kybos, Posted July 24, 2016 (ID:1052421)

I think my wife's PC may be infected. I have an identical computer, which always showed the exact same performance, until recently. The GFX card performance has gone suspiciously down and the latency has gone up. She also installed some free games recently, from sources I have no clue if I can trust.

Probably irrelevant: when I open the Resource Monitor I see the system has a steady outgoing 8k/sec of data, which sits at 50b/sec on my computer instead. The System process also has several connections to changing/strange IPs, whereas my computer only has 3 fixed connections for it.

What I've done: I've run ESET's online scanner, which found "win32/Bundled.Toolbar.Google.D". I haven't tried cleaning it, as per the guide. I've run Malwarebytes, which found nothing. The logs are attached.

Attachments: FRST.txt, Addition.txt
AdvancedSetup (Root Admin), Posted July 25, 2016 (ID:1052696)

Hello @kybos, someone from our Support Team will be in touch with you shortly to assist you. Thank you.
Ried (Staff), Posted July 26, 2016 (ID:1052842)

Hello Kybos and welcome to Malwarebytes forums.

I'm not seeing any malware in the logs, but I am seeing several games that have Firewall access, which means communication can be going on behind the scenes, even when the game is not being played. This is normal for games to have this access; I'm just saying that could be part of what you're seeing.

Of more note are the errors in the Event Viewer section. Open your Addition.txt and scroll to the bottom. You'll see several of this same type of error:

Error: (07/23/2016 06:26:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5
Faulting module name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5
Exception code: 0xc0000005
Fault offset: 0x0000bc30
Faulting process id: 0x81c
Faulting application start time: 0xl2.exe0
Faulting application path: l2.exe1
Faulting module path: l2.exe2
Report Id: l2.exe3
Faulting package full name: l2.exe4
Faulting package-relative application ID: l2.exe5

That l2.exe belongs to one of the games; I can't be certain which one. (That filename is L2.exe, not the numeral 12.exe.) Trying to search that filename, I get mixed results on which game it belongs to. What are the games she most recently installed?
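As an added example (not part of this thread or of FRST), a small Python parser for the Event-log error lines in the format quoted above: it groups EventID 1000 application crashes by program, faulting module and exception code, which is the quickest way to see whether one binary keeps crashing in the same place. The sample lines are constructed in that format; the first and third mirror entries quoted in this thread, the second is invented to show the counting.

```python
import re
from collections import Counter

# Constructed sample in the style of FRST's Addition.txt "Event log errors" section.
# Lines 1 and 3 mirror entries quoted in this thread; line 2 is invented to show grouping.
SAMPLE_LOG = """\
Error: (07/23/2016 06:26:08 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5 Faulting module name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5 Exception code: 0xc0000005 Fault offset: 0x0000bc30 Faulting process id: 0x81c
Error: (07/23/2016 06:41:12 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5 Faulting module name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5 Exception code: 0xc0000005 Fault offset: 0x0000bc30 Faulting process id: 0x9a4
Error: (07/23/2016 08:04:35 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: MazingerZ) Description: Package Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy+CortanaUI was terminated because it took too long to suspend.
"""

# One FRST event line: "Error: (timestamp) (Source: X) (EventID: N) (User: U) Description: ..."
ENTRY_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]+)\) "
    r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\) Description: (?P<desc>.*)$"
)
# The fields of an EventID 1000 (Application Error) description worth triaging.
CRASH_RE = re.compile(
    r"Faulting application name: (?P<app>[^,]+),.*?"
    r"Faulting module name: (?P<mod>[^,]+),.*?"
    r"Exception code: (?P<code>0x[0-9a-fA-F]+)"
)
# NTSTATUS codes seen most often in crash triage (0xc0000005 is the one in the thread).
EXCEPTION_NAMES = {"0xc0000005": "access violation",
                   "0xc0000409": "stack buffer overrun"}

def parse_entries(text):
    """Return one dict per well-formed 'Error:' line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def crash_summary(entries):
    """Count EventID 1000 crashes by (application, faulting module, exception code)."""
    counts = Counter()
    for e in entries:
        if e["eid"] != "1000":
            continue  # e.g. the Immersive-Shell 2484 entry is not a crash
        m = CRASH_RE.search(e["desc"])
        if m:
            counts[(m["app"].strip(), m["mod"].strip(), m["code"].lower())] += 1
    return counts

if __name__ == "__main__":
    for (app, mod, code), n in crash_summary(parse_entries(SAMPLE_LOG)).most_common():
        print(f"{n}x {app} crashed in {mod}: {code} ({EXCEPTION_NAMES.get(code, 'unknown')})")
```

Run it against the real Addition.txt by reading the file into `parse_entries` instead of `SAMPLE_LOG`; a single binary faulting in its own module with the same offset every time points at a broken or modified program rather than at something else on the machine.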
kybos (Author), Posted July 26, 2016 (ID:1052854)

Thanks for the reply. I just looked it up in her drive and that's Lineage 2 (the latest one she installed). From what I could find online, the game is free, but I'm not sure if the copy she downloaded is from an authorized / official source or not. The site is http://www.l2ashenvale.com.ar/.

Another important thing to mention, which I missed in my first post: before posting here I uninstalled uTorrent from her computer. The L2 binaries for that site / server were provided through a torrent, which is the reason she installed that app. I noticed there were a few mentions about it in the notes for posting on this site.

Do you think the PC is virus free? Should I be worried about ESET's scanner finding "win32/Bundled.Toolbar.Google.D"?

Thanks for the help!
Diego
Ried (Staff), Posted July 26, 2016 (ID:1052855)

Hi Diego, and you're most welcome.

The website comes up as a clean site at VirusTotal: https://www.virustotal.com/en/url/31938650546275c01756506b8f4f4c4225af161b1b02aaea6afd8e8694348e4b/analysis/1469543135/

ESET likely flagged an installer that was bundled with the Google toolbar. It's not really a big deal, but it would be more helpful if I knew the file path of what it had detected.

Given that you're unsure of where she went and what else may have come onto the machine, let's use a tool that is designed specifically to target unwanted programs and adware and see if anything turns up.

Please download AdwCleaner from this link http://www.bleepingcomputer.com/download/adwcleaner/dl/125/ and save it to your desktop.
NOTE: DO NOT CLICK any of the Download buttons. Look to the bottom of your browser and select 'Save'.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• When it has finished, click the Logs button and a log will automatically open.
Please attach that log in your reply. You can also find the log file at C:\AdwCleaner\AdwCleaner[Sn].txt ('n' is the scan order number).
kybos (Author), Posted July 26, 2016 (ID:1052940)

Hello again, I'm attaching the log. I couldn't run the ESET scanner because it's showing an error saying it can't update the virus database.

Thanks,
Diego.

Attachment: AdwCleaner[S1].txt
Ried (Staff), Posted July 27, 2016 (ID:1053145)

Hi Diego,

Are you using ESET's online scanner? The reason I ask is because I don't see ESET as being installed on this machine.

You can go ahead and clean up what AdwCleaner has found. Again, nothing serious and certainly nothing that would affect the performance of the machine.

What issues remain?
Ried (Staff), Posted August 3, 2016 (ID:1054426)

Hello kybos, are you still with me?
kybos (Author), Posted August 3, 2016 (ID:1054428)

Yes, sorry. Attaching the files after cleaning with AdwCleaner. I was using ESET's online scanner indeed, but haven't run it ever since. When I try to run it now it's telling me I should run an installer, which I want to avoid unless I'm told to run it.

The initial graphic issue I was seeing was fixed by a Gfx driver upgrade. The only "suspicious" thing I still see is the steady outgoing connection to the network by the system, which is always fixed at 8k/sec, whereas my other computer is around 150 bytes/sec. Not sure if this is something to worry about or not. I'm attaching a screenshot of how it looks.

Attachment: AdwCleaner[S4].txt
kybos (Author), Posted August 3, 2016 (ID:1054432)

Adding some info, which I'm not sure is relevant... MazingerZ is the name of the PC we're evaluating. Most of that seems to be going to itself? Not sure what to make of it.
Ried (Staff), Posted August 5, 2016 (ID:1054782)

This is what I found by searching: http://www.bing.com/search?q=mazingerZ&qs=n&form=QBRE&pq=mazingerz&sc=8-9&sp=-1&sk=&ghc=1&cvid=BE99DCADCC174BC09CBCD0D9EEFC6409

I don't see it installed, but I do see it may be an App??

Error: (07/23/2016 08:04:35 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: MazingerZ)
Description: Package Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy+CortanaUI was terminated because it took too long to suspend.

Error: (07/23/2016 08:04:29 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: MazingerZ)
Description: Package Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy+App was terminated because it took too long to suspend.

Search your machine for MazingerZ and see if anything comes up.
Ried (Staff), Posted August 15, 2016 (ID:1056566)

Hello kybos, were you able to locate MazingerZ on the machine?
Ried (Staff), Posted August 31, 2016 (ID:1059454)

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!