
Increased Ping from 6-11.


5 replies to this topic

#1 Lorbster

Lorbster

  • Members
  • 4 posts

Posted 19 December 2016 - 06:09 AM

Starting two months ago, from the time of 6-11, my computer has increased in ping when directly connected to the router. Ran Wireshark to see what traffic was going through the computer, but I had no idea what I was looking at. Not sure as to what the cause would be.
I've called my ISP and they said nothing is wrong with the line when I insisted something was up. I'm reaching out in case there is maybe a virus on my computer that could cause such a thing.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 December 2016 - 11:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this old version of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-1380142817-1622158828-245997027-1000\...\Run: [Google Update] => C:\Users\user\AppData\Local\Google\Update\1.3.32.7\GoogleUpdateCore.exe [601752 2016-12-16] (Google Inc.)
HKU\S-1-5-18\...\RunOnce: [SpUninstallDeleteDir] => rmdir /s /q "\SearchProtect"
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1380142817-1622158828-245997027-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Handler: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll No File
FF Plugin: @Apple.com/iTunes,version=1.0 -> D:\iTunes\Mozilla Plugins\npitunes.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [No File]
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\user\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.2.464\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\user\AppData\Local\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Users\user\AppData\Local\Google\Chrome\Application\55.0.2883.87\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\user\AppData\Local\Google\Chrome\Application\55.0.2883.87\pdf.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\14.2.0\\npsitesafety.dll => No File
CHR Plugin: (Java Deployment Toolkit 7.0.510.13) - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll => No File
CHR Plugin: (Java(TM) Platform SE 7 U51) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Google Update) - C:\Users\user\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_214.dll => No File
CHR Plugin: (iTunes Application Detector) - D:\iTunes\Mozilla Plugins\npitunes.dll => No File
CHR Extension: (BetterTTV) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2016-06-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-30]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
S4 HiPatchService; C:\Program Files\Hi-Rez Studios\HiPatchService.exe [X]
S3 iPod Service; "C:\Program Files\iPod\bin\iPodService.exe" [X]
S3 ose; "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" [X]
S2 RalinkRegistryWriter; "C:\Program Files\NETGEAR\WNDA4100\Service\RaRegistry.exe" [X]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
S2 WNDA6200; C:\Program Files\NETGEAR\A6200\WifiService.exe [X]
S3 wpscloudsvr; "C:\Users\user\AppData\Local\kingsoft\WPS Office\wpscloudsvr.exe" LocalService [X]
U0 aswVmm; no ImagePath
S3 athur; system32\DRIVERS\athur.sys [X]
S1 bbrowserboost; \??\C:\Windows\system32\drivers\bbrowserboost.sys [X]
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S2 BDPaHlp; \??\C:\Program Files\Baidu\BrowserProtect\4.2.2.390\drivers\x86\BDPaHlp.sys [X]
S3 catchme; \??\C:\Users\user\AppData\Local\Temp\catchme.sys [X]
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
U3 GrooveAuditService; no ImagePath
U3 GrooveInstallerService; no ImagePath
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 vtany; \??\C:\Windows\vtany.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\Razer\Razer Game Booster\Driver\WinRing0.sys [X]
S3 XDva409; \??\C:\Windows\system32\XDva409.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{00020906-0000-4b30-A977-D214852036FF}\localserver32 -> "C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\wps.exe" => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32 ->  => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\localserver32 -> C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\wps.exe /Automation => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{00024512-0000-0000-C000-000000000046}\InprocServer32 -> C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\refedit.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.27.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.23.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\localserver32 -> C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\wpp.exe /Automation => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\localserver32 -> "C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\wpp.exe" => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\localserver32 -> C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\et.exe /Automation => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\localserver32 -> "C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\et.exe" => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32 ->  => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\localserver32 -> C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\et.exe /Automation => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{4D4E0078-1386-4536-BD05-3E1013F17116}\InprocServer32 -> C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\oledefaulthandler.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.30.3\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.31.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{67F4D210-BFC2-4ADD-9A2A-C9B9E1F42C4F}\InprocServer32 -> C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\qingshellext.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.29.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.24.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32 ->  => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.26.9\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.22.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-1380142817-1622158828-245997027-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.24.7\psuser.dll => No File
Task: {7AD2F3C1-4E18-4B9D-8054-DD2149E1C26D} - \{0A040D47-7D04-087F-7D11-0C080D0D1109} -> No File <==== ATTENTION

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

#3 Lorbster

Lorbster
  • Topic Starter

  • Members
  • 4 posts

Posted 20 December 2016 - 10:41 PM

Ping seems to have dropped from a 120 average to 70-60, so there is a start. Thanks for the help so far.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 December 2016 - 08:55 AM

--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#5 Lorbster

Lorbster
  • Topic Starter

  • Members
  • 4 posts

Posted 21 December 2016 - 11:13 PM

RogueKiller V12.8.6.0 [Dec 19 2016] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : user [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 12/21/2016 19:35:22 (Duration : 00:26:25)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 39 ¤¤¤
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{075A24FD-4418-4841-9C3A-55CD5FFDE375} (C:\ProgramData\NexonUS\NGM\nxgameus.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{795602D7-7885-4E92-91DF-778E89D29F50} (C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\office6\addons\datamastershellext\datamastershellext.dll) -> Found
[Suspicious.Path] HKEY_CLASSES_ROOT\CLSID\{9E21141C-E51F-4fc1-949E-757AF5EFF420} (C:\ProgramData\NexonUS\NGM\nxgameus.dll) -> Found
[PUP] HKEY_LOCAL_MACHINE\Software\Baidu -> Found
[PUP] HKEY_LOCAL_MACHINE\Software\Tencent -> Found
[PUP] HKEY_USERS\S-1-5-21-1380142817-1622158828-245997027-1000\Software\Baidu -> Found
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://api.youqian.baidu.com/v1/nav?soft=12&uid=50123297&guid=258521103f1a9d04d38470076dc16d28&vd=1328247658  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7B65AB1D-54D4-4F12-AC3C-182DCEFA4F0F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3DB77EF6-6D2E-4113-9DB2-4E8F4788C1C9} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {808CE493-74F2-4B93-8307-96AD57B55E04} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\TERA-Launcher.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CA610037-FA04-4BDF-B4C0-2CA859802E5E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\TERA-Launcher.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A78F309E-C7D7-4626-995B-B3749B28F86C} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\Client\TL.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5D5FD528-C619-4050-8C7B-A6D5FD6A9B34} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\Client\TL.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0E77C8B8-B399-4695-8475-15E588852095} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\Client\Binaries\TERA.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {65AC8892-1028-40F3-8864-A9830BA903D3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\Client\Binaries\TERA.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6F2FB116-8618-48F9-BA1A-DB168AA83A09} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Turbine\DDO Unlimited\dndclient.exe|Name=Dungeons and Dragons Online| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AE9DD111-CF41-4A6E-B996-18D64B461A60} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Turbine\DDO Unlimited\dndclient.exe|Name=Dungeons and Dragons Online| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {83928C68-0828-4107-B145-6591A0F82E96} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Turbine\DDO Unlimited\TurbineLauncher.exe|Name=Dungeons and Dragons Online| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6DAE98C8-7312-4DBC-BE1B-D0C7619AE560} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Turbine\DDO Unlimited\TurbineLauncher.exe|Name=Dungeons and Dragons Online| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2759382D-36F8-4926-ACD5-7270485AC91A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {38ED78BF-B9A6-4BCE-AB4D-4534D1E7B69A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0E9DE39A-C772-4592-8F3B-9E54C667F889} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Nexon\Library\vindictus\appdata\en-US\NMService.exe|Name=Nexon Messenger Core| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {13D482D6-D1D3-47DB-8256-5D0D48E9A9A8} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Nexon\Library\vindictus\appdata\en-US\NMService.exe|Name=Nexon Messenger Core| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7B65AB1D-54D4-4F12-AC3C-182DCEFA4F0F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3DB77EF6-6D2E-4113-9DB2-4E8F4788C1C9} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {808CE493-74F2-4B93-8307-96AD57B55E04} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\TERA-Launcher.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CA610037-FA04-4BDF-B4C0-2CA859802E5E} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\TERA-Launcher.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A78F309E-C7D7-4626-995B-B3749B28F86C} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\Client\TL.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5D5FD528-C619-4050-8C7B-A6D5FD6A9B34} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\Client\TL.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0E77C8B8-B399-4695-8475-15E588852095} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\Client\Binaries\TERA.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {65AC8892-1028-40F3-8864-A9830BA903D3} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\HappyCloud\Cache\TERA\Client\Binaries\TERA.exe|Name=TERA| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6F2FB116-8618-48F9-BA1A-DB168AA83A09} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Turbine\DDO Unlimited\dndclient.exe|Name=Dungeons and Dragons Online| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AE9DD111-CF41-4A6E-B996-18D64B461A60} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Turbine\DDO Unlimited\dndclient.exe|Name=Dungeons and Dragons Online| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {83928C68-0828-4107-B145-6591A0F82E96} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Turbine\DDO Unlimited\TurbineLauncher.exe|Name=Dungeons and Dragons Online| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6DAE98C8-7312-4DBC-BE1B-D0C7619AE560} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Turbine\DDO Unlimited\TurbineLauncher.exe|Name=Dungeons and Dragons Online| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2759382D-36F8-4926-ACD5-7270485AC91A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {38ED78BF-B9A6-4BCE-AB4D-4534D1E7B69A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\ProgramData\NexonUS\NGM\NGM.exe|Name=Nexon Game Manager| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {0E9DE39A-C772-4592-8F3B-9E54C667F889} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Nexon\Library\vindictus\appdata\en-US\NMService.exe|Name=Nexon Messenger Core| [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {13D482D6-D1D3-47DB-8256-5D0D48E9A9A8} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Nexon\Library\vindictus\appdata\en-US\NMService.exe|Name=Nexon Messenger Core| [x] -> Found
 
¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] \WpsExternal_user_20160206001107 -- C:\Users\user\AppData\Local\Kingsoft\WPS Office\ksolaunch.exe (/wpscloudlaunch /run_plugin /plugin_name=ktaskschdtool /plugin_entry=ktaskschdtool.dll /task=wpsexternal /launchtask /ver=1.0) -> Found
[Suspicious.Path] \WpsNotifyTask_user -- C:\Users\user\AppData\Local\Kingsoft\WPS Office\10.1.0.5458\wtoolex\wpsnotify.exe (-from=task) -> Found
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://www.facebook.com/] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.facebook.com/|http://www.reddit.com/] -> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HDS728080PLA380              40Y9028LEN ATA Device +++++
--- User ---
[MBR] 6b20ac843e846d70399df9603c530a83
[BSP] 9ee25bd1fff6c7188e4cccd17109ba6f : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 76222 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

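As an added example that is not part of this thread or of the RogueKiller tool, a small triage script for the report format posted above: it parses the "¤¤¤ Section : N ¤¤¤" headers and the "[Category] item -> Found" lines, tallies findings per section and category, pulls out inbound Allow firewall rules whose program sits in a user-writable directory, and lists the URLs from PUM.HomePage entries. The embedded report is a constructed excerpt mirroring lines from the log above; the function names and the user-writable path list are this example's own choices.

```python
"""Triage helper for a RogueKiller text report (constructed example)."""
import re
from collections import Counter, defaultdict

# "¤¤¤ Registry : 39 ¤¤¤", "¤¤¤ MBR Check : ¤¤¤", "¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤"
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>.+?)\s*:\s*(?P<count>\d+)?.*¤¤¤\s*$")
# "[Suspicious.Path] <detail> -> Found"; a second bracket such as [Chrome:Config] stays in detail
FINDING_RE = re.compile(r"^\[(?P<cat>[^\]]+)\](?P<rest>.*?)\s*->\s*Found\s*$")
URL_RE = re.compile(r"https?://[^\s\]|]+")

# Constructed excerpt that mirrors the report posted in this thread.
SAMPLE_REPORT = """\
¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[Suspicious.Path] HKEY_CLASSES_ROOT\\CLSID\\{075A24FD-4418-4841-9C3A-55CD5FFDE375} (C:\\ProgramData\\NexonUS\\NGM\\nxgameus.dll) -> Found
[PUP] HKEY_LOCAL_MACHINE\\Software\\Baidu -> Found
[PUM.HomePage] HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main | Start Page : http://api.youqian.baidu.com/v1/nav?soft=12 -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules | {7B65AB1D-54D4-4F12-AC3C-182DCEFA4F0F} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\\ProgramData\\NexonUS\\NGM\\NGM.exe|Name=Nexon Game Manager| [x] -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \\WpsNotifyTask_user -- C:\\Users\\user\\AppData\\Local\\Kingsoft\\WPS Office\\10.1.0.5458\\wtoolex\\wpsnotify.exe (-from=task) -> Found

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://www.facebook.com/] -> Found
"""

# Directories any user can write to; a firewall exception for a binary there
# deserves a second look even when the rule name says it is a game (assumption of this example).
USER_WRITABLE = ("\\ProgramData\\", "\\AppData\\", "\\Temp\\")
FIREWALL_KEY = "FirewallPolicy\\FirewallRules"


def parse_report(text):
    """Return {section: [(category, detail), ...]} for every '-> Found' line."""
    findings = defaultdict(list)
    section = "(none)"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = FINDING_RE.match(line)
        if m:
            findings[section].append((m.group("cat"), m.group("rest").strip()))
    return dict(findings)


def tally(findings):
    """Count findings per (section, category) pair."""
    return Counter((sec, cat) for sec, items in findings.items() for cat, _ in items)


def firewall_allow_rules(findings):
    """Inbound Allow rules from the Registry section whose App path is user-writable."""
    hits = []
    for _cat, detail in findings.get("Registry", []):
        if FIREWALL_KEY not in detail:
            continue
        # Rule value is "v2.10|Action=Allow|Dir=In|...|App=<path>|Name=<name>|"
        fields = dict(f.split("=", 1) for f in detail.split("|") if "=" in f)
        app = fields.get("App", "")
        if fields.get("Action") == "Allow" and fields.get("Dir") == "In" \
                and any(p in app for p in USER_WRITABLE):
            hits.append((fields.get("Name", "?"), app, fields.get("Protocol")))
    return hits


def hijacked_homepages(findings):
    """URLs named in PUM.HomePage entries, in report order."""
    urls = []
    for items in findings.values():
        for cat, detail in items:
            if cat.startswith("PUM.HomePage"):
                urls.extend(URL_RE.findall(detail))
    return urls


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for (sec, cat), n in sorted(tally(found).items()):
        print(f"{sec:14} {cat:18} {n}")
    for name, app, proto in firewall_allow_rules(found):
        print("inbound allow:", name, app, "protocol", proto)
    print("homepages:", hijacked_homepages(found))
```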

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 December 2016 - 08:43 AM

Run the RogueKiller tool and delete/clean everything.

If the entries are needed they will be recreated.

Post the log and let me know if the problem persists.
