Slower than normal PC, need help analyzing some possible threats discovered


Recommended Posts

Hello, this is my first time posting here so I hope I hit all of the points. Lately my computer has been running slower than usual (especially my internet, using ATT 100 Mbps fiber and usually getting 10-50 down/up; strangely my upload is usually higher than download, which I haven't seen in my past internet plans) and for some reason my search function is acting strangely (seems to be only searching for files/folders but not applications, might not be related), so over the past few days I've been running some scans and attempting to fix it myself but am unsure about these threats that RogueKiller recently picked up (PUM.Dns and Hidden.ADS). I'll attach my FRST, Addition and RogueKiller logs here. I've also included a Malwarebytes log that I ran a few days ago; in hindsight I should have asked about the threat it picked up before removing it, but what's done is done, I suppose.

I usually run several virus scans each week using Bitdefender, ESET, and IOLO's Malware Killer. For system optimization tools I generally run Avira and Iolo System Mechanic every couple of days. I've also tried using UnhackMe, Emsisoft Anti-Malware, HitmanPro, HouseCall, and AdwCleaner, among a few others I'm probably forgetting. I was doing a lot of googling the past week or so and wanted to see what the different programs would pick up. I ran an ESET scan earlier today that came back clean. UnhackMe found a few unwanted services/files, but I can't seem to find any logs for it. Again, in hindsight I should have saved those, because I know it makes your job more difficult not knowing what they may have found.
 
Some notes regarding my FRST logs:
  • Upon reviewing them myself, the last two entries in the installed programs section in the Addition.txt seem pretty suspect, with them being in other characters.
  • Any idea why Avast is still showing up in my Security Center, even though I uninstalled it quite a while ago? It's not listed in the installed programs section and Revo Uninstaller can't find it either, so I'm not sure what data is still on my PC from them.
  • My Bitdefender firewall is normally turned on; I just turned it off temporarily for the scan to run.
  • I'm unsure of what the first account listed under "accounts" in the Addition.txt file is or when it was even created.
  • In the FRST.txt drivers section, I'm not entirely sure how the CYREN Inc. drivers got there. I googled the company and it seems they work in cloud security, but I don't remember installing that. Could it have come bundled with something?
  • Same as above but with the GrdKey (Aktiv Co.) and netfilter2 entries.

 

If there's anything else you need, just let me know. Again, sorry for running all these scans before coming here first. I hope that doesn't mess things up too badly.

Here is the RogueKiller log, I'll attach the rest to save space:

RogueKiller V12.12.30.0 (x64) [Aug  6 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : Shane [Administrator]
Started from : C:\Users\Shane\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 08/08/2018 00:44:44 (Duration : 09:19:27)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f9447a42-403d-498e-8f23-f462e8222b89} | DhcpNameServer : 10.204.0.1 ([])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DBC82562-F866-4112-961F-B0EAF59A5F61} : v2.28|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|App=C:\Users\Shane\AppData\Local\Temp\HouseCall\tmase\nmap\nmap.exe|Name=nmap4trend|Desc=nmap4trend|EmbedCtxt=nmap4trend|Edge=TRUE|Defer=App| [-] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[Hidden.ADS][Stream] C:\ProgramData:482EE99B1E21CE8C -> Found
[Hidden.ADS][Stream] C:\ProgramData:F92137B1307D3B14 -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA DT01ACA200 +++++
--- User ---
[MBR] 4c75434087abc4d8e5c9dd16c7bc894f
[BSP] cd51738a01e463ec516757a7f9380826 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 1906927 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 3906105344 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
--- User ---
[MBR] 9316104665a782f81734208e2c0e3e52
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8192 | Size: 30432 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

mbyteslog.txt

FRST.txt

Addition.txt

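Read-only triage of the three RogueKiller findings in the log above, as an added PowerShell example that is not part of the original post or of any tool mentioned in the thread; the folder, registry key and Temp path are the ones named in the log and are assumed to apply to your system.

```powershell
# Added triage script, not from the thread. Re-checks the three things the
# RogueKiller log above flagged, read-only, from an elevated PowerShell prompt.
# Paths and keys are the ones in the log; adjust them to match your own log.

# 1. Hidden.ADS: alternate data streams attached to the C:\ProgramData folder.
#    'dir /a /r' lists streams on directories as well as files (Get-Item -Stream
#    only does so reliably on PowerShell 7), and /a is needed because ProgramData
#    is a hidden folder.
Write-Host '== Alternate data streams on C:\ProgramData =='
cmd.exe /c dir /a /r C:\ |
    Select-String -Pattern 'ProgramData:' |
    ForEach-Object {
        # line format: "<size> ProgramData:<stream name>:$DATA"
        $parts = ($_.Line.Trim() -split '\s+', 2)
        [pscustomobject]@{ SizeBytes = $parts[0]; Stream = $parts[1] }
    } | Format-Table -AutoSize

# 2. PUM.Dns: DNS servers configured on each interface. A DhcpNameServer that is
#    your own router or ISP resolver (the log shows a private 10.x address) is
#    expected; a static NameServer you did not set yourself is what to ask about.
Write-Host '== DNS servers per interface (Tcpip\Parameters\Interfaces) =='
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem -Path $ifKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.DhcpNameServer -or $p.NameServer) {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            DhcpNameServer = $p.DhcpNameServer
            NameServer     = $p.NameServer
        }
    }
} | Format-Table -AutoSize

# 3. Suspicious.Path: inbound allow rules whose program sits under a Temp
#    folder, like the HouseCall nmap4trend rule in the log. Such rules usually
#    outlive the scanner that created them; an analyst can remove them once
#    the scanner is no longer in use.
Write-Host '== Inbound allow rules for programs under AppData\Local\Temp =='
Get-NetFirewallRule -Direction Inbound -Action Allow | ForEach-Object {
    $app = ($_ | Get-NetFirewallApplicationFilter).Program
    if ($app -like '*\AppData\Local\Temp\*') {
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Program = $app }
    }
} | Format-Table -AutoSize
```

The script changes nothing; it only lists what the three RogueKiller entries refer to so the findings can be posted alongside the FRST logs.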

  • 2 weeks later...
  • Root Admin

Hello @terpy and welcome!

I'm sorry, it looks like your topic was overlooked for some reason. At this time, due to the time involved, I'd like to get new logs and scans please.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
