
scvhost.exe consuming cpu


22 replies to this topic

#1 guder42


Posted 27 February 2016 - 12:57 PM

Hello, I've seen this in a few entries, please help...

 

svchost.exe (netsvcs) consumes the available RAM. Sometimes I can close it in the resource monitor and it will remain active at a much lower RAM consumption without locking up the computer, sometimes I can only close it once then it comes back and trying to close it results in an access denied message.

 

The computer is an Inspiron 530 with 4GB RAM. I'm not sure what other information to include, I stopped having any real computer savvy around the time Pentiums came out.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-02-2016
Ran by guder (administrator) on GUDER-PC (27-02-2016 11:36:52)
Running from C:\Users\guder\Desktop\Fix File
Loaded Profiles: guder (Available Profiles: guder & Normal Mode)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(HP) C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler.exe
(HP) C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Program Files (x86)\Polar\Daemon\polard.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Popcorn Time) C:\Program Files (x86)\Popcorn Time\Updater.exe
() C:\Program Files (x86)\Roxio 2011\5.0\CPMonitor.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_20_0_0_306.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2531472 2014-12-12] (NVIDIA Corporation)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [CPMonitor] => C:\Program Files (x86)\Roxio 2011\5.0\CPMonitor.exe [84464 2010-07-13] ()
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7021880 2015-12-20] (AVAST Software)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [594992 2016-01-29] (Oracle Corporation)
HKU\S-1-5-21-63747084-386810426-4154813512-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1403304 2016-01-28] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-21-63747084-386810426-4154813512-1000\...\Run: [Polar FlowSync] => [X]
HKU\S-1-5-21-63747084-386810426-4154813512-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-63747084-386810426-4154813512-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1403304 2016-01-28] (Garmin Ltd. or its subsidiaries)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-12-20] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Content Manager Assistant for PlayStation®.lnk [2015-12-27]
ShortcutTarget: Content Manager Assistant for PlayStation®.lnk -> C:\Program Files (x86)\Sony\Content Manager Assistant\CMA.exe (Sony Computer Entertainment Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Polar WebSync.lnk [2013-03-31]
ShortcutTarget: Polar WebSync.lnk -> C:\Program Files (x86)\Polar\WebSync\WebSync.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{5AFC3C2B-2BD2-4C68-8F1F-A2A4C1C211C6}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{A5F12504-9CFF-4A0F-AD47-EBFAB85E7B96}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-63747084-386810426-4154813512-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-63747084-386810426-4154813512-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-12-20] (AVAST Software)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-02-27] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-12-20] (AVAST Software)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-02-27] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\guder\AppData\Roaming\Mozilla\Firefox\Profiles\9q6hit0o.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_306.dll [2016-02-24] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_306.dll [2016-02-24] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-20] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-02-27] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-02-27] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @nullsoft.com/winampDetector;version=1 -> C:\Program Files (x86)\Winamp Detect\npwachk.dll [2013-07-23] (Nullsoft, Inc.)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-12-12] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-12-12] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-24] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-24] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-09-12] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2014-09-12] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2013-12-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2013-12-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2013-12-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2013-12-28] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2013-12-28] (Apple Inc.)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-21]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2015-12-20]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-12-20]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [457200 2009-06-02] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [226440 2015-12-20] (AVAST Software)
R2 BOT4Service; C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe [32240 2010-07-14] ()
S2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [803856 2016-01-28] (Garmin Ltd. or its subsidiaries)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2014-12-12] (NVIDIA Corporation)
R2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [136192 2009-10-15] (HP) [File not signed]
R2 HPM1210RcvFaxSrvc; C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe [362296 2010-05-11] (HP)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1701520 2014-12-12] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19823248 2014-12-12] (NVIDIA Corporation)
R2 Polar Daemon; C:\Program Files (x86)\Polar\Daemon\polard.exe [419536 2012-12-12] ()
S3 RoxMediaDB13; C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [1099248 2010-07-16] (Sonic Solutions)
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-12-20] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [28144 2015-12-20] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [97648 2015-12-20] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-12-20] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-12-20] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1065208 2016-01-22] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [464256 2016-01-22] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [155304 2015-12-20] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [273784 2015-12-20] (AVAST Software)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 HP1210FAX; C:\Windows\System32\Drivers\HPM1210FAX.sys [16384 2011-04-15] ()
R3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2011-04-15] (Marvell Semiconductor, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2014-12-12] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-27 11:36 - 2016-02-27 11:36 - 00000000 ____D C:\FRST
2016-02-27 11:35 - 2016-02-27 11:36 - 00000000 ____D C:\Users\guder\Desktop\Fix File
2016-02-27 11:11 - 2016-02-27 11:11 - 00000000 ____D C:\Users\guder\AppData\Roaming\Sun
2016-02-27 11:11 - 2016-02-27 11:11 - 00000000 ____D C:\Users\guder\.oracle_jre_usage
2016-02-27 11:08 - 2016-02-27 11:08 - 00000000 ____D C:\Users\guder\AppData\LocalLow\Oracle
2016-02-27 11:02 - 2016-02-27 11:02 - 00000000 ____D C:\Users\guder\Documents\PS Vita
2016-02-27 11:02 - 2016-02-27 11:02 - 00000000 ____D C:\Users\guder\AppData\Roaming\Sony Corporation
2016-02-27 09:34 - 2016-02-27 10:52 - 00000000 ____D C:\ComboFix
2016-02-27 09:34 - 2011-06-26 00:45 - 00256000 _____ C:\Windows\PEV.exe
2016-02-27 09:34 - 2010-11-07 11:20 - 00208896 _____ C:\Windows\MBR.exe
2016-02-27 09:34 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-02-27 09:34 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-02-27 09:34 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-02-27 09:34 - 2000-08-30 18:00 - 00098816 _____ C:\Windows\sed.exe
2016-02-27 09:34 - 2000-08-30 18:00 - 00080412 _____ C:\Windows\grep.exe
2016-02-27 09:34 - 2000-08-30 18:00 - 00068096 _____ C:\Windows\zip.exe
2016-02-27 09:33 - 2016-02-27 09:34 - 00000000 ____D C:\Qoobox
2016-02-27 09:30 - 2016-02-27 10:32 - 00000000 ____D C:\Windows\erdnt
2016-02-27 09:27 - 2016-02-27 09:27 - 05658013 ____R (Swearware) C:\Users\Normal Mode\Downloads\ComboFix.exe
2016-02-27 08:43 - 2016-02-27 08:43 - 00000000 ____D C:\Users\Normal Mode\Desktop\Old Firefox Data
2016-02-24 11:51 - 2016-02-24 11:51 - 00001890 _____ C:\Users\Public\Desktop\Garmin Express.lnk
2016-02-24 11:51 - 2016-02-24 11:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garmin
2016-02-24 11:42 - 2016-02-24 11:42 - 19022528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2016-02-17 05:30 - 2016-02-24 11:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-02-07 10:38 - 2016-02-07 10:52 - 349992093 _____ C:\Users\Normal Mode\Downloads\Engage_360_CVT_Tire_CSI_Mod_Videos_1433945832411.zip
2016-01-31 19:17 - 2016-01-31 19:17 - 46884536 _____ (Charter) C:\Users\Normal Mode\Downloads\Charter_TV_setup(1).exe
2016-01-31 19:17 - 2016-01-31 19:17 - 00000000 ____D C:\Users\Normal Mode\AppData\LocalLow\CHARTER
2016-01-31 19:17 - 2016-01-31 19:17 - 00000000 ____D C:\Users\Normal Mode\AppData\Local\Charter
2016-01-31 19:16 - 2016-01-31 19:16 - 46884536 _____ (Charter) C:\Users\Normal Mode\Downloads\Charter_TV_setup.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-27 11:27 - 2014-01-19 09:30 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-27 11:27 - 2014-01-19 09:30 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-27 11:12 - 2013-07-19 10:46 - 00000000 ____D C:\Program Files (x86)\Java
2016-02-27 11:12 - 2009-07-13 22:45 - 00019792 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-27 11:12 - 2009-07-13 22:45 - 00019792 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-27 11:11 - 2014-01-21 01:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-02-27 11:11 - 2012-07-06 16:43 - 00000000 ____D C:\Users\guder
2016-02-27 11:10 - 2014-01-21 01:53 - 00278624 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2016-02-27 11:10 - 2014-01-21 01:52 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-02-27 11:09 - 2014-01-21 01:53 - 00000000 ____D C:\ProgramData\Oracle
2016-02-27 11:00 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-27 10:59 - 2013-03-22 17:25 - 00000000 ____D C:\ProgramData\NVIDIA
2016-02-27 10:45 - 2009-07-13 23:08 - 00032576 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-02-27 10:42 - 2012-07-15 18:23 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-02-27 10:25 - 2009-07-13 20:34 - 00000215 _____ C:\Windows\system.ini
2016-02-27 10:02 - 2015-05-02 09:55 - 00000000 ____D C:\Users\Normal Mode\AppData\Roaming\Spotify
2016-02-27 10:00 - 2015-05-02 09:56 - 00000000 ____D C:\Users\Normal Mode\AppData\Local\Spotify
2016-02-27 09:06 - 2015-09-06 08:35 - 00007596 _____ C:\Users\guder\AppData\Local\Resmon.ResmonCfg
2016-02-27 08:52 - 2012-07-13 04:59 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-02-24 16:17 - 2014-02-02 07:19 - 00000000 ____D C:\Users\Normal Mode\Desktop\gifs
2016-02-24 11:55 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\inf
2016-02-24 11:54 - 2014-08-08 16:18 - 00000000 ____D C:\ProgramData\Package Cache
2016-02-24 11:52 - 2014-08-08 16:19 - 00000000 ____D C:\Program Files (x86)\Garmin
2016-02-24 11:51 - 2014-08-08 16:19 - 00003554 _____ C:\Windows\System32\Tasks\GarminUpdaterTask
2016-02-24 11:43 - 2012-07-15 18:23 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-02-24 11:43 - 2012-07-15 18:23 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-02-24 11:43 - 2012-07-15 18:23 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-02-24 11:22 - 2014-01-19 09:30 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-02-24 11:22 - 2014-01-19 09:30 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-02-24 11:15 - 2012-07-13 04:52 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-02-24 08:24 - 2012-09-30 23:22 - 00000000 ____D C:\Users\Normal Mode\AppData\Roaming\vlc
2016-02-17 20:32 - 2015-03-21 12:23 - 00000000 ____D C:\Users\Normal Mode\Downloads\PopcornTime
2016-02-15 22:16 - 2009-07-13 23:13 - 00006206 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-01 05:34 - 2014-09-05 23:21 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-01-31 23:24 - 2016-01-24 20:19 - 00000000 ____D C:\Users\Normal Mode\Desktop\Service Quality
2016-01-31 12:09 - 2015-12-20 16:27 - 00009337 _____ C:\Users\Normal Mode\Desktop\Star Trek collection references.xlsx

==================== Files in the root of some directories =======

2013-01-19 01:44 - 2013-01-19 01:44 - 2174976 _____ (Advanced Micro Devices Inc.) C:\Program Files (x86)\Common Files\atimpenc.dll
2015-09-06 08:35 - 2016-02-27 09:06 - 0007596 _____ () C:\Users\guder\AppData\Local\Resmon.ResmonCfg
2015-12-01 07:07 - 2010-03-30 10:12 - 0024772 _____ () C:\ProgramData\P1210DEF.css
2015-12-01 07:07 - 2015-12-01 07:07 - 0014621 _____ () C:\ProgramData\P1210OS.HTM
2015-12-01 07:07 - 2010-03-30 10:12 - 0002944 _____ () C:\ProgramData\P1210SIG.GIF

Some files in TEMP:
====================
C:\Users\guder\AppData\Local\temp\jre-8u73-windows-au.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-01-09 00:39

==================== End of FRST.txt ============================

#2 olgun52


Posted 27 February 2016 - 04:04 PM

Hello guder42 and Welcome to the BleepingComputer. :welcome:  
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here
Thanks
   
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Are you with us?
Sincerely
:hello:

Edited by olgun52, 27 February 2016 - 04:04 PM.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52


Posted 27 February 2016 - 05:11 PM

Hi guder42,

 

Step 1:
 FRST Script:
 Please download the attached Fixlist.txt (1.83KB) and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:

ComboFix run:

Please be sure to run our tools with administrator rights.

* IMPORTANT 1: Place ComboFix.exe on your Desktop

* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 

Have a nice day.

 

 


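A small triage helper, added here as an example and not code from FRST or from anyone in this thread, that walks FRST log lines and flags the same markers the responder's fixlist targets: entries whose file is missing (`[X]`), policy restrictions (`<======= ATTENTION`), services or drivers reported as `[File not signed]` or with an empty publisher `()`, and alternate data streams. The sample lines are copied from the FRST.txt in the first post and the Fixlog posted later in the thread; the category names are this example's own.

```python
"""Flag FRST log lines that warrant a closer look during triage.

Added example: the regular expression and category names are assumptions
made for this snippet, not FRST's own definitions. It keys on markers that
FRST itself prints in its log.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: lines copied from the FRST.txt and Fixlog in this thread.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-63747084-386810426-4154813512-1000\...\Run: [Polar FlowSync] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [226440 2015-12-20] (AVAST Software)
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
R2 Polar Daemon; C:\Program Files (x86)\Polar\Daemon\polard.exe [419536 2012-12-12] ()
C:\Windows\system32\svchost.exe => File is digitally signed
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
"""

# Service/driver lines look like:
#   R2 Name; C:\path\file.exe [size YYYY-MM-DD] (Publisher) [File not signed]
# The start-type letter (R/S/U) and the trailing "[File not signed]" are
# what FRST prints; the group names are ours.
SERVICE_RE = re.compile(
    r"^(?P<start>[RSU])(?P<type>\d) (?P<name>.+?); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>.*?)\)"
    r"(?P<unsigned> \[File not signed\])?$"
)


@dataclass(frozen=True)
class Finding:
    category: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a line that deserves review, else None."""
    line = line.rstrip()
    if line.endswith("[X]"):
        # FRST marks an entry whose target file no longer exists with [X].
        return Finding("missing-file", line)
    if line.endswith("<======= ATTENTION"):
        # A Policies key restricting Internet Explorer or Explorer.
        return Finding("policy-restriction", line)
    if line.startswith("AlternateDataStreams:"):
        return Finding("alternate-data-stream", line)
    m = SERVICE_RE.match(line)
    if m:
        if m.group("unsigned"):
            return Finding("unsigned-binary", line)
        if m.group("publisher") == "":
            # FRST prints () when the binary carries no publisher name.
            return Finding("no-publisher", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of an FRST log, preserving order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        finding = classify(raw)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. {'missing-file': 3, ...}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.category:22s} {f.line}")
    print(summarize(results))
```

The signed svchost.exe line in the sample is deliberately left unflagged: a properly signed system binary is the normal case, and the thread's actual RAM problem is a netsvcs host process rather than the file itself.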

 


 


#4 guder42


Posted 27 February 2016 - 07:44 PM

Hello, thank you very much for your help.

 

I see from the log that Windows Defender is enabled, I will disable that from now.

 

Here is the fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:27-02-2016
Ran by guder (2016-02-27 17:51:59) Run:1
Running from C:\Users\guder\Desktop\Fix File
Loaded Profiles: guder (Available Profiles: guder & Normal Mode)
Boot Mode: Normal
==============================================

fixlist content:
*****************

start
HKU\S-1-5-21-63747084-386810426-4154813512-1000\...\Run: [Polar FlowSync] => [X]
HKU\S-1-5-21-63747084-386810426-4154813512-1000\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-63747084-386810426-4154813512-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-63747084-386810426-4154813512-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-63747084-386810426-4154813512-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF ProfilePath: C:\Users\guder\AppData\Roaming\Mozilla\Firefox\Profiles\9q6hit0o.default
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys
C:\Users\Normal Mode\Downloads\Charter_TV_setup(1).exe
C:\Users\Normal Mode\AppData\Roaming\vlc
C:\ProgramData\boost_interprocess
2015-09-06 08:35 - 2016-02-27 09:06 - 0007596 _____ () C:\Users\guder\AppData\Local\Resmon.ResmonCfg
2015-12-01 07:07 - 2010-03-30 10:12 - 0024772 _____ () C:\ProgramData\P1210DEF.css
2015-12-01 07:07 - 2015-12-01 07:07 - 0014621 _____ () C:\ProgramData\P1210OS.HTM
2015-12-01 07:07 - 2010-03-30 10:12 - 0002944 _____ () C:\ProgramData\P1210SIG.GIF
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Emptytemp:
end

*****************

HKU\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Polar FlowSync => value removed successfully
HKU\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoInternetOpenWith => value removed successfully
HKU\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoChangeStartMenu => value removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-63747084-386810426-4154813512-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-63747084-386810426-4154813512-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
FF ProfilePath: C:\Users\guder\AppData\Roaming\Mozilla\Firefox\Profiles\9q6hit0o.default => FRST is scripted not to move this directory.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
tsusbhub => service removed successfully
VGPU => service removed successfully
Synth3dVsc => service removed successfully
C:\Users\Normal Mode\Downloads\Charter_TV_setup(1).exe => moved successfully
C:\Users\Normal Mode\AppData\Roaming\vlc => moved successfully
C:\ProgramData\boost_interprocess => moved successfully
C:\Users\guder\AppData\Local\Resmon.ResmonCfg => moved successfully
C:\ProgramData\P1210DEF.css => moved successfully
C:\ProgramData\P1210OS.HTM => moved successfully
C:\ProgramData\P1210SIG.GIF => moved successfully
C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`26hfm" ADS removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart" => key removed successfully

========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========

The operation completed successfully.



========= End of Reg: =========

EmptyTemp: => 360.2 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 17:52:41 ====

 

 

Here is the ComboFix result:

 

ComboFix 16-02-23.01 - guder 02/27/2016  18:06:35.2.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.4094.2471 [GMT -6:00]
Running from: c:\users\guder\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2016-01-28 to 2016-02-28  )))))))))))))))))))))))))))))))
.
.
2016-02-28 00:35 . 2016-02-28 00:35    --------    d-----w-    c:\users\Normal Mode\AppData\Local\temp
2016-02-28 00:35 . 2016-02-28 00:35    --------    d-----w-    c:\users\Default\AppData\Local\temp
2016-02-27 23:42 . 2016-02-27 23:42    --------    d-----w-    c:\windows\SysWow64\config\systemprofile\.oracle_jre_usage
2016-02-27 17:36 . 2016-02-27 23:56    --------    d-----w-    C:\FRST
2016-02-27 17:11 . 2016-02-27 17:11    --------    d-----w-    c:\program files (x86)\Common Files\Java
2016-02-27 17:11 . 2016-02-27 17:11    --------    d-----w-    c:\users\guder\.oracle_jre_usage
2016-02-27 17:02 . 2016-02-27 17:02    --------    d-----w-    c:\users\guder\AppData\Roaming\Sony Corporation
2016-02-27 15:56 . 2016-02-28 00:35    --------    d-----w-    c:\users\guder\AppData\Local\temp
2016-02-24 17:42 . 2016-02-24 17:42    19022528    ----a-w-    c:\windows\SysWow64\FlashPlayerInstaller.exe
2016-02-01 01:17 . 2016-02-01 01:17    93392    ----a-r-    c:\users\Normal Mode\AppData\Roaming\Microsoft\Installer\{4f13c5c9-280c-4d18-9f42-e5c1ea46dead}\ARPPRODUCTICON.exe
2016-02-01 01:17 . 2016-02-01 01:17    --------    d-----w-    c:\users\Normal Mode\AppData\Local\Charter
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-02-27 17:10 . 2014-01-21 07:52    97888    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2016-02-24 17:43 . 2012-07-16 00:23    796864    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2016-02-24 17:43 . 2012-07-16 00:23    142528    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2016-01-26 09:18 . 2016-01-26 09:18    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.464.dll
2016-01-25 11:58 . 2016-01-25 11:58    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.6260.dll
2016-01-22 19:18 . 2012-07-13 10:59    464256    ----a-w-    c:\windows\system32\drivers\aswsp.sys
2016-01-22 19:18 . 2012-07-13 10:59    1065208    ----a-w-    c:\windows\system32\drivers\aswsnx.sys
2016-01-17 11:31 . 2016-01-17 11:31    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.4676.dll
2016-01-15 08:45 . 2016-01-15 08:45    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.2444.dll
2015-12-23 09:28 . 2015-12-23 09:28    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.4212.dll
2015-12-21 22:40 . 2015-12-21 22:40    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.2804.dll
2015-12-20 23:15 . 2012-07-13 10:59    97648    ----a-w-    c:\windows\system32\drivers\aswmonflt.sys
2015-12-20 23:14 . 2015-12-20 23:14    386096    ----a-w-    c:\windows\system32\aswBoot.exe
2015-12-20 23:14 . 2014-07-31 23:56    155304    ----a-w-    c:\windows\system32\drivers\aswStm.sys
2015-12-20 23:14 . 2014-07-31 23:56    28656    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2015-12-20 23:14 . 2013-10-31 00:38    273784    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2015-12-20 23:14 . 2013-10-31 00:38    65224    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2015-12-20 23:14 . 2012-07-13 10:59    93528    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2015-12-20 23:14 . 2015-12-20 23:14    43112    ----a-w-    c:\windows\avastSS.scr
2015-12-20 23:14 . 2015-05-21 00:34    28144    ----a-w-    c:\windows\system32\drivers\aswKbd.sys
2013-01-19 07:44 . 2013-01-19 07:44    2174976    ----a-w-    c:\program files (x86)\Common Files\atimpenc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2016-01-28 1403304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"CPMonitor"="c:\program files (x86)\Roxio 2011\5.0\CPMonitor.exe" [2010-07-14 84464]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-12-20 7021880]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2016-01-30 594992]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2016-01-28 1403304]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Content Manager Assistant for PlayStation®.lnk - c:\program files (x86)\Sony\Content Manager Assistant\CMA.exe [2015-9-1 3784312]
Polar WebSync.lnk - c:\program files (x86)\Polar\WebSync\WebSync.exe -normal [2013-2-26 6227512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Garmin Device Interaction Service;Garmin Device Interaction Service;c:\program files (x86)\Garmin\Device Interaction Service\GarminService.exe;c:\program files (x86)\Garmin\Device Interaction Service\GarminService.exe [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [x]
R3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys;c:\windows\SYSNATIVE\DRIVERS\lvbflt64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RoxMediaDB13;RoxMediaDB13;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 Sahdad64;HDD Filter Driver;c:\windows\System32\Drivers\Sahdad64.sys;c:\windows\SYSNATIVE\Drivers\Sahdad64.sys [x]
S0 Saibad64;Volume Filter Driver;c:\windows\System32\Drivers\Saibad64.sys;c:\windows\SYSNATIVE\Drivers\Saibad64.sys [x]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys;c:\windows\SYSNATIVE\drivers\aswKbd.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 SaibVdAd64;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVdAd64.sys;c:\windows\SYSNATIVE\Drivers\SaibVdAd64.sys [x]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe;c:\program files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 BOT4Service;BOT4Service;c:\program files (x86)\Roxio\BackOnTrack\App\BService.exe;c:\program files (x86)\Roxio\BackOnTrack\App\BService.exe [x]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 GfExperienceService;NVIDIA GeForce Experience Service;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [x]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]
S2 HPM1210RcvFaxSrvc;HP LaserJet Professional M1210 MFP Series Receive Fax Service;c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe;c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe [x]
S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe;c:\windows\SYSNATIVE\HPSIsvc.exe [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Polar Daemon;Polar Daemon;c:\program files (x86)\Polar\Daemon\polard.exe;c:\program files (x86)\Polar\Daemon\polard.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S2 Update service;Update service;c:\program files (x86)\Popcorn Time\Updater.exe;c:\program files (x86)\Popcorn Time\Updater.exe [x]
S3 HP1210FAX;HP1210MFP FAX;c:\windows\system32\Drivers\HPM1210FAX.sys;c:\windows\SYSNATIVE\Drivers\HPM1210FAX.sys [x]
S3 mvusbews;USB EWS Device;c:\windows\system32\Drivers\mvusbews.sys;c:\windows\SYSNATIVE\Drivers\mvusbews.sys [x]
S3 NvStreamKms;NvStreamKms;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2016-02-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-16 17:43]
.
2016-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-19 07:59]
.
2016-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-19 07:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-12-20 23:14    873304    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2014-12-13 2824504]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2014-12-13 2531472]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
FF - ProfilePath - c:\users\guder\AppData\Roaming\Mozilla\Firefox\Profiles\7jhazq25.default-1456596040438\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**ˆ]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**ˆ\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.**ˆ]
"0"=hex:43,3a,5c,55,73,65,72,73,5c,67,75,64,65,72,5c,44,6f,77,6e,6c,6f,61,64,
   73,5c,55,72,62,61,6e,69,7a,65,64,2e,32,30,31,31,2e,37,32,30,70,2e,42,6c,75,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-02-27  18:39:30
ComboFix-quarantined-files.txt  2016-02-28 00:39
.
Pre-Run: 10,732,257,280 bytes free
Post-Run: 10,405,085,184 bytes free
.
- - End Of File - - 7436CECFFFDE35B071AF3430A0F3CBB3
A36C5E4F47E84449FF07ED3517B43A31
 



#5 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:25 PM

Posted 27 February 2016 - 08:00 PM

Good job.

 

:Run CFScript:
Please start by opening Notepad and copy and paste the text in the box below into the window:

RegLock::
[HKEY_USERS\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**ˆ]
[HKEY_USERS\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**ˆ\OpenWithList]
[HKEY_USERS\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.**ˆ]
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

[Image: CFScriptB-4.gif]

 

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

============================================================================================

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

======================================================================

Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'.
  • Paste the contents of the clipboard into your reply.

"information and logs"

In your next post I need the following

  • Report from Combofix
  • Adwcleaner Log
  • Mbam Log

Best regards
 

 


 


#6 guder42

guder42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:25 AM

Posted 27 February 2016 - 10:36 PM

Seems faster already, certainly on the reboot.

 

ComboFix:

 

ComboFix 16-02-23.01 - guder 02/27/2016  19:09:40.3.4 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.4094.1448 [GMT -6:00]
Running from: c:\users\guder\Desktop\ComboFix.exe
Command switches used :: c:\users\guder\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2016-01-28 to 2016-02-28  )))))))))))))))))))))))))))))))
.
.
2016-02-24 17:42 . 2016-02-24 17:42    19022528    ----a-w-    c:\windows\SysWow64\FlashPlayerInstaller.exe
2016-02-01 01:17 . 2016-02-01 01:17    93392    ----a-r-    c:\users\Normal Mode\AppData\Roaming\Microsoft\Installer\{4f13c5c9-280c-4d18-9f42-e5c1ea46dead}\ARPPRODUCTICON.exe
2016-02-01 01:17 . 2016-02-01 01:17    --------    d-----w-    c:\users\Normal Mode\AppData\Local\Charter
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-02-27 17:10 . 2014-01-21 07:52    97888    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2016-02-24 17:43 . 2012-07-16 00:23    796864    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2016-02-24 17:43 . 2012-07-16 00:23    142528    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2016-01-26 09:18 . 2016-01-26 09:18    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.464.dll
2016-01-25 11:58 . 2016-01-25 11:58    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.6260.dll
2016-01-22 19:18 . 2012-07-13 10:59    464256    ----a-w-    c:\windows\system32\drivers\aswsp.sys
2016-01-22 19:18 . 2012-07-13 10:59    1065208    ----a-w-    c:\windows\system32\drivers\aswsnx.sys
2016-01-17 11:31 . 2016-01-17 11:31    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.4676.dll
2016-01-15 08:45 . 2016-01-15 08:45    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.2444.dll
2015-12-23 09:28 . 2015-12-23 09:28    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.4212.dll
2015-12-21 22:40 . 2015-12-21 22:40    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{676D6BB6-A927-493A-99F6-9833EE187EF9}\offreg.2804.dll
2015-12-20 23:15 . 2012-07-13 10:59    97648    ----a-w-    c:\windows\system32\drivers\aswmonflt.sys
2015-12-20 23:14 . 2015-12-20 23:14    386096    ----a-w-    c:\windows\system32\aswBoot.exe
2015-12-20 23:14 . 2014-07-31 23:56    155304    ----a-w-    c:\windows\system32\drivers\aswStm.sys
2015-12-20 23:14 . 2014-07-31 23:56    28656    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2015-12-20 23:14 . 2013-10-31 00:38    273784    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2015-12-20 23:14 . 2013-10-31 00:38    65224    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2015-12-20 23:14 . 2012-07-13 10:59    93528    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2015-12-20 23:14 . 2015-12-20 23:14    43112    ----a-w-    c:\windows\avastSS.scr
2015-12-20 23:14 . 2015-05-21 00:34    28144    ----a-w-    c:\windows\system32\drivers\aswKbd.sys
2013-01-19 07:44 . 2013-01-19 07:44    2174976    ----a-w-    c:\program files (x86)\Common Files\atimpenc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2016-01-28 1403304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"CPMonitor"="c:\program files (x86)\Roxio 2011\5.0\CPMonitor.exe" [2010-07-14 84464]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-12-20 7021880]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2016-01-30 594992]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2016-01-28 1403304]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Content Manager Assistant for PlayStation®.lnk - c:\program files (x86)\Sony\Content Manager Assistant\CMA.exe [2015-9-1 3784312]
Polar WebSync.lnk - c:\program files (x86)\Polar\WebSync\WebSync.exe -normal [2013-2-26 6227512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Garmin Device Interaction Service;Garmin Device Interaction Service;c:\program files (x86)\Garmin\Device Interaction Service\GarminService.exe;c:\program files (x86)\Garmin\Device Interaction Service\GarminService.exe [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatch13.exe [x]
R3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys;c:\windows\SYSNATIVE\DRIVERS\lvbflt64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RoxMediaDB13;RoxMediaDB13;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe;c:\program files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 Sahdad64;HDD Filter Driver;c:\windows\System32\Drivers\Sahdad64.sys;c:\windows\SYSNATIVE\Drivers\Sahdad64.sys [x]
S0 Saibad64;Volume Filter Driver;c:\windows\System32\Drivers\Saibad64.sys;c:\windows\SYSNATIVE\Drivers\Saibad64.sys [x]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys;c:\windows\SYSNATIVE\drivers\aswKbd.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 SaibVdAd64;Virtual Disk Driver;c:\windows\system32\Drivers\SaibVdAd64.sys;c:\windows\SYSNATIVE\Drivers\SaibVdAd64.sys [x]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe;c:\program files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 BOT4Service;BOT4Service;c:\program files (x86)\Roxio\BackOnTrack\App\BService.exe;c:\program files (x86)\Roxio\BackOnTrack\App\BService.exe [x]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 GfExperienceService;NVIDIA GeForce Experience Service;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [x]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]
S2 HPM1210RcvFaxSrvc;HP LaserJet Professional M1210 MFP Series Receive Fax Service;c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe;c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe [x]
S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe;c:\windows\SYSNATIVE\HPSIsvc.exe [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Polar Daemon;Polar Daemon;c:\program files (x86)\Polar\Daemon\polard.exe;c:\program files (x86)\Polar\Daemon\polard.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S2 Update service;Update service;c:\program files (x86)\Popcorn Time\Updater.exe;c:\program files (x86)\Popcorn Time\Updater.exe [x]
S3 HP1210FAX;HP1210MFP FAX;c:\windows\system32\Drivers\HPM1210FAX.sys;c:\windows\SYSNATIVE\Drivers\HPM1210FAX.sys [x]
S3 mvusbews;USB EWS Device;c:\windows\system32\Drivers\mvusbews.sys;c:\windows\SYSNATIVE\Drivers\mvusbews.sys [x]
S3 NvStreamKms;NvStreamKms;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2016-02-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-16 17:43]
.
2016-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-19 07:59]
.
2016-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-19 07:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-12-20 23:14    873304    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2014-12-13 2824504]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2014-12-13 2531472]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
FF - ProfilePath - c:\users\guder\AppData\Roaming\Mozilla\Firefox\Profiles\7jhazq25.default-1456596040438\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**ˆ]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.**ˆ\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-63747084-386810426-4154813512-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.**ˆ]
"0"=hex:43,3a,5c,55,73,65,72,73,5c,67,75,64,65,72,5c,44,6f,77,6e,6c,6f,61,64,
   73,5c,55,72,62,61,6e,69,7a,65,64,2e,32,30,31,31,2e,37,32,30,70,2e,42,6c,75,\
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2016-02-27  19:20:54
ComboFix-quarantined-files.txt  2016-02-28 01:20
ComboFix2.txt  2016-02-28 00:39
.
Pre-Run: 10,232,737,792 bytes free
Post-Run: 10,152,300,544 bytes free
.
- - End Of File - - B268298DFFDC732F1EE221987A4CFCA5
A36C5E4F47E84449FF07ED3517B43A31
 

 

ADWCleaner:

 

# AdwCleaner v5.036 - Logfile created 27/02/2016 at 19:39:08
# Updated 22/02/2016 by Xplode
# Database : 2016-02-27.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : guder - GUDER-PC
# Running from : C:\Users\guder\Desktop\adwcleaner_5.036.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269

***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [767 bytes] - [27/02/2016 19:39:08]
C:\AdwCleaner\AdwCleaner[S1].txt - [819 bytes] - [27/02/2016 19:37:38]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [911 bytes] ##########
 

 

Mbam:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/27/2016
Scan Time: 7:49 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.27.05
Rootkit Database: v2016.02.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: guder

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 472820
Time Elapsed: 58 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.Bundler, C:\Users\Normal Mode\Downloads\Software_Update.exe, Quarantined, [fbb62144b6e31a1c0ff4a3f991702dd3],

Physical Sectors: 0
(No malicious items detected)


(end)

 

Pretty exciting stuff, I'm glad you know how this works!



#7 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 PM

Posted 28 February 2016 - 02:05 PM

Pretty exciting stuff, I'm glad you know how this works!

I'm not sure exactly what you mean. Is the problem solved?

=======================================================

 

Do you use Popcorn Time and Roxio software?


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#8 guder42

guder42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:25 AM

Posted 28 February 2016 - 03:39 PM

 

Pretty exciting stuff, I'm glad you know how this works!

I'm not sure exactly what you mean. Is the problem solved?

=======================================================

 

Do you use Popcorn Time and Roxio software?

 

 

Hi, I mean that it is very interesting to watch these tools work on a system as complicated as a modern computer. However, it is too much information for a casual/functional user such as myself to know, so I am very appreciative that specialists like you are available.

 

No, it is certainly not better on memory usage, I am at about 93% consumed right now. Although it does seem, in my opinion, that my computer is restarting faster (this could just be hopefulness ;-) ), the actual function of the computer comes almost to a complete stop from the RAM consumed by svchost.exe (netsvcs). I did notice that it appeared I could sometimes use Resource Monitor to manually (right-click then End Process) stop this process; it will return to full memory usage as just svchost.exe without the (netsvcs) extension, and this one I cannot close, as it gives the access denied error.

 

Yes, I use Roxio for video editing and Popcorn Time for missed episodes.

 

Thanks
 



#9 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 PM

Posted 28 February 2016 - 10:00 PM

Okay, thank you.

 

PC seems clean. Your problem, I guess, is caused by overlapping software.

AdwCleaner saw the Roxio software driver as harmful and removed it. You can try removing the software, if it is not very important to you.

 

''bittorrent\updates\7.9.1_31141.exe''
You should also remove the BitTorrent software. It is constantly updated. This is wrong.

=============================================================================================

D:\Setup.exe

Which software does this file belong to?

===================================

 

Please do the following for me

Please download SystemLook from one of the links below and save it to your Desktop.
Download 1
Download 2

  • Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8 users, right-click > Run as Administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
:folderfind
{622121ED-57AF-449B-8B84-56C3EA4A6B82}
{3F8BC6CA-E1F6-4AB3-8A53-6A4B5DCE6230}
{F36129E6-818E-4815-8C0E-BEE4B71C2591}
{71EF3D36-60E7-4B1A-8B48-27B8C2EF4DC7}

:regfind
{622121ED-57AF-449B-8B84-56C3EA4A6B82}
{3F8BC6CA-E1F6-4AB3-8A53-6A4B5DCE6230}
{F36129E6-818E-4815-8C0E-BEE4B71C2591}
{71EF3D36-60E7-4B1A-8B48-27B8C2EF4DC7}
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan.
  • Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Edited by olgun52, 28 February 2016 - 10:21 PM.

Best regards
 

 


 


#10 guder42

guder42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:25 AM

Posted 29 February 2016 - 07:01 AM

D:\ is the DVD RW drive, and it is empty right now. I can't remember the last thing I loaded from there, probably a year or more.

 

Here is the log from SystemLook:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 05:46 on 29/02/2016 by guder
Administrator - Elevation successful

========== folderfind ==========

Searching for "{622121ED-57AF-449B-8B84-56C3EA4A6B82}"
No folders found.

Searching for "{3F8BC6CA-E1F6-4AB3-8A53-6A4B5DCE6230}"
No folders found.

Searching for "{F36129E6-818E-4815-8C0E-BEE4B71C2591}"
No folders found.

Searching for "{71EF3D36-60E7-4B1A-8B48-27B8C2EF4DC7}"
No folders found.

========== regfind ==========

Searching for "{622121ED-57AF-449B-8B84-56C3EA4A6B82}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{622121ED-57AF-449B-8B84-56C3EA4A6B82}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{622121ED-57AF-449B-8B84-56C3EA4A6B82}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{622121ED-57AF-449B-8B84-56C3EA4A6B82}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"

Searching for "{3F8BC6CA-E1F6-4AB3-8A53-6A4B5DCE6230}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{3F8BC6CA-E1F6-4AB3-8A53-6A4B5DCE6230}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{3F8BC6CA-E1F6-4AB3-8A53-6A4B5DCE6230}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{3F8BC6CA-E1F6-4AB3-8A53-6A4B5DCE6230}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"

Searching for "{F36129E6-818E-4815-8C0E-BEE4B71C2591}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{F36129E6-818E-4815-8C0E-BEE4B71C2591}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{F36129E6-818E-4815-8C0E-BEE4B71C2591}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{F36129E6-818E-4815-8C0E-BEE4B71C2591}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"

Searching for "{71EF3D36-60E7-4B1A-8B48-27B8C2EF4DC7}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{71EF3D36-60E7-4B1A-8B48-27B8C2EF4DC7}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{71EF3D36-60E7-4B1A-8B48-27B8C2EF4DC7}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{71EF3D36-60E7-4B1A-8B48-27B8C2EF4DC7}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=D:\Setup.exe|Name=Roxio Streamer Discovery Service|"

-= EOF =-

 

Thank you



#11 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 PM

Posted 29 February 2016 - 12:48 PM

FRST Script:
 Please download the attached file Fixlist.txt (3.31KB) and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

How is the machine running now, and the CPU?


Best regards
 

 


 


#12 guder42

guder42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:25 AM

Posted 01 March 2016 - 08:16 AM

It seemed to be running faster after the reboot, no delay in starting the web browser for example, but then the memory process started again after a couple of minutes. I attached an image of the Resource Monitor. Just before I took the image it dropped from 93% to 65%.

 

Here is the Fixlog file:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:27-02-2016
Ran by guder (2016-03-01 06:41:15) Run:2
Running from C:\Users\guder\Desktop\Fix File
Loaded Profiles: guder (Available Profiles: guder & Normal Mode)
Boot Mode: Normal
==============================================

fixlist content:
*****************

start
FirewallRules: [TCP Query User{ADCCD9DB-103B-409D-ACB9-1DEDCD31FC7C}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31141.exe] => (Block) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31141.exe
FirewallRules: [UDP Query User{40487A1A-7CF8-41A8-B48A-2318B2197A61}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31141.exe] => (Block) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31141.exe
FirewallRules: [TCP Query User{49A7D683-4F49-4D53-ACED-0F4E1864CEE4}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe] => (Allow) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe
FirewallRules: [UDP Query User{8357D1B1-3DBC-479A-BB43-2638E17E09C5}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe] => (Allow) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe
FirewallRules: [TCP Query User{6410D247-EF0E-48DC-A70D-B1AC4AB4B07E}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe] => (Block) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe
FirewallRules: [UDP Query User{54C131AC-2A74-4171-9530-39A18FD59FCD}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe] => (Block) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe
FirewallRules: [TCP Query User{3A1ED8AE-F957-49F8-BA05-2D7CF23CB279}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_31897.exe] => (Allow) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_31897.exe
FirewallRules: [UDP Query User{86660909-E8E0-476F-8AD5-272A164EFA0E}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_31897.exe] => (Allow) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_31897.exe
FirewallRules: [TCP Query User{1C5D0F08-139E-4F4D-956E-6F2389EAD877}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_32241.exe] => (Allow) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_32241.exe
FirewallRules: [UDP Query User{84FF75D7-1480-4B78-81E0-8B9A6E51F6EC}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_32241.exe] => (Allow) C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_32241.exe
FirewallRules: [TCP Query User{3B45EE10-6FEB-4353-973C-64C040D83819}C:\users\normal mode\downloads\bittorrent.exe] => (Allow) C:\users\normal mode\downloads\bittorrent.exe
FirewallRules: [UDP Query User{9DC2B949-18BD-44A7-B1C3-274F4AA82078}C:\users\normal mode\downloads\bittorrent.exe] => (Allow) C:\users\normal mode\downloads\bittorrent.exe
FirewallRules: [TCP Query User{22EDF6E8-8A5D-49E3-A67E-D6675903B701}C:\program files (x86)\bittorrent\bittorrent.exe] => (Allow) C:\program files (x86)\bittorrent\bittorrent.exe
FirewallRules: [UDP Query User{9FD8A678-881B-43A2-B9E9-4562A40E4600}C:\program files (x86)\bittorrent\bittorrent.exe] => (Allow) C:\program files (x86)\bittorrent\bittorrent.exe
FirewallRules: [TCP Query User{B5FEEF00-C975-4EDB-92B3-4D4F9B2449AF}C:\users\normal mode\appdata\roaming\bittorrent\bittorrent.exe] => (Block) C:\users\normal mode\appdata\roaming\bittorrent\bittorrent.exe
FirewallRules: [UDP Query User{D197F15F-33FF-40D0-BB13-C8978CB19648}C:\users\normal mode\appdata\roaming\bittorrent\bittorrent.exe] => (Block) C:\users\normal mode\appdata\roaming\bittorrent\bittorrent.exe
Emptytemp:
end

*****************

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{ADCCD9DB-103B-409D-ACB9-1DEDCD31FC7C}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31141.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{40487A1A-7CF8-41A8-B48A-2318B2197A61}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31141.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{49A7D683-4F49-4D53-ACED-0F4E1864CEE4}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{8357D1B1-3DBC-479A-BB43-2638E17E09C5}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{6410D247-EF0E-48DC-A70D-B1AC4AB4B07E}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{54C131AC-2A74-4171-9530-39A18FD59FCD}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.1_31396.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{3A1ED8AE-F957-49F8-BA05-2D7CF23CB279}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_31897.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{86660909-E8E0-476F-8AD5-272A164EFA0E}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_31897.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{1C5D0F08-139E-4F4D-956E-6F2389EAD877}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_32241.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{84FF75D7-1480-4B78-81E0-8B9A6E51F6EC}C:\users\normal mode\appdata\roaming\bittorrent\updates\7.9.2_32241.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{3B45EE10-6FEB-4353-973C-64C040D83819}C:\users\normal mode\downloads\bittorrent.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{9DC2B949-18BD-44A7-B1C3-274F4AA82078}C:\users\normal mode\downloads\bittorrent.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{22EDF6E8-8A5D-49E3-A67E-D6675903B701}C:\program files (x86)\bittorrent\bittorrent.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{9FD8A678-881B-43A2-B9E9-4562A40E4600}C:\program files (x86)\bittorrent\bittorrent.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{B5FEEF00-C975-4EDB-92B3-4D4F9B2449AF}C:\users\normal mode\appdata\roaming\bittorrent\bittorrent.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{D197F15F-33FF-40D0-BB13-C8978CB19648}C:\users\normal mode\appdata\roaming\bittorrent\bittorrent.exe => value removed successfully
EmptyTemp: => 403.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 06:41:49 ====

 

Thank you

Attached Files



#13 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 PM

Posted 01 March 2016 - 08:42 AM

I have not seen a problem there.

 

SecurityCheck
Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.

Best regards
 

 


 


#14 guder42

guder42
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:25 AM

Posted 01 March 2016 - 09:12 AM

Good afternoon, Sir!

 

Log attached, thanks.

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
avast! Antivirus   
 Antivirus up to date!  (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 73  
 Java version 32-bit out of Date!
 Adobe Flash Player 20.0.0.306  
 Adobe Reader XI  
 Mozilla Firefox (44.0.2)
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 



#15 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:25 PM

Posted 01 March 2016 - 09:32 AM

Good afternoon

 Windows Firewall Enabled!  
 Windows Firewall Disabled!
Please check. Is it open or is it closed?

Edited by olgun52, 01 March 2016 - 09:33 AM.

Best regards
 

 


 




