Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


unknown fake processes pretend to belong to "google.inc" & can't be terminated

  • This topic is locked This topic is locked
2 replies to this topic

#1 firzenj


  • Members
  • 6 posts
  • Gender:Male
  • Local time:05:34 AM

Posted 23 October 2014 - 03:03 PM

Hi, Today I occasionally find these weird things in the Process Explorer(PE), and I can tell there must be bad things going on:
I have a habit that keeping the Process Explorer since last time I used it the hold the POWELIKS from wreak havoc. And this time I find something on spot.
Firstly,I find a weird named process “°ntrusted” and its icon is the same to Sogou(an IME tool) imagein the PE, so I viewed the property with PE, then it shows this process belong to "Aogou.inc"(should be Sougo.inc) and "3/4"..(I suspect that A and 3/4 should be some ASCII code) saying this theme does't have signature(in Chinese)... ... I guess I really need to keep an eye on it, so I monitored it for a while and it does changed to a process named “Mandatory” and stealing chrome's icon, and in the property panel it belongs to "Google.inc"& "Aogou.inc" , without signature either. 

here is the screen-print I got for above process. Attached File  sougo.jpg   172.58KB   0 downloads

additionally, the path showed in both property panel are the same but the SGTool.exe is in disk Q...rather than as shown in disk "E?"

the parent & user are weird too. 

So I decide to suspend and kill this process, but failed....then google for some advices, but seemed the browser was fail to connect the internet while the internet connection icon is on and indeed connected```then I disconnected the internet in case the bad trojan/virus was in action...

then I left it alone and went for some lunch`````


Secondly, After I reconnected the internet I found the the  process disappeared, but there came another one, also had the similar but not the same syndrome.

please see the screenprint Attached File  atieclxx.jpg   126.83KB   0 downloads

thx for watching! and this time, it was atieclxx.exe process that be pretended, and showing the weird path&parent &user...



I don't know what to say for this, but I think someone must be interested in this``````

and also one other thing I need to mention is recently there will be black screen and white cursor for a long time to show my desk after I logged in with password. 


All of what I mentioned here indicates that my PC is infected but not ready for a "break-out"..hope Someone can curb it in the bud, thanks a lot!!


DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16584  BrowserJavaVersion: 10.67.2
Run by THINK at 14:39:20 on 2014-10-23
AV: Avira Desktop *Disabled/Outdated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Outdated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
============== Running Processes ================
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\OO Software\Defrag\oodag.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
q:\Program Files\SogouInput\\SogouInput\\SogouCloud.exe
Q:\Program Files\SogouInput\\SogouInput\Components\SGImeGuard\\SGImeGuard.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
Q:\Program Files\Tencent\QQ\QQProtect\Bin\QQProtect.exe
Q:\Program Files\Tencent\QQ\bin\QQ.exe
Q:\Program Files\Tencent\QQ\bin\TXPlatform.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k rpcss
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k iissvcs
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
============== Pseudo HJT Report ===============
uStart Page = about:blank
uDefault_Page_URL = hxxp://www.hao123.com/?tn=91192494_hao_pg
mStart Page = about:blank
uProxyOverride = local;*.local
BHO: QQDownload IE Left Helper: {00000000-12C9-4305-82F9-43058F20E8D2} - q:\program files\tencent\qqdownload\QQIEHelper01.dll
BHO: IE2EMBHO Class: {0A0DDBD3-6641-40B9-873F-BBDD26D6C14E} - q:\program files\easymule\modules\IE2EM.dll
BHO: ExplorerWnd Helper: {10921475-03CE-4E04-90CE-E2E7EF20C814} - q:\program files\iobit\iobit uninstaller\UninstallExplorer32.dll
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\\BingExt.dll
BHO: WebDetectorBHO Class: {43BEAFD9-E005-483D-A367-146BA6C8A32E} - q:\program files\tudou\飞速tudou\tudouDetector.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: xiamistart Class: {658D2C4F-158A-46FB-8C96-B1C8F56DBBE9} - h:\shark\XiaMiplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: BOC ProcessProtect Class: {776B71E2-B4CC-4C94-BC7C-09103AA690B6} - c:\windows\system32\ProcessProtection.dll
BHO: 迅雷下载支持: {889D2FEB-5411-4565-8998-1DD2C5261283} - q:\program files\thunder network\thunder\bho\XunleiBHO7.99.9.172.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - <orphaned>
BHO: Advanced SystemCare Browser Protection: {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - c:\program files\iobit\surfing protection\browerprotect\ASCPlugin_Protection.dll
BHO: XGBHOer Class: {D688CDAC-8854-46AC-A2D0-DD4B6122F3D0} - c:\users\public\documents\xbho.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: AccountProtectBHO Class: {DDD362CF-523B-4BC9-8FDC-58F93B6BC945} - c:\users\think\appdata\roaming\tencent\qq\qqantiphishing\AccountProtect.dll
BHO: 迅雷下载支持组件: {DE05CF4A-7B0A-4775-B5E5-396244938679} - q:\program files\thunder network\thunder\thunder bho platform\np_tdieplat.dll
BHO: BHOImpl Class: {E1499FE7-129D-4B6E-B681-DDF21E14172C} - c:\users\think\documents\itools\plugin\iToolsBHO.dll
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - c:\program files\microsoft\bingbar\\BingExt.dll
uRun: [Adobe Acrobat Synchronizer] "q:\program files\adobe.acrobat.x.pro\acrobat\AdobeCollabSync.exe"
uRun: [ctfmon] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\stk02n~1.lnk - c:\windows\stk02n\STK02NM.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
uPolicies-Explorer: AlwaysShowClassicMenu = dword:0
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: EnableShellExecuteHooks = dword:1
mPolicies-Explorer: OldEnableShellExecuteHooks = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableCAD = dword:1
mPolicies-System: EnableSecureUIAPath = dword:1
IE: &U使用米人下载并收藏 - q:\program files\namirobot\data\du.html
IE: &使用&迅雷下载 - q:\program files\thunder network\thunder\bho\\GetUrl.htm
IE: &使用&迅雷下载全部链接 - q:\program files\thunder network\thunder\bho\\GetAllUrl.htm
IE: &使用&迅雷离线下载 - q:\program files\thunder network\thunder\bho\OfflineDownload.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: 使用旋风下载(&X) - q:\program files\tencent\qqdownload\xfgeturl.htm
IE: 使用旋风下载全部链接(&Q) - q:\program files\tencent\qqdownload\xfgetAllurl.htm
IE: 使用旋风极速下载(会员特权)(&J) - q:\program files\tencent\qqdownload\xftopspeed.htm
IE: 使用电驴下载 - q:\program files\easymule\IE2EM.htm
IE: 保存到旋风空间(会员特权)(&K) - q:\program files\tencent\qqdownload\xfofflineonly.htm
IE: 图像发送到 Bluetooth 设备(&B)... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: 导出到 Microsoft Excel(&X) - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: 导出到 Microsoft Office Excel(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: 页面发送到 Bluetooth 设备(&B)... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print 2.0\smartprintsetup.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - c:\program files\pplive\pptv\PPLive.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
Trusted Zone: alipay.com
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
Trusted Zone: taobao.com
DPF: HighSpeedDownloadIE - hxxp://st2.dbank.com/netdisk/plugin/1011/DBank_downloadplugin.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2B24B8F5-8FAD-4933-8E6C-3CAAEEA4D217} - hxxp://8021x.noc.stonybrook.edu/tools/xc_loader_activex.ocx
DPF: {45D2E7C0-B894-43CE-B64E-F210DBEC8C94} - hxxp://www.activextest.com/activex/ActiveXScanner.CAB
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://mheller.com/mhLbl.cab
DPF: {9E2CD2C3-4DDA-4473-B904-B8E6D0DBAB86} - hxxp://think.lenovo.com.cn/ThinkEDriver/cab/npdueng.cab
DPF: {BBF51028-5890-4817-A2C4-5F3CFCEBD7EF} - hxxp://8021x.noc.stonybrook.edu/tools/xc_loader_activex.ocx
TCP: NameServer =
TCP: Interfaces\{02A11E56-F72B-4333-B0A5-58A7A6EFC4DB} : DHCPNameServer =
Handler: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - q:\program files\kugou7\KuGoo3DownXControl.ocx
Handler: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - q:\program files\kugou7\KuGoo3DownXControl.ocx
Handler: ms-itss - <Clsid value has no data>
Handler: sacore - <Clsid value has no data>
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Notification Packages =  scecli ACGina
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.104\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
============= SERVICES / DRIVERS ===============
R0 BC;BC;c:\windows\system32\drivers\bc.sys [2014-7-20 24472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2011-3-29 20592]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-12-15 37352]
R1 DVDHelp;DVD Video Region CSS free Filter Driver;c:\windows\system32\drivers\DVDHelp.sys [2011-2-4 25624]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-19 13480]
R1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-9-14 75480]
R1 ProtectorA;ProtectorA;c:\windows\system32\drivers\ProtectorA.sys [2011-1-1 15240]
R1 QQProtect;QQProtect;c:\windows\system32\drivers\QQProtect.sys [2013-8-7 215096]
R1 Su1xDriver;Su1xDriver;c:\windows\system32\drivers\Su1xDriver.sys [2011-3-7 6144]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/04/29 19:35:49];q:\program files\cyberlink\powerdvd10\powerdvd10\navfilter\000.fcl [2010-3-13 87536]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-5 172032]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-12-15 430160]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2012-12-15 1021008]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-12-15 97648]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2009-3-18 98304]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-9-14 1871160]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-9-14 968504]
R2 OODefragAgent;O&O Defrag Agent;c:\program files\oo software\defrag\oodag.exe [2011-1-12 2398536]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-9-10 66848]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2010-12-10 1118208]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2014-10-8 232136]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 intelkmd;intelkmd;c:\windows\system32\drivers\igdpmd32.sys [2009-12-10 4747776]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-7-11 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-9-14 114904]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-9-14 51928]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2011-4-30 22016]
R3 NETwNv32;___ Intel® Wireless WiFi Link 5000 系列适配器驱动程序(适用于 Windows Vista 32 位);c:\windows\system32\drivers\NETwNv32.sys [2011-8-3 7341568]
R3 rasuw;ChinaNet WLAN Adapter;c:\windows\system32\drivers\rasuw.sys [2010-2-4 33280]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S2 AntiVirMailService;Avira Mail Protection;c:\program files\avira\antivir desktop\avmailc.exe [2012-12-15 802384]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-12-15 430160]
S2 LiveUpdateSvc;LiveUpdate;c:\program files\iobit\liveupdate\LiveUpdate.exe [2014-7-21 2282272]
S3 AdvancedSystemCareService7;Advanced SystemCare Service 7;q:\program files\iobit\advanced systemcare 7\ASCService.exe [2014-7-21 893216]
S3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [2010-7-1 6656]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-3-19 482176]
S3 bthav;Bluetooth AV 配置文件;c:\windows\system32\drivers\bthav.sys [2008-7-10 34816]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2012-2-26 45736]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2012-2-26 29472]
S3 ImeDictUpdateServiceWR;Microsoft IME Dictionary Update For Web Release;c:\program files\common files\microsoft shared\ime14wr\shared\IMEDICTUPDATE.EXE [2010-2-1 60208]
S3 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2014-9-14 342336]
S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2011-8-24 1230976]
S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2011-4-30 22016]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-10-5 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-10-5 8320]
S3 p2pfilter;p2pfilter;q:\program files\p2pover\p2pfilter.sys [2005-5-10 4524]
S3 PPTVService;PPTVService;c:\windows\system32\svchost.exe -k PPTVServiceGroup [2008-1-20 21504]
S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\RegFilter.sys [2014-9-14 32288]
S3 RoxMediaDB10;RoxMediaDB10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxmediadb10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [?]
S3 Tq_91Assistant;Tq_91Assistant;q:\program files\netdragon\91 mobile\iphone\Tq_91Assistant.sys [2011-8-7 15784]
S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\UrlFilter.sys [2014-9-14 20944]
S3 XLServicePlatform;XLServicePlatform;c:\windows\system32\svchost -k xlserviceplatform --> c:\windows\system32\svchost -k XLServicePlatform [?]
S4 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-3-18 106496]
S4 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-3-18 1680632]
S4 DGPNPSEV;DriverGenius PNP Service;q:\program files\mydrivers\drivergenius2012\DgService.exe [2012-8-16 52664]
S4 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\FileMonitor.sys [2014-9-14 21480]
S4 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;c:\program files\hp\common\HPSupportSolutionsFrameworkService.exe [2014-7-7 72992]
S4 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-14 196912]
S4 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-5-19 58736]
S4 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-9-10 2058776]
=============== Created Last 30 ================
2014-10-16 03:18:59 -------- d-----w- c:\users\think\appdata\local\115ComChrome
2014-10-16 03:17:09 -------- d-----w- c:\programdata\115
2014-10-15 23:21:10 81560 ----a-w- c:\windows\system32\mscories.dll
2014-10-15 23:21:10 156824 ----a-w- c:\windows\system32\mscorier.dll
2014-10-15 23:21:10 1131664 ----a-w- c:\windows\system32\dfshim.dll
2014-10-15 23:20:44 2054656 ----a-w- c:\windows\system32\win32k.sys
2014-10-15 23:10:21 -------- d-----w- c:\windows\system32\MRT
2014-10-15 23:10:05 143360 ----a-w- c:\windows\system32\drivers\fastfat.sys
2014-10-14 19:19:13 -------- d-----w- c:\windows\Downloaded Installations
2014-10-14 06:03:50 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-10-12 17:25:29 -------- d-----w- c:\program files\iPod
2014-10-12 17:25:28 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-10-12 17:20:55 -------- d-----w- c:\program files\Bonjour
2014-10-09 19:35:54 396136 ----a-w- c:\windows\system32\itpcoin82.dll
2014-10-08 23:26:26 -------- d-----w- c:\users\think\appdata\local\zoldowner
2014-10-08 23:20:04 -------- d-----w- c:\users\think\appdata\local\SlimWare Utilities Inc
2014-10-08 23:11:26 348016 ----a-w- c:\windows\system32\drivers\SynTP.sys
2014-10-08 23:11:26 175856 ----a-w- c:\windows\system32\SynTPAPI.dll
2014-10-08 23:11:26 143088 ----a-w- c:\windows\system32\SynTPCo14.dll
2014-10-08 23:11:25 540400 ----a-w- c:\windows\system32\SynCOM.dll
2014-10-08 23:11:25 1048576 ----a-w- c:\windows\system32\syndata.bin
2014-10-08 23:10:13 40936 ----a-w- c:\windows\system32\drivers\point32.sys
2014-10-08 23:09:19 81600 ----a-w- c:\windows\system32\NicInstY.dll
2014-10-08 23:09:19 232136 ----a-w- c:\windows\system32\drivers\e1y6032.sys
2014-10-08 23:08:41 60712 ----a-w- c:\windows\system32\ibmpmctl.exe
2014-10-02 17:18:00 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-28 00:55:50 -------- d-----w- c:\users\think\appdata\local\ShooterDownloader
==================== Find3M  ====================
2014-10-23 17:08:46 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-14 06:03:16 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-01 15:11:20 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-01 15:11:10 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-26 14:51:14 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-26 14:51:14 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-19 22:44:32 1810432 ----a-w- c:\windows\system32\jscript9.dll
2014-09-19 22:38:15 1129472 ----a-w- c:\windows\system32\wininet.dll
2014-09-19 22:37:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2014-09-19 22:36:04 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2014-09-19 22:35:46 421376 ----a-w- c:\windows\system32\vbscript.dll
2014-09-19 22:34:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-09-19 22:34:22 11776 ----a-w- c:\windows\system32\mshta.exe
2014-09-17 17:52:50 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-09-17 03:10:38 297984 ----a-w- c:\windows\system32\gdi32.dll
2014-09-16 16:56:02 66560 ----a-w- c:\windows\system32\packager.dll
2014-09-11 03:44:39 0 ----a-w- c:\windows\system32\nsyF3B8.tmp
2014-08-27 01:48:56 638400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-08-27 01:48:56 37376 ----a-w- c:\windows\system32\cdd.dll
2014-08-27 01:48:29 82432 ----a-w- c:\windows\system32\consent.exe
2014-08-27 01:48:29 332800 ----a-w- c:\windows\system32\msihnd.dll
2014-08-27 01:48:29 33280 ----a-w- c:\windows\system32\appinfo.dll
2014-08-27 01:48:29 2263552 ----a-w- c:\windows\system32\msi.dll
2014-08-27 01:48:29 1993728 ----a-w- c:\windows\system32\authui.dll
2014-08-27 01:43:09 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2014-08-27 01:42:15 506880 ----a-w- c:\windows\system32\qedit.dll
2014-08-27 01:42:03 1401344 ----a-w- c:\windows\system32\msxml6.dll
2014-08-27 01:42:03 1248768 ----a-w- c:\windows\system32\msxml3.dll
2014-08-27 01:41:50 502784 ----a-w- c:\windows\system32\usp10.dll
2014-08-27 01:41:36 915392 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-08-27 01:41:36 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2014-08-27 01:40:19 876032 ----a-w- c:\windows\system32\wer.dll
2014-08-19 05:50:16 3695208 ----a-w- c:\windows\system32\SogouPY.ime
2014-07-28 18:52:00 6112072 ----a-w- c:\windows\system32\usbaaplrc.dll
2014-07-28 18:52:00 45056 ----a-w- c:\windows\system32\drivers\usbaapl.sys
============= FINISH: 14:41:01.32 ===============
Attached File  attach.txt   12.29KB   0 downloads




BC AdBot (Login to Remove)



#2 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,557 posts
  • Gender:Male
  • Local time:06:34 AM

Posted 28 October 2014 - 03:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/553062 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,557 posts
  • Gender:Male
  • Local time:06:34 AM

Posted 28 October 2014 - 04:41 PM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users