Author Topic: svchost.exe process and a bunch of PUM (and other stuffs)  (Read 85279 times)

0 Members and 2 Guests are viewing this topic.

Reply #15July 16, 2015, 11:25:30 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2477
  • Reputation:
    84
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #15 on: July 16, 2015, 11:25:30 pm »
Hi Heantrad,

OK.
Additionally, please download TCPView, then execute it.
Locate the column "Local Port" and copy/paste the line that has the value 64178 (you can sort the column) in your next reply.

Regards.

Reply #16July 17, 2015, 01:39:49 pm

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #16 on: July 17, 2015, 01:39:49 pm »
Hi Heantrad,

OK.
Additionally, please download TCPView, then execute it.
Locate the column "Local Port" and copy/paste the line that has the value 64178 (you can sort the column) in your next reply.

Regards.
Alright, sorry for replying a bit late, but I will do all that in a moment.
When AdwCleaner detected the Proxy for the first time, I had installed MalwareBytes, AdwCleaner, CCleaner and Microsoft Security Essentials only.
Also I use Dropbox, don't know if it uses a Proxy.

Reply #17July 17, 2015, 02:05:20 pm

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #17 on: July 17, 2015, 02:05:20 pm »
Hi Heantrad,

OK.
Additionally, please download TCPView, then execute it.
Locate the column "Local Port" and copy/paste the line that has the value 64178 (you can sort the column) in your next reply.

Regards.
Alright, here you have the FRST logs
Also, there was no 64178 value, don't know why, if you needed it for the svchost.exe process that RogueKiller detects, it hasn't appeared again so far, if it appears again, I'll run TCPView again.
« Last Edit: July 23, 2015, 04:08:48 pm by Heantrad »

Reply #18July 18, 2015, 12:44:01 am

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2477
  • Reputation:
    84
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #18 on: July 18, 2015, 12:44:01 am »
Hi Heantrad,

Since the port 64178 was not listed, theses lines are harmless.
However, we are going to delete them.

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Regards.

Reply #19July 18, 2015, 10:44:41 am

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #19 on: July 18, 2015, 10:44:41 am »
Hi Heantrad,

Since the port 64178 was not listed, theses lines are harmless.
However, we are going to delete them.

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Regards.
Done, here you have the fixlog.
By the way, when I did the fix, Google chrome reseted the fixed tabs and the most visited websites that I had, maybe it was related to that?
Also, AdwCleaner still detects the ProxyOverride <-looopback> CORRECTION: I defragmented the disk and appart of creating a restauration point that occupies 4 GB it made the loopback thing dissapear, so, that.

Oh and the svchost process has appeared again (and those four DNS registry keys are the only ones that appear now, two of them have dissapeared):

RogueKiller V10.9.1.0 [Jul  9 2015] by Adlice Software
correo : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Sitio web : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Sistema Operativo : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Iniciado en : Modo Normal
Usuario : PAQUITO [Administrador]
Started from : C:\Users\PAQUITO\Desktop\Carpetas\Programas\RogueKiller.exe
Modo : Escanear -- Fecha : 07/19/2015 20:06:30

¤¤¤ Procesos : 1 ¤¤¤
[Proc.Svchost] svchost.exe(4052) --
  • -> Eliminado [TermThr]


¤¤¤ Registro : 4 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{18969D2B-6655-459E-970C-054BCF84438E} | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{18969D2B-6655-459E-970C-054BCF84438E} | DhcpNameServer : 62.81.16.164 62.81.16.213 ([SPAIN (ES)][SPAIN (ES)])  -> Encontrado

¤¤¤ Tareas : 0 ¤¤¤

¤¤¤ Archivos : 0 ¤¤¤

¤¤¤ Archivo de hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Cargado) ¤¤¤

