
Random Windows Programs hogging up Memory


  • This topic is locked
4 replies to this topic

#1 arcanefax

arcanefax

  • Members
  • 2 posts

Posted 11 November 2015 - 07:40 PM

Hi all,

My computer's memory is somehow being hogged up by a myriad of Windows programs (Notepad, Console Window Host, CTF Loader, Windows Installer, Microsoft Distributed Transaction Coordinator Service, Windows Presentation Host, Host Process for Windows Tasks). Even Windows Explorer is taking up more than needed. Overall 70% of my memory is taken up (or more), in contrast to the idle 15%. My CPU is also put on a higher load than normal (about 40%-70%). By ending the processes in Task Manager, they just start up again. This has been bugging me for a week now; anybody else have this problem?

* Another interesting note: this problem starts when I connect to the internet. When I unplug my Ethernet, the problem stops when I end the processes.
 
Here's a FRST report of my computer:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-11-2015
Ran by Public (administrator) on HOMEPC (11-11-2015 15:57:42)
Running from C:\Users\Public.HOMEPC\Downloads
Loaded Profiles: Public (Available Profiles: Public & Guest)
Platform: Windows 8.1 Pro (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices) C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2014-05-28] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13636824 2013-07-26] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-08-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [449168 2012-03-26] (CANON INC.)
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Steam] => C:\Games\Steam\steam.exe [3011152 2015-11-09] (Valve Corporation)
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [55349888 2015-09-04] (Skype Technologies S.A.)
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [GoogleChromeAutoLaunch_4DB1639162346A87789C3C589A87DFE5] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [811848 2015-10-20] (Google Inc.)
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Kenoj] => regsvr32.exe "C:\Users\Public.HOMEPC\AppData\Roaming\MiniWfent\UisiNhiv.dll"
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [4M84xNh46B44] => regsvr32.exe /s "C:\PROGRA~3\4M84xNh46B44.dll"
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-27] ()
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [WtbcREqBA119] => regsvr32.exe /s "C:\PROGRA~3\WtbcREqBA119.dll"
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [winhlp32] => C:\ProgramData\winhlp32.exe [4096 2015-11-02] ()
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Spotify Web Helper] => C:\Users\Public.HOMEPC\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2030912 2015-11-03] (Spotify Ltd)
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Spotify] => C:\Users\Public.HOMEPC\AppData\Roaming\Spotify\Spotify.exe [7736128 2015-11-03] (Spotify Ltd)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{92244407-CE49-4543-A356-58B24E967E0F}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-08-27] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-08-27] (Oracle Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2012-10-01] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-08-27] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2012-10-01] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-08-27] (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Public.HOMEPC\AppData\Roaming\Mozilla\Firefox\Profiles\JjpMmwKu.default
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-08-27] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-08-27] (Oracle Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-08-27] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-08-27] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin HKU\S-1-5-21-1230929215-1416684758-364167695-1001: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2015-09-18] ()
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2012-10-01] (Microsoft Corporation)
FF Extension: Avira Browser Safety - C:\Users\Public.HOMEPC\AppData\Roaming\Mozilla\Firefox\Profiles\JjpMmwKu.default\Extensions\abs@avira.com [2015-10-26] [not signed]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-26]
CHR Extension: (Google Docs) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-26]
CHR Extension: (Google Drive) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-20]
CHR Extension: (YouTube) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (uBlock Origin) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2015-11-03]
CHR Extension: (Google Search) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Google Sheets) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-26]
CHR Extension: (Google Docs Offline) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-02]
CHR Extension: (ReChat for Twitch™) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipplilmaapjjklilmmaccfemdmhkoacd [2015-10-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-26]
CHR Extension: (Gmail) - C:\Users\Public.HOMEPC\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-26]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 amdacpusrsvc; C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe [121856 2015-08-03] (Advanced Micro Devices) [File not signed]
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-05-28] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-03] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2015-08-27] ()
S4 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [997568 2014-06-29] (@ByELDI) [File not signed]
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
S4 WTabletServiceCon; C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [656664 2014-08-19] (Wacom Technology, Corp.)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 amdacpksd; C:\Windows\system32\drivers\amdacpksd.sys [297672 2015-08-03] (Advanced Micro Devices)
S0 amdkmafd; C:\Windows\System32\drivers\amdkmafd.sys [21160 2012-09-22] (Advanced Micro Devices, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [102912 2015-07-15] (Advanced Micro Devices)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-03] (Intel Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
S3 WinDivert1.1; C:\Program Files\KMSpico\WinDivert.sys [35376 2015-08-23] (Basil Projects)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-11 15:57 - 2015-11-11 15:57 - 00015237 _____ C:\Users\Public.HOMEPC\Downloads\FRST.txt
2015-11-11 15:57 - 2015-11-11 15:57 - 00000000 ____D C:\FRST
2015-11-11 15:56 - 2015-11-11 15:57 - 02198528 _____ (Farbar) C:\Users\Public.HOMEPC\Downloads\FRST64.exe
2015-11-11 15:54 - 2015-11-11 15:54 - 00138663 _____ C:\Users\Public.HOMEPC\Downloads\Addition (1).txt
2015-11-10 20:22 - 2015-11-10 20:22 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\LocalLow\BitTorrent
2015-11-10 20:09 - 2015-11-10 20:09 - 00279088 _____ C:\Windows\Minidump\111015-16937-01.dmp
2015-11-08 16:06 - 2015-11-08 16:07 - 00000000 _____ C:\Recovery.txt
2015-11-07 21:33 - 2015-11-07 21:33 - 00006907 _____ C:\Users\Public.HOMEPC\Downloads\fixlist.txt
2015-11-07 21:31 - 2015-11-07 21:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-11-07 21:14 - 2015-11-07 21:14 - 00279088 _____ C:\Windows\Minidump\110715-22859-01.dmp
2015-11-07 21:11 - 2015-11-07 21:11 - 00138663 _____ C:\Users\Public.HOMEPC\Downloads\Addition.txt
2015-11-07 21:08 - 2015-11-07 21:08 - 00006907 _____ C:\Users\Public.HOMEPC\Desktop\fixlist.txt
2015-11-06 00:16 - 2015-11-06 00:16 - 00000000 ___HD C:\ProgramData\CanonIJScan
2015-11-06 00:16 - 2015-11-06 00:16 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Roaming\Canon
2015-11-03 22:26 - 2015-11-04 16:50 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Roaming\Spotify
2015-11-03 22:26 - 2015-11-04 16:50 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Local\Spotify
2015-11-03 22:26 - 2015-11-03 22:26 - 00232872 _____ (Spotify Ltd) C:\Users\Public.HOMEPC\Downloads\SpotifySetup.exe
2015-11-03 22:26 - 2015-11-03 22:26 - 00001853 _____ C:\Users\Public.HOMEPC\Desktop\Spotify.lnk
2015-11-03 22:26 - 2015-11-03 22:26 - 00001839 _____ C:\Users\Public.HOMEPC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2015-11-03 18:03 - 2015-11-03 18:03 - 00000000 _____ C:\Users\Public.HOMEPC\AppData\Local\{A387F9A5-830A-4B68-B56F-A75874C5A111}
2015-11-02 16:57 - 2015-11-02 16:57 - 00004096 _____ C:\ProgramData\winhlp32.exe
2015-11-02 16:56 - 2015-11-02 16:56 - 00004096 _____ C:\ProgramData\aspnet_wp.dll
2015-11-02 16:54 - 2015-11-02 16:54 - 00004096 _____ C:\ProgramData\WtbcREqBA119.dll
2015-11-02 16:49 - 2015-11-02 16:49 - 00004096 _____ C:\ProgramData\2QV263H7A119.dll
2015-11-02 16:48 - 2015-11-02 16:48 - 00381952 _____ (Microsoft Corporation) C:\Users\Public.HOMEPC\AppData\Roaming\gnofchod.exe
2015-11-02 16:39 - 2015-11-11 12:38 - 00000000 __RDO C:\Users\Public.HOMEPC\SkyDrive
2015-11-01 23:50 - 2015-11-10 20:09 - 574271861 _____ C:\Windows\MEMORY.DMP
2015-11-01 23:50 - 2015-11-10 20:09 - 00000000 ____D C:\Windows\Minidump
2015-11-01 23:50 - 2015-11-01 23:50 - 00279088 _____ C:\Windows\Minidump\110115-27703-01.dmp
2015-11-01 23:33 - 2015-11-01 23:33 - 00000117 _____ C:\Users\Public.HOMEPC\Downloads\bf3.xyz
2015-10-31 14:44 - 2015-10-31 14:44 - 00000208 _____ C:\Users\Public.HOMEPC\Desktop\Terraria.url
2015-10-27 18:41 - 2015-10-27 18:41 - 00005120 _____ C:\ProgramData\taskhost.exe
2015-10-27 18:39 - 2015-10-27 18:39 - 00004096 _____ C:\ProgramData\4M84xNh46B44.dll
2015-10-27 18:34 - 2015-10-27 18:34 - 00381440 _____ (Microsoft Corporation) C:\Users\Public.HOMEPC\AppData\Roaming\mbuzcvsh.exe
2015-10-27 18:34 - 2015-10-27 18:34 - 00004096 _____ C:\ProgramData\B92WENqn6B44.dll
2015-10-26 22:49 - 2015-10-26 22:49 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Roaming\Mozilla
2015-10-26 22:45 - 2015-10-27 15:50 - 00000000 ____D C:\Program Files (x86)\Avira
2015-10-26 15:33 - 2015-10-26 15:33 - 00005120 _____ C:\Users\Public.HOMEPC\AppData\Roaming\tclgrefg.exe
2015-10-26 15:33 - 2015-10-26 15:33 - 00004096 _____ C:\ProgramData\8hBEUWKAFCD4.dll
2015-10-25 22:23 - 2015-10-25 22:23 - 00011425 _____ C:\Users\Public.HOMEPC\Downloads\PSAT Schedule 2015.xlsx
2015-10-24 15:42 - 2015-10-24 15:42 - 00002837 _____ C:\Users\Public.HOMEPC\Unigine_Heaven_Benchmark_4.0_20151024_1641.html
2015-10-24 10:06 - 2015-10-26 23:05 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Roaming\MiniWfent
2015-10-24 10:06 - 2015-10-24 10:07 - 00000000 ___HD C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
2015-10-24 10:05 - 2015-10-24 10:05 - 00041067 _____ C:\Users\Public.HOMEPC\Downloads\[kat.cr]rebel.galaxy.gog.torrent
2015-10-23 23:31 - 2015-10-24 15:20 - 00000000 ____D C:\Users\Public.HOMEPC\Heaven
2015-10-23 23:29 - 2015-10-24 15:36 - 01065984 _____ C:\Users\Public.HOMEPC\AppData\Local\file__0.localstorage
2015-10-23 23:29 - 2015-10-23 23:29 - 00002133 _____ C:\Users\Public\Desktop\Heaven Benchmark 4.0.lnk
2015-10-23 23:29 - 2015-10-23 23:29 - 00000000 ____D C:\Program Files (x86)\Unigine
2015-10-23 22:58 - 2015-10-23 23:29 - 258728440 _____ (Unigine Corp. ) C:\Users\Public.HOMEPC\Downloads\Unigine_Heaven-4.0.exe
2015-10-23 22:39 - 2015-10-23 22:39 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wacom
2015-10-23 22:39 - 2015-10-23 22:39 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Roaming\WTablet
2015-10-23 22:39 - 2015-10-23 22:39 - 00000000 ____D C:\Program Files\TabletPlugins
2015-10-23 22:39 - 2015-10-23 22:39 - 00000000 ____D C:\Program Files (x86)\TabletPlugins
2015-10-23 22:38 - 2015-10-23 22:38 - 00000000 ____D C:\Program Files\Tablet
2015-10-23 22:38 - 2014-08-19 11:12 - 02006808 _____ (Wacom Technology, Corp.) C:\Windows\system32\WacomMT.dll
2015-10-23 22:38 - 2014-08-19 11:12 - 01991448 _____ (Wacom Technology, Corp.) C:\Windows\system32\Pen_Tablet.dll
2015-10-23 22:38 - 2014-08-19 11:12 - 01984792 _____ (Wacom Technology, Corp.) C:\Windows\system32\Pen_Touch_Tablet.dll
2015-10-23 22:38 - 2014-08-19 11:12 - 01858328 _____ (Wacom Technology, Corp.) C:\Windows\system32\Wintab32.dll
2015-10-23 22:38 - 2014-08-19 11:12 - 01614104 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Pen_Tablet.dll
2015-10-23 22:38 - 2014-08-19 11:12 - 01610008 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\WacomMT.dll
2015-10-23 22:38 - 2014-08-19 11:12 - 01607448 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Pen_Touch_Tablet.dll
2015-10-23 22:38 - 2014-08-19 11:12 - 01493784 _____ (Wacom Technology, Corp.) C:\Windows\SysWOW64\Wintab32.dll
2015-10-23 22:38 - 2014-08-06 10:15 - 00102200 _____ (Wacom Technology) C:\Windows\system32\Drivers\wachidrouter.sys
2015-10-23 22:38 - 2014-08-06 10:15 - 00015160 _____ (Wacom Technology) C:\Windows\system32\Drivers\wacomrouterfilter.sys
2015-10-23 22:38 - 2014-08-06 10:15 - 00014136 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\hidkmdf.sys
2015-10-23 22:38 - 2012-04-11 14:34 - 01721576 _____ (Microsoft Corporation) C:\Windows\system32\wdfcoinstaller01009.dll
2015-10-23 22:38 - 2012-04-11 14:34 - 01721576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\wdfcoinstaller01009.dll
2015-10-23 21:33 - 2015-10-23 21:34 - 40103880 _____ C:\Users\Public.HOMEPC\Downloads\pentablet_5.3.5-3.exe
2015-10-20 15:33 - 2015-10-20 15:33 - 00001039 _____ C:\Users\Public.HOMEPC\Desktop\Crawl - Shortcut.lnk
2015-10-17 17:52 - 2015-10-17 17:52 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2015-10-16 23:21 - 2015-10-16 23:21 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Local\SKIDROW
2015-10-16 23:05 - 2015-10-16 23:05 - 00450048 _____ C:\Users\Public.HOMEPC\Downloads\Lespronomsobjetsindirects (1).ppt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-11 15:54 - 2015-08-26 14:37 - 00002203 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-11-11 15:54 - 2015-08-26 14:36 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-11 15:45 - 2015-08-23 03:54 - 01153750 _____ C:\Windows\WindowsUpdate.log
2015-11-11 15:40 - 2015-08-23 04:02 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1230929215-1416684758-364167695-1001
2015-11-11 15:39 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\system32\sru
2015-11-11 15:14 - 2015-09-26 14:41 - 00000000 ____D C:\Users\Public.HOMEPC\Documents\SimCity 4
2015-11-11 12:39 - 2015-09-19 10:03 - 00004954 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for HOMEPC-Public HOMEPC
2015-11-11 12:38 - 2015-08-26 14:36 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-11 12:38 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\system32\migwiz
2015-11-11 03:10 - 2015-09-13 18:59 - 00000000 ____D C:\Users\Public.HOMEPC\Documents\The Witcher 3
2015-11-10 22:59 - 2015-08-23 03:54 - 00000000 ____D C:\Program Files\KMSpico
2015-11-10 21:21 - 2015-09-12 17:28 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Roaming\BitTorrent
2015-11-10 20:14 - 2015-08-23 04:01 - 00865408 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-10 20:09 - 2015-08-26 14:40 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2015-11-10 20:09 - 2013-08-22 06:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-10 20:09 - 2013-08-22 05:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-11-08 16:16 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\AppReadiness
2015-11-07 21:40 - 2015-08-23 03:50 - 00147542 _____ C:\Windows\PFRO.log
2015-11-07 21:29 - 2015-09-01 06:12 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-11-07 21:22 - 2015-08-23 03:57 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Local\Packages
2015-11-07 21:14 - 2015-08-23 03:56 - 00000000 ____D C:\Users\Public.HOMEPC
2015-11-04 15:47 - 2015-08-26 15:06 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Local\Steam
2015-11-03 23:49 - 2015-08-22 20:29 - 00007618 _____ C:\Users\Public.HOMEPC\AppData\Local\resmon.resmoncfg
2015-11-02 16:39 - 2015-09-09 16:05 - 00000000 __RDO C:\Users\Public.HOMEPC\SkyDrive.old
2015-11-01 22:49 - 2015-09-01 06:13 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-10-30 11:57 - 2015-08-26 16:45 - 00156028 _____ C:\Windows\DirectX.log
2015-10-27 15:50 - 2015-08-26 14:39 - 00000000 ____D C:\ProgramData\Package Cache
2015-10-24 10:56 - 2015-09-26 14:41 - 00000000 ____D C:\GOG Games
2015-10-24 10:56 - 2015-08-26 20:12 - 00000000 ____D C:\Users\Public.HOMEPC\Documents\My Games
2015-10-24 10:06 - 2015-09-12 17:37 - 00000000 ____D C:\trnts
2015-10-23 23:42 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\LiveKernelReports
2015-10-18 20:34 - 2015-08-26 16:33 - 00000000 ____D C:\Users\Public.HOMEPC\AppData\Roaming\.minecraft
2015-10-18 20:07 - 2015-08-27 17:19 - 00000000 ____D C:\ftb
2015-10-18 16:02 - 2015-08-27 18:25 - 00281688 _____ C:\Windows\SysWOW64\PnkBstrB.xtr
2015-10-18 16:02 - 2015-08-27 18:19 - 00281688 _____ C:\Windows\SysWOW64\PnkBstrB.exe
2015-10-18 14:35 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\system32\NDF
2015-10-16 23:20 - 2015-09-05 22:31 - 00000000 ____D C:\Games
 
==================== Files in the root of some directories =======
 
2015-11-02 16:48 - 2015-11-02 16:48 - 0381952 _____ (Microsoft Corporation) C:\Users\Public.HOMEPC\AppData\Roaming\gnofchod.exe
2015-10-27 18:34 - 2015-10-27 18:34 - 0381440 _____ (Microsoft Corporation) C:\Users\Public.HOMEPC\AppData\Roaming\mbuzcvsh.exe
2015-10-26 15:33 - 2015-10-26 15:33 - 0005120 _____ () C:\Users\Public.HOMEPC\AppData\Roaming\tclgrefg.exe
2015-10-23 23:29 - 2015-10-24 15:36 - 1065984 _____ () C:\Users\Public.HOMEPC\AppData\Local\file__0.localstorage
2015-08-22 20:29 - 2015-11-03 23:49 - 0007618 _____ () C:\Users\Public.HOMEPC\AppData\Local\resmon.resmoncfg
2015-11-03 18:03 - 2015-11-03 18:03 - 0000000 _____ () C:\Users\Public.HOMEPC\AppData\Local\{A387F9A5-830A-4B68-B56F-A75874C5A111}
2015-11-02 16:49 - 2015-11-02 16:49 - 0004096 _____ () C:\ProgramData\2QV263H7A119.dll
2015-10-27 18:39 - 2015-10-27 18:39 - 0004096 _____ () C:\ProgramData\4M84xNh46B44.dll
2015-10-26 15:33 - 2015-10-26 15:33 - 0004096 _____ () C:\ProgramData\8hBEUWKAFCD4.dll
2015-11-02 16:56 - 2015-11-02 16:56 - 0004096 _____ () C:\ProgramData\aspnet_wp.dll
2015-10-27 18:34 - 2015-10-27 18:34 - 0004096 _____ () C:\ProgramData\B92WENqn6B44.dll
2015-08-26 16:00 - 2015-08-26 16:00 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-10-27 18:41 - 2015-10-27 18:41 - 0005120 _____ () C:\ProgramData\taskhost.exe
2015-11-02 16:57 - 2015-11-02 16:57 - 0004096 _____ () C:\ProgramData\winhlp32.exe
2015-11-02 16:54 - 2015-11-02 16:54 - 0004096 _____ () C:\ProgramData\WtbcREqBA119.dll
 
Files to move or delete:
====================
C:\ProgramData\2QV263H7A119.dll
C:\ProgramData\4M84xNh46B44.dll
C:\ProgramData\8hBEUWKAFCD4.dll
C:\ProgramData\aspnet_wp.dll
C:\ProgramData\B92WENqn6B44.dll
C:\ProgramData\taskhost.exe
C:\ProgramData\winhlp32.exe
C:\ProgramData\WtbcREqBA119.dll
 
 
Some files in TEMP:
====================
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-0000000002AD0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-0000000004580000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-00000000049D0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-000000000BAE0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-000000000DC10000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-070F0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-072C0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-08D00000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-08D30000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-0A260000.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-11-03 09:04
 
==================== End of FRST.txt ============================

Edited by Queen-Evie, 11 November 2015 - 09:21 PM.
moved from Windows 8 to Malware Removal Logs. FRST logs are allowed only in MRL forum
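What an analyst reads off the log above is the persistence, not the memory use: Run keys that start regsvr32.exe on DLLs in C:\PROGRA~3 (ProgramData) and AppData\Roaming\MiniWfent, 4-5 KB executables named after real Windows binaries (taskhost.exe, winhlp32.exe) but sitting in the root of C:\ProgramData with no version info, and random eight-letter executables (gnofchod.exe, mbuzcvsh.exe) dropped straight into AppData\Roaming. The Python below is an added example written for this page to mechanise that reading; it is not part of Farbar's FRST and not code from the thread. The line regexes match the 2015 FRST.txt format shown above, and the directory list, the 8 KB size threshold, the eight-letter name pattern and the two-indicator scoring rule are this example's own assumptions. The sample lines are copied from the posted log, with one clean entry per section as a control.

```python
"""FRST autostart triage: flag the persistence patterns visible in the log above.
Added example for this thread, not code from the post or from Farbar's FRST; the
line shapes, directory list, size threshold and scoring rule are my assumptions."""
import re

RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$")
SIZE_RE = re.compile(r"\[(?P<size>\d+) [\d-]+\] \((?P<signer>[^)]*)\)\s*$")
FILE_RE = re.compile(r"^[\d-]+ [\d:]+ - [\d-]+ [\d:]+ - (?P<size>\d+) (?P<attrs>\S+) "
                     r"(?:\((?P<signer>[^)]*)\) )?(?P<path>[A-Za-z]:\\.+)$")

DATA_ROOTS = ("c:\\programdata", "\\appdata\\roaming", "\\appdata\\local\\temp")
SYSTEM_NAMES = {"taskhost.exe", "winhlp32.exe", "aspnet_wp.dll", "svchost.exe",
                "csrss.exe", "lsass.exe", "explorer.exe"}
LOLBIN_LOADERS = {"regsvr32.exe", "regsvr32", "rundll32.exe", "rundll32"}
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")
TINY_BYTES = 8192   # a 4-5 KB PE is a loader stub, not an application (assumption)
SUSPICIOUS_AT = 2   # independent indicators needed before calling it malicious

def path_of(cmd):
    """File a Run command really executes: the quoted argument of a loader,
    otherwise the path in front of FRST's '[size date]' suffix."""
    quoted = re.search(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    return re.split(r"\s+\[", cmd, maxsplit=1)[0].strip()

def flags_for_path(path, size=None, signer=None):
    """Independent indicators for one file ([] = nothing odd).  signer is FRST's
    company string: '' when the PE has no version info, None when not reported."""
    low = path.lower().replace("c:\\progra~3", "c:\\programdata")  # 8.3 alias
    parent, _, base = low.rpartition("\\")
    at_root = parent.endswith(DATA_ROOTS)
    reasons = []
    if at_root:
        reasons.append("dropped in the root of a data directory")
    elif any(root in low for root in DATA_ROOTS):
        reasons.append("lives under a user-writable data directory")
    if base in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append("system binary name outside %SystemRoot%")
    if at_root and base not in SYSTEM_NAMES and RANDOM_NAME.match(base):
        reasons.append("random-looking 8-letter name")
    if size is not None and size < TINY_BYTES:
        reasons.append("tiny file (%d bytes)" % size)
    if signer == "":
        reasons.append("no company in version info")
    return reasons

def assess_run_entry(line):
    """Indicators for one FRST 'Run:' line; [] if not a Run line or nothing odd."""
    m = RUN_RE.match(line.strip())
    if not m:
        return []
    cmd = m.group("cmd")
    reasons = []
    tool = cmd.split()[0].lower()
    if tool in LOLBIN_LOADERS:
        reasons.append("autostart via %s (signed LOLBin loading the DLL)" % tool)
    meta = SIZE_RE.search(cmd)            # absent when the command is a loader
    size = int(meta.group("size")) if meta else None
    signer = meta.group("signer") if meta else None
    return reasons + flags_for_path(path_of(cmd), size, signer)

def assess_file_entry(line):
    """Indicators for one FRST file line (created/modified/root-of-directory sections)."""
    m = FILE_RE.match(line.strip())
    if not m or "D" in m.group("attrs"):  # directories are not files to judge
        return []
    return flags_for_path(m.group("path"), int(m.group("size")), m.group("signer"))

def triage(log_text):
    """Map every flagged line to its indicators and a verdict."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = assess_run_entry(line) or assess_file_entry(line)
        if reasons:
            findings[line] = {"reasons": reasons,
                              "suspicious": len(reasons) >= SUSPICIOUS_AT}
    return findings

# Constructed sample: lines copied from the FRST.txt above, one clean control per section.
SAMPLE = r"""
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Steam] => C:\Games\Steam\steam.exe [3011152 2015-11-09] (Valve Corporation)
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Kenoj] => regsvr32.exe "C:\Users\Public.HOMEPC\AppData\Roaming\MiniWfent\UisiNhiv.dll"
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [4M84xNh46B44] => regsvr32.exe /s "C:\PROGRA~3\4M84xNh46B44.dll"
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-27] ()
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Spotify Web Helper] => C:\Users\Public.HOMEPC\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2030912 2015-11-03] (Spotify Ltd)
2015-11-02 16:48 - 2015-11-02 16:48 - 0381952 _____ (Microsoft Corporation) C:\Users\Public.HOMEPC\AppData\Roaming\gnofchod.exe
2015-11-02 16:57 - 2015-11-02 16:57 - 00004096 _____ C:\ProgramData\winhlp32.exe
2015-10-23 22:38 - 2014-08-19 11:12 - 02006808 _____ (Wacom Technology, Corp.) C:\Windows\system32\WacomMT.dll
"""

if __name__ == "__main__":
    for line, v in triage(SAMPLE).items():
        print("SUSPICIOUS" if v["suspicious"] else "lead", line, v["reasons"])
```

Two things the sample is chosen to show. First, the "(Microsoft Corporation)" FRST prints next to gnofchod.exe is the company field of the PE version resource, which anything can claim; FRST's actual signature check is the "[File not signed]" tag seen on the services entries, so the name and location of gnofchod.exe still score it as suspicious. Second, SpotifyWebHelper.exe collects exactly one indicator (it really does live under AppData\Roaming) and is reported as a lead, not a verdict; a single heuristic is a reason to look, not a reason to delete. The entries the script marks suspicious are the same Run keys and C:\ProgramData files that the Malware Response Team's fixlist in the next reply removes.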




#2 nasdaq

  • Malware Response Team
  • 39,215 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 November 2015 - 10:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Kenoj] => regsvr32.exe "C:\Users\Public.HOMEPC\AppData\Roaming\MiniWfent\UisiNhiv.dll"
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [4M84xNh46B44] => regsvr32.exe /s "C:\PROGRA~3\4M84xNh46B44.dll"
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-27] ()
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [WtbcREqBA119] => regsvr32.exe /s "C:\PROGRA~3\WtbcREqBA119.dll"
HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [winhlp32] => C:\ProgramData\winhlp32.exe [4096 2015-11-02] ()
S4 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [997568 2014-06-29] (@ByELDI) [File not signed]
S3 WinDivert1.1; C:\Program Files\KMSpico\WinDivert.sys [35376 2015-08-23] (Basil Projects)
C:\Program Files\KMSpico
C:\ProgramData\2QV263H7A119.dll
C:\ProgramData\4M84xNh46B44.dll
C:\ProgramData\8hBEUWKAFCD4.dll
C:\ProgramData\aspnet_wp.dll
C:\ProgramData\B92WENqn6B44.dll
C:\ProgramData\taskhost.exe
C:\ProgramData\winhlp32.exe
C:\ProgramData\WtbcREqBA119.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-0000000002AD0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-0000000004580000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-00000000049D0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-000000000BAE0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-000000000DC10000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-070F0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-072C0000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-08D00000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-08D30000.dll
C:\Users\Public.HOMEPC\AppData\Local\Temp\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-0A260000.dll

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

I need to see the Addition.txt file created by the Farbar tool.
Please attach the file for my review.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===

Let me know what problem persists.

#3 arcanefax

  • Topic Starter
  • Members
  • 2 posts

Posted 18 November 2015 - 12:08 AM

Hi nasdaq, sorry for taking a long time to reply to you.

 

I happened to use the Farbar tool, but accidentally did it twice, replacing the older Fixlog.txt. I hope the newer one is enough information for you.

I also attached addition.txt as well.

 

After running malwarebytes, it detected 6 threats. I deleted them all and restarted. It looks like it fixed the problem; my computer is running without the jerks it used to have. I'll attach the log to the post as well.

 

Thanks sir

 

Edit: appears that the post won't take the malwarebytes logs, since they are xml files.


Edited by arcanefax, 18 November 2015 - 12:10 AM.


#4 nasdaq

  • Malware Response Team
  • 39,215 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 November 2015 - 09:19 AM

Glad to see that all is well.

I suggest you clean these PUPs (Potentially Unwanted Programs) installed without your consent.

Remove these processes in bold via the Control Panel > Programs and Features applet.
KMSpico v9.3.1 (HKLM\...\KMSpico_is1) (Version: 9.3.1 - )
Reimage Repair (HKLM\...\Reimage Repair) (Version: 1.8.2.6 - Reimage) <==== ATTENTION

This is an old version of Java that should also be installed.
Java 8 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418045F0}) (Version: 8.0.450 - Oracle Corporation)

===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


CustomCLSID: HKU\S-1-5-21-1230929215-1416684758-364167695-1001_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll () <==== ATTENTION
Task: {3050E2F1-1A35-4E58-A6EB-37E948B2B46F} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2015-08-19] (Reimage®) <==== ATTENTION
Task: {6F567FE6-AF6E-4E1C-9EA5-EE928904CF88} - System32\Tasks\Reimage Reminder => C:\Program Files\Reimage\Reimage Repair\ReimageReminder.exe [2015-11-10] (Reimage ltd.) <==== ATTENTION
Task: {8A73B7C5-3D3B-4EC8-84AD-62894F89CE52} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2014-06-29] (@ByELDI)
DNS Servers: Media is not connected to internet.
FirewallRules: [{B216B6B4-D287-47CB-9D16-4B085E8CEEC5}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{9A8A26E2-50B7-44C7-89E0-E5FC95A950E6}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{A04383E1-F056-460D-9147-726FAE54CB31}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{45984268-FD0F-463D-B24E-8DFA7B5F1B55}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{D6983F86-2A4E-4448-9CD3-ED1FF6D9E5DE}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{95191E22-469A-433F-AA35-7FF211A0BDD2}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
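The two fixlists in posts #2 and #4 encode the judgement calls a malware-removal helper makes while reading an FRST log: autostart entries whose target lives in ProgramData, AppData or Temp, regsvr32 used to load a DLL at logon, binaries named like Windows components but stored outside C:\Windows, services FRST reports as "[File not signed]", entries FRST itself marks with "<==== ATTENTION", and firewall rules that open the network for such binaries. The following Python script is an added example, not code from this thread, from FRST or from BleepingComputer. The heuristics are the editor's own rules of thumb, not FRST's logic; the sample log lines are constructed from the entries quoted above, plus one constructed benign entry to show what is not flagged.

```python
"""FRST log line triage: an added example, not code from this thread, from
FRST or from BleepingComputer.  It applies the rules of thumb a malware
removal helper uses when deciding which FRST entries go into fixlist.txt.
The heuristics are the editor's own; the sample lines are constructed from
entries quoted in the thread plus one constructed benign entry."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Locations an ordinary user account (and therefore malware running as that
# user) can write to.  Legitimate autostart targets rarely live here.
USER_WRITABLE = (
    "c:\\programdata\\",
    "c:\\progra~3\\",            # 8.3 short name of C:\ProgramData
    "\\appdata\\local\\",        # also covers \AppData\Local\Temp\
    "\\appdata\\roaming\\",
)

# Names of real Windows binaries that only belong under C:\Windows.
WINDOWS_NAMES = {"svchost.exe", "taskhost.exe", "winhlp32.exe",
                 "explorer.exe", "lsass.exe", "csrss.exe"}

ATTENTION = "<==== ATTENTION"   # marker FRST itself puts on suspect entries

# A drive-letter path ends at a quote, at FRST's "[size date]" / "(publisher)"
# suffix, or at the ATTENTION marker.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\(<]*')


@dataclass
class Finding:
    line: str
    reasons: List[str]


def extract_path(line: str) -> Optional[str]:
    """Return the first Windows path in an FRST line, or None."""
    m = PATH_RE.search(line)
    return m.group(0).rstrip() if m else None


def classify(line: str) -> List[str]:
    """Reasons why a single FRST line deserves a closer look (empty if none)."""
    reasons = []
    low = line.lower()
    path = extract_path(line)
    if ATTENTION in line:
        reasons.append("marked by FRST with <==== ATTENTION")
    if "[file not signed]" in low:
        reasons.append("binary is not digitally signed")
    if re.search(r"\(\)(?:\s|$)", line):        # "()" = no publisher/version info
        reasons.append("file carries no publisher or version information")
    if path:
        p = path.lower()
        if any(d in p for d in USER_WRITABLE):
            reasons.append("target lives in a user-writable directory")
        name = p.rsplit("\\", 1)[-1]
        if name in WINDOWS_NAMES and not p.startswith("c:\\windows\\"):
            reasons.append(f"'{name}' masquerades as a Windows binary outside C:\\Windows")
    if "regsvr32.exe" in low and "\\run:" in low:
        reasons.append("regsvr32 used as a logon-time DLL loader")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """Flag suspect entries, then firewall rules that open the network for them."""
    findings, flagged_paths = [], set()
    for line in (l.strip() for l in lines):
        if not line or line.startswith("FirewallRules:"):
            continue
        reasons = classify(line)
        if reasons:
            findings.append(Finding(line, reasons))
            path = extract_path(line)
            if path:
                flagged_paths.add(path.lower())
    for line in (l.strip() for l in lines):
        if line.startswith("FirewallRules:") and "(Allow)" in line:
            path = extract_path(line)
            if path and path.lower() in flagged_paths:
                findings.append(Finding(line, ["firewall allow rule for an already-flagged binary"]))
    return findings


# Constructed sample: entries quoted in the thread, plus one benign entry (index 0)
# that is invented for contrast and is not from the thread.
SAMPLE_LOG = [
    r'HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe [2015-01-01] (Example Corp)',
    r'HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Kenoj] => regsvr32.exe "C:\Users\Public.HOMEPC\AppData\Roaming\MiniWfent\UisiNhiv.dll"',
    r'HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [4M84xNh46B44] => regsvr32.exe /s "C:\PROGRA~3\4M84xNh46B44.dll"',
    r'HKU\S-1-5-21-1230929215-1416684758-364167695-1001\...\Run: [Chrome] => C:\ProgramData\taskhost.exe [5120 2015-10-27] ()',
    r'S4 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [997568 2014-06-29] (@ByELDI) [File not signed]',
    r'S3 WinDivert1.1; C:\Program Files\KMSpico\WinDivert.sys [35376 2015-08-23] (Basil Projects)',
    r'CustomCLSID: HKU\S-1-5-21-1230929215-1416684758-364167695-1001_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\recovery.dll () <==== ATTENTION',
    r'Task: {3050E2F1-1A35-4E58-A6EB-37E948B2B46F} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2015-08-19] (Reimage®) <==== ATTENTION',
    r'FirewallRules: [{B216B6B4-D287-47CB-9D16-4B085E8CEEC5}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe',
    r'FirewallRules: [{A04383E1-F056-460D-9147-726FAE54CB31}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line[:90])
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed sample, the script flags seven entries: the three Run keys, the unsigned KMSELDI service, the CustomCLSID and ReimageUpdater entries FRST marked itself, and the firewall rule that allows the already-flagged Service_KMS.exe. It does not flag the WinDivert driver, which the helper removed anyway as part of the KMSpico package; heuristics like these are a first pass that orders the review, and the decision about what goes into fixlist.txt still rests with a person reading the whole log.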

#5 nasdaq

  • Malware Response Team
  • 39,215 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 November 2015 - 09:16 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



