
What is swsys.exe?


This topic is locked. 20 replies to this topic.

#1 l1990b (Members, 12 posts)

Posted 04 September 2013 - 02:39 PM

Hi,

In Process Explorer, there is a process called swsys.exe. Is this process dangerous, and should it be removed?

Also, are these working set values considered normal, or is there something wrong?

Physical memory is at 77%, and when I close my IE or Mozilla browser it is idle at 56% usage? The ekrn.exe NOD32 software file is constantly at a 100K working set and does not change.

iexplorer.exe - 195.240K
ekrn.exe - 109.000K
explorer.exe - 84.248K
svchost.exe - 83.352K

Thanks


Edited by l1990b, 04 September 2013 - 02:40 PM.



#2 buddy215 (Moderator, 13,192 posts, West Tennessee)

Posted 04 September 2013 - 02:49 PM

swsys.exe ....... possibly adware.

Use these two programs to find and remove adware/crapware:

AdwCleaner Download

SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!

EDIT: post the logs of what was found and removed back here...


Edited by buddy215, 04 September 2013 - 02:50 PM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 l1990b (Topic Starter, Members, 12 posts)

Posted 04 September 2013 - 02:54 PM

Okay, I will do that now.

I also found amsvc.exe. I think this is bad as well?



#4 Animal, Bleepin' Animinion (Site Admin, 35,292 posts)

Posted 04 September 2013 - 03:11 PM

Do you have, or have you ever had, any Adobe Acrobat products?

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)


Follow BleepingComputer on: Facebook | Twitter | Google+

#5 l1990b (Topic Starter, Members, 12 posts)

Posted 04 September 2013 - 03:17 PM

No. I have only installed Adobe Flash Player. I first scanned with AdwCleaner:

# AdwCleaner v3.002 - Report created 04/09/2013 at 22:07:28
# Updated 01/09/2013 by Xplode
# Operating System : Windows Vista ™ Ultimate Service Pack 2 (32 bits)
# Username : lal - LAL-PC
# Running from : C:\Users\lal\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9WT35XG\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\adawaretb
Folder Deleted : C:\ProgramData\blekko toolbars
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ilivid Player
Folder Deleted : C:\Program Files\adawaretb
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Ilivid Player
Folder Deleted : C:\Users\lal\AppData\Local\Conduit
Folder Deleted : C:\Users\lal\AppData\Local\PackageAware
Folder Deleted : C:\Users\lal\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\lal\AppData\Local\Wajam
Folder Deleted : C:\Users\lal\AppData\LocalLow\adawaretb
Folder Deleted : C:\Users\lal\AppData\LocalLow\boost_interprocess
Folder Deleted : C:\Users\lal\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\lal\AppData\LocalLow\facemoods.com
Folder Deleted : C:\Users\lal\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\lal\AppData\Roaming\registry mechanic
Folder Deleted : C:\Users\lal\AppData\Roaming\Systweak
Folder Deleted : C:\Users\lal\AppData\Roaming\Mozilla\Firefox\Profiles\ttplndgq.default\adawaretb
Folder Deleted : C:\Users\lal\AppData\Roaming\Mozilla\Firefox\Profiles\ttplndgq.default\Smartbar
Folder Deleted : C:\Users\lal\AppData\Roaming\Mozilla\Firefox\Profiles\ttplndgq.default\CT1561552
Folder Deleted : C:\Users\lal\AppData\Roaming\Mozilla\Firefox\Profiles\ttplndgq.default\Extensions\{c95a4e8e-816d-4655-8c79-d736da1adb6d}
Folder Deleted : C:\Users\lal\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
File Deleted : C:\Users\lal\AppData\Roaming\Mozilla\Firefox\Profiles\ttplndgq.default\Extensions\addon@defaulttab.com.xpi
File Deleted : C:\END
File Deleted : C:\Windows\system32\conduitEngine.tmp
File Deleted : C:\Users\lal\AppData\Roaming\Mozilla\Firefox\Profiles\ttplndgq.default\.autoreg
File Deleted : C:\Users\lal\AppData\Roaming\Mozilla\Firefox\Profiles\ttplndgq.default\searchplugins\search-here.xml

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\facemoods.facemoodsHlpr
Key Deleted : HKLM\SOFTWARE\Classes\facemoods.facemoodsHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1561552
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Default Tab
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\systweak
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

-\\ Mozilla Firefox v23.0.1 (nl)

[ File : C:\Users\lal\AppData\Roaming\Mozilla\Firefox\Profiles\ttplndgq.default\prefs.js ]

Line Deleted : user_pref("CT1561552.1000082.isPlayDisplay", "true");
Line Deleted : user_pref("CT1561552.1000082.state", "{\"state\":\"stopped\",\"text\":\"Danceradio\",\"description\":\"Danceradio\",\"url\":\"hxxp://101danceradio.com/wmx/classicrockjukebox64k.wmx\"}");
Line Deleted : user_pref("CT1561552.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT1561552.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT1561552.FF19Solved", "true");
Line Deleted : user_pref("CT1561552.FirstTime", "true");
Line Deleted : user_pref("CT1561552.FirstTimeFF3", "true");
Line Deleted : user_pref("CT1561552.GK_HotspotShield_NOTIF_26_02_SENT.enc", "MQ==");
Line Deleted : user_pref("CT1561552.SearchAppState.enc", "Mg==");
Line Deleted : user_pref("CT1561552.UserID", "UN21011544176999109");
Line Deleted : user_pref("CT1561552.addressBarTakeOverEnabledInHidden", "true");
Line Deleted : user_pref("CT1561552.defaultSearch", "false");
Line Deleted : user_pref("CT1561552.enableAlerts", "true");
Line Deleted : user_pref("CT1561552.enableFix404ByUser", "TRUE");
Line Deleted : user_pref("CT1561552.enableSearchFromAddressBar", "true");
Line Deleted : user_pref("CT1561552.firstTimeDialogOpened", "true");
Line Deleted : user_pref("CT1561552.fixPageNotFoundError", "true");
Line Deleted : user_pref("CT1561552.fixPageNotFoundErrorByUser", "true");
Line Deleted : user_pref("CT1561552.fixPageNotFoundErrorInHidden", "true");
Line Deleted : user_pref("CT1561552.fixUrls", true);
Line Deleted : user_pref("CT1561552.homepageuserchanged", true);
Line Deleted : user_pref("CT1561552.hxxp___pinterest_aot_im.isEnabled.enc", "WQ==");
Line Deleted : user_pref("CT1561552.installDate", "26/3/2013 2:12:55");
Line Deleted : user_pref("CT1561552.installId", "conduitinstaller.exe");
Line Deleted : user_pref("CT1561552.installType", "conduitnsisintegration");
Line Deleted : user_pref("CT1561552.installerVersion", "1.3.7.3");
Line Deleted : user_pref("CT1561552.isCheckedStartAsHidden", true);
Line Deleted : user_pref("CT1561552.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT1561552.isFirstTimeToolbarLoading", "false");
Line Deleted : user_pref("CT1561552.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Deleted : user_pref("CT1561552.keyword", "true");
Line Deleted : user_pref("CT1561552.lastNewTabSettings", "{\"isEnabled\":false,\"newTabUrl\":\"hxxp://search.conduit.com/?ctid=CT1561552&octid=CT1561552&SearchSource=15&CUI=UN21011544176999109&SSPV=EB_SSPV&Lay=1&UM=[...]
Line Deleted : user_pref("CT1561552.lastVersion", "10.16.2.509");
Line Deleted : user_pref("CT1561552.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT1561552.migrateAppsAndComponents", true);
Line Deleted : user_pref("CT1561552.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"hxxp%3A%2F%2Fhelpx.adobe.com%2Fflash-player%2Fkb%2Funinstall-flash-player-windows.html\",\"EB_MAIN_FRAME_TITLE\":\"%0A%20%20%20%2[...]
Line Deleted : user_pref("CT1561552.openThankYouPage", "false");
Line Deleted : user_pref("CT1561552.openUninstallPage", "true");
Line Deleted : user_pref("CT1561552.revertSettingsEnabled", "false");
Line Deleted : user_pref("CT1561552.search.searchAppId", "128491907208256770");
Line Deleted : user_pref("CT1561552.search.searchCount", "0");
Line Deleted : user_pref("CT1561552.searchInNewTabEnabledByUser", "false");
Line Deleted : user_pref("CT1561552.searchInNewTabEnabledInHidden", "true");
Line Deleted : user_pref("CT1561552.searchUserMode", "1");
Line Deleted : user_pref("CT1561552.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT1561552.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT1561552.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
Line Deleted : user_pref("CT1561552.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT1561552\"}");
Line Deleted : user_pref("CT1561552.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://HotspotShield.OurToolbar.com//xpi\"}");
Line Deleted : user_pref("CT1561552.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"Hotspot Shield\"}");
Line Deleted : user_pref("CT1561552.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT1561552.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1364260524165");
Line Deleted : user_pref("CT1561552.serviceLayer_services_appsMetadata_lastUpdate", "1364260523856");
Line Deleted : user_pref("CT1561552.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1364260526979");
Line Deleted : user_pref("CT1561552.serviceLayer_services_location_lastUpdate", "1370748423219");
Line Deleted : user_pref("CT1561552.serviceLayer_services_login_10.14.360.10_lastUpdate", "1366881717894");
Line Deleted : user_pref("CT1561552.serviceLayer_services_login_10.15.2.523_lastUpdate", "1367949936982");
Line Deleted : user_pref("CT1561552.serviceLayer_services_login_10.16.1.521_lastUpdate", "1368903740930");
Line Deleted : user_pref("CT1561552.serviceLayer_services_login_10.16.2.509_lastUpdate", "1370748424196");
Line Deleted : user_pref("CT1561552.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1364260523867");
Line Deleted : user_pref("CT1561552.serviceLayer_services_searchAPI_lastUpdate", "1364260523366");
Line Deleted : user_pref("CT1561552.serviceLayer_services_serviceMap_lastUpdate", "1370748423044");
Line Deleted : user_pref("CT1561552.serviceLayer_services_setupAPI_lastUpdate", "1364260526697");
Line Deleted : user_pref("CT1561552.serviceLayer_services_toolbarContextMenu_lastUpdate", "1364260523761");
Line Deleted : user_pref("CT1561552.serviceLayer_services_toolbarSettings_lastUpdate", "1370755920499");
Line Deleted : user_pref("CT1561552.serviceLayer_services_translation_lastUpdate", "1370748423984");
Line Deleted : user_pref("CT1561552.settingsINI", true);
Line Deleted : user_pref("CT1561552.shouldFirstTimeDialog", "false");
Line Deleted : user_pref("CT1561552.showToolbarPermission", "false");
Line Deleted : user_pref("CT1561552.smartbar.CTID", "CT1561552");
Line Deleted : user_pref("CT1561552.smartbar.Uninstall", "0");
Line Deleted : user_pref("CT1561552.smartbar.isHidden", true);
Line Deleted : user_pref("CT1561552.smartbar.toolbarName", "Hotspot Shield ");
Line Deleted : user_pref("CT1561552.startPage", "false");
Line Deleted : user_pref("CT1561552.toolbarBornServerTime", "26-3-2013");
Line Deleted : user_pref("CT1561552.toolbarCurrentServerTime", "9-6-2013");
Line Deleted : user_pref("CT1561552.toolbarDisabled", "true");
Line Deleted : user_pref("CT1561552.toolbarLoginClientTime", "Thu Apr 25 2013 14:52:41 GMT+0200");
Line Deleted : user_pref("CT1561552.twitter_v1.8.0_twitter_app_open_t_f.enc", "ZmFsc2U=");
Line Deleted : user_pref("CT1561552.url_history0001.enc", "aHR0cDovL3d3dy5oc3NlbGl0ZS5jb20vZmFxOjo6Y2xpY2toYW5kbGVyOjo6MTM2NDI4MTAyMTY3NiwsLGh0dHA6Ly93d3cuZ29vZ2xlLm5sL3VybD9zYT10JnJjdD1qJnE9Y2FzaW5vJTIwY2hhbmdlJTIw[...]
Line Deleted : user_pref("CT1561552_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1370755796926,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561552&SearchSource=2&CUI=UN21011544176999109&UM=1&sspv=TB_FS&q=");
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561552&SearchSource=2&CUI=UN21011544176999109&UM=1&sspv=TB_FS&q=");
Line Deleted : user_pref("smartbar.machineId", "51UWHOSJVVBOYF41TCPMFLUX0FEHEKLUNVFBHIJI1CPDBEHHKLROT/K0VAYY05EFYWN7SFKWX7BCTFDA7BH+HG");
Line Deleted : user_pref("smartbar.originalSearchAddressUrl", "");

-\\ Google Chrome v

[ File : C:\Users\lal\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage

*************************

AdwCleaner[R0].txt - [13003 octets] - [04/09/2013 21:55:45]
AdwCleaner[S0].txt - [13178 octets] - [04/09/2013 22:07:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [13239 octets] ##########

 

 

SUPERAntiSpyware results are coming.



#6 Animal, Bleepin' Animinion (Site Admin, 35,292 posts)

Posted 04 September 2013 - 03:24 PM

Someone else can confirm, but I don't think that's the same .exe as the Flash updater. The .exe you have is known as the Adobe Acrobat updater, but it could possibly be malware. Other, more malware-knowledgeable people will be able to assist you in properly identifying that .exe.


#7 l1990b (Topic Starter, Members, 12 posts)

Posted 04 September 2013 - 03:26 PM

I see. So what do I do now? Can I just remove the .exe file?



#8 buddy215 (Moderator, 13,192 posts, West Tennessee)

Posted 04 September 2013 - 03:33 PM

SUPERAntiSpyware may offer more on those two files.

If not, submit them here: VirusTotal - Free Online Virus and Malware Scan

You had a lot of adware that AdwCleaner removed.


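An added triage script for the step suggested above, written for this page and not posted by anyone in the thread: before deleting swsys.exe or amsvc.exe, or uploading them anywhere, it locates the running processes of those names, prints the image path, command line and parent process, checks the Authenticode signature, computes the SHA256 so the hash can be searched on VirusTotal without uploading the file, and lists Run/RunOnce values and services that reference the binary. The process names default to the two from the thread; the registry locations checked and the VirusTotal lookup URL format are assumptions of this example, as is the target of Windows PowerShell 2.0 or later (the Vista-era version) from an elevated prompt.

```powershell
# Added triage script (editor's example, not from this thread): inspect a
# running process by name before deleting it or uploading it anywhere.
# Assumes Windows PowerShell 2.0+ (Get-WmiObject) in an elevated prompt;
# process names default to the two asked about in the thread.

param(
    [string[]]$Names = @('swsys', 'amsvc')   # names without the .exe suffix
)

function Get-Sha256Hex {
    # Hash via .NET so this also works on PowerShell 2.0, which lacks Get-FileHash.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Get-AutorunReferences {
    # Persistence check: Run/RunOnce values and services whose command references the file.
    # These are the common locations (an assumption); Sysinternals Autoruns covers far more.
    param([string]$ImagePath)
    $leaf = [regex]::Escape([System.IO.Path]::GetFileName($ImagePath))
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($v in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }          # provider metadata, not autoruns
            if ("$($v.Value)" -match $leaf) { "$k\$($v.Name) = $($v.Value)" }
        }
    }
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -match $leaf } |
        ForEach-Object { "Service $($_.Name) ($($_.StartMode)): $($_.PathName)" }
}

foreach ($name in $Names) {
    $procs = @(Get-WmiObject Win32_Process -Filter "Name = '$name.exe'")
    if ($procs.Count -eq 0) { Write-Output "$name.exe: not running"; continue }
    foreach ($p in $procs) {
        $path   = $p.ExecutablePath
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        Write-Output "=== $($p.Name) (PID $($p.ProcessId)) ==="
        Write-Output "Path        : $path"
        Write-Output "CommandLine : $($p.CommandLine)"
        Write-Output "Parent      : $($parent.Name) (PID $($p.ParentProcessId))"
        if (-not $path -or -not (Test-Path $path)) {
            Write-Output "Image not readable (access denied, or file already deleted); treat as suspicious"
            continue
        }
        # NotSigned in a user-profile or Temp path is the usual adware pattern; a Valid
        # signature only tells you who signed the file, not that you want it running.
        $sig = Get-AuthenticodeSignature -FilePath $path
        Write-Output "Signature   : $($sig.Status) $($sig.SignerCertificate.Subject)"
        $hash = Get-Sha256Hex -Path $path
        Write-Output "SHA256      : $hash"
        # Search the hash first; uploading the file itself publishes it to every VT partner.
        Write-Output "VirusTotal  : https://www.virustotal.com/gui/file/$hash"
        Write-Output "Persistence :"
        Get-AutorunReferences -ImagePath $path | ForEach-Object { "  $_" }
    }
}
```

Save it as Triage-Process.ps1 and run `.\Triage-Process.ps1`, or pass other names with `-Names swsys,amsvc,ekrn`. An empty Persistence section does not mean the file will not come back: scheduled tasks, browser helper objects and installed services under another name are outside these four keys, which is why the thread's advice to post the cleaner logs, rather than just deleting the .exe, is the right order. On PowerShell 7 replace Get-WmiObject with Get-CimInstance; the class names and -Filter syntax are unchanged.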

#9 l1990b (Topic Starter, Members, 12 posts)

Posted 04 September 2013 - 03:41 PM

I had to restart for both scans. Yes, I thought that as well, haha, very troublesome results; I hope it did clean them.

One thing that is also strange: when I search the web, 50% of the time when I click a link or go to a website, it hangs, and when I click it again, the page loads normally.
For example, when I click on the link for adobe.com/software/flash/about, my address bar displays this first before going to the website link:

http://r.duckduckgo.com/l/?kh=-1&uddg=https%3A%2F%2Fwww.adobe.com%2Fsoftware%2Fflash%2Fabout%2F

Same thing when clicking on that link found with Google:

http://www.google.nl/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CC8QFjAA&url=http%3A%2F%2Fwww.adobe.com%2Fnl%2Fsoftware%2Fflash%2Fabout%2F&ei=z5gnUr26DIPXswbyjoGACA&usg=AFQjCNHV4IlFHKpgwMEZUxDg9BZklm8L5A&bvm=bv.51495398,bs.1,d.d2k

What does this mean?

The SUPERAntiSpyware results:

 

 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/04/2013 at 10:33 PM

Application Version : 5.6.1032

Core Rules Database Version : 10743
Trace Rules Database Version: 8555

Scan type : Quick Scan
Total Scan Time : 00:15:54

Operating System Information
Windows Vista Ultimate 32-bit, Service Pack 2 (Build 6.00.6002)
UAC Off - Administrator

Memory items scanned : 529
Memory threats detected : 0
Registry items scanned : 38387
Registry threats detected : 2
File items scanned : 16332
File threats detected : 192

Registry Cleaner Trial
HKU\S-1-5-21-375306312-920584492-1586634212-1000\Software\SoftwareOnline.com
HKU\S-1-5-21-375306312-920584492-1586634212-1010\Software\SoftwareOnline.com

Adware.Tracking Cookie
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\GHLZFMN1.txt [ /ad-serverparc.nl ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\72QX2ZXT.txt [ /imrworldwide.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\5L08WW91.txt [ /atdmt.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\V67Y9NHV.txt [ /tribalfusion.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\4ATWZ8BP.txt [ /server.cpmstar.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\DA5ON40S.txt [ /xiti.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\58G4F62T.txt [ /c1.atdmt.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\KB0USZJZ.txt [ /www.elitepvpers.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\A9PXS73F.txt [ /www.burstnet.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\9B0Y7OQZ.txt [ /oracle.112.2o7.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\PCFBFHUQ.txt [ /c.atdmt.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\USMNI0KS.txt [ /adtech.de ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\PPG121O7.txt [ /adlegend.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\588PSEBK.txt [ /estat.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\S2I655J3.txt [ /ads.p161.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\XBNFVT9H.txt [ /revsci.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\U7XCNBDS.txt [ /apmebf.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\90UR74T6.txt [ /graphics-cards.findthebest.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\BDCF8H2X.txt [ /adform.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\UWPAOTXY.txt [ /account.ankama.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\VM9L386D.txt [ /bs.serving-sys.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\ZYUZSLSW.txt [ /statcounter.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\9AR3QOC1.txt [ /findthebest.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\8B38LE17.txt [ /www.warez-bb.org ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\RWEAT3LV.txt [ /elitepvpers.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\804U0CQT.txt [ /www.googleadservices.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\BS8I5OD1.txt [ /zanox.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\TEFJJ0VU.txt [ /media6degrees.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\DHMOOB3F.txt [ /adnetwork.vn ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\RTGID3KT.txt [ /serving-sys.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\JYKEYAWK.txt [ /mediaplex.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\YB6CYP22.txt [ /adformdsp.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\YZ1P8GUZ.txt [ /advertising.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\RNBCKJBN.txt [ /accounts.eamythic.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\L8NJ3GSH.txt [ /saymedia.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\J7WO8U0C.txt [ /collective-media.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\FGC4Z5MK.txt [ /warez-bb.org ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\TFYOIHX6.txt [ /interclick.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\JT23S2WI.txt [ /ad.zanox.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\BUAQE1QS.txt [ /ru4.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\VUQXB8C9.txt [ /invitemedia.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\ADPRQ57R.txt [ /kontera.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\6T738TPO.txt [ /www.googleadservices.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\M81IFTBJ.txt [ /fastclick.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\7E2QBT7H.txt [ /burstnet.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\4W7213T7.txt [ /demandmedia.trc.taboola.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\6358U1EI.txt [ /solvemedia.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\15I54UIS.txt [ /pro-market.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\9A9OC9I5.txt [ /ads.pubmatic.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\LSBJ7J7W.txt [ /www.googleadservices.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\Z01D2GTF.txt [ /specificclick.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\KNWPQKAF.txt [ /track.adform.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\2VQYV53U.txt [ /adtechus.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\JWF3ZC34.txt [ /rambler.ru ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\JDCBBC4N.txt [ /casalemedia.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\NGRFZUW2.txt [ /yadro.ru ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\QIUG2O0D.txt [ /salespidermedia.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\FH4M6687.txt [ /www.googleadservices.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\6JN5LV08.txt [ /weborama.fr ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\DUR6SANG.txt [ /lucidmedia.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\7DPTTNR9.txt [ /eaeacom.112.2o7.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\MCV17BR3.txt [ /in.getclicky.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\Y1K3QO9K.txt [ /ad.yieldmanager.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\6AHU3IUD.txt [ /ad.360yield.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\RAYKSPCT.txt [ /amazon-adsystem.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\4WEY989A.txt [ /sso-en.bestofmedia.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\JZPBI0MA.txt [ /realmedia.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\6Y1N9OW8.txt [ /doubleclick.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\AP1JUE7S.txt [ /h.atdmt.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\7CG0L7PK.txt [ /account.tera-europe.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\AR1KEX1T.txt [ /ads.creative-serving.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\2Q1SV60V.txt [ /ads.undertone.com ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\IX1393M8.txt [ /server.adformdsp.net ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\QJ7A0ERX.txt [ /ffddela.solution.weborama.fr ]
C:\Users\lal\AppData\Roaming\Microsoft\Windows\Cookies\YEWF6P4R.txt [ /demandmedia.trc.taboola.com ]
C:\USERS\LAL\Cookies\72QX2ZXT.txt [ Cookie:lal@imrworldwide.com/ ]
C:\USERS\LAL\Cookies\5L08WW91.txt [ Cookie:lal@atdmt.com/ ]
C:\USERS\LAL\Cookies\4ATWZ8BP.txt [ Cookie:lal@server.cpmstar.com/ ]
C:\USERS\LAL\Cookies\58G4F62T.txt [ Cookie:lal@c1.atdmt.com/ ]
C:\USERS\LAL\Cookies\KB0USZJZ.txt [ Cookie:lal@www.elitepvpers.com/ ]
C:\USERS\LAL\Cookies\A9PXS73F.txt [ Cookie:lal@www.burstnet.com/ ]
C:\USERS\LAL\Cookies\9B0Y7OQZ.txt [ Cookie:lal@oracle.112.2o7.net/ ]
C:\USERS\LAL\Cookies\PCFBFHUQ.txt [ Cookie:lal@c.atdmt.com/ ]
C:\USERS\LAL\Cookies\USMNI0KS.txt [ Cookie:lal@adtech.de/ ]
C:\USERS\LAL\Cookies\PPG121O7.txt [ Cookie:lal@adlegend.com/ ]
C:\USERS\LAL\Cookies\588PSEBK.txt [ Cookie:lal@estat.com/ ]
C:\USERS\LAL\Cookies\XBNFVT9H.txt [ Cookie:lal@revsci.net/ ]
C:\USERS\LAL\Cookies\U7XCNBDS.txt [ Cookie:lal@apmebf.com/ ]
C:\USERS\LAL\Cookies\90UR74T6.txt [ Cookie:lal@graphics-cards.findthebest.com/ ]
C:\USERS\LAL\Cookies\UWPAOTXY.txt [ Cookie:lal@account.ankama.com/ ]
C:\USERS\LAL\Cookies\VM9L386D.txt [ Cookie:lal@bs.serving-sys.com/ ]
C:\USERS\LAL\Cookies\ZYUZSLSW.txt [ Cookie:lal@statcounter.com/ ]
C:\USERS\LAL\Cookies\9AR3QOC1.txt [ Cookie:lal@findthebest.com/ ]
C:\USERS\LAL\Cookies\8B38LE17.txt [ Cookie:lal@www.warez-bb.org/ ]
C:\USERS\LAL\Cookies\RWEAT3LV.txt [ Cookie:lal@elitepvpers.com/ ]
C:\USERS\LAL\Cookies\804U0CQT.txt [ Cookie:lal@www.googleadservices.com/pagead/conversion/1008325104/ ]
C:\USERS\LAL\Cookies\BS8I5OD1.txt [ Cookie:lal@zanox.com/ ]
C:\USERS\LAL\Cookies\TEFJJ0VU.txt [ Cookie:lal@media6degrees.com/ ]
C:\USERS\LAL\Cookies\DHMOOB3F.txt [ Cookie:lal@adnetwork.vn/ ]
C:\USERS\LAL\Cookies\JYKEYAWK.txt [ Cookie:lal@mediaplex.com/ ]
C:\USERS\LAL\Cookies\YB6CYP22.txt [ Cookie:lal@adformdsp.net/ ]
C:\USERS\LAL\Cookies\L8NJ3GSH.txt [ Cookie:lal@saymedia.com/ ]
C:\USERS\LAL\Cookies\J7WO8U0C.txt [ Cookie:lal@collective-media.net/ ]
C:\USERS\LAL\Cookies\FGC4Z5MK.txt [ Cookie:lal@warez-bb.org/ ]
C:\USERS\LAL\Cookies\BUAQE1QS.txt [ Cookie:lal@ru4.com/ ]
C:\USERS\LAL\Cookies\6T738TPO.txt [ Cookie:lal@www.googleadservices.com/pagead/conversion/995896528/ ]
C:\USERS\LAL\Cookies\M81IFTBJ.txt [ Cookie:lal@fastclick.net/ ]
C:\USERS\LAL\Cookies\7E2QBT7H.txt [ Cookie:lal@burstnet.com/ ]
C:\USERS\LAL\Cookies\4W7213T7.txt [ Cookie:lal@demandmedia.trc.taboola.com/demandmedia-ehow/ ]
C:\USERS\LAL\Cookies\6358U1EI.txt [ Cookie:lal@solvemedia.com/ ]
C:\USERS\LAL\Cookies\Z01D2GTF.txt [ Cookie:lal@specificclick.net/ ]
C:\USERS\LAL\Cookies\KNWPQKAF.txt [ Cookie:lal@track.adform.net/ ]
C:\USERS\LAL\Cookies\2VQYV53U.txt [ Cookie:lal@adtechus.com/ ]
C:\USERS\LAL\Cookies\JWF3ZC34.txt [ Cookie:lal@rambler.ru/ ]
C:\USERS\LAL\Cookies\JDCBBC4N.txt [ Cookie:lal@casalemedia.com/ ]
C:\USERS\LAL\Cookies\QIUG2O0D.txt [ Cookie:lal@salespidermedia.com/ ]

 



#10 l1990b

l1990b
  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:36 PM

Posted 04 September 2013 - 04:05 PM

edit: This is exactly what I see in 1 of the 2 iexplorer.exe processes; the command line is written here:

 

http://forum.bullguard.com/forum/5/Multiple-iexploreexe-in-task-m_81639.html

 

Except mine says:

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:145409

 

I saw it in Process Explorer. When I'm using the internet, there are 2 or sometimes even more iexplorer.exe running. Why?



#11 buddy215

buddy215

  • Moderator
  • 13,192 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:36 AM

Posted 04 September 2013 - 04:09 PM

What did Virus Total say about those files? Did any of the security programs identify them?

 

amsvc.exe may be a file name used by a keylogger. What are the chances that you or another user intentionally installed a keylogger?



#12 buddy215

buddy215

  • Moderator
  • 13,192 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:36 AM

Posted 04 September 2013 - 04:13 PM

I don't use IE or Windows, but it is possible that each tab or IE window you open could have its own process identity.



#13 l1990b

l1990b
  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:36 PM

Posted 04 September 2013 - 04:21 PM

amsvc has disappeared from the tree, so I cannot scan it. And iexplorer.exe is clean as well on VirusTotal.

 

I only have 1 tab opened, but process explorer lists 3 of them:

 

1. 120K
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:79999
C:\Users\lal\Desktop\

2. 100K
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:80085
C:\Users\lal\Desktop\

3. Original: 30K
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\lal\Desktop\

 

Security tab group displays:

NT AUTHORITY\Authenticated users

NT AUTHORITY\INTERACTIVE

NT AUTHORITY\NTLM Authentication

NT AUTHORITY\This organization

 

Does this mean anything?

More info: http://blogs.msdn.com/b/askie/archive/2009/03/20/how-to-i-determine-which-ie-tabs-go-to-which-iexplore-exe-process-when-using-internet-explorer-8.aspx?Redirected=true. But I still do not know if it is a virus or not.


Edited by l1990b, 04 September 2013 - 04:24 PM.
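One way to check a listing like the one above mechanically, as an added example that is not from the thread, from Microsoft or from Sysinternals: it treats the SCODEF value as the PID of the IE frame process (an assumption about how IE8's tab processes are launched) and flags any iexplore.exe whose image path, SCODEF target or parent process does not fit that model. The process records, including the outlier, are constructed for the example.

```python
import re
from dataclasses import dataclass

# Image path of IE on a 32-bit Vista/7 install, as shown in the thread (assumption: no other install path).
EXPECTED_IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Tab processes carry "SCODEF:<n> CREDAT:<m>"; treating <n> as the frame process PID is an assumption.
LCIE_ARGS = re.compile(r"SCODEF:(\d+)\s+CREDAT:(\d+)$")


@dataclass
class Proc:
    pid: int
    ppid: int
    path: str
    cmdline: str


def triage_iexplore(procs):
    """Return (pid, finding) pairs for every iexplore.exe that does not fit the frame/tab
    model: wrong image path, SCODEF not naming a live frame process, or a tab whose
    parent is not that frame. An empty list means the listing looks like ordinary LCIE."""
    ie = [p for p in procs if p.path.lower().endswith("iexplore.exe")]
    # Frame processes are the iexplore.exe instances launched without SCODEF/CREDAT.
    frames = {p.pid for p in ie if not LCIE_ARGS.search(p.cmdline)}
    findings = []
    for p in ie:
        if p.path.lower() != EXPECTED_IE_PATH.lower():
            findings.append((p.pid, f"unexpected image path {p.path}"))
        m = LCIE_ARGS.search(p.cmdline)
        if m is None:
            continue  # frame process: nothing more to check
        frame_pid = int(m.group(1))
        if frame_pid not in frames:
            findings.append((p.pid, f"SCODEF:{frame_pid} does not name a running frame iexplore.exe"))
        elif p.ppid != frame_pid:
            findings.append((p.pid, f"parent pid {p.ppid} differs from frame pid {frame_pid}"))
    return findings


# Constructed records mirroring the thread: frame PID 3332 and two tabs, plus one constructed outlier.
SAMPLE = [
    Proc(3332, 1640, EXPECTED_IE_PATH, f'"{EXPECTED_IE_PATH}"'),
    Proc(3508, 3332, EXPECTED_IE_PATH, f'"{EXPECTED_IE_PATH}" SCODEF:3332 CREDAT:79999'),
    Proc(3612, 3332, EXPECTED_IE_PATH, f'"{EXPECTED_IE_PATH}" SCODEF:3332 CREDAT:80085'),
    Proc(4100, 860, r"C:\Users\lal\AppData\Roaming\iexplore.exe",
         r'"C:\Users\lal\AppData\Roaming\iexplore.exe" SCODEF:9999 CREDAT:1'),
]

if __name__ == "__main__":
    for pid, finding in triage_iexplore(SAMPLE):
        print(f"pid {pid}: {finding}")
```

The three records that match the thread produce no findings; the outlier is reported twice, once for its path and once because SCODEF:9999 names no frame process.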


#14 Animal

Animal

Bleepin' Animinion

  • Site Admin
  • 35,292 posts
  • OFFLINE
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:04:36 AM

Posted 04 September 2013 - 04:29 PM

I can confirm that, at least in Windows 7 (while the OP uses Vista), each open tab in IE carries its own process ID.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#15 l1990b

l1990b
  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:36 PM

Posted 04 September 2013 - 04:30 PM

Here someone says:

 

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUrsnif.gen!K&ThreatID=-2147316104

(http://forum.sysinternals.com/multiple-iexplore-processes-spawned-by-svchost_topic28135.html)

This malware seems to steal personal data. So change all your account passwords (email, forum logon, social websites) and reinstall Windows after backing up all your personal data.

 

I guess I change my data now!





