Messages

31

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: October 08, 2015, 05:37:16 PM »

Hi Heantrad,

Then I should delete the folders you told me to right?
I checked the directions that the old thread had and they exist, and some of the folders are full, should I just delete all of them? (or copy them out of Steam, in case Steam doesn't create them again).
Also, as Steam utilizes webkit, resetting Chrome (and unistalling it) should reset Steam's browser too right?

I don't really know Steam Browser myself, so I advice you to follow the advice posted in Steam forum and to ask relating questions there as well.

Just thought of it, could it be that the proxy server you helped me to delete was Mozilla's update server?, as now I've seen that the version I have is really old and in the update tab it says that the update server hasn't been found.

Firefox don't need a proxy to update,  so no.

Regards.

I'll make a post asking for every folder that I need for resetting Steam's browser.
Meanwhile, I remembered that in CCleaner there's an option to clean Steam, do you think it will clean up the browser too or just temporary files Steam creates?
So, I used Delfix as Ron told me for cleaning all the tools used, and I think it didn't work, this is what happened.

So, I used the Delfix tool (sorry that it took me so long) and it didn't do anything I think.
I runned the program, and it detected some programs, however, I didn't read the intruction of rebooting the sistem and I runned the tool again, then I restarted the PC and nothing got deleted, at least that's what seems, FRST stills there, Javara stills there and I think everything that showed on the log stills there.
I can't send you the log, because I didn't know I messed it up and I didn't do it right, so I didn't save it.
When I run the tool again, the log appears blank (I mean, it doesn't detect any programs installed).
Is possible to delete all the programs I installed during the malware removal manually or I needed the tool?
I've alredy replied to my post on Malwarebytes' forum with the same explanation, but I asked you too in case this error could harm the computer.

32

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: October 07, 2015, 04:22:11 PM »

Hi Heantrad,

CCleaner has detected some registry keys that can be deleted, should I delete any of those? (I have all of the search options actived)

I strongly advice you not to use CCleaner "Registry Cleaner. It could cause harm to your system.

Also, it's normal that I can freely acces to Windows' folder?, I mean, I can freely enter System32, I thought those folders were protected.

It's perfectly normal. The system files and folders are protected again modification/deletion, not browsing.

Alright, I got a responde alredy, in the images below I show them to you, the guy sended me to another thread and the folders he says I must delete are diferent (probably because it's outdated, it's from 2014), but he tells me to directly delete the folders, as I thought I should do the first time, I shouldn't do that right?
Also, now that I remember, Steam let's you reset your cookies directly from the parameters.

I don't really known Steam Browser so I assume the folders will be recreated. You can go ahead.

Regards.

Then I should delete the folders you told me to right?
I checked the directions that the old thread had and they exist, and some of the folders are full, should I just delete all of them? (or copy them out of Steam, in case Steam doesn't create them again).
Also, as Steam utilizes webkit, resetting Chrome (and unistalling it) should reset Steam's browser too right?
Just thought of it, could it be that the proxy server you helped me to delete was Mozilla's update server?, as now I've seen that the version I have is really old and in the update tab it says that the update server hasn't been found.

33

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: October 06, 2015, 08:21:51 PM »

Hi Heantrad,

Yes, you should.
For more information, I suggest you to open a new thread on the Steam Forum.

Regards.

Alright, I opened a thread on the Steam forums for more information.
Meanwhile, I have a pair of questions.
CCleaner has detected some registry keys that can be deleted, should I delete any of those? (I have all of the search options actived)
Also, it's normal that I can freely acces to Windows' folder?, I mean, I can freely enter System32, I thought those folders were protected.
Alright, I got a responde alredy, in the images below I show them to you, the guy sended me to another thread and the folders he says I must delete are diferent (probably because it's outdated, it's from 2014), but he tells me to directly delete the folders, as I thought I should do the first time, I shouldn't do that right?
Also, now that I remember, Steam let's you reset your cookies directly from the parameters.

34

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: October 05, 2015, 09:47:46 PM »

Hi Heantrad,

Don't delete these folders, only their contents.

Regards.

Inside the Overlay HTML Cache folder there's a folder called AppCache, should I delete it too (it's empty)?
Also, the cookies folders are empty and the HTML Cache folder doesn't even exist.

35

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: October 05, 2015, 08:05:15 PM »

Hi Heantrad,

Please try to delete the following directories content :

C:\Program Files\Steam\config\Cookies
C:\Program Files\Steam\config\Overlay Cookies
C:\Program Files\Steam\config\HTML Cache
C:\Program Files\Steam\config\Overlay HTML Cache

Regards.

