Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

User Tag List

Google Chrome Facebook incorrect encoding, other browsers are unaffected

This is a discussion on Google Chrome Facebook incorrect encoding, other browsers are unaffected within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hi there, Last night, I started having issues with Google Chrome. Main symptom of the problem is that, on first

Thread Tools Search this Thread
Old 06-09-2016, 11:10 PM   #1
Registered Member
Join Date: Jan 2010
Posts: 6
OS: Windows 7

Hi there,

Last night, I started having issues with Google Chrome. Main symptom of the problem is that, on first restart, I can connect to Facebook on the Google Chrome fine, but after a few minutes, the encoding of the page seems to be corrupted. It's only affecting Chrome, Edge and Firefox are fine. With it being a single browser only, I'm suspecting some form of malware is responsible for a redirect, I'm just not sure what, so I've come here to see whether you guys can find anything I couldn't. I am willing, as a last resort, to run a complete refresh of the device, and I have a Windows 10 Build 1511 ISO that can be used in such a circumstance, ready to go.

I ran Kaspersky and it found OpenCandy in an installer for CrystalDiskInfo, though that installer hasn't been executed since the last refresh I did so I don't believe that is the culprit for my woes, and the redirect still appears to be happening even after Kaspersky removed it from the system. Otherwise, Kaspersky has found no threats with Rootkit detection or a Full Scan of the system which I left it to do overnight.

Just to note, some of the errors you see in the logs and files relate to the computer having an issue with the motherboard hardware freezing/rebooting intermittently (which needs to be replaced), so apologies for that. It has been an intermittent issue with the machine for a number of years, to do with the power supply.

Thanks in advance for the assistance, I realise you folks are busy. :)

EDIT: One thing to note, I did try clearing my browser store and unlinking my account from Chome to try and diagnose the issue earlier on. I will be changing my passwords ASAP. The desktop has no further connection to the internet, and Kaspersky is scanning the drive I'm using to transfer files between the machine I believe to be clean, and the desktop.


