Author Topic: svchost.exe process and a bunch of PUM (and other stuffs)  (Read 139734 times)

0 Members and 2 Guests are viewing this topic.

Reply #90September 18, 2015, 09:25:01 PM

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #90 on: September 18, 2015, 09:25:01 PM »
Hi Heantrad,

You are welcome.

Regards.
So today I did a scan with RogueKiller because Ron is making me install a lot of things and this was detected.
Any idead of what can it be? (I haven't deleted it yet).
Also, the svchost.exe process keeps appearing, it doesn't show in this report because I exported it to json format by mistake and I did another scan in txt format.
And, it's normal that the rootkit section appears totally blank?, in older version it appeared a lot of files in green for information purposes, has it been updated?
So... Microsoft Security Essentials detected this... I'm going to delete it and the things that RogueKiller detected too...
Also, I've seen the scheluded tasks to be sure that the Trojan hasn't created one and I found why the Proxy server keeped reapearing, something created a scheluded task.
So, today I noticed this, it was created the same day I replied with this comment, if you want I can send you the file so you can see what it is, for now I will move it to a .rar file until I know what to do with it.
« Last Edit: September 23, 2015, 03:11:44 PM by Heantrad »

Reply #91September 24, 2015, 12:31:45 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #91 on: September 24, 2015, 12:31:45 AM »
Hi Heantrad,

Quote from: Heantrad
So today I did a scan with RogueKiller because Ron is making me install a lot of things and this was detected.
Any idead of what can it be? (I haven't deleted it yet).
Could you please post RogueKiller log ? I'm sure Ron won't make you install something unsafe.

Quote from: Heantrad
Also, the svchost.exe process keeps appearing, it doesn't show in this report because I exported it to json format by mistake and I did another scan in txt format.
This is a bug on our side. Don't worry about that.

Quote from: Heantrad
And, it's normal that the rootkit section appears totally blank?, in older version it appeared a lot of files in green for information purposes, has it been updated?
Yes. RogueKiller doesn't display legit hooks anymore.

Quote from: Heantrad
So... Microsoft Security Essentials detected this... I'm going to delete it and the things that RogueKiller detected too...
Also, I've seen the scheluded tasks to be sure that the Trojan hasn't created one and I found why the Proxy server keeped reapearing, something created a scheluded task.
Please see this with Ron. If something must be removed, he will instruct you how to do it with FRST.

Quote from: Heantrad
So, today I noticed this, it was created the same day I replied with this comment, if you want I can send you the file so you can see what it is, for now I will move it to a .rar file until I know what to do with it.
Yes, the file could be useful for analysis.
Please rar it and attach it with your next reply.

Regards.

Reply #92September 24, 2015, 01:51:09 PM

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #92 on: September 24, 2015, 01:51:09 PM »
Hi Heantrad,

Quote from: Heantrad
So today I did a scan with RogueKiller because Ron is making me install a lot of things and this was detected.
Any idead of what can it be? (I haven't deleted it yet).
Could you please post RogueKiller log ? I'm sure Ron won't make you install something unsafe.

Quote from: Heantrad
Also, the svchost.exe process keeps appearing, it doesn't show in this report because I exported it to json format by mistake and I did another scan in txt format.
This is a bug on our side. Don't worry about that.

Quote from: Heantrad
And, it's normal that the rootkit section appears totally blank?, in older version it appeared a lot of files in green for information purposes, has it been updated?
Yes. RogueKiller doesn't display legit hooks anymore.

Quote from: Heantrad
So... Microsoft Security Essentials detected this... I'm going to delete it and the things that RogueKiller detected too...
Also, I've seen the scheluded tasks to be sure that the Trojan hasn't created one and I found why the Proxy server keeped reapearing, something created a scheluded task.
Please see this with Ron. If something must be removed, he will instruct you how to do it with FRST.

Quote from: Heantrad
So, today I noticed this, it was created the same day I replied with this comment, if you want I can send you the file so you can see what it is, for now I will move it to a .rar file until I know what to do with it.
Yes, the file could be useful for analysis.
Please rar it and attach it with your next reply.

