
Infected? svchost.exe Problems


This topic is locked
10 replies to this topic

#1 FireFighter254


Posted 09 January 2012 - 01:39 PM

Hello, everyone, posting what information I believe would help:

Windows Vista Home Basic Service Pack 2

Browser: IE 9

Running Norton 360
Malwarebytes Anti-Malware

1) When the laptop restarts or boots, I have an svchost.exe that becomes a resource hog. Per Task Mgr, it's using an average Peak Working Set of over 900,000K and then settles down to a Working Set avg of 350,000K.

2) MBAM consistently shows a pop-up window every few seconds stating that it has "Successfully Blocked Access to a Potentially Malicious Website" and then shows an IP address after it. It's doing this for several IPs (206.161.121.2, 206.161.121.3, 206.161.121.4 & 141.136.16.151 respectively), also showing the process as "svchost.exe". MBAM does this for about 30 minutes after boot-up/restart, and then I receive a pop-up from Windows that an svchost.exe process has been shut down.

3) I have run full MBAM scans and they all came up clean.

4) N360 gave me (3) warnings this morning, caused by a "svchost.exe" process; please see the screenshot below. One of the MBAM pop-ups is in this screenshot as well.

Thank you for your help!!

Screenshot: (image attached to the original post, not reproduced here)


#2 cryptodan


Posted 09 January 2012 - 01:42 PM

Can you post scan logs from Malwarebytes?

#3 FireFighter254


Posted 09 January 2012 - 03:33 PM

Cryptodan! How are you? You've helped me before with a PayPal connection problem.

I sure can, here are the last two MBAM scans that I performed:

NOTE: Just in case you need it, I am including the protection log from today; it looks like it's showing each and every one of these pop-ups I am getting. It hasn't stopped yet, it just keeps going, and I got another one from N360, same as in the screenshot above.



Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.03.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
NGSP2007 :: NGSP2007-OFF-PC [administrator]

Protection: Enabled

1/3/2012 5:55:34 PM
mbam-log-2012-01-03 (17-55-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201925
Time elapsed: 13 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.04.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
NGSP2007 :: NGSP2007-OFF-PC [administrator]

Protection: Enabled

1/4/2012 9:56:24 AM
mbam-log-2012-01-04 (09-56-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201537
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

2012/01/09 07:20:45 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE Executing scheduled update: Daily
2012/01/09 07:20:56 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE Starting database refresh
2012/01/09 07:20:56 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE Stopping IP protection
2012/01/09 07:20:56 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE Scheduled update executed successfully: database updated from version v2012.01.08.02 to version v2012.01.09.05
2012/01/09 07:21:01 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE IP Protection stopped
2012/01/09 07:21:32 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE Database refreshed successfully
2012/01/09 07:21:32 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE Starting IP protection
2012/01/09 07:21:35 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE IP Protection started successfully
2012/01/09 12:31:18 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE Starting protection
2012/01/09 12:31:23 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE Protection started successfully
2012/01/09 12:31:26 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE Starting IP protection
2012/01/09 12:31:29 -0500 NGSP2007-OFF-PC NGSP2007 MESSAGE IP Protection started successfully
2012/01/09 14:57:48 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 53114, Process: svchost.exe)
2012/01/09 14:57:56 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 53119, Process: svchost.exe)
2012/01/09 14:58:12 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53123, Process: svchost.exe)
2012/01/09 14:58:36 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 53126, Process: svchost.exe)
2012/01/09 14:59:09 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 53131, Process: svchost.exe)
2012/01/09 15:01:01 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 53218, Process: svchost.exe)
2012/01/09 15:01:01 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53221, Process: svchost.exe)
2012/01/09 15:02:38 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 53295, Process: svchost.exe)
2012/01/09 15:02:46 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 53299, Process: svchost.exe)
2012/01/09 15:03:19 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 53318, Process: svchost.exe)
2012/01/09 15:04:15 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 53378, Process: svchost.exe)
2012/01/09 15:04:15 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 53381, Process: svchost.exe)
2012/01/09 15:05:04 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 53386, Process: svchost.exe)
2012/01/09 15:05:12 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53389, Process: svchost.exe)
2012/01/09 15:06:41 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53396, Process: svchost.exe)
2012/01/09 15:08:20 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 53530, Process: svchost.exe)
2012/01/09 15:09:17 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53571, Process: svchost.exe)
2012/01/09 15:09:34 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 53604, Process: svchost.exe)
2012/01/09 15:09:58 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 53666, Process: svchost.exe)
2012/01/09 15:09:58 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 53668, Process: svchost.exe)
2012/01/09 15:10:22 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 53705, Process: svchost.exe)
2012/01/09 15:13:21 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 54127, Process: svchost.exe)
2012/01/09 15:14:18 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 54282, Process: svchost.exe)
2012/01/09 15:14:42 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 54330, Process: svchost.exe)
2012/01/09 15:15:07 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 54365, Process: svchost.exe)
2012/01/09 15:15:31 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 54378, Process: svchost.exe)
2012/01/09 15:16:35 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 54551, Process: svchost.exe)
2012/01/09 15:17:16 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 141.136.16.151 (Type: outgoing, Port: 54658, Process: svchost.exe)
2012/01/09 15:17:33 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 54728, Process: svchost.exe)
2012/01/09 15:18:14 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 54884, Process: svchost.exe)
2012/01/09 15:18:31 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 54950, Process: svchost.exe)
2012/01/09 15:19:27 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 55018, Process: svchost.exe)
2012/01/09 15:21:12 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 55207, Process: svchost.exe)
2012/01/09 15:22:09 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 55350, Process: svchost.exe)
2012/01/09 15:22:41 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 55406, Process: svchost.exe)
2012/01/09 15:23:38 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 55525, Process: svchost.exe)
2012/01/09 15:23:46 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 55530, Process: svchost.exe)
2012/01/09 15:24:10 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 55553, Process: svchost.exe)
2012/01/09 15:24:35 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 55566, Process: svchost.exe)
2012/01/09 15:25:07 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 55580, Process: svchost.exe)
2012/01/09 15:25:23 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 55587, Process: svchost.exe)
2012/01/09 15:25:40 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 55590, Process: svchost.exe)
2012/01/09 15:26:52 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 55607, Process: svchost.exe)
2012/01/09 15:27:17 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 141.136.16.151 (Type: outgoing, Port: 55608, Process: svchost.exe)
2012/01/09 15:27:41 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 55612, Process: svchost.exe)
2012/01/09 15:27:49 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 55616, Process: svchost.exe)
2012/01/09 15:28:05 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 55620, Process: svchost.exe)
2012/01/09 15:28:22 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 55623, Process: svchost.exe)
2012/01/09 15:30:15 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 55631, Process: svchost.exe)
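As an added triage example (not code from this thread or from Malwarebytes), the script below parses protection-log lines in the format posted above, aggregates the outgoing blocks per process and destination, and flags the pattern the OP describes: one process retrying a handful of blocked addresses every few seconds. The line grammar is inferred from the posted lines and the thresholds are assumptions.

```python
"""Triage helper for Malwarebytes 1.x "IP-BLOCK" protection-log lines (added
example; line grammar inferred from the posted log, thresholds are assumptions)."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_network

# One log line: timestamp with UTC offset, host, user, "IP-BLOCK", destination
# address, then the parenthesised direction, port and process (as posted above).
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)

# Constructed sample: seven lines copied from the log above plus one malformed
# line, so the parser's error path is exercised too.
SAMPLE_LOG = """\
2012/01/09 14:40:23 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.5 (Type: outgoing, Port: 51785, Process: svchost.exe)
2012/01/09 14:40:31 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.2 (Type: outgoing, Port: 51791, Process: svchost.exe)
2012/01/09 14:40:47 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 51796, Process: svchost.exe)
2012/01/09 14:43:05 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.3 (Type: outgoing, Port: 51852, Process: svchost.exe)
2012/01/09 14:43:21 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 51864, Process: svchost.exe)
2012/01/09 15:17:16 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 141.136.16.151 (Type: outgoing, Port: 54658, Process: svchost.exe)
2012/01/09 15:17:33 -0500 NGSP2007-OFF-PC NGSP2007 IP-BLOCK 206.161.121.4 (Type: outgoing, Port: 54728, Process: svchost.exe)
Protection log header line (not an IP-BLOCK entry)
"""


def parse_log(text):
    """Parse log text into (events, malformed_count).

    Each event is a dict with a timezone-aware 'time', an integer 'port' and
    the string fields host, user, ip, direction and process.
    """
    events, malformed = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            malformed += 1
            continue
        event = match.groupdict()
        event["time"] = datetime.strptime(event.pop("stamp"), "%Y/%m/%d %H:%M:%S %z")
        event["port"] = int(event["port"])
        events.append(event)
    return events, malformed


def triage(events, min_events=3, max_subnets=2, max_median_gap=120):
    """Aggregate outgoing blocks per process and flag beacon-like patterns.

    A process is flagged when it produced at least `min_events` outgoing blocks,
    its destinations fall into at most `max_subnets` /24 networks, and the
    median spacing between blocks is at most `max_median_gap` seconds.  This
    only ranks what to examine first; a hijacked service host and a
    misconfigured updater can look alike at this level.
    """
    per_process = defaultdict(list)
    for event in events:
        if event["direction"] == "outgoing":
            per_process[event["process"]].append(event)

    by_process, suspicious = {}, []
    for process, evs in per_process.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        subnets = Counter(str(ip_network(f"{e['ip']}/24", strict=False)) for e in evs)
        summary = {
            "total": len(evs),
            "destinations": dict(Counter(e["ip"] for e in evs)),
            "subnets": dict(subnets),
            "span_seconds": (times[-1] - times[0]).total_seconds(),
            "median_gap_seconds": statistics.median(gaps) if gaps else None,
            # A strictly rising port column is consistent with the field being the
            # local ephemeral port of successive connection attempts (assumption).
            "ports_ascending": all(a["port"] < b["port"] for a, b in zip(evs, evs[1:])),
        }
        by_process[process] = summary
        if (summary["total"] >= min_events
                and len(subnets) <= max_subnets
                and summary["median_gap_seconds"] is not None
                and summary["median_gap_seconds"] <= max_median_gap):
            suspicious.append(process)
    return {"by_process": by_process, "suspicious": suspicious}


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    report = triage(parsed)
    print(f"{len(parsed)} events parsed, {bad} malformed line(s) skipped")
    for name, info in report["by_process"].items():
        print(name, info)
    print("processes to examine first:", report["suspicious"])
```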

#4 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 09 January 2012 - 03:37 PM

Can you perform complete scans?


Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.

#5 FireFighter254
  • Topic Starter

  • Members
  • 83 posts
  • Gender:Male
  • Location:US

Posted 09 January 2012 - 04:29 PM

Full scan on MBAM? Sure, let me know if you need that.

Unfortunately, a few days ago, I ran a disk clean up through Windows, so the minidump files are gone. I did have a BSOD just prior to the disk clean up.

The Blue Screen report follows the MiniToolBox log, in case you need it.

MiniToolBox by Farbar
Ran by NGSP2007 (administrator) on 09-01-2012 at 16:22:30
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

::1 localhost
127.0.0.1 localhost

========================= IP Configuration: ================================

Broadcom 802.11b/g WLAN = Wireless Network Connection (Connected)
Intel® PRO/100 VE Network Connection = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : NGSP2007-Off-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.actdsltmp

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : domain.actdsltmp
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : 00-1A-73-13-6B-5B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::50e0:3ad6:7374:28a8%9(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, January 09, 2012 12:26:57 PM
Lease Expires . . . . . . . . . . : Tuesday, January 10, 2012 12:26:55 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 151001715
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0D-81-D5-D3-00-16-36-DB-D5-A6
DNS Servers . . . . . . . . . . . : 192.168.0.1
198.6.1.3
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-16-36-DB-D5-A6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : domain.actdsltmp
Description . . . . . . . . . . . : isatap.domain.actdsltmp
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 10:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{51A1592B-E40D-47C6-8E39-A54FEA99398D}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.0.1



Pinging google.com [74.125.227.51] with 32 bytes of data:

Reply from 74.125.227.51: bytes=32 time=31ms TTL=54

Reply from 74.125.227.51: bytes=32 time=44ms TTL=54



Ping statistics for 74.125.227.51:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 31ms, Maximum = 44ms, Average = 37ms

Server: UnKnown
Address: 192.168.0.1



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=78ms TTL=55

Reply from 209.191.122.70: bytes=32 time=85ms TTL=55



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 78ms, Maximum = 85ms, Average = 81ms

Server: UnKnown
Address: 192.168.0.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time=11ms TTL=128

Reply from 127.0.0.1: bytes=32 time=3ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 3ms, Maximum = 11ms, Average = 7ms

===========================================================================
Interface List
9 ...00 1a 73 13 6b 5b ...... Broadcom 802.11b/g WLAN
8 ...00 16 36 db d5 a6 ...... Intel® PRO/100 VE Network Connection
1 ........................... Software Loopback Interface 1
13 ...00 00 00 00 00 00 00 e0 isatap.domain.actdsltmp
10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
14 ...00 00 00 00 00 00 00 e0 isatap.{51A1592B-E40D-47C6-8E39-A54FEA99398D}
15 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.5 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.5 281
192.168.0.5 255.255.255.255 On-link 192.168.0.5 281
192.168.0.255 255.255.255.255 On-link 192.168.0.5 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.5 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.5 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
9 281 fe80::/64 On-link
9 281 fe80::50e0:3ad6:7374:28a8/128
On-link
1 306 ff00::/8 On-link
9 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/09/2012 08:54:26 AM) (Source: Application Hang) (User: )
Description: The program Explorer.EXE version 6.0.6002.18005 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: be4
Start Time: 01ccccc9b98a51ae
Termination Time: 0

Error: (01/06/2012 06:40:05 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module ntdll.dll, version 6.0.6002.18327, time stamp 0x4cb73436, exception code 0xc0000005, fault offset 0x0006628e,
process id 0x478, application start time 0xsvchost.exe0.

Error: (01/06/2012 06:01:07 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module USER32.dll, version 6.0.6002.18005, time stamp 0x49e0380e, exception code 0xc0000409, fault offset 0x00065276,
process id 0x460, application start time 0xsvchost.exe0.

Error: (01/06/2012 04:47:25 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\INF\SMSVCHOST 4.0.0.0\001F\_SMSVCHOSTPERFCOUNTERS.INI> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (01/06/2012 04:39:50 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\INF\SMSVCHOST 4.0.0.0\0012\_SMSVCHOSTPERFCOUNTERS.INI> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (01/06/2012 04:39:16 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\INF\SMSVCHOST 4.0.0.0\0005\_SMSVCHOSTPERFCOUNTERS.INI> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (01/06/2012 04:38:40 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\INF\SMSVCHOST 4.0.0.0\0001\_SMSVCHOSTPERFCOUNTERS.INI> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (01/06/2012 04:38:37 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\INF\SMSVCHOST 4.0.0.0\0007\_SMSVCHOSTPERFCOUNTERS.INI> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (01/06/2012 04:38:37 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\INF\SMSVCHOST 4.0.0.0\0013\_SMSVCHOSTPERFCOUNTERS.INI> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (01/06/2012 04:38:34 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\INF\SMSVCHOST 4.0.0.0\001D\_SMSVCHOSTPERFCOUNTERS.INI> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


System errors:
=============
Error: (01/09/2012 00:50:34 PM) (Source: Service Control Manager) (User: )
Description: iPod Service1

Error: (01/09/2012 00:50:24 PM) (Source: Service Control Manager) (User: )
Description: Bonjour Service1

Error: (01/09/2012 00:46:36 PM) (Source: DCOM) (User: )
Description: {752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (01/09/2012 00:40:51 PM) (Source: Service Control Manager) (User: )
Description: TomTomHOMEService1

Error: (01/09/2012 00:40:40 PM) (Source: Service Control Manager) (User: )
Description: SBSD Security Center Service1

Error: (01/09/2012 00:40:35 PM) (Source: Service Control Manager) (User: )
Description: XAudioService1

Error: (01/09/2012 00:27:19 PM) (Source: LSM) (User: )
Description: Terminal Service start failed. The relevant status code was The configuration data for this product is corrupt. Contact your support personnel.
.

Error: (01/09/2012 00:27:18 PM) (Source: Service Control Manager) (User: )
Description: PxHelp20

Error: (01/09/2012 00:27:12 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (01/09/2012 00:25:47 PM) (Source: volmgr) (User: )
Description: Configuring the Page file for crash dump failed. Make sure there is a page
file on the boot partition and that is large enough to contain all physical
memory.


Microsoft Office Sessions:
=========================
Error: (10/28/2011 03:09:41 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 147 seconds with 0 seconds of active time. This session ended with a crash.

Error: (07/31/2011 07:31:55 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 35389 seconds with 4800 seconds of active time. This session ended with a crash.

Error: (03/15/2011 04:56:46 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 35118 seconds with 2040 seconds of active time. This session ended with a crash.

Error: (03/05/2011 09:54:12 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 58 seconds with 0 seconds of active time. This session ended with a crash.

Error: (02/12/2011 09:46:01 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 36630 seconds with 1980 seconds of active time. This session ended with a crash.

Error: (09/27/2010 10:25:36 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2252 seconds with 420 seconds of active time. This session ended with a crash.

Error: (08/27/2010 05:24:52 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6535.5005, Microsoft Office Version: 12.0.6425.1000. This session lasted 48913 seconds with 2280 seconds of active time. This session ended with a crash.

Error: (02/25/2010 07:57:31 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 648 seconds with 420 seconds of active time. This session ended with a crash.

Error: (02/10/2010 01:39:56 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 517 seconds with 360 seconds of active time. This session ended with a crash.

Error: (01/25/2010 06:36:34 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1334 seconds with 360 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

3DVIA Player 4.1 (Version: 4.1.0.65)
Acrobat.com (Version: 1.6.65)
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
ActiveCheck component for HP Active Support Library (Version: 3.0.0.2)
Adobe ExtendScript Toolkit 2 (Version: 2.0.1)
Adobe Flash Player 10 Plugin (Version: 10.3.181.34)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader 9.4.7 (Version: 9.4.7)
Adobe Setup (Version: 1.0)
Adobe Shockwave Player (Version: 11)
Apple Application Support (Version: 2.1.5)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
ASL_HS_Installer32 (Version: 1.0.9)
Bonjour (Version: 3.0.0.10)
Broadcom 802.11 Wireless LAN Adapter (Version: 4.170.77.3)
Brother P-touch Editor 5.0 (Version: 5.0.032)
Canon Inkjet Printer Driver Add-On Module
Canon MP Navigator 2.0
Canon MP450
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint EX
CCScore (Version: 6.02.1001.0001)
Conexant HD Audio
Crystal Reports for .NET Framework 2.0 (x86) (Version: 10.2.0)
Dell Digital Jukebox Driver
eReg (Version: 1.20.138.34)
ESSBrwr (Version: 6.04.0000.0001)
ESSCDBK (Version: 6.04.0000.0001)
ESScore (Version: 6.04.0000.0003)
ESSgui (Version: 6.04.0000.0001)
ESSini (Version: 6.04.0000.0001)
ESSPCD (Version: 6.04.0000.0001)
ESSPDock (Version: 6.03.0001.0004)
ESSSONIC (Version: 6.4.0000.0001)
ESSTOOLS (Version: 5.00.0000.0004)
essvatgt (Version: 6.04.0000.0001)
FileOpen Plug-in for Adobe Acrobat® and Acrobat Reader® (Version: 2.0.3.874)
Futuremark SystemInfo (Version: 3.21.2.1)
GearDrvs (Version: 1.00.0000)
GearDrvs (Version: 5.0.0.2)
HDAUDIO Soft Data Fax Modem with SmartCP
Holdem Manager
HP Active Support Library (Version: 3.1.9.1)
HP Connections (remove only)
HP Customer Experience Enhancements (Version: 1.00.0000)
HP Easy Setup - Core (Version: 1.00.0000)
HP Easy Setup - Frontend (Version: 5.00.0000)
HP Help and Support (Version: 2.0.9.0)
HP Product Detection (Version: 9.7.2)
HP Quick Launch Buttons 6.10 B9 (Version: 6.10 B9)
HP QuickPlay 3.6
HP Update (Version: 4.000.010.008)
HP User Guide 0048 (Version: 1.02.0001)
HP Wireless Assistant (Version: 3.00 H3)
HPAsset component for HP Active Support Library (Version: 3.0.0.3)
HPNetworkAssistant (Version: 1.1.70)
ImTOO MOV Converter 6 (Version: 6.5.2.0216)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
iTunes (Version: 10.5.1.42)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 23 (Version: 6.0.230)
kgcbaby (Version: 5.03.0000.0002)
kgcbase (Version: 5.03.0000.0004)
kgchday (Version: 5.03.0000.0002)
kgchlwn (Version: 5.03.0000.0002)
kgcinvt (Version: 5.03.0000.0003)
kgckids (Version: 5.03.0000.0002)
kgcmove (Version: 5.03.0000.0003)
kgcvday (Version: 5.03.0000.0002)
Kodak EasyShare software
LightScribe 1.4.124.1 (Version: 1.4.124.1)
Lite-Configurator (Version: 2.0)
Logitech SetPoint 6.20 (Version: 6.20.64)
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Automated Troubleshooting Services Shim
Microsoft IntelliPoint 6.1 (Version: 6.10.156.0)
Microsoft Office 2003 Web Components (Version: 11.0.8173.0)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access 2003 Runtime (Version: 11.0.5614.0)
Microsoft Office Accounting 2007 (Version: 2.0.7503.0)
Microsoft Office Accounting Equifax Addin (Version: 2.0.7416.00)
Microsoft Office Accounting Fixed Asset Manager (Version: 2.0.7416.00)
Microsoft Office Accounting PayPal Addin (Version: 2.0.7416.00)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Small Business Connectivity Components (Version: 2.0.7024.0)
Microsoft Office Standard 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) (Version: 9.4.5000.00)
Microsoft SQL Server Native Client (Version: 9.00.5000.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.5000.00)
Microsoft SQL Server VSS Writer (Version: 9.00.5000.00)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Mikogo
Mozilla Firefox (3.6.18) (Version: 3.6.18 (en-US))
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
muvee autoProducer 5.0 (Version: 5.00.050)
NCH Toolbox
netbrdg (Version: 6.04.0000.0001)
Norton 360 Premier Edition (Version: 5.1.0.29)
OfotoXMI (Version: 6.04.0000.0001)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Paint.NET v3.5.10 (Version: 3.60.0)
PokerStove version 1.23
PokerTracker 3 (remove only)
Pool Sharks (Version: 1.0.30)
PostgreSQL 8.3 (Version: 8.3)
Prism Video Converter
PS-Tools (Version: 4.0.4)
Quicken 2005 (Version: 14.00.0000)
QuickTime (Version: 7.70.80.34)
SFR (Version: 6.04.0000.0001)
SHASTA (Version: 6.04.0000.0001)
skin0001 (Version: 6.04.0000.0004)
SKINXSDK (Version: 6.02.1001.0001)
Small Block Engine Assembly
Sonic Activation Module (Version: 1.0)
Spybot - Search & Destroy (Version: 1.6.2)
staticcr (Version: 6.04.0000.0005)
SUPERAntiSpyware (Version: 4.47.1000)
Synaptics Pointing Device Driver (Version: 11.0.7.0)
TomTom HOME 2.7.6.2056 (Version: 2.7.6.2056)
TomTom HOME Visual Studio Merge Modules (Version: 1.0.2)
tooltips (Version: 6.04.0000.0001)
Vista Shortcut Manager (Version: 2.0)
VPRINTOL (Version: 6.04.0000.0001)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
WIRELESS (Version: 6.04.0000.0001)
WOT for Internet Explorer (Version: 10.8.30.0)
WOT Services (Version: 1.00.0000)
YouTube Downloader 3.5

========================= Memory info: ===================================

Percentage of memory in use: 82%
Total physical RAM: 2037.31 MB
Available physical RAM: 348.71 MB
Total Pagefile: 4313.89 MB
Available Pagefile: 2000.33 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.14 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:68.34 GB) (Free:2.02 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:6.19 GB) (Free:0.57 GB) NTFS

========================= Users: ========================================

User accounts for \\NGSP2007-OFF-PC

Administrator Guest NGSP2007
postgres

========================= Minidump Files ==================================

No minidump file found

**** End of log ****


==================================================
Dump File : Mini010612-01.dmp
Crash Time : 1/6/2012 9:05:28 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : 0xc0000005
Parameter 2 : 0x82456588
Parameter 3 : 0x88f6bb8c
Parameter 4 : 0x88f6b888
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+3e588
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18533 (vistasp2_gdr.111025-0338)
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\Minidump\Mini010612-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
Dump File Size : 138,128
==================================================

Edited by FireFighter254, 09 January 2012 - 04:31 PM.


#6 FireFighter254

FireFighter254
  • Topic Starter

  • Members
  • 83 posts
  • Gender:Male
  • Location:US
  • Local time:08:08 AM

Posted 09 January 2012 - 06:01 PM

Shortly after my last post, I received the pop-up about the svchost.exe stopping. Once that happens, one of the svchost.exe's in my Task Mgr looks like below in the screenshot and has no description; also, if I right-click and select Open File Location, nothing happens. Certain tasks, such as Start, then Explore, hang for a minute or so, etc. Hope this additional information helps you.



Posted Image

Posted Image


Also, after the svchost is stopped, my overall Windows theme changes (colors, etc.). Below is my normal one and the 2nd one is what it looks like now...in all windows, taskbar, Outlook, etc. Won't change back unless I restart.

Posted Image

Posted Image

Edited by FireFighter254, 09 January 2012 - 06:07 PM.


#7 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:08 PM

Posted 09 January 2012 - 09:08 PM

Please download GMER from here: http://www.gmer.net/ and run it. There will be a log generated, so post the log.

#8 FireFighter254

FireFighter254
  • Topic Starter

  • Members
  • 83 posts
  • Gender:Male
  • Location:US
  • Local time:08:08 AM

Posted 10 January 2012 - 01:02 AM

Thanks Cryptodan. As soon as I started GMER, I got that warning pop-up ("GMER has found system modification caused by rootkit..." etc.). It asked me if I wanted to continue to scan? I assumed "yes"?

Found TDL4@MBR, from what I saw so far. Guess we'll be trying TDSSKiller next? Uggh, how did this crap get on here. Thanks so much for helping me.

Here is the log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-10 00:57:09
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort1 TOSHIBA_MK8034GSX rev.AH301H
Running: c6jtd732.exe; Driver: C:\Users\NGSP2007\AppData\Local\Temp\awxyipob.sys


---- System - GMER 1.0.15 ----

SSDT 871BD390 ZwAlertResumeThread
SSDT 871BD450 ZwAlertThread
SSDT 871BD860 ZwAllocateVirtualMemory
SSDT 870C84B8 ZwAlpcConnectPort
SSDT 87875068 ZwAssignProcessToJobObject
SSDT 871BD140 ZwCreateMutant
SSDT 871FED28 ZwCreateSymbolicLinkObject
SSDT 872010A8 ZwCreateThread
SSDT 87875148 ZwDebugActiveProcess
SSDT 871BDBA8 ZwDuplicateObject
SSDT 871BD6C0 ZwFreeVirtualMemory
SSDT 871BD210 ZwImpersonateAnonymousToken
SSDT 871BD2D0 ZwImpersonateThread
SSDT 870DE7E0 ZwLoadDriver
SSDT 871BD5E0 ZwMapViewOfSection
SSDT 871BD080 ZwOpenEvent
SSDT 871BDD48 ZwOpenProcess
SSDT 871BDB28 ZwOpenProcessToken
SSDT 87875370 ZwOpenSection
SSDT 871BDC78 ZwOpenThread
SSDT 871FEF18 ZwProtectVirtualMemory
SSDT 8782C158 ZwResumeThread
SSDT 8782C398 ZwSetContextThread
SSDT 8782C458 ZwSetInformationProcess
SSDT 87875228 ZwSetSystemInformation
SSDT 871BD048 ZwSuspendProcess
SSDT 8782C218 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8F7D5640]
SSDT 8782C2D8 ZwTerminateThread
SSDT 8782C528 ZwUnmapViewOfSection
SSDT 871BD790 ZwWriteVirtualMemory
SSDT 871FEE18 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 824B48A0 8 Bytes [90, D3, 1B, 87, 50, D4, 1B, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 824B48B4 4 Bytes [60, D8, 1B, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 824B48C0 4 Bytes [B8, 84, 0C, 87]
.text ntkrnlpa.exe!KeSetEvent + 191 824B4914 4 Bytes [68, 50, 87, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 824B4978 4 Bytes [40, D1, 1B, 87]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] ntdll.dll!NtMapViewOfSection 779D4974 5 Bytes JMP 02C2003A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] kernel32.dll!ReadProcessMemory + 3E 77891CB3 7 Bytes JMP 02C200F7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] kernel32.dll!WriteProcessMemory + 106 77891DBE 7 Bytes JMP 02C20319
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] kernel32.dll!CreateIoCompletionPort + 52 778B9DA6 7 Bytes JMP 02C203CF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] kernel32.dll!VirtualAllocEx + 54 778DAF70 7 Bytes JMP 02C20263
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] kernel32.dll!CreateThread 778DCB2E 5 Bytes JMP 6E247303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] kernel32.dll!GetProcessHandleCount + 35 77925D4F 7 Bytes JMP 02C201AD
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!SetWindowsHookExW 769687AD 5 Bytes JMP 6E282194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!CallNextHookEx 76968E3B 5 Bytes JMP 6E2A7BB7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!UnhookWindowsHookEx 769698DB 5 Bytes JMP 6E2CEB74 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!EnableWindow 7696CD8B 5 Bytes JMP 6E289A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!DefWindowProcA 7696DB88 7 Bytes JMP 6E24952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!CreateWindowExA 7696DC2A 5 Bytes JMP 6E253363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!CreateWindowExW 76971305 5 Bytes JMP 6E2AFF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!DefWindowProcW 769803B4 7 Bytes JMP 6E2A7C1A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!DialogBoxParamW 769910B0 5 Bytes JMP 6E1E170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!DialogBoxIndirectParamW 76992EF5 5 Bytes JMP 6E3D62BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!DialogBoxParamA 769A8152 5 Bytes JMP 6E3D6259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!DialogBoxIndirectParamA 769A847D 5 Bytes JMP 6E3D6323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!MessageBoxIndirectA 769BD4D9 5 Bytes JMP 6E3D61E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!MessageBoxIndirectW 769BD5D3 5 Bytes JMP 6E3D6167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!MessageBoxExA 769BD639 5 Bytes JMP 6E3D6103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] USER32.dll!MessageBoxExW 769BD65D 5 Bytes JMP 6E3D609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] ole32.dll!OleLoadFromStream 76121E80 5 Bytes JMP 6E3D6A8C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] ole32.dll!CoGetTreatAsClass + D2F 7613FAE3 7 Bytes JMP 02C20485
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2424] ole32.dll!CoCreateInstance + 3E 76159F7C 7 Bytes JMP 02C2053F
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[3620] kernel32.dll!SetUnhandledExceptionFilter 778BA8C5 5 Bytes JMP 65045465 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[3620] ole32.dll!OleLoadFromStream 76121E80 5 Bytes JMP 6536B771 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4732] USER32.dll!EnableWindow 7696CD8B 5 Bytes JMP 6E289A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4732] USER32.dll!DialogBoxParamW 769910B0 5 Bytes JMP 6E1E170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4732] USER32.dll!DialogBoxIndirectParamW 76992EF5 5 Bytes JMP 6E3D62BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4732] USER32.dll!DialogBoxParamA 769A8152 5 Bytes JMP 6E3D6259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4732] USER32.dll!DialogBoxIndirectParamA 769A847D 5 Bytes JMP 6E3D6323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4732] USER32.dll!MessageBoxIndirectA 769BD4D9 5 Bytes JMP 6E3D61E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4732] USER32.dll!MessageBoxIndirectW 769BD5D3 5 Bytes JMP 6E3D6167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4732] USER32.dll!MessageBoxExA 769BD639 5 Bytes JMP 6E3D6103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4732] USER32.dll!MessageBoxExW 769BD65D 5 Bytes JMP 6E3D609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74A77817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74ACA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74A7BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A6F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74A775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A6E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74AA8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74A7DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74A6FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74A6FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74AFCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74A9C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A6D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74A66853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74A6687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3916] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74A72AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641f28628
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641f28628 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109A10090400000000000F01FEC\Usage@OutlookMAPI2Intl_1033 1076494335

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Users\NGSP2007\AppData\Roaming\Microsoft\Windows\Cookies\425PAM79.txt 2625 bytes

---- EOF - GMER 1.0.15 ----

#9 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:08 PM

Posted 10 January 2012 - 05:38 AM

Please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

Most importantly please be patient till you get a reply to your topic.

#10 FireFighter254

FireFighter254
  • Topic Starter

  • Members
  • 83 posts
  • Gender:Male
  • Location:US
  • Local time:08:08 AM

Posted 11 January 2012 - 08:13 PM

Cryptodan,

Everything has been completed per your request, here is the link to the new post.

http://www.bleepingcomputer.com/forums/topic437602.html

Thank you!

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 61,956 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:08:08 AM

Posted 11 January 2012 - 09:27 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 3 - 5 days and ALL logs are answered.

To avoid confusion, I am closing this topic.