Can someone verify my logs look OK? It's a considerable amount of yellow flags



wolfdogg
2018-03-20, 22:33
Darn it, I thought I had a full log, but it was an old one. So it's still running the scan; please wait, I will paste it when it's complete. Sorry.

I see this for now, and will add that log later.

RootAlyzer Quick Scan Results

Files in Windows folder
----------------------------------------
108 files tested.
No hidden files detected.
========================================

Files in System folder
----------------------------------------
2495 files tested.
No hidden files detected.
========================================

Global run entries
----------------------------------------
5 values tested.
No hidden entries detected.
========================================

Winlogon entries
----------------------------------------
1 keys tested.
No hidden entries detected.
========================================

Invisible processes (from handles)
----------------------------------------
No handle process IDs tested.
No hidden processes detected.
========================================

Invisible processes (from threads)
----------------------------------------
128 processes tested.
No hidden processes detected.
========================================

wolfdogg
2018-03-21, 00:16
No way to edit the post after a few hours?

Ok, so here is the log.

// info: Rootkit removal help file
// copyright: (c) 2008-2018 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncom.bar 1:$DATA"
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncom.bar 2:$DATA"
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncom.bar 3:$DATA"
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncom.ini 1:$DATA"
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncom.ini 2:$DATA"
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncom.ini 3:$DATA"
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncomstyles.ini 1:$DATA"
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncomstyles.ini 2:$DATA"
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncomstyles.ini 3:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Pictures\import_withmeta\1-cull+finalmeta\2010s\2017\McMinnville Vaca with Girls:AFP_AfpInfo:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Favorites\Comcast TV Shows Listings  Movies  Airings  Channels - XFINITY TV.webloc:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Favorites\Dog sings while the baby cries - YouTube.webloc:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Favorites\Gold Rush-03-Special-SinisterGrin@1chann  SockShare.webloc:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Favorites\How to do SSH Tunneling (Port Forwarding) - Screen-cast  Ramki .webloc:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Favorites\Portland, Oregon TV Listings.webloc:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Favorites\Set up Apache server and SSH client to allow tunneling SSH over .webloc:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Favorites\SSH Tunneling · Whatbox.webloc:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Data\Dropbox\Photos\iPhoto Library\ThemeCache:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\dusers\Guest\AppData\Local\Google\Chrome\User Data\SwReporter\8.62.4\software_reporter_tool.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\videos\Feature Films\`PG`+ Music + Docu +\Attack Of The Killer Tomatoes (1978).avi:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dpub\videos\Feature Films\`PG`+ Music + Docu +\Attack Of The Killer Tomatoes (1978).avi:com.apple.LaunchServices.OpenWith:$DATA"
File:"Unknown ADS","D:\dpub\videos\Feature Films\`PG +G (Childrens Mostly)\Pippi Longstocking (1973).avi:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dpub\videos\Feature Films\`PG +G (Childrens Mostly)\Pippi Longstocking (1973).avi:com.apple.LaunchServices.OpenWith:$DATA"
File:"Unknown ADS","D:\dpub\videos\Feature Films\`PG +G (Childrens Mostly)\20 000 Leagues Under The Sea\20 000 Leagues Under The Sea.avi:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dpub\videos\Feature Films\`PG +G (Childrens Mostly)\20 000 Leagues Under The Sea\20 000 Leagues Under The Sea.avi:com.apple.LaunchServices.OpenWith:$DATA"
File:"Unknown ADS","D:\dpub\videos\Documentary\`Reality\R5 Sons\R5 Sons - When Things Go Wrong.avi:TOC.WMV:$DATA"
File:"Unknown ADS","D:\dpub\videos\Documentary\`Food\Hells Kitchen\S2\S02E05 Hells Kitchen Lol.avi:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dpub\videos\Cartoon Shorts\Yogi Bear\Yogi Bear 07 Tally Ho Ho Ho.avi:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dpub\Support\_opsystems\VirtualBox-5.1.14-112924-Win.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_host-specific\merlin asus maximus\378.49-desktop-win8-win7-64bit-international-whql.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_host-specific\merlin asus maximus\GeForce_Experience_v3.3.0.95.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_host-specific\merlin asus maximus\Git-2.10.2-64-bit.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_host-specific\merlin asus maximus\npp.7.3.1.Installer.x64.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_host-specific\merlin asus maximus\vcredist_x64.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_host-specific\merlin asus maximus\vcredist_x86.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_host-specific\Falcon Server GA-M61PM-S2 rev2\motherboard_bios_ga-m61pm-s2_f8.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_host-specific\Falcon Server GA-M61PM-S2 rev2\motherboard_bios_ga-m61pm-s2_f9d.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_all_drivers\pc game controllers\Pro_Flight_FSX_Plugin_7_0_50_1_x64_Software.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_all_drivers\pc game controllers\Saitek_X52_Flight_Controller_7_0_53_6_x64_Drivers.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Support\_all_drivers\pc game controllers\Saitek_X52_Flight_Controller_7_0_53_6_x64_Software.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\music\audio\animals-nature\nature\Sounds of Nature\Sounds of the Dolphin alias:AFP_AfpInfo:$DATA"
File:"Unknown ADS","D:\dpub\music\audio\animals-nature\nature\Sounds of Nature\Sounds of the Dolphin alias 2:AFP_AfpInfo:$DATA"
File:"Unknown ADS","D:\dpub\Games\Sims (all)\Nostalgic and Old games\intellivision\nostalgia4_setup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Games\Sims (all)\Nostalgic and Old games\intellivision\nostalgia5_setup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Games\Sims (all)\Nostalgic and Old games\intellivision\intellivision\emulators\jzinstall.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Games\1st and 3rd Person Tactical Land Games\Elder Scrolls Skyrim\dxwebsetup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Games\1st and 3rd Person Tactical Land Games\Elder Scrolls Skyrim\addons\Nexus Mod Manager-0.62.1.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Games\1st and 3rd Person Tactical Land Games\Elder Scrolls Skyrim\addons\skse_1_07_03_installer.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\Net Nanny 6.31+serial\SETUP.EXE:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\2XClient_12.0_build_2193.paf.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\342.01-desktop-win8-win7-winvista-64bit-international.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\EpicSetup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\esetsmartinstaller_enu.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\Ext2Fsd-0.68.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\JetBrains.dotPeek.2016.3.2.web (1).exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\kodi-16.1-Jarvis.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\Linux_Reader.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\LSPFix.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\mp3tagv281setup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\MPC-HCPortable_1.7.10.paf.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\Nexus Mod Manager-0.63.13.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\picard-setup-1.4.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\PortableRDC.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\PSISetup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\TagRename3913.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\VirtualBox-5.1.12-112440-Win.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\VirtualBox-5.1.14-112924-Win.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\WinCDEmu-4.1.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\WinPcap_4_1_3.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\Wireshark-win32-2.2.4.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\WoWS_internet_install_na.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\Xming-6-9-0-31-setup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\Xming-fonts-7-7-0-10-setup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\utilities\virus removal\FRST.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\utilities\virus removal\FRST64.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\utilities\virus removal\JRT.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\utilities\virus removal\MiniToolBox.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\AutoSplitter_setup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\boinc_7.6.22_windows_x86_64_vbox.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\boinc_7.6.33_windows_x86_64_vbox.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\CreationKit DLCs Fixer V3-25146-3.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\DCS_World_Web_Installer.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\deskew.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\DNGCodec_2_0_Installer.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\eMule0.50a-Installer.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\gimp-2.8.18-setup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\Git-2.10.2-64-bit.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\googledrivesync.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\heroku-toolbelt (1).exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\heroku-toolbelt.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\lprof-setup-1.11.4.1.2.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\MEGAsyncSetup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\MultiCommander_x64_(6.4.8.2265).exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\naps2-5.3.1-setup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\Nexus Mod Manager-0.62.1.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\Quarantine_Tool.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\rbsetup.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\setup-x86_64.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\TeamSpeak3-Client-win64-3.0.19.4.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\unetbootin-windows-625.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\VDFilterPack.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\VidCoder-1.5.34-x64.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\x264.2744.x86_64.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\x264vfw.2273kMod.x86_64.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\zeetreewin-ztw22x64.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\scanner\SIE-0.2.603-win64.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\scanner\vuex6495.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\p2p\2peer087.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\p2p\aresregular243_installer.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\p2p\setup_gigatribe_v3.04.013.6884.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\dl_utils\winrar\wrar540.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\dl_media_editing\DScaler4115.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2016\dl_media_editing\x264vfw_full_43_2694bm_43159_fix.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2015\Defogger.exe:com.apple.metadatakMDItemWhereFroms:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2015\kg5g4n0t.exe:com.apple.metadatakMDItemWhereFroms:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2015\dl_utils\SecurityCheck.exe:com.apple.metadatakMDItemWhereFroms:$DATA"
File:"No admin in ACL","C:\ProgramData\Microsoft\SLDL\5673e322-818b-4767-9f7c-0ff3f9da9a49\5a09f637-321b-4ade-a8fe-686820e1cb57"


Note, this last entry is RED; all the rest are yellow.
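An added example, written here and not taken from the thread or from Safer-Networking: a small Python triage script for the RootAlyzer log format above. It parses the `File:"…","…"` lines, splits each "Unknown ADS" entry into file path and stream name, and buckets the stream names by well-known benign origin so that only unfamiliar streams (and the non-ADS findings such as "No admin in ACL") are left for a manual look. The family descriptions are my own; the BDU description is an assumption the thread does not confirm, and Zone.Identifier is included as a generalization even though it does not appear in this log.

```python
import re
from collections import Counter

# Constructed sample: seven lines copied verbatim from the RootAlyzer log posted above.
SAMPLE_LOG = r'''
:: RootAlyzer Results
File:"Unknown ADS","D:\installs\~installs.old\Unreal Commander\ini backup.txt:Uncom.bar 1:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Favorites\Portland, Oregon TV Listings.webloc:AFP_Resource:$DATA"
File:"Unknown ADS","D:\dusers\Wolfdogg\Data\Dropbox\Photos\iPhoto Library\ThemeCache:com.dropbox.attributes:$DATA"
File:"Unknown ADS","D:\dpub\videos\Feature Films\`PG`+ Music + Docu +\Attack Of The Killer Tomatoes (1978).avi:com.apple.LaunchServices.OpenWith:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2017\Wireshark-win32-2.2.4.exe:BDU:$DATA"
File:"Unknown ADS","D:\dpub\Downloads\2015\Defogger.exe:com.apple.metadatakMDItemWhereFroms:$DATA"
File:"No admin in ACL","C:\ProgramData\Microsoft\SLDL\5673e322-818b-4767-9f7c-0ff3f9da9a49\5a09f637-321b-4ade-a8fe-686820e1cb57"
'''

LINE_RE = re.compile(r'^File:"([^"]+)","(.*)"$')

# Stream-name prefixes with a well-known, benign origin (checked in order).
# The BDU entry is an assumption: the thread does not say which program writes it.
KNOWN_FAMILIES = [
    ("AFP_", "macOS/AFP file-sharing metadata (AFP_AfpInfo, AFP_Resource)"),
    ("com.apple.", "macOS extended attribute stored as a stream by SMB"),
    ("com.dropbox.", "Dropbox sync metadata"),
    ("Zone.Identifier", "Windows Mark-of-the-Web on downloaded files"),
    ("BDU", "assumed: antivirus scan marker on downloaded installers"),
]

def parse_rootalyzer(text):
    """Return (finding, path, stream) triples; stream is None for non-ADS findings."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, comment and blank lines
        finding, target = m.groups()
        if finding == "Unknown ADS" and target.endswith(":$DATA"):
            # 'D:\dir\file:stream:$DATA': the last ':' before ':$DATA' separates path and stream
            path, stream = target[:-len(":$DATA")].rsplit(":", 1)
            out.append((finding, path, stream))
        else:
            out.append((finding, target, None))
    return out

def family_of(stream):
    for prefix, _desc in KNOWN_FAMILIES:
        if stream.startswith(prefix):
            return prefix
    return None

def triage(text):
    """Count ADS findings per known family; everything else goes to a review list."""
    by_family, review, other = Counter(), [], []
    for finding, path, stream in parse_rootalyzer(text):
        if stream is None:
            other.append((finding, path))        # e.g. 'No admin in ACL' (RED in the post)
        elif (fam := family_of(stream)) is not None:
            by_family[fam] += 1
        else:
            review.append((path, stream))        # unfamiliar stream name: look at it by hand
    return {"by_family": by_family, "review": review, "other": other}
```

Running `triage(SAMPLE_LOG)` on the sample leaves only the `Uncom.bar 1` stream and the ACL finding to inspect; on the full log, the same call shows that nearly all yellow entries fall into the macOS, Dropbox and BDU families.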

tashi
2018-03-21, 01:34
Hello wolfdogg,

No way to edit the post after a few hours?

In the Malware Removal Forum, members may not edit their posts.
In the Spybot-S&D forum and others, there is a 15-minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.

As the RootAlyzer is an analyst tool and not a scan and fix program, it would be helpful if you provide the following information. :)

The operating system
Security programs installed
Reason for running a rootkit scan
Using peer-to-peer (P2P) file sharing clients?
Farbar Recovery Scan Tool (FRST) shows in the log; what was this tool used for, please?
Last but not least, how is the computer running?

Best regards.

wolfdogg
2018-03-23, 20:30
Hello,
Sorry, I thought I had added that info; maybe it got lost during the initial edit. Here it goes again:

It's Win7 x64 Ult, 7.3 experience index, with the processor being the 7.3 bottleneck. Memory is 7.5, the rest is 7.7.

I have Spybot S&D and MalwareBytes, which is all I have been using, and all I have running now.

I ran the rootkit scan to keep up on security.

I don't use a peer-to-peer client.

In the past, several months ago, I used HitmanPro, FRST (if I recall correctly), JRT, AdwCleaner, RogueKiller, rkill, and iexplore (to kill any dangerous programs first, so I can safely run scans). I also ran ESET at that time. I had been getting what seemed like malicious network traffic, and constant supersloooowwwwww performance, if not a dead standstill a lot of the time. I had Comodo Internet firewall, and in the end, by removing that, a lot of the problems went away.

Months later, I have been getting the slow performance again, with 2 or 3 instances of Chrome users running, one user with two browser instances running, one of which has about 30 tabs open, a couple each on the others. (I use multiple users: 1 for development, 1 for audio, music or news, and 1 for personal, for separation of concerns and better organization.)

So with all my software development tabs open, things seemed to come to a standstill at some random point, right when I opened a new tab and that page got stuck on loading. Then I had a YouTube ad blocker plugin go unresponsive, so I disabled that, but a day later, yesterday, without that plugin enabled I was getting the same issues.

I have recently installed a program that I really want to keep, RandomPhotoScreensaver (rps4.5.10.1.exe), and it's possible this is causing the latest issue. With this one, it seems sometimes when I come back to my computer, when I resume desktop usage after it has run, it doesn't seem to close all the way. However, from what I remember, that was because opening that browser tab caused me to walk away.

During these times, I wasn't even able to open perfmon until walking away, coming back in the morning, and doing some random operation still in the slowness; the perfmon UAC finally popped up, wow.... So then when looking at perfmon, Chrome is the one taking up the most memory. Memory usage at the time is about 9 out of 12GB, and for the CPU I see some redline, which means a process is not responding. The CPU performance is only about 30% at the time, but the CPU queuing is sometimes near 100%, and the redlines are in the 20-30% range, but I didn't notice which program was causing it; I thought maybe Chrome.

See redline example 13006. However, things are running fine; I actually didn't expect to see that, and am not used to seeing that either.

Here is the resource monitor now, when things are running smoothly (taken 2 mins after the former screenshot, just now): 13007

wolfdogg
2018-03-23, 20:47
I noticed in the previous screenshot the CPU area was not scrolled correctly; here is that info: 13008

By the way, I just noticed an entry in there called xvpnd.exe. I had subscribed to ExpressVPN recently so I can use P2P, but there was a payment problem, so it only worked for a few hours (the VPN connection), but I let it cancel because I think I found a better company anyway, that I haven't signed up for yet. I can see how that may be causing network adapter issues. I uninstalled that just now.

tashi
2018-03-23, 22:09
Hello wolfdogg,

I don't use a peer-to-peer client.

Your log shows:
p2p\2peer087.exe
eMule0.50a-Installer.exe
p2p\aresregular243_installer.exe
p2p\setup_gigatribe_v3.04.013.6884.exe

Where did you download this from, please?
Downloads\Net Nanny 6.31+serial\SETUP.EXE

Best regards.

wolfdogg
2018-03-24, 01:10
I keep downloads all the way back to 1998. This is a new operating system; the stuff from 2016 was from a previous installation of Windows. That directory you're seeing references to is an archive.

As far as the Net Nanny, I'm not sure where I got that, but it's not installed, and is also from 2016. I only keep the downloads, not their sources.

Do you see a problem related to any of those?

And also, I guess the main question, based on the logs: how would I use the rootkit search to find something that may be actively being used on boot? I think that's what I'm aiming for, as opposed to removing any unsafe downloads from years past that aren't installed.

tashi
2018-03-24, 02:09
Hello wolfdogg,

We had a similar conversation previously in 2017:
https://forums.spybot.info/showthread.php?74351-Unknown-ADS-in-videos-and-more

If you want to find out if there are any infections you can start a topic in the malware forum as suggested last time.

As you know, the tools used will remove any bad items found on a machine, archived or not.

Best regards.

wolfdogg
2018-03-27, 04:49
Thanks for the responses, and help!