I need help SYSWOW64 infection.


17 replies to this topic

#1 jtayman3 (Members, 10 posts)

Posted 30 October 2015 - 08:37 PM

Hi

I am running windows 10, and my system has been maxing out it's CPU usage with relatively simple tasks.. running websites, even saving files. The screen will freeze for a length of time and the CPU usage maxes out to 100%.

I watch the processes screen on the task manager, and i see "windows host process (RunDll32)(32 bit) is using most of the resources.

So i follow it to it's folder source, and find it is in Windows>SysWow64

I google that and find out it's a potential virus, start reading and the symptoms described are very similar to my problems.

 

So i ask my son if he had anything happen, and sure enough. He says he got an "FBI warning" page that over-rode everything. He said he unplugged the machine and restarted, and he said it went away.

I am assuming this is definitely the source of the problem, but neither Malwarebytes, superAntiSpyware or Norton can find anything.

 

Any advice would be greatly appreciated.




 


#2 Aura (Bleepin' Special Ops, Malware Response Team, 19,480 posts)

Posted 30 October 2015 - 08:42 PM

Hi jtayman3 :)

My name is Aura and I'll be assisting you with your issue.

> I google that and find out it's a potential virus, start reading and the symptoms described are very similar to my problems.

That's a good practice to follow. Before we assume that your rundll32.exe is indeed malicious, however, we'll push the investigation a bit further, since there could be multiple reasons as to why this process could be acting up.

> So i ask my son if he had anything happen, and sure enough. He says he got an "FBI warning" page that over-rode everything. He said he unplugged the machine and restarted, and he said it went away.

In that case it was most likely a fake page from a browser locker. Usually, shutting down your web browser gets rid of them :)

Alright, let's see what we can learn from your system first. Follow the instructions below please.

MiniToolBox
  • Download MiniToolBox and move the executable file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:
  • Download Autoruns.zip from the Sysinternals Suite webpage;
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator;
  • Accept the EULA on opening, then wait for all the entries to load;
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file;
  • Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
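Added example, not part of the thread and not Aura's tooling: a PowerShell triage of the point Aura raises above, that a rundll32.exe running from SysWOW64 should be checked rather than assumed malicious from its location. The function name, the NeedsReview field and the command-line parse are this example's own assumptions; it expects an elevated session on 64-bit Windows.

```powershell
# Added example, not tooling from this thread. Assumes 64-bit Windows 10 and an
# elevated PowerShell session (command lines of other users' processes are hidden
# otherwise). Function and property names below are this example's own.
function Get-Rundll32Triage {
    [CmdletBinding()]
    param()

    # Two genuine copies exist on x64 Windows: the 64-bit binary in System32 and the
    # 32-bit one in SysWOW64. A SysWOW64 path with a "(32 bit)" tag in Task Manager
    # is therefore expected; a rundll32.exe anywhere else is the real red flag.
    $expectedImages = @(
        (Join-Path $env:SystemRoot 'System32\rundll32.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\rundll32.exe')
    )

    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        ForEach-Object {
            $proc  = $_
            $image = $proc.ExecutablePath

            # Image path check (-contains compares case-insensitively, as Windows does).
            $imageExpected = [bool]$image -and ($expectedImages -contains $image)

            # Windows binaries are catalog-signed; Get-AuthenticodeSignature consults
            # the catalog, so a genuine rundll32.exe reports Valid.
            $imageStatus = if ($image -and (Test-Path -LiteralPath $image)) {
                (Get-AuthenticodeSignature -LiteralPath $image).Status
            } else { 'unknown' }

            # rundll32 itself does little; the work happens in the module it loads:
            #   rundll32.exe <module>,<EntryPoint> [args]
            # Heuristic parse: drop the first token, take everything up to the first comma.
            $module = $null
            if ($proc.CommandLine -match '^(?:"[^"]*"|\S+)\s+(.+)$') {
                $module = ($Matches[1] -split ',', 2)[0].Trim().Trim('"')
            }

            # Relative module names resolve against the system directory matching
            # the host's bitness (SysWOW64 for the 32-bit rundll32).
            $modulePath = $module
            if ($module -and -not [System.IO.Path]::IsPathRooted($module)) {
                $sysDir    = if ($image -like '*\SysWOW64\*') { 'SysWOW64' } else { 'System32' }
                $candidate = Join-Path (Join-Path $env:SystemRoot $sysDir) $module
                if (Test-Path -LiteralPath $candidate) { $modulePath = $candidate }
            }
            $moduleStatus = if ($modulePath -and (Test-Path -LiteralPath $modulePath)) {
                (Get-AuthenticodeSignature -LiteralPath $modulePath).Status
            } else { 'unresolved' }

            # Who started it, and how much CPU it has burned so far (the OP's symptom).
            $parent = Get-CimInstance -ClassName Win32_Process `
                -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
            $cpu = (Get-Process -Id $proc.ProcessId -ErrorAction SilentlyContinue).CPU

            [PSCustomObject]@{
                ProcessId       = $proc.ProcessId
                ImagePath       = $image
                ImageExpected   = $imageExpected
                ImageSignature  = "$imageStatus"
                HostedModule    = $modulePath
                ModuleSignature = "$moduleStatus"
                Parent          = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
                CpuSeconds      = [math]::Round([double]$cpu, 1)
                # Worth a closer look: unexpected path, unsigned or tampered image,
                # or an unsigned / unresolvable hosted module.
                NeedsReview     = (-not $imageExpected) -or
                                  ("$imageStatus" -ne 'Valid') -or
                                  ("$moduleStatus" -ne 'Valid')
                CommandLine     = $proc.CommandLine
            }
        }
}

# List every rundll32.exe instance; NeedsReview = True marks the ones to dig into.
Get-Rundll32Triage | Sort-Object NeedsReview -Descending | Format-List
```

The hosted module and its parent are what matter for a verdict; a signed rundll32.exe in one of the two expected directories is almost always just the host for whatever module is listed, so that module (and its Autoruns entry, if any) is where the investigation continues.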


#3 jtayman3 (Topic Starter, Members, 10 posts)

Posted 30 October 2015 - 08:50 PM

Thank you very much for your help.

The Autoruns file is here:
https://www.dropbox.com/sh/si0tfe76gshnofq/AAC2MnhjUDtLyZ2m-z7mXXMQa?dl=0

The log of the toolbox scan is:

MiniToolBox by Farbar  Version: 25-07-2015 01
Ran by John Tayman (administrator) on 30-10-2015 at 21:45:58
Running from "C:\Users\John Tayman\Desktop"
Microsoft Windows 10 Pro  (X64)
Model: Inspiron 546 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
 
 
 
========================= IP Configuration: ================================
 
Realtek PCIe FE Family Controller = Local Area Connection (Connected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : JohnTayman-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physical Address. . . . . . . . . : 00-24-E8-29-09-22
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9147:916f:a683:8a47%3(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, October 30, 2015 9:08:34 PM
   Lease Expires . . . . . . . . . . : Saturday, October 31, 2015 9:08:33 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 234890472
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-53-FD-2F-00-24-E8-29-09-22
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{6C679114-C714-46C1-B379-C2CB9C8B2A17}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:2482:162e:b67e:18b6(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::2482:162e:b67e:18b6%5(Preferred) 
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 117440512
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-53-FD-2F-00-24-E8-29-09-22
   NetBIOS over Tcpip. . . . . . . . : Disabled
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.1
 
Name:    google.com
Addresses:  2607:f8b0:4006:80e::200e
 74.125.226.174
 74.125.226.169
 74.125.226.164
 74.125.226.160
 74.125.226.168
 74.125.226.165
 74.125.226.167
 74.125.226.166
 74.125.226.161
 74.125.226.162
 74.125.226.163
 
 
Pinging google.com [216.58.219.238] with 32 bytes of data:
Reply from 216.58.219.238: bytes=32 time=19ms TTL=54
Reply from 216.58.219.238: bytes=32 time=18ms TTL=54
 
Ping statistics for 216.58.219.238:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 18ms, Maximum = 19ms, Average = 18ms
Server:  UnKnown
Address:  192.168.1.1
 
Name:    yahoo.com
Addresses:  2001:4998:58:c02::a9
 2001:4998:c:a06::2:4008
 2001:4998:44:204::a7
 98.138.253.109
 98.139.183.24
 206.190.36.45
 
 
Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=84ms TTL=42
Reply from 206.190.36.45: bytes=32 time=87ms TTL=42
 
Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 84ms, Maximum = 87ms, Average = 85ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  3...00 24 e8 29 09 22 ......Realtek PCIe FE Family Controller
  1...........................Software Loopback Interface 1
  4...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
  5...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    276
      192.168.1.3  255.255.255.255         On-link       192.168.1.3    276
    192.168.1.255  255.255.255.255         On-link       192.168.1.3    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.3    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.3    276
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  5    306 ::/0                     On-link
  1    306 ::1/128                  On-link
  5    306 2001::/32                On-link
  5    306 2001:0:9d38:90d7:2482:162e:b67e:18b6/128
                                    On-link
  3    276 fe80::/64                On-link
  5    306 fe80::/64                On-link
  5    306 fe80::2482:162e:b67e:18b6/128
                                    On-link
  3    276 fe80::9147:916f:a683:8a47/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    276 ff00::/8                 On-link
  5    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (10/30/2015 07:35:05 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (10/30/2015 06:30:39 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (10/30/2015 06:04:24 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: JohnTayman-PC)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (10/28/2015 05:27:11 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 2.3.125.0, time stamp: 0x5612a56b
Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp: 0x4df2be1e
Exception code: 0x40000015
Fault offset: 0x0008d6fd
Faulting process id: 0x8a4
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3
Faulting package full name: mbam.exe4
Faulting package-relative application ID: mbam.exe5
 
Error: (10/27/2015 07:12:45 AM) (Source: Microsoft-Windows-Defrag) (User: )
Description: The volume My Passport (K:) was not optimized because an error was encountered: The specified network resource or device is no longer available. (0x80070037)
 
Error: (10/26/2015 03:32:57 PM) (Source: Application Error) (User: )
Description: Faulting application name: googledrivesync.exe, version: 1.25.523.2491, time stamp: 0x509418e4
Faulting module name: python27.dll, version: 2.7.10150.1013, time stamp: 0x55b99ded
Exception code: 0xc0000005
Fault offset: 0x0009d628
Faulting process id: 0x183c
Faulting application start time: 0xgoogledrivesync.exe0
Faulting application path: googledrivesync.exe1
Faulting module path: googledrivesync.exe2
Report Id: googledrivesync.exe3
Faulting package full name: googledrivesync.exe4
Faulting package-relative application ID: googledrivesync.exe5
 
Error: (10/25/2015 04:43:56 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (10/25/2015 04:00:19 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (10/18/2015 04:49:28 PM) (Source: Application Hang) (User: )
Description: The program explorer.exe version 10.0.10240.16431 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 1728
 
Start Time: 01d1090e9dd73eb9
 
Termination Time: 4294967295
 
Application Path: C:\Windows\explorer.exe
 
Report Id: b7c9ee01-75d9-11e5-8d6d-0024e8290922
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (10/18/2015 03:26:44 PM) (Source: Application Error) (User: )
Description: Faulting application name: Adobe Premiere Pro.exe, version: 9.0.1.36, time stamp: 0x55acd8dd
Faulting module name: MSVCR120.dll, version: 12.0.21005.1, time stamp: 0x524f83ff
Exception code: 0xc0000409
Fault offset: 0x0000000000074a30
Faulting process id: 0x277c
Faulting application start time: 0xAdobe Premiere Pro.exe0
Faulting application path: Adobe Premiere Pro.exe1
Faulting module path: Adobe Premiere Pro.exe2
Report Id: Adobe Premiere Pro.exe3
Faulting package full name: Adobe Premiere Pro.exe4
Faulting package-relative application ID: Adobe Premiere Pro.exe5
 
 
System errors:
=============
Error: (10/30/2015 09:08:39 PM) (Source: Service Control Manager) (User: )
Description: The Net.Tcp Listener Adapter service depends on the Net.Tcp Port Sharing Service service which failed to start because of the following error: 
%%1058
 
Error: (10/30/2015 09:05:03 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: 
%%1056
 
Error: (10/30/2015 09:05:00 PM) (Source: Service Control Manager) (User: )
Description: The Sync Host_Session1 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
 
Error: (10/30/2015 09:04:33 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (10/30/2015 09:04:32 PM) (Source: Service Control Manager) (User: )
Description: The VIA Karaoke digital mixer Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/30/2015 09:04:31 PM) (Source: Service Control Manager) (User: )
Description: The SQL Server VSS Writer service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/30/2015 09:04:31 PM) (Source: Service Control Manager) (User: )
Description: The Message Queuing service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (10/30/2015 09:04:31 PM) (Source: Service Control Manager) (User: )
Description: The Skype Click to Call PNR Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/30/2015 09:04:31 PM) (Source: Service Control Manager) (User: )
Description: The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/30/2015 09:04:31 PM) (Source: Service Control Manager) (User: )
Description: The Web Deployment Agent Service service terminated unexpectedly.  It has done this 1 time(s).
 
 
Microsoft Office Sessions:
=========================
 
=========================== Installed Programs ============================
 
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.5 - Adobe Systems)
Adobe After Effects CC 2014 (HKLM-x32\...\{2B22C750-5C3B-4738-B621-BA786AC7A494}) (Version: 13.2.0 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 14.0.0.178 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 3.2.0.129 - Adobe Systems Incorporated)
Adobe Creative Suite 5.5 Web Premium (HKLM-x32\...\{B4749B38-C5BD-4A02-8E9F-C1EF7CCEA651}) (Version: 5.5 - Adobe Systems Incorporated)
Adobe Edge Animate CC 2014.1 (HKLM-x32\...\{344AEC03-4326-11E4-B63C-FE38885BB836}) (Version: 5.0.1 - Adobe Systems Incorporated)
Adobe Fireworks CS6 (HKLM-x32\...\{CA7C485C-7A89-11E1-B2C8-CD54B377BC52}) (Version: 12.0.0 - Adobe Systems Incorporated)
Adobe Flash Player 10 ActiveX (HKLM-x32\...\{B001064C-D061-4BAE-9031-416A838D5536}) (Version: 10.2.153.1 - Adobe Systems Incorporated)
Adobe Flash Player 10 Plugin (HKLM-x32\...\{9C542173-96F0-435D-A95C-468CAAC75EA0}) (Version: 10.2.153.1 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Illustrator CC 2015 (HKLM-x32\...\{5680D629-B263-49CC-821E-3CEBD4507B51}) (Version: 19.1.0 - Adobe Systems Incorporated)
Adobe InDesign CC 2014 (HKLM-x32\...\{CCDCB9C4-72BA-1014-A3F8-D123F2F18BC2}) (Version: 10.2.0.069 - Adobe Systems Incorporated)
Adobe Media Encoder CC 2015 (HKLM-x32\...\{0FAC7130-BEC5-47A5-8813-1D339B8326ED}) (Version: 9.0.1 - Adobe Systems Incorporated)
Adobe Premiere Pro CC 2015 (HKLM-x32\...\{38C72D42-0672-43B1-9E05-E7631684F9A1}) (Version: 9.0.1 - Adobe Systems Incorporated)
Adobe Widget Browser (HKLM-x32\...\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1) (Version: 2.0 Build 230 - Adobe Systems Incorporated.)
Adobe® Content Viewer (HKLM-x32\...\com.adobe.dmp.contentviewer) (Version: 3.4.3 - Adobe Systems, Incorporated)
Akamai NetSession Interface (HKCU\...\Akamai) (Version:  - Akamai Technologies, Inc)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AzureTools.Notifications.VwdExpress (HKLM-x32\...\{78A8DA30-B655-42DA-B6FD-56CF652CEBCE}) (Version: 2.3.20320.1602 - Microsoft Corporation) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Build Tools - amd64 (HKLM\...\{F74753A3-C93C-34F5-A199-993CAF602B7D}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Build Tools - x86 (HKLM-x32\...\{FB3A15FD-FC67-3A2F-892B-6890B0C56EA9}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Build Tools Language Resources - amd64 (HKLM\...\{05198C22-FFCE-374A-B190-9F18CC99DAEA}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Build Tools Language Resources - x86 (HKLM-x32\...\{9347889B-C22A-3905-901F-C05D8F73C929}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Creative Audio Control Panel (HKLM-x32\...\AudioCS) (Version: 2.00 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM-x32\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell System Detect (HKCU\...\9204f5692a8faf3b) (Version: 3.3.2.1 - Dell)
Dropbox (HKCU\...\Dropbox) (Version: 3.10.8 - Dropbox, Inc.)
Entity Framework Designer for Visual Studio 2012 - enu (HKLM-x32\...\{0A1A1D48-DB23-443A-BC7B-49255D138020}) (Version: 11.1.20702.00 - Microsoft Corporation)
Entity Framework Tools for Visual Studio 2013 (HKLM-x32\...\{08AEF86A-1956-4846-B906-B01350E96E30}) (Version: 12.0.20912.0 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 46.0.2490.80 - Google Inc.)
Google Drive (HKLM-x32\...\{9C350701-AC04-48BA-A435-BD5E0D82897E}) (Version: 1.25.0523.2491 - Google, Inc.)
Google Earth (HKLM-x32\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.15 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
Hauppauge WinTV 7 (HKLM-x32\...\Hauppauge WinTV 7) (Version: v7.0.29124 (CD 2.3f) - Hauppauge Computer Works)
Host OpenAL (HKLM-x32\...\Host OpenAL) (Version: 1.00 - Creative Technology Limited)
IIS 8.0 Express (HKLM\...\{7BF61FA9-BDFB-4563-98AD-FCB0DA28CCC7}) (Version: 8.0.1557 - Microsoft Corporation)
IIS Express Application Compatibility Database for x64 (HKLM\...\{9f4f4a9b-eec5-4906-92fe-d1f43ccf5c8d}.sdb) (Version:  - )
IIS Express Application Compatibility Database for x86 (HKLM\...\{fdfba1f3-74ae-4255-9c10-a0f552b4610f}.sdb) (Version:  - )
Install Finalizer (HKLM-x32\...\{8E7BD234-12F4-4FA2-98B0-3508AD421F3C}) (Version: 2.3.20320.1602 - Microsoft Corporation) Hidden
Install Finalizer (HKLM-x32\...\{9182189E-CA6A-4395-BAAA-39F55EDB7127}) (Version: 2.3.20320.1602 - Microsoft Corporation) Hidden
iTunes (HKLM\...\{A535111D-95C8-487F-869E-CE4C239972D2}) (Version: 11.1.1.11 - Apple Inc.)
iWisoft Flash SWF to Video Converter 3.4 (HKLM-x32\...\iWisoft Flash SWF to Video Converter_is1) (Version: 3.4.0 - www.flash-swf-converter.com)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4.5 Multi-Targeting Pack (HKLM-x32\...\{56E962F0-4FB0-3C67-88DB-9EAA6EEFC493}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5 SDK (HKLM-x32\...\{4AE57014-05C4-4864-A13D-86517A7E1BA4}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (ENU) (HKLM-x32\...\{D3517C62-68A5-37CF-92F7-93C029A89681}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (HKLM-x32\...\{6A0C6700-EA93-372C-8871-DCCF13D160A4}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 SDK (HKLM-x32\...\{19A5926D-66E1-46FC-854D-163AA10A52D3}) (Version: 4.5.51641 - Microsoft Corporation)
Microsoft ASP.NET and Web Frameworks 2012.2 (HKLM-x32\...\{71a40c60-27c2-443a-b7c7-6e4f3aad1d5a}) (Version: 2.1.20219.0 - Microsoft Corporation)
Microsoft ASP.NET and Web Tools 2013.1 - Visual Studio Express 2012 for Web (HKLM-x32\...\{CEB3E62B-D8BC-4DC2-838B-C7B547D2C4F6}) (Version: 1.5.50306.0 - Microsoft Corporation)
Microsoft ASP.NET and Web Tools 2013.1 - Visual Studio Express 2013 for Web (HKLM-x32\...\{F9A9C0C6-1465-421C-B707-041875FEF172}) (Version: 2.1.50312.0 - Microsoft Corporation)
Microsoft ASP.NET MVC 3 (HKLM-x32\...\{D32EF103-4016-4C15-BCB0-700C0A7A2309}) (Version: 3.0.50813.0 - Microsoft Corporation)
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft ASP.NET Web Pages (HKLM-x32\...\{631471BE-DEAB-454B-A9AC-CE3EB42C28B3}) (Version: 1.0.20105.0 - Microsoft Corporation)
Microsoft Help Viewer 2.0 (HKLM-x32\...\Microsoft Help Viewer 2.0) (Version: 2.0.50727 - Microsoft Corporation)
Microsoft Help Viewer 2.1 (HKLM-x32\...\Microsoft Help Viewer 2.1) (Version: 2.1.21005 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.2.173.0 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft SQL Server 2012 Command Line Utilities  (HKLM\...\{58FED865-4F13-408D-A5BF-996019C4B936}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM-x32\...\{1B876496-B3A2-4D22-9B12-B608A3FD4B8B}) (Version: 11.1.2902.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (x64) (HKLM\...\{A6BA243E-85A3-4635-A269-32949C98AC7F}) (Version: 11.1.2902.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Express LocalDB  (HKLM\...\{6C026A91-640F-4A23-8B68-05D589CC6F18}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (HKLM-x32\...\{2F7DBBE6-8EBC-495C-9041-46A772F4E311}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (x64) (HKLM\...\{43A5C316-9521-49C3-B9B6-FCE5E1005DF0}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{D411E9C9-CE62-4DBF-9D92-4CB22B750ED5}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL Compiler Service  (HKLM\...\{BEB0F91E-F2EA-48A1-B938-7857ABF2A93D}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (HKLM\...\{54C5041B-0E91-4E92-8417-AAA12493C790}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 T-SQL Language Service  (HKLM-x32\...\{04DD7AF4-A6D3-4E30-9BB9-3B3670719234}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 x64 ENU (HKLM\...\{78909610-D229-459C-A936-25D92283D3FD}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft SQL Server Data Tools - enu (11.1.20905.0) (HKLM-x32\...\{23A3E3F8-91B4-4C5A-9E69-6747CF6D426B}) (Version: 11.1.20905.0 - Microsoft Corporation)
Microsoft SQL Server Data Tools - enu (12.0.30919.1) (HKLM-x32\...\{0D7FCBFB-F478-4D32-901C-83F0BF5A3501}) (Version: 12.0.30919.1 - Microsoft Corporation)
Microsoft SQL Server Data Tools Build Utilities - enu (11.1.20905.0) (HKLM-x32\...\{D2964C0D-477B-4914-B791-1D80E61E85E6}) (Version: 11.1.20905.0 - Microsoft Corporation)
Microsoft SQL Server Data Tools Build Utilities - enu (12.0.30919.1) (HKLM-x32\...\{6781FF9B-E87D-4A03-9373-A55A288B83FA}) (Version: 12.0.30919.1 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (HKLM-x32\...\{A47FD1BF-A815-4A76-BE65-53A15BD5D25D}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (x64) (HKLM\...\{4701DEDE-1888-49E0-BAE5-857875924CA2}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM-x32\...\{070C38AC-05CE-43DF-9A20-141332F6AB2B}) (Version: 11.1.3366.16 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (x64) (HKLM\...\{05FF8209-C4F1-4C77-BC28-791653156D20}) (Version: 11.1.3366.16 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio Express 2012 for Web - ENU (HKLM-x32\...\{f56bac4b-ef69-49d9-b010-1d7de651418d}) (Version: 11.0.50727.26 - Microsoft Corporation)
Microsoft Visual Studio Express 2013 for Web - ENU (HKLM-x32\...\{3e544097-53d1-4252-98a6-93cc12a6d487}) (Version: 12.0.21005.13 - Microsoft Corporation)
Microsoft Web Deploy 3.5 (HKLM\...\{69A998C5-00A9-42CA-AB4E-C31CFFCD9251}) (Version: 3.1237.1763 - Microsoft Corporation)
Microsoft Web Deploy dbSqlPackage Provider - enu (HKLM-x32\...\{E4C33F5B-1B2F-466E-957E-B274F08151A0}) (Version: 10.3.20225.0 - Microsoft Corporation)
Microsoft Web Platform Installer 5.0 (HKLM\...\{4D84C195-86F0-4B34-8FDE-4A17EB41306A}) (Version: 5.0.50430.0 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{45898170-E68C-4F02-AA35-C2186BF347A3}) (Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{B39A6825-EA20-43EA-AB2D-A6BC0298D9A1}) (Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Norton Security (HKLM-x32\...\NS) (Version: 22.5.4.24 - Symantec Corporation)
PC Pitstop Driver Alert2 2.0.0.0 (HKLM-x32\...\PC Pitstop Driver Alert2_is1) (Version: 2.0.0.0 - PC Pitstop LLC)
PDF Settings CS5 (HKLM-x32\...\{A78FE97A-C0C8-49CE-89D0-EDD524A17392}) (Version: 10.0 - Adobe Systems Incorporated) Hidden
Prerequisites for SSDT  (HKLM-x32\...\{35C1D9D6-87C0-46A3-B1B4-EDBCC063221C}) (Version: 11.1.3000.0 - Microsoft Corporation)
Recuva (HKLM\...\Recuva) (Version: 1.52 - Piriform)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.24.999 - SAMSUNG Electronics Co., Ltd.)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.5.0.9082 - Microsoft Corporation)
Sony ACID Music Studio 6.0b (HKLM-x32\...\{D4A823CA-D124-456E-9A98-71544A928897}) (Version: 6.0.81 - Sony)
Sothink SWF Catcher (HKLM-x32\...\{49273419-5179-4866-9F71-5CF346F302CF}_is1) (Version: 2.6 - SourceTec Software Co., LTD)
Sothink SWF Decompiler (HKLM-x32\...\{BCDB856C-D247-4DEE-9132-89C02F4D6B8C}_is1) (Version: 7.4 - SourceTec Software Co., LTD)
Sound Blaster X-Fi (HKLM-x32\...\{C93170A0-CBF9-481F-B972-B4FA5AEE0E06}) (Version: 1.0 - Creative Technology Limited)
Spotify (HKCU\...\Spotify) (Version: 1.0.16.104.g3b776c9e - Spotify AB)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1206 - SUPERAntiSpyware.com)
Team Explorer for Microsoft Visual Studio 2013 (HKLM-x32\...\{C9E7751E-88ED-36CF-B610-71A1D262E906}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Uninstall Finalizer (HKLM-x32\...\{28F5A97C-F4EE-4945-AA33-8BBE3F93DB89}) (Version: 2.3.20320.1602 - Microsoft Corporation) Hidden
Uninstall Finalizer (HKLM-x32\...\{39B7F50A-4DEA-44B7-ACDB-8565B45AEAEC}) (Version: 2.3.20320.1602 - Microsoft Corporation) Hidden
Update for  (KB2504637) (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}.KB2504637) (Version: 1 - Microsoft Corporation)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Verizon Wireless Software Upgrade Assistant - Samsung(ar) (HKLM-x32\...\{267B6912-6F26-4FFD-9342-8E84A7B26151}) (Version: 2.13.1103 - Samsung Electronics Co., Ltd.)
Verizon Wireless Software Utility Application for Android - Samsung (HKLM-x32\...\{041E914E-7B73-4E8B-967F-B7FFC527FF80}) (Version: 2.14.0106 - Samsung Electronics Co., Ltd.)
Windows Azure Authoring Tools - v2.3 (HKLM\...\{CA53F7A1-A71D-4C7F-ABD2-7BDD26FE0D74}) (Version: 2.3.6491.3 - Microsoft Corporation)
Windows Azure Command Line Tools (HKLM-x32\...\{ED029EC9-3D5B-415D-82F3-4C1258844667}) (Version: 0.8.6 - Microsoft Corporation)
Windows Azure Compute Emulator - v2.3 (HKLM\...\Windows Azure Compute Emulator - v2.3) (Version: 2.3.6491.3 - Microsoft Corporation)
Windows Azure Libraries for .NET – v2.3 (HKLM\...\{C0591F2A-45AD-4189-86A7-C2B1DF3D148D}) (Version: 2.3.0424.070 - Microsoft Corporation)
Windows Azure PowerShell - July 2014 (HKLM-x32\...\{3ECB8AE8-28C5-4C8E-9DEF-5143FB73F97B}) (Version: 0.8.5 - Microsoft Corporation)
Windows Azure Storage Emulator - v3.2 (HKLM-x32\...\Windows Azure Storage Emulator - v3.2) (Version: 3.2.6891.0 - Microsoft Corporation)
Windows Azure Storage Tools - v2.2.2 (HKLM-x32\...\{E7BF94EB-6D51-4813-A717-BEE9AABDF028}) (Version: 2.2.2.0 - Microsoft Corporation)
Windows Azure Tools for Microsoft Visual Studio 2012 - v2.3 (HKLM-x32\...\{d330fe59-916f-4dcd-8de7-fbf00e4525b1}) (Version: 2.3.20320.1602 - Microsoft Corporation)
Windows Azure Tools for Microsoft Visual Studio 2013 - v2.3 (HKLM-x32\...\{7223ffe5-5cbb-45ca-8aa3-a455015ab1cf}) (Version: 2.3.20320.1602 - Microsoft Corporation)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 57%
Total physical RAM: 4095.11 MB
Available physical RAM: 1753.3 MB
Total Virtual: 8191.11 MB
Available Virtual: 4916.5 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:930.97 GB) (Free:586.57 GB) NTFS
8 Drive k: (My Passport) (Fixed) (Total:298.02 GB) (Free:51.37 GB) FAT32
 
========================= Users: ========================================
 
User accounts for \\JOHNTAYMAN-PC
 
Administrator            DefaultAccount           Guest                    
John Tayman              
 
 
**** End of log ****


#4 Aura (Malware Response Team)

Posted 30 October 2015 - 09:37 PM

It seems like you uploaded the Autoruns.zip I made you download. I need you to launch Autoruns.exe, wait for the list to load, then save the file as an .arn file and upload it :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 jtayman3 (Topic Starter)

Posted 30 October 2015 - 09:50 PM

Oops. Sorry about that :)

 

https://www.dropbox.com/sh/si0tfe76gshnofq/AAC2MnhjUDtLyZ2m-z7mXXMQa?dl=0

 

It has been a long day, and I'm nodding.

I will pick up your reply in the morning.

Thanks again.


Edited by jtayman3, 30 October 2015 - 09:51 PM.


#6 Aura (Malware Response Team)

Posted 31 October 2015 - 06:23 AM

It seems that the Autoruns file is corrupt, can you try again please?

Also, you can uninstall the following programs:
  • Adobe AIR - Outdated and vulnerable;
  • Adobe Flash Player 10 ActiveX - Outdated and vulnerable;
  • Adobe Flash Player 10 Plugin - Outdated and vulnerable;
  • PC Pitstop Driver Alert2 2.0.0.0 - See warning below;
Driver Updater Warning!
I see that you are using a "Driver Updater" program. I strongly advise you to uninstall it/them and to never use such programs again, since they can damage your system to the point where a reinstallation of Windows might be needed.
  • Drivers are "middlemen" between your OS (Windows) and your hardware (computer). They control and facilitate the interaction between Windows and hardware components, to deliver a "message", nothing more;
  • Having all of your drivers up to date, all the time, will not improve the performance of your system, nor your computer. You cannot increase the hardware performance of a component beyond the current capabilities it has;
  • Driver updates are released to fix a bug or an issue with a previous release of that driver. Not everyone with the same drivers will experience the issue, so if you are having no problems with the drivers you are running, you don't need to update them. "If it's not broken, don't fix it";
  • You can download drivers for free from your computer/laptop manufacturer's website, or from the hardware component manufacturer's website. You don't need to pay for any of them; if you are being asked to pay for drivers, it is likely a scam;
  • Only drivers from the computer/laptop manufacturer's website, or the hardware component manufacturer's website, are considered official (legitimate and working). You should not download drivers from anywhere else;
  • Driver Updaters are a scam; they try to convince you that you need these programs in order to make your system perform well, which is false;
  • It has been tested and proven that these programs will detect outdated drivers on a system that has the most updated drivers from the manufacturer, which shows that they don't work and/or they try to make you install "newer" suspicious drivers;
  • The goal of the distributors of such programs is to make money by making you buy their useless product, or install additional software (PUPs) when you install their program. Your system will perform worse with these programs installed than without;
This being said, such programs could be seen as "pure scam" and should be avoided at all costs.

Here are some articles that talk about Driver Updater programs and why they shouldn't be used:



#7 jtayman3 (Topic Starter)

Posted 31 October 2015 - 07:18 AM

Will do. I installed that program trying to figure out why the system was running so high.

 

I have re-run Autoruns.

https://www.dropbox.com/sh/si0tfe76gshnofq/AAC2MnhjUDtLyZ2m-z7mXXMQa?dl=0

 

I have to run out; it will be several hours before I can get back. Thanks for your patience.

 

Edit: the programs you mentioned are now uninstalled.


Edited by jtayman3, 31 October 2015 - 07:35 AM.


#8 Aura (Malware Response Team)

Posted 31 October 2015 - 07:44 AM

Thank you :) Follow the instructions below please.

AdwCleaner - Scan Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, click on the Logfile button to open the scan log;
  • Please copy/paste the content of the log that will open in your next reply;



#9 jtayman3 (Topic Starter)

Posted 31 October 2015 - 01:45 PM

# AdwCleaner v5.015 - Logfile created 31/10/2015 at 14:35:37
# Updated 26/10/2015 by Xplode
# Database : 2015-10-29.1 [Server]
# Operating system : Windows 10 Pro  (x64)
# Username : John Tayman - JOHNTAYMAN-PC
# Running from : C:\Users\John Tayman\Desktop\adwcleaner_5.015.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil
 
***** [ Files ] *****
 
File Found : C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\elicpjhcidhpjomhibiffojpinpmmpil
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
[C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask
[C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : search.conduit.com
[C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com
[C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : elicpjhcidhpjomhibiffojpinpmmpil
 
*************************
 
C:\AdwCleaner[R1].txt - [16464 bytes] - [01/08/2013 21:09:56]
C:\AdwCleaner[R2].txt - [1172 bytes] - [02/08/2013 11:57:48]
C:\AdwCleaner[S1].txt - [16622 bytes] - [01/08/2013 21:11:34]
C:\AdwCleaner[S2].txt - [1170 bytes] - [02/08/2013 11:58:41]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1732 bytes] ##########


#10 Aura (Malware Response Team)

Posted 31 October 2015 - 04:03 PM

Follow the instructions below please.

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Malwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run; the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;



#11 jtayman3 (Topic Starter)

Posted 31 October 2015 - 04:22 PM

This is the JRT result.

Running the others now.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 10 Pro x64
Ran by John Tayman on Sat 10/31/2015 at 17:10:21.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] C:\Users\John Tayman\Appdata\Local\cre
 
 
 
~~~ Chrome
 
Successfully deleted: [Folder] C:\Users\John Tayman\Appdata\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil
 
[C:\Users\John Tayman\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\John Tayman\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
elicpjhcidhpjomhibiffojpinpmmpil
 
[C:\Users\John Tayman\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\John Tayman\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[
  elicpjhcidhpjomhibiffojpinpmmpil,
  icpgjfneehieebagbmdbhnlpiopdcmna
]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 10/31/2015 at 17:15:01.90
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#12 jtayman3 (Topic Starter)

Posted 31 October 2015 - 04:39 PM

AdwCleaner

 

# AdwCleaner v5.015 - Logfile created 31/10/2015 at 17:31:16
# Updated 26/10/2015 by Xplode
# Database : 2015-10-29.1 [Server]
# Operating system : Windows 10 Pro  (x64)
# Username : John Tayman - JOHNTAYMAN-PC
# Running from : C:\Users\John Tayman\Desktop\adwcleaner_5.015.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil
 
***** [ Files ] *****
 
[-] File Deleted : C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\elicpjhcidhpjomhibiffojpinpmmpil
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\John Tayman\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : elicpjhcidhpjomhibiffojpinpmmpil
 
*************************
 
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner[R1].txt - [16464 bytes] - [01/08/2013 21:09:56]
C:\AdwCleaner[R2].txt - [1172 bytes] - [02/08/2013 11:57:48]
C:\AdwCleaner[S1].txt - [16622 bytes] - [01/08/2013 21:11:34]
C:\AdwCleaner[S2].txt - [1170 bytes] - [02/08/2013 11:58:41]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [1355 bytes] ##########


#13 jtayman3 (Topic Starter)

Posted 31 October 2015 - 05:23 PM

Malwarebytes
 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 10/31/2015
Scan Time: 5:42 PM
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2015.10.31.05
Rootkit Database: v2015.10.28.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: John Tayman
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395749
Time Elapsed: 28 min, 27 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#14 Aura (Malware Response Team)

Posted 01 November 2015 - 10:59 AM

Good logs! Does the rundll32.exe process still use a lot of CPU? If it does, follow the instructions below please.
  • Right-click on the taskbar and select Task Manager;
  • From there, go to the Details tab and click once on the CPU column to order the processes by CPU usage (from the highest to the lowest);
  • Let me know what the top process is (with its CPU usage);
  • Now, right-click on any column, select Select columns and check Command line in the list (at the bottom);
  • Find the rundll32.exe process, and write the Command line column info in your next reply;

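The same facts the steps above collect by hand (the top CPU consumers, and the command line behind each rundll32.exe) can be pulled in one go from an elevated PowerShell prompt; this is an added example for the thread, not something the responder posted, and the command-line parsing and the DLL resolution order are my assumptions about how rundll32 is normally invoked. It goes one step beyond the Task Manager view by resolving the DLL rundll32 was told to load and checking its Authenticode signature, which is usually the first thing a responder wants to know about a rundll32 that sits at 100% CPU.

```powershell
# Added example (not from the thread): list every rundll32.exe with its parent,
# CPU time, command line and the signature status of the DLL it hosts.
# Assumptions: command lines follow "rundll32.exe <dll>,<entry> [args]", with the
# DLL path optionally quoted, and a bare DLL name resolves from rundll32's own
# directory first (SysWOW64 for the 32-bit copy seen in this thread).

function Get-Rundll32Target {
    param([string]$CommandLine, [string]$ImagePath)
    if (-not $CommandLine) { return $null }
    # Skip the (possibly quoted) executable token, then capture the DLL token:
    # either a quoted path or an unquoted run up to the first comma/space.
    $m = [regex]::Match($CommandLine,
        '^\s*(?:"[^"]*"|\S+)\s+(?:"(?<q>[^"]+)"|(?<u>[^,\s]+))')
    if (-not $m.Success) { return $null }
    $dll = if ($m.Groups['q'].Success) { $m.Groups['q'].Value } else { $m.Groups['u'].Value }
    if ([System.IO.Path]::IsPathRooted($dll)) { return $dll }
    # Bare name: mirror the loader's search order, starting next to rundll32 itself.
    $dirs = @()
    if ($ImagePath) { $dirs += Split-Path -Parent $ImagePath }
    $dirs += "$env:windir\System32", "$env:windir\SysWOW64"
    foreach ($d in $dirs) {
        $candidate = Join-Path $d $dll
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $dll   # could not resolve; report the raw token so it is not lost
}

function Get-Rundll32Detail {
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'"
    foreach ($p in $procs) {
        $live   = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        $parent = Get-CimInstance -ClassName Win32_Process `
                      -Filter "ProcessId = $($p.ParentProcessId)"
        $dll = Get-Rundll32Target -CommandLine $p.CommandLine -ImagePath $p.ExecutablePath
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                   (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
               } else { 'dll not found on disk' }
        [pscustomobject]@{
            PID          = $p.ProcessId
            CpuTime      = if ($live) { $live.TotalProcessorTime } else { $null }
            Image        = $p.ExecutablePath            # System32 vs SysWOW64 copy
            Parent       = if ($parent) { "$($parent.Name) ($($p.ParentProcessId))" }
                           else { "exited ($($p.ParentProcessId))" }
            CommandLine  = $p.CommandLine               # same text as Task Manager's column
            LoadedDll    = $dll
            DllSignature = $sig                         # Valid / NotSigned / HashMismatch ...
        }
    }
}

# Top five CPU consumers right now (the third bullet in the instructions above).
Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 5 Id, ProcessName, CPU, Path

# Every rundll32.exe with its command line, parent and DLL signature status.
Get-Rundll32Detail | Format-List
```

A rundll32.exe whose DLL lives under a user-writable folder such as AppData or Temp, is unsigned, or whose parent has already exited is the line to paste back into the thread, since those are the cases where the Task Manager column alone does not say enough.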


#15 jtayman3 (Topic Starter)

Posted 01 November 2015 - 01:02 PM

Things are running much smoother this morning. Thank you very much for your help.

 

So what was it, and do you know how to avoid it in the future?