DDR.txt contents:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.10586.20
Run by Craig at 6:42:45 on 2016-06-10
Microsoft Windows 10 Pro 10.0.10586.0.1252.44.2057.18.12271.9033 [GMT 1:00]
AV: Kaspersky Total Security *Enabled/Updated* {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Kaspersky Total Security *Enabled/Updated* {3D579475-6DDE-A186-1569-44B9F9DE8725}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Total Security *Enabled* {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.1\avp.exe
C:\WINDOWS\System32\svchost.exe -k utcsvc
C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k appmodel
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.1\avpui.exe
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Samsung\Samsung Magician\Samsung Magician.exe
C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
============== Pseudo HJT Report ===============
uLocal Page = %11%\blank.htm
BHO: Kaspersky Protection: {03993315-5CE9-4F00-8790-D14A94F1D91A} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.1\IEExt\ie_plugin.dll
TB: Kaspersky Protection Toolbar: {001032CB-B0AC-4F2C-A650-AD4B2B26E5DA} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.1\IEExt\ie_plugin.dll
uRun: [OneDrive] "C:\Users\Craig\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [Spotify Web Helper] "C:\Users\Craig\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
uRun: [Spotify] "C:\Users\Craig\AppData\Roaming\Spotify\Spotify.exe" -autostart -minimized
uRun: [f.lux] "C:\Users\Craig\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
mRun: [Dropbox] "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
mRun: [Razer Synapse] "C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-System: DSCAutomationHostEnabled = dword:2
TCP: NameServer =
TCP: Interfaces\{f534325b-6291-4d2f-87fa-54cb1cbef049} : DHCPNameServer =
Handler: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\syswow64\tbauth.dll
Handler: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\syswow64\tbauth.dll
SSODL: WebCheck - <orphaned>
LSA: Security Packages = ""
CLSID: {603D3801-BD81-11d0-A3A5-00C04FD706EC} - C:\WINDOWS\System32\windows.storage.dll
x64-BHO: Kaspersky Protection: {03993315-5CE9-4F00-8790-D14A94F1D91A} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.1\x64\IEExt\ie_plugin.dll
x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_91\bin\ssv.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_91\bin\jp2ssv.dll
x64-TB: Kaspersky Protection Toolbar: {001032CB-B0AC-4F2C-A650-AD4B2B26E5DA} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.1\x64\IEExt\ie_plugin.dll
x64-Run: [RTHDVCPL] "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-Run: [ShadowPlay] "C:\WINDOWS\System32\rundll32.exe" C:\WINDOWS\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-Run: [SamsungRapidApp] C:\Program Files (x86)\Samsung\RAPID\CacheFilter\SamsungRapidApp.exe
x64-Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
x64-mPolicies-System: DSCAutomationHostEnabled = dword:2
x64-Handler: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\WINDOWS\System32\tbauth.dll
x64-Handler: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\WINDOWS\System32\tbauth.dll
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - /UserInstall
x64-mASetup: {89820200-ECBD-11cf-8B85-00AA005B4340} - U
x64-mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-CLSID: {603D3801-BD81-11d0-A3A5-00C04FD706EC} - C:\WINDOWS\System32\windows.storage.dll
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Craig\AppData\Roaming\Mozilla\Firefox\Profiles\c1um42x7.default\
FF - plugin: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw_1223183.dll
============= SERVICES / DRIVERS ===============
R0 cm_km;Kaspersky Lab ZAO Cryptographic Module x64 (Weak);C:\WINDOWS\System32\drivers\cm_km.sys [2015-7-6 389816]
R0 klbackupdisk;Kaspersky Lab klbackupdisk;C:\WINDOWS\System32\drivers\klbackupdisk.sys [2015-6-6 53432]
R0 pwdrvio;pwdrvio;C:\WINDOWS\System32\pwdrvio.sys [2016-3-5 19152]
R0 SamsungRapidDiskFltr;SAMSUNG RAPID Mode Disk Filter Driver;C:\WINDOWS\System32\drivers\SamsungRapidDiskFltr.sys [2016-2-28 271968]
R0 SamsungRapidFSFltr;SamsungRapidFSFltr;C:\WINDOWS\System32\drivers\SamsungRapidFSFltr.sys [2015-9-4 110688]
R0 WindowsTrustedRT;Windows Trusted Execution Environment Class Extension;C:\WINDOWS\System32\drivers\WindowsTrustedRT.sys [2015-10-30 106520]
R0 WindowsTrustedRTProxy;Microsoft Windows Trusted Runtime Secure Service;C:\WINDOWS\System32\drivers\WindowsTrustedRTProxy.sys [2015-10-30 17944]
R0 Wof;Windows Overlay File System Filter Driver;C:\WINDOWS\System32\drivers\wof.sys [2015-10-30 199008]
R1 ahcache;Application Compatibility Cache;C:\WINDOWS\System32\drivers\ahcache.sys [2015-10-30 218624]
R1 FileCrypt;FileCrypt;C:\WINDOWS\System32\drivers\filecrypt.sys [2016-5-11 87552]
R1 GpuEnergyDrv;GPU Energy Driver;C:\WINDOWS\System32\drivers\gpuenergydrv.sys [2015-10-30 8192]
R1 klbackupflt;Kaspersky Lab klbackupflt;C:\WINDOWS\System32\drivers\klbackupflt.sys [2015-12-1 79752]
R1 klhk;Kaspersky Lab service driver;C:\WINDOWS\System32\drivers\klhk.sys [2016-3-28 237488]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\WINDOWS\System32\drivers\klim6.sys [2015-12-1 51288]
R1 klpd;Kaspersky Lab format recognizer driver;C:\WINDOWS\System32\drivers\klpd.sys [2015-12-7 45960]
R1 klwfp;klwfp;C:\WINDOWS\System32\drivers\klwfp.sys [2015-10-6 87944]
R1 Klwtp;KLwtp - WFP callout traffic inspector;C:\WINDOWS\System32\drivers\klwtp.sys [2015-12-3 112520]
R1 kneps;kneps;C:\WINDOWS\System32\drivers\kneps.sys [2015-12-3 194440]
