[Svchost trying to connect to gen.xyz at startup, infected?]

Thank you for all the help!

Kind regards, bouwew

[Svchost trying to connect to gen.xyz at startup, infected?]

# DelFix v1.013 - Logfile created 08/07/2018 at 09:30:27
# Updated 17/04/2016 by Xplode
# Username : bouwe - BOUWE-PC
# Operating System : Windows 10 Enterprise  (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\Users\bouwe\Downloads\Addition.txt
Deleted : C:\Users\bouwe\Downloads\Fixlog.txt
Deleted : C:\Users\bouwe\Downloads\FRST.txt
Deleted : C:\Users\bouwe\Downloads\FRST64.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

 

[Svchost trying to connect to gen.xyz at startup, infected?]

Ok, understood, thanks!!

[Svchost trying to connect to gen.xyz at startup, infected?]

First, thank you for your help, very much appreciated!

 

Being a techie, I like to know details :)

Do you have any idea what kind of infection was (maybe still is? because the popup was not showing itself anymore before the cleaning-action) present on my system? And how I picked it up?

[Svchost trying to connect to gen.xyz at startup, infected?]

Hi Aura,

Yesterday, when I started my PC for the first time since arriving home, the popup was not there.

Then I followed you advice: run FRST with fixlist.txt. After that I also did not see the popup anymore. 3 starts happened after the cleaning action.

About how many times the popup showed during the start, only once at each start.

[Svchost trying to connect to gen.xyz at startup, infected?]

Fix result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018
Ran by bouwe (28-06-2018 19:15:41) Run:1
Running from C:\Users\bouwe\Downloads
Loaded Profiles: bouwe (Available Profiles: bouwe)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

VirusTotal: C:\Windows\system32\Windows.Management.Service.dll
VirusTotal: C:\Windows\system32\MitigationClient.dll
VirusTotal: C:\Windows\System32\NvAgent.dll
VirusTotal: C:\Windows\System32\HostNetSvc.dll

GroupPolicy: Restriction ? <==== ATTENTION

BHO-x32: No Name -> {889D2FEB-5411-4565-8998-1DD2C5261283} -> No File

CHR HKU\S-1-5-21-2300567208-3819779037-3924417142-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hcjjaajflhellmcfcecojihhmdbjmmlm] - hxxps://clients2.google.com/service/update2/crx

Task: {00A0DF23-E096-48CC-89F2-29D09E6BCF4A} - \Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\Logon -> No File <==== ATTENTION
Task: {71402D44-EE1D-45FB-8227-DECE09FAA70C} - \Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\Unlock -> No File <==== ATTENTION
Task: {7485D0E9-727F-4B06-A1F8-701BAFB8D3D8} - \Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\OnIdle -> No File <==== ATTENTION
Task: {8ECE3D46-EFDE-4AAA-9172-FEA72C3612D3} - \Microsoft\XblGameSave\XblGameSaveTask\Logon -> No File <==== ATTENTION
Task: {E15D0692-401F-477B-A71E-D377FC1D0682} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {E7608BF9-5D90-4445-B224-54E6EAD718BC} - System32\Tasks\{D45CAAB9-6E26-4D1B-9366-F94FF9E25585} => C:\WINDOWS\system32\pcalua.exe -a "C:\Program Files (x86)\Primal Pictures\Interactive Thorax and Abdomen\thorax.exe" -d "C:\Program Files (x86)\Primal Pictures\Interactive Thorax and Abdomen"

FirewallRules: [{46CCD955-7D02-4812-A316-D7BB61DC7AA2}] => (Allow) C:\Users\bouwe\AppData\Local\Temp\nsj25A5.tmp\QQPCDetector.exe
FirewallRules: [{73425C27-7EB3-4826-A2AB-5A785450D171}] => (Allow) C:\Users\bouwe\AppData\Local\Temp\nsj25A5.tmp\QQPCDetector.exe

