
TR/BitCoinMilner.grbmu virus in msiexec64.


  • This topic is locked
1 reply to this topic

#1 Felix_I.


  • Members
  • 42 posts
  • Gender:Male
  • Location:Toronto

Posted 14 June 2018 - 08:04 PM

I get a popup from Avira a few times a day saying it has found and blocked this virus, but it still keeps coming back.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06.06.2018 01
Ran by Felix (administrator) on OWNER (14-06-2018 20:42:52)
Running from C:\Users\Felix\Downloads
Loaded Profiles: Felix (Available Profiles: Felix)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [316392 2018-05-11] (Adobe Systems, Incorporated)
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [98024 2018-03-28] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [3643712 2018-06-04] (Dropbox, Inc.)
HKLM-x32\...\Run: [Avira System Speedup User Starter] => C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.Core.Common.Starter.exe [64096 2018-06-05] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-1497577798-250006343-43434190-1008\...\Run: [GoogleChromeAutoLaunch_9E0E8FB6AB9E32E413BF1FD50A17F104] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1589592 2018-03-20] (Google Inc.)
HKU\S-1-5-21-1497577798-250006343-43434190-1008\...\Policies\Explorer: []
HKU\S-1-5-18\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [2007576 2017-02-03] (Autodesk, Inc.)
Startup: C:\Users\Felix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEGAsync.lnk [2018-04-24]
ShortcutTarget: MEGAsync.lnk -> C:\ProgramData\MEGAsync\MEGAsync.exe (Mega Limited)
Startup: C:\Users\Felix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2018-04-24]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 0.0.0.0 keystone.mwbsys.com
Tcpip\Parameters: [DhcpNameServer] 74.116.184.28 96.127.255.28 192.168.1.1
Tcpip\..\Interfaces\{53408D0E-1B6B-45BA-BA97-86BD5D72FA8B}: [DhcpNameServer] 74.116.184.28 96.127.255.28 192.168.1.1
Tcpip\..\Interfaces\{DD4006A9-257C-4D9C-A61F-9189A11AC269}: [DhcpNameServer] 74.116.184.28 96.127.255.28 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKU\S-1-5-21-1497577798-250006343-43434190-1008\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKU\S-1-5-21-1497577798-250006343-43434190-1008\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxps://search.avira.com/#/?show_is=1&source=art
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2018-04-28] (Microsoft Corporation)
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2017-08-13] (IvoSoft)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2017-09-26] (Google Inc.)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2017-11-01] (Adobe Systems Incorporated)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2017-08-13] (IvoSoft)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2017-11-01] (Adobe Systems Incorporated)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2017-08-13] (IvoSoft)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2017-09-26] (Google Inc.)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2017-11-01] (Adobe Systems Incorporated)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2017-08-13] (IvoSoft)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2017-11-01] (Adobe Systems Incorporated)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2017-09-26] (Google Inc.)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2017-08-13] (IvoSoft)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2017-11-01] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2017-09-26] (Google Inc.)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2017-08-13] (IvoSoft)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2017-11-01] (Adobe Systems Incorporated)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-04-28] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-04-28] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-04-28] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-04-28] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF DefaultProfile: 6w63u4d8.default
FF ProfilePath: C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\6w63u4d8.default [2018-06-14]
FF user.js: detected! => C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\6w63u4d8.default\user.js [2017-06-30]
FF Extension: (uBlock Origin) - C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\6w63u4d8.default\Extensions\uBlock0@raymondhill.net.xpi [2018-06-13]
FF Extension: (TLS 1.3 gradual roll-out fallback-limit) - C:\Users\Felix\AppData\Roaming\Mozilla\Firefox\Profiles\6w63u4d8.default\features\{440e7825-2628-40ce-8755-9cc0644b8811}\tls13-version-fallback-rollout-bug1462099@mozilla.org.xpi [2018-06-09] [Legacy]
FF HKLM\...\Firefox\Extensions: [web2pdfextension.17@acrobat.adobe.com] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn\WebExtn\signed_extn\adobe_acrobat-1.0-windows.xpi
FF Extension: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn\WebExtn\signed_extn\adobe_acrobat-1.0-windows.xpi [2017-11-01]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension.17@acrobat.adobe.com] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn\WebExtn\signed_extn\adobe_acrobat-1.0-windows.xpi
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-03-02] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-10-27] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-10-27] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-02-27] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=3.0.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2018-02-27] (VideoLAN)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2017-11-01] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-05-10] (Adobe Systems Inc.)
StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR res: Infected resources.pak (Adware script). Reinstall Chrome. <==== ATTENTION
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR NewTab: Default ->  Not-active:"chrome-extension://pbdpajcdgknpendpmecafmopknefafha/index.html"
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default [2018-06-14]
CHR Extension: (Slides) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-31]
CHR Extension: (Docs) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-31]
CHR Extension: (Google Drive) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-10-31]
CHR Extension: (YouTube) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-10-31]
CHR Extension: (uBlock Origin) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2018-06-08]
CHR Extension: (Dropbox for Gmail) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpdmhfocilnekecfjgimjdeckachfbec [2018-04-25]
CHR Extension: (Adobe Acrobat) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-10-31]
CHR Extension: (Sheets) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-31]
CHR Extension: (Google Docs Offline) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-11-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-10]
CHR Extension: (Quick Searcher) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbdpajcdgknpendpmecafmopknefafha [2018-04-23]
CHR Extension: (Gmail) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-10-31]
CHR Extension: (Chrome Media Router) - C:\Users\Felix\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-29]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2017-11-01]
StartMenuInternet: Google Chrome - Chrome.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AdAppMgrSvc; C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe [1374072 2018-03-10] (Autodesk Inc.)
S2 AGMService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe [2321384 2018-05-11] (Adobe Systems, Incorporated)
S2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2128872 2018-05-11] (Adobe Systems, Incorporated)
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [879128 2018-06-05] (Avira Operations GmbH & Co. KG)
S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [224472 2018-06-05] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [224472 2018-06-05] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1165320 2018-06-05] (Avira Operations GmbH & Co. KG)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2018-03-29] (Apple Inc.)
S4 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2017-09-26] ()
S4 Autodesk Content Service; C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe [31160 2015-02-05] (Autodesk, Inc.)
S2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [449240 2018-03-28] (Avira Operations GmbH & Co. KG)
S2 AviraOptimizerHost; C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe [2980336 2018-05-04] (Avira Operations GmbH & Co. KG)
S2 AviraPhantomVPN; C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe [0 2018-05-17] () <==== ATTENTION (zero byte File/Folder)
S2 AviraUpdaterService; C:\Program Files (x86)\Avira\SoftwareUpdater\Avira.SoftwareUpdater.ServiceHost.exe [103328 2018-06-07] (Avira Operations GmbH & Co. KG)
S4 AvrcpService; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\AvrcpService.exe [35328 2013-05-07] (Realtek Semiconductor Corporation) [File not signed]
S4 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
S4 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [59392 2013-09-26] () [File not signed]
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [0 2018-05-24] () <==== ATTENTION (zero byte File/Folder)
S2 CrypKey License; C:\Windows\system32\crypserv.exe [126976 2013-04-11] (CrypKey (Canada) Ltd.) [File not signed]
S4 D-Link DWA-192_PBC_WPS; C:\Program Files (x86)\D-Link\DWA-192\ALPBCSVC.exe [65536 2013-01-15] () [File not signed]
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-10-01] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-10-01] (Dropbox, Inc.)
S2 DbxSvc; C:\Windows\system32\DbxSvc.exe [51024 2018-06-04] (Dropbox, Inc.)
S2 DSAService; C:\Program Files (x86)\Intel Driver and Support Assistant\DSAService.exe [22816 2017-09-18] (Intel)
S2 ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [824592 2017-03-07] ()
S2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [1194512 2018-06-06] (Garmin Ltd. or its subsidiaries)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6440736 2018-03-03] (Malwarebytes)
S4 RunSwUSB; C:\Windows\runSW.exe [44760 2014-12-12] ()
S2 SystemUsageReportSvc_QUEENCREEK; C:\Program Files\Intel Driver and Support Assistant\SUR\SurSvc.exe [157456 2017-03-07] ()
S2 USER_ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [824592 2017-03-07] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 anodlwf; C:\Windows\system32\DRIVERS\anodlwfx.sys [15872 2017-09-26] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2017-09-26] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
R0 avdevprot; C:\Windows\System32\DRIVERS\avdevprot.sys [60920 2017-10-07] (Avira Operations GmbH & Co. KG)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [179376 2018-05-08] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [169864 2018-05-08] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\system32\DRIVERS\avkmgr.sys [44488 2017-02-15] (Avira Operations GmbH & Co. KG)
S2 avnetflt; C:\Windows\system32\DRIVERS\avnetflt.sys [88488 2017-02-15] (Avira Operations GmbH & Co. KG)