R2 Apple Mobile Device Service;Apple Mobile Device Service;C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2016-3-2 83768]
R2 AVP16.0.1;Kaspersky Anti-Virus Service 16.0.1;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.1\avp.exe [2015-12-22 236928]
R2 CoreMessagingRegistrar;CoreMessaging;C:\WINDOWS\System32\svchost.exe -k LocalServiceNoNetwork [2015-10-30 43944]
R2 DiagTrack;Connected User Experiences and Telemetry;C:\WINDOWS\System32\svchost.exe -k utcsvc [2015-10-30 43944]
R2 GfExperienceService;NVIDIA GeForce Experience Service;C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [2016-2-28 1165368]
R2 IntelHaxm;Intel HAXM Service;C:\WINDOWS\System32\drivers\IntelHaxm.sys [2016-5-21 96776]
R2 kldisk;kldisk;C:\WINDOWS\System32\drivers\kldisk.sys [2015-12-2 78200]
R2 MotoHelper;MotoHelper Service;C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-12-6 214896]
R2 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2016-2-28 1881144]
R2 Razer Game Scanner Service;Razer Game Scanner;C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [2015-11-5 188072]
R2 rzpmgrk;rzpmgrk;C:\WINDOWS\System32\drivers\rzpmgrk.sys [2016-4-30 37184]
R2 rzpnk;rzpnk;C:\WINDOWS\System32\drivers\rzpnk.sys [2016-4-30 130880]
R2 SamsungRapidSvc;Samsung RAPID Mode Service;system32\RAPID\SamsungRapidSvc.exe --> system32\RAPID\SamsungRapidSvc.exe [?]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe [2016-6-8 424384]
R2 storqosflt;Storage QoS Filter Driver;C:\WINDOWS\System32\drivers\storqosflt.sys [2015-10-30 78848]
R2 tiledatamodelsvc;Tile Data model server;C:\WINDOWS\System32\svchost.exe -k appmodel [2015-10-30 43944]
R2 UserManager;User Manager;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
R3 AppXSvc;AppX Deployment Service (AppXSVC);C:\WINDOWS\System32\svchost.exe -k wsappx [2015-10-30 43944]
R3 ClipSVC;Client License Service (ClipSVC);C:\WINDOWS\System32\svchost.exe -k wsappx [2015-10-30 43944]
R3 klflt;Kaspersky Lab Kernel DLL;C:\WINDOWS\System32\drivers\klflt.sys [2016-3-28 182664]
R3 klids;klids;C:\ProgramData\Kaspersky Lab\AVP16.0.1\Bases\klids.sys [2016-3-28 178872]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;C:\WINDOWS\System32\drivers\klkbdflt.sys [2015-11-11 52608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\WINDOWS\System32\drivers\klmouflt.sys [2015-6-7 41656]
R3 lfsvc;Geolocation Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
R3 LicenseManager;Windows License Manager Service;C:\WINDOWS\System32\svchost.exe -k LocalService [2015-10-30 43944]
R3 NcbService;Network Connection Broker;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
R3 NdisVirtualBus;Microsoft Virtual Network Adapter Enumerator;C:\WINDOWS\System32\drivers\NdisVirtualBus.sys [2015-10-30 20480]
R3 NgcCtnrSvc;Microsoft Passport Container;C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted [2015-10-30 43944]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\WINDOWS\System32\drivers\nvvad64v.sys [2016-2-28 56384]
R3 rt640x64;Realtek RT640 NT Driver;C:\WINDOWS\System32\drivers\rt640x64.sys [2015-10-30 589824]
R3 rzdaendpt;Razer DeathAdder end point;C:\WINDOWS\System32\drivers\rzdaendpt.sys [2015-8-13 43720]
R3 rzudd;Razer Mouse Driver;C:\WINDOWS\System32\drivers\rzudd.sys [2015-8-13 202952]
R3 rzvkeyboard;Razer Virtual Keyboard Driver;C:\WINDOWS\System32\drivers\rzvkeyboard.sys [2015-8-13 44232]
R3 StateRepository;State Repository Service;C:\WINDOWS\System32\svchost.exe -k appmodel [2015-10-30 43944]
R3 WUDFWpdMtp;WUDFWpdMtp;C:\WINDOWS\System32\drivers\WUDFRd.sys [2015-10-30 216064]
S0 klelam;klelam;C:\WINDOWS\System32\drivers\klelam.sys [2015-6-24 30328]
S2 dbupdate;Dropbox Update Service (dbupdate);C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2016-2-28 143144]
S2 DoSvc;Delivery Optimization;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S2 MapsBroker;Downloaded Maps Manager;C:\WINDOWS\System32\svchost.exe -k NetworkService [2015-10-30 43944]
S2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2016-2-28 2522680]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2016-3-23 327808]
S3 ADP80XX;ADP80XX;C:\WINDOWS\System32\drivers\adp80xx.sys [2015-10-30 1135456]
S3 AJRouter;AllJoyn Router Service;C:\WINDOWS\System32\svchost.exe -k LocalService [2015-10-30 43944]
S3 AppReadiness;App Readiness;C:\WINDOWS\System32\svchost.exe -k AppReadiness [2015-10-30 43944]
S3 bcmfn;bcmfn Service;C:\WINDOWS\System32\drivers\bcmfn.sys [2015-10-30 9728]
S3 bcmfn2;bcmfn2 Service;C:\WINDOWS\System32\drivers\bcmfn2.sys [2015-10-30 9728]
S3 BthHFSrv;Bluetooth Handsfree Service;C:\WINDOWS\System32\svchost.exe -k LocalServiceAndNoImpersonation [2015-10-30 43944]
S3 buttonconverter;Service for Portable Device Control devices;C:\WINDOWS\System32\drivers\buttonconverter.sys [2015-10-30 37376]
S3 CapImg;HID driver for CapImg touch screen;C:\WINDOWS\System32\drivers\capimg.sys [2015-12-4 117248]
S3 dbupdatem;Dropbox Update Service (dbupdatem);C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2016-2-28 143144]
S3 DcpSvc;DataCollectionPublishingService;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S3 DevQueryBroker;DevQuery Background Discovery Broker;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
S3 diagnosticshub.standardcollector.service;Microsoft (R) Diagnostics Hub Standard Collector Service;C:\WINDOWS\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe [2015-10-30 31744]
S3 DmEnrollmentSvc;Device Management Enrollment Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S3 dmwappushservice;dmwappushsvc;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S3 DsSvc;Data Sharing Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
