Sd-Steam.info popup on startup ( redirected to zodiac-game.info )


  • This topic is locked
4 replies to this topic

#1 Spawni

  • Members
  • 3 posts

Posted 22 August 2016 - 03:43 PM

Now I know that this topic has been posted recently as well, but I haven't been able to clear it myself, unfortunately. When I launch Win7, Chrome boots with a website (sd-steam.info) that directs me to zodiac-game.info. I've looked through my reg files and found under Run there is an entry under my user name stating "explorer.exe st-steam.info". Deleting this helps, but only temporarily, as it always comes back shortly after (it seems to come back when a black /cmd/ screen pops up for a split second). Restoring my PC to a point prior to the downloads didn't seem to help either. I've a few pirated games on this PC, but nothing too recent. I hope it won't cause an issue that the reg entry under Run has been deleted (in hopes of repair).
 
FRST DATA:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01
Ran by Antea (administrator) on ANTEA-PC (22-08-2016 22:37:18)
Running from C:\Users\Antea\Downloads
Loaded Profiles: Antea (Available Profiles: Antea)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Creative Technology Ltd) C:\Windows\SysWOW64\CtHdaSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Qualcomm Atheros) C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe
(Razer Inc.) C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Valve Corporation) B:\Games\Steam\Steam.exe
() C:\Program Files (x86)\Wireless 5-Mode Oscar Editor\OscarEditor.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudPhotos.exe
(A-Volute) C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzSurroundVADStreamingService.exe
(Hammer & Chisel, Inc.) C:\Users\Antea\AppData\Local\Discord\app-0.0.295\Discord.exe
(Nota Inc.) C:\Program Files (x86)\Gyazo\GyStation.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Popcorn Time) C:\Program Files (x86)\Popcorn Time\Updater.exe
() C:\Program Files\Qualcomm Atheros\Network Manager\NetworkManager.exe
(Curse, Inc) C:\Users\Antea\AppData\Roaming\Curse Client\Bin\Curse.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster Recon3Di\Sound Blaster Recon3Di Control Panel\SBRcni.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Intel® Corporation) C:\Program Files\Intel\NCS2\WMIProv\ncs2prov.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastUI.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(NVIDIA Corporation) C:\Users\Antea\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\NvOAWrapperCache.exe
(Power Software Ltd) B:\Programs\PowerISO\PWRISOVM.EXE
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(ROCCAT GmbH) C:\Program Files (x86)\ROCCAT\Isku Keyboard\IskuMonitor.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Sound Blaster Recon3Di\Sound Blaster Recon3Di Control Panel\CTJckCfg.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Hammer & Chisel, Inc.) C:\Users\Antea\AppData\Local\Discord\app-0.0.295\Discord.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
() C:\ProgramData\Razer\Synapse\RzStats\RzStats.Manager.exe
(Hammer & Chisel, Inc.) C:\Users\Antea\AppData\Local\Discord\app-0.0.295\Discord.exe
(Curse, Inc.) C:\Users\Antea\AppData\Roaming\Curse Client\Bin\Electron\CurseUI.exe
(Curse, Inc.) C:\Users\Antea\AppData\Roaming\Curse Client\Bin\Electron\CurseUI.exe
(Curse, Inc.) C:\Users\Antea\AppData\Roaming\Curse Client\Bin\Electron\CurseUI.exe
(Curse, Inc.) C:\Users\Antea\AppData\Roaming\Curse Client\Bin\Electron\CurseUI.exe
(Razer, Inc.) C:\Program Files (x86)\Razer\InGameEngine\32bit\RazerIngameEngine.exe
(Razer, Inc.) C:\Users\Antea\AppData\Local\Razer\InGameEngine\cache\RzStats.Manager\rzcefrenderprocess.exe
(Valve Corporation) B:\Games\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicator.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2014-05-28] (Intel Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2396096 2016-03-30] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\nvspcap64.dll [1767248 2016-03-30] (NVIDIA Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [Sound Blaster Recon3Di SBX Control Panel] => C:\Program Files (x86)\Creative\Sound Blaster Recon3Di\Sound Blaster Recon3Di Control Panel\SBRcni.exe [1129984 2014-03-19] (Creative Technology Ltd)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2014-06-27] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2011-01-30] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\Alwil Software\Avast5\AvastUI.exe [9103976 2016-08-19] (AVAST Software)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [591512 2015-11-19] (Razer Inc.)
HKLM-x32\...\Run: [PWRISOVM.EXE] => B:\Programs\PowerISO\PWRISOVM.EXE -startup
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM-x32\...\Run: [RoccatIsku] => C:\Program Files (x86)\ROCCAT\Isku Keyboard\IskuMonitor.EXE [536576 2013-10-30] (ROCCAT GmbH)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [DAEMON Tools Pro Agent] => C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe [3108480 2012-10-23] (DT Soft Ltd)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [Steam] => "B:\Games\Steam\steam.exe" -silent
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [OscarXG] => C:\Program Files (x86)\Wireless 5-Mode Oscar Editor\OscarEditor.exe [3515904 2011-09-02] ()
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [HP Deskjet 3520 series (NET)] => C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [60688 2015-11-30] (Apple Inc.)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [iCloudDrive] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe [103696 2015-11-30] (Apple Inc.)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [iCloudPhotos] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudPhotos.exe [349968 2015-11-30] (Apple Inc.)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [Discord] => C:\Users\Antea\AppData\Local\Discord\app-0.0.295\Discord.exe [62385336 2016-08-01] (Hammer & Chisel, Inc.)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [Gyazo] => C:\Program Files (x86)\Gyazo\GyStation.exe [3582240 2016-06-13] (Nota Inc.)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29494400 2016-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\MountPoints2: {1bcf22a1-a0cc-11e5-a961-fcaa142d4a70} - G:\LaunchU3.exe -a
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\SysWOW64\lol.scr
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2016-05-03] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Alwil Software\Avast5\ashShA64.dll [2016-08-19] (AVAST Software)
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} =>  No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Killer Network Manager.lnk [2015-07-24]
ShortcutTarget: Killer Network Manager.lnk -> C:\Windows\Installer\{3A435941-E398-438A-9CAF-31D8996CF7C8}\NetworkManager.exe_130C27D738F34C89BDDF21BCFD74B56D.exe (Flexera Software LLC)
Startup: C:\Users\Antea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk [2015-10-17]
ShortcutTarget: Curse.lnk -> C:\Users\Antea\AppData\Roaming\Curse Client\Bin\Curse.exe (Curse, Inc)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{C14C79FA-EB97-4C7F-8E0E-39C70BCFBDBB}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll [2016-08-19] (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-01-30] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [2016-08-19] (AVAST Software)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-12-05] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1045298776-4018183215-3565104372-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.3 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2012-12-25] (Wacom)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-06-24] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-06-24] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-12-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-12-05] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-06-17] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-06-17] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-20] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-20] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2012-12-13] (VideoLAN)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.3 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2012-12-25] (Wacom)
FF Plugin HKU\S-1-5-21-1045298776-4018183215-3565104372-1000: thehappycloud.com/HappyCloudPlugin -> C:\ProgramData\HappyCloud\Application\npHappyCloudPlugin.dll [2013-11-17] (The Happy Cloud)
FF Plugin HKU\S-1-5-21-1045298776-4018183215-3565104372-1000: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2012-12-25] (Wacom)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF [2016-08-20]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\Alwil Software\Avast5\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\Alwil Software\Avast5\SafePrice\FF [2016-08-20]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\Alwil Software\Avast5\SafePrice\FF
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.youtube.com/
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:21:26&v=17.3.0.49&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:21:26&v=18.0.5.292&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:21:26&v=18.1.0.443&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:21:26&v=18.1.5.512&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:21:26&v=18.1.7.598&pid=safeguard&sg=&sap=hp","hxxps://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:21:26&v=18.1.9.799&pid=safeguard&sg=&sap=hp"
CHR Profile: C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-20]
CHR Extension: (YouTube) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-08-20]
CHR Extension: (Block site) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\eiimnmioipafcokbfikbljfdeojpcgbh [2016-08-21]
CHR Extension: (AdBlock) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-08-20]
CHR Extension: (Little Alchemy) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\knkapnclbofjjgicpkfoagdjohlfjhpd [2016-08-20]
CHR Extension: (Into The Mist) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgihmkgobaljfehcadcckdggpeojaadh [2016-08-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-20]
CHR Extension: (Gmail) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-08-20]
CHR Extension: (Chrome Media Router) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-20]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx <not found>
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [197128 2016-08-19] (AVAST Software)
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [429056 2013-10-28] (Creative Technology Ltd) [File not signed]
R2 CtHdaSvc; C:\Windows\sysWow64\CtHdaSvc.exe [103936 2014-05-23] (Creative Technology Ltd)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163200 2016-03-30] (NVIDIA Corporation)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-05-28] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-13] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-06-24] (Intel Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-03-30] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3632576 2016-03-30] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2521024 2016-03-30] (NVIDIA Corporation)
R2 Qualcomm Atheros Killer Service V2; C:\Program Files\Qualcomm Atheros\Network Manager\KillerService.exe [344576 2014-04-17] (Qualcomm Atheros) [File not signed]
R2 Razer Chroma SDK Service; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe [54272 2015-12-18] (Razer Inc.) [File not signed]
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [188072 2015-11-05] ()
R2 RzSurroundVADStreamingService; C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzSurroundVADStreamingService.exe [4254720 2015-07-29] (A-Volute) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [621336 2013-12-04] (Wacom Technology, Corp.)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-08-19] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-08-19] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-08-19] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-08-19] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-08-19] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969560 2016-08-19] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513496 2016-08-19] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-08-19] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-08-19] (AVAST Software)
R1 BfLwf; C:\Windows\System32\DRIVERS\bflwfx64.sys [82096 2014-04-10] (Qualcomm Atheros, Inc.)
R3 cthda; C:\Windows\System32\drivers\cthda.sys [1050904 2014-05-23] (Creative Technology Ltd)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [487704 2014-03-14] (Intel Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2014-05-28] (Intel Corporation)
R3 Ke2200; C:\Windows\System32\DRIVERS\e22w7x64.sys [129200 2014-03-12] (Qualcomm Atheros, Inc.)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [125952 2014-06-24] (Intel Corporation)
R3 NETwNs64; C:\Windows\System32\DRIVERS\Netwsw02.sys [3429344 2014-02-18] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-03-30] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [56384 2016-03-21] (NVIDIA Corporation)
R3 rzendpt; C:\Windows\System32\DRIVERS\rzendpt.sys [50392 2015-08-13] (Razer Inc)
R3 rzmpos; C:\Windows\System32\DRIVERS\rzmpos.sys [48840 2015-08-13] (Razer Inc)
R2 rzpmgrk; C:\Windows\system32\drivers\rzpmgrk.sys [37184 2015-09-23] (Razer, Inc.)
R2 rzpnk; C:\Windows\system32\drivers\rzpnk.sys [130880 2015-12-15] (Razer, Inc.)
R3 RZSURROUNDVADService; C:\Windows\System32\drivers\RzSurroundVAD.sys [40640 2015-07-29] (Windows ® Win 7 DDK provider)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2015-07-26] (Duplex Secure Ltd.)
U3 ard2nd9f; C:\Windows\System32\Drivers\ard2nd9f.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-22 22:33 - 2016-08-22 22:33 - 00038418 _____ C:\Users\Antea\Desktop\issue.txt
2016-08-22 22:14 - 2016-08-22 22:37 - 00027721 _____ C:\Users\Antea\Downloads\FRST.txt
2016-08-22 22:13 - 2016-08-22 22:37 - 00000000 ____D C:\FRST
2016-08-22 22:13 - 2016-08-22 22:13 - 02396672 _____ (Farbar) C:\Users\Antea\Downloads\FRST64.exe
2016-08-21 19:42 - 2016-08-21 19:42 - 00000745 _____ C:\Users\Public\Desktop\Starbound.lnk
2016-08-20 19:32 - 2016-08-20 19:32 - 00002278 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-20 19:31 - 2016-08-22 22:34 - 00000944 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-20 19:31 - 2016-08-22 21:42 - 00000948 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-20 19:31 - 2016-08-20 19:37 - 00003692 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-08-20 19:05 - 2016-08-20 19:05 - 00000000 _____ C:\autoexec.bat
2016-08-20 19:04 - 2016-08-20 19:04 - 00000000 ____D C:\sh4ldr
2016-08-20 19:04 - 2016-08-20 19:04 - 00000000 ____D C:\Program Files\Enigma Software Group
2016-08-20 19:02 - 2016-08-20 19:31 - 00000000 ____D C:\Users\Antea\AppData\Local\Deployment
2016-08-20 19:02 - 2016-08-20 19:31 - 00000000 ____D C:\Users\Antea\AppData\Local\Apps\2.0
2016-08-20 17:44 - 2016-08-20 17:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-08-19 18:49 - 2016-08-19 18:49 - 00391496 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-08-19 18:49 - 2016-08-19 18:49 - 00053208 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-08-19 18:08 - 2016-08-20 17:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-19 01:59 - 2016-08-19 03:53 - 00000000 _____ C:\Windows\SysWOW64\last.dump
2016-08-17 21:03 - 2016-08-17 21:03 - 00000000 ____D C:\Users\Antea\AppData\LocalLow\Playdead
2016-08-17 00:55 - 2016-08-20 17:48 - 00000000 ____D C:\Users\Antea\Documents\Electronic Arts
2016-08-08 18:43 - 2016-08-08 18:43 - 00003484 _____ C:\Windows\System32\Tasks\Antea
2016-07-28 02:13 - 2016-07-28 02:13 - 00000000 ____D C:\dev
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-22 22:37 - 2015-09-25 21:04 - 00000000 _____ C:\Windows\system32\RzSurroundVADAudioDeviceManager_log.txt
2016-08-22 22:35 - 2016-07-14 23:21 - 00000000 ____D C:\Users\Antea\AppData\Roaming\Skype
2016-08-22 22:34 - 2016-03-04 17:25 - 00000000 ___RD C:\Users\Antea\iCloudDrive
2016-08-22 22:34 - 2015-10-17 23:42 - 00000000 ____D C:\Users\Antea\AppData\Roaming\Curse Client
2016-08-22 22:34 - 2015-07-25 12:49 - 00000264 _____ C:\Windows\Tasks\AutoKMS.job
2016-08-22 22:34 - 2015-07-24 13:21 - 00000000 ____D C:\ProgramData\NVIDIA
2016-08-22 22:34 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-22 22:33 - 2009-07-14 06:45 - 00010208 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-22 22:33 - 2009-07-14 06:45 - 00010208 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-22 21:50 - 2015-07-26 01:12 - 00000000 ____D C:\Users\Antea\AppData\Roaming\uTorrent
2016-08-22 20:50 - 2015-07-29 23:54 - 00000388 _____ C:\Windows\Tasks\update-sys.job
2016-08-22 19:53 - 2015-07-29 23:54 - 00000388 _____ C:\Windows\Tasks\update-S-1-5-21-1045298776-4018183215-3565104372-1000.job
2016-08-22 15:47 - 2009-07-14 07:13 - 00783114 _____ C:\Windows\system32\PerfStringBackup.INI
2016-08-22 15:47 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
2016-08-21 19:43 - 2015-07-24 13:09 - 00000000 ____D C:\ProgramData\Package Cache
2016-08-21 19:43 - 2009-07-14 07:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-08-21 19:42 - 2016-01-30 16:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2016-08-21 18:27 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\NDF
2016-08-20 19:37 - 2015-07-24 13:07 - 00003944 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-08-20 19:32 - 2015-07-24 13:07 - 00000000 ____D C:\Program Files (x86)\Google
2016-08-20 19:29 - 2016-02-14 23:47 - 00000000 ___SD C:\Users\Antea\AppData\LocalLow\Temp
2016-08-20 19:20 - 2016-03-04 15:24 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-20 19:08 - 2016-05-16 20:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\X-Mirage
2016-08-20 19:08 - 2016-05-03 17:36 - 00000000 ____D C:\Users\Antea\Documents\Overwatch
2016-08-20 19:08 - 2016-01-31 15:04 - 00000000 ____D C:\Users\Antea\Documents\FLiNGTrainer
2016-08-20 19:08 - 2015-12-03 18:10 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-08-20 19:08 - 2015-07-24 13:07 - 00000000 ____D C:\Users\Antea\AppData\Local\Google
2016-08-20 19:08 - 2015-07-24 09:43 - 00000000 ____D C:\Users\Antea
2016-08-20 19:08 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2016-08-20 19:07 - 2015-07-25 12:46 - 00000000 __RHD C:\MSOCache
2016-08-20 17:49 - 2015-07-31 21:01 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-08-20 17:48 - 2016-03-04 15:22 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-08-20 17:48 - 2016-01-02 16:38 - 00000000 ____D C:\Program Files (x86)\Razer Chroma SDK
2016-08-20 17:48 - 2015-10-08 20:59 - 00000000 ____D C:\Program Files\IDT
2016-08-20 17:48 - 2015-07-24 13:08 - 00000000 ____D C:\ProgramData\Google
2016-08-20 17:48 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\AppCompat
2016-08-20 17:43 - 2015-07-24 13:08 - 00000000 ____D C:\Program Files\Google
2016-08-19 19:19 - 2015-10-25 01:29 - 00000000 ____D C:\ProgramData\Origin
2016-08-19 19:03 - 2015-07-25 12:49 - 00000000 ____D C:\Windows\AutoKMS
2016-08-19 18:49 - 2016-07-11 22:36 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-08-19 18:49 - 2015-07-25 13:17 - 00163416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-08-19 18:49 - 2015-07-25 13:17 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-08-19 18:49 - 2015-07-25 13:11 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-08-19 18:49 - 2015-07-25 13:10 - 00969560 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-08-19 18:49 - 2015-07-25 13:10 - 00292704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-08-19 18:49 - 2015-07-25 13:10 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-08-19 18:49 - 2015-07-25 13:07 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-08-19 18:49 - 2015-07-25 12:44 - 00513496 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-08-19 18:49 - 2015-07-25 12:44 - 00108816 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-08-19 18:16 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-08-14 22:36 - 2015-07-31 23:26 - 00000000 ____D C:\Users\Antea\Documents\The Witcher 3
2016-08-06 21:33 - 2015-09-01 23:43 - 00000000 ____D C:\Users\Antea\AppData\Local\CrashDumps
2016-08-02 19:38 - 2015-07-30 15:39 - 00000000 ____D C:\Users\Antea\Documents\My Games
2016-08-02 02:37 - 2016-04-18 20:02 - 00000000 ____D C:\Users\Antea\AppData\Roaming\discord
2016-08-01 23:02 - 2016-04-18 20:02 - 00000000 ____D C:\Users\Antea\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Hammer & Chisel, Inc
2016-08-01 23:02 - 2016-04-18 20:02 - 00000000 ____D C:\Users\Antea\AppData\Local\Discord
2016-07-30 05:48 - 2015-07-29 22:46 - 00000000 ___RD C:\Users\Antea\Desktop\Main folder
2016-07-27 17:05 - 2016-07-14 23:21 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-07-27 17:05 - 2015-07-29 22:50 - 00000000 ____D C:\ProgramData\Skype
2016-07-27 05:44 - 2015-10-08 19:51 - 00000000 ____D C:\Users\Antea\AppData\Roaming\vlc
 
==================== Files in the root of some directories =======
 
2016-03-25 00:37 - 2016-05-27 22:57 - 0000132 _____ () C:\Users\Antea\AppData\Roaming\Adobe PNG Format CS6 Prefs
2015-12-05 19:02 - 2015-12-05 19:02 - 0000017 _____ () C:\Users\Antea\AppData\Local\resmon.resmoncfg
2015-07-29 23:54 - 2015-07-29 23:54 - 0000003 _____ () C:\Users\Antea\AppData\Local\updater.log
2015-07-29 23:54 - 2015-07-29 23:54 - 0000424 _____ () C:\Users\Antea\AppData\Local\UserProducts.xml
2016-01-30 18:35 - 2016-01-30 18:35 - 0000057 _____ () C:\ProgramData\Ament.ini
 
Some files in TEMP:
====================
C:\Users\Antea\AppData\Local\Temp\bdfilters.dll
C:\Users\Antea\AppData\Local\Temp\Gw2.exe
C:\Users\Antea\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\Antea\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Antea\AppData\Local\Temp\nvStInst.exe
C:\Users\Antea\AppData\Local\Temp\SkypeSetup.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-08-16 18:17
 
==================== End of FRST.txt ============================

 


#2 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 23 August 2016 - 10:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please run this fix first.

Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1045298776-4018183215-3565104372-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Antea"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.
===

Next execute this fix.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [AdobeBridge] => [X]
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
Toolbar: HKU\S-1-5-21-1045298776-4018183215-3565104372-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:21:26&v=17.3.0.49&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:... (long line)
CHR Extension: (Chrome Web Store Payments) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-20]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx <not found>
Task: {71C879FF-1667-4F5F-9CF4-A7B03D5C1CE3} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: {7FE1B07B-3DE8-462B-8F7B-30976A397524} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {98CD67E6-7649-4E1D-A0EB-8C486E011E15} - System32\Tasks\Antea => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Antea /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION
Task: {BF188D62-51BF-4B77-A072-F05C8DED1816} - System32\Tasks\update-S-1-5-21-1045298776-4018183215-3565104372-1000 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\update-S-1-5-21-1045298776-4018183215-3565104372-1000.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
AlternateDataStreams: C:\Users\Antea\AppData\Local\ARIMpUEC:iN9idYYGW5iRjF8NlgXbMLis [2344]
AlternateDataStreams: C:\Users\Antea\AppData\Local\Temporary Internet Files:okhruKhiKdf4fCHFZ7OwJ [2128]
U3 ard2nd9f; C:\Windows\System32\Drivers\ard2nd9f.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files (x86)\Skillbrains
C:\Windows\AutoKMS
C:\Windows\System32\Drivers\ard2nd9f.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader Via the Control Panel > Programs > Programs and Features.
Adobe Reader X (10.0.1) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA0000000001}) (Version: 10.0.1 - Adobe Systems Incorporated)
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 66 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218066F0}) (Version: 8.0.660.18 - Oracle Corporation)

Please post the log and let me know what problem persists.
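The mechanism behind the two fixes above is worth making explicit. The Run value kept coming back because the scheduled task Antea (the brief black cmd window the topic starter noticed) runs REG ADD to re-create it on every trigger, and explorer.exe handed a URL simply opens that URL in the default browser. Removing the value with fixme.reg alone would therefore not last; the FRST fixlist also has to remove the task. The script below is an added example, not code from this thread, from nasdaq or from the FRST tool: it reads "Task:" lines in the format FRST prints and links any task whose action is a REG ADD against a ...\CurrentVersion\Run or RunOnce key to the value it plants. The sample log is constructed from the task lines shown above plus one made-up REG ADD to a non-autostart key (placeholder GUID, invented vendor name) to show that the filter ignores it.

```python
"""Triage helper for FRST "Task:" lines: find scheduled tasks that re-plant a Run value.

Added example for this thread; it is not code from BleepingComputer, nasdaq or
the FRST tool. It links a task whose action is a REG ADD against a
...\\CurrentVersion\\Run key to the value it writes, which is why deleting
that value by hand does not last.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the FRST output in this thread: the task
# seen here, one benign task, and an invented REG ADD to a non-Run key
# (placeholder GUID, made-up vendor) to show that the filter ignores it.
SAMPLE_LOG = r"""
Task: {71C879FF-1667-4F5F-9CF4-A7B03D5C1CE3} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: {98CD67E6-7649-4E1D-A0EB-8C486E011E15} - System32\Tasks\Antea => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Antea /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleVendor => /c REG ADD HKCU\Software\ExampleVendor /f /v Installed /t REG_SZ /d "1"
"""

# "Task: {GUID} - <task path> => <action>" with an optional FRST ATTENTION marker
TASK_LINE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<path>.+?) => (?P<action>.*?)"
    r"(?: <==== ATTENTION.*)?$"
)
REG_ADD = re.compile(r"\bREG ADD\s+(?P<key>\S+)(?P<rest>.*)$", re.IGNORECASE)
FLAG_V = re.compile(r"/v\s+(?P<name>\S+)", re.IGNORECASE)
FLAG_D = re.compile(r'/d\s+"(?P<data>[^"]*)"', re.IGNORECASE)
# Autostart keys a planted value would land in (RunOnce included)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# FRST defangs URLs as hxxp://; accept both spellings
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://(?P<host>[^\s/\"]+)", re.IGNORECASE)


@dataclass
class Finding:
    task_guid: str
    task_path: str
    run_key: str
    value_name: str
    value_data: str
    host: Optional[str]  # host of the URL the Run value opens, if any


def parse_reg_add(action: str) -> Optional[Tuple[str, str, str]]:
    """Return (key, value name, value data) if the action is a REG ADD, else None."""
    m = REG_ADD.search(action)
    if not m:
        return None
    v = FLAG_V.search(m.group("rest"))
    d = FLAG_D.search(m.group("rest"))
    if not (v and d):
        return None
    return m.group("key"), v.group("name"), d.group("data")


def find_run_key_rewriters(log_text: str) -> List[Finding]:
    """Scheduled tasks whose action writes a value into a Run/RunOnce key."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        tm = TASK_LINE.match(line.strip())
        if not tm:
            continue
        parsed = parse_reg_add(tm.group("action"))
        if parsed is None:
            continue
        key, name, data = parsed
        if not RUN_KEY.search(key):
            continue  # REG ADD elsewhere in the registry: not an autostart entry
        um = URL_RE.search(data)
        findings.append(Finding(tm.group("guid"), tm.group("path"), key, name,
                                data, um.group("host") if um else None))
    return findings


def describe(f: Finding) -> str:
    """One-line triage note: which task re-creates which value, and what it launches."""
    what = f"opens {f.host} in the default browser" if f.host else f"runs {f.value_data!r}"
    return (f"task {f.task_path} ({f.task_guid}) re-creates {f.run_key}\\{f.value_name}, "
            f"which {what}; remove the task as well as the value")


if __name__ == "__main__":
    for finding in find_run_key_rewriters(SAMPLE_LOG):
        print(describe(finding))
```

Run against the sample, the script reports only the Antea task, naming the Run value it re-creates and the host it opens; the Skillbrains updater (no REG ADD) and the made-up non-Run REG ADD are ignored. On a real FRST.txt the same function can be pointed at the whole file, since non-matching lines are skipped.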

#3 Spawni

  • Topic Starter
  • Members

Posted 23 August 2016 - 11:42 AM

Thank you so much for the quick response! You have been great help!

 

 

My pc was restarted several times, and it appears that the website (sd-steam.info) no longer comes up! I did receive a popup for Block Site thanking me for installing on the first boot (browser restart perhaps).

I have looked through Control Panel several times; however, I have been unable to locate Adobe Reader X, so I assume it was removed during the newer version's install (uncertain, as I was not present). I have also updated Java to the newest version through the website you have given me, and the old one has been removed without any problems.

 

FIXLOG.TXT

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-08-2016 01

Ran by Antea (23-08-2016 18:06:37) Run:1
Running from C:\Users\Antea\Downloads
Loaded Profiles: Antea (Available Profiles: Antea)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\...\Run: [AdobeBridge] => [X]
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
Toolbar: HKU\S-1-5-21-1045298776-4018183215-3565104372-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:21:26&v=17.3.0.49&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={8F05D898-705C-4162-A028-4AA1AE2B46DE}&mid=ce5c99748ffa4d818f62a0c33fd3225a-c4d7a0646fe52238f74978ec7bdb00614363ffa0&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-11 18:... (long line)
CHR Extension: (Chrome Web Store Payments) - C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-20]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx <not found>
Task: {71C879FF-1667-4F5F-9CF4-A7B03D5C1CE3} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: {7FE1B07B-3DE8-462B-8F7B-30976A397524} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {98CD67E6-7649-4E1D-A0EB-8C486E011E15} - System32\Tasks\Antea => /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Antea /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION
Task: {BF188D62-51BF-4B77-A072-F05C8DED1816} - System32\Tasks\update-S-1-5-21-1045298776-4018183215-3565104372-1000 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\update-S-1-5-21-1045298776-4018183215-3565104372-1000.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
AlternateDataStreams: C:\Users\Antea\AppData\Local\ARIMpUEC:iN9idYYGW5iRjF8NlgXbMLis [2344]
AlternateDataStreams: C:\Users\Antea\AppData\Local\Temporary Internet Files:okhruKhiKdf4fCHFZ7OwJ [2128]
U3 ard2nd9f; C:\Windows\System32\Drivers\ard2nd9f.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files (x86)\Skillbrains
C:\Windows\AutoKMS
C:\Windows\System32\Drivers\ard2nd9f.sys
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully
HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found. 
HKU\S-1-5-21-1045298776-4018183215-3565104372-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found. 
Chrome StartupUrls => removed successfully
C:\Users\Antea\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{71C879FF-1667-4F5F-9CF4-A7B03D5C1CE3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71C879FF-1667-4F5F-9CF4-A7B03D5C1CE3}" => key removed successfully
C:\Windows\System32\Tasks\update-sys => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\update-sys" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{7FE1B07B-3DE8-462B-8F7B-30976A397524}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7FE1B07B-3DE8-462B-8F7B-30976A397524}" => key removed successfully
C:\Windows\System32\Tasks\AutoKMS => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{98CD67E6-7649-4E1D-A0EB-8C486E011E15}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{98CD67E6-7649-4E1D-A0EB-8C486E011E15}" => key removed successfully
C:\Windows\System32\Tasks\Antea => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Antea" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BF188D62-51BF-4B77-A072-F05C8DED1816}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF188D62-51BF-4B77-A072-F05C8DED1816}" => key removed successfully
C:\Windows\System32\Tasks\update-S-1-5-21-1045298776-4018183215-3565104372-1000 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\update-S-1-5-21-1045298776-4018183215-3565104372-1000" => key removed successfully
C:\Windows\Tasks\AutoKMS.job => moved successfully
C:\Windows\Tasks\update-S-1-5-21-1045298776-4018183215-3565104372-1000.job => moved successfully
C:\Windows\Tasks\update-sys.job => moved successfully
C:\Users\Antea\AppData\Local\ARIMpUEC => ":iN9idYYGW5iRjF8NlgXbMLis" ADS removed successfully.
"C:\Users\Antea\AppData\Local\Temporary Internet Files" => ":okhruKhiKdf4fCHFZ7OwJ" ADS not found.
ard2nd9f => service not found.
gdrv => service removed successfully
Synth3dVsc => service removed successfully
tsusbhub => service removed successfully
VGPU => service removed successfully
"C:\Program Files (x86)\Skillbrains" => not found.
C:\Windows\AutoKMS => moved successfully
"C:\Windows\System32\Drivers\ard2nd9f.sys" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 69287433 B
Java, Flash, Steam htmlcache => 408886474 B
Windows/system/drivers => 165772135 B
Edge => 0 B
Chrome => 488026794 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 117851 B
systemprofile32 => 83526 B
LocalService => 132244 B
NetworkService => 83444 B
Antea => 1856961037 B
 
RecycleBin => 6434 B
EmptyTemp: => 2.8 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 18:06:54 ====

 

Once again, thank you a lot.



#4 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 23 August 2016 - 12:59 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#5 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 29 August 2016 - 08:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