¤¤¤ Navegadores Web : 0 ¤¤¤

¤¤¤ Chequeo MBR : ¤¤¤
+++++ PhysicalDrive0: ST380011A ATA Device +++++
--- User ---
[MBR] 56e60236016fbee647d48fdc4748b6cb
[BSP] f9290963082e6a88bf87140ae95018f6 : Windows XP MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD50 00AZRX-00A8L SCSI Disk Device +++++
--- User ---
[MBR] 2c2b02fc763bc7f60c91970e27545702
[BSP] 8618bcf435fd08ab414ac96125d49708 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476929 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Función incorrecta. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] El dispositivo no está listo. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Solicitud no compatible. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] El dispositivo no está listo. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Solicitud no compatible. )

+++++ PhysicalDrive4: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] El dispositivo no está listo. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Solicitud no compatible. )

+++++ PhysicalDrive5: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] El dispositivo no está listo. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Solicitud no compatible. )

And finally, today when I turned on the PC after executing the fix yesterday, the Windows 10 free install thing appeared (it hadn't appeared for me before, don't know why)
« Last Edit: July 23, 2015, 04:09:32 pm by Heantrad »

Reply #20July 21, 2015, 04:03:56 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2477
  • Reputation:
    84
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #20 on: July 21, 2015, 04:03:56 pm »
Hi Heantrad,

Could you please download RogueKiller latest version, do a scan and post the JSON report ?

Regards.

Reply #21July 21, 2015, 05:04:26 pm

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #21 on: July 21, 2015, 05:04:26 pm »
Hi Heantrad,

Could you please download RogueKiller latest version, do a scan and post the JSON report ?

Regards.
I got one log without the svchost and another with the svchost, I'll attach both.
« Last Edit: July 23, 2015, 04:09:15 pm by Heantrad »

Reply #22July 22, 2015, 04:20:10 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2477
  • Reputation:
    84
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #22 on: July 22, 2015, 04:20:10 pm »
Hi Heantrad,

Your system is clean.

Regards.

Reply #23July 22, 2015, 04:24:15 pm

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #23 on: July 22, 2015, 04:24:15 pm »
Hi Heantrad,

Your system is clean.

Regards.
Thanks a lot.
So, the svchost process is just a normal process that crashes for an unknow reasons and restarts again?
However, if something more happens I will reply, thanks again for helping me with all this stuff.

Reply #24July 22, 2015, 04:26:50 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2477
  • Reputation:
    84
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #24 on: July 22, 2015, 04:26:50 pm »
Hi Heantrad,

You are welcome.
The fact RogueKiller detects the newly created svchost process is a bug we need to troubleshoot.

Regards.

Reply #25July 22, 2015, 04:36:09 pm

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #25 on: July 22, 2015, 04:36:09 pm »
Hi Heantrad,

You are welcome.
The fact RogueKiller detects the newly created svchost process is a bug we need to troubleshoot.

Regards.
Alright.
Also, something I forgot to ask and I shoulded do from the beginning.
Does AZLyrics have a virus?

Reply #26July 22, 2015, 05:18:02 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2477
  • Reputation:
    84
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #26 on: July 22, 2015, 05:18:02 pm »
Hi Heantrad,

According to VirusTotal, AZLyrics were distributing malwares in 2014.
There were no detection since then, so it should be alright. However, I strongly advice you to run an adblocker program when browsing it.

Regards.

Reply #27July 22, 2015, 05:52:58 pm

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #27 on: July 22, 2015, 05:52:58 pm »
Hi Heantrad,

According to VirusTotal, AZLyrics were distributing malwares in 2014.
There were no detection since then, so it should be alright. However, I strongly advice you to run an adblocker program when browsing it.

Regards.
Alright, no more lyrics websites, once is enough to learn.
Thanks again.

Reply #28July 22, 2015, 05:55:00 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2477
  • Reputation:
    84
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #28 on: July 22, 2015, 05:55:00 pm »
Hi Heantrad,

You are very welcome. :)

Regards.

Reply #29July 22, 2015, 08:25:45 pm

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM
« Reply #29 on: July 22, 2015, 08:25:45 pm »
Hi Heantrad,

You are very welcome. :)

Regards.
Also, should I make a reply on the false positives post about the DNS thing or it doesn't matter?