Regards.
The log has been posted on my previous reply.
And here is the file.

Reply #93September 24, 2015, 03:29:56 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #93 on: September 24, 2015, 03:29:56 PM »
Hi Heantrad,

Sorry, I didn't see the log at first sight.
The new lines are liked to ESet Smart Security driver, so they are legit.

I checked the file you attached.
It's not a valid PE file (exe file) and therefore it poses no threat.

Regards.

Reply #94September 24, 2015, 05:32:07 PM

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #94 on: September 24, 2015, 05:32:07 PM »
Hi Heantrad,

Sorry, I didn't see the log at first sight.
The new lines are liked to ESet Smart Security driver, so they are legit.

I checked the file you attached.
It's not a valid PE file (exe file) and therefore it poses no threat.

Regards.
I unistalled them because I thought that the trojan might have created them, it's okay anyways right?
So, if I execute the file, what would happen
So, I use an USB pen for computing class and today, when I used the USB, I saw it had a file called autorun, I've searched for info and I saw that some virus use that to install virus trough a USB, what should I do?
« Last Edit: September 24, 2015, 10:15:10 PM by Heantrad »

Reply #95September 24, 2015, 11:39:47 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #95 on: September 24, 2015, 11:39:47 PM »
Hi Heantrad,

Quote from: Heantrad
I unistalled them because I thought that the trojan might have created them, it's okay anyways right?
Yes.

Quote from: Heantrad
So, if I execute the file, what would happen
Absolutely nothing since Windows cannot interpret it.

Quote from: Heantrad
So, I use an USB pen for computing class and today, when I used the USB, I saw it had a file called autorun, I've searched for info and I saw that some virus use that to install virus trough a USB, what should I do?
AutoRun could be subverted by malwares for propagation purposes but, most of the time, the instruction on the autorun.inf file are perfectly legit.
For more information, please read Creating an AutoRun-Enabled Application.

Regards.

Reply #96September 25, 2015, 02:47:57 PM

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #96 on: September 25, 2015, 02:47:57 PM »
Hi Heantrad,

Quote from: Heantrad
I unistalled them because I thought that the trojan might have created them, it's okay anyways right?
Yes.

Quote from: Heantrad
So, if I execute the file, what would happen
Absolutely nothing since Windows cannot interpret it.

Quote from: Heantrad
So, I use an USB pen for computing class and today, when I used the USB, I saw it had a file called autorun, I've searched for info and I saw that some virus use that to install virus trough a USB, what should I do?
AutoRun could be subverted by malwares for propagation purposes but, most of the time, the instruction on the autorun.inf file are perfectly legit.
For more information, please read Creating an AutoRun-Enabled Application.

Regards.
Could it be that Panda USB vaccine has created the autorun file? As in the PC I use on that class has it.
Also, for curiosity, is hotmail/outlook that bad?
« Last Edit: September 25, 2015, 04:43:43 PM by Heantrad »

Reply #97September 28, 2015, 04:53:27 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #97 on: September 28, 2015, 04:53:27 PM »
Hi Heantrad,

Quote from: Heantrad
Could it be that Panda USB vaccine has created the autorun file? As in the PC I use on that class has it.
This is certainly the case.

Quote from: Heantrad
Also, for curiosity, is hotmail/outlook that bad?
Not at all. I think it's a pretty good solution for end-user.

Regards.

Reply #98September 28, 2015, 04:59:22 PM

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #98 on: September 28, 2015, 04:59:22 PM »
Hi Heantrad,

Quote from: Heantrad
Could it be that Panda USB vaccine has created the autorun file? As in the PC I use on that class has it.
This is certainly the case.

Quote from: Heantrad
Also, for curiosity, is hotmail/outlook that bad?
Not at all. I think it's a pretty good solution for end-user.

Regards.
Alright, then I'll keep the autorun, thanks.