R0 avusbflt; C:\Windows\System32\Drivers\avusbflt.sys [38048 2018-04-24] (Avira Operations GmbH & Co. KG)
R1 butldsk; C:\Windows\System32\drivers\butldsk.sys [192408 2018-04-18] ()
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 D_RtlWlanu; C:\Windows\system32\DRIVERS\D_rtwlanu.sys [5632520 2016-12-12] (Realtek Semiconductor Corporation )
S1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [76200 2018-01-18] ()
S2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193248 2018-04-24] (Malwarebytes)
S3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [109800 2018-04-24] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253664 2018-06-14] (Malwarebytes)
S3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [101600 2018-04-24] (Malwarebytes)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
S1 NetworkX; C:\Windows\System32\ckldrv.sys [31416 2013-04-11] ()
S3 NVVADARM; C:\Windows\system32\drivers\nvvadarm.sys [54896 2017-11-09] (NVIDIA Corporation)
S3 phantomtap; C:\Windows\system32\DRIVERS\phantomtap.sys [35664 2017-10-25] (The OpenVPN Project)
S3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [548056 2017-09-26] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3759320 2014-12-01] (Realtek Semiconductor Corporation )
S3 semav6msr64; C:\Windows\system32\drivers\semav6msr64.sys [21984 2016-10-18] ()
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
S3 MBAMProtection; \SystemRoot\system32\DRIVERS\mbam.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-06-14 20:42 - 2018-06-14 20:43 - 000021897 _____ C:\Users\Felix\Downloads\FRST.txt
2018-06-14 20:42 - 2018-06-14 20:42 - 002413056 _____ (Farbar) C:\Users\Felix\Downloads\FRST64.exe
2018-06-14 20:42 - 2018-06-14 20:42 - 000000000 ____D C:\FRST
2018-06-14 20:19 - 2018-06-14 20:19 - 000002426 _____ C:\Windows\system32\default_error_stack-000000-000000.txt
2018-06-14 20:18 - 2018-06-14 20:19 - 000412648 _____ C:\Windows\Minidump\061418-80234-01.dmp
2018-06-14 20:17 - 2018-06-14 20:17 - 000003600 ____N C:\bootsqm.dat
2018-06-14 20:17 - 2018-06-14 20:17 - 000000000 __SHD C:\found.002
2018-06-14 19:59 - 2018-06-14 19:59 - 000000000 _____ C:\Users\Felix\Desktop\tool.txt
2018-06-13 18:52 - 2018-06-14 20:21 - 000328192 _____ C:\Windows\SysWOW64\SelfFolder.idc
2018-06-13 18:18 - 2018-06-13 18:18 - 000001906 _____ C:\Users\Public\Desktop\Garmin Express.lnk
2018-06-13 18:18 - 2018-06-13 18:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garmin
2018-06-12 21:53 - 2018-06-12 21:53 - 000412504 _____ C:\Windows\Minidump\061218-26031-01.dmp
2018-06-11 19:12 - 2018-06-14 20:23 - 000000000 ___HD C:\Users\Felix\AppData\Local\Microsoft Websites
2018-06-10 15:11 - 2018-06-10 15:11 - 000029091 _____ C:\Users\Felix\Desktop\PLANNER 2 - May 6.xlsx
2018-06-10 09:14 - 2018-06-10 09:14 - 000001045 _____ C:\Users\Public\Desktop\EaseUS Data Recovery Wizard.lnk
2018-06-10 09:14 - 2018-06-10 09:14 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EaseUS Data Recovery Wizard
2018-06-10 09:14 - 2018-06-10 09:14 - 000000000 ____D C:\Program Files\EaseUS
2018-06-09 09:03 - 2018-06-14 19:54 - 000000000 ____D C:\Users\Felix\Desktop\errors
2018-06-08 19:12 - 2018-06-10 23:02 - 000000000 ___HD C:\Users\Felix\AppData\Local\DiskManagement
2018-06-08 19:08 - 2018-06-08 19:08 - 000412560 _____ C:\Windows\Minidump\060818-28406-01.dmp
2018-06-07 17:02 - 2018-06-11 21:16 - 000000000 ____D C:\Users\Felix\Desktop\ROM + GREECE
2018-06-06 20:45 - 2018-06-13 22:49 - 001755987 _____ C:\Users\Felix\Desktop\Nexus Application.pdf
2018-06-06 20:06 - 2018-06-06 20:06 - 000001898 _____ C:\Users\Felix\Desktop\IrfanView Thumbnails.lnk
2018-06-06 20:06 - 2018-06-06 20:06 - 000001006 _____ C:\Users\Felix\Desktop\IrfanView.lnk
2018-06-06 20:06 - 2018-06-06 20:06 - 000000000 ____D C:\Users\Felix\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IrfanView
2018-06-06 20:05 - 2018-06-06 20:06 - 000000000 ____D C:\Users\Felix\AppData\Roaming\IrfanView
2018-06-06 20:05 - 2018-06-06 20:05 - 000000000 ____D C:\Program Files (x86)\IrfanView
2018-06-06 16:10 - 2018-06-06 16:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2018-06-05 17:24 - 2018-06-05 17:24 - 003531400 _____ (Irfan Skiljan) C:\Users\Felix\Downloads\iview451_x64_setup (2).exe
2018-06-05 17:24 - 2018-06-05 17:24 - 002466952 _____ (Irfan Skiljan) C:\Users\Felix\Downloads\iview451_setup.exe
2018-06-05 17:23 - 2018-06-05 17:23 - 003531400 _____ (Irfan Skiljan) C:\Users\Felix\Downloads\iview451_x64_setup (1).exe
2018-06-05 17:22 - 2018-06-05 17:22 - 003531400 _____ (Irfan Skiljan) C:\Users\Felix\Downloads\iview451_x64_setup.exe
2018-06-05 15:20 - 2018-06-14 20:21 - 000000000 ____D C:\Users\Public\Speedup Sessions
2018-06-05 15:15 - 2018-06-05 15:15 - 000412584 _____ C:\Windows\Minidump\060518-18062-01.dmp
2018-06-04 06:18 - 2018-06-04 06:18 - 000051024 _____ (Dropbox, Inc.) C:\Windows\system32\DbxSvc.exe
2018-06-04 06:18 - 2018-06-04 06:18 - 000050232 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-dev.sys
2018-06-04 06:18 - 2018-06-04 06:18 - 000045672 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-canary.sys
2018-06-04 06:18 - 2018-06-04 06:18 - 000045640 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-stable.sys
2018-05-17 03:41 - 2018-05-17 03:43 - 000000000 ____D C:\Windows\system32\config\Backup
2018-05-17 00:37 - 2018-05-17 01:22 - 025559040 _____ C:\Users\Felix\Desktop\Win8.1_English_x64.iso
2018-05-16 23:47 - 2018-05-16 23:47 - 000317832 _____ C:\Windows\Minidump\051618-73281-01.dmp
2018-05-16 22:46 - 2018-06-14 20:29 - 000688450 _____ C:\Windows\ntbtlog.txt
2018-05-16 19:02 - 2018-05-16 19:02 - 000000000 __SHD C:\found.001