EmptyTemp:
*****************

Processes closed successfully.
Error: (0) Failed to create a restore point.
VirusTotal: C:\Windows\system32\Windows.Management.Service.dll => https://www.virustotal.com/file/26c79610c914a17d85a834b90d524d1a37a8877af078af6390ffdc6caf83a6a1/analysis/1529178783/
VirusTotal: C:\Windows\system32\MitigationClient.dll => https://www.virustotal.com/file/4bcf6a6f16ecbe0c4a05bdba325a0f8d02042fc229079e7a7338835473d55970/analysis/1529262677/
VirusTotal: C:\Windows\System32\NvAgent.dll => https://www.virustotal.com/file/af274902db313367da5991fcfb383dbdcdd3d045cc7e32fb929fd66ecfb795f8/analysis/1529194982/
VirusTotal: C:\Windows\System32\HostNetSvc.dll => https://www.virustotal.com/file/3148f5342b758f483e7dbf6772ffd29c299cb7bf861b4c6b6c2be887b9b4cb8c/analysis/1530106623/
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283} => not found
"HKU\S-1-5-21-2300567208-3819779037-3924417142-1001\SOFTWARE\Google\Chrome\Extensions\hcjjaajflhellmcfcecojihhmdbjmmlm" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{00A0DF23-E096-48CC-89F2-29D09E6BCF4A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00A0DF23-E096-48CC-89F2-29D09E6BCF4A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\Logon" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{71402D44-EE1D-45FB-8227-DECE09FAA70C}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71402D44-EE1D-45FB-8227-DECE09FAA70C}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\Unlock" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7485D0E9-727F-4B06-A1F8-701BAFB8D3D8}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7485D0E9-727F-4B06-A1F8-701BAFB8D3D8}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\Campaigns\{3D2E6D6C-D655-43CB-B39B-D2B876D9E480}\ExperienceTargeted\OnIdle" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8ECE3D46-EFDE-4AAA-9172-FEA72C3612D3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8ECE3D46-EFDE-4AAA-9172-FEA72C3612D3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\XblGameSave\XblGameSaveTask\Logon" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E15D0692-401F-477B-A71E-D377FC1D0682}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E15D0692-401F-477B-A71E-D377FC1D0682}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E7608BF9-5D90-4445-B224-54E6EAD718BC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E7608BF9-5D90-4445-B224-54E6EAD718BC}" => removed successfully
C:\WINDOWS\System32\Tasks\{D45CAAB9-6E26-4D1B-9366-F94FF9E25585} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{D45CAAB9-6E26-4D1B-9366-F94FF9E25585}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{46CCD955-7D02-4812-A316-D7BB61DC7AA2}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{73425C27-7EB3-4826-A2AB-5A785450D171}" => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8675328 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 59260315 B
Java, Flash, Steam htmlcache => 43689 B
Windows/system/drivers => 1257698 B
Edge => 7501470 B
Chrome => 21754373 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 7168 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
LocalService => 0 B
NetworkService => 44566 B
NetworkService => 0 B
bouwe => 8570801 B

RecycleBin => 0 B
EmptyTemp: => 102.2 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 19:20:14 ====

[Svchost trying to connect to gen.xyz at startup, infected?]

Threat Scan report added.

bouwew_TS_report.txt

[Svchost trying to connect to gen.xyz at startup, infected?]

After some more reading I realize I have not attached the MWB Threat Scan log.

I will include it when I'm back at home.

[Svchost trying to connect to gen.xyz at startup, infected?]

Dear Aura,

 

Yes, I am here :)

I have been busy, now I finally have some free time, while I away from home, to check my topic.

As I write this, I am away from home, I'm working too far away from home to travel back every day. For your information, I will be back at home on Friday or Saturday of this week, I don't know yet, it depends on my schedule. I will let you know when I know it for sure.

 

I have read your post, I understand it and I will act accordingly.

 

Sorry, I'm confused by your last remark; you are asking for my logs. But, these are attached to my initial post, correct?

Or, am I missing something?

 

[Svchost trying to connect to gen.xyz at startup, infected?]

Hi,

 

Recently, during every startup of my PC, a message from Malwarebytes pops up.

I have performed a system scan but no virus is found.

I wonder, is my PC infected?

This is the export:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/21/18
Protection Event Time: 7:35 PM
Log File: 8080b34a-7579-11e8-8755-ac220b4cd7ab.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5530
License: Premium

-System Information-
OS: Windows 10 (Build 17692.1000)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Phishing
Domain: gen.xyz
IP Address: 13.57.153.101
Port: [49732]
Type: Outbound
File: C:\Windows\System32\svchost.exe

 

(end)

Kind regards,

Bouwe Westerdijk

 

FRST.txt

Addition.txt

[MBAM 3.04 causing tcpip.sys BSOD]

I can confirm this issue.

I have encountered this issue repeatedly when running both Qbittorrent and Tixati (seperately). I was reading some posts on other forums describing the same issue before I arrived at this post in this forum.

I've seen it happen when running 3.04 and now when running 3.05 (lifetime subscription).