
RegSvcs.exe keeps coming back


  • This topic is locked
6 replies to this topic

#1 nOmArch

  • Members
  • 4 posts
  • OFFLINE

Posted 15 December 2016 - 08:27 PM

Hi,


For the last few days Malwarebytes has been reporting that RegSvcs.exe is a Trojan.Agent.  I select remove and reboot the PC.  On the next scan the file is back!  I have tried Eset online scanner which finds and removes it but it comes back again.  ADWCleaner also finds it, removes it but, again, it comes back.  Kinda out of ideas so I thought I'd ask here.


I am running Windows 10 Pro x64


I have run the FRST tool and have attached the logs



#2 nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 December 2016 - 10:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO-x32: No Name -> {451C804F-C205-4F03-B48E-537EC94937BF} -> No File
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com => not found
FF Plugin: @videolan.org/vlc,version=2.1.3 -> e:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin: @videolan.org/vlc,version=2.1.4 -> e:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.1.0 -> E:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.1.1 -> E:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> E:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> e:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.0 -> e:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> e:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.3 -> e:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
U0 omllsy; C:\WINDOWS\System32\drivers\vdfamb.sys [79064 2016-12-16] (Malwarebytes)
U3 idsvc; no ImagePath
S3 lvpepf64; \SystemRoot\system32\DRIVERS\lv302a64.sys [X]
S3 LVPr2M64; \SystemRoot\system32\DRIVERS\LVPr2M64.sys [X]
S3 lvrs64; \SystemRoot\system32\DRIVERS\lvrs64.sys [X]
S3 PID_PEPI; \SystemRoot\system32\DRIVERS\LV302V64.SYS [X]
S3 WinRing0_1_2_0; \??\C:\Program Files (x86)\TurboYourPC\Service.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
Task: {2A6B3FE6-FF79-4ABA-BA4A-0DE893D28AD1} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {302C5D58-2727-41EA-A60F-A52B3EAB82D9} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {3D9CA96B-3742-472F-A723-23D58E662E91} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {52AC2D74-561F-4C28-BD2B-E2650615E06A} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {6D20CB34-E59B-4720-AE62-71DF816F41E4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {78F366F0-B6B7-4CCB-8054-CF3539ADA2C1} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {80D317F5-594B-4A7C-A974-5B34379D6691} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A77DB88E-3954-44F6-A36F-A8339F5BCECC} - System32\Tasks\ealdksy => C:\Users\nOmArch\ealdksy\pidj.exe [2016-10-09] (AutoIt Team)
Task: {ACF874E1-7199-4599-AF2B-4725BE456B57} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {CD88D37C-D529-49AD-AC3C-3849E56491F3} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {DD548E8F-4E87-4657-9B86-DA86B1D352E5} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {E1A614EF-3750-459E-84CC-8B1F257DE1A2} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {F0CA08B8-CAA7-42D6-89B4-7F9EB9BB6D83} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
2015-04-11 20:51 - 2014-09-11 17:58 - 01498112 _____ () C:\Program Files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\DAQExp.dll
2015-04-11 20:51 - 2014-05-19 16:19 - 00137728 _____ () C:\Program Files (x86)\Common Files\iSkysoft\iSkysoft Helper Compact\CBSCreateVC.dll
AlternateDataStreams: C:\ProgramData\TEMP:054203E4 [149]
AlternateDataStreams: C:\ProgramData\TEMP:05D195EC [171]
C:\Users\nOmArch\ealdksy
C:\WINDOWS\System32\drivers\vdfamb.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
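
As an added example, not part of nasdaq's reply or of the FRST tool itself, the small Python triage helper below reads FRST-style scan lines and flags the kinds of entries the fixlist above targets: a scheduled task that launches a binary from a user-writable path (the persistence that kept re-creating the removed file), orphaned entries whose file is missing, and alternate data streams. The sample lines are constructed from the entries quoted above plus one benign task for contrast.

```python
import re

# Constructed sample of FRST-style lines, modelled on the entries in the
# fixlist above plus one benign scheduled task for contrast.
SAMPLE_LOG = r"""Task: {A77DB88E-3954-44F6-A36F-A8339F5BCECC} - System32\Tasks\ealdksy => C:\Users\nOmArch\ealdksy\pidj.exe [2016-10-09] (AutoIt Team)
Task: {302C5D58-2727-41EA-A60F-A52B3EAB82D9} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
U3 idsvc; no ImagePath
S3 lvrs64; \SystemRoot\system32\DRIVERS\lvrs64.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:054203E4 [149]
BHO-x32: No Name -> {451C804F-C205-4F03-B48E-537EC94937BF} -> No File
Task: {00000000-0000-0000-0000-000000000000} - \Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\system32\defrag.exe [2016-07-16] (Microsoft Corporation)
"""

# Locations an ordinary user can write to; a scheduled task that launches
# from one of these is a classic way a dropper re-creates a removed payload.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\")

# "Task: {GUID} - <task path> => <target binary> [<date>] (<publisher>)"
TASK_RE = re.compile(r"Task: \{[0-9A-F-]+\} - (.+?) => (.+?) \[")


def triage_line(line):
    """Return a reason string if the FRST line deserves attention, else None."""
    if line.startswith("AlternateDataStreams:"):
        return "alternate data stream (payload hidden in a stream, not a file)"
    if " -> No File" in line or line.endswith("[X]") or "no ImagePath" in line:
        return "orphaned entry (referenced file or binary is missing)"
    m = TASK_RE.match(line)
    if m:
        target = m.group(2).lower()
        if any(marker in target for marker in USER_WRITABLE):
            return "scheduled task launching a binary from a user-writable path"
    return None


def triage_log(text):
    """Return (reason, line) pairs for every flagged line, in log order."""
    flagged = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            flagged.append((reason, line))
    return flagged


if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```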

#3 nOmArch (Topic Starter)

  • Members
  • 4 posts
  • OFFLINE

Posted 16 December 2016 - 01:55 PM

Hi,


Turned on system restore for C Drive

Created the fixlist.txt file and ran it through FRST.

That completed successfully so I rebooted the PC as instructed.


When I rebooted into the GUI, a few error messages came up, which I have attached as well as the fixlog.txt.


First hyperscan Malwarebytes ran, it found the regsvcs.exe file again.


#4 nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 December 2016 - 02:30 PM

These files are from Wondershare which I think you removed.

There could be some remnant entries in the registry triggering these errors.

Please run the Farbar Recovery Scan Tool. Enter cbscreatevc.dll;daqexp.dll in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

P.S. If you did remove Wondershare, I see some remnants in your logs.

FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com => not found
FirewallRules: [{82A27CC6-3FC9-4673-AD54-78BA6B7102BB}] => E:\Program Files (x86)\Wondershare\Video Converter Ultimate\VideoConverterUltimate.exe
FirewallRules: [{EE44FF80-4BAB-49BF-A7CF-35B999A5D43E}] => E:\Program Files (x86)\Wondershare\Video Converter Ultimate\VideoConverterUltimate.exe
FirewallRules: [{424C9BEC-2DF8-4B82-84D3-7AD054932866}] => E:\Program Files (x86)\Wondershare\Wondershare\Filmora\Filmora.exe
FirewallRules: [UDP Query User{AB62751D-3C5E-4D8B-A497-0388FC0C412C}E:\program files (x86)\wondershare\video converter ultimate\medialibserver.exe] => E:\program files (x86)\wondershare\video converter ultimate\medialibserver.exe
FirewallRules: [TCP Query User{DEBFABB4-B58B-4DCC-8096-470D39826039}E:\program files (x86)\wondershare\video converter ultimate\medialibserver.exe] => E:\program files (x86)\wondershare\video converter ultimate\medialibserver.exe
FirewallRules: [UDP Query User{9B6D9164-2C8D-4EED-8025-6915B3403D43}E:\program files (x86)\wondershare\video converter ultimate\mediaserver.exe] => E:\program files (x86)\wondershare\video converter ultimate\mediaserver.exe
FirewallRules: [TCP Query User{9A470A30-1EA7-48E5-9052-B2FA368C3399}E:\program files (x86)\wondershare\video converter ultimate\mediaserver.exe] => E:\program files (x86)\wondershare\video converter ultimate\mediaserver.exe
FirewallRules: [UDP Query User{174BAB3B-D178-4CC6-9895-E66C574AFCA9}E:\program files (x86)\wondershare\video converter ultimate\urlreqservice.exe] => E:\program files (x86)\wondershare\video converter ultimate\urlreqservice.exe
FirewallRules: [TCP Query User{52CDA152-D1A1-4032-93FA-21FC9C347604}E:\program files (x86)\wondershare\video converter ultimate\urlreqservice.exe] => E:\program files (x86)\wondershare\video converter ultimate\urlreqservice.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
C:\ProgramData\Wondershare


I can give you a fix to remove these items. Let me know.

#5 nOmArch (Topic Starter)

  • Members
  • 4 posts
  • OFFLINE

Posted 16 December 2016 - 03:22 PM

Hi,


S'OK I removed the stray wondershare entries myself.


I have also removed the three registry entries that the search found.


Interestingly, when Malwarebytes removed the regsvcs file this time it didn't want to reboot.


So, I'll try rebooting and get back to you with the result.


#6 nOmArch (Topic Starter)

  • Members
  • 4 posts
  • OFFLINE

Posted 16 December 2016 - 04:56 PM

OK, rebooted and it's been an hour and a half and no sign of the virus!  Looks like that's done the trick mate!  Thank you so much :)  Is there any way I can add to your rep or something to acknowledge your help?



#7 nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 December 2016 - 07:58 AM

Is there any way I can add to your rep or something to acknowledge your help?

You just did thank you. Glad we could help.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