S3 embeddedmode;embeddedmode;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
S3 EntAppSvc;Enterprise App Management Service;C:\WINDOWS\System32\svchost.exe -k appmodel [2015-10-30 43944]
S3 fcvsc;fcvsc;C:\WINDOWS\System32\drivers\fcvsc.sys [2015-10-30 31232]
S3 genericusbfn;Generic USB Function Class;C:\WINDOWS\System32\drivers\genericusbfn.sys [2015-10-30 20992]
S3 hidinterrupt;Common Driver for HID Buttons implemented with interrupts;C:\WINDOWS\System32\drivers\hidinterrupt.sys [2015-10-30 50016]
S3 iai2c;Intel(R) Serial IO I2C Host Controller;C:\WINDOWS\System32\drivers\iai2c.sys [2015-10-30 81408]
S3 iaLPSS2i_I2C;Intel(R) Serial IO I2C Driver v2;C:\WINDOWS\System32\drivers\iaLPSS2i_I2C.sys [2015-10-30 165888]
S3 iaLPSSi_GPIO;Intel(R) Serial IO GPIO Controller Driver;C:\WINDOWS\System32\drivers\iaLPSSi_GPIO.sys [2015-10-30 38128]
S3 iaLPSSi_I2C;Intel(R) Serial IO I2C Controller Driver;C:\WINDOWS\System32\drivers\iaLPSSi_I2C.sys [2015-10-30 113152]
S3 iaStorAV;Intel(R) SATA RAID Controller Windows;C:\WINDOWS\System32\drivers\iaStorAV.sys [2015-10-30 673120]
S3 ibbus;Mellanox InfiniBand Bus/AL (Filter Driver);C:\WINDOWS\System32\drivers\ibbus.sys [2015-10-30 424800]
S3 icssvc;Windows Mobile Hotspot Service;C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted [2015-10-30 43944]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\WINDOWS\System32\ieetwcollector.exe [2015-10-30 117760]
S3 intelpep;Intel(R) Power Engine Plug-in Driver;C:\WINDOWS\System32\drivers\intelpep.sys [2015-10-30 46432]
S3 IoQos;IoQos;C:\WINDOWS\System32\drivers\ioqos.sys [2015-10-30 26624]
S3 klvssbrigde64;klvssbrigde64;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.1\x64\vssbridge64.exe [2015-12-22 152488]
S3 LSI_SAS2i;LSI_SAS2i;C:\WINDOWS\System32\drivers\lsi_sas2i.sys [2015-10-30 104800]
S3 LSI_SAS3i;LSI_SAS3i;C:\WINDOWS\System32\drivers\lsi_sas3i.sys [2015-10-30 99168]
S3 mlx4_bus;Mellanox ConnectX Bus Enumerator;C:\WINDOWS\System32\drivers\mlx4_bus.sys [2015-10-30 705376]
S3 ndfltr;NetworkDirect Service;C:\WINDOWS\System32\drivers\ndfltr.sys [2015-10-30 76128]
S3 NetSetupSvc;Network Setup Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S3 NgcSvc;Microsoft Passport;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
S3 NvStreamKms;NvStreamKms;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [2016-2-28 28216]
S3 NvStreamNetworkSvc;NVIDIA Streamer Network Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [2016-2-28 3634232]
S3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;C:\WINDOWS\System32\drivers\nvstusb.sys [2015-11-12 460960]
S3 percsas2i;percsas2i;C:\WINDOWS\System32\drivers\percsas2i.sys [2015-10-30 58208]
S3 percsas3i;percsas3i;C:\WINDOWS\System32\drivers\percsas3i.sys [2015-10-30 58720]
S3 PhoneSvc;Phone Service;C:\WINDOWS\System32\svchost.exe -k LocalService [2015-10-30 43944]
S3 pwdspio;pwdspio;C:\WINDOWS\System32\pwdspio.sys [2016-3-5 12504]
S3 ReFSv1;ReFSv1;C:\WINDOWS\System32\drivers\refsv1.sys [2015-10-30 930656]
S3 RetailDemo;Retail Demo Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S3 rzjstk;Razer Virtual Joystick Driver;C:\WINDOWS\System32\drivers\rzjstk.sys [2015-8-13 36568]
S3 rzkeypadendpt;Razer Keypad Endpoint;C:\WINDOWS\System32\drivers\rzkeypadendpt.sys [2015-8-13 46280]
S3 rzvmouse;Razer Virtual Mouse;C:\WINDOWS\System32\drivers\rzvmouse.sys [2015-8-13 42712]
S3 ScDeviceEnum;Smart Card Device Enumeration Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
S3 SensorDataService;Sensor Data Service;C:\WINDOWS\System32\SensorDataService.exe [2015-10-30 1297408]
S3 SensorService;Sensor Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
S3 SerCx2;Serial UART Support Library;C:\WINDOWS\System32\drivers\SerCx2.sys [2015-10-30 155488]
S3 smphost;Microsoft Storage Spaces SMP;C:\WINDOWS\System32\svchost.exe -k smphost [2015-10-30 43944]
S3 SmsRouter;Microsoft Windows SMS Router Service.;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
S3 stornvme;Microsoft Standard NVM Express Driver;C:\WINDOWS\System32\drivers\stornvme.sys [2015-10-30 79200]
S3 storufs;Microsoft Universal Flash Storage (UFS) Driver;C:\WINDOWS\System32\drivers\storufs.sys [2015-10-30 34144]
S3 TieringEngineService;Storage Tiers Management;C:\WINDOWS\System32\TieringEngineService.exe [2015-10-30 290304]
S3 UcmCx0101;USB Connector Manager KMDF Class Extension;C:\WINDOWS\System32\drivers\UcmCx.sys [2016-5-11 63488]
S3 UcmUcsi;USB Connector Manager UCSI Client;C:\WINDOWS\System32\drivers\UcmUcsi.sys [2015-10-30 46592]
S3 UdeCx;USB Device Emulation Support Library;C:\WINDOWS\System32\drivers\Udecx.sys [2015-10-30 45056]
S3 UEFI;Microsoft UEFI Driver;C:\WINDOWS\System32\drivers\uefi.sys [2015-10-30 28512]
S3 Ufx01000;USB Function Class Extension;C:\WINDOWS\System32\drivers\ufx01000.sys [2016-4-12 258912]
S3 UfxChipidea;USB Chipidea Controller;C:\WINDOWS\System32\drivers\UfxChipidea.sys [2015-10-30 94048]
S3 ufxsynopsys;USB Synopsys Controller;C:\WINDOWS\System32\drivers\ufxsynopsys.sys [2016-5-11 131424]
S3 UrsChipidea;Chipidea USB Role-Switch Driver;C:\WINDOWS\System32\drivers\urschipidea.sys [2015-10-30 28512]
S3 UrsCx01000;USB Role-Switch Support Library;C:\WINDOWS\System32\drivers\urscx01000.sys [2015-10-30 57696]
S3 UrsSynopsys;Synopsys USB Role-Switch Driver;C:\WINDOWS\System32\drivers\urssynopsys.sys [2015-10-30 27488]
S3 USBAAPL64;Apple Mobile USB Driver;C:\WINDOWS\System32\drivers\usbaapl64.sys [2015-6-17 54784]
S3 UsoSvc;Update Orchestrator Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S3 vhf;Virtual HID Framework (VHF) Driver;C:\WINDOWS\System32\drivers\vhf.sys [2015-10-30 31744]
