
Possible Malware


This topic is locked.
11 replies to this topic

#1 Saia
  • Members
  • 6 posts

Posted 31 August 2016 - 08:13 PM

Hi,

 

Recently, I scanned my computer using Spybot S&D and it found malware that was located in "C:\END." At the same time I noticed that my RAM and CPU were being used significantly more than I remembered when at idle (50%+ and 5+gb ram). Even after Spybot said it "fixed" the malware, the performance issues are still there. Also recently, I found the process that is taking up all of the memory. It is svchost.exe, which I know is a Windows process, but I don't think it should be running at 25 CPU and 1.5gb memory. I appreciate any and all help.

 

Attached File: svchost.png (257.95KB)

 

Thanks,

Saia





#2 nasdaq
  • Malware Response Team
  • 39,569 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 01 September 2016 - 10:06 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.

#3 Saia
  • Topic Starter
  • Members
  • 6 posts

Posted 01 September 2016 - 11:33 PM

Hi nasdaq,

 

Here is the MBAM log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/1/2016
Scan Time: 9:03 PM
Logfile: 9-1-16 MBAM log.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.02.01
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Hewitt

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 303186
Time Elapsed: 4 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

AdwCleaner log:

 

# AdwCleaner v6.010 - Logfile created 01/09/2016 at 21:13:40
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-09-01.2 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : Hewitt - HEWITT-PC
# Running from : C:\Users\Hewitt\Desktop\adwcleaner_6.010.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
File Found:  C:\Users\Hewitt\AppData\Local\Temp\Utils.dll
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [1186 Bytes] - [01/09/2016 21:13:40]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1259 Bytes] ##########
 
Farbar log:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by Hewitt (administrator) on HEWITT-PC (01-09-2016 21:18:05)
Running from C:\Users\Hewitt\Desktop
Loaded Profiles: Hewitt (Available Profiles: Hewitt)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Spotify Ltd) C:\Users\Hewitt\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(SteelSeries ApS) C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
() C:\Users\Hewitt\Desktop\adwcleaner_6.010.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8466136 2015-04-30] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2634872 2015-08-26] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\nvspcap64.dll [1710568 2015-08-26] (NVIDIA Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [296216 2015-03-23] (Intel Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-4038167310-1657603435-1269728446-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2857248 2016-08-23] (Valve Corporation)
HKU\S-1-5-21-4038167310-1657603435-1269728446-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-4038167310-1657603435-1269728446-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50676864 2016-03-01] (Skype Technologies S.A.)
HKU\S-1-5-21-4038167310-1657603435-1269728446-1000\...\Run: [Spotify Web Helper] => C:\Users\Hewitt\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1523312 2016-08-29] (Spotify Ltd)
HKU\S-1-5-21-4038167310-1657603435-1269728446-1000\...\Run: [Spotify] => C:\Users\Hewitt\AppData\Roaming\Spotify\Spotify.exe [6930544 2016-08-29] (Spotify Ltd)
HKU\S-1-5-21-4038167310-1657603435-1269728446-1000\...\MountPoints2: {3bdff0ef-17cb-11e5-b86a-a46fce4b3b9d} - D:\LaunchU3.exe -a
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SteelSeries Engine 3.lnk [2015-07-01]
ShortcutTarget: SteelSeries Engine 3.lnk -> C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe (SteelSeries ApS)
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
AutoConfigURL: [S-1-5-21-4038167310-1657603435-1269728446-1000] => hxxp://proxy.lib.berkeley.edu/proxy.pac
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{28A3FAC6-B43A-409F-BBFC-D473E0CA92B2}: [DhcpNameServer] 75.75.75.75 75.75.76.76
ManualProxies: 0hxxp://proxy.lib.berkeley.edu/proxy.pac
 
Internet Explorer:
==================
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\ssv.dll [2016-03-15] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\jp2ssv.dll [2016-03-15] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-08-27] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-08-27] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\dtplugin\npDeployJava1.dll [2016-03-15] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.73.2 -> C:\Program Files (x86)\Java\jre1.8.0_73\bin\plugin2\npjp2.dll [2016-03-15] (Oracle Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-08-25] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-08-25] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-27] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-07-28] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-06-20]
CHR Extension: (Google Docs) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-20]
CHR Extension: (Google Drive) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (uBlock Origin) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2016-09-01]
CHR Extension: (Google Search) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Google Sheets) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-06-20]
CHR Extension: (Google Docs Offline) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (AdBlock) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-08-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Gmail) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-20]
CHR Extension: (Chrome Media Router) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-01]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Futuremark SystemInfo Service; C:\Program Files (x86)\Futuremark\SystemInfo\FMSISvc.exe [342240 2015-06-03] (Futuremark)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1155192 2015-08-26] (NVIDIA Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1872504 2015-08-26] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [5544568 2015-08-26] (NVIDIA Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19576 2015-08-26] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [50472 2015-08-10] (NVIDIA Corporation)
R3 ssdevfactory; C:\Windows\System32\DRIVERS\ssdevfactory.sys [32792 2015-06-01] (SteelSeries ApS)
R3 sshid; C:\Windows\System32\DRIVERS\sshid.sys [43616 2015-06-01] (SteelSeries ApS)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-01 21:18 - 2016-09-01 21:18 - 00013794 _____ C:\Users\Hewitt\Desktop\FRST.txt
2016-09-01 21:17 - 2016-09-01 21:18 - 00000000 ____D C:\FRST
2016-09-01 21:17 - 2016-09-01 21:17 - 02397696 _____ (Farbar) C:\Users\Hewitt\Desktop\FRST64.exe
2016-09-01 21:13 - 2016-09-01 21:13 - 00000000 ____D C:\AdwCleaner
2016-09-01 21:11 - 2016-09-01 21:11 - 03826240 _____ C:\Users\Hewitt\Desktop\adwcleaner_6.010.exe
2016-09-01 21:10 - 2016-09-01 21:10 - 00001062 _____ C:\Users\Hewitt\Desktop\9-1-16 MBAM log.txt
2016-08-29 16:28 - 2016-09-01 21:12 - 00000000 ____D C:\Users\Hewitt\AppData\Local\Spotify
2016-08-29 16:28 - 2016-08-29 16:28 - 00001811 _____ C:\Users\Hewitt\Desktop\Spotify.lnk
2016-08-29 16:28 - 2016-08-29 16:28 - 00001797 _____ C:\Users\Hewitt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2016-08-29 16:27 - 2016-09-01 20:59 - 00000000 ____D C:\Users\Hewitt\AppData\Roaming\Spotify
2016-08-29 16:27 - 2016-08-29 16:27 - 00356056 _____ (Spotify Ltd) C:\Users\Hewitt\Downloads\SpotifySetup (1).exe
2016-08-28 00:13 - 2016-08-28 00:13 - 00000000 ____D C:\Users\Hewitt\AppData\Roaming\.mono
2016-08-27 23:28 - 2016-09-01 20:46 - 00000000 ____D C:\Users\Hewitt\AppData\Local\Battle.net
2016-08-27 23:27 - 2016-08-27 23:27 - 00001148 _____ C:\Users\Public\Desktop\Battle.net.lnk
2016-08-27 23:27 - 2016-08-27 23:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battle.net
2016-08-27 23:24 - 2016-08-27 23:29 - 00000000 ____D C:\Users\Hewitt\AppData\Roaming\Battle.net
2016-08-27 23:24 - 2016-08-27 23:24 - 03012080 _____ (Blizzard Entertainment) C:\Users\Hewitt\Downloads\Battle.net-Setup.exe
2016-08-27 19:04 - 2016-08-27 23:07 - 00000000 ____D C:\Windows\erdnt
2016-08-27 19:04 - 2016-08-27 19:08 - 00000000 ____D C:\Qoobox
2016-08-27 18:52 - 2016-08-27 19:01 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-08-27 18:17 - 2016-08-27 18:27 - 00007598 _____ C:\Users\Hewitt\AppData\Local\Resmon.ResmonCfg
2016-08-25 20:25 - 2016-08-25 20:25 - 00000000 ____D C:\Users\Hewitt\AppData\LocalLow\Blizzard Entertainment
2016-08-24 22:54 - 2016-08-24 22:55 - 00390242 _____ C:\TDSSKiller.3.1.0.11_24.08.2016_22.54.27_log.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-01 21:16 - 2015-06-20 21:46 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-01 21:10 - 2015-08-07 18:41 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-09-01 21:03 - 2015-06-30 20:31 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-09-01 21:00 - 2015-06-20 21:52 - 00000000 ____D C:\Users\Hewitt\AppData\Roaming\Skype
2016-09-01 20:59 - 2015-06-20 21:52 - 00000000 ____D C:\Program Files (x86)\Steam
2016-09-01 20:59 - 2015-06-20 21:46 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-01 20:54 - 2009-07-13 22:13 - 00798426 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-01 20:54 - 2009-07-13 21:45 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-09-01 20:54 - 2009-07-13 21:45 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-09-01 20:54 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-09-01 20:47 - 2015-06-20 21:42 - 00000000 ____D C:\ProgramData\NVIDIA
2016-09-01 20:47 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-01 20:21 - 2009-07-13 22:08 - 00032624 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-09-01 19:57 - 2015-06-30 20:20 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-08-27 23:33 - 2015-11-30 15:56 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-08-27 23:33 - 2015-07-05 22:51 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-08-27 23:31 - 2015-06-30 20:34 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-08-27 23:29 - 2015-07-16 17:25 - 00000000 ____D C:\Program Files (x86)\Diablo III Public Test
2016-08-27 23:29 - 2015-06-30 21:34 - 00000000 ____D C:\Program Files (x86)\Hearthstone
2016-08-27 23:19 - 2015-06-20 21:05 - 00000000 ____D C:\Users\Hewitt
2016-08-27 23:16 - 2015-06-20 21:46 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-27 23:16 - 2015-06-20 21:46 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-08-27 23:11 - 2015-06-20 21:46 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-08-27 23:11 - 2015-06-20 21:46 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-08-27 23:10 - 2015-08-07 18:41 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-08-27 23:10 - 2015-08-07 18:41 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-08-27 23:10 - 2015-08-07 18:41 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-08-27 23:08 - 2016-04-05 15:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
2016-08-27 23:08 - 2016-04-05 15:54 - 00000000 ____D C:\Program Files (x86)\World of Warcraft
2016-08-27 23:08 - 2016-01-18 16:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2016-08-27 23:08 - 2015-08-07 18:41 - 00000000 ____D C:\Windows\system32\Macromed
2016-08-27 23:08 - 2015-06-30 21:37 - 00000000 ____D C:\Program Files (x86)\Heroes of the Storm
2016-08-27 23:08 - 2015-06-30 20:35 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2016-08-27 23:08 - 2015-06-30 20:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-27 23:08 - 2015-06-30 20:31 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-08-27 23:08 - 2015-06-20 21:07 - 00000000 ____D C:\w7lxe-v10.exe
2016-08-27 23:07 - 2015-08-07 18:41 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-08-27 23:07 - 2015-06-30 21:44 - 00000000 ____D C:\Program Files (x86)\Diablo III
2016-08-27 23:07 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\registration
2016-08-24 22:13 - 2015-07-01 18:25 - 00000000 ____D C:\Users\Hewitt\AppData\Local\SteelSeries Engine 3 Client
 
==================== Files in the root of some directories =======
 
2016-08-27 18:17 - 2016-08-27 18:27 - 0007598 _____ () C:\Users\Hewitt\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
C:\Users\Hewitt\AppData\Local\Temp\libeay32.dll
C:\Users\Hewitt\AppData\Local\Temp\msvcr120.dll
C:\Users\Hewitt\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\Hewitt\AppData\Local\Temp\sqlite3.dll
C:\Users\Hewitt\AppData\Local\Temp\utils.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-04-07 17:21
 
==================== End of FRST.txt ============================
 
I have also attached the Addition.txt as you requested.
 
Thanks again,
Saia

 


#4 nasdaq
  • Malware Response Team
  • 39,569 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 02 September 2016 - 08:24 AM


Do you still need this proxy?
AutoConfigURL: [S-1-5-21-4038167310-1657603435-1269728446-1000] => hxxp://proxy.lib.berkeley.edu/proxy.pac
ManualProxies: 0hxxp://proxy.lib.berkeley.edu/proxy.pac

===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
C:\Users\Hewitt\AppData\Local\Temp\utils.dll
Hosts:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

===
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 73 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218073F0}) (Version: 8.0.730.2 - Oracle Corporation)
===

Please post the log and let me know what problem persists.
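Because the complaint that started this thread is a single svchost.exe instance holding 1.5 GB of RAM and 25% CPU, here is an added diagnostic (example code, written for this page; it is not something nasdaq posted and not part of the Farbar tool) that lists every svchost.exe instance together with the services it hosts, so the heavy instance can be tied to a service group and its image path checked. It assumes Windows PowerShell 2.0 or later run from an elevated prompt (so every service's ProcessId is visible); the 500 MB threshold is an arbitrary assumption.

```powershell
# Added example: map each svchost.exe instance to the services it hosts and
# flag instances that are unusually large, host no service, or run from the
# wrong path. Assumes Windows PowerShell 2.0+ (Windows 7 era), elevated.

$thresholdMB = 500   # assumption: flag instances whose working set exceeds this

# Build a lookup: ProcessId -> names of the running services hosted in it.
# Keys are cast to [int] so they match Get-Process's Id (Int32) on lookup.
$servicesByPid = @{}
foreach ($svc in Get-WmiObject -Class Win32_Service -Filter "State='Running'") {
    $svcPid = [int]$svc.ProcessId
    if ($svcPid -gt 0) {
        if (-not $servicesByPid.ContainsKey($svcPid)) {
            $servicesByPid[$svcPid] = @()
        }
        $servicesByPid[$svcPid] += $svc.Name
    }
}

$report = foreach ($proc in Get-Process -Name svchost) {
    $hosted = $servicesByPid[[int]$proc.Id]
    if (-not $hosted) { $hosted = @('<no service mapped - investigate>') }
    # CPU is $null for processes the caller cannot open; treat that as 0.
    $cpu = if ($proc.CPU) { [math]::Round($proc.CPU, 1) } else { 0 }
    New-Object PSObject -Property @{
        PID          = $proc.Id
        WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
        CPUSeconds   = $cpu
        Path         = $proc.Path
        Services     = ($hosted -join ', ')
    }
}

# Full picture, largest instance first.
$report | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, WorkingSetMB, CPUSeconds, Services -AutoSize

# Instances worth showing the helper: oversized, hosting nothing, or not the
# genuine %SystemRoot%\System32\svchost.exe image.
$report | Where-Object {
    $_.WorkingSetMB -gt $thresholdMB -or
    $_.Services -like '<no service*' -or
    ($_.Path -and $_.Path -ne "$env:SystemRoot\System32\svchost.exe")
} | Format-List PID, Path, WorkingSetMB, Services
```

The second table is the one to paste into a reply: a legitimate svchost.exe always hosts at least one service and runs from System32, so an instance that fails either check is the thing to look at first, while a large instance that hosts a known service group (Windows Update, for example) points to a configuration problem rather than malware.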

#5 Saia

Saia
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 02 September 2016 - 10:36 AM

Yes, I still need that proxy if it won't be causing an issue.

 

Here is the fixlist log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 31-08-2016
Ran by Hewitt (02-09-2016 08:19:50) Run:1
Running from C:\Users\Hewitt\Desktop
Loaded Profiles: Hewitt (Available Profiles: Hewitt)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
C:\Users\Hewitt\AppData\Local\Temp\utils.dll
Hosts:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
Synth3dVsc => service removed successfully
tsusbhub => service removed successfully
VGPU => service removed successfully
"C:\Users\Hewitt\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]" => not found.
C:\Users\Hewitt\AppData\Local\Temp\utils.dll => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 29941369 B
Java, Flash, Steam htmlcache => 201363886 B
Windows/system/drivers => 1312440 B
Edge => 0 B
Chrome => 853229445 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 35152 B
systemprofile32 => 33460 B
LocalService => 66228 B
NetworkService => 1147448 B
Hewitt => 185787480 B
 
RecycleBin => 0 B
EmptyTemp: => 1.2 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 08:20:01 ====
 
I updated Java as well. So far, svchost.exe is still taking about 1.5gb ram and 25 cpu according to the task manager.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 02 September 2016 - 12:23 PM


I was just asking about the proxy. If you need it, keep it.
On the other hand, Microsoft Updates may be objecting to it.


Errors on your Addition.txt

Error: (09/01/2016 09:14:41 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


Please ensure that the TIME and DATE are correct on the computer.

===

If that fails look at this topic.

http://answers.microsoft.com/en-us/windows/forum/all/event-id-8-and-11-crypt32-error/bb7b24a1-f6e9-446d-920c-884d17b3da4c?auth=1

Try the suggested fix.

===

Keep me posted.
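The CAPI2 4107 error quoted above fails because the certificate on the root-list cab is checked against the local clock, which is why nasdaq asks about the time and date. Here is an added check (example code written for this page, not posted by either participant) that shows whether 4107 is still being logged, what the local clock and Windows Time service report, and how far the clock is from an external time source. It assumes Windows 7 or later with Windows PowerShell 2.0+; the time server name is an assumption and any reachable NTP server will do.

```powershell
# Added example: is CAPI2 event 4107 still occurring, and is the clock it is
# being checked against trustworthy? Assumes Windows 7+ / Windows PowerShell 2.0+.

$timeServer = 'time.windows.com'   # assumption: any reachable NTP server

# 1. Most recent CAPI2 4107 entries (the error quoted from Addition.txt).
#    Get-WinEvent reports "no events found" as an error, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2'; Id = 4107
} -MaxEvents 5 -ErrorAction SilentlyContinue

if ($events) {
    "CAPI2 4107 still present; last occurrence: $($events[0].TimeCreated)"
    $events[0].Message
} else {
    "No CAPI2 4107 events found in the Application log."
}

# 2. Local clock as the OS sees it, plus the Windows Time service state
#    (source, stratum, last successful sync).
"Local time: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz')"
w32tm /query /status 2>&1

# 3. Offset from an external source. An offset of minutes or more means the
#    validity-period check is being made against a wrong clock; an offset of
#    seconds means the clock is fine and the cause lies elsewhere.
w32tm /stripchart /computer:$timeServer /samples:3 /dataonly 2>&1
```

If the stripchart offset is small and 4107 keeps appearing with a current timestamp, the system clock is not the cause and the later advice in the thread (the Microsoft article for this event) is the next step.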

#7 Saia

Saia
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 05 September 2016 - 03:51 PM

The time and date are correct on my computer and I looked at the topic you linked, but I'm not sure if I got the fix to work. My application log for CAPI2 has an event ID of 4107. 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 06 September 2016 - 07:10 AM

Try the fix me on this link.

https://support.microsoft.com/en-ca/kb/2328240

#9 Saia

Saia
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 06 September 2016 - 09:52 PM

Which fix me should I use? The download button brings me to a page with a list of various Microsoft Fix Me's. 



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 07 September 2016 - 08:38 AM


Use the one for your operating system. Under this heading.
For Windows 7, Windows Vista, Windows XP, Windows Server 2008 or Windows Server 2008 R2

#11 Saia

Saia
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 08 September 2016 - 10:23 PM

When I click the download button, it redirects me to this article: https://support.microsoft.com/en-ca/kb/2970908. It states that "Fix It" has been retired.



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,569 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 09 September 2016 - 09:37 AM

There is a tool suggested at the bottom of the article.
https://support.microsoft.com/en-ca/kb/2970908
What is a Microsoft easy fix solution?

Download the .msi file and run it. Follow the instructions on the page.

p.s.
It is mentioned to run the .diagcab for Windows 7 and later.
Run an easy fix solution with the extension: .diagcab (Windows 7 and later versions)

I hope that the download .msi file includes this cab file. I do not see a separate link for it.

If all fails then I suggest that you start a new topic in the Windows 7 Forum; an expert with that operating system should be able to help you better than I can. This is not my forte.

http://www.bleepingcomputer.com/forums/f/167/windows-7/



