
wuauserv gpsvc trustedinstaller; Control

2 replies to this topic

#1 Sagenova33
  • Members
  • 3 posts

Posted 08 December 2016 - 08:59 AM

Day #10. Casual PC user; I've been through a modem, 2 routers and now am decent with cmd, auditing, local groups, ports, and even the basics of the registry. I bought Bitdefender Box last Friday but their 3rd-party payment company was just as bad as what I assume to be a rootkit or something. Avira didn't pick up anything in a rescue scan and I don't want to download my antivirus on the infected PC. I could write a novel about what's occurred (yesterday I caught a completely false page while logged into the Citi bank app, googled the number and immediately called Citi, who confirmed and wanted the info).


Edited by hamluis, 08 December 2016 - 10:02 AM.
Moved from Win 7 to Am I Infected - Hamluis.

#2 Sagenova33
  • Topic Starter
  • Members
  • 3 posts

Posted 08 December 2016 - 09:03 AM

I'm currently on my phone.. pretty much out of ideas. Any help would be much appreciated. Windows 7 x32 samsung. Will log in and post specs now.

#3 Sagenova33
  • Topic Starter
  • Members
  • 3 posts

Posted 08 December 2016 - 10:44 AM

<System>
  <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
  <EventID Qualifiers="16384">1003</EventID>
  <Version>0</Version>
  <Level>4</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2016-12-08T15:10:17.000000000Z" />
  <EventRecordID>4697</EventRecordID>
  <Correlation />
  <Execution ProcessID="0" ThreadID="0" />
  <Channel>Application</Channel>
  <Computer>Light</Computer>
  <Security />
  </System>
<EventData>
  <Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data>
  <Data>1: 022a1afb-b893-4190-92c3-8f69a49839fb, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 2: 436cef53-8387-4692-bb4a-9492cd82260e, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 3: 57a232fe-0931-48fe-9389-e4586967c661, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 4: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8, 1, 1 [(0 [0xC004E003, 0, 0], [( 1 0xC004F032 0 0 msft:rm/algorithm/bios/4.0 0x00000000 0)(?)( 1 0xC004F032 0 0 msft:rm/algorithm/bios/4.0 0x00000000 0)(?)(?)(?)])(1 )(2 [0x00000000, 0, 1], [(?)( 5 0x00000000 30 32280)( 1 0x00000000 0 0 msft:rm/algorithm/flags/1.0 0x00000000 0)(?)(?)(?)])] 5: 8ec16e01-e86f-415f-b333-1819f4145294, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 6: a0cde89c-3304-4157-b61c-c8ad785d1fad, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 7: ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 8: b2c4b9f6-3ee6-4a2a-a361-64ad3b61ded5, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 9: bba42084-cacd-4ad4-b606-9f3d6c93b2c5, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 10: c619d61c-c2f2-40c3-ab3f-c5924314b0f3, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 11: cfb3e52c-d707-4861-af51-11b27ee6169c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 12: 4a8149bb-7d61-49f4-8822-82c7bf88d64b, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 13: afd5f68f-b70f-4000-a21d-28dbc8be8b07, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]</Data>
  </EventData>
  </Event>
 
<System>
  <Provider Name="NETLOGON" />
  <EventID Qualifiers="0">3095</EventID>
  <Level>2</Level>
  <Task>0</Task>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2016-12-08T15:09:12.000000000Z" />
  <EventRecordID>17197</EventRecordID>
  <Channel>System</Channel>
  <Computer>Light</Computer>
  <Security />
  </System>
  <EventData />
  </Event>

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49166        127.0.0.1:49167        ESTABLISHED
  TCP    127.0.0.1:49167        127.0.0.1:49166        ESTABLISHED
  TCP    192.168.0.3:49169      52.88.223.32:443       ESTABLISHED
  TCP    192.168.0.3:49353      54.230.86.213:443      TIME_WAIT
  TCP    192.168.0.3:49359      104.20.60.209:443      TIME_WAIT
  TCP    192.168.0.3:49360      104.20.60.209:443      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::]:49152             [::]:0                 LISTENING
  TCP    [::]:49153             [::]:0                 LISTENING
  TCP    [::]:49154             [::]:0                 LISTENING
  TCP    [::]:49155             [::]:0                 LISTENING
  TCP    [::]:49156             [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    0.0.0.0:55101          *:*
  UDP    0.0.0.0:59377          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    127.0.0.1:59376        *:*
  UDP    192.168.0.3:68         *:*
  UDP    192.168.0.3:68         *:*
  UDP    192.168.0.3:1900       *:*
  UDP    [::]:500               *:*
  UDP    [::]:4500              *:*
  UDP    [::1]:1900             *:*
  UDP    [::1]:59375            *:*

I found Chinese calligraphy in my registry so I deleted it.
System
    Provider: Name = Microsoft-Windows-DNS-Client, Guid = {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}
    EventID 1014, Version 0, Level 3, Task 0, Opcode 0, Keywords 0x4000000000000000
    TimeCreated: SystemTime = 2016-12-08T10:19:48.260532900Z
    EventRecordID 17026
    Execution: ProcessID 1260, ThreadID 1248
    Channel System, Computer Light
    Security: UserID = S-1-5-20
EventData
    QueryName www.blackviper.com
    AddressLength 16
    Address 02000035D1122F3E0000000000000000
System
    Provider: Name = Microsoft-Windows-Security-SPP, Guid = {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}, EventSourceName = Software Protection Platform Service
    EventID 1003 (Qualifiers 16384), Version 0, Level 4, Task 0, Opcode 0, Keywords 0x80000000000000
    TimeCreated: SystemTime = 2016-12-08T15:50:48.000000000Z
    EventRecordID 4709
    Execution: ProcessID 0, ThreadID 0
    Channel Application, Computer Light
EventData
      55c92734-d682-4d71-983e-d6ec3f16059f       1: 022a1afb-b893-4190-92c3-8f69a49839fb, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 2: 436cef53-8387-4692-bb4a-9492cd82260e, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 3: 57a232fe-0931-48fe-9389-e4586967c661, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 4: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8, 1, 1 [(0 [0xC004E003, 0, 0], [( 1 0xC004F032 0 0 msft:rm/algorithm/bios/4.0 0x00000000 0)(?)( 1 0xC004F032 0 0 msft:rm/algorithm/bios/4.0 0x00000000 0)(?)(?)(?)])(1 )(2 [0x00000000, 0, 1], [(?)( 5 0x00000000 30 32280)( 1 0x00000000 0 0 msft:rm/algorithm/flags/1.0 0x00000000 0)(?)(?)(?)])] 5: 8ec16e01-e86f-415f-b333-1819f4145294, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 6: a0cde89c-3304-4157-b61c-c8ad785d1fad, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 7: ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 8: b2c4b9f6-3ee6-4a2a-a361-64ad3b61ded5, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 9: bba42084-cacd-4ad4-b606-9f3d6c93b2c5, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 10: c619d61c-c2f2-40c3-ab3f-c5924314b0f3, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 11: cfb3e52c-d707-4861-af51-11b27ee6169c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 12: 4a8149bb-7d61-49f4-8822-82c7bf88d64b, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )] 13: afd5f68f-b70f-4000-a21d-28dbc8be8b07, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]

Edited by Sagenova33, 08 December 2016 - 10:58 AM.
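Post #3 pastes a DNS-Client event 1014 and a netstat listing without a way to read them. The following is an added Python example, written for this page and not anything posted by Sagenova33 or published by BleepingComputer, that decodes the event's Address field (interpreting it as the raw Windows SOCKADDR that event 1014 carries for the resolver that timed out) and sorts the netstat rows into ports open on the network and established connections to non-loopback peers, the two lists a responder compares against what a Windows 7 machine is expected to run. The Address value is copied from the post; the netstat text is a constructed subset of the pasted output.

```python
import ipaddress
import struct

# Copied from the DNS-Client event 1014 (EventRecordID 17026) in post #3.
DNS_EVENT_ADDRESS = "02000035D1122F3E0000000000000000"

# Constructed sample: a subset of the netstat -an output pasted in post #3.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49166        127.0.0.1:49167        ESTABLISHED
  TCP    192.168.0.3:49169      52.88.223.32:443       ESTABLISHED
  TCP    192.168.0.3:49353      54.230.86.213:443      TIME_WAIT
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
  UDP    192.168.0.3:1900       *:*
"""

AF_INET = 2     # Windows address-family values
AF_INET6 = 23


def decode_sockaddr(hex_blob: str) -> dict:
    """Decode the Address blob of DNS-Client event 1014.

    Layout assumed here is the Windows SOCKADDR: a 2-byte family in host
    (little-endian) order, then for AF_INET a 2-byte port in network order
    and 4 address bytes (sockaddr_in); for AF_INET6 the port, a 4-byte
    flow label, then 16 address bytes (sockaddr_in6).
    """
    raw = bytes.fromhex(hex_blob)
    (family,) = struct.unpack_from("<H", raw, 0)
    if family == AF_INET:
        (port,) = struct.unpack_from("!H", raw, 2)
        return {"family": "AF_INET", "port": port,
                "address": str(ipaddress.IPv4Address(raw[4:8]))}
    if family == AF_INET6:
        (port,) = struct.unpack_from("!H", raw, 2)
        return {"family": "AF_INET6", "port": port,
                "address": str(ipaddress.IPv6Address(raw[8:24]))}
    return {"family": family, "port": None, "address": None}


def split_endpoint(endpoint: str):
    """'host:port', '[v6]:port' or '*:*' -> (host, port-or-None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    """Parse netstat -an rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def triage(rows: list) -> dict:
    """Ports reachable from the network (TCP LISTENING plus every UDP
    socket) and established TCP connections to non-loopback peers."""
    listening = sorted({(r["proto"], r["lport"]) for r in rows
                        if r["state"] == "LISTENING" or r["proto"] == "UDP"})
    remote_peers = sorted({(r["fhost"], r["fport"]) for r in rows
                           if r["state"] == "ESTABLISHED"
                           and not ipaddress.ip_address(r["fhost"]).is_loopback})
    return {"listening": listening, "remote_peers": remote_peers}


if __name__ == "__main__":
    print("DNS server that timed out:", decode_sockaddr(DNS_EVENT_ADDRESS))
    summary = triage(parse_netstat(NETSTAT_SAMPLE))
    print("Open ports:", summary["listening"])
    print("Remote peers:", summary["remote_peers"])
```

The decoded resolver (an AF_INET address on port 53) is the DNS server the client was configured to use when www.blackviper.com failed to resolve, so it can be checked directly against the DNS settings on the router or from the ISP rather than guessed at from the hex. On the netstat side, TCP 135 (RPC endpoint mapper), TCP 445 (SMB) and the 49152-49156 dynamic RPC ports in the pasted listing are standard Windows 7 listeners; the established peers on port 443 are the entries worth identifying, and the parser keeps each one only once however many rows it appears in.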