Before I delete them, will Steam create the folders again (after using the his browser, opening Steam again...) or will I need to create the folders again or reinstall Steam?

36

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: October 05, 2015, 05:26:43 PM »

Hi Heantrad,

Then I should leave the PUMs there right? (they probably appeared because Ron told me to reset all my browsers).

Yes.

Also, should I delete any of those DNS entries?

No, you need them to access Internet.

And Ron told me to delete all the system restores I had, it's because the infection can pass from a restoration to my PC again or just to avoid using them by mistake?

If you use a restore point were your computer was infected, the infection will indeed pass to your computer again.

Does Steam's browser reset along Internet Explorer?, as they use the same engine.

Not anymore. Steam's browser uses WebKit now.

Does Java still install adware? As I needed to unistall it during Ron's cleanup and not I'm doubting about installing it again.

Java doesn't install adwares. Ron makes you uninstall old and flawed versions of Java.

Well, the sound problem happened again, this time the general volume went up to the max.

Sorry, I still have no clue.

Is puush.me a bad webpage? VirusTotal says it has two positive results, but Norton Safeweb says it's safe.

It's safe.

Regards.

So, how can I reset Steam's browser?
Also, when I reseted all the browsers Steam's one algo got kind of reset I think, as for example the 'Watched' videos got reseted.

37

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: October 01, 2015, 06:57:25 PM »

Hi Heantrad,

Also, I found this http://answers.microsoft.com/en-us/windows/forum/windows_7-pictures/volume-mixer-does-not-retain-settings-for/558434e7-fe84-48e0-9385-474594c52e50 , could any of those solutions work if the volume mixer keeps resetting?

You can try those solutions but don't use the "System Restore" one. It will revert your computer to an earlier state, so Ron work will be useless.

RogueKiller did detect something, I'll leave here the log (I haven't deleted anything yet).
The home page of IE seems to be this (Safeweb Norton and VirusTotal say it's safe) https://www.google.es/?gfe_rd=cr&ei=7UUMVrreAs2q8wed_L0g&gws_rd=ssl

PUM stands for Potentially Unwanted Modification. In your case, thoses entries are perfectly legit and necessary to access Internet.
For more information, please read RogueKiller Documentation.

Also, it's me or there's now more DNS entries than before?

The "CurrentControlSet" keys are the ones that matter.

Regards.

Then I should leave the PUMs there right? (they probably appeared because Ron told me to reset all my browsers).
Also, should I delete any of those DNS entries?
And Ron told me to delete all the system restores I had, it's because the infection can pass from a restoration to my PC again or just to avoid using them by mistake?
Does Steam's browser reset along Internet Explorer?, as they use the same engine.
Does Java still install adware? As I needed to unistall it during Ron's cleanup and not I'm doubting about installing it again.
Well, the sound problem happened again, this time the general volume went up to the max.
Is puush.me a bad webpage? VirusTotal says it has two positive results, but Norton Safeweb says it's safe.
Now, after that I think there's only left the Program Files folder and the Nvidia Drivers.

38

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: September 30, 2015, 09:49:15 PM »

Hi Heantrad,

Also, when I did the scan with ESET Online Scaner it detected that the installers of CCleaner had adware, is that true?

CCleaner installer don't contains any adware.

And a weird thing that has been happening, for some reason the volumes at the volume mixer keep reseting at the maximun without an aparent reason, what could be causing it?

I'm sorry but I have no clue.

What are the shortcuts .ink? SAS! has a option to follow them, but I don't know if it's a good decision to make it do it or it will make that SAS! analyzes less files.

.lnk files are Shell Links.
If you enable SAS! to follow them, it will then scan the files "linked" to them. It won't make it analyzes less files.

Regards.

SAS! hasn't detected anything.
Also, I found this http://answers.microsoft.com/en-us/windows/forum/windows_7-pictures/volume-mixer-does-not-retain-settings-for/558434e7-fe84-48e0-9385-474594c52e50 , could any of those solutions work if the volume mixer keeps resetting?

RogueKiller did detect something, I'll leave here the log (I haven't deleted anything yet).
The home page of IE seems to be this (Safeweb Norton and VirusTotal say it's safe) https://www.google.es/?gfe_rd=cr&ei=7UUMVrreAs2q8wed_L0g&gws_rd=ssl
Also, it's me or there's now more DNS entries than before?

39

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: September 30, 2015, 06:39:41 PM »

Hi Heantrad,

It's legit.

Regards.

