Multiple COM Surrogates, Host Process For Windows Tasks, and CTF Loader


This topic is locked
22 replies to this topic

#1 Nastika

  • Members
  • 16 posts

Posted 16 April 2015 - 08:24 PM

I noticed multiple COM Surrogates along with a Host Process For Windows Tasks in my task manager. If I mouse over them they immediately disappear from the list, and if I am lucky enough to click one and select "End Task" it comes back instantly. These were never there before and started showing fairly recently. I also noticed a CTF Loader in my processes which I have never seen active on this computer before.

I conducted a scan with AVG and nothing was detected.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-04-2015 04
Ran by Feral (administrator) on NASTIKA on 16-04-2015 20:52:02
Running from C:\Users\Feral\Desktop
Loaded Profiles: Feral (Available profiles: Feral & Administrator)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgfws.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
(Atheros) C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Pixart Imaging Inc) C:\Windows\System32\TiltWheelMouse.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13776088 2014-12-11] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1391472 2014-12-11] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2873744 2012-11-20] (ELAN Microelectronics Corp.)
HKLM\...\Run: [MouseDriver] => C:\WINDOWS\system32\TiltWheelMouse.exe [241152 2013-04-09] (Pixart Imaging Inc)
HKLM\...\Run: [BtPreLoad] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtPreLoad.exe [64640 2012-11-09] ()
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [RadioController] => "C:\Program Files (x86)\RadioController\RfBtnHelper.exe" Start_Run
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Dolby Home Theater v4] => C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe [508256 2012-04-23] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3723728 2015-03-25] (AVG Technologies CZ, s.r.o.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Acer Backup Manager Tray.lnk
ShortcutTarget: Acer Backup Manager Tray.lnk -> C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe (NTI Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-2448701538-655350082-3061898808-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer13.msn.com
HKU\S-1-5-21-2448701538-655350082-3061898808-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer13.msn.com
SearchScopes: HKU\S-1-5-21-2448701538-655350082-3061898808-1001 -> DefaultScope {ECE5E7EA-2E9E-4977-B6C7-71BC0B2E67D8} URL = 
SearchScopes: HKU\S-1-5-21-2448701538-655350082-3061898808-1001 -> {ECE5E7EA-2E9E-4977-B6C7-71BC0B2E67D8} URL = 
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\IEPlugIn.dll [2012-11-09] (Qualcomm Atheros Commnucations)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-10] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin HKU\S-1-5-21-2448701538-655350082-3061898808-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Feral\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-03-24] (Unity Technologies ApS)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
 
Chrome: 
=======
CHR StartupUrls: Default -> "https://www.google.com/"
CHR Profile: C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-10]
CHR Extension: (YouTube) - C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-10]
CHR Extension: (Google Search) - C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-10]
CHR Extension: (AdBlock) - C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-02-10]
CHR Extension: (Bookmark Manager) - C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-16]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Google Wallet) - C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-10]
CHR Extension: (Gmail) - C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-10]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-04-17] (Advanced Micro Devices, Inc.) [File not signed]
R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [231040 2012-11-09] (Qualcomm Atheros Commnucations) [File not signed]
R2 avgfws; C:\Program Files (x86)\AVG\AVG2015\avgfws.exe [1516968 2015-03-25] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3416016 2015-03-25] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [309232 2015-03-25] (AVG Technologies CZ, s.r.o.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-11-21] (Microsoft Corporation)
S3 DeviceFastLaneService; C:\Program Files\Acer\Acer Device Fast-lane\DeviceFastLaneSvc.exe [469648 2012-11-16] (Acer Incorporated)
S3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [658064 2012-10-23] (Acer Incorporated)
R2 NTI IScheduleSvc; C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [259136 2012-11-02] (NTI Corporation)
S2 RfButtonDriverService; C:\Windows\RfBtnSvc64.exe [98160 2013-03-19] (Dritek System INC.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S4 TlntSvr; C:\Windows\System32\tlntsvr.exe [146944 2015-02-17] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe [81536 2012-11-09] (Atheros) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36096 2014-07-21] (Advanced Micro Devices, Inc.)
R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
S2 APXACC; C:\Windows\system32\DRIVERS\appexDrv.sys [199008 2012-06-23] (AppEx Networks Corporation)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [91648 2012-08-21] (Advanced Micro Devices)
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [20496 2013-09-04] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgfwfd; C:\Windows\system32\DRIVERS\avgfwd6a.sys [58136 2014-12-03] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [281056 2015-03-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [203544 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [341472 2015-02-03] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [133088 2015-02-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [289248 2015-03-19] (AVG Technologies CZ, s.r.o.)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-11-21] (Microsoft Corporation)
R3 Ps2Kb2Hid; C:\Windows\System32\drivers\aPs2Kb2Hid.sys [26736 2013-03-19] (Dritek System Inc.)
R3 t_mouse.sys; C:\Windows\system32\DRIVERS\t_mouse.sys [6144 2013-04-09] ()
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-16 20:52 - 2015-04-16 20:53 - 00013305 _____ () C:\Users\Feral\Desktop\FRST.txt
2015-04-16 20:51 - 2015-04-16 20:52 - 00000000 ____D () C:\FRST
2015-04-16 20:47 - 2015-04-16 20:47 - 02097664 _____ (Farbar) C:\Users\Feral\Desktop\FRST64.exe
2015-04-16 20:32 - 2015-04-16 20:32 - 00001415 _____ () C:\Users\Feral\Desktop\Subnautica.lnk
2015-04-16 19:01 - 2015-04-16 19:02 - 01577457 _____ () C:\Users\Feral\Downloads\SDT_1_21_1b.swf
2015-04-16 18:59 - 2015-04-16 18:59 - 00000705 _____ () C:\Users\Feral\AppData\Local\recently-used.xbel
2015-04-16 18:25 - 2015-04-16 18:47 - 2256471589 _____ () C:\Users\Feral\Downloads\Subnautica.v1152.zip
2015-04-15 23:25 - 2015-01-05 23:01 - 00072192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ndproxy.sys
2015-04-15 23:25 - 2015-01-05 22:59 - 00080896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\wanarp.sys
2015-04-15 23:25 - 2015-01-05 21:12 - 00185856 _____ (Microsoft Corporation) C:\WINDOWS\system32\rascfg.dll
2015-04-15 23:25 - 2015-01-05 21:02 - 00164864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rascfg.dll
2015-04-15 18:15 - 2015-03-23 17:59 - 07476032 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-04-15 18:15 - 2015-03-23 17:59 - 01733952 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2015-04-15 18:15 - 2015-03-23 17:59 - 00360480 _____ (Microsoft Corporation) C:\WINDOWS\system32\sechost.dll
2015-04-15 18:15 - 2015-03-23 17:58 - 01498872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2015-04-15 18:15 - 2015-03-23 17:45 - 00257216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sechost.dll
2015-04-15 18:15 - 2015-03-20 00:12 - 00246272 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
2015-04-15 18:15 - 2015-03-20 00:10 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
2015-04-15 18:15 - 2015-03-20 00:10 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll
2015-04-15 18:15 - 2015-03-19 23:17 - 00411648 _____ (Microsoft Corporation) C:\WINDOWS\system32\tracerpt.exe
2015-04-15 18:15 - 2015-03-19 22:41 - 00369152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tracerpt.exe
2015-04-15 18:15 - 2015-03-19 22:40 - 00950784 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdh.dll
2015-04-15 18:15 - 2015-03-19 22:16 - 00749568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdh.dll
2015-04-15 18:14 - 2015-03-13 00:32 - 24980480 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-04-15 18:14 - 2015-03-13 00:08 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-04-15 18:14 - 2015-03-13 00:07 - 02886144 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-04-15 18:14 - 2015-03-12 23:53 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-04-15 18:14 - 2015-03-12 23:50 - 06025216 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-04-15 18:14 - 2015-03-12 23:42 - 19695616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-04-15 18:14 - 2015-03-12 23:28 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-04-15 18:14 - 2015-03-12 23:26 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-04-15 18:14 - 2015-03-12 23:22 - 02278400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-04-15 18:14 - 2015-03-12 23:17 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-04-15 18:14 - 2015-03-12 23:16 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-04-15 18:14 - 2015-03-12 23:08 - 00720384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-04-15 18:14 - 2015-03-12 23:07 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-04-15 18:14 - 2015-03-12 23:00 - 14397440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-04-15 18:14 - 2015-03-12 22:58 - 00259072 _____ (Microsoft Corporation) C:\WINDOWS\system32\pku2u.dll
2015-04-15 18:14 - 2015-03-12 22:50 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-04-15 18:14 - 2015-03-12 22:49 - 04305408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-04-15 18:14 - 2015-03-12 22:45 - 02358784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-04-15 18:14 - 2015-03-12 22:44 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-04-15 18:14 - 2015-03-12 22:37 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\pku2u.dll
2015-04-15 18:14 - 2015-03-12 22:34 - 12825600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-04-15 18:14 - 2015-03-12 22:33 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-04-15 18:14 - 2015-03-12 22:22 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-04-15 18:14 - 2015-03-12 22:20 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-04-15 18:14 - 2015-03-12 22:16 - 01311232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-04-15 18:14 - 2015-03-12 22:14 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-04-15 18:13 - 2015-03-04 06:25 - 00377152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\clfs.sys
2015-04-15 18:13 - 2015-03-03 23:04 - 00075264 _____ (Microsoft Corporation) C:\WINDOWS\system32\clfsw32.dll
2015-04-15 18:13 - 2015-03-03 22:19 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\clfsw32.dll
2015-04-15 18:13 - 2015-02-24 04:32 - 00991552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys
2015-04-15 05:10 - 2015-04-15 05:16 - 00000000 ____D () C:\Users\Feral\Downloads\Subnautica.v1152
2015-04-14 00:41 - 2015-03-14 04:54 - 00133256 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-04-14 00:41 - 2015-03-13 21:56 - 00066048 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
2015-04-14 00:41 - 2015-03-13 21:56 - 00052224 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups2.dll
2015-04-14 00:41 - 2015-03-13 21:51 - 00015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wu.upgrade.ps.dll
2015-04-14 00:41 - 2015-03-13 21:37 - 00267264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSetupUI.dll
2015-04-14 00:41 - 2015-03-13 21:14 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wups.dll
2015-04-14 00:41 - 2015-03-13 20:22 - 03678720 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-04-14 00:41 - 2015-03-13 20:12 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-04-14 00:41 - 2015-03-13 20:12 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-04-14 00:41 - 2015-03-13 20:09 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
2015-04-14 00:41 - 2015-03-13 20:08 - 00408064 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-04-14 00:41 - 2015-03-13 20:08 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-04-14 00:41 - 2015-03-13 20:06 - 02373632 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-04-14 00:41 - 2015-03-13 20:06 - 00891392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-04-14 00:41 - 2015-03-13 20:02 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-04-14 00:41 - 2015-03-13 20:02 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-04-14 00:41 - 2015-03-13 19:59 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-04-14 00:41 - 2015-03-13 19:59 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-04-10 21:02 - 2015-04-10 21:02 - 00000000 ____D () C:\ProgramData\Ubisoft
2015-04-10 20:58 - 2015-04-10 20:58 - 00002419 _____ () C:\Users\Public\Desktop\Tom Clancy's Rainbow Six Vegas 2.lnk
2015-04-10 20:58 - 2015-04-10 20:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tom Clancy's Rainbow Six Vegas 2
2015-04-10 18:04 - 2015-04-10 18:04 - 00000000 ____D () C:\WINDOWS\system32\appraiser
2015-04-10 08:33 - 2015-04-10 08:33 - 00000000 ____D () C:\Users\Default\AppData\Roaming\TuneUp Software
2015-04-10 08:33 - 2015-04-10 08:33 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\TuneUp Software
2015-04-10 05:28 - 2015-03-22 18:45 - 00227328 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepdu.dll
2015-04-10 05:28 - 2015-03-22 18:09 - 01111552 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2015-04-10 05:28 - 2015-03-22 18:09 - 00957440 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-04-10 05:28 - 2015-03-22 18:09 - 00769024 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2015-04-10 05:28 - 2015-03-22 18:09 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2015-04-10 05:28 - 2015-03-22 18:09 - 00419328 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2015-04-10 05:28 - 2015-03-22 18:09 - 00030720 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2015-04-10 05:28 - 2015-02-20 19:49 - 00780800 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsm.dll
2015-04-10 05:28 - 2014-12-02 19:09 - 00192000 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2015-04-10 05:15 - 2015-04-10 05:15 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\AVG2015
2015-04-10 05:14 - 2015-04-14 00:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-04-10 05:14 - 2015-04-10 05:14 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\TuneUp Software
2015-04-10 05:12 - 2015-04-10 05:14 - 00000000 ____D () C:\ProgramData\AVG2015
2015-04-10 05:12 - 2015-04-10 05:12 - 00000000 ___HD () C:\$AVG
2015-04-10 05:11 - 2015-04-10 05:11 - 00000000 ____D () C:\Program Files (x86)\AVG
2015-04-10 05:09 - 2015-04-16 20:11 - 00000000 ____D () C:\ProgramData\MFAData
2015-04-10 05:09 - 2015-04-10 05:19 - 00000000 ____D () C:\Users\Feral\AppData\Local\Avg2015
2015-04-10 05:09 - 2015-04-10 05:09 - 00000000 ____D () C:\Users\Feral\AppData\Local\MFAData
2015-04-10 04:55 - 2015-04-10 04:55 - 00000000 ____D () C:\Users\Feral\Downloads\AVG Internet Security 2015 15.0.5576 + Serial [TechTools.net]
2015-04-09 02:39 - 2015-04-09 02:39 - 00000000 ____D () C:\ProgramData\Steam
2015-04-09 01:33 - 2015-04-10 21:01 - 00000000 ____D () C:\Users\Feral\Downloads\Rainbow Six Vegas 2
2015-04-09 00:53 - 2015-04-09 02:03 - 00000000 ____D () C:\Users\Feral\Downloads\GMT.KZ_Saints_Row_IV_Game_of_the_Century_Edition_RePack_MAXAGENT
2015-04-08 22:17 - 2015-04-08 22:17 - 00002325 _____ () C:\Users\Feral\Desktop\Skyrim (SKSE).lnk
2015-04-08 22:17 - 2015-04-08 22:17 - 00002325 _____ () C:\Users\Administrator\Desktop\Skyrim (SKSE).lnk
2015-04-05 22:27 - 2015-04-05 22:27 - 00000000 ____D () C:\Users\Feral\Documents\makehuman
2015-04-04 20:50 - 2015-04-05 21:44 - 00000000 ____D () C:\Users\Feral\AppData\Local\Skyrim
2015-04-03 00:11 - 2015-04-03 01:19 - 00000000 ____D () C:\Users\Feral\Documents\Unreal Projects
2015-04-03 00:10 - 2015-04-03 00:10 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\Unreal Engine
2015-04-03 00:09 - 2015-04-03 00:10 - 00000000 ____D () C:\Users\Feral\AppData\Local\UnrealEngine
2015-04-02 23:01 - 2015-04-02 23:01 - 00000000 ____D () C:\Users\Feral\AppData\Local\UnrealEngineLauncher
2015-04-02 22:18 - 2015-04-02 23:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dolby
2015-04-02 22:18 - 2015-04-02 23:00 - 00000000 ____D () C:\Program Files (x86)\Dolby Home Theater v4
2015-04-02 21:39 - 2015-04-02 21:39 - 00001276 _____ () C:\Users\Feral\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Realtek HD Audio Manager.lnk
2015-04-02 21:36 - 2015-04-11 04:16 - 00000000 ____D () C:\Program Files\Epic Games
2015-04-02 00:04 - 2015-04-02 00:04 - 00000000 ____H () C:\WINDOWS\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2015-04-02 00:02 - 2015-04-15 23:28 - 00004177 _____ () C:\WINDOWS\setupact.log
2015-04-02 00:02 - 2015-04-02 21:45 - 00000178 _____ () C:\WINDOWS\setuperr.log
2015-04-01 21:37 - 2015-04-02 02:12 - 00001083 _____ () C:\Users\Feral\Desktop\StarCitizen.lnk
2015-04-01 21:37 - 2015-04-01 21:51 - 00000000 ____D () C:\Program Files\StarCitizen
2015-04-01 21:37 - 2015-04-01 21:37 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StarCitizen
2015-04-01 21:35 - 2015-04-09 02:35 - 00000000 ___HD () C:\WINDOWS\msdownld.tmp
2015-04-01 21:35 - 2015-04-09 02:35 - 00000000 ____D () C:\WINDOWS\SysWOW64\directx
2015-03-30 13:01 - 2015-03-30 13:01 - 00000000 ____D () C:\Users\Feral\AppData\Local\Unity
2015-03-30 12:50 - 2015-03-30 12:50 - 00000299 _____ () C:\Users\Feral\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Recycle Bin.lnk
2015-03-28 07:53 - 2015-03-28 07:55 - 00000000 ___SD () C:\WINDOWS\system32\GWX
2015-03-28 07:53 - 2015-03-28 07:53 - 00000000 ___SD () C:\WINDOWS\SysWOW64\GWX
2015-03-28 07:53 - 2015-03-14 04:20 - 01385256 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll
2015-03-28 07:53 - 2015-03-14 04:13 - 01124352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msctf.dll
2015-03-27 18:36 - 2015-03-27 18:36 - 00000000 ____D () C:\Users\Feral\AppData\Local\EpicGamesLauncher
2015-03-27 18:34 - 2015-04-02 23:01 - 00000000 ____D () C:\ProgramData\Epic
2015-03-26 04:44 - 2015-03-26 04:45 - 20335869 _____ () C:\Users\Feral\Downloads\Nikola.Tesla.eBook.Collection.zip
2015-03-25 11:21 - 2015-03-25 11:21 - 00281056 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgidsdrivera.sys
2015-03-21 07:49 - 2015-03-25 12:33 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\Spore
2015-03-21 07:49 - 2015-03-21 07:50 - 00000000 ____D () C:\Users\Feral\Documents\My Spore Creations
2015-03-21 07:49 - 2015-03-21 07:49 - 00000000 ____D () C:\Users\Feral\AppData\Local\SKIDROW
2015-03-21 07:49 - 2015-03-21 07:49 - 00000000 ____D () C:\Users\Feral\AppData\Local\Game Updater
2015-03-21 07:21 - 2015-03-21 07:21 - 00001686 _____ () C:\Users\Public\Desktop\Spore.lnk
2015-03-21 07:21 - 2015-03-21 07:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spore
2015-03-21 06:52 - 2015-03-21 06:52 - 00000000 ____D () C:\Users\Feral\AppData\Local\Setup Integrity Check
2015-03-19 16:05 - 2015-03-19 16:05 - 00289248 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgwfpa.sys
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-16 19:56 - 2015-02-10 04:51 - 00000912 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-16 19:02 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-04-16 18:23 - 2015-02-10 10:30 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\vlc
2015-04-16 17:39 - 2015-02-16 21:50 - 01318189 _____ () C:\WINDOWS\WindowsUpdate.log
2015-04-16 17:39 - 2015-02-10 04:44 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2448701538-655350082-3061898808-1001
2015-04-16 17:26 - 2015-02-10 04:51 - 00000908 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-16 00:14 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\rescache
2015-04-15 23:33 - 2014-11-21 04:44 - 00863592 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-04-15 23:28 - 2013-08-22 10:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-04-15 23:25 - 2012-07-26 03:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-04-15 23:13 - 2013-08-20 02:57 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-04-15 21:26 - 2015-02-10 10:10 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-04-15 21:23 - 2015-02-10 10:10 - 128913832 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-04-15 17:56 - 2013-08-22 09:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-04-15 05:06 - 2014-05-30 10:32 - 00000000 ____D () C:\Users\Feral\Desktop\Clutter
2015-04-14 00:31 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-04-13 19:24 - 2014-11-21 12:03 - 00792056 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-04-13 19:24 - 2014-11-21 12:03 - 00178168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-11 04:54 - 2015-02-10 10:40 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\HexChat
2015-04-10 21:31 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\AppCompat
2015-04-10 21:09 - 2015-02-10 04:36 - 00000000 ____D () C:\Users\Feral\AppData\Local\VirtualStore
2015-04-10 21:09 - 2013-08-20 11:57 - 00000000 ____D () C:\Users\Feral\Documents\my games
2015-04-10 20:59 - 2015-02-12 02:37 - 00066194 _____ () C:\WINDOWS\DirectX.log
2015-04-10 20:43 - 2015-02-16 12:42 - 00000000 ____D () C:\Program Files (x86)\Ubisoft
2015-04-10 18:04 - 2014-11-21 11:56 - 00000000 ___SD () C:\WINDOWS\system32\CompatTel
2015-04-10 05:19 - 2013-08-22 09:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
2015-04-10 05:14 - 2012-07-26 04:12 - 00000000 ___HD () C:\WINDOWS\ELAMBKUP
2015-04-09 02:40 - 2015-03-07 21:58 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\deluge
2015-04-03 03:54 - 2015-02-12 02:39 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\SpaceEngineers
2015-04-03 01:10 - 2015-02-15 16:46 - 00000132 _____ () C:\Users\Feral\AppData\Roaming\Adobe PNG Format CS6 Prefs
2015-04-02 22:18 - 2013-03-19 19:55 - 00000000 ____D () C:\Dolby PCEE4
2015-04-02 21:38 - 2014-11-21 04:34 - 00006930 _____ () C:\WINDOWS\PFRO.log
2015-04-02 01:02 - 2015-02-16 21:49 - 00000000 ____D () C:\WINDOWS\SysWOW64\RTCOM
2015-04-01 21:35 - 2013-09-07 01:22 - 00000000 ____D () C:\Games
2015-03-27 18:44 - 2014-12-25 01:54 - 00000000 ____D () C:\Users\Feral\Downloads\N64 Roms
2015-03-22 04:26 - 2013-08-22 11:36 - 00000000 ____D () C:\WINDOWS\system32\NDF
2015-03-21 21:19 - 2015-03-07 21:50 - 00000000 ____D () C:\Users\Feral\AppData\Roaming\BitTorrent
2015-03-19 06:22 - 2014-12-14 22:38 - 00001413 _____ () C:\Users\Feral\Desktop\Man Rules.txt
 
==================== Files in the root of some directories =======
 
2015-02-15 16:46 - 2015-04-03 01:10 - 0000132 _____ () C:\Users\Feral\AppData\Roaming\Adobe PNG Format CS6 Prefs
2015-04-16 18:59 - 2015-04-16 18:59 - 0000705 _____ () C:\Users\Feral\AppData\Local\recently-used.xbel
2015-03-15 01:57 - 2015-03-15 01:57 - 0000000 _____ () C:\Users\Feral\AppData\Local\{04E2A703-516D-458A-99B0-96E7F5743FD1}
2013-03-19 19:55 - 2013-03-19 19:55 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some content of TEMP:
====================
C:\Users\Feral\AppData\Local\Temp\CH.dll
C:\Users\Feral\AppData\Local\Temp\npp.6.7.5.Installer.exe
C:\Users\Feral\AppData\Local\Temp\xmlUpdater.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-14 18:58
 
==================== End Of Log ============================


 


#2 Johnny Computer
  • Malware Response Team

Posted 21 April 2015 - 06:22 PM

Hi Nastika-

My name is Johnny Computer and I will be helping you clean up your system.

PLEASE NOTE: Logs are often long, complicated, and time consuming to analyze.

Please give me some time to look over your logs and I will be back with further instructions A.S.A.P. :)


"DO OR DO NOT. THERE IS NO TRY."


#3 Johnny Computer
  • Malware Response Team

Posted 24 April 2015 - 07:25 AM

 
Hi Nastika-

Hello and welcome to BLEEPING COMPUTER

My name is Johnny Computer and I will be helping you with your malware related computer issues today.

Before we move on, please read the following points carefully.

IMPORTANT-----> Post all logfiles as a reply rather than as an attachment. If you can not post all log files in one reply, feel free to use more posts.

 

 

- First, I would like to inform you that most of us here at Bleeping Computer are volunteers. The logs you will be asked to submit can take time to analyze. Please try to match our commitment to you with your patience toward us.

- Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.

- Perform everything in the correct order. Sometimes one step requires the previous one.

- If you have any problems while following my instructions, Stop and ask any questions you may have.

- Please stay with me until I have notified you that your system is All Clean. Absence of symptoms does not necessarily mean your machine is clean.

- If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so.

IMPORTANT NOTE: DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
--------------------------------------------------------------------------------
 

Going over your logs I noticed that you have or have had BitTorrent installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
- They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

  
 
--------------------------------------------------
 
Step 1: Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait a bit.
  • Click on I agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

-------------------------------------------------

 

Step 2:

Please download Powelikscleaner (by ESET) and save it to your Desktop.

  • Double-click the downloaded file to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

 

 ----------------------------------------------------
 
IN YOUR NEXT REPLY I NEED:
 
1.)  Your ADWCleaner log
2.)  Your ESET cleaner log
3.)  How is your computer running now?  Are the multiple processes still present?
 
 


Edited by Johnny Computer, 24 April 2015 - 05:43 PM.



#4 Nastika
  • Topic Starter

Posted 24 April 2015 - 05:54 PM

# AdwCleaner v4.202 - Logfile created 24/04/2015 at 18:29:23
# Updated 23/04/2015 by Xplode
# Database : 2015-04-23.2 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Feral - NASTIKA
# Running from : C:\Users\Feral\Desktop\adwcleaner_4.202.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gighmmpiobklfepjocnamgkkbiglidom_0.localstorage
File Found : C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gighmmpiobklfepjocnamgkkbiglidom_0.localstorage-journal
File Found : C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
File Found : C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
Folder Found : C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Local AppWizard-Generated Applications
Key Found : [x64] HKCU\Software\Local AppWizard-Generated Applications
Key Found : HKU\.DEFAULT\Software\Local AppWizard-Generated Applications
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v0.0.0.0
 
 
-\\ Google Chrome v42.0.2311.90
 
[C:\Users\Feral\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Found [Extension] : gighmmpiobklfepjocnamgkkbiglidom
 
*************************
 
AdwCleaner[R0].txt - [1622 bytes] - [24/04/2015 18:29:23]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1681 bytes] ##########
 
 
[2015.04.24 18:50:20.545] - Begin
[2015.04.24 18:50:20.574] - 
[2015.04.24 18:50:20.575] -     ....................................
[2015.04.24 18:50:20.576] -   ..::::::::::::::::::....................
[2015.04.24 18:50:20.579] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Poweliks
[2015.04.24 18:50:20.582] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.0.0.4
[2015.04.24 18:50:20.584] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Mar 25 2015
[2015.04.24 18:50:20.586] -  .::EE:::::::::::::SS:.EE..........TT......
[2015.04.24 18:50:20.589] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2015.04.24 18:50:20.590] -   ..::::::::::::::::::....................    1992-2015. All rights reserved.
[2015.04.24 18:50:20.590] -     ....................................
[2015.04.24 18:50:20.591] - 
[2015.04.24 18:50:20.591] - --------------------------------------------------------------------------------
[2015.04.24 18:50:20.591] - 
[2015.04.24 18:50:20.592] - INFO: OS: 6.2.9200 SP0
[2015.04.24 18:50:20.593] - INFO: Product Type: Workstation
[2015.04.24 18:50:20.593] - INFO: WoW64: True
[2015.04.24 18:50:20.594] - INFO: Machine guid: 5F6A616E-DAD1-43D2-9E16-45D84BE8A3CE 
[2015.04.24 18:50:20.594] - 
[2015.04.24 18:50:27.967] - INFO: Scanning for system infection...
[2015.04.24 18:50:27.967] - --------------------------------------------------------------------------------
[2015.04.24 18:50:27.967] - 
[2015.04.24 18:50:27.967] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.04.24 18:50:27.968] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.04.24 18:50:27.969] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.04.24 18:50:27.969] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.04.24 18:50:27.969] - INFO: Processing classes...
[2015.04.24 18:50:27.969] - INFO: Processing clsid [\Registry\User\S-1-5-21-2448701538-655350082-3061898808-1001\SOFTWARE\Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}]
[2015.04.24 18:50:27.970] - INFO: Processing clsid [\Registry\User\S-1-5-21-2448701538-655350082-3061898808-1001\SOFTWARE\Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}]
[2015.04.24 18:50:27.970] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.04.24 18:50:27.972] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.04.24 18:50:27.973] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.04.24 18:50:27.973] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.04.24 18:50:27.973] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.04.24 18:50:27.973] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.04.24 18:50:27.974] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.04.24 18:50:27.974] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.04.24 18:50:27.974] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.04.24 18:50:27.974] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2015.04.24 18:50:27.976] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.04.24 18:50:27.977] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.04.24 18:50:27.977] - INFO: (XSW) Scanning for XSW variant...
[2015.04.24 18:50:27.983] - INFO: (XSW) Processing users subkeys...
[2015.04.24 18:50:27.987] - INFO: Win32/Poweliks not found
[2015.04.24 18:51:43.709] - End
 

 

 

There's a third COM surrogate now and the CTF Loader isn't showing in my processes anymore. Other than that nothing has changed.



#5 Johnny Computer
  • Malware Response Team

Posted 25 April 2015 - 09:22 AM

 

Hi Nastika-

After running the tools we have and reviewing your logs I can tell you that the issues they show are minor and it is very unlikely that you have any malware on your system. The multiple processes you are seeing are likely the result of a software issue. Let's see if we can track it down.

Can you tell me if you remember installing any programs or files around the time you started experiencing the multiple processes? Also, can you tell me if you are doing anything specific when you see the multiple processes appear or are they there all the time?

Thanks :)

 

 

  

 

 




#6 Nastika
  • Topic Starter

Posted 25 April 2015 - 11:02 AM

I don't think I installed anything at the time they showed up. They show up when I start the computer. I have owned this computer for over a year and the only thing I might have installed since they started showing up is a game and none of those start when the computer starts.



#7 Johnny Computer
  • Malware Response Team

Posted 27 April 2015 - 09:59 AM

Hi Nastika-

Please follow the instructions under the "2. Use Shift + Restart - works in Windows 8 & 8.1" heading in the link below to boot your computer into Safe Mode with networking and then check and see if the multiple processes are still present. Then post back and let me know how it went.

http://www.7tutorials.com/5-ways-boot-safe-mode-windows-8-windows-81

Thanks :)


Edited by Johnny Computer, 27 April 2015 - 10:00 AM.



#8 Johnny Computer
  • Malware Response Team

Posted 30 April 2015 - 05:56 PM

Hi Nastika-

As stated in my Welcome Speech:

- If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

It has been three days since my last post. Are you still with me? If so please follow the instructions in my previous post.

Thanks :)


Edited by Johnny Computer, 30 April 2015 - 05:56 PM.



#9 Nastika
  • Topic Starter

Posted 02 May 2015 - 02:33 PM

They still show up under background processes while in safe mode with networking.



#10 Johnny Computer
  • Malware Response Team

Posted 04 May 2015 - 06:33 AM

 

Hi Nastika-

Ok, let's try this. Please click the link below and follow the instructions to perform a "Clean Boot" for Windows 8.1. Then check and see if those processes still remain.

https://support.microsoft.com/en-us/kb/929135

Thanks

 

 




#11 Johnny Computer
  • Malware Response Team

Posted 07 May 2015 - 07:33 AM

Hi Nastika-

As stated in my Welcome Speech:

- If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

It has been three days since my last post. Are you still with me? If so please follow the instructions in my previous post or the thread will be closed.

Thanks :)

 



#12 Nastika
  • Topic Starter

Posted 07 May 2015 - 12:38 PM

Sorry for the lack of replies. I try to get on asap but have been busy.

 

The processes are still there after the "clean boot".



#13 Johnny Computer
  • Malware Response Team

Posted 11 May 2015 - 09:06 AM

Hi Nastika-

First, I apologize for the delayed response. Normally you will not have to wait quite so long in between responses.

Next, let me explain what we have been doing. The multiple processes you are seeing can be normal or they can be malicious. In your case they are normal, which I have suspected since the beginning, but it is always good to check just to be sure, which is what we have been doing. We will conduct one more scan just to make sure you are clean and then tend to a few more clean up related issues, but at this point I can tell you those processes are nothing you have to worry about.

----------------------------------------------------

Step 1: PLEASE DO THE FOLLOWING:

 

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click the button to continue.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click the button to start the scan.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click the button to finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


-------------------------------------------------

IN YOUR NEXT REPLY I NEED:

1.) Your ESET log


Thanks :)


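Post #13 says the extra COM Surrogate processes can be either normal or malicious. The PowerShell below is an added example, not code from the thread or from any of the tools it mentions: it lists every dllhost.exe with the facts a responder compares against the known-good pattern (an image under System32 or SysWOW64 with a valid Microsoft signature, svchost.exe as parent, and a hosted CLSID that resolves to a registered server DLL). The Win32_Process class, Get-AuthenticodeSignature and the HKCR\CLSID layout are standard Windows; the function name is my own.

```powershell
# Added example: triage COM Surrogate (dllhost.exe) instances the way a
# responder would before deciding they are benign. The function name is my
# own; the CIM class, cmdlets and registry layout are standard Windows.
function Get-ComSurrogateInfo {
    # Surrogates started by DCOM carry the hosted component's CLSID on the command line.
    $clsidPattern = '/Processid:(\{[0-9A-Fa-f-]{36}\})'

    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        $p = $_
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

        # Authenticode check of the image that is actually running, not just its name.
        $sig = $null
        if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        }

        # Resolve the hosted CLSID to its registered name and in-process server DLL.
        $clsid = $null; $component = $null; $serverDll = $null
        if ($p.CommandLine -and $p.CommandLine -match $clsidPattern) {
            $clsid = $Matches[1]
            $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            if (Test-Path $key) {
                $component = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
                $serverDll = (Get-ItemProperty -Path "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            }
        }

        # Known-good pattern: image under System32 or SysWOW64, Signature 'Valid' with
        # a Microsoft signer, parent svchost.exe (DcomLaunch), CLSID registered with a
        # server DLL you recognise. Anything else deserves a closer look, not a verdict.
        [PSCustomObject]@{
            PID       = $p.ProcessId
            Path      = $p.ExecutablePath
            Signature = if ($sig) { $sig.Status.ToString() } else { 'unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            ParentPID = $p.ParentProcessId
            Parent    = if ($parent) { $parent.Name } else { '(exited)' }
            CLSID     = $clsid
            Component = $component
            ServerDll = $serverDll
            # A surrogate with no /Processid argument is unusual and worth checking by hand.
            HasClsid  = [bool]$clsid
        }
    }
}

# Run the triage and show it as a table; pipe to Export-Csv instead to keep the evidence.
Get-ComSurrogateInfo | Format-Table -AutoSize
```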


#14 Nastika
  • Topic Starter

Posted 11 May 2015 - 08:50 PM

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=192c72ed11b44b49abf7ea3b7059d6e8
# engine=23798
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-05-12 01:40:12
# local_time=2015-05-11 09:40:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT 
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 8390804 0 0
# scanned=297781
# found=4
# cleaned=0
# scan_time=12393
sh=B20B0BD8E5CDD280C5DC922FFD896DF50D208CB7 ft=1 fh=59ddf8c2c6946d84 vn="a variant of Win32/HackTool.CheatEngine.AB potentially unsafe application" ac=I fn="C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe"
sh=860EFD5893E4DD4E820227B7DEAD144F974456AC ft=1 fh=c0b9ed8dfe12ffb8 vn="a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application" ac=I fn="C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat"
sh=DB1FDDF35C36B7E2F6AD3CA81F2ACA9856385893 ft=1 fh=981ca8a346561a3c vn="a variant of Win32/GameHack.F potentially unsafe application" ac=I fn="C:\Users\Feral\Desktop\Clutter\Vegas 2 Trainer\Rainbow Six Vegas Trainer.exe"
sh=3FF1559F45D691BA28E78E745EFA6752B73EDE1E ft=1 fh=ac9c1d80264f64c1 vn="MSIL/GameHack.EO potentially unsafe application" ac=I fn="C:\Users\Feral\Downloads\GrandTheftAutoV+14Tr-LNG_v1.0\GrandTheftAutoV+14Tr-LNG_v1.01.exe"


#15 Johnny Computer
  • Malware Response Team

Posted 12 May 2015 - 01:06 PM

 
Hi Nastika-

Download Security Check by screen317 from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------------------------------------------

IN YOUR NEXT REPLY I NEED:

1.) Your Security Check log

Thanks :)

 





