
Annoyed process and service "TSvr.exe - Wfini.exe - qksee"


1 reply to this topic

#1 nnkq

nnkq

  • Members
  • 1 posts
  • OFFLINE

Posted 30 June 2016 - 01:25 AM

Hello, I have some weird Chinese process (I suspected malware) virus that I cannot delete, even though I already deleted them manually.

Some weird Chinese programs tend to appear out of nowhere.

Please help.

Attached Files





#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:38 AM

Posted 01 July 2016 - 05:51 PM

Hi,

So we will use FRST to remove some items. Looks like you have quite a load on board.

Usually I am only on this site once or twice per day, so you may not get a response back from me until the following day.

Copy/paste what's below into Notepad and save it as fixlist.txt in the same location that you have FRST. Start FRST like before, except this time click on the Fix button. The machine will reboot to finish the process. Upon reboot it will display a fixlog.txt that you can copy/paste in your reply.

CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.21.135\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.30.3\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.30.3\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.23.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Google Talk Plugin\googletalkax.dll (Google)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.30.3\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.30.3\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.21.145\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.21.123\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.21.153\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.29.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.24.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{91EFB276-CEFE-48EC-BB3A-57795A7B4008}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.21.149\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.22.3\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.21.165\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Google Talk Plugin\o1dax.dll (Google)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.21.115\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.25.11\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.30.3\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.30.3\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.22.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\localserver32 -> C:\Users\nank\AppData\Local\Temp\D3C0\temp\3109398756575402309b.exe => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.21.111\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.24.7\psuser.dll => No File
Task: {1703794D-365C-4F73-9948-33C1CFAF686C} - System32\Tasks\Superclean => c:\programdata\{0c9aba76-749b-0770-0c9a-aba76749e9d9}\hqghumeaylnlf.exe <==== ATTENTION
Task: {3C18E502-2099-4A50-BA7F-7FA7004B3A31} - \WinTaske -> No File <==== ATTENTION
Task: {952CB890-BA63-4D9D-8782-F552896CAFBB} - System32\Tasks\CardKeep => c:\programdata\{02578133-3660-a7b7-0257-7813336604cc}\3109398756575402309b.exe <==== ATTENTION
Task: {B4682BD1-DF32-4C9F-B280-70028A42E4A7} - \task Update -> No File <==== ATTENTION
Task: {C3111A02-5222-47C2-9312-0495B3978389} - System32\Tasks\At1 => cmd.exe /c del /F /Q "C:\Users\nank\AppData\Local\Temp\ remove.exe" <==== ATTENTION
Task: {F7B15F8B-A4F3-428F-9818-C1618C57E35B} - System32\Tasks\Browser Updater Task(Core) => C:\Program Files\TXQQBrowser\Update\4C8DFA76D59B9C3DBB92B391C92EB9AF\Update\BrowserUpdate.exe [2016-04-25] (Tencent) <==== ATTENTION
Task: C:\Windows\Tasks\At1.job => C:\Windows\system32\cmd.exe</c del /F /Q C:\Users\nank\AppData\Local\Temp\ remove.exe <==== ATTENTION
Task: C:\Windows\Tasks\Bidaily Synchronize Task[pr].job => c:\programdata\{75112f47-cc42-88f0-7511-12f47cc4bd1f}\game of thrones s05e05 hdtv x264-asap[ettv].exe <==== ATTENTION
Task: C:\Windows\Tasks\CardKeep.job => c:\programdata\{02578133-3660-a7b7-0257-7813336604cc}\3109398756575402309b.exe <==== ATTENTION
Task: C:\Windows\Tasks\Superclean.job => c:\programdata\{0c9aba76-749b-0770-0c9a-aba76749e9d9}\hqghumeaylnlf.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
AlternateDataStreams: C:\ProgramData\TEMP:054203E4 [312]
HKLM\...\Run: [gmsd_id_021010173] => [X]
GroupPolicyScripts\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.mystartsearch.com/web/?type=ds&ts=1432578155&z=697dba827a355a7be45f2d1gfzac0o5w2m4b3g0wbz&from=wpc&uid=MAXTORXSTM3250310AS_9RY3SNK0XXXX9RY3SNK0&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll [2015-12-08] (Internet Download Manager, Tonec Inc.)
CHR StartupUrls: Default -> "hxxp://www.mystartsearch.com/?type=hp&ts=1432578155&z=697dba827a355a7be45f2d1gfzac0o5w2m4b3g0wbz&from=wpc&uid=MAXTORXSTM3250310AS_9RY3SNK0XXXX9RY3SNK0","hxxp://www.yessearches.com/?ts=AHEpA30mCHIoAk..&uid=5AED317F227E7C2E19311540F149742C&ptid=wak&mode=nnnb"
U3 ave3xrom; C:\Windows\system32\Drivers\ave3xrom.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
S3 SliceDisk5; \??\C:\Users\nank\AppData\Local\Temp\HBCD\FindAndMount\slicedisk.sys [X]
2016-06-29 16:26 - 2016-06-30 13:10 - 00000000 ____D C:\Users\nank\AppData\Roaming\qksee
2016-06-29 16:26 - 2016-06-29 16:35 - 00000000 ____D C:\Program Files\{CB0EE1A4-702A-48F9-8B71-B574ADBE532B}
2016-06-29 16:25 - 2016-06-29 16:35 - 00000000 ____D C:\Program Files\{30164995-A919-48BE-914E-EA0821BD4E6F}
2016-06-29 16:25 - 2016-06-29 16:26 - 00000000 ____D C:\Program Files\wqefs8ap
2016-06-29 16:23 - 2016-06-29 16:35 - 00000000 ____D C:\Program Files\{B59FDB69-7AF4-4714-942B-7560A51F463A}
2016-06-29 16:23 - 2016-06-29 16:25 - 00000000 ____D C:\Program Files\qp1pl8yw
2016-06-29 16:23 - 2016-06-29 16:23 - 00000000 ____D C:\ProgramData\DwinpD
2016-06-29 15:23 - 2016-06-30 12:27 - 00000000 ____D C:\Users\nank\AppData\Roaming\TSv
2016-06-29 15:23 - 2016-06-29 16:35 - 00000000 ____D C:\Program Files\{CB773BBB-B72B-43A1-912E-475ECBF65542}
2016-06-29 15:23 - 2016-06-29 15:23 - 00000000 ____D C:\Program Files\TXQQBrowser
2016-06-29 14:56 - 2016-06-29 14:56 - 00000000 ____D C:\Program Files\yessearches-bnd
2016-06-30 12:23 - 2016-06-30 12:26 - 00000000 ____D C:\Program Files\zvngcxkx
Empty Temp:

After the above, download and run AdwCleaner and Malwarebytes:

1) Please download adwcleaner and save to your desktop.

    http://www.bleepingcomputer.com/download/adwcleaner/

    Right click AdwCleaner.exe and select "run as admin"
    Accept the disclaimer
    Click on the Scan button.
    Once the scan is done, Click the Clean button
    Press OK when asked to close all programs and follow the onscreen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder.


Also, it looks like you downloaded Malwarebytes but didn't install it?


2) Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.

http://data-cdn.mbamupdates.com/v2/mbam/consumer/data/mbam-setup-2.0.3.1025.exe

    Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
    At the end, be sure a checkmark is placed next to the following:
        Launch Malwarebytes Anti-Malware
        A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    Click Finish.
    On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
    Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    A Threat Scan will begin.
    With some infections, you may see this message box.
        'Could not load DDA driver'
    Click 'Yes' to this message, to allow the driver to load after a restart.
    Allow the computer to restart. Continue with the rest of these instructions.
    When the scan is complete, click Apply Actions.
    Wait for the prompt to restart the computer to appear, then click on Yes.
    After the restart once you are back at your desktop, open MBAM once more.
    Click on the History tab > Application Logs.
    Double click on the scan log which shows the Date and time of the scan just performed.
    Click 'Copy to Clipboard'
    Paste the contents of the clipboard into your reply.


Let's see how that turns out and we will go from there.


How Can I Reduce My Risk to Malware?
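The fixlist above is a plain list of FRST entries, and before it is applied a responder usually wants to know which entries are orphaned registry references (FRST's `=> No File` and `[X]` markers), which ones still point at an executable on disk (worth hashing or submitting to a scanner before the fix deletes it), and how many share the same persistence pattern (here, `.exe` files under `C:\ProgramData\{GUID}\` launched by scheduled tasks). The following Python script is an added example, not code from this thread or from FRST: it parses FRST-style lines using a constructed sample copied from the fixlist quoted in the reply, classifies each entry by persistence mechanism, and summarizes what should be collected before removal. The category names, regexes and helper names are my own and assume FRST's usual line layout.

```python
import re
from collections import Counter

# Constructed sample: a subset of the FRST fixlist lines quoted in the reply above,
# kept verbatim so the parser is exercised on real FRST formatting.
SAMPLE_FIXLIST = r"""
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\nank\AppData\Local\Google\Update\1.3.21.135\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1393413665-1399672728-1189657839-1000_Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\localserver32 -> C:\Users\nank\AppData\Local\Temp\D3C0\temp\3109398756575402309b.exe => No File
Task: {1703794D-365C-4F73-9948-33C1CFAF686C} - System32\Tasks\Superclean => c:\programdata\{0c9aba76-749b-0770-0c9a-aba76749e9d9}\hqghumeaylnlf.exe <==== ATTENTION
Task: {3C18E502-2099-4A50-BA7F-7FA7004B3A31} - \WinTaske -> No File <==== ATTENTION
Task: C:\Windows\Tasks\CardKeep.job => c:\programdata\{02578133-3660-a7b7-0257-7813336604cc}\3109398756575402309b.exe <==== ATTENTION
Task: C:\Windows\Tasks\Bidaily Synchronize Task[pr].job => c:\programdata\{75112f47-cc42-88f0-7511-12f47cc4bd1f}\game of thrones s05e05 hdtv x264-asap[ettv].exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:054203E4 [312]
HKLM\...\Run: [gmsd_id_021010173] => [X]
GroupPolicyScripts\User: Restriction <======= ATTENTION
U3 ave3xrom; C:\Windows\system32\Drivers\ave3xrom.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
2016-06-29 16:26 - 2016-06-30 13:10 - 00000000 ____D C:\Users\nank\AppData\Roaming\qksee
Empty Temp:
"""

# A drive-letter path ending in a binary extension; stops before FRST's "=>", "<====" and "(vendor)" markers.
PATH_RE = re.compile(r'[A-Za-z]:\\[^<=(]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
# The persistence pattern seen in this fixlist: a GUID-named folder directly under ProgramData.
GUID_DIR_RE = re.compile(r'[a-z]:\\programdata\\\{[0-9a-f-]{36}\}', re.IGNORECASE)
DRIVER_RE = re.compile(r'^[RSU]\d+ ')                    # FRST driver/service prefix, e.g. "U3 name;"
DATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ')  # "created - modified - size flags path"
RUN_RE = re.compile(r'^HK(?:LM|CU|U)\\.*\\Run(?:Once)?: ')


def classify(line):
    """Map one FRST line to a persistence mechanism label (labels are my own)."""
    if line.startswith("CustomCLSID:"):
        return "clsid_orphan" if "=> No File" in line else "clsid"
    if line.startswith("Task:"):
        return "task"
    if line.startswith("AlternateDataStreams:"):
        return "ads"
    if RUN_RE.match(line):
        return "run_key"
    if ": Restriction" in line:
        return "policy_restriction"
    if DRIVER_RE.match(line):
        return "driver"
    if DATED_RE.match(line):
        return "new_item"
    if line.endswith(":"):
        return "command"          # FRST directives such as "Empty Temp:"
    return "other"


def triage(fixlist_text):
    """Parse every non-empty line into a dict with kind, flags and referenced binaries."""
    entries = []
    for raw in fixlist_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entries.append({
            "kind": classify(line),
            "attention": "<====" in line,                                   # FRST's own flag
            "orphan": "No File" in line or line.endswith("[X]"),            # target no longer on disk
            "paths": [p.lower() for p in PATH_RE.findall(line)],
            "guid_dirs": [d.lower() for d in GUID_DIR_RE.findall(line)],
            "line": line,
        })
    return entries


def summarize(entries):
    """Counts per mechanism plus the files still on disk that should be preserved before the fix."""
    files = {p for e in entries if e["attention"] and not e["orphan"] for p in e["paths"]}
    guid_dirs = {d for e in entries for d in e["guid_dirs"]}
    return {
        "entries": len(entries),
        "by_kind": dict(Counter(e["kind"] for e in entries)),
        "attention": sum(e["attention"] for e in entries),
        "orphaned": sum(e["orphan"] for e in entries),
        "files_to_collect": sorted(files),
        "programdata_guid_dirs": sorted(guid_dirs),
    }


if __name__ == "__main__":
    summary = summarize(triage(SAMPLE_FIXLIST))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it on a full fixlist (or a whole FRST.txt) by replacing `SAMPLE_FIXLIST` with the file contents; entries that fall into `other` are the ones the classifier does not know about yet, so reviewing that bucket is a useful check that nothing was missed.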
