Jump to content

Svchost.exe killed, possible infection


MrBiz
 Share

Recommended Posts

I usually keep tight watch and rule on my firewall, but from the other day i realise that the cpu usage would jump to 100% when loading pages then go back down

curious i ran roguekiller (first i ran scans and all came back clean) and got this:

 

RogueKiller V8.7.7 [Nov 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : PatricK [Admin rights]
Mode : Scan -- Date : 11/12/2013 04:27:19
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 3 ¤¤¤
[sVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [7] -> KILLED [TermProc]
[sVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [7] -> KILLED [TermProc]
[sVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [7] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] IAT @iexplore.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6E091E4B)
[Address] IAT @iexplore.exe (RegGetValueW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75E20DC5)
[Address] IAT @iexplore.exe (RegOpenKeyExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75E2460D)
[Address] IAT @iexplore.exe (RegCloseKey) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75E2461D)
[Address] IAT @iexplore.exe (RegQueryValueExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75E2462D)
[Address] IAT @iexplore.exe (StrStrIW) : api-ms-win-downlevel-shlwapi-l1-1-0.dll -> HOOKED (C:\Windows\system32\shlwapi.DLL @ 0x765F46E9)
[Address] IAT @iexplore.exe (GetProcAddress) : KERNEL32.dll -> HOOKED (C:\Program Files\Internet Explorer\IEShims.dll @ 0x6E091E4B)
[Address] IAT @iexplore.exe (RegGetValueW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75E20DC5)
[Address] IAT @iexplore.exe (RegOpenKeyExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75E2460D)
[Address] IAT @iexplore.exe (RegCloseKey) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75E2461D)
[Address] IAT @iexplore.exe (RegQueryValueExW) : api-ms-win-downlevel-advapi32-l1-1-0.dll -> HOOKED (C:\Windows\system32\advapi32.DLL @ 0x75E2462D)
[Address] IAT @iexplore.exe (StrStrIW) : api-ms-win-downlevel-shlwapi-l1-1-0.dll -> HOOKED (C:\Windows\system32\shlwapi.DLL @ 0x765F46E9)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AADS-67S9B1 ATA Device +++++
--- User ---
[MBR] 5985724ba892a5726b4ce24e2f48fbe8
[bSP] eb11fb66582f439466a24426dcc02753 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 76217 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 156299264 | Size: 400620 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_11122013_042719.txt >>
 
of all my roguekiller running on this forum , ive never had a case were svchost was killed as a bad process 
and what are those weird hooks?
 
 
 
Link to post
Share on other sites

Welcome to the forum, see if TDSSKiller finds anything:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    image000q.png

  • Put a checkmark beside loaded modules.

    2012081514h0118.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    19695967.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    67776163.jpg

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    62117367.jpg

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

MrC

Link to post
Share on other sites

The unsigned files were still detected, the log is clean.

Run ComboFix:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

In normal Mose, my registry was locked

R4b8KnR.png?1

but in safe mode it ran 

 