S3 vmicguestinterface;Hyper-V Guest Service Interface;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
S3 vmicvmsession;Hyper-V VM Session Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2015-10-30 43944]
S3 WalletService;WalletService;C:\WINDOWS\System32\svchost.exe -k appmodel [2015-10-30 43944]
S3 wdiwifi;WDI Driver Framework;C:\WINDOWS\System32\drivers\WdiWiFi.sys [2016-4-12 694784]
S3 WdNisDrv;Windows Defender Network Inspection System Driver;C:\WINDOWS\System32\drivers\WdNisDrv.sys [2015-10-30 118112]
S3 WdNisSvc;Windows Defender Network Inspection Service;C:\Program Files\Windows Defender\NisSrv.exe [2015-10-30 364464]
S3 WEPHOSTSVC;Windows Encryption Provider Host Service;C:\WINDOWS\System32\svchost.exe -k WepHostSvcGroup [2015-10-30 43944]
S3 WinMad;WinMad Service;C:\WINDOWS\System32\drivers\winmad.sys [2015-10-30 26976]
S3 WinVerbs;WinVerbs Service;C:\WINDOWS\System32\drivers\winverbs.sys [2015-10-30 59232]
S3 workfolderssvc;Work Folders;C:\WINDOWS\System32\svchost.exe -k LocalService [2015-10-30 43944]
S3 WpnService;Windows Push Notifications Service;C:\WINDOWS\System32\svchost.exe -k wswpnservice [2015-10-30 43944]
S3 WSDScan;WSD Scan Support;C:\WINDOWS\System32\drivers\WSDScan.sys [2015-10-30 24576]
S3 XblAuthManager;Xbox Live Auth Manager;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S3 XblGameSave;Xbox Live Game Save;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S3 xboxgip;Xbox Game Input Protocol Driver;C:\WINDOWS\System32\drivers\xboxgip.sys [2016-3-1 238592]
S3 XboxNetApiSvc;Xbox Live Networking Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2015-10-30 43944]
S3 xinputhid;XINPUT HID Filter Driver;C:\WINDOWS\System32\drivers\xinputhid.sys [2016-4-12 26112]
S3 xusb22;Xbox 360 Wireless Receiver Driver Service 22;C:\WINDOWS\System32\drivers\xusb22.sys [2015-10-30 95744]
S4 CDPSvc;Connected Device Platform Service;C:\WINDOWS\System32\svchost.exe -k LocalService [2015-10-30 43944]
S4 tzautoupdate;Auto Time Zone Updater;C:\WINDOWS\System32\svchost.exe -k LocalService [2015-10-30 43944]
=============== Created Last 30 ================
2016-06-08 21:15:30 983488 ----a-w- C:\WINDOWS\System32\NvFBC64.dll
2016-05-31 19:27:40 -------- d-----w- C:\Users\Craig\AppData\Local\Mozilla
2016-05-30 19:16:19 -------- d-----w- C:\Users\Craig\AndroidStudioProjects
2016-05-28 18:58:24 -------- d-----w- C:\Users\Craig\AppData\Roaming\Motorola
2016-05-28 18:58:12 -------- d-----w- C:\Program Files\Motorola Inc
2016-05-28 18:58:12 -------- d-----w- C:\Program Files\Common Files\Motorola Shared
2016-05-28 18:58:11 -------- d-----w- C:\Program Files (x86)\Motorola
2016-05-28 18:57:49 -------- d-----w- C:\Program Files (x86)\ClockworkMod
2016-05-21 12:51:06 -------- d-----w- C:\WINDOWS\LastGood.Tmp
2016-05-21 12:51:03 113216 ----a-w- C:\WINDOWS\System32\nvaudcap64v.dll
2016-05-21 12:51:03 102976 ----a-w- C:\WINDOWS\SysWow64\nvaudcap32v.dll
2016-05-21 10:12:17 -------- d-----w- C:\Users\Craig\.android
2016-05-21 10:11:55 -------- d-----w- C:\Program Files (x86)\Android
2016-05-21 09:14:25 96776 ----a-w- C:\WINDOWS\System32\drivers\IntelHaxm.sys
2016-05-19 18:02:29 1167568 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{810AB943-E061-43AC-8509-9380496C2815}\gapaengine.dll
2016-05-19 18:02:22 11695896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CA679C53-E7AC-41EC-9A55-8BF8213EF940}\mpengine.dll
2016-05-16 17:55:23 11695896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
==================== Find3M ====================
2016-06-04 00:51:14 13553096 ----a-w- C:\WINDOWS\System32\drivers\nvlddmkm.sys
2016-06-03 03:59:19 6364216 ----a-w- C:\WINDOWS\System32\nvcpl.dll
2016-06-03 03:59:19 2455608 ----a-w- C:\WINDOWS\System32\nvsvc64.dll
2016-06-03 03:59:17 81856 ----a-w- C:\WINDOWS\System32\nv3dappshextr.dll
2016-06-03 03:59:17 69568 ----a-w- C:\WINDOWS\System32\nvshext.dll
2016-06-03 03:59:17 534072 ----a-w- C:\WINDOWS\System32\nv3dappshext.dll
2016-06-03 03:59:17 392128 ----a-w- C:\WINDOWS\System32\nvmctray.dll
2016-06-03 03:59:17 1762752 ----a-w- C:\WINDOWS\System32\nvsvcr.dll
2016-06-03 03:59:17 1352760 ----a-w- C:\WINDOWS\System32\nvvsvc.exe
2016-06-03 03:59:09 6452948 ----a-w- C:\WINDOWS\System32\nvcoproc.bin
2016-06-03 03:28:41 111552 ----a-w- C:\WINDOWS\SysWow64\nvStreaming.exe
2016-05-11 19:57:14 829944 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerApp.exe
2016-05-11 19:57:14 176632 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
2016-05-06 04:53:48 95072 ----a-w- C:\WINDOWS\System32\drivers\sdport.sys
2016-05-06 04:05:35 241664 ----a-w- C:\WINDOWS\SysWow64\cryptngc.dll
2016-05-06 04:03:20 649216 ----a-w- C:\WINDOWS\System32\ngcsvc.dll
2016-05-06 03:53:21 351232 ----a-w- C:\WINDOWS\System32\NgcCtnr.dll
2016-05-06 03:49:14 289792 ----a-w- C:\WINDOWS\System32\NgcCtnrSvc.dll
2016-05-06 03:44:10 582656 ----a-w- C:\WINDOWS\System32\ngccredprov.dll
2016-05-06 03:43:46 320000 ----a-w- C:\WINDOWS\System32\cryptngc.dll
2016-05-06 03:23:53 76288 ----a-w- C:\WINDOWS\System32\ngcpopkeysrv.dll
2016-05-04 02:23:30 129824 ----a-w- C:\WINDOWS\SysWow64\vulkan-1.dll
2016-05-04 02:23:30 129824 ----a-w- C:\WINDOWS\SysWow64\vulkan-1-1-0-11-1.dll
2016-05-04 02:22:58 40224 ----a-w- C:\WINDOWS\SysWow64\vulkaninfo.exe
2016-05-04 02:22:58 40224 ----a-w- C:\WINDOWS\SysWow64\vulkaninfo-1-1-0-11-1.exe
2016-05-04 02:22:42 130848 ----a-w- C:\WINDOWS\System32\vulkan-1.dll
2016-05-04 02:22:42 130848 ----a-w- C:\WINDOWS\System32\vulkan-1-1-0-11-1.dll
2016-05-04 02:22:10 45344 ----a-w- C:\WINDOWS\System32\vulkaninfo.exe
