svchost.exe connecting to random IPs

#1 Tatsuyara

Posted 06 November 2015 - 12:12 PM

Recently, every few days, Malwarebytes Anti-Malware (MBAM) has blocked a few outgoing connections to random IPs.

The most recent one belongs to a Russian residential ISP (after checking whois information).

My AV is Avira, I use Anti-Malware, sometimes run RogueKiller and am currently running a SuperAntiSpyware Scan.

Edit: Also, I run Windows 8.1 Enterprise


Edited by Tatsuyara, 06 November 2015 - 12:14 PM.




#2 buddy215


Posted 06 November 2015 - 02:55 PM

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Tatsuyara


Posted 08 November 2015 - 02:21 AM

AdwCleaner:

# AdwCleaner v5.018 - Logfile created 08/11/2015 at 12:44:34
# Updated 05/11/2015 by Xplode
# Database : 2015-11-03.2 [Server]
# Operating system : Windows 8.1 Enterprise  (x64)
# Username : Tri - TATSYARA
# Running from : C:\Users\Tri\Downloads\adwcleaner_5.018.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
[-] File Deleted : C:\Users\Tri\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage
[-] File Deleted : C:\Users\Tri\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal
[-] File Deleted : C:\Users\Tri\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
[-] File Deleted : C:\Users\Tri\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1204 bytes] ##########


#4 Tatsuyara


Posted 08 November 2015 - 02:25 AM

JRT Log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 8.1 Enterprise x64
Ran by Tri on Sun 11/08/2015 at 15:22:46.65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] C:\WINDOWS\SysWOW64\ai_recyclebin
 
 
 
~~~ Chrome
 
 
[C:\Users\Tri\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\Tri\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\Tri\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\Tri\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 11/08/2015 at 15:25:04.72
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#5 buddy215


Posted 09 November 2015 - 06:25 AM

What about the Eset scan results?

 

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.


#6 Tatsuyara


Posted 09 November 2015 - 10:04 AM


Eset didn't give any logs



#7 Tatsuyara


Posted 09 November 2015 - 10:10 AM


Emsisoft Emergency Kit - Version 10.0
Last update: 11/9/2015 11:07:58 PM
User account: TATSYARA\Tri
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 11/9/2015 11:08:14 PM
Value: HKEY_USERS\S-1-5-21-3130692504-4102635578-1406965332-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-3130692504-4102635578-1406965332-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
C:\Users\Tri\Downloads\4K YouTube to MP3 2.10.7.1495 + Portable + Patch + 100% Working\4K YouTube to MP3\Patch\Patch.exe detected: Gen:Variant.Adware.Kazy.621447 (B)
C:\Users\Tri\Downloads\4K.Video.Downloader.v3.6.2.1780-BEAN\Patch.exe detected: Gen:Variant.Adware.Kazy.621447 (B)
 
Scanned 75793
Found 4
 
Scan end: 11/9/2015 11:09:45 PM
Scan time: 0:01:31


#8 buddy215


Posted 09 November 2015 - 10:44 AM

You must do this after the Emsisoft scan is completed: QUOTE...When the scan is finished click the Quarantine selected objects button

 

Be sure these two are selected:

C:\Users\Tri\Downloads\4K YouTube to MP3 2.10.7.1495 + Portable + Patch + 100% Working\4K YouTube to MP3\Patch\Patch.exe detected: Gen:Variant.Adware.Kazy.621447 (B)
C:\Users\Tri\Downloads\4K.Video.Downloader.v3.6.2.1780-BEAN\Patch.exe detected: Gen:Variant.Adware.Kazy.621447 (B)
 

Post the three lists mentioned below using CCleaner after completing the other scans.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste that list in your next post. Please do that.



#9 Tatsuyara


Posted 09 November 2015 - 10:54 AM


Startup:

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run IDMan Tonec Inc. C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
Yes HKCU:Run Skype Skype Technologies S.A. "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
Yes HKCU:Run Spotify Web Helper Spotify Ltd "C:\Users\Tri\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
Yes HKCU:Run Steam Valve Corporation "C:\Program Files (x86)\Steam\steam.exe" -silent
Yes HKLM:Run AdobeAAMUpdater-1.0 Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
Yes HKLM:Run avgnt Avira Operations GmbH & Co. KG "C:\Program Files (x86)\Avira\Antivirus\avgnt.exe" /min
Yes HKLM:Run Avira SystrayStartTrigger Avira Operations GmbH & Co. KG C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe
No HKLM:Run LogMeIn Hamachi Ui LogMeIn Inc. "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
No HKLM:Run Malwarebytes Anti-Exploit Malwarebytes Corporation C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
Yes HKLM:Run SoftEther VPN Client UI Helper SoftEther VPN Project at University of Tsukuba, Japan. "C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe" /uihelp
Yes HKLM:Run SunJavaUpdateSched Oracle Corporation "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Yes Startup Common SoftEther VPN Client Manager Startup.lnk SoftEther VPN Project at University of Tsukuba, Japan. C:\Program Files\SoftEther VPN Client\vpncmgr_x64.exe
Yes Startup User ShareX.lnk ShareX Team G:\Steam\steamapps\common\ShareX\ShareX_Launcher.exe
 
 
 
Scheduled Tasks:
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task CryptoMonitor_SU EasySync Solutions C:\Program Files\EasySync Solutions\EasySync CryptoMonitor\CryptoMonitor.exe /StartMinimized
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
No Task Optimize Start Menu Cache Files-S-1-5-21-3130692504-4102635578-1406965332-1002
 
 
 
Installed:
.NET Reflector Desktop Red Gate Software Ltd 10/22/2015 6.43 MB 8.5.0.179
.NET Reflector Visual Studio Extension 8.5 Red Gate Software Ltd 10/22/2015 4.00 MB 8.5.0.179
4K Stogram 1.9 Open Media LLC 10/26/2015 1.9.4.944
4K Video Downloader 3.6 Open Media LLC 10/13/2015 3.6.2.1780
4K YouTube to MP3 2.10 Open Media LLC 10/15/2015 2.10.7.1495
4Media Video Converter Ultimate 4Media 7.8.11.20150923
7-Zip 9.20 (x64 edition) Igor Pavlov 10/10/2015 4.53 MB 9.20.00.0
Adobe Illustrator CC 2015 Adobe Systems Incorporated 19.0
Audacity 2.1.1 Audacity Team 10/10/2015 2.1.1
Avira Antivirus Avira Operations GmbH & Co. KG 15.0.13.210
Avira Launcher Avira Operations GmbH & Co. KG 10/28/2015 1.1.48.9049
CCleaner Piriform 5.11
Cities - Skylines R.G. Mechanics, markfiter 11/4/2015
Deluge 1.3.12
EasySync CryptoMonitor EasySync Solutions 11/7/2015 2.0.503.0
Entity Framework 6.1.3 Tools  for Visual Studio 2015 Microsoft Corporation 10/15/2015 143 MB 14.0.40302.0
ESET Online Scanner v3
Evernote v. 5.9.1 Evernote Corp. 10/10/2015 233 MB 5.9.1.8742
Far Cry 4 Complete Edition version 1.0.0 Ubisoft 11/4/2015 1.0.0
FileZilla Client 3.14.0 Tim Kosse 3.14.0
foobar2000 v1.3.8 Peter Pawlowski 1.3.8
Games Microsoft Corporation 10/10/2015 2.0.139.0
GIMP 2.8.14 The GIMP Team 10/10/2015 2.8.14
Google Chrome Google, Inc. 10/10/2015 48.7 MB 66.101.32869
Google Drive Google, Inc. 10/21/2015 34.3 MB 1.25.0523.2491
Google Earth Google 10/10/2015 179 MB 7.1.5.1557
IDM Patch 6.25 build 01 SandySeedings Team 10/13/2015 build 01
IIS 10.0 Express Microsoft Corporation 10/15/2015 37.0 MB 10.0.1734
IIS Express Application Compatibility Database for x64
IIS Express Application Compatibility Database for x86
Internet Download Manager Tonec Inc.
Java 8 Update 60 (64-bit) Oracle Corporation 10/10/2015 101 MB 8.0.600.27
Java SE Development Kit 8 Update 60 (64-bit) Oracle Corporation 10/10/2015 310 MB 8.0.600.27
LogMeIn Hamachi LogMeIn, Inc. 11/1/2015 2.2.0.406
Mail, Calendar, and People 10/10/2015
Malwarebytes Anti-Exploit version 1.07.1.1015 Malwarebytes 10/18/2015 1.07.1.1015
Malwarebytes Anti-Malware version 2.2.0.1024 Malwarebytes 10/17/2015 2.2.0.1024
Maps Microsoft Corporation 10/10/2015 2.1.3230.2048
Mathematica Extras 8.0 (2063897) Wolfram Research, Inc. 11/2/2015 8.0.1
MATLAB Production Server R2015a MathWorks 2.1
Metasploit Rapid7 4.11.4
Microsoft .NET Framework 4.5 Multi-Targeting Pack Microsoft Corporation 10/15/2015 41.8 MB 4.5.50710
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack Microsoft Corporation 10/15/2015 49.3 MB 4.5.50932
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (ENU) Microsoft Corporation 10/15/2015 74.5 MB 4.5.50932
Microsoft .NET Framework 4.5.1 SDK Microsoft Corporation 10/15/2015 19.4 MB 4.5.51641
Microsoft .NET Framework 4.5.2 Multi-Targeting Pack Microsoft Corporation 10/15/2015 49.4 MB 4.5.51209
Microsoft .NET Framework 4.5.2 Multi-Targeting Pack (ENU) Microsoft Corporation 10/15/2015 74.4 MB 4.5.51209
Microsoft .NET Framework 4.6 SDK Microsoft Corporation 10/15/2015 20.0 MB 4.6.00081
Microsoft .NET Framework 4.6 Targeting Pack Microsoft Corporation 10/15/2015 40.3 MB 4.6.00081
Microsoft .NET Framework 4.6 Targeting Pack (ENU) Microsoft Corporation 10/15/2015 65.9 MB 4.6.00081
Microsoft .NET Version Manager (x64) 1.0.0-beta5 Microsoft Corporation 10/15/2015 68.0 KB 1.0.10609.0
Microsoft Help Viewer 2.2 Microsoft Corporation 10/15/2015 2.2.23107
Microsoft SQL Server 2012 Command Line Utilities Microsoft Corporation 10/15/2015 876 KB 11.0.2100.60
Microsoft SQL Server 2012 Native Client Microsoft Corporation 10/15/2015 7.19 MB 11.0.2100.60
Microsoft SQL Server 2014 Management Objects Microsoft Corporation 10/15/2015 24.7 MB 12.0.2000.8
Microsoft SQL Server 2014 Management Objects  (x64) Microsoft Corporation 10/15/2015 17.4 MB 12.0.2000.8
Microsoft SQL Server 2014 T-SQL Language Service Microsoft Corporation 10/15/2015 6.65 MB 12.0.2000.8
Microsoft SQL Server 2014 Transact-SQL ScriptDom Microsoft Corporation 10/15/2015 6.17 MB 12.0.2000.8
Microsoft SQL Server Compact 4.0 SP1 x64 ENU Microsoft Corporation 10/15/2015 21.2 MB 4.0.8876.1
Microsoft SQL Server Data Tools - enu (14.0.50616.0) Microsoft Corporation 10/15/2015 29.4 MB 14.0.50616.0
Microsoft System CLR Types for SQL Server 2014 Microsoft Corporation 10/15/2015 5.69 MB 12.0.2402.11
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 11/4/2015 4.89 MB 8.0.59193
Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Corporation 11/1/2015 6.83 MB 8.0.61000
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Corporation 11/8/2015 12.4 MB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Corporation 10/15/2015 13.2 MB 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Corporation 10/11/2015 5.99 MB 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 10/10/2015 10.2 MB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 10/15/2015 8.78 MB 9.0.30729.6161
Microsoft Visual C++ 2010 Redistributable - x64 10.0.40219 Microsoft Corporation 11/4/2015 18.2 MB 10.0.40219
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 Microsoft Corporation 11/4/2015 14.9 MB 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 Microsoft Corporation 11.0.61030.0
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 Microsoft Corporation 11.0.61030.0
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 Microsoft Corporation 12.0.30501.0
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 Microsoft Corporation 12.0.30501.0
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 Microsoft Corporation 14.0.23026.0
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 Microsoft Corporation 14.0.23026.0
Microsoft Visual Studio Professional 2015 Microsoft Corporation 10/15/2015 14.0.23107.10
Microsoft Web Deploy 3.6 Microsoft Corporation 10/15/2015 11.7 MB 3.1238.1955
Microsoft XNA Framework Redistributable 3.1 Microsoft Corporation 10/10/2015 10.0 MB 3.1.10527.0
Microsoft XNA Framework Redistributable 4.0 Microsoft Corporation 10/11/2015 10.5 MB 4.0.20823.0
Minecraft Mojang 10/10/2015 1.22 MB 1.0.3.0
mIRC mIRC Co. Ltd. 7.43
Mozilla Firefox 41.0.1 (x86 en-US) Mozilla 41.0.1
Mozilla Maintenance Service Mozilla 38.3.0
Mozilla Thunderbird 38.3.0 (x86 en-US) Mozilla 38.3.0
MSN Food & Drink Microsoft Corporation 10/10/2015 3.0.4.212
MSN Health & Fitness Microsoft Corporation 10/10/2015 3.0.4.212
MSN Money Microsoft Corporation 10/10/2015 3.0.4.212
MSN News Microsoft Corporation 10/10/2015 3.0.4.213
MSN Sports Microsoft Corporation 10/10/2015 3.0.4.212
MSN Travel Microsoft Corporation 10/10/2015 3.0.4.212
MSN Weather Microsoft Corporation 10/10/2015 3.0.4.214
Music Microsoft Corporation 10/10/2015 2.6.320.0
Notepad++ Notepad++ Team 6.8.3
NVIDIA PhysX NVIDIA Corporation 10/15/2015 69.6 MB 9.12.1031
OneNote Microsoft Corporation 10/10/2015 16.0.3030.1024
OpenVPN 2.3.8-I001 2.3.8-I001
paint.net dotPDN LLC 10/10/2015 26.4 MB 4.0.6
Prerequisites for SSDT Microsoft Corporation 10/15/2015 6.94 MB 12.0.2000.8
PuTTY release 0.65 Simon Tatham 10/10/2015 0.65
Python 2.7.10 Python Software Foundation 10/10/2015 57.1 MB 2.7.10150
Reader Microsoft Corporation 10/10/2015 6.3.9654.17044
Rockstar Games Social Club Rockstar Games 1.1.5.8
Saints Row IV Deep Silver Volition
Skype Skype 10/10/2015 3.1.0.1005
Skype™ 7.12 Skype Technologies S.A. 10/10/2015 75.2 MB 7.12.101
SmartWhois TamoSoft 11/1/2015 5.1
SoftEther VPN Client SoftEther VPN Project 10/13/2015 4.19.9582
Source Dedicated Server Valve
Spotify Spotify AB 10/10/2015 1.0.15.133.gf21970bd
Steam Valve Corporation 2.10.91.91
SUPERAntiSpyware SUPERAntiSpyware.com 6.0.1206
TAP-Windows 9.9.2 9.9.2
TeamViewer 10 TeamViewer 10.0.47484
Terraria Re-Logic
The Ship Outerlight Ltd.
TypeScript Tools for Microsoft Visual Studio 2015 1.6.3.0 Microsoft Corporation 1.6.23313.0
Uplay Ubisoft 4.3
VeraCrypt IDRIX 1.16
Video Microsoft Corporation 10/10/2015 2.6.344.0
VLC media player VideoLAN 2.2.1
WATCH_DOGS Ubisoft
WinDirStat 1.1.2
Windows Alarms Microsoft Corporation 10/10/2015 6.3.9654.20335
Windows Calculator Microsoft Corporation 10/10/2015 6.3.9600.20278
Windows Help+Tips Microsoft Corporation 10/10/2015 6.3.9654.20559
Windows Reading List Microsoft Corporation 10/10/2015 6.3.9654.20540
Windows Scan Microsoft Corporation 10/10/2015 6.3.9600.16422
Windows Sound Recorder Microsoft Corporation 10/10/2015 6.3.9600.20280
WinPcap 4.1.3 CACE Technologies 4.1.0.2980
WinRAR 5.21 (64-bit) win.rar GmbH 5.21.0
WinSCP 5.7.5 Martin Prikryl 10/10/2015 5.7.5
Wolfram Mathematica 8 (M-WIN-L 8.0.1 2063990) Wolfram Research, Inc. 11/2/2015 8.0.1
XAMPP Bitnami 5.6.12-0
 


#10 buddy215


Posted 09 November 2015 - 12:09 PM

Suggest disabling these Windows Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run IDMan Tonec Inc. C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
Yes HKCU:Run Skype Skype Technologies S.A. "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
Yes HKCU:Run Spotify Web Helper Spotify Ltd "C:\Users\Tri\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
Yes HKCU:Run Steam Valve Corporation "C:\Program Files (x86)\Steam\steam.exe" -silent
Yes HKLM:Run AdobeAAMUpdater-1.0 Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
Yes HKLM:Run SunJavaUpdateSched Oracle Corporation "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Yes Startup User ShareX.lnk ShareX Team G:\Steam\steamapps\common\ShareX\ShareX_Launcher.exe
 
Disable These Tasks:

Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler

Update Mozilla Firefox 41.0.1 (x86 en-US) Mozilla 41.0.1


#11 Tatsuyara


Posted 09 November 2015 - 07:40 PM


Done



#12 buddy215


Posted 10 November 2015 - 06:07 AM

Okay...the only thing I see that you haven't confirmed is this:

You must do this after the Emsisoft scan is completed: QUOTE...When the scan is finished click the Quarantine selected objects button

 

Be sure these two are selected:

C:\Users\Tri\Downloads\4K YouTube to MP3 2.10.7.1495 + Portable + Patch + 100% Working\4K YouTube to MP3\Patch\Patch.exe detected: Gen:Variant.Adware.Kazy.621447 (B)
C:\Users\Tri\Downloads\4K.Video.Downloader.v3.6.2.1780-BEAN\Patch.exe detected: Gen:Variant.Adware.Kazy.621447 (B)
 
If you have done that, then please tell me if you are still seeing attempts by your computer to contact a Russian server. If those two items found in Downloads installed or attempted to install, then MBAM may have stopped the install or removed them. You can check MBAM's scan logs to see if they mention Kazy. Let me know if MBAM removed Kazy or not.


#13 Tatsuyara


Posted 10 November 2015 - 07:01 AM


MBAM doesn't seem to report Kazy, but I have done the two steps mentioned above.

So far it's clear: MBAM hasn't blocked any outgoing connections. However, is it possible to check myself, through tools, what IPs svchost is connecting to? Thanks



#14 buddy215


Posted 10 November 2015 - 07:23 AM

Tracking using only the IP address usually works for legit sites. Criminals and others would be using proxies or other means to hide their geo location.

Check out TCPView for Windows. But if you are infected with something serious or a rootkit, the connections may also be hidden. Finding that info would require advanced knowledge of using other means.


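As an added example (not from the thread, and not TCPView's own code), here is a PowerShell script that answers the topic starter's question on Windows 8.1 or later: it lists the remote addresses of established TCP connections owned by svchost.exe processes and maps each one back to the Windows services hosted in that process, using the built-in Get-NetTCPConnection cmdlet and the Win32_Service CIM class. It assumes an elevated prompt (otherwise some service-to-PID mappings are missing); the $ignore pattern and the output column names are this example's own choices.

```powershell
# Added example (not from the thread): tie each svchost.exe network connection
# back to the services running inside that svchost instance, so an unfamiliar
# remote IP can be attributed to a named service rather than just "svchost.exe".
# Assumes Windows 8.1+ (Get-NetTCPConnection comes with the NetTCPIP module)
# and an elevated PowerShell prompt for a complete service-to-PID mapping.

# Remote addresses not worth listing: loopback, unspecified, link-local.
$ignore = '^(127\.|0\.0\.0\.0$|::1$|::$|fe80:|169\.254\.)'

# Build a PID -> service-name list from the Service Control Manager's view.
# Services that are stopped report ProcessId 0 and are skipped.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    if (-not $svcByPid.ContainsKey($_.ProcessId)) { $svcByPid[$_.ProcessId] = @() }
    $svcByPid[$_.ProcessId] += $_.Name
}

# PIDs of every svchost.exe instance currently running.
$svchostPids = @(Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })

# Established (and half-open) TCP connections whose owning process is an svchost.
$rows = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $svchostPids -contains $_.OwningProcess -and $_.RemoteAddress -notmatch $ignore } |
    ForEach-Object {
        $services = $svcByPid[[uint32]$_.OwningProcess]
        if ($services) { $svcText = $services -join ',' }
        else           { $svcText = '(none mapped - run elevated)' }
        [pscustomobject]@{
            PID           = $_.OwningProcess
            Services      = $svcText
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            LocalPort     = $_.LocalPort
            State         = $_.State
        }
    }

$rows | Sort-Object RemoteAddress | Format-Table -AutoSize

# Reverse-resolve each distinct remote address. A Microsoft or CDN hostname is
# reassuring; a residential-ISP PTR record, or no PTR at all, is worth a closer look.
foreach ($addr in ($rows | ForEach-Object { $_.RemoteAddress } | Sort-Object -Unique)) {
    try   { $name = [System.Net.Dns]::GetHostEntry($addr).HostName }
    catch { $name = '(no PTR record)' }
    "{0,-40} {1}" -f $addr, $name
}
```

This reads the same connection table that TCPView and netstat do, so the caveat in the reply above still applies: a kernel-level rootkit can hide entries from all three, and the cross-check is a view from outside the host, such as router or firewall logs.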
