svchost taking 50% CPU please help me


  • This topic is locked
16 replies to this topic

#1 helpmepleasezz

helpmepleasezz

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 29 November 2016 - 11:44 AM

So even when offline and online, when I run TCPEye / CommView I see no outgoing IPs, but it still takes 50% of CPU usage and I don't know why. I think I might be infected.

This is the FRST log as requested.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-11-2016
Ran by Vegeta (administrator) on VEGETA (29-11-2016 19:37:00)
Running from C:\Users\Vegeta\Desktop
Loaded Profiles: Vegeta (Available Profiles: Vegeta)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: Arabic (Saudi Arabia)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
() C:\Program Files\EagleGet\EGMonitor.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer_Service.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(SHADOWDEFENDER.COM) C:\Program Files\Shadow Defender\DefenderDaemon.exe
(QFX Software Corporation) C:\Program Files\KeyScrambler\KeyScrambler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Valve Corporation) D:\Steam\Steam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(EagleGet.com) C:\Program Files\EagleGet\EagleGet.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Valve Corporation) D:\Steam\bin\cef\cef.winxp\steamwebhelper.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Launch LCore] => C:\Program Files\Logitech Gaming Software\LCore.exe [7936280 2014-07-03] (Logitech Inc.)
HKLM\...\Run: [Shadow Defender Daemon] => C:\Program Files\Shadow Defender\DefenderDaemon.exe [221880 2015-09-08] (SHADOWDEFENDER.COM)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642304 2013-04-30] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [AMD AVT] => Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files\AMD AVT\bin\kdbsync.exe" aml
HKLM\...\Run: [KeyScrambler] => C:\Program Files\KeyScrambler\keyscrambler.exe [515600 2016-08-01] (QFX Software Corporation)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2650576 2016-11-15] (Malwarebytes Corporation)
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\...\Run: [Steam] => D:\Steam\steam.exe [2860832 2016-10-13] (Valve Corporation)
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6602152 2015-11-16] (Piriform Ltd)
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\...\Run: [eagleget_setup] => C:\Users\Vegeta\AppData\Local\Temp\is-A9CN6.tmp\eagleget_setup.tmp -V <===== ATTENTION
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\...\Run: [EagleGet] => C:\Program Files\EagleGet\EagleGet.exe [1946800 2016-10-13] (EagleGet.com)
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [10240 2009-07-14] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\StartupFaster [2013-05-03] ()
GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 0.0.0.0
Tcpip\..\Interfaces\{38841448-2F0C-4B5F-973B-CAE0B37BAB33}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{E0147624-ADC9-4714-828A-AC3D8E498734}: [DhcpNameServer] 192.168.1.1 0.0.0.0

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://arabiatx2.travian.com/
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: EGet Class -> {1E871FF8-029C-4732-8AA7-39E3D3872057} -> C:\Program Files\EagleGet\eagleSniffer.dll [2016-10-13] (EagleGet.com)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2016-05-27] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2016-06-14] (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
DPF: {CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2016-05-17] (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Vegeta\AppData\Roaming\Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 [2016-11-29]
FF Session Restore: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> is enabled.
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> backup.ftp", "69.65.41.165"
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> backup.ftp_port", 65535
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> backup.socks", "69.65.41.165"
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> backup.socks_port", 65535
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> backup.ssl", "69.65.41.165"
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> backup.ssl_port", 65535
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> ftp", " 176.31.99.80 "
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> ftp_port", 2222
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> http", " 176.31.99.80 "
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> http_port", 2222
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> share_proxy_settings", true
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> socks", " 176.31.99.80 "
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> socks_port", 2222
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> ssl", " 176.31.99.80 "
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> ssl_port", 2222
FF NetworkProxy: Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323 -> type", 0
FF Extension: (EagleGet Free Downloader) - C:\Users\Vegeta\AppData\Roaming\Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323\Extensions\eagleget_ffext@eagleget.com.xpi [2016-10-24]
FF Extension: (British English Dictionary (Updated)) - C:\Users\Vegeta\AppData\Roaming\Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323\Extensions\en-gb@flyingtophat.co.uk [2015-09-22] [not signed]
FF Extension: (KProxy Extension) - C:\Users\Vegeta\AppData\Roaming\Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323\Extensions\jid1-XgC5trUcILmXBw@jetpack.xpi [2016-09-30]
FF Extension: (Adblock Plus) - C:\Users\Vegeta\AppData\Roaming\Mozilla\Firefox\Profiles\dunqrz4j.default-1430075811323\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-24]
FF HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files\Internet Download Manager\idmmzcc2.xpi => not found
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\travian.txt [2014-10-01]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-26] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-11-18] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin: @ngm.nexoneu.com/NxGame -> C:\ProgramData\NexonEU\NGM\npNxGameeu.dll [No File]
FF Plugin: @ogplanet.com/npOGPPlugin -> C:\Windows\system32\npOGPPlugin.dll [2009-11-18] (OGPlanet)
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-08-04] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: @onlive.com/OnLiveGameClientDetector,version=1.0.0 -> C:\Program Files\OnLive\Plugin\npolgdet.dll [No File]
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: @tools.google.com/Google Update;version=3 -> C:\Users\Vegeta\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Vegeta\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-06-11] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: BalancedWorlds.com/WebLauncher -> C:\Users\Vegeta\AppData\Local\Balanced Worlds\BWGameEngine\npWebLauncher.dll [No File]
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: eagleget.com/EagleGet32 -> C:\Program Files\EagleGet\npEagleget.dll [2016-08-01] (EagleGet)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-11-18] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2016-10-01] (Adobe Systems Inc.)

Chrome:
=======
CHR DefaultProfile: Profile 6
CHR Session Restore: Profile 6 -> is enabled.
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\54.0.2840.71\PepperFlash\pepflashplayer.dll => No File
CHR Profile: C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6 [2016-11-29]
CHR Extension: (Google Drive) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-14]
CHR Extension: (YouTube) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-14]
CHR Extension: (Adblock Plus) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-11-21]
CHR Extension: (Google Search) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-03-28]
CHR Extension: (EagleGet Free Downloader) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\kaebhgioafceeldhgjmendlfhbfjefmo [2016-10-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-14]
CHR Extension: (Gmail) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-21]
CHR HKLM\...\Chrome\Extension: [hlfeafapmnniobpffacckpddijdjgpmj] - C:\Program Files\iSkysoft\Video Converter Ultimate\SVRChromePlugin.crx <not found>
CHR HKLM\...\Chrome\Extension: [kaebhgioafceeldhgjmendlfhbfjefmo] - C:\Program Files\EagleGet\addon\eagleget_cext@eagleget.com.crx [2016-10-24]
CHR HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kaebhgioafceeldhgjmendlfhbfjefmo] - C:\Program Files\EagleGet\addon\eagleget_cext@eagleget.com.crx [2016-10-24]
StartMenuInternet: Google Chrome.Vegeta - C:\Users\Vegeta\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 egGetSvc; C:\Program Files\EagleGet\EGMonitor.exe [247472 2016-10-13] ()
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2166040 2016-11-14] (ESET)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [13824 2009-07-14] (Microsoft Corporation)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [155600 2016-11-15] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S4 npggsvc; C:\Windows\system32\GameMon.des [3953632 2012-03-06] (INCA Internet Co., Ltd.) [File not signed]
S4 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75136 2013-06-13] ()
S4 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [107832 2013-06-13] ()
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [134664 2014-10-14] (Sandboxie Holdings, LLC)
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [5495056 2015-06-18] (TeamViewer GmbH)
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27768 2012-10-22] (VIA Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
S2 {0CBD4F48-3751-475D-BE88-4F271385B672}; C:\Program Files\Shadow Defender\Service.exe [72888 2015-09-08] (SHADOWDEFENDER.COM)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 CV2K1; C:\Windows\System32\DRIVERS\cv2k1.sys [19560 2012-10-06] (TamoSoft)
R0 diskpt; C:\Windows\System32\drivers\diskpt.sys [335672 2015-09-08] (SHADOWDEFENDER.COM)
R3 eagleGet; C:\Windows\System32\Drivers\eagleGet.sys [62064 2016-10-07] (eagleGet)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [206472 2016-11-14] (ESET)
R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [154288 2016-05-12] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [156288 2016-11-14] (ESET)
R2 ekbdflt; C:\Windows\System32\DRIVERS\ekbdflt.sys [122496 2016-11-14] (ESET)
R1 epfw; C:\Windows\System32\DRIVERS\epfw.sys [162952 2016-11-14] (ESET)
R1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [52872 2016-11-14] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [71304 2016-11-14] (ESET)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [59968 2016-11-15] ()
S3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2009-03-18] (LogMeIn, Inc.)
R3 KeyScrambler; C:\Windows\System32\drivers\keyscrambler.sys [211536 2015-08-18] (QFX Software Corporation)
R3 LGBusEnum; C:\Windows\System32\drivers\LGBusEnum.sys [19720 2009-11-24] (Logitech Inc.)
R3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [39960 2013-05-30] (Logitech Inc.)
R3 LGSUsbFilt; C:\Windows\System32\DRIVERS\LGSUsbFilt.Sys [29976 2013-05-30] (Logitech Inc.)
R3 LGVirHid; C:\Windows\System32\drivers\LGVirHid.sys [14856 2009-11-24] (Logitech Inc.)
S3 LUsbFilt; C:\Windows\System32\Drivers\LUsbFilt.Sys [30360 2011-09-02] (Logitech, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [170200 2016-11-29] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [53120 2016-03-10] (Malwarebytes Corporation)
S3 MotioninJoyXFilter; C:\Windows\System32\DRIVERS\MijXfilt.sys [95304 2012-03-25] (MotioninJoy) [File not signed]
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [161288 2014-10-14] (Sandboxie Holdings, LLC)
R0 speedfan; C:\Windows\System32\speedfan.sys [25240 2011-03-18] (Almico Software)
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [26624 2012-05-10] (The OpenVPN Project)
S3 TsVlb; C:\Windows\System32\DRIVERS\tsvlb.sys [20072 2012-10-06] (TamoSoft)
R1 TsVp; C:\Windows\System32\DRIVERS\tsvp.sys [23696 2012-10-06] (TamoSoft)
S3 VASDeviceDrm; C:\Windows\System32\drivers\vasdDev.sys [1451312 2012-03-19] (ShiningMorning Inc.)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1841272 2012-10-22] (VIA Technologies, Inc.)
S3 catchme; \??\C:\Users\Vegeta\AppData\Local\Temp\catchme.sys [X]
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 ECSIoDriver_1_1_0_0; \??\C:\Program Files\ECS Motherboard Utility\eDLU\ECSIoDriver.sys [X]
S3 FreshIO; \??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [X]
S3 MemAccDrv32; \??\F:\Install\Drivers\MemAccDrv32.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S3 TEAM; system32\DRIVERS\RtTeam60.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 XDva425; \??\C:\Windows\system32\XDva425.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-29 19:37 - 2016-11-29 19:39 - 00020306 _____ C:\Users\Vegeta\Desktop\FRST.txt
2016-11-29 19:36 - 2016-11-27 19:58 - 01760768 _____ (Farbar) C:\Users\Vegeta\Desktop\FRST.exe
2016-11-29 16:01 - 2016-11-29 19:37 - 00000000 ____D C:\FRST
2016-11-26 22:40 - 2016-11-26 22:40 - 00000000 ____D C:\ProgramData\Riot Games
2016-11-26 22:35 - 2016-11-26 22:35 - 00000000 ____D C:\Riot Games
2016-11-26 22:31 - 2016-11-26 22:37 - 00000000 ____D C:\Users\Vegeta\AppData\Roaming\Riot Games
2016-11-21 19:25 - 2016-11-21 19:25 - 00000000 ____D C:\Users\Vegeta\Documents\Camtasia Studio
2016-11-21 19:21 - 2016-11-21 19:21 - 00000000 ____D C:\Users\Vegeta\.cache
2016-11-18 12:38 - 2016-11-29 19:09 - 00000000 ____D C:\Users\Vegeta\AppData\LocalLow\Mozilla
2016-11-17 23:30 - 2016-11-18 12:38 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-11-15 00:47 - 2016-11-15 00:47 - 00143104 _____ C:\Windows\Minidump\111516-23212-01.dmp
2016-11-14 04:23 - 2016-11-14 04:23 - 00122496 _____ (ESET) C:\Windows\system32\Drivers\ekbdflt.sys
2016-11-05 10:29 - 2016-11-05 10:29 - 00143104 _____ C:\Windows\Minidump\110516-32682-01.dmp
2016-11-03 07:47 - 2016-11-03 07:47 - 00000000 ____D C:\Users\Vegeta\AppData\Local\dummy.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-29 19:37 - 2014-10-14 14:06 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-11-29 19:16 - 2012-06-08 22:32 - 00000000 ____D C:\ProgramData\TEMP
2016-11-29 19:07 - 2013-08-04 05:16 - 00000000 ____D C:\Program Files\CommView
2016-11-29 16:25 - 2009-07-14 07:34 - 00014544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-11-29 16:25 - 2009-07-14 07:34 - 00014544 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-11-29 16:18 - 2009-07-14 05:37 - 00000000 ____D C:\Windows\system32\inetsrv
2016-11-29 16:15 - 2009-07-14 07:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-11-28 23:58 - 2009-07-14 07:53 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-11-28 20:40 - 2014-10-17 17:57 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2016-11-27 20:15 - 2016-10-10 22:37 - 00002503 _____ C:\Users\Vegeta\Desktop\movies to watch.txt
2016-11-27 11:57 - 2012-11-29 22:43 - 00000000 ____D C:\Users\Vegeta\AppData\Roaming\LolClient
2016-11-26 09:16 - 2014-07-02 07:34 - 00002147 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-11-26 09:16 - 2014-07-02 07:34 - 00002135 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-11-26 09:04 - 2012-06-08 21:14 - 00000000 ____D C:\Windows\system32\Macromed
2016-11-21 20:10 - 2009-07-14 05:37 - 00000000 ____D C:\Windows\system32\NDF
2016-11-21 20:09 - 2016-07-25 19:01 - 00000000 ____D C:\Users\Vegeta\AppData\Local\ElevatedDiagnostics
2016-11-21 19:21 - 2012-06-09 00:57 - 00000000 ____D C:\Users\Vegeta
2016-11-21 16:07 - 2016-03-18 21:08 - 00000000 ____D C:\Users\Vegeta\AppData\Local\Popcorn-Time
2016-11-20 10:22 - 2014-12-09 07:27 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-11-16 15:51 - 2014-08-29 13:18 - 00000000 ____D C:\Program Files\Common Files\Steam
2016-11-16 06:52 - 2014-10-17 17:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2016-11-16 06:52 - 2014-10-17 17:56 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2016-11-15 00:47 - 2016-09-14 02:55 - 212566913 _____ C:\Windows\MEMORY.DMP
2016-11-15 00:47 - 2012-12-11 00:20 - 00000000 ____D C:\Windows\Minidump
2016-11-14 23:45 - 2009-07-14 05:37 - 00000000 ____D C:\Windows\inf
2016-11-14 04:22 - 2016-05-12 10:48 - 00052872 _____ (ESET) C:\Windows\system32\Drivers\EpfwLWF.sys
2016-11-14 04:22 - 2015-07-13 07:14 - 00206472 _____ (ESET) C:\Windows\system32\Drivers\eamonm.sys
2016-11-14 04:22 - 2015-07-13 07:14 - 00162952 _____ (ESET) C:\Windows\system32\Drivers\epfw.sys
2016-11-14 04:22 - 2015-07-13 07:14 - 00156288 _____ (ESET) C:\Windows\system32\Drivers\ehdrv.sys
2016-11-14 04:22 - 2015-07-13 07:14 - 00071304 _____ (ESET) C:\Windows\system32\Drivers\epfwwfp.sys
2016-11-11 03:27 - 2012-06-21 15:20 - 00000000 ____D C:\Users\Vegeta\AppData\Local\CrashDumps
2016-11-10 08:13 - 2009-07-14 07:46 - 00001515 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-11-05 04:38 - 2015-08-04 02:24 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-10-30 12:29 - 2012-06-08 22:46 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

==================== Files in the root of some directories =======

2012-09-23 04:53 - 2013-06-13 20:50 - 0022328 _____ () C:\Users\Vegeta\AppData\Roaming\PnkBstrK.sys
2014-07-14 01:48 - 2014-10-01 19:27 - 0000600 _____ () C:\Users\Vegeta\AppData\Roaming\winscp.rnd
2013-09-20 10:10 - 2013-09-20 10:10 - 0156976 _____ () C:\Users\Vegeta\AppData\Local\ars.cache
2013-09-20 10:23 - 2013-09-20 10:23 - 23832201 _____ () C:\Users\Vegeta\AppData\Local\census.cache
2012-10-28 00:46 - 2015-07-07 02:24 - 0004096 _____ () C:\Users\Vegeta\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-08-18 03:16 - 2013-08-18 03:16 - 0000036 _____ () C:\Users\Vegeta\AppData\Local\housecall.guid.cache
2014-02-23 19:54 - 2014-07-14 02:35 - 0000600 _____ () C:\Users\Vegeta\AppData\Local\PUTTY.RND
2012-09-28 07:44 - 2015-10-19 22:37 - 0007606 _____ () C:\Users\Vegeta\AppData\Local\Resmon.ResmonCfg
2015-03-07 21:55 - 2015-01-06 21:55 - 0000032 ____R () C:\ProgramData\hash.dat
2014-02-04 00:18 - 2014-02-04 01:32 - 0000354 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
2014-02-04 00:31 - 2014-02-04 00:31 - 0000094 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

Files to move or delete:
====================
C:\ProgramData\hash.dat
C:\Users\Default\NTUSER (2).DAT


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2012-06-09 00:21

==================== End of FRST.txt ============================
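Editor's added example (not part of the original post, and not something FRST produces): two checks a responder would run on this log before anything else. The first maps every svchost.exe instance to the services it hosts and reports the CPU seconds each instance has consumed, so "svchost at 50%" can be tied to a named service; the figure is cumulative since process start, so run it twice a minute apart and watch which instance grows. The second reads the network.proxy.* preferences out of every Firefox profile, because the log above shows them pointing at 176.31.99.80:2222 and 69.65.41.165:65535 alongside a KProxy extension. Note that network.proxy.type is 0 in that log, which in Firefox means "no proxy", so those entries are configured but not active; they still deserve a look. The script assumes the stock PowerShell 2.0 of Windows 7 (hence Get-WmiObject and New-Object rather than newer cmdlets) and an elevated prompt; paths and profile layout are the standard ones, not taken from any other source.

```powershell
# Added example; not from the thread or from FRST. Run in an elevated PowerShell.
# 1) Map each svchost.exe instance to the services it hosts, with CPU seconds used,
#    so a busy instance can be tied to a specific service.
# 2) List the Firefox network.proxy.* preferences that the FRST log surfaced.
# Uses Get-WmiObject and New-Object so it also runs on the stock PowerShell 2.0 of Windows 7.

function Get-SvchostServiceMap {
    # The service control manager knows which PID each running service lives in.
    $byPid = @{}
    foreach ($svc in (Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 })) {
        $id = [int]$svc.ProcessId
        if (-not $byPid.ContainsKey($id)) { $byPid[$id] = @() }
        $byPid[$id] += $svc.Name
    }
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Sort-Object CPU -Descending |
        ForEach-Object {
            # CPU is cumulative processor time in seconds since the process started.
            $cpu = if ($_.CPU) { [math]::Round($_.CPU, 1) } else { 0 }
            New-Object PSObject -Property @{
                PID      = $_.Id
                CPUsec   = $cpu
                Services = ($byPid[[int]$_.Id] -join ', ')
                Path     = $_.Path   # expect C:\Windows\System32\svchost.exe; anything else is suspect
            }
        }
}

function Get-FirefoxProxyPrefs {
    # Each profile's prefs.js stores lines like: user_pref("network.proxy.http", "host");
    $root = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem $root -Recurse -Filter prefs.js | ForEach-Object {
        $profileName = $_.Directory.Name
        foreach ($line in (Get-Content $_.FullName)) {
            if ($line -match '^user_pref\("(network\.proxy\.[^"]+)",\s*(.+)\);') {
                New-Object PSObject -Property @{
                    Profile = $profileName
                    Pref    = $matches[1]
                    Value   = $matches[2].Trim('"', ' ')   # strip quotes and the stray spaces seen in the log
                }
            }
        }
    }
}

Get-SvchostServiceMap | Format-Table PID, CPUsec, Services, Path -AutoSize
Get-FirefoxProxyPrefs  | Format-Table Profile, Pref, Value -AutoSize
```

If one svchost instance dominates and hosts several services, stop them one at a time (sc stop <name>) and re-run the first function to see which one was burning the CPU; a svchost.exe whose Path is not under System32, or one hosting a service name that does not appear in the FRST Services section, is the thing to investigate first.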


#2 helpmepleasezz

helpmepleasezz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 30 November 2016 - 03:34 AM

bump



#3 helpmepleasezz

helpmepleasezz
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 02 December 2016 - 08:10 AM

Bump day 3 please help



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,946 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:47 AM

Posted 03 December 2016 - 09:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This version of EagleGet may be problematic.
EagleGet version 2.0.4.16 (HKLM\...\{F6D8142A-B30B-454B-9EE0-08A7B997DFE4}_is1) (Version: 2.0.4.16 - EagleGet)

I suggest you send the file to VirusTotal for analysis.
https://www.virustotal.com/

If found to be compromised, remove it using the Control Panel > Programs > Programs and Features.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
DPF: {CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin: @ngm.nexoneu.com/NxGame -> C:\ProgramData\NexonEU\NGM\npNxGameeu.dll [No File]
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: @onlive.com/OnLiveGameClientDetector,version=1.0.0 -> C:\Program Files\OnLive\Plugin\npolgdet.dll [No File]
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: @tools.google.com/Google Update;version=3 -> C:\Users\Vegeta\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: BalancedWorlds.com/WebLauncher -> C:\Users\Vegeta\AppData\Local\Balanced Worlds\BWGameEngine\npWebLauncher.dll [No File]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\54.0.2840.71\PepperFlash\pepflashplayer.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-14]
CHR Extension: (Chrome Media Router) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-21]
CHR HKLM\...\Chrome\Extension: [hlfeafapmnniobpffacckpddijdjgpmj] - C:\Program Files\iSkysoft\Video Converter Ultimate\SVRChromePlugin.crx <not found>
S3 catchme; \??\C:\Users\Vegeta\AppData\Local\Temp\catchme.sys [X]
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 ECSIoDriver_1_1_0_0; \??\C:\Program Files\ECS Motherboard Utility\eDLU\ECSIoDriver.sys [X]
S3 FreshIO; \??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [X]
S3 MemAccDrv32; \??\F:\Install\Drivers\MemAccDrv32.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S3 TEAM; system32\DRIVERS\RtTeam60.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 XDva425; \??\C:\Windows\system32\XDva425.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
Task: {BECDE5BB-83CA-45D8-888E-959A56F7681B} - System32\Tasks\0614iUpdateInfo => C:\ProgramData\Avg_Update_0614i\0614i_AVG-Secure-Search-Update.exe [2014-07-02] ()
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [350]
AlternateDataStreams: C:\ProgramData\TEMP:24051EFF [116]
AlternateDataStreams: C:\ProgramData\TEMP:5F7539FF [95]
AlternateDataStreams: C:\ProgramData\TEMP:737FFF57 [316]
FirewallRules: [{4ABA02B2-5C21-492C-B9C4-53CB8FAAFB31}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{61848645-4845-4E48-91F9-261FF59FEF3E}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
C:\Program Files\KMSpico

reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

HijackThis is no longer supported and not ready for your operating system.
I suggest you remove it via the Control Panel > Programs > Programs and Features applet.
Use the Farbar tool from now on to report problems.

HiJackThis (HKLM\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)

How is the computer running now?

#5 helpmepleasezz (Topic Starter, Members, 10 posts)

Posted 03 December 2016 - 11:31 AM

This is a famous free internet file downloader and is as fast as IDM. I used it since it's free and as popular as IDM.

I haven't updated it, but here is the scan: https://www.virustotal.com/en/file/7206c8a34d7abdf8447225728e3dbc96c52135f9314b2d3dac15bf206dd829c1/analysis/1480781597/

I updated it now to 2.0.4.18 and deleted HijackThis.

Also, about the svchost: I've found it's because of wuauserv and winmgmt. I stopped both services and now it seems to be low in CPU usage.

Farbar needed an update before the fix, but I didn't update it, if that influences anything. Anyway, here's the log:

Fix result of Farbar Recovery Scan Tool (x86) Version: 27-11-2016
Ran by Vegeta (03-12-2016 19:19:01) Run:2
Running from C:\Users\Vegeta\Desktop
Loaded Profiles: Vegeta (Available Profiles: Vegeta)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction ? <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
DPF: {CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin: @ngm.nexoneu.com/NxGame -> C:\ProgramData\NexonEU\NGM\npNxGameeu.dll [No File]
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: @onlive.com/OnLiveGameClientDetector,version=1.0.0 -> C:\Program Files\OnLive\Plugin\npolgdet.dll [No File]
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: @tools.google.com/Google Update;version=3 -> C:\Users\Vegeta\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-3283370383-1801242209-1039628941-1002: BalancedWorlds.com/WebLauncher -> C:\Users\Vegeta\AppData\Local\Balanced Worlds\BWGameEngine\npWebLauncher.dll [No File]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\54.0.2840.71\PepperFlash\pepflashplayer.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-14]
CHR Extension: (Chrome Media Router) - C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-21]
CHR HKLM\...\Chrome\Extension: [hlfeafapmnniobpffacckpddijdjgpmj] - C:\Program Files\iSkysoft\Video Converter Ultimate\SVRChromePlugin.crx <not found>
S3 catchme; \??\C:\Users\Vegeta\AppData\Local\Temp\catchme.sys [X]
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 ECSIoDriver_1_1_0_0; \??\C:\Program Files\ECS Motherboard Utility\eDLU\ECSIoDriver.sys [X]
S3 FreshIO; \??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [X]
S3 MemAccDrv32; \??\F:\Install\Drivers\MemAccDrv32.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S3 TEAM; system32\DRIVERS\RtTeam60.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 XDva425; \??\C:\Windows\system32\XDva425.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
Task: {BECDE5BB-83CA-45D8-888E-959A56F7681B} - System32\Tasks\0614iUpdateInfo => C:\ProgramData\Avg_Update_0614i\0614i_AVG-Secure-Search-Update.exe [2014-07-02] ()
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [350]
AlternateDataStreams: C:\ProgramData\TEMP:24051EFF [116]
AlternateDataStreams: C:\ProgramData\TEMP:5F7539FF [95]
AlternateDataStreams: C:\ProgramData\TEMP:737FFF57 [316]
FirewallRules: [{4ABA02B2-5C21-492C-B9C4-53CB8FAAFB31}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{61848645-4845-4E48-91F9-261FF59FEF3E}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
C:\Program Files\KMSpico

reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"C:\Windows\system32\GroupPolicy\Machine" => not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}" => key removed successfully.
HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA}" => key removed successfully.
HKCR\CLSID\{CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA} => key not found.
"HKCR\PROTOCOLS\Handler\livecall" => key removed successfully.
HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.
"HKCR\PROTOCOLS\Handler\msnim" => key removed successfully.
HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922" => key removed successfully.
"HKLM\Software\MozillaPlugins\@ngm.nexoneu.com/NxGame" => key removed successfully.
"HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully.
"HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\Software\MozillaPlugins\@onlive.com/OnLiveGameClientDetector,version=1.0.0" => key removed successfully.
C:\Program Files\OnLive\Plugin\npolgdet.dll => not found.
"HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\Software\MozillaPlugins\@tools.google.com/Google Update;version=3" => key removed successfully.
C:\Users\Vegeta\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll => not found.
"HKU\S-1-5-21-3283370383-1801242209-1039628941-1002\Software\MozillaPlugins\BalancedWorlds.com/WebLauncher" => key removed successfully.
C:\Users\Vegeta\AppData\Local\Balanced Worlds\BWGameEngine\npWebLauncher.dll => not found.
C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => not found.
C:\Program Files\Google\Chrome\Application\54.0.2840.71\PepperFlash\pepflashplayer.dll => not found.
C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\hlfeafapmnniobpffacckpddijdjgpmj" => key removed successfully.
catchme => service removed successfully.
EagleXNt => service removed successfully.
ECSIoDriver_1_1_0_0 => service removed successfully.
FreshIO => service removed successfully.
IntcAzAudAddService => service removed successfully.
MemAccDrv32 => service removed successfully.
Synth3dVsc => service removed successfully.
taphss6 => service removed successfully.
TEAM => service removed successfully.
tsusbhub => service removed successfully.
VGPU => service removed successfully.
XDva425 => service removed successfully.
xhunter1 => service removed successfully.
"C:\Users\Vegeta\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BECDE5BB-83CA-45D8-888E-959A56F7681B}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BECDE5BB-83CA-45D8-888E-959A56F7681B}" => key removed successfully.
C:\Windows\System32\Tasks\0614iUpdateInfo => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0614iUpdateInfo" => key removed successfully.
C:\ProgramData\TEMP => ":1CE11B51" ADS removed successfully..
C:\ProgramData\TEMP => ":24051EFF" ADS removed successfully..
C:\ProgramData\TEMP => ":5F7539FF" ADS removed successfully..
C:\ProgramData\TEMP => ":737FFF57" ADS removed successfully..
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4ABA02B2-5C21-492C-B9C4-53CB8FAAFB31} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{61848645-4845-4E48-91F9-261FF59FEF3E} => value removed successfully.
C:\Program Files\KMSpico => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14527606 B
Java, Flash, Steam htmlcache => 69602752 B
Windows/system/drivers => 420 B
Edge => 0 B
Chrome => 0 B
Firefox => 388698166 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
LocalService => 0 B
NetworkService => 0 B
dah1 => 0 B
Vegeta => 6576001 B

RecycleBin => 0 B
EmptyTemp: => 457.2 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:20:07 ====


Edited by helpmepleasezz, 03 December 2016 - 11:33 AM.


#6 nasdaq (Malware Response Team, 39,946 posts, Montreal, QC. Canada)

Posted 04 December 2016 - 07:47 AM

Also, about the svchost: I've found it's because of wuauserv and winmgmt. I stopped both services and now it seems to be low in CPU usage.

Repair the 2 services.

Please download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 (Important)
  • Click Next on Step 2 (Optional), do the Pre-Scan, and skip Steps 3 and 4 (Optional) for now
  • On Step 5 (Backup / System Restore) do a Registry backup. When you have completed this, click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All Repairs button, then select just the item(s) listed below:

  • 05 - Repair WMI
  • 17 - Repair Windows Updates

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the contents of this file in your next reply.

===

Restart the computer normally.

How is the computer running now?
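For readers who would rather see what "Repair WMI" and "Repair Windows Updates" amount to than click through a GUI tool, here is an added PowerShell example; it is not from the thread and not from the Tweaking.com tool. It assumes an elevated PowerShell prompt on Windows 7 and performs the usual manual counterparts of those two items (a WMI repository verify/salvage and a Windows Update component reset). That the tool's own repairs are broader than this is an assumption about its internals, so treat this as the conservative subset.

```powershell
# Added example (not from the thread or from the Tweaking.com tool). Run from an elevated
# PowerShell prompt on Windows 7. Conservative manual counterpart of the two repairs selected
# above; the tool itself is assumed to do more (DLL re-registration etc.), which is not shown here.

# 0. Roll-back point first, in place of the tool's Step 5 backup
Checkpoint-Computer -Description 'Before WMI / Windows Update reset' -RestorePointType MODIFY_SETTINGS

# 1. WMI repository: verify, and only salvage if it is not reported consistent.
#    Caveat: the message is localized on non-English Windows (this machine is Arabic),
#    so check the printed text by eye before trusting the automatic branch.
$verify = (& winmgmt /verifyrepository) -join ' '
Write-Host "winmgmt /verifyrepository -> $verify"
if ($verify -match 'is consistent') {
    Write-Host 'WMI repository OK, nothing to salvage.'
} else {
    & winmgmt /salvagerepository    # rebuilds from the existing repository and keeps the good data
}

# 2. Windows Update: stop the services, move the download cache and catalog store aside, restart
$wuServices = 'wuauserv', 'bits', 'cryptsvc'
foreach ($s in $wuServices) { Stop-Service $s -Force -ErrorAction SilentlyContinue }
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
foreach ($dir in 'SoftwareDistribution', 'System32\catroot2') {
    $path = Join-Path $env:SystemRoot $dir
    if (Test-Path $path) {
        Move-Item $path "$path.old-$stamp"   # keep a copy; delete it once updates work again
    }
}
foreach ($s in $wuServices) { Start-Service $s }
Write-Host 'Done. Re-check svchost CPU after the next Windows Update scan, and reboot if asked.'
```

Moving SoftwareDistribution aside discards the local update history and cached downloads, which is exactly the point of the reset, so expect the first Windows Update scan afterwards to be slow and to use CPU itself; judge the result after it has completed, not during it.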


#7 helpmepleasezz (Topic Starter, Members, 10 posts)

Posted 04 December 2016 - 09:28 AM

There weren't any error messages, I think. I let it repair them and restarted; now svchost no longer takes 50% CPU, but it's been 30 min so far, so it's early to tell.

Do you want me to redo the scan to see if there were any errors?

Thank you a lot, man <33.



#8 nasdaq (Malware Response Team, 39,946 posts, Montreal, QC. Canada)

Posted 04 December 2016 - 09:38 AM

Wait a few hours and let me know how things are.

#9 helpmepleasezz (Topic Starter, Members, 10 posts)

Posted 04 December 2016 - 09:54 AM

Wait a few hours and let me know how things are.

It got back to using 50% with 100k memory.

[screenshot: capture322.jpg]

[screenshot: capture323.jpg]

It only stops when I disable them from Services.msc. I should probably just disable them permanently.

Do you see my logs as clean?


Edited by helpmepleasezz, 04 December 2016 - 09:57 AM.
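Rather than stopping services by trial to see which one is responsible, you can ask Windows directly which services sit inside the busy svchost.exe. The following is an added PowerShell example, not from the thread or from any tool named in it. It assumes an elevated PowerShell prompt on Windows 7 and uses only Get-WmiObject so it works on the PowerShell 2.0 that ships there. It maps every svchost.exe to the services it hosts, reports the host's image path (a process named svchost.exe running from anywhere other than C:\Windows\System32 is the classic masquerade and deserves a VirusTotal upload), and samples twice ten seconds apart so the CPU delta, not the total since boot, shows which host is busy right now.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt on Windows 7;
# only Get-WmiObject is used so it works on the PowerShell 2.0 that ships with Windows 7.
function Get-SvchostServiceMap {
    $hosts = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"
    $svcs  = Get-WmiObject Win32_Service -Filter "State = 'Running'"
    foreach ($h in $hosts) {
        $hosted = @($svcs | Where-Object { $_.ProcessId -eq $h.ProcessId } | ForEach-Object { $_.Name })
        # Kernel/user times are in 100-ns units; convert to seconds of CPU used since process start
        $cpuSec = ([double]$h.KernelModeTime + [double]$h.UserModeTime) / 1e7
        New-Object PSObject -Property @{
            PID          = $h.ProcessId
            CPUSeconds   = [math]::Round($cpuSec, 1)
            WorkingSetMB = [math]::Round($h.WorkingSetSize / 1MB, 1)
            Image        = $h.ExecutablePath   # a "svchost.exe" outside C:\Windows\System32 is a red flag
            Group        = $h.CommandLine      # the "-k netsvcs" style service group the host was started with
            Services     = ($hosted -join ', ')
        }
    }
}

# Two snapshots ten seconds apart; a few seconds of delta says more than the total since boot.
$first = Get-SvchostServiceMap
Start-Sleep -Seconds 10
$second = Get-SvchostServiceMap

$second | ForEach-Object {
    $row    = $_
    $before = $first | Where-Object { $_.PID -eq $row.PID }
    $delta  = if ($before) { $row.CPUSeconds - $before.CPUSeconds } else { $row.CPUSeconds }
    $row | Add-Member -MemberType NoteProperty -Name CPUDelta10s -Value ([math]::Round($delta, 1)) -PassThru
} | Sort-Object CPUDelta10s -Descending |
    Format-Table PID, CPUDelta10s, CPUSeconds, WorkingSetMB, Image, Services -AutoSize -Wrap
```

`tasklist /svc` gives the same PID-to-service mapping in one line, but without CPU or image-path figures. If the busy host is the one carrying wuauserv, note that disabling Windows Update permanently, as considered in the post above, leaves the machine without security fixes; a Windows Update agent grinding at 50% on a Windows 7 box that is far behind on updates was a common sight in 2016, and bringing the system up to date, which is what eventually brought this thread's CPU usage down to 0-5%, is the fix rather than the workaround.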


#10 nasdaq (Malware Response Team, 39,946 posts, Montreal, QC. Canada)

Posted 05 December 2016 - 08:37 AM

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed, refer to the Microsoft article again and follow the instructions to view the details of the System File Checker process.

Post the contents of the sfcdetails.txt file for my review.

Let me know if the problem persists.
<<<>>>
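The KB article's way of producing sfcdetails.txt is a findstr over CBS.log for lines tagged [SR]. Here is an added PowerShell example (not from the thread or from Microsoft) that does the same extraction from an elevated PowerShell prompt on Windows 7 after sfc /scannow has finished, and then filters out the routine progress lines so the entries that matter (corrupted, repaired, or unrepairable files) are easy to spot. The noise pattern is my assumption drawn from typical CBS.log content; extend it if your log has other chatter.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt after
# "sfc /scannow" has completed. Extracts the [SR] lines from CBS.log like the KB article's
# findstr command, writes sfcdetails.txt to the Desktop, and lists the non-routine entries.
function Get-SfcDetails {
    param([string]$CbsLog = (Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'))
    # Every line the System File Checker writes is tagged [SR]; CBS.log also holds older runs
    Select-String -Path $CbsLog -Pattern '\[SR\]' | ForEach-Object { $_.Line }
}

function Get-SfcFindings {
    param([string[]]$SrLines)
    # Progress chatter to drop (assumed from typical CBS.log output; adjust as needed)
    $noise = 'Verify complete|Verifying \d+ \(|Beginning Verify and Repair transaction'
    $SrLines | Where-Object { $_ -notmatch $noise }
}

$sr = @(Get-SfcDetails)
$desktop = [Environment]::GetFolderPath('Desktop')
$sr | Set-Content (Join-Path $desktop 'sfcdetails.txt')   # the full file to post, as the KB article asks

$findings = @(Get-SfcFindings -SrLines $sr)
if ($findings.Count -gt 0) {
    Write-Host "$($findings.Count) non-routine [SR] entries (duplicates collapsed):"
    $findings | Select-Object -Unique
} else {
    Write-Host 'No corruption or repair entries found among the [SR] lines.'
}
```

Lines reading "Cannot repair member file" mean SFC found a damaged component it could not restore from its own store; on Windows 7 the next step for that is Microsoft's System Update Readiness Tool rather than DISM /RestoreHealth, which only exists from Windows 8 on.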

#11 helpmepleasezz (Topic Starter, Members, 10 posts)

Posted 07 December 2016 - 09:12 AM

Hi, sorry for being late. I'll do it now. And yes, the problem is still on: it goes away for an hour or two and comes back unless I disable them (and they get re-enabled).

I'm scanning it now. Edit: it's attached, since it says the content is too long.

Attached Files


Edited by helpmepleasezz, 07 December 2016 - 10:08 AM.


#12 helpmepleasezz (Topic Starter, Members, 10 posts)

Posted 10 December 2016 - 07:24 PM

bump



#13 nasdaq (Malware Response Team, 39,946 posts, Montreal, QC. Canada)

Posted 11 December 2016 - 08:37 AM


Sorry about this.
I normally answer within 30 hours. Do not hesitate to PM me.

Let's make sure you have all the latest drivers for all of your programs.
Update all.

How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector (PSI)
Follow the instructions on this page.
http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/

===

Secunia is now owned by Flexera Software.

Navigate to this page.
http://learn.flexerasoftware.com/SVM-EVAL-Personal-Software-Inspector

Download and run the Flexera Software Personal Software Inspector.

#14 nasdaq (Malware Response Team, 39,946 posts, Montreal, QC. Canada)

Posted 17 December 2016 - 08:53 AM

Are you still with me?

#15 helpmepleasezz (Topic Starter, Members, 10 posts)

Posted 18 December 2016 - 04:29 AM

Are you still with me?

Yes, just wait please, I'll do it today or tomorrow.

I updated the programs that appeared and rescanned, and now it shows a 100% score. I still haven't updated Windows due to fear of going to Windows 10, but I'll scan for updates and update later today. Updated everything and now it seems to be good at 0-5% CPU usage.

Will report if it comes back.


Edited by helpmepleasezz, 18 December 2016 - 06:30 AM.




