svchost.exe in temp folder/high CPU usage


6 replies to this topic

#1 pidjinn
  • Members
  • 13 posts

Posted 19 September 2016 - 08:27 PM

A few days ago, I posted a thread about my computer's high CPU usage, and the theory was that it was related to a hanging update problem. People pointed me in the direction of my svchost process taking up an unnecessarily high level of CPU. But going through the checks, it didn't look like I lacked any of the updates that would be stalling. I looked at the processes, and the one taking the most CPU was located in my temp folder, rather than my system folder, and the date revealed that it had been created when I logged on. I deleted it and everything went smoothly, and when I rebooted my computer, it re-created itself.

 

I've since run scans with Avira, Spybot S&D, and TDSSKiller, and nothing seems to detect any threats. What should I do?
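What the first post describes, an svchost.exe living in a temp folder and coming back at every logon, is the classic masquerade: the genuine svchost.exe only ever runs from %SystemRoot%\System32 (or SysWOW64 for the 32-bit copy), so the path and the Authenticode signature, not the file name, are the test. The PowerShell below is an added example, not code from the thread or from any of the tools recommended in it. It lists processes that carry a Windows system binary's name but run from anywhere else, checks their signature, and then lists Run/RunOnce keys and Startup-folder entries that point into user-writable locations, which is where "it re-created itself after a reboot" usually comes from. The list of system binary names and the path pattern are my assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the thread or from any tool it mentions): look for the
# pattern described in the first post. Run from an elevated PowerShell prompt.
# Get-WmiObject is used because it exists on Windows 7's stock PowerShell 2.0;
# on PowerShell 3+ Get-CimInstance Win32_Process returns the same fields.

# Binaries that legitimately run only from System32 (or SysWOW64 for 32-bit
# copies). Assumption: this list is mine; extend it as needed.
$systemNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe',
                 'wininit.exe', 'winlogon.exe', 'smss.exe', 'taskhost.exe',
                 'dwm.exe', 'conhost.exe', 'spoolsv.exe')
$trustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
# Locations malware drops into; a legitimate autorun rarely points here (assumed pattern).
$writablePattern = '\\(Temp|AppData|Temporary Internet Files|Users\\Public|config\\systemprofile)\\'

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }   # no path = access denied or protected process: review it
    foreach ($dir in $trustedDirs) {
        if ($Path.StartsWith($dir + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-MasqueradingProcess {
    Get-WmiObject Win32_Process | ForEach-Object {
        $name = $_.Name.ToLower()
        $path = $_.ExecutablePath
        if ($systemNames -contains $name -and -not (Test-TrustedPath $path)) {
            # Microsoft signs all of these; an unsigned or differently signed copy is the tell
            $sig = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'Unknown' }
            $created = if ($_.CreationDate) { $_.ConvertToDateTime($_.CreationDate) } else { $null }
            New-Object PSObject -Property @{
                Pid = $_.ProcessId; Name = $_.Name; Path = $path; Signature = $sig
                Created = $created; CommandLine = $_.CommandLine
            }
        }
    }
}

function Get-SuspiciousAutorun {
    # Run/RunOnce for the machine (64- and 32-bit views) and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSParentPath, ...)
            if ($p.Value -match $writablePattern) {
                New-Object PSObject -Property @{ Source = $key; Entry = $p.Name; Command = $p.Value }
            }
        }
    }
    # Startup folders: resolve shortcuts to their targets, flag bare executables/scripts
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                     "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -Force) {
            if ($f.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($f.FullName).TargetPath
                if ($target -match $writablePattern) {
                    New-Object PSObject -Property @{ Source = $dir; Entry = $f.Name; Command = $target }
                }
            } elseif ($f.Extension -match '^\.(exe|vbs|vbe|js|bat|cmd|ps1)$') {
                New-Object PSObject -Property @{ Source = $dir; Entry = $f.Name; Command = $f.FullName }
            }
        }
    }
}

Find-MasqueradingProcess | Format-Table -AutoSize Pid, Name, Path, Signature, Created
Get-SuspiciousAutorun    | Format-Table -AutoSize Source, Entry, Command
```

A process that shows up in the first table with Signature other than Valid is the one to collect (copy the file and its command line before deleting it); an entry in the second table that launches it is the persistence to remove. Scheduled tasks and services are the other two common persistence points and are not covered here; `schtasks /query /fo LIST /v` and the ImagePath values under HKLM:\SYSTEM\CurrentControlSet\services answer those.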

 





#2 dc3
    Bleeping Treehugger
  • Members
  • 30,757 posts

Posted 20 September 2016 - 09:02 AM

Please run Malwarebytes AntiMalware
 
Please download Malwarebytes Anti-Malware
 
1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.
 
2)  Malwarebytes will automatically open.  You will see an image like the one below, click on Update Now.  
 
 
3)  Click on Settings, you will see an image like the one below.
 
 
When Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.  Under Detection Options place a check in the box for Scan for rootkits
 
4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.
 
5)  When the scan is complete the results will be displayed.  Click on Delete All.
 
 
6)  Please post the Malwarebytes log.
 
To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.
 
To open the log double click on mbam-check.exe on your desktop.  Copy and paste the log in your topic.
 
 
 
Please run TDSSKiller.
 
Please download TDSSKiller from here and save it to your Desktop.
 
The log for the TDSSKiller can be very long.  If you go to the bottom of the log to where you find Scan finished you will see the results of the scan.  If it shows Detected object count: 0 and Actual detected object count: 0, this means that nothing malicious was found and you will not need to post the log.
 
1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
 
 
2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.
 
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
 
 
3.  Click Start Scan and allow the scan process to run.
 
 
4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.
 
***Do NOT select Delete!
 
Click on Continue.
 
 
5.  Click on Reboot computer.
 
Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.
 
Note:  The log may be very long.  You may need to break it into parts to post the whole log.
 
Post this in your topic.
 
 
 
Please run AdwCleaner
 
Please download AdwCleaner and install it.
 
When AdwCleaner opens you will see an image like the one below.
 
 
Click on Scan to start the scan.
 
Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.
 
If no malicious programs are found you will receive the following message.
 
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your topic.


 

Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Edited by dc3, 20 September 2016 - 09:06 AM.


#3 pidjinn
  • Topic Starter
  • Members
  • 13 posts

Posted 20 September 2016 - 10:09 PM

MalwareB:

 

Potential issues:
==============================

LAN Settings: No Settings are Set        <--NOT DETECTING SETTING AUTOMATICALLY


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

mbam-check result log version:     2.3.2.0
========================================

User Account type:                 Administrator
DomainComputer:                    No
OS:                                Windows 7 Service Pack 1 Service Pack 1 64 bit Operating System
Current Version and Build:         6.1.7601
mbam-check result log version: 2.3.2.0

Date Log Created: 09/20/16
Time Log Created: 15:22:44


User Information for Local System:
===========================================
User Account: Administrator
    Account Level: Admin
User Account: back door
    Account Level: Limited User
User Account: Guest
    Account Level: Guest
User Account: HomeGroupUser$
    Account Level: Guest
User Account: Will
    Account Level: Admin
Total # of user entries: 5

UAC Settings:
===================
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    DWORD    1    Status: ON
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
    DWORD    5    Status: ON

AntiVirus Information:
===================
AntiVirus Software Installed:    "Avira Antivirus"

FireWall Information:
===================
NO 3rd Party Firewall Software Installed

AntiSpyware Information:
===================
AntiSpyware Software Installed:    "Avira Antivirus"
AntiSpyware Software Installed:    "Windows Defender"
AntiSpyware Software Installed:    "Spybot - Search and Destroy"

Machine Information
===============================================
Machine ID:    7252a812c6fc16b19c3f30d6a5e82b0a2c10c6e3
System has been up for:     1.59722 Hours
Current Date:    2016-Sep-20 20:22:48.697918
Date Booted:    2016-Sep-20 19:22:48.697918

Compatibility Flag Settings:
=================================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    C:\Users\Will\Downloads\PSO2 Tweaker.exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION
    C:\Users\Will\Desktop\vidya\PSO2\PSO2 Tweaker.exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION
    C:\Program Files (x86)\Steam\steamapps\common\Cities in Motion 2\CIM2.exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION
    C:\Users\Will\Desktop\vidya\Dungeons of Fayte\DoF (Sharp).exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION
    C:\Users\Will\Downloads\GraalSetup.exeREG_SZ        VISTARTM
    C:\Program Files (x86)\Nexus Mod Manager\NexusClient.exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION
    C:\Program Files (x86)\MegaDev\MD-Trainers\MT-X\MT-eXperience.exeREG_SZ        RUNASADMIN
    C:\Users\Will\Desktop\vidya\Emulators\PS\PSX\pcsx2-r5875.exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION
    C:\Program Files\Nexus Mod Manager\NexusClient.exeREG_SZ        DISABLEUSERCALLBACKEXCEPTION
    C:\Program Files (x86)\GOG\Necropolis\Necropolis.exeREG_SZ        HIGHDPIAWARE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    C:\Program Files (x86)\Steam\Steam.exeREG_SZ        ELEVATECREATEPROCESS
    C:\Program Files (x86)\SCHTHACK PSOBB\online.exeREG_SZ        VISTARTM
    C:\Program Files (x86)\SCHTHACK PSOBB\PsoBB.exeREG_SZ        VISTARTM
    SIGN.MEDIA=28562AD4 INSTALL.EXEREG_SZ        WIN95
    C:\Program Files (x86)\Steam\steamapps\common\morrowind\Morrowind Launcher.exeREG_SZ        RUNASADMIN
    C:\Program Files (x86)\Steam\steamapps\common\morrowind\Morrowind.exeREG_SZ        RUNASADMIN
    C:\Program Files (x86)\Steam\steamapps\common\morrowind\MGEgui.exeREG_SZ        RUNASADMIN
    C:\Program Files (x86)\Nexus Mod Manager\NexusClient.exeREG_SZ        RUNASADMIN
    C:\Program Files (x86)\Steam\steamapps\common\skyrim\TESV.exeREG_SZ        VISTASP2
    C:\Program Files (x86)\Livestream Procaster\Procaster.exeREG_SZ        RUNASADMIN
    SIGN.MEDIA=EFDC0 SETUP.EXE    REG_SZ        WINXPSP3
    C:\Program Files (x86)\Koei\Dynasty Warriors 4 Hyper\Launcher.exeREG_SZ        WINXPSP3
    C:\Program Files (x86)\Steam\steamapps\common\Mass Effect\runme.exeREG_SZ        WINXPSP3
    C:\Users\Will\Desktop\New folder\IPS.EXEREG_SZ        WINXPSP3
    C:\Program Files (x86)\Steam\steamapps\common\Deadly Premonition The Director's Cut\DP.exeREG_SZ        VISTARTM
    C:\Users\Will\Desktop\New folder\EMU83.EXEREG_SZ        WINXPSP3
    C:\Program Files (x86)\Steam\steamapps\common\Sonic & All-Stars Racing Transformed\ASN_App_PcDx9_Final.exeREG_SZ        WINXPSP3 RUNASADMIN
    C:\Program Files (x86)\PlayOnline\SquareEnix\Asshy\Ableepa.exeREG_SZ        WINXPSP3
    SIGN.MEDIA=193000 Imation Flash Login.exeREG_SZ        WINXPSP3
    SIGN.MEDIA=EFDC0 START.EXE    REG_SZ        WIN95
    C:\Users\Will\Desktop\New folder\ACEYDUCY\AD.EXEREG_SZ        WIN95 RUNASADMIN
    C:\Users\Will\Downloads\daemon403.exeREG_SZ        WINXPSP2
    C:\Users\Will\Desktop\vidya\GAME\PROGRAMS\UNIVERS2\UNIVERSE.EXEREG_SZ        WIN95
    C:\Program Files (x86)\GOG\Necropolis\Necropolis.exeREG_SZ        HIGHDPIAWARE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers

Malwarebytes Anti-Malware Shell Extension Block Check:
======================================================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked:

MBAM Startup Entries:
=====================
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    Malwarebytes Anti-Malware (cleanup)REG_SZ        "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe" "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Malwarebytes Anti-Malware Service and Driver Status:
=======================================================

--------------Driver File Info:--------------
C:\Windows\system32\drivers\mbam.sys
File Size: 27008     BYTES    FileVersion: 0.1.16.0    MD5: [78bff5425e044086e74e78650a359fbb]
C:\Windows\system32\drivers\mwac.sys
File Size: 64896     BYTES    FileVersion: 1.0.6.0    MD5: [452acb7a9914398d9e18cccffcf92208]
C:\Windows\system32\drivers\mbamswissarmy.sys
File Size: 192216    BYTES    FileVersion: 0.3.0.4    MD5: [78488af2ab2111d67b3c4044707a519b]
C:\Windows\system32\drivers\mbamchameleon.sys
File Size: 140672    BYTES    FileVersion: 1.1.22.0    MD5: [1239597bab7eed2bb16d035af87e65d9]

--------------MBAMProtector:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMProtector
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A


--------------MBAMService:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMService
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A


--------------MBAMScheduler:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMScheduler
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A


--------------MBAMChameleon:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMChameleon
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A


--------------MBAMWebAccessControl:--------------
Type:                   N/A
State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MbamWebAccessControl
WIN32_EXIT_CODE:        N/A
SERVICE_EXIT_CODE:      N/A
CHECKPOINT:             N/A
WAIT_HINT:              N/A


Required Dependencies:
======================

--------------BFE:--------------
Type:                   32
State:                  4 (The service is running.)
WIN32_EXIT_CODE:        0
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
    DisplayName                   REG_SZ        @%SystemRoot%\system32\bfe.dll,-1001
    Group                         REG_SZ        NetworkProvider
    ImagePath                     REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
    Description                   REG_SZ        @%SystemRoot%\system32\bfe.dll,-1002
    ObjectName                    REG_SZ        NT AUTHORITY\LocalService
    ErrorControl                  REG_DWORD        1
    Start                         REG_DWORD        2
    Type                          REG_DWORD        32
    DependOnService               REG_MULTI_SZ    RpcSs

    ServiceSidType                REG_DWORD        3
    RequiredPrivileges            REG_MULTI_SZ    SeAuditPrivilege

    FailureActions                REG_BINARY    Binary Data

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters
    ServiceDll                    REG_EXPAND_SZ    %SystemRoot%\System32\bfe.dll
    ServiceDllUnloadOnStop        REG_DWORD        1
    ServiceMain                   REG_SZ        BfeServiceMain

--------------fltmgr:--------------
Type:                   2
State:                  4 (The service is running.) (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE:        0
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr
    AttachWhenLoaded              REG_DWORD        1
    DisplayName                   REG_SZ        @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
    Group                         REG_SZ        FSFilter Infrastructure
    ImagePath                     REG_EXPAND_SZ    system32\drivers\fltmgr.sys
    Description                   REG_SZ        @%SystemRoot%\system32\drivers\fltmgr.sys,-10000
    ErrorControl                  REG_DWORD        3
    Start                         REG_DWORD        0
    Tag                           REG_DWORD        1
    Type                          REG_DWORD        2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr\Enum
    0                             REG_SZ        Root\LEGACY_FLTMGR\0000
    Count                         REG_DWORD        1
    NextInstance                  REG_DWORD        1


C:\Windows\system32\drivers\fltmgr.sys
File Size: 289664    BYTES    FileVersion: 6.1.7601.17514    MD5: [da6b67270fd9db3697b20fce94950741]
C:\Windows\SysWOW64\mscomctl.ocx
File Size: 1081616   BYTES    FileVersion: 6.1.97.82    MD5: [ecc7d7f0d3446de36045d1d9e964fafe]
C:\Windows\SysWOW64\olepro32.dll
File Size: 90624     BYTES    FileVersion: 6.1.7601.23452    MD5: [307a6d4f7cd94e384ecff05afa30b42c]


MBAM Registry Settings and License Info:
========================================

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware
    ScanReboot                    REG_DWORD        1

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware (Trial)
    TrialId                           There is data here but it is hidden.
    StartDate                     REG_SZ        Sun, 05 Jan 2014 16:55:39 UTC
    EndDate                       REG_SZ        Sun, 19 Jan 2014 16:55:39 UTC

Scheduler Queue:
================


Pending File Rename Operations:
================================
If any Malwarebytes Anti-Malware items are listed below, the user must reboot to complete a Malwarebytes Anti-Malware upgrade installation.
Pending File Rename Operations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
    PendingFileRenameOperations    REG_MULTI_SZ    \??\C:\Program Files (x86)\Avira\AntiVir Desktop\aeoffice.dll.tmp



MBAMProtector Registry Values:
==============================



MBAMService Registry Values:
============================



MBAMScheduler Registry Values:
==============================



Terminal Services Status for (null) entries in PM logs and GetUserToken errors:
===============================================================================

--------------TERMService:--------------
Type:                   32
State:                  1 (The service is not running.) (State is stopped)
WIN32_EXIT_CODE:        1077
SERVICE_EXIT_CODE:      0
CHECKPOINT:             0
WAIT_HINT:              0


TermService Start is set to: 3 (Manual Startup)

Proxy Status: No proxy is Set

LAN Settings:
=============

No Settings are Set        <--NOT DETECTING SETTING AUTOMATICALLY

SystemPartition:
================

HKEY_LOCAL_MACHINE\SYSTEM\Setup\
    SystemPartition    REG_SZ        \Device\HarddiskVolume2

Balloon Tips Status:
====================

Enabled

Time Format Settings:
=====================

Should be:
        h:mm:ss tt
        AM
        PM
        :

Currently:
REG_SZ        h:mm:ss tt
REG_SZ        AM
REG_SZ        PM
REG_SZ        :

Language and Regional Settings:
===============================

ACP:     Language is English (United States)
MACCP:     Language is English (United States)
OEMCP:     Language is English (United States)

Startup Folders for Error_Expanding_Variables Check:
====================================================

All Users Startup Folder Exists.
Current User's Startup Folder Exists.



MBAM DLL's and Runtime Files:
=============================

MBAM Registry Settings and License Info (part 2):
==================================================

Context Menu Entries:
=====================

HKEY_CLASSES_ROOT\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt
    (Default):                    REG_SZ        {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\MBAMShlExt
    (Default):                    REG_SZ        {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt
    (Default):                    REG_SZ        MBAMShlExt Class
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CLSID
    (Default):                    REG_SZ        {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt\CurVer
    (Default):                    REG_SZ        MBAMExt.MBAMShlExt.1
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1
    (Default):                    REG_SZ        MBAMShlExt Class
HKEY_CLASSES_ROOT\MBAMExt.MBAMShlExt.1\CLSID
    (Default):                    REG_SZ        {57CE581A-0CB6-4266-9CA0-19364C90A0B3}


HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}
    (Default):                    REG_SZ        IMBAMShlExt
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\ProxyStubClsid32
    (Default):                    REG_SZ        {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib
    (Default):                    REG_SZ        {AFF1A83B-6C83-4342-8E68-1648DE06CB65}
    Version                       REG_SZ        1.0
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}
    (Default):                    REG_SZ        MBAMShlExt Class
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32
    (Default):                    REG_SZ        C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll
    ThreadingModel                REG_SZ        Apartment
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\ProgID
    (Default):                    REG_SZ        MBAMExt.MBAMShlExt.1
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\TypeLib
    (Default):                    REG_SZ        {AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\VersionIndependentProgID
    (Default):                    REG_SZ        MBAMExt.MBAMShlExt

HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0
    (Default):                    REG_SZ        MBAMExt 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32
    (Default):                    REG_SZ        C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS
    (Default):                    REG_SZ        0
HKEY_CLASSES_ROOT\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR
    (Default):                    REG_SZ        C:\Program Files (x86)\Malwarebytes Anti-Malware
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0
    (Default):                    REG_SZ        MBAMExt 1.0 Type Library
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\0\win32
    (Default):                    REG_SZ        C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS
    (Default):                    REG_SZ        0
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\HELPDIR
    (Default):                    REG_SZ        C:\Program Files (x86)\Malwarebytes Anti-Malware


List of MBAM Related Directories:
=================================

===============================================================
END OF FILE

TDSSKiller did not detect anything

 

AdwClean

 

# AdwCleaner v6.020 - Logfile created 20/09/2016 at 15:49:48
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-09-20.3 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Will - MATILDA
# Running from : C:\Users\Will\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****



***** [ Folders ] *****
[-] Folder deleted: C:\Users\Will\AppData\Local\PackageAware
[-] Folder deleted: C:\ProgramData\TweakBit
[#] Folder deleted on reboot: C:\ProgramData\Application Data\TweakBit

***** [ Files ] *****

[-] File deleted: C:\Users\Will\AppData\Roaming\Mozilla\Firefox\Profiles\narokiey.default\invalidprefs.js


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\Prod.cap
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Prod.cap
[-] Key deleted: HKU\S-1-5-21-163132115-2702653666-3163263229-1000\Software\Softonic
[-] Key deleted: HKU\S-1-5-21-163132115-2702653666-3163263229-1000\Software\YahooPartnerToolbar
[#] Key deleted on reboot: HKCU\Software\Softonic
[#] Key deleted on reboot: HKCU\Software\YahooPartnerToolbar
[-] Key deleted: HKLM\SOFTWARE\TWEAKBIT
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}
[-] Key deleted: HKLM\SOFTWARE\CLIENTS\News
[#] Key deleted on reboot: [x64] HKCU\Software\Softonic
[#] Key deleted on reboot: [x64] HKCU\Software\YahooPartnerToolbar
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\CLIENTS\News
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\StartupReg\NextLive
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd


***** [ Web browsers ] *****

[-] Chrome preferences cleaned: "extensions.buenosearch.admin" -  false
[-] Chrome preferences cleaned: "extensions.buenosearch.aflt" -  "babsst"
[-] Chrome preferences cleaned: "extensions.buenosearch.appId" -  "{37EB75F2-7392-4DBE-B5AD-147EC6D7BF5F}"
[-] Chrome preferences cleaned: "extensions.buenosearch.autoRvrt" -  "false"
[-] Chrome preferences cleaned: "extensions.buenosearch.dfltLng" -  "en"
[-] Chrome preferences cleaned: "extensions.buenosearch.excTlbr" -  false
[-] Chrome preferences cleaned: "extensions.buenosearch.ffxUnstlRst" -  true
[-] Chrome preferences cleaned: "extensions.buenosearch.id" -  "8c1c718d0000000000002a7c8f270784"
[-] Chrome preferences cleaned: "extensions.buenosearch.instlDay" -  "16065"
[-] Chrome preferences cleaned: "extensions.buenosearch.instlRef" -  "sst"
[-] Chrome preferences cleaned: "extensions.buenosearch.newTab" -  false
[-] Chrome preferences cleaned: "extensions.buenosearch.prdct" -  "buenosearch"
[-] Chrome preferences cleaned: "extensions.buenosearch.prtnrId" -  "buenosearch"
[-] Chrome preferences cleaned: "extensions.buenosearch.rvrt" -  "false"
[-] Chrome preferences cleaned: "extensions.buenosearch.smplGrp" -  "none"
[-] Chrome preferences cleaned: "extensions.buenosearch.tb_url" -  "hxxp://www.buenosearch.com/?q={searchTerms}&babsrc=TB_ss&mntrId=8C1C2A7C8F270784&affID=128235&tsp=5108"
[-] Chrome preferences cleaned: "extensions.buenosearch.tlbrId" -  "base"
[-] Chrome preferences cleaned: "extensions.buenosearch.tlbrSrchUrl" -  "hxxp://www.buenosearch.com/?q={searchTerms}&babsrc=TB_ss&mntrId=8C1C2A7C8F270784&affID=128235&tsp=5108"
[-] Chrome preferences cleaned: "extensions.buenosearch.vrsn" -  "1.8.28.7"
[-] Chrome preferences cleaned: "extensions.buenosearch.vrsnTs" -  "1.8.28.718:36:16"
[-] Chrome preferences cleaned: "extensions.buenosearch.vrsni" -  "1.8.28.7"
[-] Chrome preferences cleaned: "extensions.smarterwiki.search_surfcanyon" -  false
[-] Chrome preferences cleaned: "extensions.buenosearch.id" -  "8c1c718d0000000000002a7c8f270784"
[-] Chrome preferences cleaned: "extensions.buenosearch.appId" -  "{37EB75F2-7392-4DBE-B5AD-147EC6D7BF5F}"
[-] Chrome preferences cleaned: "extensions.buenosearch.instlDay" -  "16065"
[-] Chrome preferences cleaned: "extensions.buenosearch.vrsn" -  "1.8.28.7"
[-] Chrome preferences cleaned: "extensions.buenosearch.vrsni" -  "1.8.28.7"
[-] Chrome preferences cleaned: "extensions.buenosearch.vrsnTs" -  "1.8.28.718:36:16"
[-] Chrome preferences cleaned: "extensions.buenosearch.prtnrId" -  "buenosearch"
[-] Chrome preferences cleaned: "extensions.buenosearch.prdct" -  "buenosearch"
[-] Chrome preferences cleaned: "extensions.buenosearch.aflt" -  "babsst"
[-] Chrome preferences cleaned: "extensions.buenosearch.smplGrp" -  "none"
[-] Chrome preferences cleaned: "extensions.buenosearch.tlbrId" -  "base"
[-] Chrome preferences cleaned: "extensions.buenosearch.instlRef" -  "sst"
[-] Chrome preferences cleaned: "extensions.buenosearch.dfltLng" -  "en"
[-] Chrome preferences cleaned: "extensions.buenosearch.excTlbr" -  false
[-] Chrome preferences cleaned: "extensions.buenosearch.ffxUnstlRst" -  true
[-] Chrome preferences cleaned: "extensions.buenosearch.admin" -  false
[-] Chrome preferences cleaned: "extensions.buenosearch.autoRvrt" -  "false"
[-] Chrome preferences cleaned: "extensions.buenosearch.rvrt" -  "false"
[-] Chrome preferences cleaned: "extensions.buenosearch.newTab" -  false


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [5464 Bytes] - [20/09/2016 15:49:48]
C:\AdwCleaner\AdwCleaner[S0].txt - [8537 Bytes] - [20/09/2016 15:48:03]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [5610 Bytes] ##########

ESET, which caught something that I knew about and was fine with, but I'd rather it get everything worrisome than miss something dangerous

 

C:\FRST\Quarantine\C\Program Files (x86)\Windows Network Accelerater\v3\vxmclient.exe    a variant of Win32/Adware.Dowsserve.E application    cleaned by deleting
C:\FRST\Quarantine\C\Program Files (x86)\Windows Network Accelerater\v3\winvxm.exe    a variant of Win32/Adware.Dowsserve.C application    cleaned by deleting
C:\FRST\Quarantine\C\Program Files (x86)\Windows Network Accelerater\v5\winvxm.exe    a variant of Win32/Adware.Dowsserve.C application    cleaned by deleting
C:\FRST\Quarantine\C\ProgramData\InstallMate\{D91987AD-2C8E-4F5F-ADB4-64AC02FAA55B}\_Setupx.dll    a variant of Win32/InstalleRex.T potentially unwanted application    cleaned by deleting
C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting (after the next restart)
C:\Program Files (x86)\Avira\AntiVir Desktop\apnstub.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    cleaned by deleting (after the next restart)
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting (after the next restart)
C:\Program Files (x86)\Cheat Engine 6.5.1\standalonephase1.dat    a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application    cleaned by deleting
C:\Program Files (x86)\uTorrent\uTorrent.exe    a variant of Win32/Bunndle potentially unsafe application    cleaned by deleting
C:\Users\Will\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1OFDK9ES\svchost[1].exe    Win64/CoinMiner.J trojan    cleaned by deleting
C:\Users\Will\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\38L30PQM\lsass[1].exe    Win64/CoinMiner.J trojan    cleaned by deleting
C:\Users\Will\Desktop\vidya\Gametools\S&All Stars RT DELTA10FY.EXE    a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application    cleaned by deleting
C:\Windows\System32\config\systemprofile\AppData\Roaming\Origin\update.vbe    VBS/Kryptik.DC trojan    cleaned by deleting


#4 dc3

dc3

    Bleeping Treehugger

  • Members
  • 30,757 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 21 September 2016 - 07:46 AM

Please download Emsisoft Emergency Kit and save it to your desktop.

Double click on the Emsisoft Emergency Kit file on your desktop.

When the installation starts you see an image like the one below, click on Install.

The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.

When the update is complete, click on MALWARE SCAN under Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes.

Emsisoft Emergency Kit will start scanning.

When the scan is completed click on Quarantine.

When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad. Copy the log and paste it in your topic.

Please save the log in Notepad on your desktop, and post the contents in your next reply.

  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

  • Edited by dc3, 21 September 2016 - 07:50 AM.

    Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


    #5 pidjinn

    pidjinn
    • Topic Starter

    • Members
    • 13 posts

    Posted 21 September 2016 - 10:51 PM

    Emsisoft Emergency Kit - Version 11.9
    Last update: 9/21/2016 10:28:04 PM
    User account: Matilda\Will
    Computer name: MATILDA
    OS version: Windows 7x64 Service Pack 1

    Scan settings:

    Scan type: Malware Scan
    Objects: Rootkits, Memory, Traces, Files

    Detect PUPs: On
    Scan archives: Off
    ADS Scan: On
    File extension filter: Off
    Advanced caching: On
    Direct disk access: Off

    Scan start:    9/21/2016 10:29:38 PM
    C:\Users\Will\AppData\Roaming\getrighttogo     detected: Application.AppInstall (A)

    Scanned    94977
    Found    1

    Scan end:    9/21/2016 10:50:48 PM
    Scan time:    0:21:10

    C:\Users\Will\AppData\Roaming\getrighttogo     Application.AppInstall (A)

    Quarantined    1


    #6 dc3

    dc3

      Bleeping Treehugger

    • Members
    • 30,757 posts
    • Gender:Male
    • Location:Sierra Foothills of Northern Ca.

    Posted 22 September 2016 - 08:57 AM

    How is the computer running now?


    #7 pidjinn

    pidjinn
    • Topic Starter

    • Members
    • 13 posts

    Posted 22 September 2016 - 01:58 PM

    Everything would load slowly, from games to videos to websites, stuff that normally worked fine. I'm reasonably sure it had to do with the fake svchost in my temp folder which was taking high CPU usage in task manager.
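As an added illustration of the finding above (a fake svchost in a temp folder) and of the svchost[1].exe and lsass[1].exe entries in the ESET log earlier in the thread, not code from anyone in this thread: a small Python check that flags processes whose name matches a core Windows binary but whose image path lies outside the directory that binary legitimately runs from. The process list, the PIDs and the Temp path are constructed sample data.

```python
import ntpath
import re

# Core Windows binaries that malware commonly masquerades as, each with the only
# directories it legitimately runs from (paths are compared case-insensitively).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
}

# Browser caches append "[N]" before the extension (svchost[1].exe in the ESET log);
# strip it so a cached copy is still recognised by the system name it imitates.
CACHE_SUFFIX = re.compile(r"\[\d+\](?=\.[^.]+$)")


def canonical_name(filename: str) -> str:
    """Lower-case the file name and drop a trailing [N] cache suffix."""
    return CACHE_SUFFIX.sub("", filename).lower()


def find_masquerading(processes):
    """Return (pid, path, reason) for each process in an iterable of
    (pid, full image path) pairs that reuses a system binary's name from a
    directory where that binary never legitimately lives."""
    findings = []
    for pid, path in processes:
        directory, filename = ntpath.split(path)
        name = canonical_name(filename)
        if name not in EXPECTED_DIRS:
            continue
        directory = ntpath.normpath(directory).lower()  # folds "..\" and case
        if directory not in EXPECTED_DIRS[name]:
            findings.append((pid, path, f"{name} running from {directory}"))
    return findings


# Constructed sample process list (PIDs and the Temp path are made up); on a live
# host the pairs would come from tasklist /v, Get-Process, or psutil.
SAMPLE_PROCESSES = [
    (592, r"C:\Windows\System32\svchost.exe"),
    (1840, r"C:\Users\Will\AppData\Local\Temp\svchost.exe"),
    (2212, r"C:\Users\Will\AppData\Local\Microsoft\Windows\Temporary Internet Files"
           r"\Content.IE5\1OFDK9ES\svchost[1].exe"),
    (488, r"C:\Windows\System32\lsass.exe"),
    (3104, r"C:\Program Files (x86)\uTorrent\uTorrent.exe"),
]

if __name__ == "__main__":
    for pid, path, reason in find_masquerading(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}\n    {path}")
```

A hit from this check is a reason to look at the file's signature and creation time, as the original poster did, not proof of infection on its own.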