Alright, I'm still doing scans, MBAM says it's clean, now there's only left SAS!, MSE and RogueKiller.
Also, when I did the scan with ESET Online Scaner it detected that the installers of CCleaner had adware, is that true?
And a weird thing that has been happening, for some reason the volumes at the volume mixer keep reseting at the maximun without an aparent reason, what could be causing it?
What are the shortcuts .ink? SAS! has a option to follow them, but I don't know if it's a good decision to make it do it or it will make that SAS! analyzes less files.

40

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: September 30, 2015, 03:03:36 PM »

Hi Heantrad,

You are welcome.

Regards.

Alright, so Ron has finished with me, so I'm doing a full scan with every antispyware I have.
AdwCleaner has detected this task, I searched for info and it seems that a virus can do that, is it legit or not?
I'll update if any program I have detects anything more.

41

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: September 28, 2015, 04:59:22 PM »

Hi Heantrad,

Could it be that Panda USB vaccine has created the autorun file? As in the PC I use on that class has it.

This is certainly the case.

Also, for curiosity, is hotmail/outlook that bad?

Not at all. I think it's a pretty good solution for end-user.

Regards.

Alright, then I'll keep the autorun, thanks.

42

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: September 25, 2015, 02:47:57 PM »

Hi Heantrad,

I unistalled them because I thought that the trojan might have created them, it's okay anyways right?

Yes.

So, if I execute the file, what would happen

Absolutely nothing since Windows cannot interpret it.

So, I use an USB pen for computing class and today, when I used the USB, I saw it had a file called autorun, I've searched for info and I saw that some virus use that to install virus trough a USB, what should I do?

AutoRun could be subverted by malwares for propagation purposes but, most of the time, the instruction on the autorun.inf file are perfectly legit.
For more information, please read Creating an AutoRun-Enabled Application.

Regards.

Could it be that Panda USB vaccine has created the autorun file? As in the PC I use on that class has it.
Also, for curiosity, is hotmail/outlook that bad?

43

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: September 24, 2015, 05:32:07 PM »

Hi Heantrad,

Sorry, I didn't see the log at first sight.
The new lines are liked to ESet Smart Security driver, so they are legit.

I checked the file you attached.
It's not a valid PE file (exe file) and therefore it poses no threat.

Regards.

I unistalled them because I thought that the trojan might have created them, it's okay anyways right?
So, if I execute the file, what would happen
So, I use an USB pen for computing class and today, when I used the USB, I saw it had a file called autorun, I've searched for info and I saw that some virus use that to install virus trough a USB, what should I do?

44

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: September 24, 2015, 01:51:09 PM »

Hi Heantrad,

So today I did a scan with RogueKiller because Ron is making me install a lot of things and this was detected.
Any idead of what can it be? (I haven't deleted it yet).

Could you please post RogueKiller log ? I'm sure Ron won't make you install something unsafe.

Also, the svchost.exe process keeps appearing, it doesn't show in this report because I exported it to json format by mistake and I did another scan in txt format.

This is a bug on our side. Don't worry about that.

And, it's normal that the rootkit section appears totally blank?, in older version it appeared a lot of files in green for information purposes, has it been updated?

Yes. RogueKiller doesn't display legit hooks anymore.

So... Microsoft Security Essentials detected this... I'm going to delete it and the things that RogueKiller detected too...
Also, I've seen the scheluded tasks to be sure that the Trojan hasn't created one and I found why the Proxy server keeped reapearing, something created a scheluded task.

Please see this with Ron. If something must be removed, he will instruct you how to do it with FRST.

So, today I noticed this, it was created the same day I replied with this comment, if you want I can send you the file so you can see what it is, for now I will move it to a .rar file until I know what to do with it.

Yes, the file could be useful for analysis.
Please rar it and attach it with your next reply.

Regards.

The log has been posted on my previous reply.
And here is the file.

45

RogueKiller / Re: svchost.exe process and a bunch of PUM (and other stuffs)

« on: September 18, 2015, 09:25:01 PM »

Hi Heantrad,

You are welcome.

Regards.

So today I did a scan with RogueKiller because Ron is making me install a lot of things and this was detected.
Any idead of what can it be? (I haven't deleted it yet).
Also, the svchost.exe process keeps appearing, it doesn't show in this report because I exported it to json format by mistake and I did another scan in txt format.
And, it's normal that the rootkit section appears totally blank?, in older version it appeared a lot of files in green for information purposes, has it been updated?
So... Microsoft Security Essentials detected this... I'm going to delete it and the things that RogueKiller detected too...
Also, I've seen the scheluded tasks to be sure that the Trojan hasn't created one and I found why the Proxy server keeped reapearing, something created a scheluded task.
So, today I noticed this, it was created the same day I replied with this comment, if you want I can send you the file so you can see what it is, for now I will move it to a .rar file until I know what to do with it.