
Processes keep getting injected


19 replies to this topic

#1 Trave160

Trave160

  • Members
  • 78 posts

Posted 20 August 2016 - 07:18 AM

My computer is acting sloppy and lags opening apps or switching tabs; even my mouse feels heavy when I am dragging the cursor.

So I used Roguekiller and this is what I keep getting :
 

RogueKiller V12.4.4.0 (x64) [Aug 16 2016] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : TravisLester [Administrator]
Started from : C:\Users\TravisLester\Downloads\Programs\RogueKillerX64_2.exe
Mode : Scan -- Date : 08/20/2016 17:36:03
 
¤¤¤ Processes : 16 ¤¤¤
[Proc.Injected] notepad.exe(10920) -- C:\Windows\System32\notepad.exe[-] -> Found
[Proc.Injected] PING.EXE(10164) -- C:\Windows\System32\PING.EXE[-] -> Found
[Proc.Injected] conhost.exe(6496) -- C:\Windows\System32\conhost.exe[-] -> Found
[Proc.Injected] dllhost.exe(11032) -- C:\Windows\System32\dllhost.exe[7] -> Found
[Proc.Injected] firefox.exe(212) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe[7] -> Found
[Proc.Injected] dllhost.exe(1408) -- C:\Windows\System32\dllhost.exe[7] -> Found
[Proc.Injected] Taskmgr.exe(8368) -- C:\Windows\System32\Taskmgr.exe[7] -> Found
[Proc.Injected] chrome.exe(6444) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Found
[Proc.Injected] chrome.exe(2348) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Found
[Proc.Injected] notepad.exe(9048) -- C:\Windows\System32\notepad.exe[-] -> Found
[Proc.Injected] chrome.exe(10132) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7] -> Found
[Proc.Injected] vlc.exe(7196) -- C:\Program Files (x86)\VideoLAN\VLC\vlc.exe[7] -> Found
[Proc.Injected|VT.Trojan[Backdoor:HEUR]/Win64.AGeneric] rkill_2.exe(3784) -- C:\Users\TravisLester\Downloads\Programs\rkill_2.exe[7] -> Found
[Proc.Injected] conhost.exe(11052) -- C:\Windows\System32\conhost.exe[-] -> Found
[Proc.Injected] rkill_264.exe(10016) -- C:\Users\TravisLester\Downloads\Programs\rkill_264.exe[7] -> Found
[Suspicious.Path|Proc.Injected] utorrentie.exe(2032) -- C:\Users\TravisLester\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe[-] -> Found
 
¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AD9B9E0E-B310-47F5-B641-07646A2A1121} | NameServer : 59.153.100.70 103.230.4.4 ([Bangladesh][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AD9B9E0E-B310-47F5-B641-07646A2A1121} | NameServer : 59.153.100.70 103.230.4.4 ([Bangladesh][-])  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HDS721010CLA630 +++++
--- User ---
[MBR] 220a1cd57e74fbf3ad7a339f82354e97
[BSP] aec103c278ab2a1fe08833d3152f5928 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 102650 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 210948033 | Size: 850866 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WD Elements 10A8 USB Device +++++
--- User ---
[MBR] b9b77c72523e09c8ccaa79ede76a518f
[BSP] c13e2d4368eb099bd8d1ea65c2f1bf42 : Windows Vista/7/8 MBR Code
Partition table:
0 - Microsoft reserved partition | Offset (sectors): 34 | Size: 128 MB
1 - Basic data partition | Offset (sectors): 264192 | Size: 416778 MB
2 - Basic data partition | Offset (sectors): 853825536 | Size: 59649 MB
3 - EFI System Partition | Offset (sectors): 975986688 | Size: 350 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
 
============================================================================================
 
 
Please help

Edited by Trave160, 20 August 2016 - 07:19 AM.
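A defender-side triage helper for a report like the one above, added here as an example and not part of the original thread or of RogueKiller itself: it parses the tagged report lines, separates the per-process injection hits from the registry DNS-server change, and flags any static NameServer that is not on an allowlist you supply. The sample lines are copied from the report posted above, the allowlist is constructed, and the trailing `[n]` bracket value is carried through as reported without interpreting it.

```python
import re

# Constructed sample: four lines copied from the RogueKiller report in this thread.
SAMPLE_REPORT = r"""
[Proc.Injected] notepad.exe(10920) -- C:\Windows\System32\notepad.exe[-] -> Found
[Proc.Injected|VT.Trojan[Backdoor:HEUR]/Win64.AGeneric] rkill_2.exe(3784) -- C:\Users\TravisLester\Downloads\Programs\rkill_2.exe[7] -> Found
[Suspicious.Path|Proc.Injected] utorrentie.exe(2032) -- C:\Users\TravisLester\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe[-] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AD9B9E0E-B310-47F5-B641-07646A2A1121} | NameServer : 59.153.100.70 103.230.4.4 ([Bangladesh][-])  -> Found
"""

# Every finding opens with one or more '|'-separated tags in brackets, then a space.
TAGGED = re.compile(r"^\[(?P<tags>.+?)\] (?P<rest>.*)$")
# Process entries look like: name(pid) -- path[value] -> status
PROC = re.compile(r"^(?P<name>.+?)\((?P<pid>\d+)\) -- (?P<path>.+?)\[(?P<value>[^\]]*)\] -> (?P<status>\w+)$")
# Registry DNS entries carry a space-separated server list before the country tag.
DNS = re.compile(r"NameServer : (?P<servers>[\d. ]+?)\s*\(")


def parse_report(text: str) -> list[dict]:
    """Turn report lines into dicts with 'kind', 'tags' and the fields of that kind."""
    findings = []
    for line in text.splitlines():
        m = TAGGED.match(line.strip())
        if not m:
            continue  # section headers, blank lines and the MBR dump are skipped
        tags = m.group("tags").split("|")
        rest = m.group("rest")
        if "PUM.Dns" in tags:
            d = DNS.search(rest)
            servers = d.group("servers").split() if d else []
            findings.append({"kind": "dns", "tags": tags, "servers": servers})
            continue
        p = PROC.match(rest)
        if p:
            findings.append({"kind": "process", "tags": tags, **p.groupdict()})
    return findings


def injected_processes(findings: list[dict]) -> list[str]:
    """Names of processes tagged Proc.Injected, in report order."""
    return [f["name"] for f in findings
            if f["kind"] == "process" and "Proc.Injected" in f["tags"]]


def unexpected_dns_servers(findings: list[dict], allowlist: set[str]) -> set[str]:
    """Static NameServer entries that are not among the resolvers you sanction."""
    found = {s for f in findings if f["kind"] == "dns" for s in f["servers"]}
    return found - allowlist


def user_profile_processes(findings: list[dict]) -> list[str]:
    """Flagged processes whose image lives under a user profile rather than a system path."""
    return [f["name"] for f in findings if f["kind"] == "process" and "\\Users\\" in f["path"]]
```

Run the three query functions over `parse_report(SAMPLE_REPORT)` with your own resolver allowlist; processes running from a user profile and any off-list DNS server are the findings worth looking at first.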




#2 Trave160

Trave160
  • Topic Starter

  • Members
  • 78 posts

Posted 21 August 2016 - 12:03 AM

Hello? Isn't this forum active anymore? I need help with this.



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 August 2016 - 07:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please run the RogueKiller and fix everything that was reported.
Where required the Default settings will be set.

===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs.

Let me know what problems you are having with this computer.

p.s.
We are all helpers and do this on our own time for free.
Do not bump your topic unless I do not reply within 36 hours.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 August 2016 - 08:58 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 September 2016 - 08:51 AM

This topic has been re-opened at the request of the person who originally posted.

#6 Trave160

Trave160
  • Topic Starter

  • Members
  • 78 posts

Posted 02 September 2016 - 04:47 AM

Here it is

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 September 2016 - 08:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:

HKU\S-1-5-21-2040454022-565477998-2053420067-1001\...\Run: [AdobeBridge] => [X]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [No File]
CHR Extension: (Betternet Unlimited Free VPN Proxy) - C:\Users\TravisLester\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjknjjomckknofjidppipffbpoekiipm [2016-08-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\TravisLester\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-27]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
C:\Users\TravisLester\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjknjjomckknofjidppipffbpoekiipm
C:\Users\TravisLester\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the log and let me know what problem persists.

#8 Trave160

Trave160
  • Topic Starter

  • Members
  • 78 posts

Posted 02 September 2016 - 11:25 AM

Did all this, yet the problems keep coming back. I'm getting this weird flicker on the screen border above with 4 or 6 blue bars. Whenever I restart the PC or sign out or play games they go away.


Edited by Trave160, 02 September 2016 - 12:01 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 September 2016 - 12:25 PM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#10 Trave160

Trave160
  • Topic Starter

  • Members
  • 78 posts

Posted 04 September 2016 - 11:20 PM

Did that, same problem. Also made Windows weaker.

I think if there are no viruses left, I should do a clean reinstallation



#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 September 2016 - 08:00 AM

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

If nothing bad is found it may just be that you need to update some drivers.

Navigate to this page.
http://secunia.com/vulnerability_scanning/personal/

Download and install the Secunia PSI.

Run the application and update all the programs/drivers that need to be updated.

===
p.s.

Secunia will start looking for new updates every time you boot the system.
This is overkill. When all is well you can remove it using the Add/Remove programs applet.


#12 Trave160

Trave160
  • Topic Starter

  • Members
  • 78 posts

Posted 07 September 2016 - 10:16 PM

TDSS found nothing; neither did aswMBR. Here's the report

Attached Files



#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 September 2016 - 08:57 AM

Do you wish to continue checking the system or will you do a clean reinstall?

#14 Trave160

Trave160
  • Topic Starter

  • Members
  • 78 posts

Posted 09 September 2016 - 04:38 AM

Do you wish to continue checking the system or will you do a clean reinstall?

Checking the system. I did an ESET online scan on my D:/ drive, but every time I do that the program's text becomes black-highlighted and it crashes. It found like 5 viruses before it did; I couldn't get the log.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 September 2016 - 09:45 AM

Did you run the Secunia tool and update all the old drivers?



