
Self Reinstalling Malicious Software


5 replies to this topic

#1 Mhroczyn

Mhroczyn

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:26 PM

Posted 23 July 2017 - 12:29 PM

Hello. My PC is probably infected with malware, spyware or adware. This is what I've noticed: the problem only affects Google Chrome; the malware or adware is NOT installed, it only tries to install about 8 times every time I start Chrome and at random while Chrome is running, but my antivirus deletes these malicious files (I'm using ESET NOD32 Antivirus). Every time I start Chrome the program blocks these files. Is it possible that there is a file or files that are undetected and which start the installation of those files which the antivirus deletes?

I've used these programs to clean my PC but the problem keeps coming back: ESET NOD32 Antivirus scanning, Malwarebytes Anti-Malware, Junkware Removal Tool, Microsoft Windows Malicious Software Removal Tool, Farbar Recovery Scan Tool, Chrome Cleanup Tool.

I've run all these programs and the PC got clean, but after starting Windows and running Chrome something still tries to install files which are blocked by my antivirus. All programs show that the PC is clean except JRT: after starting Windows, but NOT before I run Chrome, JRT detects 2-4 files whose paths look like this:

Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3BWQYHRF (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\43PODFRA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDJUN9TK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D15STYW2 (Temporary Internet Files Folder)

The files are deleted, and after starting Windows they keep coming back. Earlier I was thinking that the malicious files were somehow connected with my Google Account, so I cleaned all synced data, completely removed Chrome and made a clean reinstall of it. It didn't help. Even without synced data, or even without logging into my account, ESET still prompted about detected self-installing files while starting Chrome after a CLEAN installation. I had a similar problem a few years back, but then removing all synced data from my Google account did the job (btw how the f@#$ does Google allow malicious software combined with my account data to be kept on their servers?!)

To sum up - I think that there is a file which is not detected by any of the programs I've used; this file must somehow install/unpack other files when starting Google Chrome. I'm deleting these files via JRT, but after the next system startup, and only after starting Chrome, these files show up again (can it be sth through the internet connection?). I don't know what to do and I'm afraid even to use my bank account.

Here are the paths which ESET shows me (the 4 above ESET doesn't detect, only JRT does):

Successfully deleted: C:\Users\User1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3BWQYHRF (Temporary Internet Files Folder)
Successfully deleted: C:\Users\User1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\43PODFRA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\User1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDJUN9TK (Temporary Internet Files Folder)
Successfully deleted: C:\Users\User1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D15STYW2 (Temporary Internet Files Folder)

C:\Users\User1\AppData\Local\Temp\scoped_dir_3040_17727\CRX_INSTALL\background.js (Danger: JS/Adware.Tablayouts.A aplication

C:\Users\User1\AppData\Local\Temp\scoped_dir_3040_7521\CRX_INSTALL\background.js (Danger: JS/Adware.Tablayouts.A aplication <---- A lot of those but with different numbers

c\users\user1\appdata\local\google\chrome\user data\default\extensions\bfkmdpfljdpopbemfaelnflapafblgn\0.9_0\bakcground.js (Danger: JS/Adware.Tablayouts.A aplication <---- Says that infection was found in file which starts automatically, object - Startup

I have two users on the PC and the same situation occurs on the second account.

Operating System: Windows 7 64 bit

Processor: AMD FX™-8350 Eight-Core Processor 4.00 GHz
RAM: 16 GB
Graphic Card: NVIDIA GeForce GTX 1070
Computer: Desktop
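The extension described above keeps coming back only when Chrome starts, which points at one of the places Chrome itself re-installs extensions from rather than at the deleted files; the FRST log later in the thread flags a Chrome group-policy key ("GroupPolicy: Restriction - Chrome") and a per-machine "external extension" registry entry, both of which are such places. The script below is an added, read-only audit example written for this thread; it is not the poster's, the helper's, or BleepingComputer's own tool and FRST does not produce it. It dumps Chrome's policy keys (an ExtensionInstallForcelist value "id;update-url" is re-installed on every launch), the external-extension registry entries, every extension folder in every user profile with the name and background script from its manifest.json, and any CRX_INSTALL staging folders left in Temp. Assumptions: PowerShell 3.0 or later (for ConvertFrom-Json and Get-Content -Raw), Chrome's default install and profile paths, and a $knownGood list that the reader fills in; the ids pre-filled there are the ones the FRST log attributes to Google and Adobe.

```powershell
# Chrome extension persistence audit (added example, not from the thread). Read-only.
# Run from an elevated PowerShell 3.0+ prompt so every user profile is readable.

# 1. Policy keys. FRST reports any key under these roots as "GroupPolicy: Restriction - Chrome".
#    ExtensionInstallForcelist entries ("<id>;<update_url>") are re-installed on every Chrome start.
$policyRoots = @('HKLM:\SOFTWARE\Policies\Google\Chrome',
                 'HKCU:\SOFTWARE\Policies\Google\Chrome')
foreach ($root in $policyRoots) {
    if (-not (Test-Path $root)) { continue }
    Write-Output "[policy] $root"
    $rootKey = Get-Item $root
    foreach ($name in $rootKey.Property) {
        Write-Output ("  {0} = {1}" -f $name, $rootKey.GetValue($name))
    }
    foreach ($key in (Get-ChildItem $root -Recurse)) {
        foreach ($name in $key.Property) {
            Write-Output ("  {0}\{1} = {2}" -f $key.PSChildName, $name, $key.GetValue($name))
        }
    }
}

# 2. External-extension registry entries: each subkey is an extension id that Chrome installs
#    from update_url or a local .crx path. FRST's "CHR HKLM-x32\...\Chrome\Extension:" line comes from here.
$externalRoots = @('HKLM:\SOFTWARE\Google\Chrome\Extensions',
                   'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
                   'HKCU:\SOFTWARE\Google\Chrome\Extensions')
foreach ($root in $externalRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in (Get-ChildItem $root)) {
        $props = Get-ItemProperty $sub.PSPath
        Write-Output ("[external] {0} update_url={1} path={2}" -f $sub.PSChildName, $props.update_url, $props.path)
    }
}

# 3. Installed extension folders in every profile of every user. Ids listed as Google/Adobe
#    defaults in the FRST log are treated as known-good; anything else is flagged for review.
$knownGood = @('aapocclcgogkmnckokdopfmhonfmgoek', 'aohghmighlieiainnegkcijnfilokake',
               'apdfllckaahabafndbhieahigkjlhalf', 'blpcfgokakmgnkcojhhkbfbldkacnbeo',
               'efaidnbmnnnibpcajpcglclefindmkaj', 'felcaaldnbdncclmgdcncolpebgiejap',
               'ghbmnnjooekpmoecnnnilnnbdlolhkhi', 'nmmhkkegccagdldgiimedpiccmgmieda',
               'pjkljhegncpnkpknbcohdijeoejaedia', 'pkedcjkdefgpdelpbcmbmeomcjbeemfm')
$userDataDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Google\Chrome\User Data' } |
    Where-Object { Test-Path $_ }
foreach ($ud in $userDataDirs) {
    $profiles = Get-ChildItem $ud -Directory | Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($idDir in (Get-ChildItem $extRoot -Directory)) {
            foreach ($verDir in (Get-ChildItem $idDir.FullName -Directory)) {
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path $manifestPath)) { continue }
                try { $m = Get-Content $manifestPath -Raw | ConvertFrom-Json } catch { continue }
                # Manifest v2 uses background.scripts or background.page; v3 uses background.service_worker.
                $bg = ''
                if ($m.background) {
                    if ($m.background.scripts)             { $bg = $m.background.scripts -join ',' }
                    elseif ($m.background.page)            { $bg = $m.background.page }
                    elseif ($m.background.service_worker)  { $bg = $m.background.service_worker }
                }
                $flag = if ($knownGood -contains $idDir.Name) { '' } else { ' <== not in known-good list' }
                Write-Output ("[extension] {0}\{1} {2} v{3} name='{4}' background='{5}' created={6}{7}" -f
                    (Split-Path $ud -Parent | Split-Path -Leaf), $profile.Name, $idDir.Name, $verDir.Name,
                    $m.name, $bg, $verDir.CreationTime, $flag)
            }
        }
    }
}

# 4. CRX_INSTALL staging folders left in each user's Temp: their creation times show when an install
#    attempt happened, which can be matched against what was running at that moment.
foreach ($u in (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue)) {
    $tmp = Join-Path $u.FullName 'AppData\Local\Temp'
    if (-not (Test-Path $tmp)) { continue }
    Get-ChildItem $tmp -Directory -Filter 'scoped_dir*' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.FullName 'CRX_INSTALL') } |
        ForEach-Object { Write-Output ("[staging] {0} created={1}" -f $_.FullName, $_.CreationTime) }
}
```

Read the output top-down: a forcelist or external-extension entry that names a flagged id explains a "self reinstalling" extension by itself, and removing the deleted files without removing that entry is why the cycle repeats. A flagged id with no registry source points instead at whatever process is running at the staging timestamps in section 4.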




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,573 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:26 AM

Posted 24 July 2017 - 08:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click Attach this file.
Click the Add reply button.
===


Please post both logs.

Wait for further instructions.

#3 Mhroczyn

Mhroczyn
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:26 PM

Posted 24 July 2017 - 03:07 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-07-2017
Ran by Rafal (administrator) on GRAPHENITE (24-07-2017 21:51:29)
Running from C:\Users\Rafal\Desktop\Nowy folder
Loaded Profiles: Rafal (Available Profiles: Rafal & Slawek)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: Polski (Polska)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
() C:\Program Files (x86)\Edimax\Edimax Wireless LAN\WPSHWPBC.exe
() C:\Program Files (x86)\ASUSTek Computer Inc\ASUS USB-N14\WPSHWPBC.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(VIA Technologies, Inc.) C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrHCRPServer.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrAudioguiCtrl.exe
() C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrSyncMLServer.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\vksts.exe
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\HarmonyUserStartup.exe
(Cambridge Silicon Radio Limited) C:\Program Files (x86)\CSR\CSR Harmony Wireless Software Stack\CSRHarmonySkypePlugin.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Cambridge Silicon Radio Limited) C:\Program Files\CSR\CSR Harmony Wireless Software Stack\TrayApplication.exe
(Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Farbar) C:\Users\Rafal\Desktop\Nowy folder\EnglishFRST64.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8497368 2015-07-07] (Realtek Semiconductor)
HKLM\...\Run: [VIAxHCUtl] => C:\Program Files\VIA XHCI UASP Utility\usb3Monitor
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5595848 2015-01-28] (ESET)
HKLM\...\Run: [CsrHCRPServer] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrHCRPServer.exe [1134288 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [CsrAudioguiCtrl] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrAudioguiCtrl.exe [511696 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [CsrSyncMLServer] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrSyncMLServer.exe [244944 2012-03-22] ()
HKLM\...\Run: [vksts] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\vksts.exe [25792 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [HarmonyUserStartup] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\HarmonyUserStartup.exe [39128 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [CSRHarmonySkypePlugin] => C:\Program Files (x86)\CSR\CSR Harmony Wireless Software Stack\CSRHarmonySkypePlugin.exe [146656 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM\...\Run: [TrayApplication] => C:\Program Files\CSR\CSR Harmony Wireless Software Stack\TrayApplication.exe [529616 2012-03-22] (Cambridge Silicon Radio Limited)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-08-30] (Advanced Micro Devices, Inc.)
HKU\S-1-5-21-450926769-1737426013-1941627434-1004\...\MountPoints2: {320a46ec-c944-11e6-8808-1c1b0d6a73aa} - F:\stpdh2.exe
HKU\S-1-5-21-450926769-1737426013-1941627434-1004\...\MountPoints2: {f44b3d70-1517-11e7-b986-1c1b0d6a73aa} - G:\setup.exe
AppInit_DLLs-x32: acaptuser32.dll => C:\Windows\SysWOW64\acaptuser32.dll [112056 2009-12-21] (Adobe Systems Incorporated)
GroupPolicy: Restriction - Chrome <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.254 213.75.63.75 213.75.63.76
Tcpip\..\Interfaces\{25773CE1-82AF-49AB-80F7-055A65F56453}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{3AD0F3CB-88A6-45CC-BA5C-A3996B996F90}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{A8104CC8-8ABF-4A4A-B153-542093BD7168}: [DhcpNameServer] 192.168.2.254 213.75.63.75 213.75.63.76

Internet Explorer:
==================
HKU\S-1-5-21-450926769-1737426013-1941627434-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.gazeta.pl/0,0.html?p=188
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-12-20] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-12-20] (Oracle Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-09-23] (Skype Technologies)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: w93h662y.default
FF ProfilePath: C:\Users\Rafal\AppData\Roaming\Mozilla\Firefox\Profiles\w93h662y.default [2017-07-24]
FF Homepage: Mozilla\Firefox\Profiles\w93h662y.default -> hxxps://www.google.pl/?gws_rd=ssl
FF Extension: (Adblock Plus) - C:\Users\Rafal\AppData\Roaming\Mozilla\Firefox\Profiles\w93h662y.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-07-23]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-12-20] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-12-20] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-06-27] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-06-27] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-23] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-23] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-05] (Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default [2017-07-24]
CHR Extension: (Prezentacje Google) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-07-23]
CHR Extension: (Dokumenty Google) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-07-23]
CHR Extension: (Dysk Google) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-23]
CHR Extension: (YouTube) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-07-23]
CHR Extension: (Adobe Acrobat) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-07-23]
CHR Extension: (Arkusze Google) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-07-23]
CHR Extension: (Dokumenty Google offline) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-07-23]
CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-07-23]
CHR Extension: (Gmail) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-07-23]
CHR Extension: (Chrome Media Router) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-23]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-08-30] (Advanced Micro Devices, Inc.) [File not signed]
R2 BtSwitcherService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\BtSwitcherService.exe [64216 2012-03-22] (Cambridge Silicon Radio Limited)
R2 CSRBtAudioService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtAudioService.exe [465624 2012-03-22] (Cambridge Silicon Radio Limited)
R2 CsrBtOBEXService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtOBEXService.exe [1041616 2012-03-22] (Cambridge Silicon Radio Limited)
R2 CsrBtService; C:\Program Files\CSR\CSR Harmony Wireless Software Stack\CsrBtService.exe [825032 2012-03-22] (Cambridge Silicon Radio Limited)
S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe [1471168 2016-12-22] (Disc Soft Ltd)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1349576 2015-01-28] (ESET)
S3 GalaxyClientService; C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [488000 2017-06-29] (GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [8077376 2017-06-09] (GOG.com)
R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [495224 2017-06-21] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [495224 2017-06-21] (NVIDIA Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [462968 2017-06-27] (NVIDIA Corporation)
R2 NvTelemetryContainer; C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe [450168 2017-06-21] (NVIDIA Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 WPSHWPBC; C:\Program Files (x86)\Edimax\Edimax Wireless LAN\WPSHWPBC.exe [311296 2014-04-21] () [File not signed]
R2 WPSHWPBC_ASUS; C:\Program Files (x86)\ASUSTek Computer Inc\ASUS USB-N14\WPSHWPBC.exe [318976 2015-07-08] ()

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 csravrcp; C:\Windows\System32\DRIVERS\csravrcp.sys [26304 2012-03-22] (Cambridge Silicon Radio Limited)
R3 CsrBthAudioHF; C:\Windows\System32\DRIVERS\CsrBthAudioHF.sys [39120 2012-03-22] (Cambridge Silicon Radio Limited)
R3 CsrBtPort; C:\Windows\System32\DRIVERS\CsrBtPort.sys [2784968 2012-03-22] (Cambridge Silicon Radio Limited)
R3 csrhfgcc; C:\Windows\System32\DRIVERS\csrhfgcc.sys [38080 2012-03-22] (Cambridge Silicon Radio Limited)
R3 csrpan; C:\Windows\System32\DRIVERS\csrpan.sys [39616 2012-03-22] (Cambridge Silicon Radio Limited)
R3 csrserial; C:\Windows\System32\DRIVERS\csrserial.sys [61128 2012-03-22] (Cambridge Silicon Radio Limited)
R3 csrusb; C:\Windows\System32\Drivers\csrusb.sys [47296 2012-03-22] (Cambridge Silicon Radio Limited)
R3 csrusbfilter; C:\Windows\System32\Drivers\csrusbfilter.sys [23752 2012-03-22] (Cambridge Silicon Radio Limited)
R3 csr_bthav; C:\Windows\System32\drivers\csrbthav.sys [99520 2012-03-22] (Cambridge Silicon Radio Limited)
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2016-12-23] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47672 2016-12-23] (Disc Soft Ltd)
R3 e1rexpress; C:\Windows\System32\DRIVERS\e1r62x64.sys [499184 2015-06-05] (Intel Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [246000 2015-02-23] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [241880 2015-02-23] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [169792 2015-02-23] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [159480 2015-02-23] (ESET)
R3 netr28ux; C:\Windows\System32\DRIVERS\netr28ux.sys [2247000 2016-05-30] (MediaTek Inc.)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [30328 2017-06-21] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [48248 2017-06-21] (NVIDIA Corporation)
R3 nvvhci; C:\Windows\System32\DRIVERS\nvvhci.sys [76840 2017-04-01] (NVIDIA Corporation)
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [225792 2014-10-31] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [305664 2014-10-31] (VIA Technologies, Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-24 21:50 - 2017-07-24 21:50 - 00000000 _____ C:\Users\Rafal\Desktop\Nowy dokument tekstowy (2).txt
2017-07-24 18:32 - 2017-07-24 21:51 - 00000000 ____D C:\Users\Rafal\Desktop\Nowy folder
2017-07-23 21:24 - 2017-07-23 21:24 - 00001481 _____ C:\Users\Rafal\Desktop\egui — skrót.lnk
2017-07-23 18:22 - 2017-07-23 19:15 - 00004179 _____ C:\Users\Rafal\Desktop\Nowy dokument tekstowy.txt
2017-07-23 17:25 - 2017-07-23 17:26 - 00000000 ____D C:\Users\Slawek\AppData\LocalLow\Mozilla
2017-07-23 17:25 - 2017-07-23 17:25 - 00000000 ____D C:\Users\Slawek\AppData\Roaming\Mozilla
2017-07-23 17:25 - 2017-07-23 17:25 - 00000000 ____D C:\Users\Slawek\AppData\Local\Mozilla
2017-07-23 16:55 - 2017-07-24 21:51 - 00000000 ____D C:\FRST
2017-07-23 16:53 - 2017-07-23 17:45 - 00000555 _____ C:\Users\Slawek\Desktop\JRT.txt
2017-07-23 16:51 - 2017-07-23 16:51 - 00000000 ____D C:\Users\Slawek\Downloads\Anty Anty
2017-07-23 16:49 - 2017-07-23 16:49 - 00000000 ____D C:\Users\Slawek\AppData\Local\ESET
2017-07-23 16:32 - 2017-07-24 05:55 - 00000882 _____ C:\Users\Rafal\Desktop\JRT.txt
2017-07-23 16:28 - 2017-07-23 16:28 - 00000000 ____D C:\Users\Rafal\Downloads\Anty Anty
2017-07-23 13:47 - 2017-07-23 18:11 - 00000000 ____D C:\Users\Rafal\AppData\Local\Google
2017-07-23 13:47 - 2017-07-23 13:47 - 00002267 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-07-23 13:46 - 2017-07-23 13:47 - 00000000 ____D C:\Program Files (x86)\Google
2017-07-23 13:46 - 2017-07-23 13:46 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-07-23 13:46 - 2017-07-23 13:46 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-07-22 15:04 - 2017-07-23 18:12 - 135225752 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-07-22 13:06 - 2017-07-22 13:07 - 00000000 ____D C:\Users\Rafal\AppData\Local\Deployment
2017-07-22 13:06 - 2017-07-22 13:06 - 00000000 ____D C:\Users\Rafal\AppData\Local\Apps\2.0
2017-07-22 11:29 - 2017-07-22 11:29 - 00000568 __RSH C:\ProgramData\ntuser.pol
2017-07-22 09:42 - 2008-10-15 06:22 - 05631312 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_40.dll
2017-07-22 09:42 - 2008-10-15 06:22 - 04379984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_40.dll
2017-07-22 09:42 - 2008-10-15 06:22 - 02605920 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_40.dll
2017-07-22 09:42 - 2008-10-15 06:22 - 02036576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_40.dll
2017-07-22 09:42 - 2008-10-15 06:22 - 00519000 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_40.dll
2017-07-22 09:42 - 2008-10-15 06:22 - 00452440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_40.dll
2017-07-18 18:35 - 2017-07-18 18:55 - 00000000 ____D C:\Users\Rafal\AppData\Local\Ori and the Blind Forest DE
2017-07-18 18:30 - 2017-07-18 19:28 - 00000000 ____D C:\Users\Rafal\AppData\LocalLow\Thunder Lotus Games
2017-07-18 06:11 - 2017-07-18 06:11 - 00001471 _____ C:\Users\Rafal\Desktop\Ori and the Blind Forest.lnk
2017-07-18 06:00 - 2017-07-18 06:11 - 00000000 ____D C:\Program Files (x86)\Ori and The Blind Forest
2017-07-08 22:03 - 2017-07-08 22:07 - 00000000 ____D C:\Program Files (x86)\Vikings - Wolves of Midgard
2017-07-08 22:03 - 2017-07-08 22:03 - 00001830 _____ C:\Users\Public\Desktop\Vikings - Wolves of Midgard.lnk
2017-07-05 20:56 - 2017-07-05 20:56 - 00000000 ____D C:\Users\Rafal\AppData\LocalLow\Games Farm s_r_o_
2017-07-04 20:40 - 2017-07-04 20:40 - 00000000 ____D C:\Users\Rafal\AppData\Local\FinchGame
2017-07-03 18:56 - 2017-07-03 18:56 - 00000000 ____D C:\ProgramData\Dishonored 2
2017-07-02 11:37 - 2017-07-02 11:37 - 00000000 ____D C:\Users\Rafal\AppData\LocalLow\Team Cherry
2017-07-02 11:24 - 2017-07-02 11:24 - 00000000 ____D C:\Program Files (x86)\VulkanRT
2017-07-02 11:24 - 2017-06-27 22:27 - 00135616 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2017-07-02 11:24 - 2017-03-10 23:17 - 00536864 _____ C:\Windows\system32\vulkan-1.dll
2017-07-02 11:24 - 2017-03-10 23:17 - 00525600 _____ C:\Windows\SysWOW64\vulkan-1.dll
2017-07-02 11:24 - 2017-03-10 23:17 - 00254240 _____ C:\Windows\system32\vulkaninfo.exe
2017-07-02 11:24 - 2017-03-10 23:17 - 00233760 _____ C:\Windows\SysWOW64\vulkaninfo.exe
2017-07-02 11:21 - 2017-06-28 00:38 - 40239736 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 35798136 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 35314296 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 28922488 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 17806048 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 15437248 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2017-07-02 11:21 - 2017-06-28 00:38 - 14688096 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvd3dum.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 13559376 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 12337112 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 12132272 _____ (NVIDIA Corporation) C:\Windows\system32\nvptxJitCompiler.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 11501960 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 10381336 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 09982456 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvptxJitCompiler.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 03803256 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 03359168 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 01988216 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6438476.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 01597888 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6438476.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 01066616 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 01004480 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00972736 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00924280 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00689808 _____ (NVIDIA Corporation) C:\Windows\system32\nvfatbinaryLoader.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00609728 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFROpenGL.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00578056 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvfatbinaryLoader.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00512672 _____ (NVIDIA Corporation) C:\Windows\system32\nvEncodeAPI64.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00499320 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFROpenGL.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00429920 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvEncodeAPI.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00407064 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00218712 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda64v.sys
2017-07-02 11:21 - 2017-06-28 00:38 - 00171384 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00154208 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00149224 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00132072 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00045976 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap64.dll
2017-07-02 11:21 - 2017-06-28 00:38 - 00044110 _____ C:\Windows\system32\nvinfo.pb
2017-07-02 11:21 - 2017-06-28 00:38 - 00000669 _____ C:\Windows\SysWOW64\nv-vk32.json
2017-07-02 11:21 - 2017-06-28 00:38 - 00000669 _____ C:\Windows\system32\nv-vk64.json
2017-07-02 11:09 - 2017-07-02 11:09 - 00000000 ____D C:\Program Files (x86)\Anvsoft
2017-07-02 10:56 - 2017-07-12 18:12 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-07-02 10:56 - 2017-07-02 10:56 - 00002047 _____ C:\Users\Public\Desktop\Acrobat Reader.lnk
2017-07-02 10:12 - 2017-06-21 09:07 - 00179320 _____ (NVIDIA Corporation) C:\Windows\system32\nvaudcap64v.dll
2017-07-02 10:12 - 2017-06-21 09:07 - 00146552 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2017-07-02 10:12 - 2017-06-21 09:07 - 00048248 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2017-07-02 00:06 - 2017-07-02 00:06 - 00001452 _____ C:\Users\Rafal\Desktop\Hollow Knight.lnk
2017-07-02 00:02 - 2017-07-02 00:07 - 00000000 ____D C:\Program Files (x86)\Hollow Knight
2017-06-25 20:49 - 2017-07-09 16:59 - 00000000 ____D C:\Users\Rafal\AppData\Local\Adobe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-24 21:50 - 2011-04-12 15:21 - 00739694 _____ C:\Windows\system32\perfh015.dat
2017-07-24 21:50 - 2011-04-12 15:21 - 00155268 _____ C:\Windows\system32\perfc015.dat
2017-07-24 21:50 - 2009-07-14 07:13 - 01668226 _____ C:\Windows\system32\PerfStringBackup.INI
2017-07-24 21:50 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
2017-07-24 21:49 - 2009-07-14 06:45 - 00023136 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-07-24 21:49 - 2009-07-14 06:45 - 00023136 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-07-24 21:47 - 2017-04-15 21:31 - 00000000 ____D C:\Users\Rafal\AppData\LocalLow\Mozilla
2017-07-24 21:46 - 2016-12-20 18:42 - 00000000 ____D C:\ProgramData\NVIDIA
2017-07-24 21:44 - 2016-12-20 18:36 - 00003758 _____ C:\Windows\System32\Tasks\AutoKMS
2017-07-24 21:43 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-07-24 20:21 - 2016-12-23 23:55 - 00000000 ____D C:\Users\Rafal\AppData\Roaming\Skype
2017-07-24 18:37 - 2016-12-23 09:34 - 00000000 ____D C:\Users\Rafal\AppData\Roaming\Azureus
2017-07-23 16:53 - 2016-12-23 10:00 - 00063160 _____ C:\Users\Slawek\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-23 16:40 - 2016-12-23 18:12 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-07-23 11:58 - 2016-12-23 22:55 - 00000000 ____D C:\Users\Rafal\AppData\Roaming\DAEMON Tools Lite
2017-07-23 11:57 - 2017-01-04 17:36 - 00000000 ____D C:\Users\Rafal\AppData\Local\CrashDumps
2017-07-22 11:29 - 2009-07-14 05:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-07-22 11:29 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2017-07-20 20:18 - 2017-05-13 12:00 - 00000000 ____D C:\Program Files (x86)\Neverwinter Nights
2017-07-19 18:46 - 2016-12-22 15:38 - 00003350 _____ C:\Windows\System32\Tasks\ESET Windows 10 upgrade – Refresh settings
2017-07-18 19:28 - 2017-03-21 15:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2017-07-18 06:03 - 2009-07-14 07:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2017-07-09 16:57 - 2017-06-23 21:54 - 00000000 ____D C:\Users\Rafal\AppData\Roaming\Adobe
2017-07-06 21:48 - 2017-02-09 21:29 - 00000000 ____D C:\Program Files (x86)\Gwent
2017-07-04 20:40 - 2017-05-12 22:10 - 00000000 ____D C:\Users\Rafal\AppData\Local\UnrealEngine
2017-07-04 20:32 - 2016-12-23 18:57 - 00000000 ____D C:\Users\Rafal\AppData\Local\Battle.net
2017-07-04 20:32 - 2016-12-23 18:48 - 00000000 ____D C:\Program Files (x86)\Battle.net
2017-07-03 05:49 - 2017-01-04 17:32 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-07-03 05:48 - 2017-02-19 20:53 - 00000000 ____D C:\ProgramData\Adobe
2017-07-03 05:36 - 2009-07-14 06:45 - 00293776 _____ C:\Windows\system32\FNTCACHE.DAT
2017-07-02 11:28 - 2016-12-23 23:19 - 00000000 ____D C:\Program Files (x86)\Steam
2017-07-02 11:25 - 2016-12-20 18:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2017-07-02 11:25 - 2016-12-20 18:42 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2017-07-02 11:16 - 2016-12-24 00:21 - 00000000 ____D C:\Program Files (x86)\Calibre
2017-07-02 11:09 - 2016-12-24 00:21 - 00000000 ____D C:\Users\Rafal\AppData\Roaming\calibre
2017-07-02 11:09 - 2016-12-23 18:09 - 00000000 ____D C:\Users\Rafal\AppData\Roaming\Anvsoft
2017-07-02 11:02 - 2016-12-23 23:04 - 00000000 ____D C:\Program Files (x86)\DCmp3
2017-07-02 11:01 - 2016-12-23 21:17 - 00000000 ____D C:\Program Files (x86)\SpeedFan
2017-07-02 11:01 - 2016-12-22 17:35 - 00063160 _____ C:\Users\Rafal\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-02 10:56 - 2016-12-21 01:30 - 00000000 ____D C:\Program Files (x86)\Adobe
2017-07-02 10:40 - 2017-06-13 20:53 - 00000000 ____D C:\Users\Rafal\.gimp-2.8
2017-07-02 10:12 - 2017-05-20 17:21 - 00003814 _____ C:\Windows\System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-02 10:12 - 2017-03-09 20:51 - 00001412 _____ C:\Users\Public\Desktop\GeForce Experience.lnk
2017-07-02 10:12 - 2017-03-09 20:50 - 00004146 _____ C:\Windows\System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-02 10:12 - 2016-12-21 01:24 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2017-07-02 10:12 - 2016-12-20 18:43 - 00003852 _____ C:\Windows\System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-02 10:12 - 2016-12-20 18:43 - 00003738 _____ C:\Windows\System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-02 10:12 - 2016-12-20 18:43 - 00003738 _____ C:\Windows\System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-02 10:12 - 2016-12-20 18:43 - 00003730 _____ C:\Windows\System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-02 10:12 - 2016-12-20 18:43 - 00003554 _____ C:\Windows\System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-02 10:12 - 2016-12-20 18:43 - 00003494 _____ C:\Windows\System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-07-02 10:12 - 2016-12-20 18:42 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2017-07-01 19:49 - 2016-12-20 18:34 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-07-01 12:48 - 2017-04-15 13:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-06-29 21:46 - 2016-12-22 19:38 - 00000000 ____D C:\Program Files (x86)\GalaxyClient
2017-06-28 21:54 - 2017-05-06 23:40 - 00000132 _____ C:\Users\Rafal\AppData\Roaming\Adobe Targa Format CS6 Prefs
2017-06-28 00:38 - 2017-05-02 20:22 - 18726880 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2017-06-28 00:38 - 2016-12-20 18:39 - 21432048 _____ (NVIDIA Corporation) C:\Windows\system32\nvwgf2umx.dll
2017-06-28 00:38 - 2016-12-20 18:39 - 04186824 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2017-06-28 00:38 - 2016-12-20 18:39 - 03691192 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2017-06-28 00:38 - 2016-12-20 18:39 - 01615448 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco6420103.dll
2017-06-28 00:38 - 2016-12-20 18:39 - 00491720 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll
2017-06-27 23:03 - 2016-12-20 18:42 - 06462400 _____ (NVIDIA Corporation) C:\Windows\system32\nvcpl.dll
2017-06-27 23:03 - 2016-12-20 18:42 - 02478712 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvc64.dll
2017-06-27 23:03 - 2016-12-20 18:42 - 01762936 _____ (NVIDIA Corporation) C:\Windows\system32\nvsvcr.dll
2017-06-27 23:03 - 2016-12-20 18:42 - 00549312 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshext.dll
2017-06-27 23:03 - 2016-12-20 18:42 - 00392312 _____ (NVIDIA Corporation) C:\Windows\system32\nvmctray.dll
2017-06-27 23:03 - 2016-12-20 18:42 - 00082040 _____ (NVIDIA Corporation) C:\Windows\system32\nv3dappshextr.dll
2017-06-27 23:03 - 2016-12-20 18:42 - 00069752 _____ (NVIDIA Corporation) C:\Windows\system32\nvshext.dll
2017-06-27 22:52 - 2016-12-20 18:42 - 00001951 _____ C:\Windows\NvContainerRecovery.bat

==================== Files in the root of some directories =======

2017-05-01 21:28 - 2017-05-28 16:01 - 0000132 _____ () C:\Users\Rafal\AppData\Roaming\Adobe BMP Format CS6 Prefs
2017-04-30 19:33 - 2017-06-12 21:00 - 0000132 _____ () C:\Users\Rafal\AppData\Roaming\Adobe PNG Format CS6 Prefs
2017-05-06 23:40 - 2017-06-28 21:54 - 0000132 _____ () C:\Users\Rafal\AppData\Roaming\Adobe Targa Format CS6 Prefs
2017-06-18 12:41 - 2017-06-18 12:41 - 0011589 _____ () C:\Users\Rafal\AppData\Local\recently-used.xbel
2016-12-21 01:06 - 2016-12-21 01:06 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
2017-07-24 20:05 - 2017-07-24 20:44 - 0032305 _____ () C:\Users\Rafal\AppData\Local\Temp\t.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-22 16:21

==================== End of FRST.txt ============================



#4 nasdaq

  • Malware Response Team
  • 38,573 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 July 2017 - 07:25 AM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR Extension: (Platnosci w sklepie Chrome Web Store) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-07-23]
CHR Extension: (Chrome Media Router) - C:\Users\Rafal\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-23]
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers04: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers05: [ACE] -> ----{5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
Task: {0816E6FA-A644-4E36-A117-AEA8680A494C} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2016-12-20] ()
Task: {6767ADF4-438E-4C1D-ADDB-BDCF5453D6D3} - System32\Tasks\{4F581D0A-B1BB-4E7B-A069-D793A60953E7} => "c:\program files (x86)\google\chrome\application\chrome.exe" hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=7.18.0.112&LastError=404
C:\Windows\AutoKMS
C:\Windows\System32\Tasks\{4F581D0A-B1BB-4E7B-A069-D793A60953E7}

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome and click the menu icon at the top right of the Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog post.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)

If the problem persists let me know what is being reinstalled.
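The fixlist above is built from a handful of FRST indicators: a scheduled task whose binary runs from C:\Windows\AutoKMS rather than a normal program directory, a second task that starts chrome.exe on a URL every time it fires, a GroupPolicy restriction on Chrome, and shell-extension CLSIDs whose DLLs no longer exist. The script below is an added example, not FRST's code and not part of any post in this thread; it parses those same FRST line formats and reports why each line is worth a look. The Task, GroupPolicy and ContextMenuHandlers lines in SAMPLE_LOG are copied from the fixlist; the ExampleVendor task is constructed as a clean control, and the indicator names (browser-url-launch, untrusted-path, policy-restriction, orphaned-handler) are this example's own.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for the persistence
indicators behind "self-reinstalling" browser adware.

Added example for this thread, not FRST's own code and not part of the
original posts.  The Task, GroupPolicy and ContextMenuHandlers lines in
SAMPLE_LOG are copied from the fixlist in reply #4; the ExampleVendor task
is constructed as a clean control.  Indicator names are this example's own.
"""
from __future__ import annotations

import re

# Directories a legitimately installed task binary is expected to run from.
# C:\Windows itself is deliberately absent: C:\Windows\AutoKMS is not a
# Microsoft location, and user profiles (AppData, Temp) are never trusted.
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)
BROWSERS = ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe")

TASK_RE = re.compile(r"^Task: \{(?P<id>[0-9A-F-]+)\} - (?P<name>.+?) => (?P<action>.+)$", re.I)
# FRST defangs URLs in its logs as hxxp:// so they cannot be clicked by accident.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://", re.I)
# Trailer FRST appends to an action: " [2016-12-20] ()" or " (NVIDIA Corporation)".
TRAILER_RE = re.compile(r"\s*(?:\[\d{4}-\d{2}-\d{2}\])?\s*(?:\([^)]*\))?\s*$")


def split_action(action: str) -> tuple[str, str]:
    """Split a task action into (executable, arguments).

    Quoted form:   "c:\\dir with spaces\\x.exe" arg1 arg2 [date] (Vendor)
    Unquoted form: C:\\Windows\\AutoKMS\\AutoKMS.exe [date] ()
    """
    action = TRAILER_RE.sub("", action, count=1)
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end], action[end + 1:].strip()
    return action, ""  # unquoted actions carry no arguments in FRST output


def triage_task(line: str) -> list[tuple[str, str]]:
    m = TASK_RE.match(line)
    if not m:
        return []
    exe, args = split_action(m.group("action"))
    exe_l = exe.lower()
    name = m.group("name")
    findings = []
    # A scheduled task that opens a browser on a URL is a classic adware
    # relauncher: every run re-fetches the installer the AV keeps deleting.
    if exe_l.endswith(BROWSERS) and URL_RE.search(args):
        findings.append(("browser-url-launch", f"{name}: {exe} {args}"))
    if not any(exe_l.startswith(d + "\\") for d in TRUSTED_DIRS):
        findings.append(("untrusted-path", f"{name}: {exe}"))
    return findings


def triage_line(line: str) -> list[tuple[str, str]]:
    line = line.strip()
    if line.startswith("Task:"):
        return triage_task(line)
    if line.startswith("GroupPolicy:") and "Restriction" in line:
        # Chrome is under registry policy (HKLM\SOFTWARE\Policies\Google\Chrome).
        # Adware abuses keys such as ExtensionInstallForcelist to re-add its
        # extension on every start, which is why FRST marks this ATTENTION.
        return [("policy-restriction", line.split("<====")[0].strip())]
    if line.startswith("ContextMenuHandlers") and line.endswith("No File"):
        # Shell-extension CLSID whose DLL no longer exists: leftover from an
        # uninstalled program, harmless but worth removing so the log is clean.
        return [("orphaned-handler", line.split(":", 1)[0])]
    return []


def triage(lines) -> list[tuple[str, str]]:
    """Run every line through triage_line and collect (indicator, detail) pairs."""
    return [f for line in lines for f in triage_line(line)]


# Lines copied from reply #4 plus one constructed clean task (ExampleVendor).
SAMPLE_LOG = r"""
GroupPolicy: Restriction - Chrome <==== ATTENTION
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers05: [ACE] -> ----{5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
Task: {0816E6FA-A644-4E36-A117-AEA8680A494C} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2016-12-20] ()
Task: {6767ADF4-438E-4C1D-ADDB-BDCF5453D6D3} - System32\Tasks\{4F581D0A-B1BB-4E7B-A069-D793A60953E7} => "c:\program files (x86)\google\chrome\application\chrome.exe" hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=7.18.0.112&LastError=404
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ExampleVendorUpdate => C:\Program Files (x86)\ExampleVendor\Updater.exe [2017-07-02] (Example Vendor)
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{kind:20} {detail}")
```

Run it against the Task:, GroupPolicy: and ContextMenuHandlers lines of any FRST.txt; the sample flags the AutoKMS task (binary under C:\Windows, not a trusted program directory), the chrome.exe task (browser started on a defanged URL), the Chrome policy restriction and the two orphaned handlers, and leaves the constructed control task alone. The two CHR Extension lines in the fixlist are not handled here on purpose: those IDs are Chrome's built-in component extensions (Web Store Payments and Media Router), so FRST removing their folders is harmless and Chrome recreates them on the next start.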

#5 Mhroczyn

  • Topic Starter
  • Members
  • 3 posts

Posted 25 July 2017 - 01:17 PM

So I did what you told me. I reset Chrome and updated Java, and it seems that the code you provided did the job! Thank you very much! It wouldn't have been possible for a (not completely) casual PC user like me ;)


Edited by Mhroczyn, 25 July 2017 - 01:19 PM.


#6 nasdaq

  • Malware Response Team
  • 38,573 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 July 2017 - 06:29 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