2016-05-04 02:22:10 45344 ----a-w- C:\WINDOWS\System32\vulkaninfo-1-1-0-11-1.exe
2016-05-02 05:39:01 1377800 ----a-w- C:\WINDOWS\SysWow64\nvspcap.dll
2016-05-02 05:39:01 1316184 ----a-w- C:\WINDOWS\SysWow64\nvspbridge.dll
2016-05-02 05:38:42 1767944 ----a-w- C:\WINDOWS\System32\nvspcap64.dll
2016-05-02 05:38:42 1756608 ----a-w- C:\WINDOWS\System32\nvspbridge64.dll
2016-05-02 05:38:42 112032 ----a-w- C:\WINDOWS\System32\NvRtmpStreamer64.dll
2016-04-30 13:57:38 110144 ----a-w- C:\WINDOWS\System32\WindowsAccessBridge-64.dll
2016-04-30 06:42:19 1387520 ----a-w- C:\WINDOWS\System32\win32kbase.sys
2016-04-30 06:31:37 3591168 ----a-w- C:\WINDOWS\System32\win32kfull.sys
2016-04-28 19:22:57 237488 ----a-w- C:\WINDOWS\System32\drivers\klhk.sys
2016-04-23 06:12:45 294592 ----a-w- C:\WINDOWS\System32\invagent.dll
2016-04-23 06:12:45 190144 ----a-w- C:\WINDOWS\System32\DeviceCensus.exe
2016-04-23 06:12:45 1401024 ----a-w- C:\WINDOWS\System32\appraiser.dll
2016-04-23 06:12:45 1184960 ----a-w- C:\WINDOWS\System32\aeinv.dll
2016-04-23 06:12:44 92352 ----a-w- C:\WINDOWS\System32\acmigration.dll
2016-04-23 06:12:44 713920 ----a-w- C:\WINDOWS\System32\generaltel.dll
2016-04-23 06:12:44 514752 ----a-w- C:\WINDOWS\System32\devinv.dll
2016-04-23 06:12:44 46784 ----a-w- C:\WINDOWS\System32\CompatTelRunner.exe
2016-04-23 05:28:43 1542816 ----a-w- C:\WINDOWS\SysWow64\ntdll.dll
2016-04-23 05:28:40 1557768 ----a-w- C:\WINDOWS\SysWow64\KernelBase.dll
2016-04-23 05:26:12 707608 ----a-w- C:\WINDOWS\SysWow64\rpcrt4.dll
2016-04-23 05:24:45 7474528 ----a-w- C:\WINDOWS\System32\ntoskrnl.exe
2016-04-23 05:24:41 1997328 ----a-w- C:\WINDOWS\System32\KernelBase.dll
2016-04-23 05:24:37 99680 ----a-w- C:\WINDOWS\System32\drivers\pdc.sys
2016-04-23 05:24:37 638816 ----a-w- C:\WINDOWS\System32\drivers\fvevol.sys
2016-04-23 05:24:28 1819208 ----a-w- C:\WINDOWS\System32\ntdll.dll
2016-04-23 05:24:16 335712 ----a-w- C:\WINDOWS\System32\drivers\fastfat.sys
2016-04-23 05:24:13 754664 ----a-w- C:\WINDOWS\System32\CoreMessaging.dll
2016-04-23 05:22:15 1161120 ----a-w- C:\WINDOWS\System32\rpcrt4.dll
2016-04-23 05:13:12 306832 ----a-w- C:\WINDOWS\SysWow64\wlanapi.dll
2016-04-23 05:13:01 84832 ----a-w- C:\WINDOWS\SysWow64\NetSetupApi.dll
2016-04-23 05:13:01 502104 ----a-w- C:\WINDOWS\SysWow64\NetSetupEngine.dll
2016-04-23 05:12:48 413536 ----a-w- C:\WINDOWS\System32\wifitask.exe
2016-04-23 05:12:42 451928 ----a-w- C:\WINDOWS\SysWow64\MFCaptureEngine.dll
2016-04-23 05:12:33 925064 ----a-w- C:\WINDOWS\SysWow64\mfplat.dll
2016-04-23 05:11:52 390496 ----a-w- C:\WINDOWS\System32\wlanapi.dll
2016-04-23 05:11:44 696672 ----a-w- C:\WINDOWS\System32\NetSetupEngine.dll
2016-04-23 05:11:43 115040 ----a-w- C:\WINDOWS\System32\NetSetupApi.dll
2016-04-23 05:11:30 1092464 ----a-w- C:\WINDOWS\System32\mfplat.dll
2016-04-23 05:11:27 498960 ----a-w- C:\WINDOWS\System32\MFCaptureEngine.dll
2016-04-23 05:11:14 131424 ----a-w- C:\WINDOWS\System32\drivers\ufxsynopsys.sys
2016-04-23 05:10:41 330072 ----a-w- C:\WINDOWS\System32\drivers\pci.sys
2016-04-23 05:09:39 255168 ----a-w- C:\WINDOWS\SysWow64\LockAppHost.exe
2016-04-23 05:09:36 465760 ----a-w- C:\WINDOWS\SysWow64\SettingSyncHost.exe
2016-04-23 05:09:27 5240960 ----a-w- C:\WINDOWS\SysWow64\windows.storage.dll
2016-04-23 05:09:18 569744 ----a-w- C:\WINDOWS\SysWow64\SHCore.dll
2016-04-23 05:09:18 4074160 ----a-w- C:\WINDOWS\SysWow64\explorer.exe
2016-04-23 05:09:00 565600 ----a-w- C:\WINDOWS\System32\SettingSyncHost.exe
2016-04-23 05:09:00 303216 ----a-w- C:\WINDOWS\System32\LockAppHost.exe
2016-04-23 05:08:45 6605504 ----a-w- C:\WINDOWS\System32\windows.storage.dll
2016-04-23 05:08:41 725776 ----a-w- C:\WINDOWS\System32\SHCore.dll
2016-04-23 05:08:40 4515256 ----a-w- C:\WINDOWS\explorer.exe
2016-04-23 05:07:38 183904 ----a-w- C:\WINDOWS\SysWow64\rsaenh.dll
2016-04-23 05:07:34 1536088 ----a-w- C:\WINDOWS\SysWow64\crypt32.dll
2016-04-23 05:07:26 204048 ----a-w- C:\WINDOWS\System32\rsaenh.dll
2016-04-23 05:07:19 1848072 ----a-w- C:\WINDOWS\System32\crypt32.dll
2016-04-23 0557 291360 ----a-w- C:\WINDOWS\System32\wininit.exe
2016-04-23 05:02:02 188256 ----a-w- C:\WINDOWS\SysWow64\AppxAllUserStore.dll
2016-04-23 05:01:54 217440 ----a-w- C:\WINDOWS\System32\AppxAllUserStore.dll
2016-04-23 05:01:25 619296 ----a-w- C:\WINDOWS\System32\d3d10level9.dll
2016-04-23 05:01:25 1996640 ----a-w- C:\WINDOWS\System32\drivers\dxgkrnl.sys
2016-04-23 05:01:17 650304 ----a-w- C:\WINDOWS\System32\dxgi.dll
2016-04-23 05:01:15 393568 ----a-w- C:\WINDOWS\System32\drivers\dxgmms1.sys
2016-04-23 05:01:13 513368 ----a-w- C:\WINDOWS\SysWow64\d3d10level9.dll
2016-04-23 05:01:11 577368 ----a-w- C:\WINDOWS\System32\drivers\dxgmms2.sys
2016-04-23 05:01:10 522176 ----a-w- C:\WINDOWS\SysWow64\dxgi.dll
2016-04-23 05:00:52 1776768 ----a-w- C:\WINDOWS\System32\WindowsCodecs.dll
2016-04-23 05:00:45 550656 ----a-w- C:\WINDOWS\System32\directmanipulation.dll
2016-04-23 05:00:45 1399224 ----a-w- C:\WINDOWS\System32\user32.dll
2016-04-23 05:00:43 1594920 ----a-w- C:\WINDOWS\System32\gdi32.dll
2016-04-23 05:00:43 1522152 ----a-w- C:\WINDOWS\SysWow64\WindowsCodecs.dll
2016-04-23 05:00:40 453472 ----a-w- C:\WINDOWS\SysWow64\directmanipulation.dll
============= FINISH: 6:42:59.06 ===============
Attached Files
File Type: txt attach.txt (13.9 KB, 228 views)
Tathrim is offline  
Sponsored Links
Old 06-10-2016, 03:46 AM   #2
Security Team
tekir06's Avatar
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Tathrim,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download to and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we? Please do the below steps.


