Bitsjobs cmd prompt random pop ups

nicpo · 12 Aug 2016

RKILL found nothing then closed

Rkill 2.8.4 by Lawrence Abrams (Grinler)
BleepingComputer.com - News, Reviews, and Technical Support
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
RKill - What it does and What it Doesnt - A brief introduction to the program - Anti-Virus, Anti-Malware, and Privacy Software

Program started at: 08/13/2016 03:15:03 AM in x64 mode.
Windows Version: Windows 10 Home

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* gagp30kx [Missing Service]
* IEEtwCollectorService [Missing Service]
* IoQos [Missing Service]
* nv_agp [Missing Service]
* TimeBroker [Missing Service]
* uagp35 [Missing Service]
* uliagpkx [Missing Service]
* WcsPlugInService [Missing Service]
* wpcfltr [Missing Service]
* WSService [Missing Service]

* agp440 [Missing ImagePath]

* AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
* WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

* vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
* vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 down.baidu2016.com
127.0.0.1 123.sogou.com
127.0.0.1 http://www.czzsyzgm.com
127.0.0.1 http://www.czzsyzxl.com
127.0.0.1 union.baidu2019.com
127.0.0.1 platform.wondershare.com

Program finished at: 08/13/2016 03:16:49 AM
Execution time: 0 hours(s), 1 minute(s), and 46 seconds(s)

JRK -

File System: 1

Successfully deleted: C:\Users\Alex\Appdata\LocalLow\company (Folder)

Registry: 3

Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_AD2529C7DB5B63D28C2336238 5276129 (Registry Value)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A8C3BAA-AA11-45DB-9228-8F22C27379D1} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{6A8C3BAA-AA11-45DB-9228-8F22C27379D1} (Registry Key)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 13/08/2016 at 3:23:00.03
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

rest coming......

simrick · 12 Aug 2016

Thanks. So far nothing major.
I'll be back in the morning.

nicpo · 12 Aug 2016

Final rkill before reboot -

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* gagp30kx [Missing Service]
* IEEtwCollectorService [Missing Service]
* IoQos [Missing Service]
* nv_agp [Missing Service]
* TimeBroker [Missing Service]
* uagp35 [Missing Service]
* uliagpkx [Missing Service]
* WcsPlugInService [Missing Service]
* wpcfltr [Missing Service]
* WSService [Missing Service]

* agp440 [Missing ImagePath]

* AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
* WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

* vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
* vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 down.baidu2016.com
127.0.0.1 123.sogou.com
127.0.0.1 http://www.czzsyzgm.com
127.0.0.1 http://www.czzsyzxl.com
127.0.0.1 union.baidu2019.com
127.0.0.1 platform.wondershare.com

Program finished at: 08/13/2016 04:51:12 AM
Execution time: 0 hours(s), 0 minute(s), and 18 seconds(s)

nicpo · 12 Aug 2016

ADWcleaner log after reboot

# AdwCleaner v5.201 - Logfile created 13/08/2016 at 04:49:21
# Updated 30/06/2016 by ToolsLib
# Database : 2016-08-12.4 [Server]
# Operating system : Windows 10 Home (X64)
# Username : Alex - ALEX
# Running from : C:\Users\Alex\Downloads\adwcleaner_5.201.exe
# Option : Clean
# Support : ToolsLib - Forum: Ask for help or share your experience.

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
[-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp

***** [ Web browsers ] *****

[-] [C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://www1.delta-search.com/?affID=120519&babsrc=HP_ss&mntrId=F82F5E95AE021070
[-] [C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN68053831623824720&UM=2
[-] [C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxps://uk.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_freaudedtr_16_09&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Dgb%26pa%3DWincy %26cd%3D2XzuyEtN2Y1L1Qzu0D0AyD0D0EtB0C0D0AyB0F0D0E0A0CyCtN0D0Tzu0StCyDtBtDtN1L2XzutAtFtCzztFtCtFtCtN 1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2StDtDyBtCtD0F0E0DtGtC0FzyyDtGyB0D0EtAtGyBzz0CtCtGyB0ByB0EyBtAyC0C0EyD yB0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0Azy0DtByE0C0BtGyDtCtD0AtGyEzyyBtCtGzz0FtDtBtGzy0DyEtBtAtBtAyE0FyBtC yD2QtN0A0LzuyE%26cr%3D784703646%26a%3Dwncy_freaudedtr_16_09%26os_ver%3D10.0%26os%3DWindows%2B10%2BHo me
[-] [C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : khnpeclbnipcdacdkhejifenadikeghk
[-] [C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : lfmhcpmkbdkbgbmkjoiopeeegenkdikp
[-] [C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Deleted : hxxp://www1.delta-search.com/?affID=120519&babsrc=HP_ss&mntrId=F82F5E95AE021070

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

simrick · 13 Aug 2016

Did MBAR or TDSSKiller find anything? Have you flushed the DNS cache? Ran Ccleaner on all browsers to clear everything? Running ESET online scan now?

Superfly · 13 Aug 2016

@simrick, what I can't fathom is how it could still be happening with BITS disabled..
Bitsadmin will only run if an error occurs with a (non-WU) download... but his queue is clear anyways. Very strange.

nicpo · 13 Aug 2016

The problem has gone. I had no logs for MBAR, Everything else done apart from ESAT scan

simrick · 13 Aug 2016

Superfly said:

@simrick, what I can't fathom is how it could still be happening with BITS disabled..
Bitsadmin will only run if an error occurs with a (non-WU) download... but his queue is clear anyways. Very strange.

Very strange... He needs to enable it now though, right?

nicpo said:

The problem has gone. I had no logs for MBAR, Everything else done apart from ESAT scan

Oh! Good news indeed!

The ESET Online Scan will give you the final all-clear.

nicpo · 13 Aug 2016

You're all a great brunch :) thanks

Superfly · 13 Aug 2016

simrick said:

Very strange... He needs to enable it now though, right?

Yep!

nicpo said:

You're all a great brunch :) thanks

Glad!

:)