.~BT
2016-08-04 13:41 - 2016-08-04 13:42 - 00000000 ____D C:\Users\Default\AppData\Local\LogMeIn Hamachi
2016-08-04 13:41 - 2016-08-04 13:42 - 00000000 ____D C:\Users\Default User\AppData\Local\LogMeIn Hamachi
2016-08-04 13:40 - 2016-08-04 13:40 - 00343932 _____ C:\WINDOWS\Minidump\080416-6312-01.dmp
2016-07-31 22:06 - 2016-08-14 22:35 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\discordptb
2016-07-26 12:22 - 2016-03-27 13:52 - 00042856 _____ (Nefarius Software Solutions) C:\WINDOWS\system32\Drivers\ScpVBus.sys
2016-07-26 12:14 - 2016-08-16 11:00 - 00000314 _____ C:\WINDOWS\Tasks\ScpUpdater.job
2016-07-26 12:14 - 2016-07-26 12:14 - 00002932 _____ C:\WINDOWS\System32\Tasks\ScpUpdater
2016-07-26 12:14 - 2016-07-26 12:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ScpToolkit
2016-07-26 11:50 - 2016-07-26 11:50 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\Doublefine
2016-07-26 11:18 - 2016-07-26 11:20 - 00000000 ____D C:\Users\Ariel\AppData\Local\Teeching Feeling

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-20 17:06 - 2016-01-05 16:29 - 00000926 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3822628397-2931436756-777081172-1000UA.job
2016-08-20 16:25 - 2015-12-09 16:37 - 01009692 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-08-20 16:25 - 2015-10-30 00:21 - 00000000 ____D C:\WINDOWS\INF
2016-08-20 16:21 - 2015-12-09 17:14 - 00000000 ____D C:\Users\Ariel\AppData\LocalLow\Mozilla
2016-08-20 16:19 - 2015-12-14 16:44 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-08-20 16:19 - 2015-12-09 17:14 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-08-20 16:19 - 2015-12-09 17:13 - 00000000 ____D C:\Program Files (x86)\Steam
2016-08-20 16:19 - 2015-12-09 16:38 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-20 16:19 - 2015-12-09 16:36 - 00000000 ____D C:\ProgramData\NVIDIA
2016-08-20 16:19 - 2015-10-29 23:28 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-08-20 16:11 - 2016-05-16 00:52 - 00002557 _____ C:\Users\Ariel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome Canary.lnk
2016-08-20 15:59 - 2015-12-09 17:37 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-08-20 15:23 - 2016-01-05 16:44 - 00000000 ____D C:\Users\Ariel\AppData\Local\ElevatedDiagnostics
2016-08-20 15:18 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-08-20 01:12 - 2015-12-09 16:36 - 00252064 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-08-20 00:05 - 2015-12-09 17:16 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\Skype
2016-08-20 00:04 - 2016-02-02 19:53 - 00000000 ____D C:\ProgramData\Origin
2016-08-20 00:04 - 2016-01-21 15:00 - 00000000 ____D C:\Users\Ariel\AppData\Local\Ubisoft Game Launcher
2016-08-20 00:03 - 2016-02-02 19:53 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\Origin
2016-08-20 00:00 - 2016-05-06 17:56 - 00000000 ____D C:\Users\Ariel\AppData\Local\Battle.net
2016-08-19 23:58 - 2016-02-02 19:53 - 00000000 ____D C:\Users\Ariel\AppData\Local\Origin
2016-08-19 23:58 - 2015-12-09 16:37 - 00000000 ____D C:\Users\Ariel
2016-08-19 23:37 - 2015-12-09 17:13 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-08-19 23:37 - 2015-12-09 17:13 - 00000000 ____D C:\ProgramData\Skype
2016-08-19 22:42 - 2016-07-20 04:03 - 00004152 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{4A39D6A4-ECF6-4740-8DA1-4FADCD5EEBD3}
2016-08-19 22:22 - 2016-04-21 21:33 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\Nefarius Software Solutions
2016-08-19 22:07 - 2016-01-16 16:35 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\Tunngle
2016-08-19 20:22 - 2016-07-13 00:12 - 00000000 ____D C:\Users\Ariel\AppData\Local\Deployment
2016-08-19 17:04 - 2015-12-09 17:13 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-08-19 16:32 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\Resources
2016-08-19 16:30 - 2015-12-09 19:20 - 00000000 ____D C:\NVIDIA
2016-08-19 16:22 - 2015-10-30 00:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-08-18 15:34 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\rescache
2016-08-18 14:53 - 2015-12-09 19:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2016-08-18 14:53 - 2015-12-09 17:43 - 09567472 _____ C:\WINDOWS\PE_Rom.dll
2016-08-18 14:46 - 2015-12-09 16:36 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-08-18 14:46 - 2015-12-09 03:02 - 00000000 ____D C:\Temp
2016-08-18 14:45 - 2016-03-09 17:40 - 00000000 ____D C:\Program Files (x86)\VulkanRT
2016-08-18 14:39 - 2016-07-01 01:21 - 00003988 _____ C:\WINDOWS\System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2016-08-18 14:39 - 2016-07-01 01:21 - 00003960 _____ C:\WINDOWS\System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2016-08-18 14:39 - 2016-07-01 01:21 - 00003924 _____ C:\WINDOWS\System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2016-08-18 14:39 - 2016-07-01 01:21 - 00003898 _____ C:\WINDOWS\System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2016-08-18 14:39 - 2016-07-01 01:21 - 00003694 _____ C:\WINDOWS\System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2016-08-18 14:39 - 2015-12-09 19:22 - 00000000 ____D C:\Users\Ariel\AppData\Local\NVIDIA Corporation
2016-08-18 14:39 - 2015-12-09 16:36 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2016-08-18 14:39 - 2015-12-09 16:36 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2016-08-16 09:02 - 2016-07-01 01:21 - 01838648 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspcap64.dll
2016-08-16 09:02 - 2016-07-01 01:21 - 01756728 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspbridge64.dll
2016-08-16 09:02 - 2016-07-01 01:21 - 01441848 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspcap.dll
2016-08-16 09:02 - 2016-07-01 01:21 - 01318968 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspbridge.dll
2016-08-16 09:02 - 2016-07-01 01:21 - 00121912 _____ C:\WINDOWS\system32\NvRtmpStreamer64.dll
2016-08-16 08:44 - 2016-07-07 23:49 - 14199352 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\nvlddmkm.sys
2016-08-15 22:45 - 2016-07-07 23:49 - 01588688 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvhdagenco6420103.dll
2016-08-15 22:45 - 2015-08-29 01:31 - 00223304 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\nvhda64v.sys
2016-08-14 23:43 - 2015-12-15 17:10 - 00000000 ____D C:\Users\Ariel\AppData\Local\CrashDumps
2016-08-14 22:35 - 2016-03-12 16:39 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Hammer & Chisel, Inc
2016-08-14 22:35 - 2016-03-12 16:39 - 00000000 ____D C:\Users\Ariel\AppData\Local\DiscordPTB
2016-08-13 17:21 - 2015-12-09 16:51 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-08-11 07:33 - 2016-07-07 23:49 - 23699584 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvwgf2umx.dll
2016-08-11 07:33 - 2016-07-07 23:49 - 17619464 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvd3dumx.dll
2016-08-11 07:33 - 2016-07-07 23:49 - 14476904 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvd3dum.dll
2016-08-11 07:33 - 2016-07-07 23:49 - 03901520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvapi64.dll
2016-08-11 07:33 - 2016-07-07 23:49 - 03443152 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvapi.dll
2016-08-11 07:33 - 2016-05-16 00:54 - 00040827 _____ C:\WINDOWS\system32\nvinfo.pb
2016-08-11 05:27 - 2015-12-30 20:55 - 00548920 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nv3dappshext.dll
2016-08-11 05:27 - 2015-12-30 20:55 - 00081856 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nv3dappshextr.dll
2016-08-11 05:27 - 2015-12-09 16:36 - 06386048 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcpl.dll
2016-08-11 05:27 - 2015-12-09 16:36 - 02468288 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvsvc64.dll
2016-08-11 05:27 - 2015-12-09 16:36 - 01762752 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvsvcr.dll
2016-08-11 05:27 - 2015-12-09 16:36 - 01365048 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvvsvc.exe
2016-08-11 05:27 - 2015-12-09 16:36 - 00392128 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvmctray.dll
2016-08-11 05:27 - 2015-12-09 16:36 - 00069568 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvshext.dll
2016-08-10 12:39 - 2015-10-30 02:07 - 00000000 ____D C:\Program Files\Windows Journal
2016-08-10 12:39 - 2015-10-30 00:24 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-08-10 12:39 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-08-10 01:09 - 2015-12-09 16:55 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-08-10 01:09 - 2015-10-30 00:24 - 00000000 ____D C:\WINDOWS\system32\SecureBootUpdates
2016-08-10 01:09 - 2015-10-30 00:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-08-10 01:05 - 2015-12-09 16:55 - 147640136 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-08-09 09:06 - 2015-12-09 16:36 - 07255045 _____ C:\WINDOWS\system32\nvcoproc.bin
2016-08-08 00:06 - 2016-01-05 16:29 - 00000874 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3822628397-2931436756-777081172-1000Core.job
2016-08-07 12:17 - 2015-12-14 01:53 - 00000000 ____D C:\WINDOWS\SysWOW64\directx
2016-08-07 12:10 - 2015-12-09 17:23 - 00000000 ____D C:\Users\Ariel\Documents\Enpass
2016-08-07 02:52 - 2016-06-29 10:21 - 00000000 ____D C:\Users\Ariel\AppData\Local\tyranoscript
2016-08-04 13:45 - 2015-12-09 16:35 - 00000000 ___DC C:\WINDOWS\Panther
2016-08-04 13:42 - 2016-02-14 00:48 - 00000000 ____D C:\Users\Ariel\AppData\Local\LogMeIn Hamachi
2016-08-04 13:40 - 2016-02-21 16:52 - 835676025 _____ C:\WINDOWS\MEMORY.DMP
2016-08-04 13:40 - 2016-02-21 16:52 - 00000000 ____D C:\WINDOWS\Minidump
2016-07-30 00:01 - 2016-01-05 16:29 - 00004042 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3822628397-2931436756-777081172-1000UA
2016-07-30 00:01 - 2016-01-05 16:29 - 00003666 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3822628397-2931436756-777081172-1000Core
2016-07-27 12:25 - 2010-11-20 20:27 - 00504488 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2016-07-26 12:08 - 2016-05-25 14:45 - 00000000 ____D C:\Users\Ariel\AppData\Roaming\DS4Windows
2016-07-26 11:14 - 2016-06-28 23:00 - 00000000 ____D C:\Users\Ariel\AppData\LocalLow\DefaultCompany
2016-07-26 10:51 - 2016-07-20 03:00 - 00000000 ____D C:\Users\Ariel\AppData\Local\akumuichinoana

==================== Files in the root of some directories =======

2016-08-20 16:16 - 2016-08-20 16:16 - 0000218 _____ () C:\Users\Ariel\AppData\Local\recently-used.xbel
2015-12-09 16:36 - 2015-12-09 16:36 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-08-18 15:20

==================== End of FRST.txt ============================


#2 nasdaq

  • Malware Response Team
  • 38,969 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 August 2016 - 10:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3822628397-2931436756-777081172-1000\...\Run: [Ariel] => explorer.exe hxxp://sd-steam.info <===== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
U3 idsvc; no ImagePath
Task: {00FFF6CF-B620-424D-8533-B5FC4D456D71} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {0133E53C-1BE7-4A5B-AA40-5C762BA182D0} - \Update\Nvvdsync -> No File <==== ATTENTION
Task: {1FF2E1C5-28E3-47F3-B26A-D89931F4DFE8} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {43B43B1F-6E1C-4B0D-AFAF-9BDBB07F25A1} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {4C25370A-871A-42E9-8927-281413F5C021} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {781F1ED3-3A36-4787-AD8E-3C9B46BE624A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {7D312DE4-19D6-4076-8B86-C0FCD90EBD16} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {85BF60EB-75CF-42DC-9E9F-43F174823114} - System32\Tasks\Ariel => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Ariel /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION
Task: {8E555CA8-CD01-45B5-8351-C0930019C19E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {C901A3F5-6C8C-400E-A414-C88708DA1119} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {D8BF3CB3-5E32-4098-ABEE-D951EA8CA30E} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {E20909C1-BCC9-44CE-9DC7-BC604C7E473B} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {E39FE043-3B4C-4685-A181-7CC1CA044814} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
U3 wpcsvc; no ImagePath

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Please post the log and let me know if the problem persists.
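
Added detection example (my code, not FRST's or the forum's own): it reads FRST-style lines like the two flagged with ATTENTION in the fixlist above and pairs the Run value that hands the URL to explorer.exe with the scheduled task whose action is REG ADD against the Run key, which is why deleting only the registry value, as the poster tried, did not hold. The sample lines are constructed from the log above; the ExampleApp entry is a made-up benign control.

```python
"""Pair a URL-launching Run value with the scheduled task that re-creates it.

Added example, not FRST's or the forum's code. Handles two FRST line shapes:
  HKU\\...\\Run: [Name] => <command>            (logon autostart value)
  Task: {GUID} - <path> => <action>              (scheduled task with action)
Lines of the form "Task: {GUID} - <path> -> No File" are orphaned tasks and
are deliberately ignored here.
"""
import re

# Run value line; the trailing "<==== ATTENTION" marker FRST adds is optional.
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+\\.*?\\Run): \[(?P<name>[^\]]+)\] => (?P<cmd>.*?)(?: <=+ ATTENTION)?$"
)
# Scheduled task with an action (" => ") rather than a missing file (" -> No File").
TASK_RE = re.compile(
    r"^Task: (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?) => (?P<action>.*?)(?: <=+ ATTENTION)?$"
)
# Accept defanged (hxxp) as well as live (http) schemes, since logs are usually defanged.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s\"]+", re.IGNORECASE)
# REG ADD <key> ... /v <value> ... /d "<data>"; switch order between them is not assumed.
REG_ADD_RE = re.compile(
    r"REG ADD (?P<key>\S+).*?/v (?P<value>\S+).*?/d \"?(?P<data>[^\"]+)\"?", re.IGNORECASE
)

# Constructed sample: lines 1-3 are taken from the FRST log above, line 4 is a
# made-up benign autostart entry used as a negative control.
SAMPLE_LOG = [
    r"HKU\S-1-5-21-3822628397-2931436756-777081172-1000\...\Run: [Ariel] => explorer.exe hxxp://sd-steam.info <===== ATTENTION",
    r"Task: {00FFF6CF-B620-424D-8533-B5FC4D456D71} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION",
    r'Task: {85BF60EB-75CF-42DC-9E9F-43F174823114} - System32\Tasks\Ariel => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Ariel /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION',
    r"HKLM\...\Run: [ExampleApp] => C:\Program Files\ExampleApp\example.exe",
]


def parse_frst(lines):
    """Split FRST lines into Run-value entries and scheduled-task entries."""
    runs, tasks = [], []
    for raw in lines:
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            runs.append(m.groupdict())
        elif (m := TASK_RE.match(line)):
            tasks.append(m.groupdict())
    return runs, tasks


def url_launching_run_values(lines):
    """Run values whose command hands a URL to explorer.exe.

    explorer.exe opens a URL argument in the default browser, which is exactly
    the 'Firefox opens an ad site at startup' symptom from the first post.
    Returns [(value name, url)].
    """
    runs, _ = parse_frst(lines)
    hits = []
    for r in runs:
        url = URL_RE.search(r["cmd"])
        if url and "explorer.exe" in r["cmd"].lower():
            hits.append((r["name"], url.group(0)))
    return hits


def tasks_writing_run_values(lines):
    """Scheduled tasks whose action is REG ADD against a Run key.

    Returns {value name (lower-case): (task guid, data written)}.
    """
    _, tasks = parse_frst(lines)
    writers = {}
    for t in tasks:
        m = REG_ADD_RE.search(t["action"])
        if m and m.group("key").lower().endswith("\\run"):
            writers[m.group("value").lower()] = (t["guid"], m.group("data"))
    return writers


def persistence_chain(lines):
    """Map each URL-launching Run value to the task that re-creates it.

    A non-empty result means removing the Run value alone will not hold: the
    task must go in the same fix. A writer task is reported even when the Run
    value is currently absent (the poster had deleted it by hand before the
    fix ran), because the task re-adds it at the next trigger.
    Keys are lower-cased value names.
    """
    writers = tasks_writing_run_values(lines)
    chain = {}
    for name, url in url_launching_run_values(lines):
        if name.lower() in writers:
            guid, data = writers[name.lower()]
            chain[name.lower()] = {"url": url, "task": guid, "recreated_as": data}
    for value, (guid, data) in writers.items():
        url = URL_RE.search(data)
        if url and value not in chain:
            chain[value] = {"url": url.group(0), "task": guid, "recreated_as": data}
    return chain


if __name__ == "__main__":
    for value, info in persistence_chain(SAMPLE_LOG).items():
        print(f"Run value '{value}' opens {info['url']} and is re-created by task {info['task']}")
```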

#3 spdyrel
  • Topic Starter
  • Members
  • 6 posts

Posted 22 August 2016 - 01:14 PM

Thanks for the reply nasdaq. I did want to let you know that I deleted the sd-steam registry last time I was on my computer (prior to your reply) so I hope that didn't mess with the fix. I'll try and keep my computer running and restart a few times to see if it pops up again. Here's the fixlog:


Fix result of Farbar Recovery Scan Tool (x64) Version: 21-08-2016 01
Ran by Ariel (22-08-2016 10:56:03) Run:1
Running from D:\Ariel\Downloads
Loaded Profiles: Ariel (Available Profiles: Ariel & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3822628397-2931436756-777081172-1000\...\Run: [Ariel] => explorer.exe hxxp://sd-steam.info <===== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
U3 idsvc; no ImagePath
Task: {00FFF6CF-B620-424D-8533-B5FC4D456D71} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {0133E53C-1BE7-4A5B-AA40-5C762BA182D0} - \Update\Nvvdsync -> No File <==== ATTENTION
Task: {1FF2E1C5-28E3-47F3-B26A-D89931F4DFE8} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {43B43B1F-6E1C-4B0D-AFAF-9BDBB07F25A1} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {4C25370A-871A-42E9-8927-281413F5C021} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {781F1ED3-3A36-4787-AD8E-3C9B46BE624A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {7D312DE4-19D6-4076-8B86-C0FCD90EBD16} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {85BF60EB-75CF-42DC-9E9F-43F174823114} - System32\Tasks\Ariel => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Ariel /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION
Task: {8E555CA8-CD01-45B5-8351-C0930019C19E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {C901A3F5-6C8C-400E-A414-C88708DA1119} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {D8BF3CB3-5E32-4098-ABEE-D951EA8CA30E} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {E20909C1-BCC9-44CE-9DC7-BC604C7E473B} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {E39FE043-3B4C-4685-A181-7CC1CA044814} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTIONU3 wpcsvc; no ImagePath

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-3822628397-2931436756-777081172-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Ariel => value not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
idsvc => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{00FFF6CF-B620-424D-8533-B5FC4D456D71}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00FFF6CF-B620-424D-8533-B5FC4D456D71}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0133E53C-1BE7-4A5B-AA40-5C762BA182D0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0133E53C-1BE7-4A5B-AA40-5C762BA182D0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Update\Nvvdsync" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1FF2E1C5-28E3-47F3-B26A-D89931F4DFE8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FF2E1C5-28E3-47F3-B26A-D89931F4DFE8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{43B43B1F-6E1C-4B0D-AFAF-9BDBB07F25A1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{43B43B1F-6E1C-4B0D-AFAF-9BDBB07F25A1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4C25370A-871A-42E9-8927-281413F5C021}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4C25370A-871A-42E9-8927-281413F5C021}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{781F1ED3-3A36-4787-AD8E-3C9B46BE624A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{781F1ED3-3A36-4787-AD8E-3C9B46BE624A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7D312DE4-19D6-4076-8B86-C0FCD90EBD16}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7D312DE4-19D6-4076-8B86-C0FCD90EBD16}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{85BF60EB-75CF-42DC-9E9F-43F174823114}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{85BF60EB-75CF-42DC-9E9F-43F174823114}" => key removed successfully
C:\WINDOWS\System32\Tasks\Ariel => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Ariel" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8E555CA8-CD01-45B5-8351-C0930019C19E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8E555CA8-CD01-45B5-8351-C0930019C19E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C901A3F5-6C8C-400E-A414-C88708DA1119}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C901A3F5-6C8C-400E-A414-C88708DA1119}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D8BF3CB3-5E32-4098-ABEE-D951EA8CA30E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8BF3CB3-5E32-4098-ABEE-D951EA8CA30E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E20909C1-BCC9-44CE-9DC7-BC604C7E473B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E20909C1-BCC9-44CE-9DC7-BC604C7E473B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E39FE043-3B4C-4685-A181-7CC1CA044814}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E39FE043-3B4C-4685-A181-7CC1CA044814}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 2194993 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 90042465 B
Java, Flash, Steam htmlcache => 596492760 B
Windows/system/drivers => 53524 B
Edge => 726834 B
Chrome => 0 B
Firefox => 308854423 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 648222 B
Ariel => 51195232 B
DefaultAppPool => 0 B

RecycleBin => 0 B
EmptyTemp: => 1001.6 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 10:56:15 ====


Edited by spdyrel, 22 August 2016 - 01:16 PM.


#4 spdyrel
  • Topic Starter
  • Members
  • 6 posts

Posted 22 August 2016 - 02:31 PM

My computer has been on for a bit and so far that regedit entry has not popped up again so looking good so far. I'll reply tomorrow with how it's going.



#5 nasdaq

  • Malware Response Team
  • 38,969 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 August 2016 - 07:48 AM

That's OK, the value was not found in the fix.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#6 spdyrel
  • Topic Starter
  • Members
  • 6 posts

Posted 26 August 2016 - 12:22 PM

Just following up with an update. Haven't had that problem since so thanks so much for the help!



#7 nasdaq

  • Malware Response Team
  • 38,969 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 August 2016 - 08:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



