RogueKiller Log


  • This topic is locked
7 replies to this topic

#1 drwbns
  • Members
  • 4 posts

Posted 02 April 2017 - 08:50 PM

Thanks for any help. I had a popup virus that I removed but I want to be sure my system is clean.

 

RogueKiller V12.10.2.0 (x64) [Mar 27 2017] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Andrew [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/02/2017 16:30:33 (Duration : 01:43:47)
 
¤¤¤ Processes : 5 ¤¤¤
[Proc.Svchost] svchost.exe(4812) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Svchost] svchost.exe(2932) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Svchost] svchost.exe(4408) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Svchost] svchost.exe(8280) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] nl2f23tl.exe(10612) -- C:\Users\Andrew\Downloads\nl2f23tl.exe[-] -> Found
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[Adw.DNSUnlocker][File] C:\Users\Andrew\AppData\Local\NPE\Info20170402120325.xml -> Found
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤


#2 nasdaq
  • Malware Response Team
  • 39,955 posts
  • Location: Montreal, QC. Canada

Posted 03 April 2017 - 08:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Run the RogueKiller tool and fix these 2 entries.

[Proc.Injected] nl2f23tl.exe(10612) -- C:\Users\Andrew\Downloads\nl2f23tl.exe[-] -> Found
[Adw.DNSUnlocker][File] C:\Users\Andrew\AppData\Local\NPE\Info20170402120325.xml -> Found


As for svchost.exe I need more information before suggesting anything.

===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

p.s.
Let me know what problems you are presently having with this computer.
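As an added illustration of the distinction drawn in the reply above (two entries to fix now, the svchost.exe entries held back pending more information), the following Python parses the Processes and Files sections of the RogueKiller log from the first post and ranks the entries by where the file lives. This is example code written for this page, not part of RogueKiller or of the thread; the location classes and the reasons it attaches are its own heuristic. As the thread goes on to show (the Downloads executable turned out to be GMER, the XML belonged to Norton Power Eraser), a path heuristic only orders what to look at first; it does not decide what is malicious, and the two flagged items still need a hash or signature check.

```python
"""Triage RogueKiller 'Processes' and 'Files' entries by location.

Added example for this page; not RogueKiller's own code. The sample lines are
copied from the log in the first post. The location classes below are this
example's heuristic, not a RogueKiller verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: lines copied from the RogueKiller log above.
ROGUEKILLER_LOG = r"""
¤¤¤ Processes : 5 ¤¤¤
[Proc.Svchost] svchost.exe(4812) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Svchost] svchost.exe(2932) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Svchost] svchost.exe(4408) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Svchost] svchost.exe(8280) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] nl2f23tl.exe(10612) -- C:\Users\Andrew\Downloads\nl2f23tl.exe[-] -> Found

¤¤¤ Files : 1 ¤¤¤
[Adw.DNSUnlocker][File] C:\Users\Andrew\AppData\Local\NPE\Info20170402120325.xml -> Found
"""

# [Category] image(pid) -- path[tag] -> status
PROC_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] (?P<image>\S+)\((?P<pid>\d+)\) -- "
    r"(?P<path>.+?)\[(?P<tag>[^\]]*)\] -> (?P<status>\w+)$"
)
# [Category][File] path -> status
FILE_RE = re.compile(r"^\[(?P<category>[^\]]+)\]\[File\] (?P<path>.+?) -> (?P<status>\w+)$")

# Heuristic: where a file lives says who could have put it there.
# Most specific prefix first; comparison is case-insensitive.
LOCATION_RULES = [
    ("user-writable", "c:\\users\\"),
    ("user-writable", "c:\\programdata\\"),
    ("user-writable", "c:\\windows\\temp\\"),
    ("system", "c:\\windows\\system32\\"),
    ("system", "c:\\windows\\"),
    ("program-files", "c:\\program files (x86)\\"),
    ("program-files", "c:\\program files\\"),
]


@dataclass
class Finding:
    kind: str                   # "process" or "file"
    category: str               # RogueKiller's tag, e.g. Proc.Injected
    path: str
    location: str               # heuristic class from LOCATION_RULES
    pid: Optional[int] = None
    tag: str = ""               # the bracketed suffix RogueKiller prints after the path
    reasons: List[str] = field(default_factory=list)


def classify_location(path: str) -> str:
    low = path.lower()
    for label, prefix in LOCATION_RULES:
        if low.startswith(prefix):
            return label
    return "other"


def parse_log(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            findings.append(Finding("process", m["category"], m["path"],
                                    classify_location(m["path"]),
                                    pid=int(m["pid"]), tag=m["tag"]))
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append(Finding("file", m["category"], m["path"],
                                    classify_location(m["path"])))
    return findings


def triage(findings: List[Finding]) -> List[Finding]:
    """Attach a reason to every finding worth a second look; the rest keep an empty list."""
    for f in findings:
        if f.location == "user-writable":
            f.reasons.append("lives in a user-writable location")
        if f.kind == "process" and f.category.lower() == "proc.injected":
            f.reasons.append("RogueKiller reports the process as injected")
        # svchost.exe in System32 is the normal host for service DLLs; the
        # [Proc.Svchost] entries above get no reason on their own.
    return findings


def needs_attention(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in needs_attention(triage(parse_log(ROGUEKILLER_LOG))):
        print(f"{f.category:<18} {f.path}  <- {'; '.join(f.reasons)}")
```

Run as a script it prints exactly the two entries the reply asks to fix, each with the reason it was singled out, and nothing for the four svchost.exe instances.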

#3 drwbns
  • Topic Starter
  • Members
  • 4 posts

Posted 03 April 2017 - 02:19 PM

[Proc.Injected] nl2f23tl.exe(10612) -- C:\Users\Andrew\Downloads\nl2f23tl.exe[-] -> Found
[Adw.DNSUnlocker][File] C:\Users\Andrew\AppData\Local\NPE\Info20170402120325.xml -> Found

 

I realized after I posted that the first one is GMER and the second entry is part of Norton Power Eraser. I think they are just false alarms. Here are the FRST logs.

 

 

Attached Files



#4 nasdaq
  • Malware Response Team
  • 39,955 posts
  • Location: Montreal, QC. Canada

Posted 04 April 2017 - 07:26 AM

I see traces of Bitdefender in your logs. Did you install anything for them in February?

If not add these lines in bold to the Fixlist.txt file before saving it.
R3 gzflt; C:\windows\System32\DRIVERS\gzflt.sys [178384 2017-02-08] (BitDefender LLC)
S3 Trufos; C:\windows\System32\DRIVERS\Trufos.sys [442848 2017-02-08] (BitDefender S.R.L.)
C:\windows\System32\DRIVERS\gzflt.sys
C:\windows\System32\DRIVERS\Trufos.sys


No malware was found. Run this fix to clean invalid items.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-02]
CHR Extension: (Chrome Media Router) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-02]
S3 VSStandardCollectorService140; "C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\StandardCollector.Service.exe" [X]
CustomCLSID: HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2017\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-C049A3632EA7}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
CustomCLSID: HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{8C23B656-4E6E-4B45-9920-9617168D39A3}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2017\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{E5B0515D-48D2-4F04-906D-0192ED65A2DD}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2017\Inventor Server\Bin\TestServer.dll => No File
Task: {6D124FEE-9CEB-43EB-86AD-F2CC30C86078} - \WPD\SqmUpload_S-1-5-21-21190151-3884468490-1477696220-1001 -> No File <==== ATTENTION


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

#5 drwbns
  • Topic Starter
  • Members
  • 4 posts

Posted 04 April 2017 - 02:28 PM

RogueKiller is reporting some detections but I'm not sure if they are false alarms. I don't remember installing Bitdefender; I perhaps did, but it doesn't ring a bell. Here are the logs. Everything seems OK so far. I ran another FRST and am also attaching the new logs from that scan. Is it normal that FRST runs a bcdedit command through a temp batch file, as well as a second batch file with some Chinese text? The bcdedit command is:

bcdedit /enum {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9} >"C:\Users\Andrew\AppData\Local\Temp\bcd" 2> 1 

The Chinese text is:

换敤楤⁴支畮摻晥畡瑬⁽∾㩃啜敳獲䅜摮敲屷灁䑰瑡屡潌慣屬敔灭扜摣•㸲㄀ 

The Chinese text translates to "For the purpose of being used for the purpose of the use of the product." Probably not the best Google translation. FRST is also running mod_frst.exe. Comodo is catching it and asking me what to do. I think by a Comodo timeout, the FRST commands were blocked.

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Andrew (04-04-2017 11:15:22) Run:2
Running from C:\Users\Andrew\Downloads
Loaded Profiles: Andrew (Available Profiles: Andrew)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-02]
CHR Extension: (Chrome Media Router) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-02]
S3 VSStandardCollectorService140; "C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\StandardCollector.Service.exe" [X]
CustomCLSID: HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2017\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-C049A3632EA7}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
CustomCLSID: HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{8C23B656-4E6E-4B45-9920-9617168D39A3}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2017\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{E5B0515D-48D2-4F04-906D-0192ED65A2DD}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2017\Inventor Server\Bin\TestServer.dll => No File
Task: {6D124FEE-9CEB-43EB-86AD-F2CC30C86078} - \WPD\SqmUpload_S-1-5-21-21190151-3884468490-1477696220-1001 -> No File <==== ATTENTION
R3 gzflt; C:\windows\System32\DRIVERS\gzflt.sys [178384 2017-02-08] (BitDefender LLC)
S3 Trufos; C:\windows\System32\DRIVERS\Trufos.sys [442848 2017-02-08] (BitDefender S.R.L.)
C:\windows\System32\DRIVERS\gzflt.sys
C:\windows\System32\DRIVERS\Trufos.sys

End
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key removed successfully
C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\VSStandardCollectorService140 => key removed successfully
VSStandardCollectorService140 => service removed successfully
HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741} => key removed successfully
HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-C049A3632EA7} => key removed successfully
HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{8C23B656-4E6E-4B45-9920-9617168D39A3} => key removed successfully
HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{E5B0515D-48D2-4F04-906D-0192ED65A2DD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6D124FEE-9CEB-43EB-86AD-F2CC30C86078} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6D124FEE-9CEB-43EB-86AD-F2CC30C86078} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-21190151-3884468490-1477696220-1001 => key removed successfully
gzflt => Unable to stop service.
HKLM\System\CurrentControlSet\Services\gzflt => key removed successfully
gzflt => service removed successfully
HKLM\System\CurrentControlSet\Services\Trufos => key removed successfully
Trufos => service removed successfully
C:\windows\System32\DRIVERS\gzflt.sys => moved successfully
C:\windows\System32\DRIVERS\Trufos.sys => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 2775414 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 74261399 B
Java, Flash, Steam htmlcache => 132231604 B
Windows/system/drivers => 66838058 B
Edge => 9022 B
Chrome => 447623749 B
Firefox => 229376 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 491312 B
LocalService => 0 B
NetworkService => 0 B
Andrew => 445606649 B

RecycleBin => 0 B
EmptyTemp: => 1.1 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:16:00 ====

Attached Files


Edited by drwbns, 04 April 2017 - 10:39 PM.
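Two lines in the Fixlog above are easy to miss among the "successfully" lines: `Error: (0) Failed to create a restore point.`, after which FRST carried on removing services and driver files with no restore point behind it, and `gzflt => Unable to stop service.`, after which the same driver's service key was removed and its file moved anyway (hence the reboot). The following Python is an example added for this page, not part of FRST or of the thread: it reads an abridged copy of that Fixlog, pairs every fixlist directive with the result lines that name the same object, and lists the errors separately so that a failed restore point or a driver that would not stop is reported next to the directive it belongs to. The rules for picking a lookup key per directive are this example's own reading of the log format shown above, not an FRST specification.

```python
"""Cross-check an FRST Fixlog: did every fixlist directive produce a result?

Added example for this page, not FRST's code. FIXLOG is abridged from the
Fixlog pasted above (a subset of directives and their result lines). The
rules for extracting a lookup key per directive are this example's own.
"""
import re
from typing import Dict, List, Tuple

FIXLOG = r"""fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR Extension: (Chrome Media Router) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-02]
S3 VSStandardCollectorService140; "C:\Program Files (x86)\Microsoft Visual Studio 14.0\Team Tools\DiagnosticsHub\Collector\StandardCollector.Service.exe" [X]
CustomCLSID: HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2017\Inventor Server\Bin\TestServer.dll => No File
Task: {6D124FEE-9CEB-43EB-86AD-F2CC30C86078} - \WPD\SqmUpload_S-1-5-21-21190151-3884468490-1477696220-1001 -> No File <==== ATTENTION
R3 gzflt; C:\windows\System32\DRIVERS\gzflt.sys [178384 2017-02-08] (BitDefender LLC)
C:\windows\System32\DRIVERS\gzflt.sys

End
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key removed successfully
C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\VSStandardCollectorService140 => key removed successfully
VSStandardCollectorService140 => service removed successfully
HKU\S-1-5-21-21190151-3884468490-1477696220-1001_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6D124FEE-9CEB-43EB-86AD-F2CC30C86078} => key removed successfully
gzflt => Unable to stop service.
HKLM\System\CurrentControlSet\Services\gzflt => key removed successfully
gzflt => service removed successfully
C:\windows\System32\DRIVERS\gzflt.sys => moved successfully

=========== EmptyTemp: ==========
EmptyTemp: => 1.1 GB temporary data Removed.
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Directives FRST does not echo by name; the phrase its result line carries instead.
SPECIAL = {
    "CreateRestorePoint": "restore point",
    "CloseProcesses": "processes closed",
    "EmptyTemp": "emptytemp:",
}


def split_fixlog(text: str) -> Tuple[List[str], List[str]]:
    """Directives sit between 'Start' and 'End'; results follow the second asterisk rule."""
    _, _, after_start = text.partition("Start\n")
    directive_block, _, _ = after_start.partition("\nEnd")
    result_block = text.rsplit("*****************", 1)[1]
    directives = [d.strip() for d in directive_block.splitlines() if d.strip()]
    results = [r.strip() for r in result_block.splitlines() if r.strip()]
    return directives, results


def directive_key(d: str) -> str:
    """The token FRST repeats in the result line for this directive."""
    if d.endswith(":"):                                   # CreateRestorePoint: etc.
        return d[:-1]
    m = GUID_RE.search(d)                                 # CustomCLSID:, Task:
    if m:
        return m.group(0)
    m = re.match(r"^[RS]\d+ (?P<svc>[^;]+);", d)          # service / driver entries
    if m:
        return m["svc"]
    m = re.match(r"^CHR Extension: \(.*?\) - (?P<path>.+?) \[", d)
    if m:
        return m["path"]
    m = re.match(r"^Winlogon\\Notify\\(?P<name>[^-:]+)", d)
    if m:
        return m["name"]
    return d                                              # bare file path


def is_error(line: str) -> bool:
    low = line.lower()
    return line.startswith("Error:") or "unable to" in low or "failed" in low


def check_fix(text: str) -> Tuple[Dict[str, dict], List[str]]:
    directives, results = split_fixlog(text)
    errors = [r for r in results if is_error(r)]
    report = {}
    for d in directives:
        key = directive_key(d)
        needle = SPECIAL.get(key, key).lower()
        hits = [r for r in results if needle in r.lower()]
        good = [h for h in hits if "successfully" in h.lower() or "removed." in h.lower()]
        bad = [h for h in hits if is_error(h)]
        if good and bad:
            status = "ok-with-warnings"   # e.g. driver would not stop, but was removed
        elif good:
            status = "ok"
        elif bad:
            status = "failed"
        else:
            status = "no-evidence"         # FRST printed nothing naming this object
        report[d] = {"key": key, "status": status, "evidence": hits}
    return report, errors


if __name__ == "__main__":
    rep, errs = check_fix(FIXLOG)
    for d, info in rep.items():
        print(f"{info['status']:<17} {d[:70]}")
    print("\nErrors reported by FRST:")
    for e in errs:
        print("  " + e)
```

On the Fixlog above this reports `CreateRestorePoint:` as failed, the gzflt driver entry as ok-with-warnings, and everything else as ok, with the two error lines listed at the end.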


#6 nasdaq
  • Malware Response Team
  • 39,955 posts
  • Location: Montreal, QC. Canada

Posted 05 April 2017 - 07:18 AM



Quote (drwbns): FRST is also running mod_frst.exe. Comodo is catching it and asking me what to do. I think by a Comodo timeout, the FRST commands were blocked.

mod_frst.exe is part of the Farbar tool.

What I suggest is that you remove everything associated with it.

Download Delfix from this site.
https://www.bleepingcomputer.com/download/delfix/

DelFix is a tool developed by Xplode, the makers of AdwCleaner, which can remove all portable virus cleaning and disinfection tools you’ve ever used. It will also reset the restore points of your computer systems making it even safer.

The program makes some other adjustments to your PC too which include:

Activate UAC: It activates the user account control after cleaning the log files and the unnecessary clutter in your PC.
Remove disinfection tools: Removes the tools you've ever used to disinfect your PC.
Create registry backup: The program creates a registry backup and stores it under %windir%\ERUNT\DelFix.
Purge system restore: Deletes all your older restore points and creates a fresh one.
Reset system settings: It resets the system settings after the removal process is completed.


Just download the program and run it on your computer system.
There is a default check-mark on the feature 'Remove disinfection tools' and you need to check the other features manually before running the program, should you wish to.
Wait for a few minutes and your computer system will be free of all unnecessary files.

===

Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Let me know what problem persists.
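On the batch-file question raised in reply #5 and answered above: the "Chinese text" is not Chinese. The following Python is an example added for this page (not FRST's code and not part of the thread). It takes the string exactly as posted, minus its trailing space, and re-reads it as what it is: an ASCII batch line that a viewer opened as UTF-16LE, so every pair of ASCII bytes became one 16-bit code unit that happens to land in the CJK blocks. Reversing that gives back a bcdedit line of the same shape drwbns quoted, with `{default}` in place of the GUID. Two things in the block are this example's own assumptions rather than facts from the page: the missing `m ` from `/enum ` is read as the byte pair `6D 20` having become U+206D, an invisible format character that did not survive the copy and paste, and the detector function is a cheap heuristic, not a general encoding sniffer.

```python
"""Undo a UTF-16LE mis-read of an ASCII file (the "Chinese text" above).

Added example for this page; not FRST's code. MOJIBAKE is the string posted
in reply #5 without its trailing space. The interpretation (ASCII bytes shown
as UTF-16LE code units) and the helper functions are this example's own.
"""

MOJIBAKE = "换敤楤⁴支畮摻晥畡瑬⁽∾㩃啜敳獲䅜摮敲屷灁䑰瑡屡潌慣屬敔灭扜摣•㸲㄀"


def utf16_misread_to_text(text: str) -> str:
    """Emit each code unit as its two little-endian bytes and read those bytes
    as single-byte text. latin-1 cannot fail, so leftovers such as a stray NUL
    stay visible for inspection instead of raising."""
    return text.encode("utf-16-le").decode("latin-1")


def text_to_utf16_misread(text: str) -> str:
    """The forward direction: what an ASCII file looks like to a viewer that
    insists it is UTF-16LE. An odd trailing byte is padded with NUL so it
    still forms a code unit."""
    raw = text.encode("ascii")
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def looks_like_utf16_misread(text: str) -> bool:
    """Cheap heuristic (this example's own): the text contains non-ASCII code
    units, yet both bytes of every unit are printable ASCII or whitespace/NUL.
    Real CJK text fails quickly because a byte >= 0x80 turns up."""
    if not any(ord(c) > 0x7F for c in text):
        return False
    raw = text.encode("utf-16-le")
    return all(0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D) for b in raw)


if __name__ == "__main__":
    print(looks_like_utf16_misread(MOJIBAKE))
    print(repr(utf16_misread_to_text(MOJIBAKE)))
    # starts with: bcdedit /enu{default} >"C:\Users\Andrew\AppData\Local\Temp\bcd" 2>
    # "m " is absent: the pair 6D 20 is U+206D, an invisible format character
    # (assumption: it was dropped in the paste). The full line, for comparison:
    line = 'bcdedit /enum {default} >"C:\\Users\\Andrew\\AppData\\Local\\Temp\\bcd" 2>1'
    print(repr(text_to_utf16_misread(line)))
```

The same trick works on any two-byte mojibake: if a "foreign" string decodes to readable ASCII when its code units are written back as bytes, the file was never in that language, it was opened with the wrong encoding.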

#7 drwbns
  • Topic Starter
  • Members
  • 4 posts

Posted 05 April 2017 - 09:46 AM

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/5/17
Scan Time: 7:16 AM
Logfile: 
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.96
Update Package Version: 1.0.1666
License: Free

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: PC\Andrew

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 451765
Time Elapsed: 22 min, 21 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER4.EXE, No Action By User, [1686], [340933],1.0.1666

Module: 5
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\EXECUTIONGUARD.DLL, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\DEFMAN.DLL, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER4.EXE, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\COMMON.DLL, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SHSCANNER.DLL, No Action By User, [1686], [340933],1.0.1666

Registry Key: 9
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SpyHunter 4 Service, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\esgiguard, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.WiperSoft, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{AB1C8C91-4D8E-4C28-80E7-FD135FB90515}}_is1, No Action By User, [2227], [340923],1.0.1666
PUP.Optional.SpyHunter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SpyHunter, No Action By User, [1686], [345850],1.0.1666
PUP.Optional.SpyHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1FA308C1-D208-4295-9F32-046BA95ACB61}, No Action By User, [1686], [332366],1.0.1666
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGSCANNER, No Action By User, [1686], [331708],1.0.1666
PUP.Optional.SpyHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SpyHunter4Startup, No Action By User, [1686], [331711],1.0.1666
PUP.Optional.SpyHunter, HKLM\SOFTWARE\ENIGMASOFTWAREGROUP\SpyHunter, No Action By User, [1686], [331803],1.0.1666
PUP.Optional.WiperSoft, HKU\S-1-5-21-21190151-3884468490-1477696220-1001\SOFTWARE\WiperSoft, No Action By User, [2227], [340919],1.0.1666

Registry Value: 3
PUP.Optional.SpyHunter, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1FA308C1-D208-4295-9F32-046BA95ACB61}|PATH, No Action By User, [1686], [332366],1.0.1666
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGSCANNER|IMAGEPATH, No Action By User, [1686], [331708],1.0.1666
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGIGUARD|IMAGEPATH, No Action By User, [1686], [331706],1.0.1666

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 10
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Downloads, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Data, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\defs, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\mon, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\USERS\ANDREW\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPYHUNTER, No Action By User, [1686], [331712],1.0.1666
PUP.Optional.WiperSoft, C:\USERS\ANDREW\APPDATA\ROAMING\WIPERSOFT, No Action By User, [2227], [340918],1.0.1666
PUP.Optional.WiperSoft, C:\PROGRAM FILES\WIPERSOFT, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\WIPERSOFT, No Action By User, [2227], [340917],1.0.1666

File: 89
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\EXECUTIONGUARD.DLL, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\DEFMAN.DLL, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SPYHUNTER4.EXE, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\COMMON.DLL, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SHSCANNER.DLL, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\SPYHUNTER\SH4SERVICE.EXE, No Action By User, [1686], [340933],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Data\dns.dat, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Data\proxy.dat, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\defs\2017040401.def, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\defs\cmp_2017040301.def, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20170402_085152.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20170402_103805.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20170402_105642.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20170402_114340.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20170402_120454.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20170402_144211.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20170402_195122.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20170402_200657.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20170404_111714.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\mon\autoexec.bat.bk, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\mon\hosts.bk, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\mon\system.ini.bk, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\mon\win.ini.bk, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\German.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Romanian.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Brazilian.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Chinese(Simplified).lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Chinese(Traditional).lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\cos.dat, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Croatian.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Czech.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Danish.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Dutch.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\English.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\EsgScanner.inf, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\EsgScanner.sys, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Finnish.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\French.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\gas.dat, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\gil.dat, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Greek.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Indonesian.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Italian.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Japanese.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\license.txt, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Lithuanian.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\native.exe, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Norwegian.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Polish.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Portuguese.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\purl.dat, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Russian.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\scanlog.log, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Slovene.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Spanish.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.com, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\supportlog.txt, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Swedish.lng, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\unkcache.dat, No Action By User, [1686], [331702],1.0.1666
PUP.Optional.SpyHunter, C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter\SpyHunter Emergency Startup.lnk, No Action By User, [1686], [331712],1.0.1666
PUP.Optional.SpyHunter, C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter\SpyHunter.lnk, No Action By User, [1686], [331712],1.0.1666
PUP.Optional.SpyHunter, C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter\Uninstall.lnk, No Action By User, [1686], [331712],1.0.1666
PUP.Optional.SpyHunter, C:\USERS\ANDREW\DESKTOP\SPYHUNTER.LNK, No Action By User, [1686], [331703],1.0.1666
PUP.Optional.WiperSoft, C:\PROGRAM FILES\WIPERSOFT\WIPERSOFT-INST.EXE, No Action By User, [2227], [340923],1.0.1666
PUP.Optional.SpyHunter, C:\USERS\ANDREW\APPDATA\ROAMING\ENIGMA SOFTWARE GROUP\SH_INSTALLER.EXE, No Action By User, [1686], [345850],1.0.1666
PUP.Optional.WiperSoft, C:\PROGRAM FILES\WIPERSOFT\WIPERSOFT.EXE, No Action By User, [2227], [340923],1.0.1666
PUP.Optional.WiperSoft, C:\USERS\ANDREW\APPDATA\ROAMING\WIPERSOFT\SIGNATURES.DAT, No Action By User, [2227], [340918],1.0.1666
PUP.Optional.WiperSoft, C:\Users\Andrew\AppData\Roaming\WiperSoft\whitelist.dat, No Action By User, [2227], [340918],1.0.1666
PUP.Optional.WiperSoft, C:\Users\Andrew\AppData\Roaming\WiperSoft\wipersoft.dat, No Action By User, [2227], [340918],1.0.1666
PUP.Optional.WiperSoft, C:\Users\Andrew\AppData\Roaming\WiperSoft\wipersoft.eni, No Action By User, [2227], [340918],1.0.1666
PUP.Optional.WiperSoft, C:\Users\Andrew\AppData\Roaming\WiperSoft\WiperSoft.Scan.log, No Action By User, [2227], [340918],1.0.1666
PUP.Optional.WiperSoft, C:\PROGRAM FILES\WIPERSOFT\INSTALL.DAT, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\Program Files\WiperSoft\CrashRpt1403.dll, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\Program Files\WiperSoft\crashrpt_lang.ini, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\Program Files\WiperSoft\CrashSender1403.exe, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\Program Files\WiperSoft\license_en.txt, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\Program Files\WiperSoft\offreg.dll, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\Program Files\WiperSoft\OpenSans-Bold.ttf, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\Program Files\WiperSoft\OpenSans-Light.ttf, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\Program Files\WiperSoft\OpenSans-Regular.ttf, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\Program Files\WiperSoft\OpenSans-Semibold.ttf, No Action By User, [2227], [340915],1.0.1666
PUP.Optional.WiperSoft, C:\USERS\ANDREW\DESKTOP\WIPERSOFT.LNK, No Action By User, [2227], [340921],1.0.1666
PUP.Optional.SpyHunter, C:\USERS\ANDREW\DOWNLOADS\SPYHUNTER-INSTALLER.EXE, No Action By User, [1686], [345850],1.0.1666
PUP.Optional.WiperSoft, C:\USERS\ANDREW\DOWNLOADS\WIPERSOFT-INSTALLER.EXE, No Action By User, [2227], [340923],1.0.1666
PUP.Optional.SpyHunter, C:\WINDOWS\SYSTEM32\DRIVERS\ESGSCANNER.SYS, No Action By User, [1686], [331708],1.0.1666
PUP.Optional.SpyHunter, C:\WINDOWS\SYSTEM32\TASKS\SPYHUNTER4STARTUP, No Action By User, [1686], [331709],1.0.1666
PUP.Optional.WiperSoft, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\WIPERSOFT\WIPERSOFT.LNK, No Action By User, [2227], [340917],1.0.1666
PUP.Optional.WiperSoft, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WiperSoft\WiperSoft Uninstall.lnk, No Action By User, [2227], [340917],1.0.1666

Physical Sector: 0
(No malicious items detected)


(end)

Is it just spyhunter that's causing the svchost alert? Thanks!



#8 nasdaq
  • Malware Response Team
  • 39,955 posts
  • Location: Montreal, QC. Canada

Posted 06 April 2017 - 06:35 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