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-06-14 20:37 - 2017-09-27 02:37 - 000000000 ____D C:\Users\Felix\AppData\LocalLow\Mozilla
2018-06-14 20:33 - 2014-09-24 03:15 - 000872716 _____ C:\Windows\system32\PerfStringBackup.INI
2018-06-14 20:33 - 2013-08-22 09:36 - 000000000 ____D C:\Windows\Inf
2018-06-14 20:29 - 2018-04-24 19:16 - 000253664 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-06-14 20:28 - 2013-08-22 10:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-06-14 20:27 - 2013-08-22 11:20 - 000000000 ____D C:\Windows\CbsTemp
2018-06-14 20:23 - 2017-10-01 15:28 - 000000918 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job
2018-06-14 20:22 - 2017-09-26 23:59 - 000000000 ____D C:\Users\Felix\AppData\Local\ClassicShell
2018-06-14 20:20 - 2013-08-22 09:25 - 000020867 _____ C:\Windows\win.ini
2018-06-14 20:19 - 2017-10-01 15:28 - 000000914 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
2018-06-14 20:18 - 2017-12-07 19:18 - 000000000 ____D C:\Windows\Minidump
2018-06-14 20:18 - 2017-09-26 14:43 - 000000000 ____D C:\ProgramData\NVIDIA
2018-06-14 20:17 - 2018-05-04 22:10 - 1246352180 _____ C:\Windows\MEMORY.DMP
2018-06-14 19:50 - 2017-10-01 15:31 - 000000000 ___RD C:\Users\Felix\Dropbox
2018-06-14 19:41 - 2017-09-30 04:07 - 001267712 ___SH C:\Users\Felix\Desktop\Thumbs.db
2018-06-14 19:34 - 2017-09-27 00:02 - 000003770 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{580546D7-7945-4E5C-BD1E-58B193BFBA8C}
2018-06-13 19:33 - 2017-09-27 00:03 - 000003594 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1497577798-250006343-43434190-1008
2018-06-13 18:19 - 2018-01-24 01:16 - 000000000 ____D C:\Program Files (x86)\Garmin
2018-06-13 18:19 - 2017-09-26 15:34 - 000000000 ____D C:\ProgramData\Package Cache
2018-06-13 18:18 - 2018-01-24 01:16 - 000003554 _____ C:\Windows\System32\Tasks\GarminUpdaterTask
2018-06-13 18:18 - 2018-01-24 01:16 - 000000000 ____D C:\ProgramData\Garmin
2018-06-12 22:16 - 2013-08-22 09:25 - 000524288 ___SH C:\Windows\system32\config\BBI
2018-06-12 21:56 - 2017-11-19 20:42 - 000000000 ____D C:\Program Files (x86)\Intel Driver and Support Assistant
2018-06-12 21:53 - 2017-09-27 02:36 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-06-11 23:14 - 2017-09-26 23:58 - 000000000 ____D C:\Users\Felix
2018-06-09 17:20 - 2013-08-22 11:36 - 000000000 ____D C:\Windows\AppReadiness
2018-06-08 19:30 - 2017-10-06 23:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2018-06-08 19:13 - 2017-09-27 02:36 - 000000980 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-06-08 19:13 - 2017-09-27 02:36 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-06-06 16:10 - 2017-10-01 15:28 - 000000000 ____D C:\Program Files (x86)\Dropbox
2018-06-05 15:20 - 2018-04-24 20:35 - 000003664 _____ C:\Windows\System32\Tasks\AviraSystemSpeedupUpdate
2018-06-05 15:20 - 2017-09-27 03:05 - 000000000 ____D C:\Program Files (x86)\Avira
2018-06-05 15:19 - 2018-04-24 21:58 - 000000000 ____D C:\ProgramData\MEGAsync
2018-06-05 15:18 - 2017-10-01 15:28 - 000003890 _____ C:\Windows\System32\Tasks\DropboxUpdateTaskMachineUA
2018-06-05 15:18 - 2017-10-01 15:28 - 000003654 _____ C:\Windows\System32\Tasks\DropboxUpdateTaskMachineCore
2018-06-05 15:15 - 2017-09-27 02:00 - 000000000 ____D C:\Windows\System32\Tasks\NCH Software
2018-05-16 23:57 - 2017-09-27 01:48 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2018-05-16 23:57 - 2017-09-26 16:18 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2018-05-16 23:56 - 2017-09-26 16:18 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2018-05-16 18:37 - 2017-09-27 02:02 - 000207779 ____H C:\Users\Felix\AppData\Local\IconCache.db.backup

