Author Topic: Help analyzing log  (Read 3876 times)

0 Members and 1 Guest are viewing this topic.

October 03, 2016, 10:20:04 AM

Ruizi Lin

  • Newbie

  • Offline
  • *

  • 4
  • Reputation:
    0
    • View Profile
Help analyzing log
« on: October 03, 2016, 10:20:04 AM »
Hi sorry new to this and just tried running a scan for the first time, can anyone help me with interpreting the logfile and seeing which are real threats? Thanks a lot for any help.

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Ruizi [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 10/03/2016 14:22:05 (Duration : 01:42:58)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{1386F2A3-FEB9-4C55-AD9A-B798EE57299B} (C:\Program Files\BubbleSound\BubbleSound.dll) -> Found
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{7FDF7A92-F901-4F93-9769-A8AC41C8E563} (C:\Program Files\BubbleSound\BubbleSound.dll) -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\SPPDCOM -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-2685700321-1317698150-1327457976-1001\Software\WebApp -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2685700321-1317698150-1327457976-1001\Software\WebApp -> Found
[PUP] (X64) HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
[PUP] (X86) HKEY_USERS\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
[PUP] (X64) HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
[PUP] (X86) HKEY_USERS\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1146AC44-2F03-4431-B4FD-889BC837521F}{bac261ec} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC} -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | 3D BubbleSound : "C:\Program Files\BubbleSound\3D BubbleSound.exe"
  • -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpKsl60ef2a9f (\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{95C7238F-614D-42D7-8406-1D51C6F033B6}\MpKsl60ef2a9f.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpKsl60ef2a9f (\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{95C7238F-614D-42D7-8406-1D51C6F033B6}\MpKsl60ef2a9f.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2685700321-1317698150-1327457976-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2685700321-1317698150-1327457976-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com/?pc=ASJB  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7B3B2863-3DEA-4AA7-8CA9-0ABE6206D5FF} | DhcpNameServer : 10.3.44.1 ([])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7B3B2863-3DEA-4AA7-8CA9-0ABE6206D5FF} | DhcpNameServer : 10.3.44.1 ([])  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[PUP] \bvxvbxvd -- C:\Users\Ruizi\AppData\Local\bvxvbxvd\bvxvbxvd.exe -> Found

¤¤¤ Files : 4 ¤¤¤
[Suspicious.Path][File] C:\Users\Ruizi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqghumeaylnlf.lnk [LNK@] C:\ProgramData\{e8b0fc61-1f5e-6765-e8b0-0fc611f5f184}\hqghumeaylnlf.exe /startup -> Found
[PUP][File] C:\Users\Public\Desktop\Popcorn Time.lnk [LNK@] C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE -> Found
[PUP][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found
[PUP][Folder] C:\Program Files (x86)\Popcorn Time -> Found

Reply #1October 03, 2016, 02:10:49 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Help analyzing log
« Reply #1 on: October 03, 2016, 02:10:49 PM »
Hi Ruizi Lin,

Welcome to Adlice.com Forum.
Your computer is infected.

You should remove all the [PUP] entries. The [PUM] ones are legit.
For more informations, please refer to RogueKiller Official tutorial.

Regards.