Messages - terpy

1
Well, it seems my internet speeds are still pretty slow (19 Mbps down, 29 Mbps up over wireless, whereas my phone gets 119 down and 64 up), which might be an issue with my ISP; the last time I called them they didn't have any answers for me, though. Also, for some reason my search feature still doesn't work: it doesn't search for applications, just folders and random files. The computer itself seems to be running alright. It was never really that slow; I was just worried because my credit card had been compromised, so I wanted to be sure my PC was clean.

Do you have any idea what could be causing my internet speeds to be so low on only my PC?

Thanks again for all the help.

2
Hi Curson, thank you for the thorough response! Sorry it took me a while to get back, I had to leave unexpectedly for a day. I've run the fix command, which produced the following log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Shane (12-08-2018 11:33:20) Run:1
Running from C:\Users\Shane\Desktop\Security  Tools
Loaded Profiles: Shane (Available Profiles: Shane & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
S1 netfilter2; system32\drivers\netfilter2.sys [X]
AV: Avast Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Spybot - Search and Destroy (Disabled - Out of date) {A16C3F68-9280-E053-1818-342707FECF4D}
AS: Avast Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
AlternateDataStreams: C:\ProgramData:482EE99B1E21CE8C [217]
AlternateDataStreams: C:\ProgramData:F92137B1307D3B14 [217]
AlternateDataStreams: C:\WINDOWS\SwUSB.exe:AGC

AlternateDataStreams: C:\Users\All Users:482EE99B1E21CE8C [217]
AlternateDataStreams: C:\Users\All Users:F92137B1307D3B14 [217]
AlternateDataStreams: C:\ProgramData\Application Data:482EE99B1E21CE8C [217]
AlternateDataStreams: C:\ProgramData\Application Data:F92137B1307D3B14 [217]
AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [286]
[-HKLM\SYSTEM\CurrentControlSet\Services\45837EB55DEAE840]
C:\WINDOWS\system32\drivers\45837EB55DEAE840.sys
CMD: net user 12FA1BE483FC47BA9482 /delete
EmptyTemp:
*****************

Processes closed successfully.
"HKLM\System\CurrentControlSet\Services\netfilter2" => removed successfully
netfilter2 => service removed successfully
"AV: Avast Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}" => removed successfully
"AS: Spybot - Search and Destroy (Disabled - Out of date) {A16C3F68-9280-E053-1818-342707FECF4D}" => removed successfully
"AS: Avast Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}" => removed successfully
"FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}" => removed successfully
C:\ProgramData => ":482EE99B1E21CE8C" ADS removed successfully
C:\ProgramData => ":F92137B1307D3B14" ADS removed successfully
C:\WINDOWS\SwUSB.exe => ":AGC" ADS removed successfully
"C:\Users\All Users" => ":482EE99B1E21CE8C" ADS not found.
"C:\Users\All Users" => ":F92137B1307D3B14" ADS not found.
"C:\ProgramData\Application Data" => ":482EE99B1E21CE8C" ADS not found.
"C:\ProgramData\Application Data" => ":F92137B1307D3B14" ADS not found.
C:\ProgramData\TEMP => ":CB0AACC9" ADS removed successfully
HKLM\SYSTEM\CurrentControlSet\Services\45837EB55DEAE840 => not found
"C:\WINDOWS\system32\drivers\45837EB55DEAE840.sys" => not found

========= net user 12FA1BE483FC47BA9482 /delete =========

The command completed successfully.


