Possible infection

I think my wife's PC may be infected.  I have an identical computer, which always showed the exact same performance, until recently.  The GFX card performance has gone suspiciously down and the latency has gone up.  She also installed some free games recently, from sources I have no clue if I can trust.

Probably irrelevant:

When I open the resource monitor I see the system has a steady outgoing 8k/sec of data, which sits at 50b/sec in my computer instead.  The system process also has several connections to changing/strange IPs whereas my computer only has 3 fixed connections for it.

What I've done:

I've run ESET's online scanner, which found "win32/Bundled.Toolbar.Google.D".  I haven't tried cleaning it, as per the guide.

I've run Malwarebytes, which found nothing.  The logs are attached.

FRST.txt

Addition.txt


  • Staff

Hello Kybos and welcome to Malwarebytes forums.

I'm not seeing any malware in the logs, but I am seeing several games that have Firewall access which means communication can be going on behind the scenes, even when the game is not being played.  This is normal for games to have this access, I'm just saying that could be part of what you're seeing.

Of more note are the errors in the Event Viewer section.  Open your Addition.txt and scroll to the bottom. You'll see several of this same type of error:


Error: (07/23/2016 06:26:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5
Faulting module name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5
Exception code: 0xc0000005
Fault offset: 0x0000bc30
Faulting process id: 0x81c
Faulting application start time: 0xl2.exe0
Faulting application path: l2.exe1
Faulting module path: l2.exe2
Report Id: l2.exe3
Faulting package full name: l2.exe4
Faulting package-relative application ID: l2.exe5


That l2.exe belongs to one of the games, I can't be certain which one. (that filename is L2.exe not the numeral 12.exe)

Trying to search that filename, I get mixed results on which game it belongs to.  What are the games she most recently installed?

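The staff reply above works from the Event Viewer section at the bottom of FRST's Addition.txt, where the same crash shows up over and over. The script below is an added example (not from this thread, and not part of FRST or Malwarebytes) that parses "Error:" entries in that format and counts them by source, event ID and, for EventID 1000 application crashes, by faulting executable and exception code, so a binary that keeps crashing the same way stands out at a glance. The sample log is constructed to match the format quoted above; the timestamps and process ids in it are made up.

```python
"""Triage helper for the Event Viewer section of an FRST Addition.txt.

Added example, not FRST's or Malwarebytes' own code. It groups 'Error:'
entries by (source, event id) and groups EventID 1000 crashes by faulting
executable and NTSTATUS exception code.
"""
import re
from collections import Counter

# Header line of one entry, e.g.
# Error: (07/23/2016 06:26:08 PM) (Source: Application Error) (EventID: 1000) (User: )
HEADER_RE = re.compile(
    r"^Error: \((?P<when>[^)]+)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)$"
)

# Well-known NTSTATUS exception codes reported in EventID 1000 crashes.
EXCEPTION_NAMES = {
    "0xc0000005": "STATUS_ACCESS_VIOLATION",
    "0xc000001d": "STATUS_ILLEGAL_INSTRUCTION",
    "0xc00000fd": "STATUS_STACK_OVERFLOW",
    "0xe0434352": "CLR exception (.NET)",
}

# Constructed sample in the same layout as the entries quoted in the thread.
SAMPLE_LOG = """\
Error: (07/23/2016 06:26:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5
Faulting module name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5
Exception code: 0xc0000005
Fault offset: 0x0000bc30
Faulting process id: 0x81c

Error: (07/23/2016 06:10:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5
Faulting module name: l2.exe, version: 0.0.0.0, time stamp: 0x54f440f5
Exception code: 0xc0000005
Fault offset: 0x0000bc30
Faulting process id: 0x7a4

Error: (07/23/2016 08:04:35 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: MazingerZ)
Description: Package Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy+CortanaUI was terminated because it took too long to suspend.

Error: (07/23/2016 08:04:29 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: MazingerZ)
Description: Package Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy+App was terminated because it took too long to suspend.
"""


def parse_entries(text):
    """Return one dict per 'Error:' entry.

    Each dict carries the header groups (when, source, event_id, user), the
    raw 'description' text and a 'fields' map of every 'key: value' pair
    found in the body (keys lower-cased), e.g. 'faulting application name'.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = dict(m.groupdict(), description=[], fields={})
            entries.append(current)
            continue
        if not line:            # blank line terminates the entry body
            current = None
            continue
        if current is None:
            continue
        if line.startswith("Description: "):
            line = line[len("Description: "):]
        current["description"].append(line)
        # Application Error bodies are comma-separated 'key: value' pairs;
        # free-text descriptions simply yield no pairs.
        for piece in line.split(", "):
            key, sep, value = piece.partition(": ")
            if sep:
                current["fields"][key.strip().lower()] = value.strip()
    for e in entries:
        e["description"] = " ".join(e["description"])
    return entries


def summarize(entries):
    """Count entries per (source, event id) and crashes per (exe, code)."""
    by_source = Counter((e["source"], e["event_id"]) for e in entries)
    crashes = Counter()
    for e in entries:
        if e["event_id"] != "1000":
            continue
        exe = e["fields"].get("faulting application name", "?")
        code = e["fields"].get("exception code", "?").lower()
        crashes[(exe, code)] += 1
    return by_source, crashes


def report(text):
    """Render the summary as text, one line per group, most frequent first."""
    by_source, crashes = summarize(parse_entries(text))
    lines = [f"{n:3d} x {src} (EventID {eid})" for (src, eid), n in by_source.most_common()]
    for (exe, code), n in crashes.most_common():
        lines.append(f"{n:3d} crash(es) of {exe}: {code} {EXCEPTION_NAMES.get(code, 'unknown exception')}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against the real Addition.txt by reading the file into `report()`. Repeated crashes of one executable with 0xc0000005 (an access violation) point to a broken or incompatible program rather than to malware on their own; what matters for triage is which binary it is and where it came from, which is exactly the follow-up question the staff member asks.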

Thanks for the reply.

I just looked it up in her drive and that's Lineage 2 (the latest one she installed).  From what I could find online, the game is free, but I'm not sure if the copy she downloaded is from an authorized / official source or not.  The site is http://www.l2ashenvale.com.ar/.

Another important thing to mention, which I missed in my first post: before posting here I uninstalled uTorrent from her computer.  The L2 binaries for that site / server were provided through a torrent, which is the reason she installed that app.  I noticed there were a few mentions about it in the notes for posting in this site.

Do you think the PC is virus free?  Should I be worried about ESET's scanner finding "win32/Bundled.Toolbar.Google.D"?

Thanks for the help!

Diego


  • Staff

Hi Diego, and you're most welcome. :)

The website comes up as a clean site at Virustotal  https://www.virustotal.com/en/url/31938650546275c01756506b8f4f4c4225af161b1b02aaea6afd8e8694348e4b/analysis/1469543135/

Eset likely flagged an installer that was bundled with the Google toolbar - it's not really a big deal but it would be more helpful if I knew the file path of what it had detected.

Given that you're unsure of where she went and what else may have come onto the machine, let's use a tool that is designed specifically to target unwanted programs and adware and see if anything turns up.

Please download AdwCleaner from this link http://www.bleepingcomputer.com/download/adwcleaner/dl/125/ and save it to your desktop.

NOTE: DO NOT CLICK any of the Download buttons. Look to the bottom of your browser and select ‘Save’

• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• When it has finished, click the Logs button and a log will automatically open. Please attach that log in your reply.

You can also find the log file at C:\AdwCleaner\AdwCleaner[Sn].txt (‘n’ is the scan order number).


  • Staff

Hi Diego,

Are you using Eset's online scanner?  The reason I ask is because I don't see Eset as being installed on this machine.

You can go ahead and clean up what AdwCleaner has found - again, nothing serious and certainly nothing that would affect the performance of the machine.

What issues remain?



Yes sorry.  Attaching the files after cleaning with AdwCleaner.

I was using ESET's online scanner indeed, but haven't run it ever since.  When I try to run it now it's telling me I should run an installer I want to avoid unless I'm told to run it.

The initial graphic issue I was seeing was fixed by a Gfx driver upgrade.  The only "suspicious" thing I still see is the steady outgoing connection to the network by the system, which is always fixed at 8k/sec whereas my other computer is around 150 bytes/sec.  Not sure if this is something to worry about or not.

I'm attaching a screenshot of how it looks.

AdwCleaner[S4].txt

Capture.PNG


  • Staff

This is what I found by searching:

http://www.bing.com/search?q=mazingerZ&qs=n&form=QBRE&pq=mazingerz&sc=8-9&sp=-1&sk=&ghc=1&cvid=BE99DCADCC174BC09CBCD0D9EEFC6409

I don't see it installed, but I do see it may be an App??


Error: (07/23/2016 08:04:35 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: MazingerZ)
Description: Package Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy+CortanaUI was terminated because it took too long to suspend.

Error: (07/23/2016 08:04:29 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: MazingerZ)
Description: Package Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy+App was terminated because it took too long to suspend.

Search your machine for MazingerZ and see if anything comes up.

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
