
Weird system behavior/svchost.exe using bandwidth


  • This topic is locked
16 replies to this topic

#1 Rangah

Rangah

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 13 January 2017 - 11:35 AM

I am running a 64-bit unactivated Windows 10 machine. The first problem I started noticing was svchost.exe using up all my internet. I have BITS disabled, which seemed to be the solution for other users. However, if I stopped the svchost.exe process chain through resource manager while it was using internet, my Windows stopped working properly. The start button didn't work, right-clicking on programs like Steam in the taskbar didn't bring up context menus, and I'd have to right-click the start button to restart or bring up the control panel. If I did that, everything in the control panel looked like a weird mixture of Windows 10 and Windows 7. After stopping the process, it would be back up after a few minutes and keep downloading until it's finished whatever it's doing. Then everything works as it should. As I was writing this I noticed svchost was using bandwidth again, so I stopped it and have a chance to show some screens if needed; I will link those at the bottom. Another thing I've recently noticed is I'm getting German ads on websites even though I'm from Latvia. Geolocation websites like whatsmyip.org thought I was in Germany. Google.com redirected me to google.de. What makes me curious is that the sites I visited most often now show normal ads and whatsmyip.org thought I was in Latvia again. Google.com now redirects me to my national .lv domain. But occasionally some less visited sites still show German ads and offer to show the site in the German language. Happens on any browser. I don't know if these two things are linked. Would really appreciate some insight on these issues as this is becoming quite frustrating. Thanks in advance.


https://puu.sh/tl2g7/6ed554d50c.png (what comes up after right clicking the start button)

https://puu.sh/tl2f0/3588b7a67c.png (control panel)

https://puu.sh/tl2ib/fd6af184cc.png (control panel system and security)





#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:47 AM

Posted 18 January 2017 - 11:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/637273 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Rangah

Rangah
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 18 January 2017 - 12:48 PM

During this time I've installed Malwarebytes and ran a couple of scans with scanning for rootkits enabled; nothing was found. However, it blocks sites like stun.voipstunt.com and stun.voipbuster.com every time I use Google Chrome. It blocks about 20 instances at the same time. I'll post some of the reports for those. Today I saw German ads on youtube.com, and svchost.exe keeps starting randomly and uses bandwidth.

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Protection Event Date: 1/18/17
Protection Event Time: 7:04 PM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 
Components Version: 
Update Package Version: 
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System
 
-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0
 
-Website Data-
Domain: stun.voipbuster.com
IP Address: 77.72.169.210
Port: [58381]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
 
(end)
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Protection Event Date: 1/18/17
Protection Event Time: 7:04 PM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 
Components Version: 
Update Package Version: 
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: System
 
-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0
 
-Website Data-
Domain: stun.voipstunt.com
IP Address: 77.72.169.211
Port: [58381]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
 
(end)
 
Here are the FRST logs:
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-01-2017
Ran by Sandis (administrator) on DESKTOP-S6DUKDK (18-01-2017 19:45:36)
Running from D:\Downloads
Loaded Profiles: Sandis (Available Profiles: defaultuser0 & Sandis)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Micro-Star Int'l Co., Ltd.) C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Program Files (x86)\Bloody6\Bloody6\Bloody6.exe
(Flux Software LLC) C:\Users\Sandis\AppData\Local\FluxSoftware\Flux\flux.exe
(ShareX Team) C:\Program Files\ShareX\ShareX.exe
(Valve Corporation) D:\Steam\Steam.exe
(Valve Corporation) D:\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Valve Corporation) D:\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) D:\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Valve Corporation) D:\Steam\bin\cef\cef.win7\steamwebhelper.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Windows\System32\LockAppHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1612.3341.0_x64__8wekyb3d8bbwe\Calculator.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\SkypeHost.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2634872 2015-08-27] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-07-16] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
HKU\S-1-5-21-3151149046-1325077431-2135836962-1001\...\Run: [Steam] => D:\Steam\steam.exe [2876704 2016-12-20] (Valve Corporation)
HKU\S-1-5-21-3151149046-1325077431-2135836962-1001\...\Run: [Bloody2] => C:\Program Files (x86)\Bloody6\Bloody6\Bloody6.exe [19276288 2016-09-22] ()
HKU\S-1-5-21-3151149046-1325077431-2135836962-1001\...\Run: [f.lux] => C:\Users\Sandis\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-24] (Flux Software LLC)
Startup: C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareX.lnk [2016-11-03]
ShortcutTarget: ShareX.lnk -> C:\Program Files\ShareX\ShareX.exe (ShareX Team)
Startup: C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stop bits.lnk [2016-11-03]
ShortcutTarget: stop bits.lnk -> C:\Windows\System32\sc.exe (Microsoft Corporation)
GroupPolicy: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{cc436e81-e622-4667-a14d-8461aadd220b}: [DhcpNameServer] 192.168.1.1 192.168.1.1
 
Internet Explorer:
==================
SearchScopes: HKU\S-1-5-21-3151149046-1325077431-2135836962-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={BAB7E9A1-5A11-4D9E-9FD9-3C410FB8A3AA}&mid=357a9318fe5747cf880b015e8463b84e-b01c15ebe00628b35da04aba0091a089a481f6fc&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2016-12-22 15:12:21&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll No File
 
FireFox:
========
FF DefaultProfile: nla1kcc1.default
FF ProfilePath: C:\Users\Sandis\AppData\Roaming\Mozilla\Firefox\Profiles\nla1kcc1.default [2017-01-17]
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-08-25] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-08-25] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
 
Chrome: 
=======
CHR Plugin: (Widevine Content Decryption Module) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\WidevineCdm\_platform_specific\win_x64\widevinecdmadapter.dll (Google Inc.)
CHR Plugin: (Shockwave Flash) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\PepperFlash\24.0.0.194\pepflashplayer.dll ()
CHR Profile: C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default [2017-01-18]
CHR Extension: (Google prezentācijas) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-03]
CHR Extension: (Google dokumenti) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-11-03]
CHR Extension: (Google disks) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-11-03]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2016-12-22]
CHR Extension: (YouTube) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-11-03]
CHR Extension: (Google izklājlapas) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-11-03]
CHR Extension: (Google dokumenti bezsaistē) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-11-03]
CHR Extension: (Chrome interneta veikala maksājumu sistēma) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-03]
CHR Extension: (Gmail) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-11-03]
CHR Extension: (Chrome Media Router) - C:\Users\Sandis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-03]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 GamingApp_Service; C:\Program Files (x86)\MSI\MSI Gaming APP\GamingApp_Service.exe [23504 2014-12-25] (Micro-Star Int'l Co., Ltd.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1155192 2015-08-27] (NVIDIA Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-12-14] (Malwarebytes)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1872504 2015-08-27] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [5544568 2015-08-27] (NVIDIA Corporation)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-07-16] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77416 2016-12-14] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176064 2017-01-11] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2017-01-13] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2017-01-13] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [250816 2017-01-13] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [91584 2017-01-18] (Malwarebytes)
R3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [17280 2013-05-17] ()
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19576 2015-08-27] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [50472 2015-08-11] (NVIDIA Corporation)
R3 VBAudioVMVAIOMME; C:\Windows\system32\DRIVERS\vbaudio_vmvaio64_win7.sys [41192 2016-12-19] (Windows ® Win 7 DDK provider)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-18 19:30 - 2017-01-18 19:45 - 00000000 ____D C:\FRST
2017-01-11 16:47 - 2017-01-11 16:47 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-01-11 16:46 - 2017-01-18 19:18 - 00091584 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-01-11 16:46 - 2017-01-13 18:41 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-01-11 16:46 - 2017-01-13 18:41 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-01-11 16:46 - 2017-01-13 18:41 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-01-11 16:46 - 2017-01-11 16:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-01-11 16:46 - 2017-01-11 16:46 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-01-11 16:46 - 2017-01-11 16:46 - 00000000 ____D C:\Program Files\Malwarebytes
2017-01-11 16:46 - 2016-12-14 12:55 - 00077416 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-01-02 13:03 - 2017-01-18 16:16 - 00000000 ____D C:\Users\Sandis\Documents\The Witcher 3
2017-01-02 13:03 - 2017-01-02 13:03 - 00000000 ____D C:\ProgramData\Package Cache
2017-01-01 19:13 - 2017-01-01 19:13 - 00000984 _____ C:\Users\Sandis\Desktop\Warband Battle Sizer.lnk
2016-12-23 11:43 - 2016-12-25 22:55 - 00000000 ____D C:\Users\Sandis\Documents\Witcher 2
2016-12-23 11:43 - 2016-12-23 11:43 - 00000000 ____D C:\Users\Sandis\AppData\Local\The Witcher 2
2016-12-22 16:53 - 2016-12-22 16:53 - 00000000 ____D C:\Users\Sandis\AppData\Roaming\AVG
2016-12-22 16:51 - 2016-12-22 16:51 - 00000000 ____D C:\Users\Sandis\AppData\Roaming\TuneUp Software
2016-12-22 16:50 - 2017-01-13 17:30 - 00000000 ____D C:\ProgramData\MFAData
2016-12-22 16:50 - 2016-12-22 16:50 - 00000000 ____D C:\Users\Sandis\AppData\Local\MFAData
2016-12-22 15:49 - 2016-12-22 15:49 - 00000000 ____D C:\Windows\lv
2016-12-22 15:48 - 2016-12-22 15:48 - 00000000 ____D C:\Windows\en
2016-12-22 15:47 - 2016-12-22 15:48 - 00000000 ____D C:\Program Files (x86)\Windows Live
2016-12-22 15:47 - 2016-12-22 15:47 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2016-12-22 15:45 - 2017-01-13 17:50 - 00000000 ____D C:\Users\Sandis\AppData\Local\AvgSetupLog
2016-12-22 15:45 - 2017-01-13 17:50 - 00000000 ____D C:\ProgramData\Avg
2016-12-22 15:45 - 2017-01-13 17:30 - 00000000 ____D C:\Users\Sandis\AppData\Local\Avg
2016-12-22 15:45 - 2016-12-22 15:45 - 00000000 ___HD C:\ProgramData\Common Files
2016-12-22 15:44 - 2016-12-22 15:44 - 00000000 ____D C:\Users\Sandis\AppData\Local\Windows Live
2016-12-22 15:37 - 2016-12-22 15:37 - 00001447 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2016-12-20 20:57 - 2016-12-20 20:57 - 00001745 _____ C:\Users\Sandis\Desktop\MPC-HC x64.lnk
2016-12-20 20:57 - 2016-12-20 20:57 - 00000000 ____D C:\Users\Sandis\AppData\Roaming\MPC-HC
2016-12-20 20:57 - 2016-12-20 20:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MPC-HC x64
2016-12-20 20:57 - 2016-12-20 20:57 - 00000000 ____D C:\Program Files\MPC-HC
2016-12-20 15:17 - 2016-12-20 15:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoHotkey
2016-12-20 15:17 - 2016-12-20 15:17 - 00000000 ____D C:\Program Files\AutoHotkey
2016-12-19 17:26 - 2016-12-19 17:26 - 00003970 _____ C:\Users\Sandis\AppData\Roaming\VoiceMeeterDefault.xml
2016-12-19 16:51 - 2016-12-19 16:51 - 00000000 ____D C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VB Audio
2016-12-19 16:51 - 2016-12-19 16:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VB Audio
2016-12-19 16:51 - 2016-12-19 16:51 - 00000000 ____D C:\Program Files\VB
2016-12-19 16:50 - 2016-12-19 16:50 - 00041192 _____ (Windows ® Win 7 DDK provider) C:\Windows\system32\Drivers\vbaudio_vmvaio64_win7.sys
2016-12-19 16:50 - 2016-12-19 16:50 - 00000000 ____D C:\Program Files (x86)\VB
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-01-18 18:57 - 2016-11-03 23:12 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-01-18 18:31 - 2016-11-03 17:21 - 01240886 _____ C:\Windows\system32\PerfStringBackup.INI
2017-01-18 18:10 - 2016-07-16 13:36 - 00000000 ____D C:\Windows\CbsTemp
2017-01-18 16:55 - 2016-11-03 18:53 - 00007598 _____ C:\Users\Sandis\AppData\Local\Resmon.ResmonCfg
2017-01-18 14:57 - 2016-07-16 13:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-01-18 14:57 - 2016-07-16 13:47 - 00000000 ____D C:\Windows\AppReadiness
2017-01-17 15:54 - 2016-11-03 19:07 - 00000000 ____D C:\Users\Sandis\Documents\ShareX
2017-01-13 19:37 - 2016-11-03 23:12 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-01-13 18:40 - 2016-11-03 18:15 - 00000000 ____D C:\ProgramData\NVIDIA
2017-01-13 17:56 - 2016-11-03 17:21 - 00000000 ____D C:\Users\Sandis
2017-01-13 17:52 - 2016-11-04 14:59 - 00000000 ____D C:\Users\Sandis\AppData\Roaming\TS3Client
2017-01-13 17:30 - 2016-07-16 08:04 - 00262144 _____ C:\Windows\system32\config\BBI
2017-01-12 19:10 - 2016-11-03 19:12 - 00000000 ____D C:\Users\Sandis\AppData\Roaming\Audacity
2016-12-29 23:19 - 2016-11-03 21:47 - 00000000 ____D C:\Users\Sandis\Documents\Mount&Blade Warband Savegames
2016-12-28 17:17 - 2016-11-12 17:47 - 00000000 ____D C:\Users\Sandis\Documents\gothic3
2016-12-23 11:43 - 2016-11-04 13:12 - 00098163 _____ C:\Windows\DirectX.log
2016-12-22 22:25 - 2016-07-16 13:47 - 00000000 __RHD C:\Users\Public\Desktop
2016-12-22 22:18 - 2016-11-19 16:29 - 00000000 ____D C:\Users\Sandis\AppData\Local\Diagnostics
2016-12-22 22:08 - 2016-12-10 16:28 - 00000000 ____D C:\Users\Sandis\AppData\Local\The Witcher
2016-12-22 19:19 - 2016-07-16 13:47 - 00000000 ___HD C:\Windows\ELAMBKUP
2016-12-22 19:17 - 2016-11-03 17:21 - 00000000 ____D C:\Users\Sandis\AppData\Roaming
2016-12-22 19:17 - 2016-11-03 17:21 - 00000000 ____D C:\Users\Sandis\AppData\LocalLow
2016-12-22 19:17 - 2016-07-16 08:04 - 00000000 ____D C:\Program Files\Common Files
2016-12-22 19:17 - 2016-07-16 08:04 - 00000000 ____D C:\Program Files (x86)\Common Files
2016-12-22 18:34 - 2016-07-16 08:04 - 00032768 _____ C:\Windows\system32\config\ELAM
2016-12-22 17:12 - 2016-11-06 16:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-12-22 15:47 - 2016-07-16 13:47 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-12-22 15:45 - 2016-11-03 17:22 - 00000000 ___SD C:\Users\Sandis\AppData\LocalLow\Microsoft
2016-12-22 15:42 - 2016-07-16 13:47 - 00000000 ___SD C:\ProgramData\Microsoft
2016-12-22 15:37 - 2016-07-16 13:47 - 00000938 ___SH C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
2016-12-22 15:37 - 2016-07-16 13:47 - 00000000 ____D C:\Windows\System32\Tasks\Microsoft
2016-12-22 15:28 - 2016-11-03 17:21 - 00000000 ____D C:\Users\Sandis\AppData\Local\Packages
2016-12-20 15:17 - 2016-11-29 14:57 - 00000000 ____D C:\Windows\SHELLNEW
2016-12-19 17:26 - 2016-11-03 17:21 - 00000000 ___RD C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2016-12-19 16:51 - 2016-11-03 17:21 - 00000000 ___RD C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
2016-12-19 16:51 - 2016-07-16 13:45 - 00000000 ____D C:\Windows\INF
2016-12-19 16:51 - 2016-07-16 08:04 - 00000000 ____D C:\Windows\system32\DriverStore
 
==================== Files in the root of some directories =======
 
2016-12-19 17:26 - 2016-12-19 17:26 - 0003970 _____ () C:\Users\Sandis\AppData\Roaming\VoiceMeeterDefault.xml
2016-11-03 18:53 - 2017-01-18 16:55 - 0007598 _____ () C:\Users\Sandis\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
C:\Users\Sandis\AppData\Local\Temp\PidGenX.dll
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-01-17 15:30
 
==================== End of FRST.txt ============================
 

 


#4 Valinorum

Valinorum

    Shadow Hide The Hunter


  • Malware Response Instructor
  • 1,701 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:47 AM

Posted 21 January 2017 - 01:14 AM

Greetings!
:welcome:

I am running a 64bit unactivated Windows 10 machine.

Can you explain why your Operating System (OS) is not activated?

Regards,
Valinorum

Geek U Graduate

I close my topic(s) with no replies for more than 4 days. PM me or Moderators to reactivate. All helps are provided via forum ergo do not PM me for help.

 


#5 Rangah

Rangah
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:47 AM

Posted 21 January 2017 - 09:36 AM

Hey! I didn't notice the prebuilt PC I bought roughly 2 months ago didn't come with one. I discovered that only when I turned it on for the first time, and I had already spent all of my budget so couldn't afford dishing out another 100+ euros for an OS. I didn't want to use Linux either. Then I read that Windows 10 can be used unactivated with only the personalisation features disabled, and the OS .iso can be acquired from Microsoft themselves. I do plan to get a licence key in the near future, but for now it suits my needs just fine.



#6 Valinorum

Valinorum

    Shadow Hide The Hunter


  • Malware Response Instructor
  • 1,701 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:47 AM

Posted 21 January 2017 - 12:56 PM

Fair play.
 
  • Step #1 P2P Warning
    IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
    • µTorrent
    I shall provide you with a few reference links, please read them up to know the risks of having a P2P program. Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file-sharing as a major conduit to spread their wares.

    My recommendation is that you uninstall the programs listed above. If you choose not to remove them, please do not use them until this computer is clean.
 
  • Step #2 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      CreateRestorePoint:
      CloseProcesses:
      EmptyTemp:
      Startup: C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stop bits.lnk [2016-11-03]
      GroupPolicy: Restriction <======= ATTENTION
      SearchScopes: HKU\S-1-5-21-3151149046-1325077431-2135836962-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={BAB7E9A1-5A11-4D9E-9FD9-3C410FB8A3AA}&mid=357a9318fe5747cf880b015e8463b84e-b01c15ebe00628b35da04aba0091a089a481f6fc&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2016-12-22 15:12:21&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
      BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.
 
  • Required Log(s):
    • FRST Fix Log
Regards,
Valinorum

Edited by Valinorum, 21 January 2017 - 12:58 PM.
Typo


 


#7 Rangah (Topic Starter, Members, 15 posts)

Posted 21 January 2017 - 02:45 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-01-2017
Ran by Sandis (21-01-2017 21:24:31) Run:1
Running from D:\Downloads
Loaded Profiles: Sandis (Available Profiles: defaultuser0 & Sandis)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
Startup: C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stop bits.lnk [2016-11-03]
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-3151149046-1325077431-2135836962-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={BAB7E9A1-5A11-4D9E-9FD9-3C410FB8A3AA}&mid=357a9318fe5747cf880b015e8463b84e-b01c15ebe00628b35da04aba0091a089a481f6fc&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2016-12-22 15:12:21&v=4.3.6.255&pid=wtu&sg=&sap=dsp&q={searchTerms}
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
End
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
C:\Users\Sandis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stop bits.lnk => moved successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-3151149046-1325077431-2135836962-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} => key removed successfully
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} => key removed successfully
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found. 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 137199435 B
Java, Flash, Steam htmlcache => 68766733 B
Windows/system/drivers => 22942975 B
Edge => 1256067 B
Chrome => 460500002 B
Firefox => 374878850 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 2408 B
NetworkService => 21589274 B
defaultuser0 => 7296 B
Sandis => 6510034422 B
 
RecycleBin => 1789971 B
EmptyTemp: => 7.1 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 21:25:34 ====
 
Cheers!
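The Fixlog above is the record of what each fixlist directive actually did, and the restore-point error matters because it means this fix cannot be rolled back through System Restore. The following Python helper is an added example, not FRST's own code nor anything posted in the thread: it parses that Fixlog layout and reports which entries succeeded, which targets FRST could not find, and any error lines; its input is a constructed sample with a placeholder user name and CLSID.

```python
import re

# Constructed sample in the FRST Fixlog layout posted in the thread; the user
# name and CLSID are placeholders, not values from a real machine.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version: 18-01-2017
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stop bits.lnk [2016-11-03]
GroupPolicy: Restriction <======= ATTENTION
BHO: No Name -> {00000000-0000-0000-0000-000000000000} -> No File
End
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stop bits.lnk => moved successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000} => key removed successfully
HKCR\CLSID\{00000000-0000-0000-0000-000000000000} => key not found.
EmptyTemp: => 7.1 GB temporary data Removed.
The system needed a reboot.
==== End of Fixlog 21:25:34 ====
"""

# "<target> => <outcome>" result lines; an optional trailing period is dropped.
RESULT_RE = re.compile(r"^(.*?) => (.*?)\.?$")


def parse_fixlog(text):
    """Return (directives, [(target, outcome)], error lines). The directives sit
    between the two lines of asterisks; the results follow the second one."""
    lines = [l.rstrip() for l in text.splitlines()]
    stars = [i for i, l in enumerate(lines) if l.startswith("*****")]
    if len(stars) < 2:
        raise ValueError("no fixlist block found")
    directives = [d for d in lines[stars[0] + 1:stars[1]] if d not in ("Start", "End", "")]
    results, errors = [], []
    for l in lines[stars[1] + 1:]:
        if l.startswith("Error:"):
            errors.append(l)
            continue
        m = RESULT_RE.match(l)
        if m:
            results.append((m.group(1), m.group(2)))
    return directives, results, errors


def review_fixlog(text):
    """Summarise the run: what succeeded, what FRST could not find, and any
    errors (a failed restore point means the fix cannot be rolled back)."""
    directives, results, errors = parse_fixlog(text)
    succeeded = [t for t, o in results if "successfully" in o or "Removed" in o]
    not_found = [t for t, o in results if "not found" in o]
    return {"directives": len(directives), "succeeded": len(succeeded),
            "not_found": not_found, "errors": errors,
            "reboot": "needed a reboot" in text}
```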


#8 Valinorum (Malware Response Instructor, 1,701 posts)

Posted 21 January 2017 - 11:05 PM

  • Step #3 ESET Online Scanner
    Disable your security programs, which include but are not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.
    • Download esetsmartinstaller_enu.exe by clicking here.
    • Right-click on the program and choose Run as administrator.
    • Accept their terms and condition and proceed.
    • Install Add-On/Active X if prompted.
    • From the Computer Scan Setting check the following box --
      • Enable detection for potentially unwanted programs
    • Click on Advanced Setting --
      • Check the box beside Remove Found Threats;
      • Check the box beside Scan archives
      • Check the box beside Scan for potentially unsafe applications
      • Check the box beside Enable Anti-Stealth Technology
    • Click on Start and wait for the virus signature database to update.
    • The online scan will begin automatically and can take several hours.
      • Note: Do not touch either the mouse or the keyboard during the scan. Otherwise it may stall.
    • After the Scan finishes --
      • If no threats were found:
        • Put a checkmark in Uninstall application on close.
        • Close the program and report that nothing was found
      • If threats were found:
        • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        • Copy and Paste contents of the log file in your next reply.
    Note: Enable your security programs afterwards.
 


 


#9 Rangah (Topic Starter, Members, 15 posts)

Posted 22 January 2017 - 10:51 AM

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=2d5170701ba67742903ba5f8a59279c8
# end=init
# utc_time=2017-01-22 01:11:21
# local_time=2017-01-22 03:11:21 (+0200, FLE Standard Time)
# country="Latvia"
# osver=6.2.9200 NT 
Update Init
Update Download
Update Finalize
Updated modules version: 32148
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=2d5170701ba67742903ba5f8a59279c8
# end=updated
# utc_time=2017-01-22 01:20:51
# local_time=2017-01-22 03:20:51 (+0200, FLE Standard Time)
# country="Latvia"
# osver=6.2.9200 NT 
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=2d5170701ba67742903ba5f8a59279c8
# engine=32148
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2017-01-22 03:42:23
# local_time=2017-01-22 05:42:23 (+0200, FLE Standard Time)
# country="Latvia"
# lang=1033
# osver=6.2.9200 NT 
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 72085 16430359 0 0
# scanned=319410
# found=3
# cleaned=3
# scan_time=8491
sh=F148E91A8DDEB0964B8FA6520FD3BC20AB092404 ft=1 fh=c149475ad66a82d1 vn="a variant of Win32/HackTool.Patcher.N potentially unsafe application (cleaned by deleting)" ac=C fn="D:\game_setup_faili\Mount_BLade\mount&blade-uniloader\mount&blade-uniloader.exe"
sh=A70969ADD60CFADB68B83007AA6D91FC3ED3E4D2 ft=0 fh=0000000000000000 vn="a variant of Win32/HackTool.Patcher.A potentially unsafe application (deleted)" ac=C fn="D:\game_setup_faili\Sony Vegas Movie Studio HD Platinum 10.0.179 + Keygen [RH]\SV.MST.HD.PE.10.0.179_[RH].rar"
sh=DF292AAA8CD929B293F6943CE0DCC09666471B6D ft=1 fh=b85accf146c4baae vn="a variant of Win32/HackTool.Patcher.A potentially unsafe application (cleaned by deleting)" ac=C fn="D:\game_setup_faili\Sony Vegas Movie Studio HD Platinum 10.0.179 + Keygen [RH]\SV.MST.HD.PE.10.0.179_[RH]\Sony Vegas Movie Studio HD Platinum 10.0.179\Keygen\Patch (Extra included)\Patch_Vegas.Movie.Studio.HD.Platinum.10.0.exe"
 
If it helps, I'm pretty sure those files were present on my old computer for several years and on this one since day 1 as well.
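Three detections are easy to read by eye, but a helper that cross-checks the found/cleaned counters against the per-file lines and lists anything left uncleaned is what you want when the log runs to dozens of entries. This Python example is added here and is neither ESET's code nor anything posted in the thread; the log it parses is a constructed sample in the same layout, with placeholder hashes, detection names and paths.

```python
import re

# Constructed sample in the ESET Online Scanner log layout posted in the thread;
# the hashes, detection names and paths are placeholders, not real indicators.
SAMPLE_LOG = r"""
# product=EOS
# version=8
# end=finished
# remove_checked=true
# country="Example"
# scanned=1000
# found=2
# cleaned=1
# scan_time=42
sh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ft=1 fh=0000000000000001 vn="a variant of Win32/Example.A potentially unsafe application (cleaned by deleting)" ac=C fn="D:\setup\tool\patch.exe"
sh=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB ft=0 fh=0000000000000000 vn="a variant of Win32/Example.B potentially unsafe application (unable to clean)" ac=C fn="D:\setup\archive.rar"
"""

HEADER_RE = re.compile(r"^#\s*([\w.]+)=(.*)$")
# One detection per line: sh = SHA-1 of the file, vn = verdict text (the action
# ESET took is embedded in parentheses), fn = full path of the file.
DETECT_RE = re.compile(
    r'^sh=([0-9A-Fa-f]{40}) ft=\d+ fh=[0-9a-f]{16} vn="([^"]*)" ac=(\S+) fn="([^"]*)"$')


def parse_eset_log(text):
    """Return (header dict, list of detection dicts). Header keys repeat once per
    phase (init/updated/finished); the last value wins, so 'end' is the final phase."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = DETECT_RE.match(line)
        if m:
            sha1, verdict, action, path = m.groups()
            cleaned = "cleaned" in verdict or "(deleted)" in verdict
            detections.append({"sha1": sha1.upper(), "verdict": verdict,
                               "action": action, "path": path, "cleaned": cleaned})
    return header, detections


def triage(text):
    """Cross-check the summary counters against the detection lines and list
    anything ESET reported but did not clean."""
    header, dets = parse_eset_log(text)
    found, cleaned = int(header.get("found", 0)), int(header.get("cleaned", 0))
    leftover = [d["path"] for d in dets if not d["cleaned"]]
    issues = []
    if header.get("end") != "finished":
        issues.append("scan did not finish (end=%s)" % header.get("end"))
    if found != len(dets):
        issues.append("header says found=%d but %d detection lines parsed" % (found, len(dets)))
    if leftover or cleaned != found:
        issues.append("%d detection(s) not cleaned" % len(leftover))
    return {"found": found, "cleaned": cleaned, "leftover": leftover, "issues": issues}
```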


#10 Valinorum (Malware Response Instructor, 1,701 posts)

Posted 22 January 2017 - 10:54 AM

Log looks good. How is your system running?


 


#11 Rangah (Topic Starter, Members, 15 posts)

Posted 22 January 2017 - 11:03 AM

Seems good for now. Visited a couple of sites and no foreign ads, there don't seem to be any random bandwidth usages either. Thank you very much for your help, I truly appreciate it.



#12 Valinorum (Malware Response Instructor, 1,701 posts)

Posted 22 January 2017 - 11:08 AM

Perusing your logs, I see no infection currently present in your system. Unless you are having any issue(s), the machine appears to be Malware-free as we speak.

 
 

♣ Removal of Tools and Quarantined Files ♣


 

Although the tools we have used are clean, they are powerful removal tools, made in such a way that they carry out any commands given to them without (in most cases) asking for confirmation. In the hands of an inept person, they can make the machine un-bootable -- a scenario we do not wish to see. Also, we need to remove the quarantined files/folders from your system, as a dormant malware can be as bad as an active one if given the proper environment. I shall now give you the guidelines to remove the tools and the quarantined files from your system.
  • Cleanup with Delfix
    Please download DelFix by Xplode to your Desktop.
    Download Link
    • Double-click to run the program;
      • Note: Windows Vista/7/8/8.1/10 users right-click and choose Run as administrator
    • Make sure that all the boxes are checked;
    • Click Run;
    • A log will be opened after the operation is finished;
    • Copy and Paste it in your next reply
 
 

♣ Prevention and Future Guidelines ♣


 

Prevention is better than cure -- goes the old saying. As much as we love to see you visit our site, we do not want to see you having your PC infected by malware again.
  • Keep Windows up-to-date.
    It is extremely important that you keep your operating system (Windows) updated when updates are made available. It is set to alert you, so be sure not to ignore these notices and to allow the updates to install. Many of these are critical security packages which could very possibly be the difference between your picking up a future infiltration and simply passing right by it unharmed.
  • Run antivirus software and keep it up-to-date, too.
    Antivirus software is your safety net if all other protections fail. The first line of defense is smart computing, of course, but everyone needs a backup. I'd recommend Microsoft Security Essentials or avast!, both of which are excellent, as well as free. Once they're installed, check periodically to ensure they have been successfully updating as well. An out-of-date antivirus is not a happy antivirus!
  • Keep your web browser plugins and other programs updated also.
    This tip is rarely shared by technicians and its importance is not widely recognized, but it's absolutely critical. Programs such as Java, Adobe Flash Player and Adobe Reader, Internet Explorer, and myriad other such web-exposed items are deeply vulnerable to attack, which can quickly lead to a hopelessly infected system no matter what protection you currently have installed. The reason is that these programs are ubiquitous, but are also not perfect and are extremely complex... and as such, security vulnerabilities are discovered and exploited by hackers hoping to gain control over your machine. By performing every update for these programs as soon as it's made available, you will greatly reduce your exposure to dangerous internet threats.

    A great way to do this is to install the Filehippo Update Checker and run it regularly. Also, try not to ignore any notifications you receive regarding updates to programs already installed on your PC.

    NoScript is an excellent security device too. I like it but it is not for everyone because it requires you to take action if you want to see some things (pop ups, banners etc.) on sites you visit.

    Download NoScript by Giorgio Maone.

    Note: Sometimes you will get a site telling you that you need to install Java when actually all you need to do is enable the site through the NoScript icon down on the right hand side of your computer.
  • And last of all, surf smart.
    It doesn't matter how well the autopilot system works if the pilot keeps flying the plane into mountain ranges. Don't forget that no matter how much you have protecting yourself, your security ultimately begins and ends with you. Don't visit dangerous or questionable web sites, avoid suspicious links on Facebook and emails/email attachments you're unsure about, and just generally keep your wits about you, and you'll be much safer. Also, avoid illegal downloads, cracks, "warez", and all other too-good-to-be-true internet offerings: they're typically laden with malware. Be smart and you can avoid most threats lurking about the darker corners of the internet! And for even more tips, see our article How Did I Get Infected in the First Place? and Keep Your Computer Safe Online.

Regards,
Valinorum


 


#13 Rangah (Topic Starter, Members, 15 posts)

Posted 22 January 2017 - 11:18 AM

The Delfix download link you posted doesn't seem to be working. 



#14 Valinorum (Malware Response Instructor, 1,701 posts)

Posted 22 January 2017 - 11:19 AM

My apologies. Here is the link: https://www.bleepingcomputer.com/download/delfix/


 


#15 Rangah (Topic Starter, Members, 15 posts)

Posted 22 January 2017 - 11:26 AM

# DelFix v1.010 - Logfile created 22/01/2017 at 18:23:44
# Updated 26/04/2015 by Xplode
# Username : Sandis - DESKTOP-S6DUKDK
# Operating System : Windows 10 Pro  (64 bits)
 
~ Activating UAC ... OK
 
~ Removing disinfection tools ...
 
Deleted : C:\FRST
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
 
New restore point created !
 
~ Resetting system settings ... OK
 
########## - EOF - ##########




