Posts posted by bouwew
-
# DelFix v1.013 - Logfile created 08/07/2018 at 09:30:27
# Updated 17/04/2016 by Xplode
# Username : bouwe - BOUWE-PC
# Operating System : Windows 10 Enterprise (64 bits)
~ Activating UAC ... OK
~ Removing disinfection tools ...
Deleted : C:\FRST
Deleted : C:\Users\bouwe\Downloads\Addition.txt
Deleted : C:\Users\bouwe\Downloads\Fixlog.txt
Deleted : C:\Users\bouwe\Downloads\FRST.txt
Deleted : C:\Users\bouwe\Downloads\FRST64.exe
~ Creating registry backup ... OK
~ Cleaning system restore ...
New restore point created !
~ Resetting system settings ... OK
########## - EOF - ##########
-
Ok, understood, thanks!!
-
First, thank you for your help, very much appreciated!
Being a techie, I like to know details :)
Do you have any idea what kind of infection was present on my system (maybe still is? because the popup was not showing itself anymore before the cleaning action)? And how I picked it up?
-
Hi Aura,
Yesterday, when I started my PC for the first time since arriving home, the popup was not there.
Then I followed your advice: run FRST with fixlist.txt. After that I also did not see the popup anymore. 3 starts happened after the cleaning action.
As for how many times the popup showed during startup: only once at each start.
-
Fix result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by bouwe (28-06-2018 19:15:41) Run:1
Running from C:\Users\bouwe\Downloads
Loaded Profiles: bouwe (Available Profiles: bouwe)
Boot Mode: Normal
==============================================
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
VirusTotal: C:\Windows\system32\Windows.Management.Service.dll
VirusTotal: C:\Windows\system32\MitigationClient.dll
VirusTotal: C:\Windows\System32\NvAgent.dll
VirusTotal: C:\Windows\System32\HostNetSvc.dll
GroupPolicy: Restriction ? <==== ATTENTION
BHO-x32: No Name -> {889D2FEB-5411-4565-8998-1DD2C5261283} -> No File
CHR HKU\S-1-5-21-2300567208-3819779037-3924417142-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hcjjaajflhellmcfcecojihhmdbjmmlm] - hxxps://clients2.google.com/service/update2/crx
Task: {00A0DF23-E096-48CC-89F2-29D09E6BCF4A} - \Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\Logon -> No File <==== ATTENTION
Task: {71402D44-EE1D-45FB-8227-DECE09FAA70C} - \Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\Unlock -> No File <==== ATTENTION
Task: {7485D0E9-727F-4B06-A1F8-701BAFB8D3D8} - \Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\OnIdle -> No File <==== ATTENTION
Task: {8ECE3D46-EFDE-4AAA-9172-FEA72C3612D3} - \Microsoft\XblGameSave\XblGameSaveTask\Logon -> No File <==== ATTENTION
Task: {E15D0692-401F-477B-A71E-D377FC1D0682} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {E7608BF9-5D90-4445-B224-54E6EAD718BC} - System32\Tasks\{D45CAAB9-6E26-4D1B-9366-F94FF9E25585} => C:\WINDOWS\system32\pcalua.exe -a "C:\Program Files (x86)\Primal Pictures\Interactive Thorax and Abdomen\thorax.exe" -d "C:\Program Files (x86)\Primal Pictures\Interactive Thorax and Abdomen"
FirewallRules: [{46CCD955-7D02-4812-A316-D7BB61DC7AA2}] => (Allow) C:\Users\bouwe\AppData\Local\Temp\nsj25A5.tmp\QQPCDetector.exe
FirewallRules: [{73425C27-7EB3-4826-A2AB-5A785450D171}] => (Allow) C:\Users\bouwe\AppData\Local\Temp\nsj25A5.tmp\QQPCDetector.exe
EmptyTemp:
*****************
Processes closed successfully.
Error: (0) Failed to create a restore point.