Please download AdwCleaner from here and save it to your desktop.

Click the green 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Cleaning
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.


Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Things I need to see in your next post:
  • AdwCleaner[C#].txt
  • FRST.txt
  • Addition.txt
tekir06 is offline  
Old 06-11-2016, 12:52 AM   #3
Registered Member
Join Date: Jan 2010
Posts: 6
OS: Windows 7

Hi Tolga, thanks for the assistnace.

AdwCleaner[C1].txt log:

# AdwCleaner v5.119 - Logfile created 11/06/2016 at 08:39:51
# Updated 30/05/2016 by Xplode
# Database : 2016-06-10.1 [Server]
# Operating system : Windows 10 Pro (X64)
# Username : Craig - CRAIG-DESKTOP
# Running from : C:\Users\Craig\Desktop\AdwCleaner.exe
# Option : Clean
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{649CCF8F-C1C9-4275-88B7-31CA8B31154C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F44DC845-F9E1-4907-8D9C-1472F72E8326}

***** [ Web browsers ] *****

[-] [C:\Users\Craig\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : uk.ask.com


:: "Tracing" keys deleted
:: Winsock settings cleared


C:\AdwCleaner\AdwCleaner[C1].txt - [998 bytes] - [11/06/2016 08:39:51]
C:\AdwCleaner\AdwCleaner[S1].txt - [1041 bytes] - [11/06/2016 08:38:54]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1143 bytes] ########### AdwCleaner v5.119 - Logfile created 11/06/2016 at 08:39:51
# Updated 30/05/2016 by Xplode
# Database : 2016-06-10.1 [Server]
# Operating system : Windows 10 Pro (X64)
# Username : Craig - CRAIG-DESKTOP
# Running from : C:\Users\Craig\Desktop\AdwCleaner.exe
# Option : Clean
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{649CCF8F-C1C9-4275-88B7-31CA8B31154C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F44DC845-F9E1-4907-8D9C-1472F72E8326}

***** [ Web browsers ] *****

[-] [C:\Users\Craig\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : uk.ask.com


:: "Tracing" keys deleted
:: Winsock settings cleared


C:\AdwCleaner\AdwCleaner[C1].txt - [998 bytes] - [11/06/2016 08:39:51]
C:\AdwCleaner\AdwCleaner[S1].txt - [1041 bytes] - [11/06/2016 08:38:54]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1143 bytes] ##########

The others are attached, as requested.
Attached Files
File Type: txt Addition.txt (43.5 KB, 12 views)
File Type: txt FRST.txt (35.8 KB, 10 views)
Tathrim is offline  
Sponsored Links
Old 06-11-2016, 03:11 PM   #4
Security Team
tekir06's Avatar
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Tathrim,

You're Welcome

I did not see much of a problem in your logs.


I see you have P2P software ( qBittorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features


Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

HKLM-x32\...\Run: [] => [X]
SearchScopes: HKU\S-1-5-21-4288939476-3977357252-1923381630-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FirewallRules: [{294C56E0-F958-4EC1-9AAE-CC08FF8B73D9}] => (Allow) C:\Program Files (x86)\qBittorrent\qbittorrent.exe
FirewallRules: [{3C0C9F99-9953-422E-AE07-2ADE181E4A89}] => (Allow) C:\Program Files (x86)\qBittorrent\qbittorrent.exe
CMD: bitsadmin /reset /allusers
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
tekir06 is offline  
Old 06-12-2016, 01:12 AM   #5
Registered Member
Join Date: Jan 2010
Posts: 6
OS: Windows 7

Hi Tolga,

qBittorrrent is uninstalled. Was only using it for Linux distributions, as that's what they reccommended on their site. I'll switch to something like DownthenAll! for Firefox or something similar in future.