==================== Files in the root of some directories =======

1601-01-03 21:33 - 1601-01-03 21:33 - 000059904 ____N (Microsoft Corporation) C:\Program Files (x86)\YdRUEUXIq.exe
1601-01-03 21:33 - 1601-01-03 21:33 - 000059904 ____N (Microsoft Corporation) C:\Program Files (x86)\Common Files\xFnUUPuYWbiq.exe
2017-12-04 21:47 - 2018-03-15 20:15 - 000000034 _____ () C:\Users\Felix\AppData\Roaming\AdobeWLCMCache.dat
2017-10-17 20:20 - 2017-10-18 23:45 - 000037877 _____ () C:\Users\Felix\AppData\Roaming\Comma Separated Values.ADR
2017-09-27 02:00 - 2018-03-28 21:02 - 000001167 _____ () C:\Users\Felix\AppData\Roaming\trace_FilterInstaller.1.txt
2017-09-27 02:00 - 2017-09-28 03:16 - 000000905 _____ () C:\Users\Felix\AppData\Roaming\trace_FilterInstaller.2.txt
2017-09-27 02:00 - 2017-09-27 02:00 - 000001167 _____ () C:\Users\Felix\AppData\Roaming\trace_FilterInstaller.3.txt
2017-09-27 02:00 - 2018-04-13 20:23 - 000000905 _____ () C:\Users\Felix\AppData\Roaming\trace_FilterInstaller.txt
2017-09-27 02:00 - 2018-04-13 20:23 - 000000000 _____ () C:\Users\Felix\AppData\Roaming\trace_FilterInstaller.txt-CRT.txt
2017-09-26 23:58 - 2018-04-24 00:01 - 000265685 _____ () C:\Users\Felix\AppData\Local\BTServer.log
2018-04-23 23:43 - 2018-04-23 23:43 - 000140800 _____ () C:\Users\Felix\AppData\Local\installer.dat
2018-04-23 23:43 - 2018-04-24 00:14 - 000929792 _____ () C:\Users\Felix\AppData\Local\sham.db
2018-04-23 23:42 - 2018-04-23 23:42 - 000000003 _____ () C:\Users\Felix\AppData\Local\wbem.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-05-12 04:49

==================== End of FRST.txt ============================




#2 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 14 June 2018 - 10:21 PM

Closing duplicate.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!