========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 6053888 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 24446948 B
Java, Flash, Steam htmlcache => 156997395 B
Windows/system/drivers => 15769326 B
Edge => 1482240 B
Chrome => 415121840 B
Firefox => 8768464 B
Opera => 9691872 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 5438 B
LocalService => 0 B
NetworkService => 0 B
NetworkService => 0 B
Shane => 1133756826 B
Administrator => 140029 B

RecycleBin => 4684409710 B
EmptyTemp: => 6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:59:13 ====

3
Hello, this is my first time posting here, so I hope I hit all of the points. Lately my computer has been running slower than usual (especially my internet: I'm using ATT 100 Mbps fiber and usually getting 10-50 down/up; strangely, my upload is usually higher than my download, which I haven't seen in my past internet plans), and for some reason my search function is acting strangely (it seems to be only searching for files/folders but not applications; this might not be related). So over the past few days I've been running some scans and attempting to fix it myself, but I am unsure about these threats that RogueKiller recently picked up (PUM.Dns and Hidden.ADS). I'll attach my FRST, Addition and RogueKiller logs here. I've also included a Malwarebytes log that I ran a few days ago. In hindsight I should have asked about the threat it picked up before removing it, but what's done is done, I suppose.
 
I usually run several virus scans each week using Bitdefender, ESET, and Iolo's Malware Killer. For system optimization tools I generally run Avira and Iolo System Mechanic every couple of days. I've also tried using UnhackMe, Emsisoft Anti-Malware, HitmanPro, HouseCall, and AdwCleaner, among a few others I'm probably forgetting. I was doing a lot of googling the past week or so and wanted to see what the different programs would pick up. I ran an ESET scan earlier today that came back clean. UnhackMe found a few unwanted services/files, but I can't seem to find any logs for it. Again, in hindsight I should have saved those, because I know it makes your job more difficult not knowing what they may have found.

[edit] It's also worth noting that a few weeks ago a fraudulent charge was made on a credit card that I had thought was deactivated (I got a new one in the mail to replace my chip, and called customer service to have the old one deactivated, but apparently there must have been a glitch in the system or something, because it remained active). This is what initially sparked my flux of anti-virus scans. It's hard to pinpoint the problem to my PC, though; it could easily be my phone, an RFID reader, or a number of things. Strangely, all the thief bought was two tickets to Universal Studios. Weird.

Some notes regarding my FRST logs:
  • Upon reviewing them myself, the last two entries in the installed programs section of the Addition.txt seem pretty suspect, since they are in other characters.
  • Any idea why Avast is still showing up in my security center, even though I uninstalled it quite a while ago? It's not listed in the installed programs section and Revo Uninstaller can't find it either, so I'm not sure what data is still on my PC from them.
  • My Bitdefender firewall is normally turned on; I just turned it off temporarily for the scan to run.
  • I'm unsure what the first account listed under "accounts" in the Addition.txt file is, or when it was even created.
  • In the FRST.txt drivers section, I'm not entirely sure how the CYREN Inc. drivers got there. I googled the company and it seems they work in cloud security, but I don't remember installing that. Could it have come bundled with something?
  • Same as above, but with the GrdKey (Aktiv Co.) and netfilter2 entries.


If there's anything else you need, just let me know. Again, sorry for running all these scans before coming here first. I hope that doesn't mess things up too badly.

Here is the RogueKiller log, I'll attach the rest to save space:

RogueKiller V12.12.30.0 (x64) [Aug  6 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : Shane [Administrator]
Started from : C:\Users\Shane\Downloads\RogueKiller_portable64.exe
Mode : Scan -- Date : 08/08/2018 00:44:44 (Duration : 09:19:27)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f9447a42-403d-498e-8f23-f462e8222b89} | DhcpNameServer : 10.204.0.1 ([])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DBC82562-F866-4112-961F-B0EAF59A5F61} : v2.28|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|App=C:\Users\Shane\AppData\Local\Temp\HouseCall\tmase\nmap\nmap.exe|Name=nmap4trend|Desc=nmap4trend|EmbedCtxt=nmap4trend|Edge=TRUE|Defer=App| [-] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[Hidden.ADS][Stream] C:\ProgramData:482EE99B1E21CE8C -> Found
[Hidden.ADS][Stream] C:\ProgramData:F92137B1307D3B14 -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA DT01ACA200 +++++
--- User ---
[MBR] 4c75434087abc4d8e5c9dd16c7bc894f
[BSP] cd51738a01e463ec516757a7f9380826 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 1906927 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 3906105344 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
--- User ---
[MBR] 9316104665a782f81734208e2c0e3e52
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8192 | Size: 30432 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