ComboFix 13-11-12.01 - PatricK 11/12/2013  10:43:33.3.2 - x86 NETWORK
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2813.2009 [GMT -5:00]
Running from: c:\users\PatricK\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-12 to 2013-11-12  )))))))))))))))))))))))))))))))
.
.
2013-11-12 15:53 . 2013-11-12 15:53 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-11-12 15:53 . 2013-11-12 15:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-11-12 10:31 . 2013-11-12 10:31 -------- d-----w- c:\program files\AdTrustMedia
2013-11-12 10:31 . 2013-11-12 10:31 -------- d-----w- c:\programdata\Adtrustmedia
2013-11-12 09:57 . 2013-11-12 09:57 -------- d-----w- c:\users\PatricK\AppData\Local\CrashDumps
2013-11-06 20:55 . 2013-11-06 20:55 -------- d-----w- c:\program files\Foxit Software
2013-11-06 16:27 . 2013-11-06 16:27 -------- d-----w- c:\program files\iPod
2013-11-06 16:27 . 2013-11-06 16:28 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-10-31 23:05 . 2013-10-31 23:05 -------- d-----w- c:\programdata\Norton
2013-10-31 23:04 . 2013-11-08 02:27 -------- d-----w- c:\users\PatricK\AppData\Local\NPE
2013-10-19 22:59 . 2013-10-19 22:59 -------- d-----w- c:\users\PatricK\AppData\Roaming\AVAST Software
2013-10-19 22:56 . 2013-10-19 22:56 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-10-19 22:56 . 2013-11-08 12:51 403440 ----a-w- c:\windows\system32\drivers\aswsp.sys
2013-10-19 22:56 . 2013-10-19 22:56 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-10-19 22:56 . 2013-10-19 22:56 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-10-19 22:56 . 2013-10-19 22:56 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-10-19 22:56 . 2013-10-19 22:56 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-10-19 22:56 . 2013-10-19 22:56 35656 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-10-19 22:56 . 2013-10-19 22:56 79720 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-10-19 22:56 . 2013-10-19 22:56 269216 ----a-w- c:\windows\system32\aswBoot.exe
2013-10-19 22:56 . 2013-10-19 22:56 43152 ----a-w- c:\windows\avastSS.scr
2013-10-19 22:55 . 2013-10-19 22:55 -------- d-----w- c:\program files\AVAST Software
2013-10-19 22:51 . 2013-10-19 22:51 -------- d-----w- c:\programdata\AVAST Software
2013-10-13 17:15 . 2013-10-13 17:15 -------- d-----w- c:\programdata\Kaspersky Lab
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-17 14:13 . 2013-09-15 00:10 75992 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-09-24 10:54 . 2013-01-17 00:51 85464 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-09-24 10:54 . 2013-01-17 00:51 44752 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-09-24 10:54 . 2013-01-17 00:51 582936 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2013-09-24 10:54 . 2013-01-17 00:51 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-09-24 10:53 . 2013-01-25 03:43 36000 ----a-w- c:\windows\system32\cmdcsr.dll
2013-09-24 10:53 . 2013-01-25 03:43 354240 ----a-w- c:\windows\system32\guard32.dll
2013-09-24 10:53 . 2013-01-25 03:42 280792 ----a-w- c:\windows\system32\cmdvrt32.dll
2013-09-24 10:53 . 2013-01-25 03:42 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-09-14 00:48 . 2013-10-08 17:22 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2013-09-13 06:00 . 2013-09-11 04:00 4751752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-09-08 02:07 . 2013-10-08 17:22 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-08 02:03 . 2013-10-08 17:22 231424 ----a-w- c:\windows\system32\mswsock.dll
2013-09-04 01:15 . 2013-10-08 17:22 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-09-04 01:14 . 2013-10-08 17:22 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-09-04 01:14 . 2013-10-08 17:22 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-09-04 01:14 . 2013-10-08 17:22 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-09-04 01:14 . 2013-10-08 17:22 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2013-09-04 01:14 . 2013-10-08 17:22 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-09-04 01:14 . 2013-10-08 17:22 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-30 10:24 . 2013-08-30 10:24 11701760 ----a-w- c:\program files\Common Files\lpuninstall.exe
2013-08-29 01:51 . 2013-10-08 17:21 3969472 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-29 01:51 . 2013-10-08 17:21 3914176 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-29 01:50 . 2013-10-08 17:21 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-08-29 01:50 . 2013-10-08 17:21 619520 ----a-w- c:\windows\system32\tdh.dll
2013-08-29 01:48 . 2013-10-08 17:21 640512 ----a-w- c:\windows\system32\advapi32.dll
2013-08-28 01:04 . 2013-10-08 17:21 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-08-28 00:57 . 2013-10-08 17:21 434688 ----a-w- c:\windows\system32\scavengeui.dll
2013-08-24 23:28 . 2013-07-06 11:39 10920680 ----a-r- c:\windows\system32\SpoonUninstall.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}]
2013-10-21 14:15 717480 ----a-w- c:\program files\AdTrustMedia\PrivDog\1.7.0.12\trustedads.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-10-19 22:56 321752 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2013-10-16 543432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-11-11 1576152]
"KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2013-07-14 508048]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-10-19 3567800]