Here's fixresult.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version:10-06-2016
Ran by Craig (2016-06-12 09:04:48) Run:1
Running from C:\Users\Craig\Desktop
Loaded Profiles: Craig (Available Profiles: Craig)
Boot Mode: Normal

fixlist content:
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKU\S-1-5-21-4288939476-3977357252-1923381630-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FirewallRules: [{294C56E0-F958-4EC1-9AAE-CC08FF8B73D9}] => (Allow) C:\Program Files (x86)\qBittorrent\qbittorrent.exe
FirewallRules: [{3C0C9F99-9953-422E-AE07-2ADE181E4A89}] => (Allow) C:\Program Files (x86)\qBittorrent\qbittorrent.exe
CMD: bitsadmin /reset /allusers

Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-4288939476-3977357252-1923381630-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
C:\ProgramData\DP45977C.lfl => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{294C56E0-F958-4EC1-9AAE-CC08FF8B73D9} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3C0C9F99-9953-422E-AE07-2ADE181E4A89} => value not found.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-4288939476-3977357252-1923381630-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-4288939476-3977357252-1923381630-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 5.1 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 0918 ====


Tathrim is offline  
Old 06-12-2016, 11:57 PM   #6
Security Team
tekir06's Avatar
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Tathrim,

Thanks for the log. Please do the below steps.


Please download Malwarebytes Anti-Malware and save it to your desktop.

Double-click mbam-setup- and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:

  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

Click Finish.
At the end of the installation, a database update will be performed.
Click on Scan Now.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.


Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
Click on Advanced Settings
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start
Wait for the scan to finish
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan, and let me know how things are now.


Things I need to see in your next post:
  • MBAM log
  • Eset log
tekir06 is offline  
Old 06-13-2016, 01:20 PM   #7
Registered Member
Join Date: Jan 2010
Posts: 6
OS: Windows 7

ESET log contents:

E:\Users\Craig\Downloads\spsetup126.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application


That's a Speccy installer (and I make sure that I don't have any toolbars installed), otherwise nothing was found. MBAM was clean, as you'll see.
Attached Files
File Type: txt MBAM Scan log.txt (1.0 KB, 9 views)
Tathrim is offline  
Old 06-13-2016, 11:06 PM   #8
Security Team
tekir06's Avatar
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Tathrim,

Please do the following. Then, please tell me How is the machine behaving now? What problems do you still have?

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, 8 or 10; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
tekir06 is offline  
Old 06-15-2016, 10:45 AM   #9
Registered Member
Join Date: Jan 2010
Posts: 6
OS: Windows 7

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Pro x64
Ran by Craig (Administrator) on 15/06/2016 at 18:39:08.54

File System: 1

Successfully deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\search.lnk (Shortcut)

Registry: 3

Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03993315-5CE9-4F00-8790-D14A94F1D91A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03993315-5CE9-4F00-8790-D14A94F1D91A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{001032CB-B0AC-4F2C-A650-AD4B2B26E5DA} (Registry Value)

Scan was completed on 15/06/2016 at 18:39:45.47
End of JRT log

PC now seems to be running OK, thanks. Probably the clearing of temporary application data so Chrome was forced to recreate something completely from scratch, come to think of it (which I should have thought about earlier, rather than being paranoid about malware being the actual cause).
Tathrim is offline  
Old 06-15-2016, 11:34 PM   #10
Security Team
tekir06's Avatar
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Tathrim,

Thanks for the log.
PC now seems to be running OK, thanks.
I'm glad to hear that.

Your reports are clear. Let's remove all tools and logs that we use.


Please download delfix to your desktop.

  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.

Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.



It is very important that you get all of the critical updates for your Operating System. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn on Automatic Updates in Windows 10


Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows



Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to, which is the IP of your local computer. See guide here and for Windows 10 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
tekir06 is offline  
Old 06-18-2016, 04:08 AM   #11
Registered Member
Join Date: Jan 2010
Posts: 6
OS: Windows 7

That all makes sense. Cleanup done. For some reason I didn't get notified of this last post, need to check my spam folders...

Thanks again!
Tathrim is offline  
Old 06-19-2016, 10:57 PM   #12
Security Team
tekir06's Avatar
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)

Hello Tathrim,

You're welcome. I'm glad to help. Thank you for your patience and cooperation.
tekir06 is offline  

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Google Chrome - Facebook slow.
Hey guys, been having an issue with Facebook on google chrome the past 3 days. It's unusable. Very slow loading, constant "spinning" loading icon and when it finally does semi-load (30 mins - 1 hour) the entire layout is all screwed up and interacting with the website causes it to get stuck...
JCarp Windows 7 , Windows Vista Support 12 02-09-2016 02:15 PM
Virus and Trojan problems on my computer
I have been having problems with my computer today. I have run Spybot S&D many times and everytime I run it, it comes up with a malware known as "SmithFraud-C.Generic." It tells me to fix the problem and I do. I run the S&D again to double check and the problem is back. Also, I have run...
MAVSFAN82 Resolved HJT Threads 50 12-30-2011 12:53 PM
Google patches Pwn2Own WebKit bug in Chrome
Google has patched a WebKit flaw in its Chrome browser that was exploited by a multinational team to hack the BlackBerry Torch smartphone at Pwn2Own. Although Chrome was unchallenged at Pwn2Own, the browser relies on the open-source WebKit browser engine, and so needed to be patched. Friday's...
Glaswegian Computer Security News 0 03-14-2011 12:22 PM
[SOLVED] I created a User and cannot now access google chrome browser
Hello there. There was only one user account on my xp system named Administrator. Google chrome browser was installed and working properly. Then I created another user account. (Why I needed new user is a long story). After that there is no user account named Administrator and moreover, with...
bringo Windows XP Support 9 03-05-2011 06:20 PM
Google fixes Chrome flaws before Pwn2Own
Google on Monday patched 19 vulnerabilities in Chrome, paying nine researchers $14,000 in bug bounties for reporting the flaws. As it did last year, Google beefed up the security of its browser a week before the kickoff of Pwn2Own, the annual hacking contest held at the CanSecWest security...
Glaswegian Computer Security News 0 03-02-2011 12:28 PM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off

Post a Question

» Site Navigation
 > FAQ
Powered by vBadvanced CMPS v3.2.3

All times are GMT -7. The time now is 08:18 PM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts