
Unknown process "winvmx" using cpu



Hi whoambuddha :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean up some malware, so let's get started, shall we? :)

Please give me a few hours to review your logs and get back to you.


Thank you for waiting.

Just so you know, one of my colleagues recently reported that specific infection on another forum and gave us more information on how to remove it. We'll try a standard FRST fix at first, but I expect it to fail. The reason why we'll run it first is because this fix will also allow me to collect samples so I can forward them to Malwarebytes, who will analyse them and hopefully add them to the program's definitions.

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.

  • Web Optimum v.1.1


If you have an issue when uninstalling a program, please let me know.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

After running the fix above, a file called Upload.zip will be located on your desktop. Upload it to the link below.

http://www.bleepingcomputer.com/submit-malware.php?channel=194

Your next reply should include:

  • Confirmation that you uninstalled the program(s) listed above (if not, which one(s) and why);
  • Copy/pasted content of FRST's fixlog.txt;
  • Confirmation that you uploaded Upload.zip to the link given above;

fixlist.txt


Thank you for the assistance Aura. I followed your instructions and uninstalled the program (I did not install it, if that is important); however, after FRST finished, the upload.zip did not appear on my desktop.

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-03-2017
Ran by WhoAm (02-03-2017 20:47:20) Run:1
Running from C:\Users\WhoAm\Downloads
Loaded Profiles: WhoAm (Available Profiles: WhoAm)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

Zip: C:\Program Files (x86)\dataup\dataup.exe;C:\Program Files (x86)\svcvmx\svcvmx.exe;C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe;C:\Windows\SysWOW64\splsrv.exe;C:\Program Files (x86)\winscr\winscr.exe;C:\Users\WhoAm\AppData\Local\Temp\20170302\ct.exe;C:\Program Files (x86)\svcvmx\vmxclient.exe;C:\ProgramData\Comms\jconsole.jar;C:\Users\WhoAm\AppData\Local\Temp\131267676856655617.exe

HKLM-x32\...\Run: [system_jconsole.jar] => C:\Program Files (x86)\Java\jre1.8.0_111\bin\javaw.exe -jar "C:\ProgramData\Comms\jconsole.jar"
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\...\Run: [Umcmedia] => C:\Users\WhoAm\AppData\Local\Umcmedia\qorigjsr.exe [117561 2017-02-19] ()
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\...\Run: [Arstworks] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\WhoAm\AppData\Local\Umcmedia\rxpwuctq.dll <===== ATTENTION
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\...\Run: [YzhzPack] => regsvr32.exe C:\Users\WhoAm\AppData\Local\YzhzPack\sbdhyqwc.dll <===== ATTENTION
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\...\Run: [evyzuf] => rundll32.exe "C:\Users\WhoAm\AppData\Local\evyzuf.dll",evyzuf <===== ATTENTION
HKU\S-1-5-18\...\Run: [] => [X]
GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts-x32: Restriction <======= ATTENTION

R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed] <==== ATTENTION
R2 realtek_amd64; C:\Users\WhoAm\AppData\Local\Temp\WS\realtek_amd64.exe [8704 2017-03-02] () [File not signed] <==== ATTENTION
R2 windowsmanagementservice; C:\Users\WhoAm\AppData\Local\Temp\20170302\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION <==== ATTENTION
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed] <==== ATTENTION

Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
Traffic Exchange (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION

Task: {0485C5AB-BFAF-4AE2-9561-D4B0948232F6} - System32\Tasks\Traffic Exchange v209 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {217E1227-8602-46A2-BB7D-728BFDB71E86} - System32\Tasks\{341F4EE5-B227-4BF4-A3DB-C3C5A766169E} => pcalua.exe -a "C:\Program Files (x86)\Razer\Razer Cortex\unins000.exe"
Task: {2EFCCCFF-1A27-485E-9A57-A8E8306CB9E7} - System32\Tasks\Traffic Exchange v2 - 1 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe  <==== ATTENTION
Task: {3A8970BF-5886-4258-80C2-C05CB19967E1} - System32\Tasks\Traffic Exchange v209 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {404C7DFC-B4EE-4AC5-9390-030FF305E327} - System32\Tasks\Online Application v209 => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {4757F0AF-812F-4B45-9612-231DA907292E} - System32\Tasks\Online Application v209 Guardian => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {730AEFE6-01E7-4AE2-A6A4-BCA36C68CBCD} - System32\Tasks\Traffic Exchange v209 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {824DFDAC-9941-4D9E-965B-20E47E6EDBCB} - System32\Tasks\Online Application v209 Guard => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe  <==== ATTENTION
Task: {B00189C5-14A0-4C8D-B141-34B5D1B8DCD0} - System32\Tasks\Traffic Exchange v2 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe  <==== ATTENTION
Task: {DF0AA594-FBD3-41C3-81B5-BF5D3BE4CDB7} - System32\Tasks\Traffic Exchange v2 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe  <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v209 Guard.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v209 Guardian.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application v209.job => C:\Program Files (x86)\Microleaves\Online.io Application\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v209 - 1.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v209 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v209 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\Online-Guardian-v2.0.9.exe <==== ATTENTION

HKLM\...\StartupApproved\Run: => "StartCN"
HKLM\...\StartupApproved\Run: => "system_jconsole.jar"
HKLM\...\StartupApproved\Run32: => "system_jconsole.jar"
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\...\StartupApproved\Run: => "YzhzPack"
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\...\StartupApproved\Run: => "Arstworks"
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\...\StartupApproved\Run: => "Umcmedia"

C:\Program Files (x86)\cpx
C:\Program Files (x86)\dataup
C:\Program Files (x86)\Microleaves
C:\Program Files (x86)\regtool
C:\Program Files (x86)\svcvmx
C:\Program Files (x86)\qdcomsvc
C:\Program Files (x86)\winscr
C:\ProgramData\1488477913
C:\ProgramData\Comms
C:\ProgramData\mntemp
C:\Users\WhoAm\AppData\Local\{33901F07-89ED-4C76-AAEE-FA8AEB5E464A}
C:\Users\WhoAm\AppData\Local\llssoft
C:\Users\WhoAm\AppData\Local\LumaEmu
C:\Users\WhoAm\AppData\Local\YzhzPack
C:\Users\WhoAm\AppData\Local\Umcmedia
C:\Users\WhoAm\AppData\Local\evyzuf.dll
C:\Users\WhoAm\AppData\Roaming\c
C:\Windows\SysWOW64\splsrv.exe
C:\WINDOWS\System32\drivers\drmkpro64.sys

EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
================== Zip: ===================
C:\Program Files (x86)\dataup\dataup.exe -> copied successfully to C:\Users\WhoAm\Desktop\02.03.2017_20.48.55.zip
C:\Program Files (x86)\svcvmx\svcvmx.exe -> copied successfully to C:\Users\WhoAm\Desktop\02.03.2017_20.48.55.zip
C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe -> copied successfully to C:\Users\WhoAm\Desktop\02.03.2017_20.48.55.zip
C:\Windows\SysWOW64\splsrv.exe -> copied successfully to C:\Users\WhoAm\Desktop\02.03.2017_20.48.55.zip
C:\Program Files (x86)\winscr\winscr.exe -> copied successfully to C:\Users\WhoAm\Desktop\02.03.2017_20.48.55.zip
C:\Users\WhoAm\AppData\Local\Temp\20170302\ct.exe -> copied successfully to C:\Users\WhoAm\Desktop\02.03.2017_20.48.55.zip
C:\Program Files (x86)\svcvmx\vmxclient.exe -> copied successfully to C:\Users\WhoAm\Desktop\02.03.2017_20.48.55.zip
C:\ProgramData\Comms\jconsole.jar -> copied successfully to C:\Users\WhoAm\Desktop\02.03.2017_20.48.55.zip
C:\Users\WhoAm\AppData\Local\Temp\131267676856655617.exe -> copied successfully to C:\Users\WhoAm\Desktop\02.03.2017_20.48.55.zip
=========== Zip: End ===========
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\system_jconsole.jar => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Umcmedia => value removed successfully
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Arstworks => value removed successfully
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\Software\Microsoft\Windows\CurrentVersion\Run\\YzhzPack => value removed successfully
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\Software\Microsoft\Windows\CurrentVersion\Run\\evyzuf => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\Machine => moved successfully
Dataup => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
qdcomsvc => Unable to stop service.
HKLM\System\CurrentControlSet\Services\qdcomsvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\realtek_amd64 => key removed successfully
realtek_amd64 => service removed successfully
windowsmanagementservice => Unable to stop service.
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\gupdate => key removed successfully
gupdate => service removed successfully
HKLM\System\CurrentControlSet\Services\gupdatem => key removed successfully
gupdatem => service removed successfully
drmkpro64 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0847AE0-465A-4D7B-A555-AABB43B550F0}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{52F7BE5C-2C3B-4C7B-A96D-F19B9EC1992D}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0485C5AB-BFAF-4AE2-9561-D4B0948232F6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0485C5AB-BFAF-4AE2-9561-D4B0948232F6} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 1 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v209 - 1 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{217E1227-8602-46A2-BB7D-728BFDB71E86} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{217E1227-8602-46A2-BB7D-728BFDB71E86} => key removed successfully
C:\WINDOWS\System32\Tasks\{341F4EE5-B227-4BF4-A3DB-C3C5A766169E} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{341F4EE5-B227-4BF4-A3DB-C3C5A766169E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2EFCCCFF-1A27-485E-9A57-A8E8306CB9E7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EFCCCFF-1A27-485E-9A57-A8E8306CB9E7} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 1 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v2 - 1 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3A8970BF-5886-4258-80C2-C05CB19967E1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3A8970BF-5886-4258-80C2-C05CB19967E1} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 2 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v209 - 2 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{404C7DFC-B4EE-4AC5-9390-030FF305E327} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{404C7DFC-B4EE-4AC5-9390-030FF305E327} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v209 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4757F0AF-812F-4B45-9612-231DA907292E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4757F0AF-812F-4B45-9612-231DA907292E} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v209 Guardian => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 Guardian => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{730AEFE6-01E7-4AE2-A6A4-BCA36C68CBCD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{730AEFE6-01E7-4AE2-A6A4-BCA36C68CBCD} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v209 - 3 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v209 - 3 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{824DFDAC-9941-4D9E-965B-20E47E6EDBCB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{824DFDAC-9941-4D9E-965B-20E47E6EDBCB} => key removed successfully
C:\WINDOWS\System32\Tasks\Online Application v209 Guard => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Online Application v209 Guard => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B00189C5-14A0-4C8D-B141-34B5D1B8DCD0} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B00189C5-14A0-4C8D-B141-34B5D1B8DCD0} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 2 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v2 - 2 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DF0AA594-FBD3-41C3-81B5-BF5D3BE4CDB7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF0AA594-FBD3-41C3-81B5-BF5D3BE4CDB7} => key removed successfully
C:\WINDOWS\System32\Tasks\Traffic Exchange v2 - 3 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Traffic Exchange v2 - 3 => key removed successfully
C:\WINDOWS\Tasks\Online Application v209 Guard.job => moved successfully
C:\WINDOWS\Tasks\Online Application v209 Guardian.job => moved successfully
C:\WINDOWS\Tasks\Online Application v209.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v2 - 1.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v209 - 1.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v209 - 2.job => moved successfully
C:\WINDOWS\Tasks\Traffic Exchange v209 - 3.job => moved successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\StartCN => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\StartCN => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\system_jconsole.jar => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\system_jconsole.jar => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32\\system_jconsole.jar => value removed successfully
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\system_jconsole.jar => value not found.
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\YzhzPack => value removed successfully
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\YzhzPack => value not found.
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\Arstworks => value removed successfully
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Arstworks => value not found.
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\Umcmedia => value removed successfully
HKU\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Umcmedia => value not found.
"C:\Program Files (x86)\cpx" => not found.

"C:\Program Files (x86)\dataup" folder move:

Could not move "C:\Program Files (x86)\dataup" => Scheduled to move on reboot.

"C:\Program Files (x86)\Microleaves" => not found.
C:\Program Files (x86)\regtool => moved successfully

"C:\Program Files (x86)\svcvmx" folder move:

Could not move "C:\Program Files (x86)\svcvmx" => Scheduled to move on reboot.

C:\Program Files (x86)\qdcomsvc => moved successfully
C:\Program Files (x86)\winscr => moved successfully
C:\ProgramData\1488477913 => moved successfully
C:\ProgramData\Comms => moved successfully
C:\ProgramData\mntemp => moved successfully
C:\Users\WhoAm\AppData\Local\{33901F07-89ED-4C76-AAEE-FA8AEB5E464A} => moved successfully

"C:\Users\WhoAm\AppData\Local\llssoft" folder move:

Could not move "C:\Users\WhoAm\AppData\Local\llssoft" => Scheduled to move on reboot.

C:\Users\WhoAm\AppData\Local\LumaEmu => moved successfully
C:\Users\WhoAm\AppData\Local\YzhzPack => moved successfully
C:\Users\WhoAm\AppData\Local\Umcmedia => moved successfully
C:\Users\WhoAm\AppData\Local\evyzuf.dll => moved successfully
C:\Users\WhoAm\AppData\Roaming\c => moved successfully
C:\Windows\SysWOW64\splsrv.exe => moved successfully
Could not move "C:\WINDOWS\System32\drivers\drmkpro64.sys" => Scheduled to move on reboot.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 77854939 B
Java, Flash, Steam htmlcache => 354207615 B
Windows/system/drivers => 9317308 B
Edge => 6803589 B
Chrome => 833322825 B
Firefox => 62935401 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
WhoAm => 1985174084 B

RecycleBin => 30974410912 B
EmptyTemp: => 31.9 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 02-03-2017 20:54:12)

"C:\Program Files (x86)\dataup" => Could not move
"C:\Program Files (x86)\svcvmx" => Could not move
C:\Users\WhoAm\AppData\Local\llssoft => Is moved successfully
"C:\WINDOWS\System32\drivers\drmkpro64.sys" => Could not move

Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\qdcomsvc => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected

==== End of Fixlog 20:54:17 ====

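An added example (not from the thread and not FRST's own code) that reads a Fixlog like the one above and lists what survived the fix, so the follow-up list (here two folders, one driver and the protected service keys) does not have to be compiled by hand; SAMPLE_FIXLOG is a constructed, shortened copy of the log's result lines:

```python
"""Parse an FRST Fixlog and list what resisted the fix.

Added example (not from the thread, not FRST's own code): classifies each
"target => outcome" line of a Farbar Recovery Scan Tool Fixlog and keeps the
targets whose LAST outcome is a failure. SAMPLE_FIXLOG is constructed.
"""
import re
from dataclasses import dataclass

# Outcome phrases as FRST writes them in the thread's log (matched lower-case).
FAILED = ("could not", "unable to", "scheduled to move")
SUCCEEDED = ("removed successfully", "moved successfully", "not found")

@dataclass(frozen=True)
class Outcome:
    target: str   # registry key or value, service name, or file-system path
    kind: str     # "regkey", "regvalue", "path" or "service"
    ok: bool
    message: str

def _classify(message):
    """True = gone, False = still present, None = not a removal line."""
    m = message.lower()
    if any(p in m for p in FAILED):
        return False
    return True if any(p in m for p in SUCCEEDED) else None

def _kind(target):
    if target.startswith(("HKLM\\", "HKU\\", "HKCU\\")):
        # FRST writes "key\\value" for a registry value and "key" for a key.
        return "regvalue" if "\\\\" in target else "regkey"
    return "path" if re.match(r"^[A-Za-z]:\\", target) else "service"

def parse_outcomes(log):
    """One Outcome per removal-result line; the echoed fixlist is skipped."""
    outcomes, in_fixlist, stars = [], False, 0
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("fixlist content:"):
            in_fixlist, stars = True, 0
            continue
        if in_fixlist:
            # The echoed fixlist sits between two "*****" lines and its
            # Run-key entries also contain "=>", so it must not be parsed.
            if line.startswith("*****"):
                stars += 1
                in_fixlist = stars < 2
            continue
        left, sep, message = line.partition(" => ")
        ok = _classify(message) if sep else None
        if ok is None:
            continue
        quoted = re.search(r'"([^"]+)"', left)   # e.g. Could not move "X"
        target = quoted.group(1) if quoted else left
        outcomes.append(Outcome(target, _kind(target), ok, message.rstrip(".")))
    return outcomes

def leftovers(log):
    """Targets whose last recorded outcome is a failure (post-reboot wins)."""
    last = {}
    for o in parse_outcomes(log):
        last[o.target] = o
    return [o for o in last.values() if not o.ok]

def leftovers_by_kind(log):
    """Group survivors the way a follow-up fix (FRST or BlitzBlank) lists them."""
    grouped = {}
    for o in leftovers(log):
        grouped.setdefault(o.kind, []).append(o.target)
    return grouped

SAMPLE_FIXLOG = r"""fixlist content:
*****************
HKLM-x32\...\Run: [cpx] => "C:\Program Files (x86)\cpx\cpx.exe" -starup <===== ATTENTION
*****************
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.
Dataup => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
realtek_amd64 => service removed successfully
"C:\Program Files (x86)\cpx" => not found.
Could not move "C:\Program Files (x86)\dataup" => Scheduled to move on reboot.
Could not move "C:\Users\WhoAm\AppData\Local\llssoft" => Scheduled to move on reboot.
Could not move "C:\WINDOWS\System32\drivers\drmkpro64.sys" => Scheduled to move on reboot.
=========== EmptyTemp: ==========
Chrome => 833322825 B
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 02-03-2017 20:54:12)
"C:\Program Files (x86)\dataup" => Could not move
C:\Users\WhoAm\AppData\Local\llssoft => Is moved successfully
"C:\WINDOWS\System32\drivers\drmkpro64.sys" => Could not move
Result of scheduled keys to remove after reboot:
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
"""

if __name__ == "__main__":
    for kind, targets in leftovers_by_kind(SAMPLE_FIXLOG).items():
        print(kind, *targets, sep="\n    ")
```

The llssoft folder is deliberately included: it fails in the first pass but is reported moved after the reboot, so it must not appear in the leftovers.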

Sorry, I forgot that FRST changed the way it names the folder. There should be a folder called 02.03.2017_20.48.55.zip.

Also, now are you able to uninstall the two following programs?

Online.io Application
Traffic Exchange

Also, we'll use BlitzBlank to remove 2 folders and one driver that resisted the FRST fix.

BlitzBlank

  • Download BlitzBlank and save it on your Desktop;
  • Right-click on BlitzBlank.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Script tab in the top left corner, and copy/paste the following in the text area:
    DeleteFolder:
    "C:\Program Files (x86)\dataup"
    "C:\Program Files (x86)\svcvmx"
    DisableDriver:
    C:\WINDOWS\System32\drivers\drmkpro64.sys
    DeleteFile:
    C:\WINDOWS\System32\drivers\drmkpro64.sys
    
  • Once done, click on the Execute button, click on Ok on the warning that will pop-up and the second Ok to reboot your system;


Weird. The file path is correct but I suspect that the file was deleted even though FRST reported that it couldn't. Copy/paste this instead.

DeleteFolder:
"C:\Program Files (x86)\dataup"
"C:\Program Files (x86)\svcvmx"
DisableDriver:
C:\WINDOWS\System32\drivers\drmkpro64.sys


Alright, follow the instructions below.

On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive along with the attached fixlist.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button.
  • It will make a log (fixlog.txt) on the flash drive. Please copy and paste it to your reply.

fixlist.txt


The log as requested.

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-03-2017
Ran by SYSTEM (03-03-2017 10:02:04) Run:2
Running from e:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
REG: REG DELETE "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "cpx" /f
REG: REG DELETE "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "svcvmx" /f
REG: REG DELETE "HKLM\System\CurrentControlSet\Services\Dataup" /f
REG: REG DELETE "HKLM\System\CurrentControlSet\Services\qdcomsvc" /f
REG: REG DELETE "HKLM\System\CurrentControlSet\Services\windowsmanagementservice" /f
REG: REG DELETE "HKLM\System\CurrentControlSet\Services\drmkpro64" /f

R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed] <==== ATTENTION

C:\Program Files (x86)\dataup
C:\Program Files (x86)\svcvmx
C:\WINDOWS\System32\drivers\drmkpro64.sys
*****************


========= REG DELETE "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "cpx" /f =========

The operation completed successfully.


========= End of Reg: =========


========= REG DELETE "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "svcvmx" /f =========

The operation completed successfully.


========= End of Reg: =========


========= REG DELETE "HKLM\System\CurrentControlSet\Services\Dataup" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= REG DELETE "HKLM\System\CurrentControlSet\Services\qdcomsvc" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= REG DELETE "HKLM\System\CurrentControlSet\Services\windowsmanagementservice" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= REG DELETE "HKLM\System\CurrentControlSet\Services\drmkpro64" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========

HKLM\System\ControlSet001\Services\drmkpro64 => key removed successfully
drmkpro64 => service removed successfully
C:\Program Files (x86)\dataup => moved successfully
C:\Program Files (x86)\svcvmx => moved successfully
C:\WINDOWS\System32\drivers\drmkpro64.sys => moved successfully

==== End of Fixlog 10:02:05 ====


The infection is still present, alright. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.

  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
    drmkpro64.sys;dataup.exe;svcvmx.exe;qdcomsvc.exe;splsrv.exe;ct.exe;winscr.exe;vmxclient.exe
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;

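The same registry search, redone in PowerShell as an added example; this is not part of the original thread and not FRST's own code. It takes the eight indicator names from the post above and looks for them where this infection persisted (service and driver ImagePath values, the 64-bit and WOW6432Node Run keys) and at the on-disk locations that later appear in the fix list. Two choices go beyond what FRST does: the match is anchored to whole file names, so "ct.exe" no longer pulls in imjpdct.exe and UI0Detect.exe the way the substring search did, and services are read from every ControlSet* key instead of CurrentControlSet. The latter is general Windows behaviour, not something the thread states: CurrentControlSet is a link the kernel creates at boot, so an offline hive loaded from the recovery environment has no such key, which is the usual reason a REG DELETE against CurrentControlSet reports "unable to find" while the same key under ControlSet001 is deleted fine. The function name, the output shape and the choice of user Temp folder as the place to look for the dated subfolder are this example's own assumptions.

```powershell
# Added example, not code from the thread or from FRST. Run from an elevated
# PowerShell prompt on the booted system; re-run after a fix to confirm the
# entries are gone.

# Indicator list exactly as posted in the FRST Registry Search instructions.
$Indicators = @(
    'drmkpro64.sys', 'dataup.exe', 'svcvmx.exe', 'qdcomsvc.exe',
    'splsrv.exe', 'ct.exe', 'winscr.exe', 'vmxclient.exe'
)

function Find-IndicatorPersistence {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $Names)

    # Whole-file-name match: the name must be preceded by a path separator,
    # a quote, whitespace or start-of-string and followed by end, quote or
    # whitespace. This keeps "ct.exe" from matching imjpdct.exe.
    $alts    = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = '(?i)(^|[\\/"\s])(' + $alts + ')($|["\s])'

    # 1. Services and drivers, enumerated per control set (see lead-in).
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        $svcRoot = Join-Path $cs.PSPath 'Services'
        foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
            $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath `
                        -ErrorAction SilentlyContinue).ImagePath
            if ($img -and $img -match $pattern) {
                [pscustomobject]@{
                    Kind   = 'Service'
                    Where  = "$($cs.PSChildName)\Services\$($svc.PSChildName)"
                    Detail = $img
                }
            }
        }
    }

    # 2. Run keys in both registry views (the "cpx" and "svcvmx" values in
    #    the fixlogs lived under WOW6432Node) plus the current user's key.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not values
            if ("$($p.Value)" -match $pattern) {
                [pscustomobject]@{ Kind = 'Run'; Where = "$key\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # 3. Files on disk at the locations named in the thread's fix list. The
    #    user Temp folder stands in for the dated subfolder that held ct.exe
    #    (assumption: the folder name varies, the parent does not).
    $paths = @(
        "${env:ProgramFiles(x86)}\winscr",
        "${env:ProgramFiles(x86)}\dataup",
        "${env:ProgramFiles(x86)}\svcvmx",
        "${env:ProgramFiles(x86)}\qdcomsvc",
        "$env:SystemRoot\SysWOW64\splsrv.exe",
        "$env:SystemRoot\System32\drivers\drmkpro64.sys",
        "$env:LOCALAPPDATA\Temp"
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        if (Test-Path -LiteralPath $p -PathType Container) {
            Get-ChildItem -LiteralPath $p -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $Names -contains $_.Name } |
                ForEach-Object {
                    [pscustomobject]@{ Kind = 'File'; Where = $_.FullName; Detail = "$($_.Length) bytes" }
                }
        } else {
            $len = (Get-Item -LiteralPath $p).Length
            [pscustomobject]@{ Kind = 'File'; Where = $p; Detail = "$len bytes" }
        }
    }
}

$hits = @(Find-IndicatorPersistence -Names $Indicators)
if ($hits.Count -eq 0) {
    'No indicator found in services, Run keys or on disk.'
} else {
    $hits | Format-Table -AutoSize
}
```

A non-empty table after a fix means persistence survived, exactly the situation the "infection is still present" reply is reacting to; the Where column tells you which control set or key to target in the next fixlist. Finding a service under ControlSet002 but not ControlSet001 is expected on machines that keep a LastKnownGood set and is not by itself a sign of reinfection.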

Farbar Recovery Scan Tool (x64) Version: 01-03-2017
Ran by WhoAm (03-03-2017 10:50:26)
Running from C:\Users\WhoAm\Downloads
Boot Mode: Normal

================== Search Registry: "drmkpro64.sys;dataup.exe;svcvmx.exe;qdcomsvc.exe;splsrv.exe;ct.exe;winscr.exe;vmxclient.exe" ===========


===================== Search result for "drmkpro64.sys" ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drmkpro64]
"ImagePath"="system32\drivers\drmkpro64.sys"


===================== Search result for "dataup.exe" ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dataup]
"ImagePath"="C:\Program Files (x86)\dataup\dataup.exe"


===================== Search result for "svcvmx.exe" ==========

[HKEY_USERS\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{24B06EAD-57F5-408F-968C-9A33C9F931F6}]
"AppId"="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\svcvmx\svcvmx.exe"

[HKEY_USERS\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\svcvmx\svcvmx.exe"="0x534143500100000000000000070000002800000000AE0D00000000000100000000000000000003060001000033504C2B57DFD101000000000000000002000000280000000000000000000000000000000000000000000000000000002F000000000000000100000001000000"


===================== Search result for "qdcomsvc.exe" ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qdcomsvc]
"ImagePath"=""C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe" /svc"


===================== Search result for "ct.exe" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5d04f46-b4b2-4202-a191-f780421b4200}]
"AppName"="imjpdct.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unsecapp.exe:wbemtest.exe:winmgmt.exe:wmic.exe:bfsvc.exe:Twunk_16.exe:Twunk_32.exe:wuauclt.exe:wsqmcons.exe:sapisvr.exe:WinSAT.exe:p2phost.exe:SearchProtocolHost.exe:WerFault.exe:drvinst.exe:ehshell.exe:UI0Detect.exe:ehtray.exe:HelpPane.exe:mrt.exe:SearchFilterHost.exe:mobsync.exe:Narrator.exe:SLUI.exe:taskmgr.exe:PresentationSettings.exe:vds.exe:sdclt.exe:irftp.exe:DFDWiz.exe:SndVol.exe:makecab.exe:msfeedssync.exe:unregmp2.exe:DeviceProperties.exe:rstrui.exe:MdRes.exe:netsh.exe:printui.exe:mcupdate.exe:4mmdat.sys:61883.sys:ACPI.sys:amdk7.sys:amdk8.sys:ASYNCMAC.SYS:atapi.sys:AVC.SYS:cdfs.sys:cdrom.sys:circlass.sys:cmbatt.sys:crusoe.sys:CSC.Sys:dc21x4vm.sys:disk.sys:dot4.sys:dot4usb.sys:drmkaud.sys:ecache.sys:fdc.sys:floppy.sys:hdaudbus.sys:HDAudio.sys:HIDBTH.SYS:HIDIR.SYS:i8042prt.sys:intelppm.sys:irenum.SYS:IRSIR.SYS:kbdclass.sys:kbdhid.sys:LOOP.SYS:mf.sys:monitor.sys:mouclass.sys:mouhid.sys:msisadrv.sys:msiscsi.sys:NDISWAN.SYS:nsiproxy.sys:ohci1394.sys:pci.sys:pciide.sys:powerfil.sys:processr.sys:rasl2tp.sys:raspppoe.sys:RASPPTP.SYS:RDPCDD.SYS:rfcomm.sys:sbp2port.sys:sdbus.sys:serenum.sys:serial.sys:sermouse.sys:sffdisk.sys:sffp_mmc.sys:smbios.sys:swenum.sys:tdx.sys:termdd.sys:tpm.sys:tunmp.sys:tunnel.sys:umbus.sys:update.sys:usb8023.sys:USBAudio.sys:USBCCGP.SYS:usbcir.sys:USBEHCI.sys:usbhub.sys:USBOHCI.sys:usbprint.sys:USBUHCI.sys:viac7.sys:wacompen.sys:wceusbsh.sys:winusb.sys:ws2ifsl.sys:xnacc.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5d04f46-b4b2-4202-a191-f780421b4200}]
"AppName"="imjpdct.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Interactive Services detection]
"EventMessageFile"="%SystemRoot%\System32\UI0Detect.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UI0Detect]
"DisplayName"="@%SystemRoot%\system32\ui0detect.exe,-101"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UI0Detect]
"ImagePath"="%SystemRoot%\system32\UI0Detect.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UI0Detect]
"Description"="@%SystemRoot%\system32\ui0detect.exe,-102"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windowsmanagementservice]
"ImagePath"="C:\Users\WhoAm\AppData\Local\Temp\20170302\ct.exe"

[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\50\52C64B7E]
"@%SystemRoot%\system32\ui0detect.exe,-101"="Interactive Services Detection"

[HKEY_USERS\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Classes\Local Settings\MuiCache\50\52C64B7E]
"@%SystemRoot%\system32\ui0detect.exe,-101"="Interactive Services Detection"


===================== Search result for "vmxclient.exe" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\vmxclient.exe]

[HKEY_USERS\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\35abc517_0]
""="{2}.\\?\hdaudio#func_01&ven_10ec&dev_0290&subsys_103c22a8&rev_1000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\singlelineouttopo/00010001
\Device\HarddiskVolume4\Program Files (x86)\svcvmx\vmxclient.exe%b{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{E9FE2A0D-909B-4868-A792-D268678259D2}]
"AppId"="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\svcvmx\vmxclient.exe"

[HKEY_USERS\S-1-5-21-4090259154-390589803-1840079571-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\svcvmx\vmxclient.exe"="0x5341435001000000000000000700000028000000009810000000000001000000000000000000000A0021000033504C2B57DFD1010000000000000000020000002800000000000000000000000000000000000000000000000000000020000000000000000100000001000000"

====== End of Search ======


Fix result of Farbar Recovery Scan Tool (x64) Version: 01-03-2017
Ran by SYSTEM (03-03-2017 11:55:57) Run:3
Running from e:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
REG: REG DELETE "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "cpx" /f
REG: REG DELETE "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "svcvmx" /f
REG: REG DELETE "HKLM\System\ControlSet001\Services\Dataup" /f
REG: REG DELETE "HKLM\System\ControlSet001\Services\qdcomsvc" /f
REG: REG DELETE "HKLM\System\ControlSet001\Services\windowsmanagementservice" /f
REG: REG DELETE "HKLM\System\ControlSet001\Services\drmkpro64" /f
REG: REG DELETE "HKLM\System\ControlSet001\Services\splsrv" /f

R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed] <==== ATTENTION
R2 windowsmanagementservice; C:\Users\WhoAm\AppData\Local\Temp\20170302\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed] <==== ATTENTION
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2012-01-31] () [File not signed] <==== ATTENTION

C:\Program Files (x86)\winscr
C:\Program Files (x86)\dataup
C:\Program Files (x86)\svcvmx
C:\Program Files (x86)\qdcomsvc
C:\Users\WhoAm\AppData\Local\Temp\20170302
C:\Windows\SysWOW64\splsrv.exe
C:\WINDOWS\System32\drivers\drmkpro64.sys
*****************


========= REG DELETE "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "cpx" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= REG DELETE "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "svcvmx" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= REG DELETE "HKLM\System\ControlSet001\Services\Dataup" /f =========

The operation completed successfully.


========= End of Reg: =========


========= REG DELETE "HKLM\System\ControlSet001\Services\qdcomsvc" /f =========

The operation completed successfully.


========= End of Reg: =========


========= REG DELETE "HKLM\System\ControlSet001\Services\windowsmanagementservice" /f =========

The operation completed successfully.


========= End of Reg: =========


========= REG DELETE "HKLM\System\ControlSet001\Services\drmkpro64" /f =========

The operation completed successfully.


========= End of Reg: =========


========= REG DELETE "HKLM\System\ControlSet001\Services\splsrv" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========

Dataup => service not found.
qdcomsvc => service not found.
windowsmanagementservice => service not found.
drmkpro64 => service not found.
C:\Program Files (x86)\winscr => moved successfully
C:\Program Files (x86)\dataup => moved successfully
C:\Program Files (x86)\svcvmx => moved successfully
C:\Program Files (x86)\qdcomsvc => moved successfully
C:\Users\WhoAm\AppData\Local\Temp\20170302 => moved successfully
C:\Windows\SysWOW64\splsrv.exe => moved successfully
C:\WINDOWS\System32\drivers\drmkpro64.sys => moved successfully

==== End of Fixlog 11:55:59 ====