"PrivDogService"="c:\program files\AdTrustMedia\PrivDog\1.7.0.12\trustedadssvc.exe" [2013-10-21 515240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-03-20 280576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe -p -name=LastPass -ffuuid support@lastpass.com [2013-8-30 11701760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
"DontSetAutoplayCheckbox"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
"DontSetAutoplayCheckbox"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-09-14 00:51 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-01-21 22:22 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2012-02-01 17:36 50592 ----a-w- c:\users\PatricK\AppData\Roaming\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-11-02 05:29 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2010-04-12 08:40 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 08:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2013-06-06 22:06 1641896 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2010-05-20 20:27 762736 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XFastUSB]
2012-03-13 22:47 5019360 ----a-w- c:\program files\XFastUSB\XFastUsb.exe
.
R0 aswRvrt;avast! Revert; [x]
R0 aswVmm;avast! VM Monitor; [x]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\PATRICK\DESKTOP\MARVIN GAYE\NEW FOLDER (2)\RUN\a2ddax86.sys [x]
R1 AntiLog32;AntiLog32;c:\windows\system32\drivers\AntiLog32.sys [x]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-10-19 774392]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-11-08 403440]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2013-09-24 582936]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\MBAE.sys [2013-08-01 44632]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-10-19 35656]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-10-19 70384]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-11-09 21992]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2003-04-19 8192]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [2013-10-01 5087584]
R3 cleanhlp;cleanhlp;c:\users\PatricK\Desktop\Marvin Gaye\New folder (2)\Run\cleanhlp32.sys [x]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-09-24 131288]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2009-07-13 214016]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 FNETTBOH_305;FNETTBOH_305;c:\windows\system32\drivers\FNETTBOH_305.SYS [2013-06-02 29760]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2013-11-12 108032]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-04-16 23096]
R3 SndTVideo;SndTVideo;c:\windows\system32\DRIVERS\SndTVideo.sys [2009-04-16 3768]
R3 SRS_AE_Service;SRS Audio Essentials;c:\windows\system32\drivers\SRS_AE_i386.sys [2011-08-01 404256]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-04-01 1343400]
R3 wmamp3DriverV32;wmamp3DriverV32;c:\windows\system32\drivers\wmamp3DriverV32.sys [2011-11-29 23608]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-09-06 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-09-06 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-09-06 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-09-06 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-09-06 25704]
R3 XDva359;XDva359;c:\windows\system32\XDva359.sys [x]
S0 AsrRamDisk;AsrRamDisk;c:\windows\system32\DRIVERS\AsrRamDisk.sys [2012-08-09 33104]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2013-09-24 20072]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2013-09-24 44752]
S1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2012-03-13 14656]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2012-07-11 116608]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2013-05-31 209016]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-12 10:16 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.48\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-22 21:20]
.
2013-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-22 21:20]
.
2013-11-12 c:\windows\Tasks\Malwarebytes Anti-Exploit.job
- c:\program files\Malwarebytes Anti-Exploit\mbae-loader.exe [2013-10-04 14:47]
.
2013-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 7b2b8afb-34c0-441d-b86a-3a094700fa20.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2013-01-04 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task da11de66-f5ca-41ef-9136-00d77d575775.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{2F5C139F-79BD-4C84-A95A-E7140525BC55} - {5B06364D-FF00-4BD5-9D01-4379952513F2} - c:\program files\AdTrustMedia\PrivDog\1.7.0.12\trustedads.dll
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ComodoFSChrome - c:\program files\AdTrustMedia\PrivDog\FinalizeSetup.exe
SafeBoot-54954009.sys
SafeBoot-73335756.sys
SafeBoot-93415949.sys
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1260953176-3201969857-2580422920-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*5*!]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1260953176-3201969857-2580422920-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*5*!\OpenWithList]
@Class="Shell"
"a"="uTorrent.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(956)
c:\program files\K-Lite Codec Pack\Filters\LAV\swscale-lav-2.dll
c:\windows\System32\pnidui.dll
c:\windows\System32\netshell.dll
.
Completion time: 2013-11-12  10:56:25
ComboFix-quarantined-files.txt  2013-11-12 15:56
.
Pre-Run: 39,290,056,704 bytes free
Post-Run: 39,184,531,456 bytes free
.
- - End Of File - - E7F8527B15FBE1E3DD2732D62964D1CC
A36C5E4F47E84449FF07ED3517B43A31
Link to post
Share on other sites

Lets clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look like this, not "sponsored ad links":

bleep-crop.jpg

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

Ok then, i ran adwcleaner every 3 days and never got this (usually powercuts happens, so i wonder if its restoring stuff, also when power cuts the bios is reset because i have to put in time and date everytime it restarts)

 

# AdwCleaner v3.012 - Report created 12/11/2013 at 21:37:26
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : PatricK - PATRICK-PC
# Running from : C:\Users\PatricK\Desktop\Marvin Gaye\torrent\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\PatricK\AppData\Roaming\NCH Software
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\Applications\iMesh_V11_en_Setup.exe
Key Deleted : HKLM\SOFTWARE\Classes\Applications\iMeshV11.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iMesh_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iMesh_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iMesh_V11_en_Setup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iMesh_V11_en_Setup_RASMANCS
Key Deleted : HKCU\Software\NCH Software
Key Deleted : HKLM\Software\NCH Software
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16428
 
 
-\\ Mozilla Firefox v
 
[ File : C:\Users\PatricK\AppData\Roaming\Mozilla\Firefox\Profiles\0\prefs.js ]
 
 
-\\ Google Chrome v31.0.1650.48
 
[ File : C:\Users\PatricK\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1434 octets] - [12/11/2013 21:35:47]
AdwCleaner[s0].txt - [1375 octets] - [12/11/2013 21:37:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1435 octets] ##########
 
 
 
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.11.13.05
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16428
PatricK :: PATRICK-PC [administrator]
 
Protection: Enabled
 
11/12/2013 9:46:04 PM
mbam-log-2013-11-12 (21-46-04).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 275589
Time elapsed: 16 minute(s), 5 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
Link to post
Share on other sites

also when power cuts the bios is reset because i have to put in time and date everytime it restarts

That shouldn't happen, most likely cmos battery is bad.

How is it??

MrC

So far so good, except trustedinstaller.exe (located in C:\Windows\servicing) was using too much cpu (and it usually never runs) this is after i updated windows, but seems ok now

the bios thing is the same (also today it took 1 minute to give the regular bios beep) when the power cuts , I'll have to open the pc again on day 

also google chrome jumps in cpu usage for couple of second when you load a page (which affect music playing) - which is google fault , seem like which each new update it has more bugs  

 

hopefully these svchost.exe entries are fine 

L7W7cLf.png?1

Link to post
Share on other sites

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
Link to post
Share on other sites

 Results of screen317's Security Check version 0.99.77  

 Windows 7 Service Pack 1 x86 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Disabled!  

avast! Antivirus   

 Antivirus up to date!   

`````````Anti-malware/Other Utilities Check:````````` 

 SpywareBlaster 5.0    

 SUPERAntiSpyware     

 Malwarebytes Anti-Malware version 1.75.0.1300  

 CCleaner     

 Google Chrome 31.0.1650.48  

 Google Chrome 31.0.1650.57  

````````Process Check: objlist.exe by Laurent````````  

 Malwarebytes Anti-Malware mbamservice.exe  

 Malwarebytes Anti-Malware mbamgui.exe  

 Comodo Firewall cmdagent.exe 

 Malwarebytes' Anti-Malware mbamscheduler.exe   

 Malwarebytes Anti-Exploit mbae.exe   

 AVAST Software Avast AvastSvc.exe  

 AVAST Software Avast avastui.exe  

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C: 1% 

````````````````````End of Log`````````````````````` 
Link to post
Share on other sites

Looks Good......

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (also HERE)

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.