SVCHost.exe keep spawning in Windows/temp folder(Claymore CryptoNote CPU Miner)


13 replies to this topic

#1 Jingjue

Posted 13 February 2015 - 03:19 PM

Hello all,
 
I seem to have the same problem as Mookid and Rombbb.
 
http://www.bleepingcomputer.com/forums/t/564565/claymore-cryptonote-cpu-miner-v34-beta-infection/#entry3611143
http://www.bleepingcomputer.com/forums/t/519446/svchostexe-virus-in-windows-temp-folder-wont-go-away/
 
Before anything else, I sincerely thank all in advance for the assistance; it is very respectable for you guys to help out with your expertise.
 
I have read through the forums and understand that torrent clients are not allowed. I have since uninstalled them, together with all cracked games. (However, I still see uTorrent in the log even though I deleted it; not sure why.)
 
I downloaded FRST, saved it on my Desktop, ran it, and these are the logs, as follows:
-----------------------------------------------------------------------------------------------------------------------------
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-02-2015
Ran by xxxx (administrator) on xxxx-PC on 14-02-2015 04:02:47
Running from C:\Users\xxxx\Desktop
Loaded Profiles: xxxx & UpdatusUser (Available profiles: xxxx & UpdatusUser & DefaultAppPool)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvwmi64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvwmi64.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Nitro PDF Software) C:\Program Files\Nitro\Pro 9\NitroPDFDriverService9x64.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
() C:\Windows\SysWOW64\PnkBstrA.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Dell Inc.) C:\Program Files\Dell\Dell System Manager\DCPSysMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Dell Inc.) C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe
(Dropbox, Inc.) C:\Users\xxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Microsoft Corporation) C:\Windows\System32\schtasks.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(O2Micro International) C:\Windows\System32\o2flash.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [698712 2013-02-21] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Trend Micro Titanium] => C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe [1382568 2013-09-16] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [216928 2013-08-29] (Trend Micro Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292088 2013-02-22] (Intel Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [413827 2009-07-08] (Creative Technology Ltd)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [Launcher] => C:\Program Files (x86)\Fuji Xerox\DocuPrint SSW2\Launcher\fxlaunch.exe [2571264 2011-04-06] (Fuji Xerox Co., Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [508800 2014-12-17] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\...\Run: [DAEMON Tools Lite] => E:\2nd - Program Files\DAEMON Tools lite\DTLite.exe [3675352 2013-10-28] (Disc Soft Ltd)
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\...\Run: [uTorrent] => "C:\Users\xxxx\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\...\MountPoints2: {2528c26b-8695-11e3-b84c-2016d89345bd} - F:\setup.exe
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\...\MountPoints2: {354d15f0-7434-11e3-885c-91ad9d187494} - G:\LaunchU3.exe -a
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\...\MountPoints2: {5e9f3b43-0e73-11e3-9633-2016d89345bd} - F:\SETUP.EXE
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\...\MountPoints2: {7fa836e8-398b-11e4-8ce3-2016d89345bd} - G:\IDSaferSetup_SF.exe
Lsa: [Notification Packages] scecli C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell System Manager.lnk
ShortcutTarget: Dell System Manager.lnk -> C:\Program Files\Dell\Dell System Manager\DCPSysMgr.exe (Dell Inc.)
Startup: C:\Users\xxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\xxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\xxxx\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\xxxx\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\xxxx\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\xxxx\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\xxxx\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\xxxx\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\xxxx\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe64.dll (Trend Micro Inc.)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll (Trend Micro Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe32.dll (Trend Micro Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKU\S-1-5-21-2774165845-4238026228-1461358309-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe64.dll (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe32.dll (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll (Trend Micro Inc.)
Handler-x32: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF ProfilePath: C:\Users\xxxx\AppData\Roaming\Mozilla\Firefox\Profiles\oz1m6rye.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 9\npnitromozilla.dll (Nitro PDF)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2774165845-4238026228-1461358309-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\xxxx\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Extension: YouTube Center - C:\Users\xxxx\AppData\Roaming\Mozilla\Firefox\Profiles\oz1m6rye.default\Extensions\jid1-cwbvBTE216jjpg@jetpack.xpi [2014-10-04]
FF Extension: Tamper Data - C:\Users\xxxx\AppData\Roaming\Mozilla\Firefox\Profiles\oz1m6rye.default\Extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}.xpi [2014-01-16]
FF HKLM\...\Firefox\Extensions: [tmbepff-7.5@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\firefoxextension
FF Extension: Trend Micro BEP Firefox Extension - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\firefoxextension [2014-05-04]
FF HKLM-x32\...\Firefox\Extensions: [tmbepff-7.5@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\firefoxextension
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension [2014-05-04]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSuggestURL: Default -> http://ssmsp.ask.com/query?sstype=prefix&li=ff&q={searchTerms}
CHR Profile: C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-01]
CHR Extension: (YouTube) - C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-08-26]
CHR Extension: (Google Search) - C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-08-26]
CHR Extension: (EditThisCookie) - C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2013-08-27]
CHR Extension: (Google Wallet) - C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26]
CHR Extension: (VEGA Conflict) - C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojnhjmhhejnacfimcjhjbcphfnndhfec [2014-02-15]
CHR Extension: (Gmail) - C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-08-26]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 FXNADB; C:\Program Files (x86)\Fuji Xerox\DocuPrint SSW2\SimpleMonitor for AP\fxksmdb.exe [95744 2011-04-01] () [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S4 mpich2_smpd; C:\Program Files (x86)\MPICH2\bin\smpd.exe [1135616 2007-01-31] () [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2013-05-16] (Hewlett-Packard) [File not signed]
R2 NitroDriverReadSpool9; C:\Program Files\Nitro\Pro 9\NitroPDFDriverService9x64.exe [230920 2014-07-16] (Nitro PDF Software)
S4 NitroUpdateService; C:\Program Files\Nitro\Pro 9\Nitro_UpdateService.exe [417800 2014-07-16] ()
R2 NVWMI; C:\Windows\system32\nvwmi64.exe [1290016 2013-12-04] (NVIDIA Corporation)
R2 O2FLASH; C:\Windows\system32\o2flash.exe [244328 2011-11-16] (O2Micro International)
S4 O2SDIOAssist; C:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] () [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2013-05-16] (Hewlett-Packard) [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-03-18] ()
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-03-01] (Riverbed Technology, Inc.)
S3 TunnelBearMaintenance; C:\Program Files (x86)\TunnelBear\TBear.Maintenance.exe [26048 2014-08-12] ()
S3 wampapache; E:\2nd - Program Files\wamp\bin\apache\apache2.4.4\bin\httpd.exe [24576 2013-06-23] (Apache Software Foundation) [File not signed]
S4 wampmysqld; E:\2nd - Program Files\wamp\bin\mysql\mysql5.6.12\bin\mysqld.exe [12867584 2013-06-23] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [X]
S4 HiPatchService; E:\GAMES\HiPatchService.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [165688 2013-08-26] (Broadcom Corporation.)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-01-26] (Disc Soft Ltd)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
S3 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
R1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [300320 2013-12-04] (NVIDIA Corporation)
R3 ST_ACCEL; C:\Windows\System32\DRIVERS\ST_ACCEL.sys [68208 2012-05-21] (STMicroelectronics)
R3 tap-tb-0901; C:\Windows\System32\DRIVERS\tap-tb-0901.sys [38656 2014-08-12] (The OpenVPN Project)
R1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [109072 2013-09-04] (Trend Micro Inc.)
R0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [175528 2013-09-04] (Trend Micro Inc.)
R0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC64.sys [46392 2012-08-24] (Trend Micro Inc.)
R1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [77184 2013-09-04] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105744 2012-05-03] (Trend Micro Inc.)
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [115488 2014-03-26] (Oracle Corporation)
R3 wbfcvusbdrv; C:\Windows\System32\Drivers\wbfcvusbdrv.sys [17120 2013-03-07] ()
U2 TMAgent; No ImagePath
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-14 04:02 - 2015-02-14 04:02 - 00021786 _____ () C:\Users\xxxx\Desktop\FRST.txt
2015-02-14 03:58 - 2015-02-14 03:27 - 02134016 _____ (Farbar) C:\Users\xxxx\Desktop\FRST64.exe
2015-02-14 03:27 - 2015-02-14 04:02 - 00000000 ____D () C:\FRST
2015-02-14 03:27 - 2015-02-14 03:27 - 02134016 _____ (Farbar) C:\Users\xxxx\Downloads\FRST64.exe
2015-02-14 03:12 - 2015-01-09 11:14 - 00950272 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll
2015-02-14 03:12 - 2015-01-09 11:14 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll
2015-02-14 03:12 - 2015-01-09 11:14 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll
2015-02-14 03:12 - 2015-01-09 10:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdi.dll
2015-02-14 03:10 - 2015-02-14 03:10 - 00304848 _____ () C:\Windows\Minidump\021415-12324-01.dmp
2015-02-13 23:46 - 2015-02-14 00:16 - 04481712 _____ (MetaQuotes Software Corp.) C:\Windows\system32\MetaViewer64.dll
2015-02-13 23:43 - 2015-02-14 00:16 - 00000000 ____D () C:\Users\xxxx\AppData\Roaming\MetaQuotes
2015-02-13 23:39 - 2015-02-13 23:39 - 00478160 _____ (MetaQuotes Software Corp.) C:\Users\xxxx\Downloads\mt5setup.exe
2015-02-13 23:26 - 2015-02-13 23:26 - 00504320 _____ () C:\Users\xxxx\Downloads\CURRFX-USDJPY.xls
2015-02-12 12:33 - 2015-01-23 12:42 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-12 12:33 - 2015-01-23 12:41 - 06041600 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-12 12:33 - 2015-01-23 11:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-02-12 12:33 - 2015-01-23 11:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-02-11 20:52 - 2015-02-14 02:20 - 00000000 ____D () C:\Users\xxxx\AppData\Roaming\.Tribler
2015-02-11 20:46 - 2015-02-11 20:46 - 51651978 _____ () C:\Users\xxxx\Downloads\Tribler_6.4.3.exe
2015-02-11 18:00 - 2015-02-11 18:00 - 00000165 ____H () C:\Users\xxxx\Desktop\~$Batam.xlsx
2015-02-11 15:38 - 2015-02-04 11:16 - 00894976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-02-11 15:38 - 2015-02-04 11:16 - 00762368 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-02-11 15:38 - 2015-02-04 11:16 - 00609280 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-02-11 15:38 - 2015-02-04 11:16 - 00414720 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-02-11 15:38 - 2015-02-04 11:16 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-02-11 15:38 - 2015-02-04 11:16 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-02-11 15:38 - 2015-02-04 11:13 - 01098752 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-02-11 15:38 - 2015-01-28 07:36 - 01239720 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2015-02-11 15:38 - 2015-01-14 13:47 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-11 15:38 - 2015-01-14 13:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-11 15:38 - 2015-01-12 11:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-11 15:38 - 2015-01-12 11:05 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-11 15:38 - 2015-01-12 11:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-11 15:38 - 2015-01-12 10:49 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-11 15:38 - 2015-01-12 10:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-11 15:38 - 2015-01-12 10:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-11 15:38 - 2015-01-12 10:48 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-11 15:38 - 2015-01-12 10:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-11 15:38 - 2015-01-12 10:40 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-11 15:38 - 2015-01-12 10:39 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-11 15:38 - 2015-01-12 10:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-11 15:38 - 2015-01-12 10:34 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-11 15:38 - 2015-01-12 10:34 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-11 15:38 - 2015-01-12 10:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-11 15:38 - 2015-01-12 10:25 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-11 15:38 - 2015-01-12 10:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-02-11 15:38 - 2015-01-12 10:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-11 15:38 - 2015-01-12 10:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-11 15:38 - 2015-01-12 10:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-11 15:38 - 2015-01-12 10:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-11 15:38 - 2015-01-12 10:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-11 15:38 - 2015-01-12 10:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-02-11 15:38 - 2015-01-12 10:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-02-11 15:38 - 2015-01-12 10:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-11 15:38 - 2015-01-12 10:04 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-11 15:38 - 2015-01-12 10:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-11 15:38 - 2015-01-12 10:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-02-11 15:38 - 2015-01-12 09:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-02-11 15:38 - 2015-01-12 09:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-02-11 15:38 - 2015-01-12 09:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-02-11 15:38 - 2015-01-12 09:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-11 15:38 - 2015-01-12 09:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-11 15:38 - 2015-01-12 09:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-11 15:38 - 2015-01-12 09:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-11 15:38 - 2015-01-12 09:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-11 15:38 - 2015-01-12 09:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-11 15:38 - 2015-01-12 09:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-11 15:38 - 2015-01-12 09:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-02-11 15:38 - 2015-01-12 09:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-02-11 15:38 - 2015-01-12 09:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-02-11 15:38 - 2015-01-12 09:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-11 15:38 - 2015-01-12 09:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-11 15:38 - 2015-01-12 09:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-11 15:38 - 2015-01-12 09:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-02-11 15:38 - 2015-01-12 09:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-11 15:38 - 2015-01-12 09:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-11 15:38 - 2015-01-12 09:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-11 15:38 - 2015-01-12 09:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-11 15:38 - 2015-01-12 08:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-11 15:38 - 2015-01-12 08:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-11 15:38 - 2015-01-10 14:48 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-11 15:38 - 2015-01-10 14:48 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-11 15:38 - 2015-01-10 14:48 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-11 15:38 - 2015-01-10 14:48 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-11 15:38 - 2015-01-10 14:48 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-11 15:38 - 2015-01-10 14:48 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-11 15:38 - 2015-01-10 14:48 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-11 15:38 - 2015-01-10 14:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-02-11 15:38 - 2015-01-10 14:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-02-11 15:38 - 2015-01-10 14:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-11 15:38 - 2015-01-10 14:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-02-11 15:38 - 2015-01-10 14:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-02-11 15:38 - 2015-01-10 14:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-02-11 15:38 - 2015-01-10 14:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-02-11 15:36 - 2015-01-15 16:14 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-11 15:36 - 2015-01-15 16:14 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-11 15:36 - 2015-01-15 16:09 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-11 15:36 - 2015-01-15 16:09 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-11 15:36 - 2015-01-15 16:09 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-11 15:36 - 2015-01-15 16:09 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-11 15:36 - 2015-01-15 16:09 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-11 15:36 - 2015-01-15 16:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-11 15:36 - 2015-01-15 16:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-11 15:36 - 2015-01-15 16:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-11 15:36 - 2015-01-15 16:04 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-11 15:36 - 2015-01-15 15:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-02-11 15:36 - 2015-01-15 15:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-02-11 15:36 - 2015-01-15 15:41 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-02-11 15:36 - 2015-01-15 15:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-02-11 15:36 - 2015-01-15 15:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-02-11 15:36 - 2015-01-15 15:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-02-11 15:36 - 2015-01-15 12:22 - 00458824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-11 15:36 - 2015-01-13 11:10 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-11 15:36 - 2015-01-13 10:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-02-11 15:36 - 2014-12-12 13:31 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-02-11 15:36 - 2014-12-12 13:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-02-11 15:36 - 2014-11-26 11:53 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-11 15:36 - 2014-11-26 11:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-02-11 15:35 - 2015-01-14 14:09 - 05554112 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-11 15:35 - 2015-01-14 14:05 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-02-11 15:35 - 2015-01-14 14:05 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-02-11 15:35 - 2015-01-14 14:04 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-02-11 15:35 - 2015-01-14 13:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-02-11 15:35 - 2015-01-14 13:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-02-11 15:35 - 2015-01-14 13:41 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-02-11 15:35 - 2015-01-09 10:03 - 03201536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-11 15:35 - 2014-12-08 11:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-11 15:35 - 2014-12-08 10:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-02-09 20:50 - 2015-02-09 20:56 - 00000000 ____D () C:\stuff
2015-02-09 20:46 - 2015-02-09 20:47 - 00000024 _____ () C:\sample.txt
2015-02-09 20:20 - 2015-02-09 20:20 - 00037888 _____ (Soeperman Enterprises Ltd.) C:\Users\xxxx\Downloads\ADSSpy.exe
2015-02-03 17:51 - 2015-02-04 18:26 - 00000000 ____D () C:\Users\xxxx\Desktop\MindMap
2015-02-01 00:42 - 2015-02-01 00:50 - 63889408 _____ () C:\Users\xxxx\Downloads\calibre-2.18.0.msi
2015-02-01 00:31 - 2015-02-01 00:32 - 00000000 ____D () C:\Users\xxxx\AppData\Roaming\XMind
2015-02-01 00:30 - 2015-02-01 00:31 - 00000000 ____D () C:\Program Files (x86)\XMind
2015-02-01 00:30 - 2015-02-01 00:30 - 00000993 _____ () C:\Users\xxxx\Desktop\XMind 6.lnk
2015-02-01 00:30 - 2015-02-01 00:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XMind
2015-02-01 00:17 - 2015-02-01 00:29 - 119220575 _____ (XMind Ltd. ) C:\Users\xxxx\Downloads\xmind-windows-3.5.1.201411201906.exe
2015-01-31 23:35 - 2015-01-31 23:35 - 00001543 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
2015-01-31 23:35 - 2015-01-31 23:35 - 00000000 ____D () C:\Program Files\Wireshark
2015-01-31 23:33 - 2015-01-31 23:35 - 29826488 _____ (Wireshark development team) C:\Users\xxxx\Downloads\Wireshark-win64-1.12.3.exe
2015-01-31 22:36 - 2015-01-31 22:58 - 00000000 ____D () C:\EFSTMPWP
2015-01-31 22:28 - 2015-01-31 22:28 - 01877623 _____ () C:\Users\xxxx\Downloads\WinCmdRef.chm
2015-01-31 18:54 - 2015-01-31 18:54 - 00024449 _____ () C:\Users\xxxx\Downloads\106-08-Cash-Flow-Metrics.xlsx
2015-01-28 21:29 - 2015-01-28 21:29 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-28 21:29 - 2015-01-28 21:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-01-28 21:29 - 2015-01-28 21:29 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-28 03:25 - 2015-01-28 03:26 - 00000000 ____D () C:\Users\xxxx\Desktop\Thumbdrive temp
2015-01-28 03:06 - 2015-01-28 23:10 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-01-28 03:05 - 2015-01-28 23:10 - 00000000 ____D () C:\Users\xxxx\Desktop\mbar
2015-01-28 02:02 - 2015-01-28 02:02 - 00000000 ____D () C:\ProgramData\APN
2015-01-28 01:59 - 2015-01-28 01:59 - 00000000 ____D () C:\Users\xxxx\AppData\Roaming\Oracle
2015-01-28 01:56 - 2015-01-28 01:56 - 00000000 __SHD () C:\Users\xxxx\AppData\Local\EmieBrowserModeList
2015-01-28 00:38 - 2015-02-12 12:30 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-28 00:38 - 2015-01-28 22:47 - 00097496 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-28 00:38 - 2015-01-28 00:38 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-28 00:38 - 2015-01-28 00:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-28 00:38 - 2015-01-28 00:38 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-28 00:38 - 2015-01-28 00:38 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-28 00:38 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-28 00:38 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-27 23:37 - 2015-01-27 23:38 - 00000000 ____D () C:\Users\xxxx\Desktop\Right Side Desktop stuff
2015-01-27 23:08 - 2015-01-27 23:08 - 00003100 _____ () C:\Windows\System32\Tasks\{43A736DA-349A-4FC4-A024-49EAEED0433A}
2015-01-27 23:03 - 2015-01-27 23:03 - 00000219 _____ () C:\Windows\SysWOW64\tmpPrst.tgz
2015-01-27 18:16 - 2015-01-27 18:16 - 00302248 _____ () C:\Windows\Minidump\012715-8143-01.dmp
2015-01-27 18:08 - 2015-01-27 18:09 - 00291606 _____ () C:\Users\xxxx\Downloads\TCPView.zip
2015-01-27 15:01 - 2014-12-19 11:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-27 15:01 - 2014-12-19 09:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-27 15:01 - 2014-12-12 01:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-27 15:01 - 2014-12-06 12:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-27 15:01 - 2014-12-06 11:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-27 15:01 - 2014-12-06 11:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-24 20:58 - 2015-01-24 20:58 - 00000000 ____D () C:\Users\xxxx\AppData\Roaming\Full Control
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-14 03:46 - 2013-08-26 15:14 - 00000000 ____D () C:\Users\xxxx
2015-02-14 03:41 - 2013-08-26 16:31 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-14 03:28 - 2009-07-14 12:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-14 03:28 - 2009-07-14 12:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-14 03:26 - 2009-07-14 13:13 - 00862364 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-14 03:25 - 2013-08-27 01:48 - 00000000 ___RD () C:\Users\xxxx\Dropbox
2015-02-14 03:25 - 2013-08-27 01:47 - 00000000 ____D () C:\Users\xxxx\AppData\Roaming\Dropbox
2015-02-14 03:25 - 2013-08-26 15:13 - 01936584 _____ () C:\Windows\WindowsUpdate.log
2015-02-14 03:22 - 2013-08-26 16:31 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-14 03:21 - 2013-10-25 22:10 - 00000000 _____ () C:\Windows\DCEBOOT.LOG
2015-02-14 03:21 - 2013-08-26 16:31 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-14 03:21 - 2013-08-26 16:05 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-02-14 03:21 - 2009-07-14 13:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-14 03:21 - 2009-07-14 12:51 - 00069441 _____ () C:\Windows\setupact.log
2015-02-14 03:20 - 2013-10-25 21:39 - 00025136 _____ (Trend Micro Inc.) C:\Windows\DCEBoot64.exe
2015-02-14 03:18 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\tracing
2015-02-14 03:14 - 2013-08-26 15:50 - 00854978 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2015-02-14 03:13 - 2013-08-27 01:48 - 00001017 _____ () C:\Users\xxxx\Desktop\Dropbox.lnk
2015-02-14 03:13 - 2013-08-27 01:47 - 00000000 ____D () C:\Users\xxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-02-14 03:10 - 2014-01-03 13:02 - 887748172 _____ () C:\Windows\MEMORY.DMP
2015-02-14 03:10 - 2014-01-03 13:02 - 00000000 ____D () C:\Windows\Minidump
2015-02-14 03:10 - 2010-11-21 11:47 - 00244286 _____ () C:\Windows\PFRO.log
2015-02-14 02:59 - 2014-09-23 02:26 - 00000000 ____D () C:\Users\xxxx\.idlerc
2015-02-14 02:42 - 2013-09-22 15:04 - 00000000 ____D () C:\Users\xxxx\Documents\Outlook Files
2015-02-14 00:18 - 2013-10-25 21:39 - 00236080 _____ (Trend Micro Inc.) C:\Windows\RegBootClean64.exe
2015-02-13 14:17 - 2014-12-30 22:22 - 00000000 ____D () C:\Users\xxxx\Desktop\Stoc Calculus
2015-02-12 04:09 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\rescache
2015-02-12 03:33 - 2014-12-31 08:38 - 00000000 ____D () C:\Windows\system32\appraiser
2015-02-12 03:33 - 2014-05-07 08:26 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-02-12 03:32 - 2014-01-23 14:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-02-12 03:32 - 2013-08-27 10:27 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-12 03:27 - 2009-07-14 12:45 - 00446512 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-12 03:26 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-02-12 03:09 - 2013-08-27 18:18 - 00000000 ____D () C:\ProgramData\Package Cache
2015-02-12 03:08 - 2009-07-14 10:34 - 00000478 _____ () C:\Windows\win.ini
2015-02-12 03:06 - 2013-08-26 16:38 - 00000000 ____D () C:\Windows\system32\MRT
2015-02-12 03:01 - 2013-08-26 16:38 - 116773704 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-02-11 21:50 - 2013-12-05 02:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AspenTech
2015-02-11 21:50 - 2013-12-05 02:25 - 00000000 ____D () C:\ProgramData\AspenTech
2015-02-11 21:50 - 2013-12-05 02:21 - 00000017 ____H () C:\Windows\SysWOW64\servdat.slm
2015-02-11 21:50 - 2013-08-27 10:27 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office
2015-02-11 21:50 - 2009-07-14 10:34 - 00017551 _____ () C:\Windows\system32\Drivers\etc\services
2015-02-11 21:49 - 2013-12-05 02:21 - 00000219 _____ () C:\Windows\SysWOW64\lsprst7.tgz
2015-02-11 21:49 - 2013-12-05 02:21 - 00000205 _____ () C:\Windows\SysWOW64\lsprst7.dll
2015-02-11 21:29 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\Help
2015-02-11 18:04 - 2014-06-21 14:45 - 00000000 ____D () C:\Users\xxxx\AppData\Roaming\Nitro PDF
2015-02-11 15:28 - 2009-07-14 13:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-02-09 18:03 - 2014-09-19 14:47 - 00001062 _____ () C:\Users\xxxx\Desktop\Bitcoin - Shortcut.lnk
2015-02-08 17:58 - 2014-12-30 22:24 - 00000000 ____D () C:\Users\xxxx\Desktop\Investment Banking
2015-02-08 17:10 - 2014-12-30 22:23 - 00000000 ____D () C:\Users\xxxx\Desktop\Business Capstone
2015-02-07 20:00 - 2014-12-21 13:53 - 00000000 ____D () C:\Users\xxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2015-02-07 18:05 - 2013-08-29 15:50 - 00000000 _____ () C:\sparkraw.log
2015-02-07 15:22 - 2013-08-26 16:31 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-07 15:22 - 2013-08-26 16:31 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-07 15:22 - 2013-08-26 16:31 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-07 11:36 - 2013-08-26 16:31 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-07 11:36 - 2013-08-26 16:31 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-06 19:40 - 2013-08-26 16:31 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-06 16:07 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-02-03 01:29 - 2014-11-26 21:02 - 00000000 ____D () C:\Program Files (x86)\TunnelBear
2015-02-02 18:21 - 2013-11-15 09:51 - 00000000 ____D () C:\Users\xxxx\Desktop\TVMO
2015-01-31 23:26 - 2014-01-26 20:12 - 00007668 _____ () C:\Users\xxxx\AppData\Local\Resmon.ResmonCfg
2015-01-28 22:25 - 2013-08-27 18:55 - 00000000 ____D () C:\Users\xxxx\Documents\MATLAB
2015-01-28 03:37 - 2013-10-02 01:43 - 00000000 ____D () C:\Users\xxxx\.VirtualBox
2015-01-28 03:03 - 2009-07-14 13:08 - 00032582 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-01-28 03:02 - 2013-08-26 16:31 - 00000000 ____D () C:\Program Files\Google
2015-01-28 03:02 - 2013-08-26 16:31 - 00000000 ____D () C:\Program Files (x86)\Google
2015-01-28 02:00 - 2014-01-16 12:30 - 00272296 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2015-01-28 02:00 - 2013-10-21 23:28 - 00176552 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2015-01-28 02:00 - 2013-10-21 23:28 - 00176552 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2015-01-28 02:00 - 2013-10-09 15:42 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-28 01:55 - 2013-08-26 16:31 - 00000000 ____D () C:\Users\xxxx\AppData\Local\Google
2015-01-28 01:55 - 2013-08-26 16:31 - 00000000 ____D () C:\ProgramData\Google
2015-01-27 14:59 - 2014-01-16 00:14 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
 
==================== Files in the root of some directories =======
 
2013-08-29 22:05 - 2013-08-29 22:05 - 0000036 _____ () C:\Users\xxxx\AppData\Local\housecall.guid.cache
2014-01-26 20:12 - 2015-01-31 23:26 - 0007668 _____ () C:\Users\xxxx\AppData\Local\Resmon.ResmonCfg
 
Files to move or delete:
====================
C:\Users\xxxx\AppData\Roaming\Origin\update.vbe
 
 
Some content of TEMP:
====================
C:\Users\xxxx\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpppwbzb.dll
C:\Users\xxxx\AppData\Local\Temp\DVDBrowserWizardDLL.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-04 14:52
 
==================== End Of Log ============================



Edited by nasdaq, 28 February 2015 - 10:23 AM.



 


#2 Jingjue


Posted 17 February 2015 - 02:21 PM

Bump. Hi, would anyone be kind enough to help? =(



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,939 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:38 AM

Posted 18 February 2015 - 09:51 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Do you know what this is?
CHR Extension: (VEGA Conflict) - C:\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojnhjmhhejnacfimcjhjbcphfnndhfec [2014-02-15]

If not, then add the following lines to the fix below.
CHR Extension: (VEGA Conflict) - C:\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojnhjmhhejnacfimcjhjbcphfnndhfec [2014-02-15]
C:\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojnhjmhhejnacfimcjhjbcphfnndhfec


===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\...\Run: [uTorrent] => "C:\Users\Gavin\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
Toolbar: HKU\S-1-5-21-2774165845-4238026228-1461358309-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR DefaultSuggestURL: Default -> http://ssmsp.ask.com/query?sstype=prefix&li=ff&q={searchTerms}
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [X]
S4 HiPatchService; E:\GAMES\HiPatchService.exe [X]
U2 TMAgent; No ImagePath
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
Task: {5D79D55A-09E2-4478-82E9-FA27A3A25353} - System32\Tasks\Origin => C:\Users\Gavin\AppData\Roaming\Origin\update.vbe [2015-01-10] () <==== ATTENTION
AlternateDataStreams: C:\sample.txt:secret.txt
AlternateDataStreams: C:\stuff:hide.txt
AlternateDataStreams: C:\Windows:nlsPreferences
C:\Users\Gavin\AppData\Roaming\Origin\update.vbe

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
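Added example (written for this edit; not from the thread, from FRST or from BleepingComputer): a small Python triage helper that reads lines in the format FRST prints and flags the kinds of entries the fixlist above acted on: a scheduled task that launches a script from the user's AppData with no publisher recorded, services and drivers whose binary is gone ([X] or "No ImagePath"), a Run key pointing into the user profile, and alternate data streams. The sample lines are constructed from the fixlist with the user name replaced; the GoogleUpdateTaskMachineUA task line is a constructed benign control that must not be flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format FRST prints: the entries from the fixlist
# above with the user name replaced, plus one constructed benign task line
# (GoogleUpdateTaskMachineUA) as a control that must not be flagged.
SAMPLE_LOG = r"""
HKU\S-1-5-21-2774165845-4238026228-1461358309-1000\...\Run: [uTorrent] => "C:\Users\xxxx\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [X]
S4 HiPatchService; E:\GAMES\HiPatchService.exe [X]
U2 TMAgent; No ImagePath
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
Task: {5D79D55A-09E2-4478-82E9-FA27A3A25353} - System32\Tasks\Origin => C:\Users\xxxx\AppData\Roaming\Origin\update.vbe [2015-01-10] () <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-02-07] (Google Inc.)
AlternateDataStreams: C:\sample.txt:secret.txt
AlternateDataStreams: C:\stuff:hide.txt
AlternateDataStreams: C:\Windows:nlsPreferences
"""

# Extensions run by a script host rather than loaded as an executable image.
SCRIPT_EXT = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1")
# Path fragments a standard user can write to without elevation.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[^}]+)\} - (?P<name>\S+) => (?P<target>.+?) "
    r"\[(?P<date>[\d-]+)\] \((?P<publisher>[^)]*)\)"
)
RUN_RE = re.compile(
    r'^HKU\\(?P<sid>S-[\d-]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => "?(?P<target>[^"]+)'
)
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<host>.+):(?P<stream>[^:\\]+)$")
# Service/driver line: status letter and start-type digit as FRST prints them,
# then "name; path", with a trailing [X] when the binary no longer exists.
SERVICE_RE = re.compile(r"^(?P<kind>[SURI])(?P<start>\d) (?P<name>[^;]+); (?P<path>.*?)(?P<missing> \[X\])?$")

@dataclass(frozen=True)
class Finding:
    kind: str      # task / run / ads / service
    name: str
    severity: str  # high / medium / low
    reason: str

def in_user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)

def is_script(path: str) -> bool:
    return path.lower().rstrip().endswith(SCRIPT_EXT)

def triage_line(line: str) -> Optional[Finding]:
    """Classify one FRST line; None means nothing about it stands out."""
    m = TASK_RE.match(line)
    if m:
        target, publisher = m["target"], m["publisher"].strip()
        reasons = []
        if is_script(target):
            reasons.append("launches a script file")
        if in_user_writable(target):
            reasons.append("target lives in a user-writable location")
        if not publisher:
            reasons.append("no publisher recorded")
        if reasons:
            return Finding("task", m["name"], "high" if len(reasons) >= 2 else "medium", "; ".join(reasons))
        return None
    m = RUN_RE.match(line)
    if m:
        if in_user_writable(m["target"]):
            return Finding("run", m["name"], "medium", "autorun entry points into the user profile")
        return None
    m = ADS_RE.match(line)
    if m:
        return Finding("ads", f'{m["host"]}:{m["stream"]}', "medium", "named stream is hidden from a normal directory listing")
    m = SERVICE_RE.match(line)
    if m and (m["missing"] or m["path"] == "No ImagePath"):
        return Finding("service", m["name"].strip(), "low", "service/driver still registered but its binary is gone")
    return None

def triage(text: str) -> List[Finding]:
    """Run triage_line over every non-blank line and keep the findings."""
    candidates = (triage_line(raw.strip()) for raw in text.splitlines() if raw.strip())
    return [f for f in candidates if f is not None]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.kind:<7} {f.name}: {f.reason}")
```

Only the Origin task reaches "high" (script, user-writable path and no publisher all at once); the orphaned services are "low" because a missing binary is usually leftover registration, not an active threat.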

#4 Jingjue


Posted 20 February 2015 - 12:47 PM

Security Check:
--------------------------------------------------------------------------------
Results of screen317's Security Check version 0.99.96
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Trend Micro Titanium Maximum Security
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java 8 Update 31
Java version 32-bit out of Date!
Java 64-bit 8 Update 31
Adobe Flash Player 16.0.0.305
Adobe Reader XI
Mozilla Firefox 34.0.5 Firefox out of Date!
Google Chrome (40.0.2214.111)
Google Chrome (40.0.2214.115)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamscheduler.exe
Trend Micro AMSP coreServiceShell.exe
Trend Micro UniClient UiFrmWrk uiWatchDog.exe
Trend Micro AMSP coreFrameworkHost.exe
Trend Micro AMSP AMSP_LogServer.exe
Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````



Edited by nasdaq, 20 February 2015 - 01:28 PM.


#5 Jingjue


Posted 20 February 2015 - 12:55 PM

As for how my computer is running these days, I have personally tried to clear some files after I found out about it, and since then, the SVCHost.exe has not been popping up any more.
Actually, this is the second occurrence. The first time, after trying to get rid of it, it stopped popping up for a few months, and I thought it was solved. Then recently it started popping up again, which is why I then sought professional help.

 

By the way, Thank you once again Nasdaq !



#6 nasdaq


Posted 20 February 2015 - 01:29 PM

Looking good.

Ignore this, you have the latest version.
Java 8 Update 31
Java version 32-bit out of Date!

Glad we could help.

#7 Jingjue


Posted 21 February 2015 - 10:15 AM

Hi Nasdaq,

 

Erm... so does that mean my computer is fully cleaned?

'Cause I am kinda afraid it might pop up again like the last time.
Is there a way to see if they still have a backdoor or something like that?

I tried looking for outbound TCP connections and tried to remove some of them, but I'm not sure if I did it right.

 

Best regards,

Jingjue



#8 nasdaq


Posted 21 February 2015 - 02:18 PM

No one can be 100% sure that your computer is clean.

Run this online scan and remove everything that is found.

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings (screenshot not preserved):
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish.
  • A log file is created at the path shown in the screenshot (not preserved).
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

#9 Jingjue


Posted 22 February 2015 - 04:45 AM

Hi Nasdaq,

 

These are the logs, as posted.

Thanks



Edited by Jingjue, 22 February 2015 - 04:45 AM.


#10 nasdaq


Posted 22 February 2015 - 09:23 AM

You should run it again and clean everything that is found.

#11 Jingjue


Posted 22 February 2015 - 02:53 PM

Dear Nasdaq,

 

Alright, will do; they are cleaned. Thank you so much!

 Nasdaq + 1 Good Karma =)

 

Hope you will have a bullish run. Haha.



#12 nasdaq


Posted 23 February 2015 - 09:25 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#13 Jingjue


Posted 25 February 2015 - 04:26 AM

Alright! Thank you!

All the best to you. I greatly appreciate your help.



#14 nasdaq


Posted 25 February 2015 - 09:27 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



