Hidden Trojan (laktrd), has been on pc for approx 9 months...found yesterday


7 replies to this topic

#1 Keck

Keck

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:28 PM

Posted 29 August 2016 - 11:25 AM

Hello,
 
First off, I would like to both thank ahead of time anyone who is looking at this and attempting to help, and apologize, as it will be quite a long post to effectively explain what is going on.
 
Approximately 9 months ago I started to experience a flickering problem with my pc.
Mostly with high video performance games, but sometimes I would notice it with other applications as well.
It progressively got worse over the months to the point I would stop playing some games and using different applications on my pc as it would just frustrate me.
Sometimes the flickering would get so bad that just typing (such as in this box now) I would have to backspace a dozen times per sentence as it wouldn't respond to keystrokes.
My Task Manager would always show as not responding.
 
After many months and multiple virus/malware scans nothing had shown up.
 
My cousin and I always loved to play video games together and we live far away and this had been our way to keep in contact.
 
We spent about 3 days looking up everything we could about the problem and I THOUGHT I found a fix... this is the article I found
 

1. Click Start.
2. In the Start Search textbox type Services.msc If prompted by the UAC, provide a password or confirmation. Click Continue.
3. Scroll down until you locate the entry that is labeled Desktop Window Manager Session Manager.
4. Right-Click on this service. Select Stop from the context menu.
5. Right Click once again on the entry. Select Properties from the context menu.
6. Go to the “General Tab” to change the start up type to Disabled. Click OK.
keckjoseph: http://forums.toshiba.com/t5/General-Troubleshooting/quot-Not-Responding-quot-message-flashing-amp-screen-flickers/td-p/79874

 
 
BOOM the flickering had stopped...even my test subject (DC Universe Online, which was the worst...the only way to log in was to type my username and password into a notepad and copy/paste it into the client)
 
But doing so did cause a smaller and slightly irritating issue which forced disabling aero effects and left my start menu, that I loved in black transparent, with a nasty win95/98 solid metal blue color...BUT I WAS FINE WITH IT.
 
A few months ago I received an email from my ISP
 

Dear Valued Verizon Customer,

Verizon has been notified that copyrighted content may have been shared using your Internet connection without permission of the copyright owner. 

What does this mean to me?

Content owners (for example, artists, moviemakers, authors) and their representatives routinely monitor peer-to-peer and file sharing networks to see if their content (like music, movies, and TV shows) is being shared without their permission (without it being paid for). If they notice somebody sharing their content without their permission through a Verizon account, they inform Verizon by sending us a notice along with information about the copyrighted work and the Verizon Internet protocol (IP) address of the computer sharing the content. As the primary account holder, you are responsible for making sure your account is not used for copyright infringement. Sharing content without the copyright owner's permission is a violation of U.S. copyright laws, and our terms of service and acceptable use policy. 

What was shared and when? 

File Name: Empire.2015.S02E17.HDTV.x264-FLEET[eztv].mkv
Content Title: EMPIRE (2015)
Timestamp: 05-23-2016 20:47:18 UTC
IP Address: *****
Notice ID: 222126659705

 
This made no sense to me at all as I have a MAC ADDRESS filter on my network...and there was no way any of my computers could have downloaded it...it was clearly a torrent file...but I thought maybe they goofed up and thought very little of it...I knew it wasn't from my house or my internet at all.
 
I purchased a brand new 2gb ddr5 video card thinking that might have been causing the issues...maybe the old card was going as it was a replacement, and after a little research we noticed the card that was in the pc was using more power than the power supply provided, so I picked up a 600w power supply and new card. They both helped with graphics and game play, but did not fix my aero & desktop window session manager problem.
 
For months I would play a game called League of Legends with my cousin and my lag (latency) would spike at times up to 400-1200ms...when normally it would be between 40-120ms. This would cause me to SCREAM at my 5 children to turn off all their phones, tablets, ps3s, pcs.  I would get quite upset about it...screaming and yelling that one of them was streaming or downloading something when they knew I was spending time with my cousin and LAST NIGHT it happened again...
 
THIS TIME...after everything was turned off the lag spikes continued...so my cousin Patrick and I spent 3 hours trying to figure out why.
 
We loaded the Resource Manager to see that Rundll32.dll was sending and receiving up to a total of 230,000 b/sec.
Patrick knows more than I do about this and said that it shouldn't be...he thought it was windows update...as he recently got a win10 pc that took him weeks to figure out how to disable auto updates...so I disabled all of the programs that even looked for updates...windows, my video card, adobe, java...you name it.
 
Still it continued to send and receive high amounts of data. So I started to google as did he while we spoke on raidcall about the issue and found msconfig.exe
 
BOOM AGAIN...under Startup was
 

msconfig.exe
Startup
Name: laktrd
Command: rundll32.exe "C:\Users\owner\AppData\Local\laktrd.dll",laktrd
Location:  HKCU\SOFTWARE\Micrsoft\Windows\CurrentVersion\Run

 
 
So I went into the appdata folder and deleted it...and the other 2 files that were placed in the folder at the same minute.
 
I also disabled it from startup.
 
Now there are no more data send/receive issues via rundll32.exe
 
 
Here's the kicker and where I still need help...I still cannot enable windows desktop session manager as the flickering is still there, so I still have no aero and windows basic color (the less important issue). But the file, even though deleted and not running on startup, is still on my PC...I have run Malwarebytes and Malicious Software Removal Tool (MRT.exe) and after 17 hours neither could find and remove it. 
 
Clearly I cannot simply delete the rundll32.exe file as it is a system file, but I need to get this attached trojan out of it...I am looking for help/advice as to how to remove this virus completely, or get a clean copy of rundll32.exe without reformatting my computer.
 
The virus was using my ISP as a VPN and causing me so many issues and even though it seems as though it is quarantined I don't know if this file could be written to come back again. So that is another concern.
 
Pat was able to find that there were only 2 of 27 virus scanners that were able to find this virus, however he didn't catch the names and lost the page, so we will be looking for that again today while waiting for replies.
 
Thank you again for anyone who is reading everything here and your time,
Keck

Edited by Al1000, 29 August 2016 - 11:54 AM.
remove IP address from quote
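The msconfig entry quoted in this post shows the pattern a responder looks for: a Run value that uses the legitimate, signed rundll32.exe as a host to load a DLL from a user-writable folder, so the indicator to hunt is the autostart value and the DLL path, not rundll32 itself. The following is an added Python example (not from this thread or from FRST) that parses such autostart values and flags that pattern; the sample values are constructed around the quoted entry, the export name on the ShadowPlay line and the whole "Updater" entry are placeholders, and fake_exists simulates the disk so the script runs offline on any OS (it uses ntpath for Windows path handling).

```python
import ntpath
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample of autostart (Run key) values for the demo. The first line
# is the msconfig entry quoted in this thread; the others are modelled on the
# FRST "Registry (Whitelisted)" lines, with a placeholder export name on the
# ShadowPlay line and one fully made-up entry ("Updater") for contrast.
SAMPLE_RUN_VALUES = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "laktrd",
     r'rundll32.exe "C:\Users\owner\AppData\Local\laktrd.dll",laktrd'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ShadowPlay",
     r"C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,PlaceholderExport"),
    (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run", "SunJavaUpdateSched",
     r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'rundll32 "C:\ProgramData\Tmp\upd.dll",Run /silent'),
]

# Directory markers an unprivileged user can write to; a DLL that rundll32
# loads from one of these is exactly the pattern seen in this thread.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass
class Finding:
    key: str
    name: str
    command: str
    dll: str
    export: Optional[str]
    reasons: List[str] = field(default_factory=list)


def _take_token(s: str) -> Tuple[str, str]:
    """Split off the first command-line token, honouring double quotes."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:])
    parts = s.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) == 2 else "")


def parse_rundll32(command: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll_path, export) when the command invokes rundll32, else None.

    rundll32 takes '<dll>,<entrypoint>' as its first argument; the DLL part is
    quoted when the path contains spaces, so the comma may sit outside the quotes.
    """
    exe, rest = _take_token(command)
    if ntpath.basename(exe).lower() not in ("rundll32.exe", "rundll32"):
        return None
    quoted = rest.lstrip().startswith('"')
    first, tail = _take_token(rest)
    if quoted:
        m = re.match(r"\s*,\s*(\S+)", tail)
        return first, (m.group(1) if m else None)
    dll, _, export = first.partition(",")
    return dll, (export or None)


def triage(values: Iterable[Tuple[str, str, str]],
           exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Parse every rundll32-hosted autostart value and attach triage reasons."""
    findings: List[Finding] = []
    for key, name, command in values:
        parsed = parse_rundll32(command)
        if parsed is None:
            continue  # not rundll32-hosted; out of scope for this check
        dll, export = parsed
        f = Finding(key, name, command, dll, export)
        low = dll.lower()
        if "\\" not in low:
            f.reasons.append("bare DLL name is resolved through the search path")
        elif any(marker in low for marker in USER_WRITABLE_MARKERS):
            f.reasons.append("DLL lives in a user-writable directory")
        if not exists(dll):
            # The value survives after the file is deleted (as in this thread);
            # it should be removed rather than left to reference a missing DLL.
            f.reasons.append("DLL is missing on disk (orphaned autostart value)")
        findings.append(f)
    return findings


def suspicious_names(values: Iterable[Tuple[str, str, str]],
                     exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Names of rundll32-hosted autostart values that raised at least one reason."""
    return [f.name for f in triage(values, exists) if f.reasons]


def fake_exists(path: str) -> bool:
    """Simulated disk for the offline demo: only files under C:\\Windows exist."""
    return path.lower().startswith("c:\\windows\\")


if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_VALUES, fake_exists):
        verdict = "SUSPECT" if f.reasons else "ok"
        print(f"{verdict:7} {f.key}\\{f.name}: {f.dll},{f.export}")
        for reason in f.reasons:
            print(f"         - {reason}")
```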



#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:28 PM

Posted 30 August 2016 - 09:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===

Please post the logs.

#3 Keck

Keck
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:28 PM

Posted 30 August 2016 - 02:02 PM

nasdaq,

 

First thank you so much for responding, I really appreciate the help and your time :)

Here is the copy/paste from the FRST.txt file

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-08-2016

Ran by owner (administrator) on KECK (30-08-2016 14:52:54)
Running from C:\Users\owner\Downloads\FarBar
Loaded Profiles: owner (Available Profiles: owner)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
() C:\Windows\SysWOW64\AmoWindowService.exe
(Apple Inc.) C:\Program Files (x86)\Xamarin\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\Bluetooth Software\btwdins.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(Hewlett-Packard ) C:\Program Files\IDT\WDM\beats64.exe
(VIA Technologies, Inc.) C:\VIA_XHCI\usb3Monitor.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Broadcom Corporation.) C:\Program Files\Bluetooth Software\BTTray.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Broadcom Corporation.) C:\Program Files\Bluetooth Software\BTStackServer.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\Steam\SteamApps\common\Sins of a Solar Empire Rebellion\Galaxy Forge\GalaxyForge.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Windows\System32\calc.exe
(Ironclad Games) C:\Program Files (x86)\Steam\SteamApps\common\Sins of a Solar Empire Rebellion\Sins of a Solar Empire Rebellion.exe
(Valve Corporation) C:\Program Files (x86)\Steam\GameOverlayUI.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [BeatsOSDApp] => C:\Program Files\IDT\WDM\beats64.exe [37888 2011-11-01] (Hewlett-Packard )
HKLM\...\Run: [VIAxHCUtl] => C:\VIA_XHCI\usb3Monitor.exe [331776 2011-07-12] (VIA Technologies, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1424896 2011-11-01] (IDT, Inc.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2397120 2016-06-14] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\nvspcap64.dll [1767944 2016-06-14] (NVIDIA Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1075296 2013-04-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2691480 2014-03-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3477640 2012-09-23] (Adobe Systems Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NPSStartup] => [X]
HKLM-x32\...\Run: [DivXMediaServer] => C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [1010144 2016-06-21] (DivX, LLC)
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKU\S-1-5-21-2183697155-2262375841-144936973-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-2183697155-2262375841-144936973-1000\...\Run: [AutoStartNPSAgent] => C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe [95576 2010-07-04] (Samsung Electronics Co., Ltd.)
HKU\S-1-5-21-2183697155-2262375841-144936973-1000\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3696912 2014-03-04] (Disc Soft Ltd)
HKU\S-1-5-21-2183697155-2262375841-144936973-1000\...\MountPoints2: {a4d896dd-1dc1-11e4-983e-50e549d2e5c8} - J:\VerizonWirelessUpgradeAssistantSetup.exe -a
HKU\S-1-5-21-2183697155-2262375841-144936973-1000\...\MountPoints2: {ee72b011-ad1b-11e2-a52e-806e6f6e6963} - D:\Autorun.exe
HKU\S-1-5-21-2183697155-2262375841-144936973-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
Lsa: [Notification Packages] scecli C:\Program Files\Bluetooth Software\BtwProximityCP.dll
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll [2014-03-20] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll [2014-03-20] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll [2014-03-20] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2016-01-23]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{4DBC2CC2-B58D-4970-A3BC-5992E5CE3CB4}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2183697155-2262375841-144936973-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM-x32 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = 
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-08-09] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2012-09-23] (Adobe Systems Incorporated)
BHO-x32: Microsoft Web Test Recorder 14.0 Helper -> {b924f0b4-0b3c-49c0-bab2-213fb9ebd1d3} -> C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll [2015-07-07] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-08-09] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2012-09-23] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2012-09-23] (Adobe Systems Incorporated)
DPF: HKLM-x32 {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1259.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
 
FireFox:
========
FF ProfilePath: C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\uk6juro9.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF DefaultSearchUrl: 
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-13] ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll [2014-05-22] (DivX, LLC.)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2014-03-21] (Adobe Systems)
FF Plugin: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll [2013-01-23] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-13] ()
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll [2014-05-22] (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll [2016-06-22] (DivX, LLC)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-08-09] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-08-09] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-07-10] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-07-10] (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @raidcall.en/RCplugin -> C:\Users\owner\AppData\Roaming\raidcall\plugins\nprcplugin.dll [2014-03-10] (Raidcall)
FF Plugin-x32: @raidcall.tw/RCplugin -> C:\Users\owner\AppData\Roaming\RCTW\plugins\nprcplugin.dll [2013-06-25] (Raidcall)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2012-09-23] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2014-03-21] (Adobe Systems)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll [2013-01-23] (Adobe Systems)
FF Plugin HKU\S-1-5-21-2183697155-2262375841-144936973-1000: @my.com/Games -> C:\Users\owner\AppData\Local\MyComGames\NPMyComDetector.dll [2016-05-18] (MY.COM B.V.)
FF Plugin HKU\S-1-5-21-2183697155-2262375841-144936973-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\owner\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-03-10] (Unity Technologies ApS)
FF user.js: detected! => C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\uk6juro9.default\user.js [2014-12-13]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2016-04-12] [not signed]
 
Chrome: 
=======
CHR Profile: C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-01-23]
CHR Extension: (Google Docs) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-01-23]
CHR Extension: (Google Drive) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-23]
CHR Extension: (YouTube) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-23]
CHR Extension: (Google Search) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-23]
CHR Extension: (Adobe Acrobat) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2016-01-24]
CHR Extension: (Google Sheets) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-01-23]
CHR Extension: (Google Docs Offline) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Gmail) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-01-23]
CHR Extension: (Chrome Media Router) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-29]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2012-09-23]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-12-19] (Advanced Micro Devices, Inc.) [File not signed]
R2 Amodb Service; C:\Windows\SysWOW64\AmoWindowService.exe [245248 2016-01-21] () [File not signed]
R2 Bonjour Service; C:\Program Files (x86)\Xamarin\Bonjour\mDNSResponder.exe [394752 2015-07-15] (Apple Inc.) [File not signed]
R2 btwdins; C:\Program Files\Bluetooth Software\btwdins.exe [1005944 2012-09-24] (Broadcom Corporation.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163712 2016-06-14] (NVIDIA Corporation)
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9728 2015-12-30] (Hi-Rez Studios) [File not signed]
R2 IpOverUsbSvc; C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe [21184 2016-03-29] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-06-14] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [3632576 2016-06-14] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2521024 2016-06-14] (NVIDIA Corporation)
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [188072 2015-11-04] ()
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 Te.Service; C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF\Wex.Services.exe [137216 2016-03-29] (Microsoft Corporation) [File not signed]
S3 VSStandardCollectorService140; C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\StandardCollector.Service.exe [56552 2016-03-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 amdkmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [11172864 2012-04-26] (Advanced Micro Devices, Inc.) [File not signed]
S3 amdkmdap; C:\Windows\System32\DRIVERS\atikmpag.sys [339456 2012-04-26] (Advanced Micro Devices, Inc.) [File not signed]
S3 dg_ssudbus; C:\Windows\System32\DRIVERS\ssudbus.sys [129152 2016-04-25] (Samsung Electronics Co., Ltd.)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-03-24] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 EvolveVirtualAdapter; C:\Windows\System32\DRIVERS\evolve.sys [21656 2016-07-01] (Echobit, LLC)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-06-14] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [56384 2016-04-14] (NVIDIA Corporation)
R2 rzpmgrk; C:\Windows\system32\drivers\rzpmgrk.sys [37184 2015-09-22] (Razer, Inc.)
R2 rzpnk; C:\Windows\system32\drivers\rzpnk.sys [130880 2015-12-14] (Razer, Inc.)
R1 VBoxUSBMon; C:\Windows\System32\DRIVERS\VBoxUSBMon.sys [127432 2015-09-16] (BigNox Corporation)
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [204800 2011-11-14] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [256000 2011-11-14] (VIA Technologies, Inc.)
R1 XQHDrv; C:\Windows\System32\DRIVERS\XQHDrv.sys [253384 2015-09-15] (BigNox Corporation)
R1 XQHDrv; C:\Windows\SysWOW64\DRIVERS\XQHDrv.sys [253384 2015-09-15] (BigNox Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-30 14:52 - 2016-08-30 14:52 - 00000000 ____D C:\FRST
2016-08-30 14:50 - 2016-08-30 14:52 - 00000000 ____D C:\Users\owner\Downloads\FarBar
2016-08-26 21:52 - 2016-08-26 21:54 - 63658806 _____ C:\Users\owner\Downloads\com.nianticlabs.pokemongo_0.35.0-2016082200_minAPI19(armeabi-v7a)(nodpi)_apkmirror.com.apk
2016-08-21 22:03 - 2016-08-21 22:03 - 02735107 _____ C:\Users\owner\Downloads\TemplateSheet_Icons_96x96 (1).psd
2016-08-21 20:46 - 2016-08-21 20:46 - 00087508 _____ C:\Users\owner\Downloads\Poison Spitter.dds
2016-08-21 19:50 - 2016-08-21 19:50 - 00000132 _____ C:\Users\owner\AppData\Roaming\Adobe GIF Format CS6 Prefs
2016-08-21 19:19 - 2016-08-21 19:19 - 02735107 _____ C:\Users\owner\Downloads\TemplateSheet_Icons_96x96.psd
2016-08-20 16:44 - 2016-08-20 16:46 - 01842658 _____ C:\Users\owner\Downloads\ODD 1.0.7z
2016-08-16 09:53 - 2016-08-16 09:53 - 00000000 ____D C:\Users\owner\AppData\Local\razer
2016-08-16 09:53 - 2016-08-16 09:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Razer
2016-08-16 09:53 - 2015-12-14 17:24 - 00130880 _____ (Razer, Inc.) C:\Windows\system32\Drivers\rzpnk.sys
2016-08-16 09:52 - 2016-08-16 09:53 - 00000000 ____D C:\ProgramData\Razer
2016-08-16 09:52 - 2016-08-16 09:53 - 00000000 ____D C:\Program Files (x86)\Razer
2016-08-16 09:52 - 2015-09-22 17:36 - 00037184 _____ (Razer, Inc.) C:\Windows\system32\Drivers\rzpmgrk.sys
2016-08-16 09:42 - 2016-08-16 09:48 - 152766304 _____ (Razer Inc.) C:\Users\owner\Downloads\RazerComms5.12.59.exe
2016-08-13 20:48 - 2016-08-13 20:51 - 64461254 _____ C:\Users\owner\Downloads\com.nianticlabs.pokemongo_0.33.0-2016080700_minAPI19(armeabi-v7a)(nodpi)_apkmirror.com.apk
2016-08-13 10:39 - 2015-09-16 02:07 - 00127432 _____ (BigNox Corporation) C:\Windows\system32\Drivers\VBoxUSBMon.sys
2016-08-13 10:38 - 2016-08-13 10:39 - 00000000 ____D C:\Program Files\Bignox
2016-08-13 10:38 - 2015-09-15 23:29 - 00253384 _____ (BigNox Corporation) C:\Windows\system32\Drivers\XQHDrv.sys
2016-08-13 10:37 - 2016-08-13 10:37 - 00000000 ____D C:\Users\owner\AppData\Roaming\Nox
2016-08-13 10:21 - 2016-08-13 10:31 - 372662088 _____ (Duodian Technology Co. Ltd.) C:\Users\owner\Downloads\nox_setup_v3.7.1.0_full_en_pokemon_0801.exe
2016-08-10 23:04 - 2016-08-10 23:04 - 00000000 ____D C:\Users\owner\.QtWebEngineProcess
2016-08-10 23:04 - 2016-08-10 23:04 - 00000000 ____D C:\Users\owner\.Glyph
2016-08-10 22:57 - 2016-08-21 17:14 - 00000000 ____D C:\Users\owner\AppData\Roaming\NVIDIA
2016-08-09 19:54 - 2016-08-09 19:54 - 00000000 ____D C:\Users\owner\AppData\Roaming\Carbon
2016-08-09 14:53 - 2016-08-09 14:53 - 00000000 ____D C:\Users\owner\AppData\LocalLow\Trion Worlds
2016-08-09 13:21 - 2016-07-10 22:13 - 01887800 _____ (NVIDIA Corporation) C:\Windows\system32\NvCamera64.dll
2016-08-09 13:21 - 2016-07-10 22:13 - 01595840 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvCamera32.dll
2016-08-09 13:21 - 2016-06-14 16:01 - 00112216 _____ C:\Windows\system32\NvRtmpStreamer64.dll
2016-08-09 13:20 - 2016-08-09 13:20 - 00000000 ____D C:\Program Files (x86)\VulkanRT
2016-08-09 13:20 - 2016-07-10 19:17 - 00547896 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshext.dll
2016-08-09 13:20 - 2016-07-10 19:17 - 00081856 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshextr.dll
2016-08-09 13:20 - 2016-07-10 18:36 - 00127424 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2016-08-09 13:20 - 2016-05-03 22:23 - 00129824 _____ C:\Windows\SysWOW64\vulkan-1.dll
2016-08-09 13:20 - 2016-05-03 22:22 - 00130848 _____ C:\Windows\system32\vulkan-1.dll
2016-08-09 13:20 - 2016-05-03 22:22 - 00045344 _____ C:\Windows\system32\vulkaninfo.exe
2016-08-09 13:20 - 2016-05-03 22:22 - 00040224 _____ C:\Windows\SysWOW64\vulkaninfo.exe
2016-08-09 13:18 - 2016-07-15 14:15 - 00214592 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda64v.sys
2016-08-09 13:18 - 2016-07-15 14:15 - 00046016 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap64.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 39977920 _____ C:\Windows\system32\nvcompiler.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 35115968 _____ C:\Windows\SysWOW64\nvcompiler.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 31640512 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 25414080 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 19220352 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 14371384 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 13581880 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2016-08-09 13:18 - 2016-07-10 22:13 - 10691632 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 10656112 _____ C:\Windows\system32\nvptxJitCompiler.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 10234336 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 09020656 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 08742360 _____ C:\Windows\SysWOW64\nvptxJitCompiler.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 08615336 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 03542072 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 03393576 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 03099072 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 01939000 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6436881.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 01571776 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6436881.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 01001016 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00930360 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00909880 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00852024 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00694672 _____ C:\Windows\system32\nvfatbinaryLoader.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00583736 _____ C:\Windows\SysWOW64\nvfatbinaryLoader.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00490744 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00406064 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00177952 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00155768 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00153416 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00131584 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2016-08-09 13:18 - 2016-07-10 22:13 - 00000594 _____ C:\Windows\SysWOW64\nv-vk32.json
2016-08-09 13:18 - 2016-07-10 22:13 - 00000594 _____ C:\Windows\system32\nv-vk64.json
2016-08-09 13:18 - 2016-04-14 01:38 - 00102976 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2016-08-09 13:18 - 2016-04-14 01:38 - 00056384 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2016-08-09 11:36 - 2016-08-09 11:44 - 357682568 _____ (NVIDIA Corporation) C:\Users\owner\Downloads\368.81-desktop-win8-win7-winvista-64bit-international-whql.exe
2016-08-09 11:16 - 2016-08-09 11:24 - 359350576 _____ (NVIDIA Corporation) C:\Users\owner\Downloads\369.05-desktop-win8-win7-winvista-64bit-international-whql.exe
2016-08-09 10:58 - 2016-08-09 11:07 - 360576160 _____ (NVIDIA Corporation) C:\Users\owner\Downloads\368.81-desktop-win10-64bit-international-whql.exe
2016-08-09 10:19 - 2016-08-28 00:29 - 00000000 ____D C:\ProgramData\NVIDIA
2016-08-09 10:19 - 2016-08-09 13:22 - 00000000 ____D C:\Users\owner\AppData\Local\NVIDIA
2016-08-09 10:19 - 2016-07-10 19:17 - 06384064 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2016-08-09 10:19 - 2016-07-10 19:17 - 02465848 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll
2016-08-09 10:19 - 2016-07-10 19:17 - 01762752 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2016-08-09 10:19 - 2016-07-10 19:17 - 01364536 _____ (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
2016-08-09 10:19 - 2016-07-10 19:17 - 00392128 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2016-08-09 10:19 - 2016-07-10 19:17 - 00071224 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2016-08-09 10:19 - 2016-07-07 13:03 - 07211925 _____ C:\Windows\system32\nvcoproc.bin
2016-08-09 10:19 - 2016-06-14 16:01 - 01767944 _____ (NVIDIA Corporation) C:\Windows\system32\nvspcap64.dll
2016-08-09 10:19 - 2016-06-14 16:01 - 01756424 _____ (NVIDIA Corporation) C:\Windows\system32\nvspbridge64.dll
2016-08-09 10:19 - 2016-06-14 16:01 - 01377800 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2016-08-09 10:19 - 2016-06-14 16:01 - 01316184 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspbridge.dll
2016-08-09 10:18 - 2016-07-10 22:13 - 17321352 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2016-08-09 10:18 - 2016-07-10 22:13 - 16790552 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2016-08-09 10:18 - 2016-07-10 22:13 - 03840096 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2016-08-09 10:18 - 2016-07-10 22:13 - 00039124 _____ C:\Windows\system32\nvinfo.pb
2016-08-09 10:18 - 2016-04-14 01:38 - 00113216 _____ (NVIDIA Corporation) C:\Windows\system32\nvaudcap64v.dll
2016-08-09 10:18 - 2014-07-02 16:48 - 01890080 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6434052.dll
2016-08-09 10:18 - 2014-07-02 16:48 - 01539928 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6434052.dll
2016-08-02 09:14 - 2016-08-02 09:13 - 573512691 _____ C:\Users\owner\Desktop\IME Visit 06292016.mp4
2016-08-01 20:54 - 2016-08-01 20:58 - 00000000 ____D C:\Users\owner\Downloads\Criminal 2016 1080p BluRay x264 DTS-JYK
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-08-30 14:51 - 2014-12-13 17:26 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-30 14:28 - 2013-04-29 18:24 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-30 14:00 - 2013-05-08 20:18 - 00000000 ____D C:\Program Files (x86)\Steam
2016-08-30 13:59 - 2013-10-15 19:48 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-08-30 10:19 - 2009-07-14 00:45 - 00023904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-30 10:19 - 2009-07-14 00:45 - 00023904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-29 19:28 - 2013-04-29 18:24 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-29 16:35 - 2016-02-18 17:32 - 00003856 _____ C:\Users\owner\Documents\Report Card Payout.txt
2016-08-29 16:34 - 2013-04-26 16:32 - 00007580 _____ C:\Users\owner\AppData\Local\resmon.resmoncfg
2016-08-28 22:17 - 2013-04-30 20:07 - 00000000 ____D C:\Users\owner\AppData\Local\Adobe
2016-08-28 00:35 - 2009-07-14 01:13 - 00782470 _____ C:\Windows\system32\PerfStringBackup.INI
2016-08-28 00:35 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-08-28 00:29 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-27 18:13 - 2016-07-29 10:53 - 00000000 ____D C:\Users\owner\AppData\Local\Nox
2016-08-27 09:15 - 2016-04-19 00:18 - 00000000 ____D C:\Users\owner\.android
2016-08-27 09:14 - 2016-07-29 10:55 - 00000000 ____D C:\Users\owner\vmlogs
2016-08-27 09:14 - 2016-07-29 10:54 - 00000000 ____D C:\Users\owner\.BigNox
2016-08-27 08:59 - 2015-10-06 09:19 - 00000000 ____D C:\Users\owner\AppData\Local\CrashDumps
2016-08-26 10:23 - 2013-11-25 17:40 - 00000000 ____D C:\ProgramData\Package Cache
2016-08-26 10:23 - 2013-05-10 14:33 - 00000000 ____D C:\Users\owner\Documents\My Games
2016-08-25 10:50 - 2016-07-21 13:03 - 00000000 ____D C:\Users\owner\Desktop\Canada
2016-08-25 10:50 - 2015-11-02 11:54 - 00000000 ____D C:\Users\owner\Desktop\Comp
2016-08-21 19:53 - 2014-03-24 00:57 - 00000132 _____ C:\Users\owner\AppData\Roaming\Adobe PNG Format CS6 Prefs
2016-08-21 08:08 - 2013-04-29 17:03 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-08-20 16:01 - 2013-05-16 09:40 - 00008212 _____ C:\Users\owner\AppData\Roaming\wklnhst.dat
2016-08-19 18:30 - 2013-04-29 18:24 - 00000000 ____D C:\Program Files (x86)\Google
2016-08-16 13:31 - 2013-11-23 12:07 - 00000000 ____D C:\Program Files (x86)\Zenimax Online
2016-08-16 13:27 - 2013-04-24 13:28 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-08-16 13:27 - 2009-07-14 01:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-08-16 13:24 - 2016-05-18 09:41 - 00000000 ____D C:\Users\owner\AppData\Local\Glyph
2016-08-13 10:38 - 2016-07-29 10:53 - 00000000 ____D C:\Program Files\DIFX
2016-08-13 10:38 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
2016-08-10 23:04 - 2013-04-24 13:26 - 00000000 ____D C:\Users\owner
2016-08-09 14:41 - 2016-01-23 21:19 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-09 13:22 - 2015-09-14 10:38 - 00000000 ____D C:\Users\owner\AppData\Local\NVIDIA Corporation
2016-08-09 13:21 - 2016-07-22 00:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2016-08-09 13:21 - 2013-04-29 17:02 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2016-08-09 10:47 - 2016-04-18 23:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit
2016-08-09 10:47 - 2016-02-20 13:15 - 00000000 ____D C:\Program Files (x86)\Java
2016-08-09 10:47 - 2015-07-16 09:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-08-09 10:47 - 2013-10-15 19:54 - 00000000 ____D C:\ProgramData\Oracle
2016-08-09 10:46 - 2015-10-21 07:10 - 00000000 ____D C:\Users\owner\.oracle_jre_usage
2016-08-09 10:46 - 2015-07-16 09:45 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-08-09 10:19 - 2013-04-29 17:03 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2016-08-09 10:19 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\Help
2016-08-02 19:28 - 2013-04-29 18:44 - 00000000 ____D C:\Users\owner\AppData\Roaming\BitTorrent
2016-08-01 10:21 - 2014-02-01 22:24 - 00000000 ____D C:\ProgramData\CanonIJPLM
 
==================== Files in the root of some directories =======
 
2014-03-23 12:41 - 2014-03-23 12:47 - 0001194 _____ () C:\Users\owner\AppData\Roaming\ACInitialize.log
2016-08-21 19:50 - 2016-08-21 19:50 - 0000132 _____ () C:\Users\owner\AppData\Roaming\Adobe GIF Format CS6 Prefs
2014-03-24 00:57 - 2016-08-21 19:53 - 0000132 _____ () C:\Users\owner\AppData\Roaming\Adobe PNG Format CS6 Prefs
2013-05-16 09:40 - 2016-08-20 16:01 - 0008212 _____ () C:\Users\owner\AppData\Roaming\wklnhst.dat
2016-07-10 19:21 - 2016-07-10 19:21 - 0004608 _____ () C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-07-22 15:56 - 2016-07-22 15:56 - 0004618 _____ () C:\Users\owner\AppData\Local\recently-used.xbel
2013-04-26 16:32 - 2016-08-29 16:34 - 0007580 _____ () C:\Users\owner\AppData\Local\resmon.resmoncfg
2016-01-25 23:16 - 2016-01-25 23:18 - 0000614 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
 
Some files in TEMP:
====================
C:\Users\owner\AppData\Local\Temp\AAMHelper.exe
C:\Users\owner\AppData\Local\Temp\AdobeApplicationManager.exe
C:\Users\owner\AppData\Local\Temp\brastub_amobl_inst.exe
C:\Users\owner\AppData\Local\Temp\Creative Cloud Helper.exe
C:\Users\owner\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\owner\AppData\Local\Temp\GdiPlus.dll
C:\Users\owner\AppData\Local\Temp\GenericUninstall.exe
C:\Users\owner\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe
C:\Users\owner\AppData\Local\Temp\HiRezLauncherControls.dll
C:\Users\owner\AppData\Local\Temp\hsbing_717_active.exe
C:\Users\owner\AppData\Local\Temp\installapi.exe
C:\Users\owner\AppData\Local\Temp\InstallerMessageBox.exe
C:\Users\owner\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\owner\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\owner\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\owner\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\owner\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\owner\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\owner\AppData\Local\Temp\jre-8u101-windows-au.exe
C:\Users\owner\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\owner\AppData\Local\Temp\jre-8u40-windows-au.exe
C:\Users\owner\AppData\Local\Temp\jre-8u45-windows-au.exe
C:\Users\owner\AppData\Local\Temp\jre-8u51-windows-au.exe
C:\Users\owner\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\owner\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\owner\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\owner\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\owner\AppData\Local\Temp\MSETUP4.EXE
C:\Users\owner\AppData\Local\Temp\NPSInstallerProxy.exe
C:\Users\owner\AppData\Local\Temp\NPSInstallerProxyMessageBoxHookDll.dll
C:\Users\owner\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\owner\AppData\Local\Temp\nvStInst.exe
C:\Users\owner\AppData\Local\Temp\Runner2.exe
C:\Users\owner\AppData\Local\Temp\Runner4.exe
C:\Users\owner\AppData\Local\Temp\setup.dll
C:\Users\owner\AppData\Local\Temp\swt-win32-3740.dll
C:\Users\owner\AppData\Local\Temp\uninstall.exe
C:\Users\owner\AppData\Local\Temp\uninstaller.exe
C:\Users\owner\AppData\Local\Temp\utils.dll
C:\Users\owner\AppData\Local\Temp\uttDB28.tmp.exe
C:\Users\owner\AppData\Local\Temp\WSSetup.exe
C:\Users\owner\AppData\Local\Temp\_is9B06.exe
C:\Users\owner\AppData\Local\Temp\_isC5ED.exe
C:\Users\owner\AppData\Local\Temp\{6F653AB0-9FDB-40EC-9AB8-54EC28B7316A}-ciff-3.2.0-12247.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-08-28 09:00
 
==================== End of FRST.txt ============================

 

Also I have attached the Addition.txt file as requested.

 

Attached File  Addition.txt   81.82KB   2 downloads

 

Again thank you so much for your time and efforts in helping me fix this.

 

I have found a website that says 3/86 virus scanners were able to find it, but 2 are business programs and the 3rd isn't inexpensive. And I am currently disabled and out of work so finances are not amazing.

 

Thank you again,

Keck



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:28 PM

Posted 31 August 2016 - 12:21 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

C:\Windows\SysWOW64\AmoWindowService.exe
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [NPSStartup] => [X]
HKU\S-1-5-21-2183697155-2262375841-144936973-1000\...\Run: [AdobeBridge] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2183697155-2262375841-144936973-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF user.js: detected! => C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\uk6juro9.default\user.js [2014-12-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
R2 Amodb Service; C:\Windows\SysWOW64\AmoWindowService.exe [245248 2016-01-21] () [File not signed]
AlternateDataStreams: C:\Windows\system32\Drivers\sdfhgdf.sys:{799ecd20-c226-11e5-b4a0-74de2b79a921} [20]
AlternateDataStreams: C:\Windows\system32\Drivers\sdfhgdf.sys:{799ecd21-c226-11e5-b4a0-74de2b79a921} [31]
AlternateDataStreams: C:\Windows\system32\Drivers\sdfhgdf.sys:{9e52f855-c22b-11e5-9b19-74de2b79a921} [20]
AlternateDataStreams: C:\Windows\system32\Drivers\sdfhgdf.sys:{9e52f856-c22b-11e5-9b19-74de2b79a921} [31]
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\laktrd
MSCONFIG\startupreg: laktrd => rundll32.exe "C:\Users\owner\AppData\Local\laktrd.dll",laktrd
C:\Users\owner\AppData\Local\laktrd.dll
C:\Windows\SysWOW64\AmoWindowService.exe
C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the log and let me know what problems persists.
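After the reboot, a quick way to confirm that none of the persistence points in the fixlist above came back is a PowerShell audit like the one below. This is an added example, not FRST output and not part of nasdaq's instructions: every path, registry key, SID and service name is taken from the fixlist, and the only generalisation is the final sweep, which flags any rundll32 autorun that loads a DLL from a user profile (the shape of the laktrd entry) across every Run key and MSConfig startupreg entry.

```powershell
# Post-fix verification for the indicators named in the fixlist.
# Added example: not FRST output and not part of the Malware Response Team's
# instructions. All specific values below come from the fixlist in this thread.
# Run from an elevated PowerShell prompt after the reboot that follows the FRST fix.

$ErrorActionPreference = 'SilentlyContinue'
$sid      = 'S-1-5-21-2183697155-2262375841-144936973-1000'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Files and folders the fixlist moved. Anything still present means the fix did not complete.
$paths = @(
    'C:\Users\owner\AppData\Local\laktrd.dll',
    'C:\Windows\SysWOW64\AmoWindowService.exe',
    'C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("still present: $p") }
}

# 2. The unsigned service that launched AmoWindowService.exe.
$svc = Get-CimInstance Win32_Service -Filter "Name='Amodb Service'"
if ($svc) { $findings.Add("service still registered: $($svc.Name) -> $($svc.PathName)") }

# 3. The MSConfig startupreg key for laktrd and the orphaned Run values.
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\laktrd') {
    $findings.Add('MSConfig startupreg\laktrd key still exists')
}
$runKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # FRST's "HKLM-x32\...\Run"
    "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($name in 'NPSStartup', 'AdobeBridge') {
        if ($null -ne $props.$name) { $findings.Add("Run value still present: $key\$name") }
    }
}

# 4. Alternate data streams on the driver the fixlist cleaned. Only the default :$DATA
#    stream should remain; the GUID-named streams are what FRST removed.
$drv = 'C:\Windows\system32\Drivers\sdfhgdf.sys'
if (Test-Path -LiteralPath $drv) {
    $extra = Get-Item -LiteralPath $drv -Stream * | Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $extra) { $findings.Add("ADS still attached: ${drv}:$($s.Stream) [$($s.Length)]") }
    $sig = Get-AuthenticodeSignature -FilePath $drv
    $findings.Add("note: $drv is still installed, signature status = $($sig.Status)")
}

# 5. Generalised sweep: rundll32 autoruns that load a DLL from a user profile, in every
#    Run key and every MSConfig startupreg entry (the pattern laktrd used).
$sweep = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
) + @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg' |
      ForEach-Object { $_.PSPath })
foreach ($key in $sweep) {
    if (-not $key) { continue }
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        $v = [string]$prop.Value
        if ($v -match '(?i)rundll32' -and $v -match '(?i)\\Users\\[^\\]+\\AppData\\') {
            $findings.Add("rundll32 autorun from a user profile: $key [$($prop.Name)] = $v")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the fixlist remain.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A non-empty result is the list of items to paste back into the thread; the script changes nothing on disk or in the registry.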

#5 Keck

Keck
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 31 August 2016 - 07:38 PM

nasdaq,

 

First off thank you so much, that file you sent me has eradicated the laktrd file and all traces of it. Everything is working perfectly except DC Universe Online, but it was installed after the laktrd was downloaded and I don't really play it anymore. I am though, just to be sure, going to uninstall the game and download a fresh copy to see if that helps.

 

Attached is the Fixlog.txt file as requested.

Attached File  Fixlog.txt   5.6KB   1 downloads

 

Thank you again so much,

I will reply tomorrow as to if that one program works after a fresh install.

 

Thank You,

Keck

 

 

P.S. I hope this isn't against the rules, but this has been such a problem for so long and I'm so happy that you were able to fix so quickly what even Malwarebytes couldn't do, that I was wondering if you are allowed to accept something like a tip via PayPal.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:28 PM

Posted 01 September 2016 - 08:27 AM


Thank you for the offer but my services are free.
Make a contribution to this cause if possible.
http://www.bleepingcomputer.com/forums/t/604046/we-need-your-help-bleepingcomputer-is-being-sued-by-the-creators-of-spyhunter/?hl=%2Bspyhunter#entry3927248

Thank you.

===


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 Keck

Keck
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 02 September 2016 - 01:57 PM

Thank you I definitely will.

 

The virus seems to be completely gone; I still am having "flickering" (where programs are saying not responding in the task manager, then a second later they are not, and repeating).

This only happens when Windows Desktop Session Manager is enabled and also ONLY when Aero effects are on.

I am not sure if it is related or not, I do however know that the flickering is not nearly as bad as it was...it used to be that if I was in a game in a chat window I couldn't finish a single word without having to fix the word due to keystrokes not being recorded during the tenths of seconds the programs were not responding. Now it doesn't affect anything in game or the chat windows...but I still see programs on the task bar flicker. Also, more importantly, I do NOT have any kind of latency due to laktrd attached to rundll32.exe using my bandwidth, so for that I am very grateful.

I am not sure if there are any other suggestions you may have for me to look into as far as the screen flickering. Video card is new, wires are new, monitor is a 42" TV that works perfectly...and it seems to happen mostly when using programs that use a larger amount of memory (I have 10GB DDR3 RAM and none of them come close to using that though) and like I said it is much better after the file you sent me.

 

Thank you again,

Joseph 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,225 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:28 PM

Posted 03 September 2016 - 07:55 AM

Navigate to this page.
http://secunia.com/vulnerability_scanning/personal/

Download and install the Secunia PSI.

Run the application and update all the programs/drivers that need to be updated.

===
p.s.

Secunia will start looking for new updates every time you boot the system.
This is overkill. When all is well you can remove it using the Add/Remove Programs applet.

Keep me posted.



