Think I may have some bad virus...
15 replies to this topic

#1 Vivalas

Posted 20 November 2015 - 06:26 PM

So yeah, my Steam account got hijacked, and before trying to recover it, I want to make sure whatever is on my computer is vanquished.

Recently my computer has been running slowly, which it never has, and never should. Running Windows Defender I found some virus called RougeJS/Fakecall or something, a remote access program, which I removed, but something still feels off, and randomly the disk drive starts humming really loud (which it never does) and random programs show up as over-utilized. Right now I'm running a full Windows Defender scan but suspect it won't help me, and I really want this to be over...


#2 Vivalas

Posted 20 November 2015 - 06:29 PM

Using Process Monitor I found a suspicious folder called catroot in System32 using insane amounts of file operations, also with eccentric folder names such as "????????????????????" and random alphanumeric hashes/strings, very suspicious.



#3 Aura

Malware Response Team

Posted 20 November 2015 - 07:13 PM

Hi Vivalas :)

My name is Aura and I'll be assisting you with your issue.

Using Process Monitor I found a suspicious folder called catroot in System32 using insane amounts of file operations, also with eccentric folder names such as "????????????????????" and random alphanumeric hashes/strings, very suspicious.


The catroot folder (and the catroot2 folder as well) is totally legitimate, as are the files in it. I suggest you not mess with it if you don't want to be forced to reinstall Windows or run a Repair Install.

Follow the instructions below please.

MiniToolBox
  • Download MiniToolBox and move the file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:
  • Download Autoruns.zip from the Sysinternals Suite webpage;
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator;
  • Accept the EULA on opening, then wait for all the entries to load;
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file;
  • Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;
On a side note, once you recover your Steam account (you can start the process from another computer), I suggest you enable SteamGuard on it to prevent that situation from occurring again.

https://support.steampowered.com/kb_article.php?ref=4020-ALZM-5519

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
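An added example, not code from the thread or from MiniToolBox: a small Python parser for the "Event log errors" and "Installed Programs" sections that the options above produce, so that a run of crashes from one binary or an install with no publisher can be tallied rather than read by eye. The embedded sample log is constructed in the tool's layout; its program names, versions and GUIDs are placeholders.

```python
"""Parse a MiniToolBox log's 'Event log errors' and 'Installed Programs' sections.
Added example, not MiniToolBox code; SAMPLE_LOG is constructed in the tool's layout."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Section banner, e.g. "========================= Event log errors: =========="
SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=]+?):?\s*=+\s*$")
# "Error: (11/20/2015 10:40:06 AM) (Source: Application Error) (User: )"
ERROR_RE = re.compile(r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\)\s*\(User: [^)]*\)")
# "Name (HKLM-x32\...\Key) (Version: 1.0 - Publisher) Hidden"
PROGRAM_RE = re.compile(
    r"^(?P<name>.+?) \((?P<hive>HKLM-x32|HKLM|HKCU)\\\.\.\.\\(?P<key>.+?)\) "
    r"\(Version: (?P<version>.*?) - (?P<publisher>.*?)\)(?P<hidden> Hidden)?$")
FAULT_RE = re.compile(r"Faulting application name: (?P<app>[^,]+),")

@dataclass
class LogError:
    category: str          # "Application errors", "System errors", ...
    timestamp: datetime
    source: str
    description: str       # description lines joined with spaces

@dataclass
class Program:
    name: str
    hive: str              # HKLM, HKLM-x32 or HKCU (per-user install)
    key: str
    version: str
    publisher: str
    hidden: bool

def parse_minitoolbox(text):
    """Return (errors, programs) parsed from the text of a MiniToolBox log."""
    errors, programs = [], []
    section = category = ""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        banner = SECTION_RE.match(line)
        if banner:
            section, category = banner.group("title").strip(), ""
        elif section == "Event log errors":
            if re.fullmatch(r"[A-Za-z ]+:", line):
                category = line[:-1]       # sub-heading such as "System errors:"
            elif (m := ERROR_RE.match(line)):
                desc = []                  # description runs to the next blank line
                i += 1
                while i < len(lines) and lines[i].strip():
                    desc.append(lines[i].strip())
                    i += 1
                errors.append(LogError(
                    category,
                    datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
                    m.group("source"),
                    " ".join(desc).removeprefix("Description: ")))
                continue                   # i already points past this entry
        elif section == "Installed Programs":
            if (m := PROGRAM_RE.match(line)):
                programs.append(Program(*m.group("name", "hive", "key", "version",
                                                 "publisher"), m.group("hidden") is not None))
        i += 1
    return errors, programs

def errors_by_source(errors):
    """Entries per (category, source): one binary crashing all morning stands out."""
    return Counter((e.category, e.source) for e in errors)

def faulting_apps(errors):
    """Which binaries produced the 'Application Error' crash entries."""
    apps = Counter()
    for e in errors:
        if (m := FAULT_RE.search(e.description)):
            apps[m.group("app")] += 1
    return apps

SAMPLE_LOG = r"""
========================= Event log errors: ===============================
Application errors:
==================
Error: (11/20/2015 10:40:06 AM) (Source: Application Error) (User: )
Description: Faulting application name: example.exe, version: 1.2.3.4, time stamp: 0x5637b8ef
Exception code: 0xc0000005
 
Error: (11/20/2015 09:52:18 AM) (Source: Application Error) (User: )
Description: Faulting application name: example.exe, version: 1.2.3.4, time stamp: 0x5637b8ef
 
System errors:
=============
Error: (11/20/2015 06:11:22 PM) (Source: cdrom) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
=========================== Installed Programs ============================
Example Game (HKLM-x32\...\Steam App 12345) (Version:  - Example Studio)
Example Tool (HKCU\...\Example Tool) (Version: 7.9.5 - Example Inc.)
Unnamed Package (HKLM\...\{00000000-0000-4000-8000-000000000001}.sdb) (Version:  - )
Helper Runtime (HKLM-x32\...\{00000000-0000-4000-8000-000000000002}) (Version: 15.4.2368.0902 - Microsoft) Hidden
"""
```

Feed it the pasted log text and compare errors_by_source() against the timestamps to see whether a crash loop coincides with the slowdown being reported.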


#4 Vivalas

Posted 20 November 2015 - 07:30 PM

MiniToolBox by Farbar  Version: 02-11-2015
Ran by Tyr Pett (administrator) on 20-11-2015 at 18:23:39
Running from "C:\Users\Tyr Pett\Desktop"
Microsoft Windows 8.1  (X64)
Model: Inspiron 3847 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
========================= IP Configuration: ================================
 
Realtek PCIe GBE Family Controller = Ethernet (Connected)
Dell Wireless 1705 802.11b/g/n (2.4GHZ) = Wi-Fi (Media disconnected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Bluetooth Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : supreme-pc
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : AC-D1-B8-1D-75-7C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Local Area Connection* 3:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 1E-D1-B8-1D-75-7B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wi-Fi:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Dell Wireless 1705 802.11b/g/n (2.4GHZ)
   Physical Address. . . . . . . . . : AC-D1-B8-1D-75-7B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : B0-83-FE-7F-96-49
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1167:91e6:b556:59dc%3(Preferred) 
   IPv4 Address. . . . . . . . . . . : 172.16.0.10(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, November 20, 2015 4:53:02 PM
   Lease Expires . . . . . . . . . . : Sunday, December 20, 2015 4:53:01 PM
   Default Gateway . . . . . . . . . : 172.16.0.1
   DHCP Server . . . . . . . . . . . : 172.16.0.1
   DHCPv6 IAID . . . . . . . . . . . : 61899774
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-63-8C-CD-B0-83-FE-7F-96-49
   DNS Servers . . . . . . . . . . . : 172.16.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{810423BA-42DD-4B6D-B16E-C0F9BE71C1A4}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:2041:1f74:53ef:fff5(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::2041:1f74:53ef:fff5%10(Preferred) 
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 369098752
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-63-8C-CD-B0-83-FE-7F-96-49
   NetBIOS over Tcpip. . . . . . . . : Disabled
1.0.16.172.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial  = 1
refresh = 600 (10 mins)
retry   = 1200 (20 mins)
expire  = 604800 (7 days)
default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  172.16.0.1
 
Name:    google.com
Addresses:  2607:f8b0:4000:808::1003
 173.194.115.41
 173.194.115.36
 173.194.115.32
 173.194.115.37
 173.194.115.46
 173.194.115.39
 173.194.115.33
 173.194.115.38
 173.194.115.35
 173.194.115.34
 173.194.115.40
 
 
Pinging google.com [173.194.115.39] with 32 bytes of data:
Reply from 173.194.115.39: bytes=32 time=17ms TTL=51
Reply from 173.194.115.39: bytes=32 time=20ms TTL=51
 
Ping statistics for 173.194.115.39:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 20ms, Average = 18ms
1.0.16.172.in-addr.arpa
primary name server = localhost
responsible mail addr = nobody.invalid
serial  = 1
refresh = 600 (10 mins)
retry   = 1200 (20 mins)
expire  = 604800 (7 days)
default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  172.16.0.1
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
 2001:4998:58:c02::a9
 2001:4998:c:a06::2:4008
 206.190.36.45
 98.139.183.24
 98.138.253.109
 
 
Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=74ms TTL=42
Reply from 206.190.36.45: bytes=32 time=75ms TTL=42
 
Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 74ms, Maximum = 75ms, Average = 74ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  8...ac d1 b8 1d 75 7c ......Bluetooth Device (Personal Area Network)
  5...1e d1 b8 1d 75 7b ......Microsoft Wi-Fi Direct Virtual Adapter
  4...ac d1 b8 1d 75 7b ......Dell Wireless 1705 802.11b/g/n (2.4GHZ)
  3...b0 83 fe 7f 96 49 ......Realtek PCIe GBE Family Controller
  1...........................Software Loopback Interface 1
  6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 10...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.0.1      172.16.0.10     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0    255.255.255.0         On-link       172.16.0.10    266
      172.16.0.10  255.255.255.255         On-link       172.16.0.10    266
     172.16.0.255  255.255.255.255         On-link       172.16.0.10    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       172.16.0.10    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       172.16.0.10    266
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 10    306 ::/0                     On-link
  1    306 ::1/128                  On-link
 10    306 2001::/32                On-link
 10    306 2001:0:5ef5:79fb:2041:1f74:53ef:fff5/128
                                    On-link
  3    266 fe80::/64                On-link
 10    306 fe80::/64                On-link
  3    266 fe80::1167:91e6:b556:59dc/128
                                    On-link
 10    306 fe80::2041:1f74:53ef:fff5/128
                                    On-link
  1    306 ff00::/8                 On-link
  3    266 ff00::/8                 On-link
 10    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (11/20/2015 05:13:37 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.FlightSimulator.SimConnect&#x20;,processorArchitecture="x86",publicKeyToken="67c7c14424d61b5b",type="win32",version="10.0.60905.0"1".
Dependent Assembly Microsoft.FlightSimulator.SimConnect&#x20;,processorArchitecture="x86",publicKeyToken="67c7c14424d61b5b",type="win32",version="10.0.60905.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (11/20/2015 10:40:06 AM) (Source: Application Error) (User: )
Description: Faulting application name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Faulting module name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Exception code: 0xc0000005
Fault offset: 0x000e53a9
Faulting process id: 0x21c8
Faulting application start time: 0xWRSA.exe0
Faulting application path: WRSA.exe1
Faulting module path: WRSA.exe2
Report Id: WRSA.exe3
Faulting package full name: WRSA.exe4
Faulting package-relative application ID: WRSA.exe5
 
Error: (11/20/2015 09:52:18 AM) (Source: Application Error) (User: )
Description: Faulting application name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Faulting module name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Exception code: 0xc0000005
Fault offset: 0x000e53a9
Faulting process id: 0x28e8
Faulting application start time: 0xWRSA.exe0
Faulting application path: WRSA.exe1
Faulting module path: WRSA.exe2
Report Id: WRSA.exe3
Faulting package full name: WRSA.exe4
Faulting package-relative application ID: WRSA.exe5
 
Error: (11/20/2015 09:32:52 AM) (Source: Application Error) (User: )
Description: Faulting application name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Faulting module name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Exception code: 0xc0000005
Fault offset: 0x000e53a9
Faulting process id: 0x1244
Faulting application start time: 0xWRSA.exe0
Faulting application path: WRSA.exe1
Faulting module path: WRSA.exe2
Report Id: WRSA.exe3
Faulting package full name: WRSA.exe4
Faulting package-relative application ID: WRSA.exe5
 
Error: (11/20/2015 09:31:32 AM) (Source: Application Error) (User: )
Description: Faulting application name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Faulting module name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Exception code: 0xc0000005
Fault offset: 0x000e53a9
Faulting process id: 0x20f4
Faulting application start time: 0xWRSA.exe0
Faulting application path: WRSA.exe1
Faulting module path: WRSA.exe2
Report Id: WRSA.exe3
Faulting package full name: WRSA.exe4
Faulting package-relative application ID: WRSA.exe5
 
Error: (11/20/2015 09:29:48 AM) (Source: Application Error) (User: )
Description: Faulting application name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Faulting module name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Exception code: 0xc0000005
Fault offset: 0x000e53a9
Faulting process id: 0x1d4
Faulting application start time: 0xWRSA.exe0
Faulting application path: WRSA.exe1
Faulting module path: WRSA.exe2
Report Id: WRSA.exe3
Faulting package full name: WRSA.exe4
Faulting package-relative application ID: WRSA.exe5
 
Error: (11/20/2015 09:27:37 AM) (Source: Application Error) (User: )
Description: Faulting application name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Faulting module name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Exception code: 0xc0000005
Fault offset: 0x000e53a9
Faulting process id: 0x1d5c
Faulting application start time: 0xWRSA.exe0
Faulting application path: WRSA.exe1
Faulting module path: WRSA.exe2
Report Id: WRSA.exe3
Faulting package full name: WRSA.exe4
Faulting package-relative application ID: WRSA.exe5
 
Error: (11/20/2015 09:26:42 AM) (Source: Application Error) (User: )
Description: Faulting application name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Faulting module name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Exception code: 0xc0000005
Fault offset: 0x000e53a9
Faulting process id: 0x260
Faulting application start time: 0xWRSA.exe0
Faulting application path: WRSA.exe1
Faulting module path: WRSA.exe2
Report Id: WRSA.exe3
Faulting package full name: WRSA.exe4
Faulting package-relative application ID: WRSA.exe5
 
Error: (11/20/2015 09:25:46 AM) (Source: Application Error) (User: )
Description: Faulting application name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Faulting module name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Exception code: 0xc0000005
Fault offset: 0x000e53a9
Faulting process id: 0x274c
Faulting application start time: 0xWRSA.exe0
Faulting application path: WRSA.exe1
Faulting module path: WRSA.exe2
Report Id: WRSA.exe3
Faulting package full name: WRSA.exe4
Faulting package-relative application ID: WRSA.exe5
 
Error: (11/20/2015 09:22:44 AM) (Source: Application Error) (User: )
Description: Faulting application name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Faulting module name: WRSA.exe, version: 9.0.6.14, time stamp: 0x5637b8ef
Exception code: 0xc0000005
Fault offset: 0x000e53a9
Faulting process id: 0x2118
Faulting application start time: 0xWRSA.exe0
Faulting application path: WRSA.exe1
Faulting module path: WRSA.exe2
Report Id: WRSA.exe3
Faulting package full name: WRSA.exe4
Faulting package-relative application ID: WRSA.exe5
 
 
System errors:
=============
Error: (11/20/2015 06:11:22 PM) (Source: cdrom) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (11/20/2015 06:11:12 PM) (Source: cdrom) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (11/20/2015 06:11:05 PM) (Source: cdrom) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (11/20/2015 06:10:58 PM) (Source: cdrom) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (11/20/2015 05:16:39 PM) (Source: cdrom) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (11/20/2015 04:52:58 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 4:03:11 PM on ‎11/‎20/‎2015 was unexpected.
 
Error: (11/20/2015 01:23:11 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 12:48:18 PM on ‎11/‎20/‎2015 was unexpected.
 
Error: (11/20/2015 11:30:12 AM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
 
Error: (11/20/2015 08:25:54 AM) (Source: BTHUSB) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
 
Error: (11/19/2015 04:59:52 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 2:26:42 PM on ‎11/‎19/‎2015 was unexpected.
 
 
Microsoft Office Sessions:
=========================
Error: (11/20/2015 05:13:37 PM) (Source: SideBySide)(User: )
Description: Microsoft.FlightSimulator.SimConnect&#x20;,processorArchitecture="x86",publicKeyToken="67c7c14424d61b5b",type="win32",version="10.0.60905.0"C:\Program Files (x86)\Microsoft Games\Microsoft Flight Simulator X\Kiosk.exe
 
Error: (11/20/2015 10:40:06 AM) (Source: Application Error)(User: )
Description: WRSA.exe9.0.6.145637b8efWRSA.exe9.0.6.145637b8efc0000005000e53a921c801d123b21ca09fbcC:\Program Files\Webroot\WRSA.exeC:\Program Files\Webroot\WRSA.exe5a688fc8-8fa5-11e5-8283-acd1b81d757c
 
Error: (11/20/2015 09:52:18 AM) (Source: Application Error)(User: )
Description: WRSA.exe9.0.6.145637b8efWRSA.exe9.0.6.145637b8efc0000005000e53a928e801d123ab6f3d495fC:\Program Files\Webroot\WRSA.exeC:\Program Files\Webroot\WRSA.exead108575-8f9e-11e5-8283-acd1b81d757c
 
Error: (11/20/2015 09:32:52 AM) (Source: Application Error)(User: )
Description: WRSA.exe9.0.6.145637b8efWRSA.exe9.0.6.145637b8efc0000005000e53a9124401d123a8b87fd10dC:\Program Files\Webroot\WRSA.exeC:\Program Files\Webroot\WRSA.exef64e2a97-8f9b-11e5-8283-acd1b81d757c
 
Error: (11/20/2015 09:31:32 AM) (Source: Application Error)(User: )
Description: WRSA.exe9.0.6.145637b8efWRSA.exe9.0.6.145637b8efc0000005000e53a920f401d123a888693367C:\Program Files\Webroot\WRSA.exeC:\Program Files\Webroot\WRSA.exec63b8595-8f9b-11e5-8283-acd1b81d757c
 
Error: (11/20/2015 09:29:48 AM) (Source: Application Error)(User: )
Description: WRSA.exe9.0.6.145637b8efWRSA.exe9.0.6.145637b8efc0000005000e53a91d401d123a84abacf32C:\Program Files\Webroot\WRSA.exeC:\Program Files\Webroot\WRSA.exe888e5a10-8f9b-11e5-8283-acd1b81d757c
 
Error: (11/20/2015 09:27:37 AM) (Source: Application Error)(User: )
Description: WRSA.exe9.0.6.145637b8efWRSA.exe9.0.6.145637b8efc0000005000e53a91d5c01d123a7fc79ed2fC:\Program Files\Webroot\WRSA.exeC:\Program Files\Webroot\WRSA.exe3a433d0d-8f9b-11e5-8283-acd1b81d757c
 
Error: (11/20/2015 09:26:42 AM) (Source: Application Error)(User: )
Description: WRSA.exe9.0.6.145637b8efWRSA.exe9.0.6.145637b8efc0000005000e53a926001d123a7dbeb5982C:\Program Files\Webroot\WRSA.exeC:\Program Files\Webroot\WRSA.exe19b3227a-8f9b-11e5-8283-acd1b81d757c
 
Error: (11/20/2015 09:25:46 AM) (Source: Application Error)(User: )
Description: WRSA.exe9.0.6.145637b8efWRSA.exe9.0.6.145637b8efc0000005000e53a9274c01d123a7ba699af7C:\Program Files\Webroot\WRSA.exeC:\Program Files\Webroot\WRSA.exef840d007-8f9a-11e5-8283-acd1b81d757c
 
Error: (11/20/2015 09:22:44 AM) (Source: Application Error)(User: )
Description: WRSA.exe9.0.6.145637b8efWRSA.exe9.0.6.145637b8efc0000005000e53a9211801d123a74de73ebbC:\Program Files\Webroot\WRSA.exeC:\Program Files\Webroot\WRSA.exe8bba061e-8f9a-11e5-8283-acd1b81d757c
 
 
CodeIntegrity Errors:
===================================
  Date: 2015-06-03 04:12:01.182
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-06-03 04:12:01.138
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-06-03 04:12:01.087
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-06-03 04:12:01.043
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-06-03 04:12:01.000
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-06-03 04:12:00.956
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-06-03 04:12:00.914
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-06-03 04:12:00.872
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-06-03 04:12:00.826
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-06-03 04:12:00.777
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\WINDOWS\System32\wow64.dll because the set of per-page image hashes could not be found on the system.
 
 
=========================== Installed Programs ============================
 
Aces High (remove only) (HKLM-x32\...\Aces High) (Version: Version 2.32 Patch 2 - Hitech Creations, Inc.)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 3.3.0.151 - Adobe Systems Incorporated)
Adobe Flash Professional CC 2015 (HKLM-x32\...\{31390329-FFF0-11E4-85AD-AF2C4143F080}) (Version: 15.0 - Adobe Systems Incorporated)
AirBuccaneers (HKLM-x32\...\Steam App 223630) (Version:  - LudoCraft Ltd.)
AirPort (HKLM-x32\...\{AA68AAAE-41F0-40B5-8896-5947F5FD6889}) (Version: 5.6.1.2 - Apple Inc.)
alien_crossfire (HKLM\...\{fa451eea-8a73-486b-9ea0-9628c2c2c3ad}.sdb) (Version:  - )
alpha_centauri (HKLM\...\{fe81cd48-2ed2-4e7d-886c-b65767350095}.sdb) (Version:  - )
Amazon 1Button App (HKLM-x32\...\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}) (Version: 1.0.0.4 - Amazon)
America's Army 3 (HKLM-x32\...\Steam App 13140) (Version:  - U.S. Army)
Analyseur et SDK MSXML 4.0 SP2 (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Arma 2 (HKLM-x32\...\Steam App 33910) (Version:  - Bohemia Interactive)
AssaultCube v1.2.0.2 (HKLM-x32\...\AssaultCube) (Version: 1.2.0.2 - )
Avidemux 2.6 - 64 bits (HKLM-x32\...\Avidemux 2.6 - 64 bits (64-bit)) (Version: 2.6.10.150607 - )
Battle for Wesnoth 1.12.4 (HKLM-x32\...\Battle for Wesnoth 1.12.4) (Version: 1.12.4 - )
Battleground Europe (HKLM-x32\...\{BCA70BBE-EACC-49F4-AC9A-1DFE4E55F739}_is1) (Version: 1.34.10.255 - Playnet Inc.)
BattlEye Uninstall (HKLM-x32\...\BattlEye for A2) (Version:  - )
BitTorrent (HKCU\...\BitTorrent) (Version: 7.9.5.41203 - BitTorrent Inc.)
BlitzPlus 1.47 (HKLM-x32\...\BlitzPlus_is1) (Version:  - Blitz Research Ltd)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
BYOND (HKLM-x32\...\BYOND) (Version: 508.1299 - BYOND)
Cheat Engine 6.4 (HKLM-x32\...\Cheat Engine 6.4_is1) (Version:  - Cheat Engine)
Cities Skylines (HKLM-x32\...\Cities Skylines_is1) (Version: 1.0 - Релиз от R.G. Steamgames)
Civilization III (HKLM-x32\...\{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}) (Version:  - )
Command Modern Air Naval Operations (HKLM-x32\...\Command Modern Air Naval Operations1.00) (Version: 1.00 - Matrix Games)
CyberLink Media Suite Essentials (HKLM-x32\...\InstallShield_{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}) (Version: 10.0 - CyberLink Corp.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Dangerous Waters (HKLM-x32\...\Dangerous Waters_is1) (Version: 1.0 - Strategy First Inc.)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.7.5.60 - Dell Inc.)
Dell Customer Connect (HKLM-x32\...\{FEFDCDCF-C49C-45D0-AAF8-5345858ADEC7}) (Version: 1.2.1.0 - Dell Inc.)
Dell Data Services (HKLM\...\{815D96BA-2FC6-4F61-9BE3-2CFE446E8ECF}) (Version: 1.2.7.0 - Dell Inc.)
Dell Data Vault (HKLM\...\{2E55EEFD-2162-4A7D-9158-EDB0305603A6}) (Version: 4.2.2.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{BC8233D8-59BA-4D40-92B9-4FDE7452AA8B}) (Version: 3.0.3999.0 - Dell Products, LP)
Dell Foundation Services (HKLM\...\{B1714996-891A-43D2-8B83-CCFB2EC53978}) (Version: 2.3.3800.0 - Dell Inc.)
Dell Product Registration (HKLM-x32\...\{24F2AD94-CC1B-4294-B184-D4D31A3186A7}) (Version: 2.42.0012 - Aviata Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.1.6664.93 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{287348C8-8B47-4C36-AF28-441A3B7D8722}) (Version: 1.0.2.57295 - Dell)
Dell Update (HKLM-x32\...\{DB82968B-57A4-4397-81A5-ECAB21B5DFCD}) (Version: 1.7.1015.0 - Dell Inc.)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
Democracy 3 (HKLM-x32\...\GOGPACKDEMOCRACY3_is1) (Version: 2.0.0.3 - GOG.com)
Door Kickers (HKLM-x32\...\1207666463_is1) (Version: 2.0.0.1 - GOG.com)
Dropbox 20 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 0.9.0 - Dropbox, Inc.)
Dual-Core Optimizer (HKLM-x32\...\{9FD6F1A8-5550-46AF-8509-271DF0E768B5}) (Version: 1.1.4.0169 - AMD)
Explorer Suite IV (HKLM\...\Explorer Suite_is1) (Version:  - )
Factorio version 0.11.19 (HKLM\...\Factorio_is1) (Version:  - )
Finale 2014d DEMO (HKLM-x32\...\Finale 2014) (Version: 2014.4.5030.0 - MakeMusic)
GameTracker Lite (HKLM-x32\...\GameTracker Lite) (Version:  - ClanServers Hosting LLC.)
GitHub (HKCU\...\5f7eb300e2ea4ebf) (Version: 3.0.7.1 - GitHub, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 46.0.2490.86 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.15 - Google Inc.) Hidden
Gunpoint Exclusive Edition 1.0 (HKLM-x32\...\Gunpoint Exclusive Edition 1.0) (Version: 1.0 - Focus Home Interactive)
GWX3 files for SH3 Commander 3.2 (HKLM-x32\...\{F33E8E65-2FCC-4F6B-9191-3B9F68392866}_is1) (Version:  - )
Gyazo 3.1.6 (HKLM-x32\...\{6DB8C365-E719-4BA5-9594-10DFC244D3FD}_is1) (Version:  - Nota Inc.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.23.1766 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3412 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Java 8 Update 65 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418065F0}) (Version: 8.0.650.17 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.203 - McAfee, Inc.)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}) (Version: 3.5.92.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM-x32\...\{67F42018-F647-4D3C-BE62-F8CB4FE2FCD5}) (Version: 3.5.67.0 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
Moonbase Alpha (HKLM-x32\...\Steam App 39000) (Version:  - Virtual Heroes)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
MUSHclient (remove only) (HKLM-x32\...\MUSHclient) (Version:  - )
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.8.3 - Notepad++ Team)
NVIDIA PhysX v8.10.29 (HKLM-x32\...\{D56B0E27-4A3E-46C9-B5C1-D93D580C099C}) (Version: 8.10.29 - NVIDIA Corporation)
Open Broadcaster Software (HKLM-x32\...\Open Broadcaster Software) (Version:  - )
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
OpenTTD 1.5.2 (HKLM-x32\...\OpenTTD) (Version: 1.5.2 - OpenTTD)
Paintball2 Alpha build 40 (HKLM-x32\...\Paintball2) (Version: Alpha build 40 - Digital Paint)
Papers Please version 1.1.60-S (HKLM-x32\...\Papers Please_is1) (Version: 1.1.60-S - )
PlanetSide 2 (HKCU\...\SOE-PlanetSide 2) (Version: 1.0.3.183 - Sony Online Entertainment)
PowerISO (HKLM-x32\...\PowerISO) (Version: 6.3 - Power Software Ltd)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.989 - Even Balance, Inc.)
Python 3.4 PyYAML-3.11 (HKCU\...\PyYAML-py3.4) (Version:  - )
Python 3.4.3 (HKLM-x32\...\{CCD588A7-8D55-49F1-A30C-47FAB40889ED}) (Version: 3.4.16490 - Python Software Foundation)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.304 - Qualcomm Atheros Communications)
RAR Password Unlocker 4.2.0.0 (HKLM-x32\...\{B789FA51-6A71-408F-92DE-EDE4A517B8F9}_is1) (Version:  - Password Unlocker Studio)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.30164 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7016 - Realtek Semiconductor Corp.)
Red Faction Guerrilla (HKLM-x32\...\{A357EF4C-2B6F-4980-ACA9-B1E42A74D7F3}) (Version: 1.00.0000 - Volition Inc.) Hidden
Red Faction Guerrilla (HKLM-x32\...\InstallShield_{A357EF4C-2B6F-4980-ACA9-B1E42A74D7F3}) (Version: 1.00.0000 - Volition Inc.)
ROBLOX Player for Tyr Pett (HKCU\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - ROBLOX Corporation)
ROBLOX Studio for Tyr Pett (HKCU\...\{2922D6F1-2865-4EFA-97A9-94EEAB3AFA14}) (Version:  - ROBLOX Corporation)
Robocraft version 0.3.290 (HKCU\...\{9F101691-69D3-422E-BB5C-8CAD7110781B}_is1) (Version: 0.3.290 - Freejam)
Rodina (HKLM-x32\...\{6205AFEF-A443-48AA-8380-74AED8688586}) (Version: 1.1.5 - Elliptic Games)
SH3 Commander 3.2 (HKLM-x32\...\SH3 Commander_is1) (Version: 3.2 - JoneSoft)
Sid Meier's Alpha Centauri (HKLM-x32\...\GOGPACKSIDMEIERSALPHACENTAURI_is1) (Version: 2.0.2.23 - GOG.com)
Skype™ 7.14 (HKLM-x32\...\{6A0549A9-1B96-498C-ACBC-3943001FEB19}) (Version: 7.14.104 - Skype Technologies S.A.)
Source Filmmaker (HKLM-x32\...\Steam App 1840) (Version:  - Valve)
Space Engineers (HKLM-x32\...\Steam App 244850) (Version:  - Keen Software House)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
SWAT 4 (HKLM-x32\...\{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}) (Version: 1.0.31763 - Sierra Entertainment, Inc.) Hidden
SWAT 4 (HKLM-x32\...\InstallShield_{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8}) (Version: 1.0.31763 - Sierra Entertainment, Inc.)
Team Fortress 2 (HKLM-x32\...\Steam App 440) (Version:  - Valve)
The Masterplan (HKLM-x32\...\VGhlTWFzdGVycGxhbg==_is1) (Version: 1 - )
Tremulous 1.1.0 (HKLM-x32\...\Tremulous) (Version:  - )
Windforge (HKLM-x32\...\V2luZGZvcmdl_is1) (Version: 1 - )
Windows Essentials Codec Pack 5.0 (HKLM-x32\...\Windows Essentials Codec Pack) (Version: 5.0 - Windows Essentials Codec Pack)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WinRAR 5.21 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
World of Warships (HKCU\...\{1EAC1D02-C6AC-4FA6-9A44-96258C37C814na}_is1) (Version:  - Wargaming.net)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 58%
Total physical RAM: 8108.94 MB
Available physical RAM: 3387.78 MB
Total Virtual: 22188.94 MB
Available Virtual: 2742.03 MB
 
========================= Partitions: =====================================
 
1 Drive c: (OS) (Fixed) (Total:921.9 GB) (Free:622.17 GB) NTFS
3 Drive e: (DISK1) (CDROM) (Total:0.6 GB) (Free:0 GB) CDFS
4 Drive x: (WINRETOOLS) (Fixed) (Total:0.73 GB) (Free:0.46 GB) NTFS
5 Drive y: (PBR Image) (Fixed) (Total:8.23 GB) (Free:0.73 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\SUPREME-PC
 
Administrator            Christina                Guest                    
Tyr Pett                 
 
 
**** End of log ****
 
 
Will get the other log soon, thanks for the quick reply.


#5 Vivalas
Topic Starter, Members, 12 posts, Local time: 05:50 AM

Posted 20 November 2015 - 07:42 PM

http://www.mediafire.com/download/84z2v9yfhydsaf7/SUPREME-PC.arn



#6 Vivalas
Topic Starter, Members, 12 posts, Local time: 05:50 AM

Posted 20 November 2015 - 07:55 PM

Another suspicious thing proc mon found was various suspicious files in drive K:\ (which I don't even have) and also in some \device directory, which shows up there if it helps.

 

 

Said \device directory contains multiple files with weird names, including some with Chinese characters.


Edited by Vivalas, 20 November 2015 - 07:56 PM.


#7 Aura
Bleepin' Special Ops, Malware Response Team, 19,697 posts, Gender: Male, Local time: 06:50 AM

Posted 20 November 2015 - 08:39 PM

Did you have Webroot installed at any point on your system? I don't see it listed as an installed program, but it triggers events in your Event Viewer, since one of its executables fails to launch properly.

Might have answered my question with this entry in Autoruns. Delete it please (right-click on it and select Delete. Autoruns must be launched as an Admin in order for that to work).
[screenshot of the Autoruns entry]

Also, if you take a look in your Task Manager, can you see what program(s)/process(es) is/are at the top of the Disk Usage column?

Edited by Aura, 20 November 2015 - 08:39 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 Vivalas
Topic Starter, Members, 12 posts, Local time: 05:50 AM

Posted 20 November 2015 - 09:36 PM

Yeah, it was my antivirus for some time until it expired, but I left it up and had no protection. I couldn't uninstall it, so I just deleted the .exe from Programs and assume there are some remnants left. Also, whenever my disk is high it's always a different program, sometimes Webroot, sometimes other things; I can't really remember the names of them.



#9 Vivalas
Topic Starter, Members, 12 posts, Local time: 05:50 AM

Posted 20 November 2015 - 09:37 PM

I deleted the autorun, but what is this gathernetworkinfo.vbs script I have in here?
 



#10 Aura
Bleepin' Special Ops, Malware Response Team, 19,697 posts, Gender: Male, Local time: 06:50 AM

Posted 20 November 2015 - 09:40 PM

Please run the Webroot Cleanup Tool to remove every bit of it.

http://www.webroot.com/prodCheck/?pc=64150&origrc=1&oc=221&mjv=7&rel=6&bld=38&lang=en&loc=AUS&kc=ppc%60lkik%5E%5Eafhgpewgfa&opi=2&omj=6&omn=1&osl=en

gathernetworkinfo.vbs is a legitimate Windows file. It comes in the default install. I know the name is sketchy but it's legit :P



#11 Vivalas
Topic Starter, Members, 12 posts, Local time: 05:50 AM

Posted 21 November 2015 - 10:21 AM

Do you mean WRUpgradeTool? It's the only thing I can find on the page. I guess the question now is whether there is actually still malware on my system or if RogueJS/Fakecall.D was the only thing. My Windows Defender scan found some adware and browser hijacks but not really anything else serious.


Edited by Vivalas, 21 November 2015 - 10:21 AM.


#12 Aura
Bleepin' Special Ops, Malware Response Team, 19,697 posts, Gender: Male, Local time: 06:50 AM

Posted 21 November 2015 - 11:50 AM

Yes, use the WRUpgradeTool. Backdoor and stealer trojans are harder to detect in that section, because we can only rely on automated scans. If you want a more in-depth check-up of your system, you'll have to go in the Malware Removal area. If you wish, I can post the instructions on how to proceed.



#13 Vivalas
Topic Starter, Members, 12 posts, Local time: 05:50 AM

Posted 21 November 2015 - 12:00 PM

I would like that, yes. I ran the tool.



#14 Aura
Bleepin' Special Ops, Malware Response Team, 19,697 posts, Gender: Male, Local time: 06:50 AM

Posted 21 November 2015 - 04:17 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.



#15 Vivalas
Topic Starter, Members, 12 posts, Local time: 05:50 AM

Posted 22 November 2015 - 03:41 PM

I actually think the malware is gone now; I'm thinking that Fakecall was the only thing on my system. Thanks though.