VirusTotal: C:\Windows\system32\Windows.Management.Service.dll => https://www.virustotal.com/file/26c79610c914a17d85a834b90d524d1a37a8877af078af6390ffdc6caf83a6a1/analysis/1529178783/
VirusTotal: C:\Windows\system32\MitigationClient.dll => https://www.virustotal.com/file/4bcf6a6f16ecbe0c4a05bdba325a0f8d02042fc229079e7a7338835473d55970/analysis/1529262677/
VirusTotal: C:\Windows\System32\NvAgent.dll => https://www.virustotal.com/file/af274902db313367da5991fcfb383dbdcdd3d045cc7e32fb929fd66ecfb795f8/analysis/1529194982/
VirusTotal: C:\Windows\System32\HostNetSvc.dll => https://www.virustotal.com/file/3148f5342b758f483e7dbf6772ffd29c299cb7bf861b4c6b6c2be887b9b4cb8c/analysis/1530106623/
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283} => not found
"HKU\S-1-5-21-2300567208-3819779037-3924417142-1001\SOFTWARE\Google\Chrome\Extensions\hcjjaajflhellmcfcecojihhmdbjmmlm" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{00A0DF23-E096-48CC-89F2-29D09E6BCF4A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00A0DF23-E096-48CC-89F2-29D09E6BCF4A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\Logon" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{71402D44-EE1D-45FB-8227-DECE09FAA70C}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71402D44-EE1D-45FB-8227-DECE09FAA70C}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\Unlock" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7485D0E9-727F-4B06-A1F8-701BAFB8D3D8}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7485D0E9-727F-4B06-A1F8-701BAFB8D3D8}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\OnIdle" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8ECE3D46-EFDE-4AAA-9172-FEA72C3612D3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8ECE3D46-EFDE-4AAA-9172-FEA72C3612D3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\XblGameSave\XblGameSaveTask\Logon" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E15D0692-401F-477B-A71E-D377FC1D0682}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E15D0692-401F-477B-A71E-D377FC1D0682}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E7608BF9-5D90-4445-B224-54E6EAD718BC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E7608BF9-5D90-4445-B224-54E6EAD718BC}" => removed successfully
C:\WINDOWS\System32\Tasks\{D45CAAB9-6E26-4D1B-9366-F94FF9E25585} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{D45CAAB9-6E26-4D1B-9366-F94FF9E25585}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{46CCD955-7D02-4812-A316-D7BB61DC7AA2}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{73425C27-7EB3-4826-A2AB-5A785450D171}" => removed successfully
=========== EmptyTemp: ==========
BITS transfer queue => 8675328 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 59260315 B
Java, Flash, Steam htmlcache => 43689 B
Windows/system/drivers => 1257698 B
Edge => 7501470 B
Chrome => 21754373 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 7168 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
LocalService => 0 B
NetworkService => 44566 B
NetworkService => 0 B
bouwe => 8570801 B
RecycleBin => 0 B
EmptyTemp: => 102.2 MB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 19:20:14 ====
-
Threat Scan report added.
-
After some more reading I realize I have not attached the MWB Threat Scan log.
I will include it when I'm back at home.
-
Dear Aura,
Yes, I am here :)
I have been busy; now I finally have some free time, while I am away from home, to check my topic.
As I write this, I am away from home, I'm working too far away from home to travel back every day. For your information, I will be back at home on Friday or Saturday of this week, I don't know yet, it depends on my schedule. I will let you know when I know it for sure.
I have read your post, I understand it and I will act accordingly.
Sorry, I'm confused by your last remark; you are asking for my logs. But these are attached to my initial post, correct?
Or, am I missing something?
-
Hi,
Recently, during every startup of my PC, a message from Malwarebytes pops up.
I have performed a system scan but no virus is found.
I wonder, is my PC infected?
This is the export:
Malwarebytes
www.malwarebytes.com
-Log Details-
Protection Event Date: 6/21/18
Protection Event Time: 7:35 PM
Log File: 8080b34a-7579-11e8-8755-ac220b4cd7ab.json
Administrator: Yes
-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5530
License: Premium
-System Information-
OS: Windows 10 (Build 17692.1000)
CPU: x64
File System: NTFS
User: System
-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0
-Website Data-
Category: Phishing
Domain: gen.xyz
IP Address: 13.57.153.101
Port: [49732]
Type: Outbound
File: C:\Windows\System32\svchost.exe
(end)
Kind regards,
Bouwe Westerdijk
-
I can confirm this issue.
I have encountered this issue repeatedly when running both Qbittorrent and Tixati (separately). I was reading some posts on other forums describing the same issue before I arrived at this post in this forum.
I've seen it happen when running 3.04 and now when running 3.05 (lifetime subscription).
Svchost trying to connect to gen.xyz at startup, infected?
in Resolved Malware Removal Logs
Thank you for all the help!
Kind regards, bouwew