Reply #99September 28, 2015, 10:44:25 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #99 on: September 28, 2015, 10:44:25 PM »
Hi Heantrad,

You are welcome.

Regards.

Reply #100September 30, 2015, 03:03:36 PM

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #100 on: September 30, 2015, 03:03:36 PM »
Hi Heantrad,

You are welcome.

Regards.
Alright, so Ron has finished with me, so I'm doing a full scan with every antispyware I have.
AdwCleaner has detected this task, I searched for info and it seems that a virus can do that, is it legit or not?
I'll update if any program I have detects anything more.

Reply #101September 30, 2015, 05:04:49 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #101 on: September 30, 2015, 05:04:49 PM »
Hi Heantrad,

It's legit.

Regards.

Reply #102September 30, 2015, 06:39:41 PM

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #102 on: September 30, 2015, 06:39:41 PM »
Hi Heantrad,

It's legit.

Regards.
Alright, I'm still doing scans, MBAM says it's clean, now there's only left SAS!, MSE and RogueKiller.
Also, when I did the scan with ESET Online Scaner it detected that the installers of CCleaner had adware, is that true?
And a weird thing that has been happening, for some reason the volumes at the volume mixer keep reseting at the maximun without an aparent reason, what could be causing it?
What are the shortcuts .ink? SAS! has a option to follow them, but I don't know if it's a good decision to make it do it or it will make that SAS! analyzes less files.
« Last Edit: September 30, 2015, 06:43:02 PM by Heantrad »

Reply #103September 30, 2015, 09:32:41 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #103 on: September 30, 2015, 09:32:41 PM »
Hi Heantrad,

Quote from: Heantrad
Also, when I did the scan with ESET Online Scaner it detected that the installers of CCleaner had adware, is that true?
CCleaner installer don't contains any adware.

Quote from: Heantrad
And a weird thing that has been happening, for some reason the volumes at the volume mixer keep reseting at the maximun without an aparent reason, what could be causing it?
I'm sorry but I have no clue.

Quote from: Heantrad
What are the shortcuts .ink? SAS! has a option to follow them, but I don't know if it's a good decision to make it do it or it will make that SAS! analyzes less files.
.lnk files are Shell Links.
If you enable SAS! to follow them, it will then scan the files "linked" to them. It won't make it analyzes less files.

Regards.

Reply #104September 30, 2015, 09:49:15 PM

Heantrad

  • Jr. Member

  • Offline
  • **

  • 92
  • Reputation:
    0
    • View Profile
Re: svchost.exe process and a bunch of PUM (and other stuffs)
« Reply #104 on: September 30, 2015, 09:49:15 PM »
Hi Heantrad,

Quote from: Heantrad
Also, when I did the scan with ESET Online Scaner it detected that the installers of CCleaner had adware, is that true?
CCleaner installer don't contains any adware.

Quote from: Heantrad
And a weird thing that has been happening, for some reason the volumes at the volume mixer keep reseting at the maximun without an aparent reason, what could be causing it?
I'm sorry but I have no clue.

Quote from: Heantrad
What are the shortcuts .ink? SAS! has a option to follow them, but I don't know if it's a good decision to make it do it or it will make that SAS! analyzes less files.
.lnk files are Shell Links.
If you enable SAS! to follow them, it will then scan the files "linked" to them. It won't make it analyzes less files.

Regards.
SAS! hasn't detected anything.
Also, I found this http://answers.microsoft.com/en-us/windows/forum/windows_7-pictures/volume-mixer-does-not-retain-settings-for/558434e7-fe84-48e0-9385-474594c52e50 , could any of those solutions work if the volume mixer keeps resetting?

RogueKiller did detect something, I'll leave here the log (I haven't deleted anything yet).
The home page of IE seems to be this (Safeweb Norton and VirusTotal say it's safe) https://www.google.es/?gfe_rd=cr&ei=7UUMVrreAs2q8wed_L0g&gws_rd=ssl
Also, it's me or there's now more DNS entries than before?
« Last Edit: September 30, 2015, 10:33:07 PM by Heantrad »