Outgoing connections


This topic is locked
7 replies to this topic

#1 Fred33 (Members, 2 posts)

Posted 30 March 2012 - 01:34 AM

Hello!

3 times in the last couple of weeks, I have had McAfee Net Guard pop up and notify me that it has blocked outgoing connections to some odd IP addresses, 2 of which are located in the Seychelles, which I can't think my computer would have any reason to connect to. I have attached an image of the messages I get, along with an image of my blocked incoming connections log at the same time as the second outgoing connection attempt, which might be related. I did check on the McAfee forums but I was advised to come here. I have run full system scans using McAfee, Avira free, Malwarebytes, Windows Defender and McAfee GetSusp, but they have all turned up nothing, except Avira came up with a load of warnings, mostly that access was denied to folders that don't exist, but no detections were made, and GetSusp, which said there were 23 suspicious and 4 unknown files, but I can account for all of them. All scans were run in safe mode. I System Restored to the earliest point possible, but I have had an outgoing connection attempt to the Seychelles since then, so the problem still persists.

I should add that while running dds.scr, Windows Defender detected mbr.sys in the Temp folder and asked to Permit or Deny. I did nothing and dds.scr finished anyway. I wasn't sure whether this is to do with dds.scr or not, so since dds.scr finished anyway I have left it as it is.

The report that Windows Defender gave is as follows:

-------

Summary:
Services and Drivers change occurred.

This agent monitors services and drivers acting as part of Windows, often running with high security privileges. It ensures that no services are being interfered with or added without proper consent.

Path:
C:\Users\Lloyd\AppData\Local\Temp\mbr.sys

Detected changes:
regkey:
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mbr

file:
C:\Users\Lloyd\AppData\Local\Temp\mbr.sys

Advice:
Permit this detected item only if you trust the program or the software publisher.

Publisher:
Not available

Digitally Signed By:
NOT SIGNED

Product name:
Not available

Description:
Not available

Original name:
Not available

Creation date:
30/03/2012 06:46

Size:
25088 bytes

Version:
Not available

Type:
file type unknown

Checkpoint:
Drivers

Category:
Not Yet Classified

-------


Anyway, I have followed the instructions on this forum, and here is DDS.txt:

-------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_31
Run by Lloyd at 6:46:02 on 2012-03-30
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3582.2489 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWindow Title = Microsoft Internet Explorer provided by Wanadoo
uDefault_Page_URL = hxxp://www.wanadoo.co.uk
uSearch Bar = hxxp://www.wanadoo.co.uk/iesearch/default.htm
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120223012504.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: Interfaces\{9FBD3D91-F7E0-4BF6-B60A-3E65377FB018} : NameServer = 193.36.79.101 193.36.79.100
TCP: Interfaces\{BA32A50A-3D27-4FAE-8591-5916311409BE} : DhcpNameServer = 172.31.79.142 172.31.79.144 157.54.14.146 157.54.14.162
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lloyd\appdata\roaming\mozilla\firefox\profiles\cyed3n4w.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\users\lloyd\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 475704]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-11 36000]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-7-19 64880]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-7-19 165680]
R1 nm3;Microsoft Network Monitor 3 Driver;c:\windows\system32\drivers\nm3.sys [2010-6-9 39736]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-11 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-11 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-11 74640]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-7-19 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-7-19 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-7-19 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-7-19 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-7-19 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-7-19 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-7-19 159608]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-19 2214504]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-7-19 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-7-19 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-7-19 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-7-19 338176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe [2012-2-23 25832]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-7-19 87656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-29 05:26:07 -------- d-----w- c:\users\lloyd\appdata\local\{9A678C7B-6852-4A0D-BB04-C57A0B9CB03F}
2012-03-28 03:17:23 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{9ba93781-263a-4ea6-a3ab-9c11ceb7fe60}\mpengine.dll
2012-03-26 23:13:05 -------- d-----w- c:\users\lloyd\appdata\local\{2D8FA567-E519-435B-AED1-05BCACFE5555}
2012-03-25 21:45:02 -------- d-----w- c:\users\lloyd\appdata\local\{BE843F7D-84DD-4D8E-B595-4F6BDD434633}
2012-03-25 21:44:24 -------- d-----w- c:\users\lloyd\appdata\local\{F8BA7FFA-C8DD-4943-BD59-BCB4495E1D25}
2012-03-24 21:24:10 -------- d-----w- c:\users\lloyd\appdata\local\{736354E2-A9BD-4FC4-BBD2-C5DDE854FF5F}
2012-03-24 21:23:59 -------- d-----w- c:\users\lloyd\appdata\local\{11AC45CA-5D41-4D77-B50A-1AD71A79F9DE}
2012-03-22 23:01:49 -------- d-----w- c:\users\lloyd\appdata\local\{69583EC9-D71E-4463-9976-68F7A6B91F85}
2012-03-22 23:01:38 -------- d-----w- c:\users\lloyd\appdata\local\{7CBC063B-856B-40EC-9CF9-4746B717CB33}
2012-03-22 05:03:58 -------- d-----w- c:\users\lloyd\appdata\local\{0AC551F2-078E-4563-8B28-DBC43694C8FB}
2012-03-22 05:03:46 -------- d-----w- c:\users\lloyd\appdata\local\{21C88EDC-3C92-46BD-92A0-94F529404C92}
2012-03-20 18:07:52 -------- d-----w- c:\users\lloyd\appdata\local\{1BAF8EFB-4F51-4613-9B23-845F7DE92DFA}
2012-03-20 18:07:39 -------- d-----w- c:\users\lloyd\appdata\local\{41BAA9F7-CC70-431C-AED7-07C8545DDF94}
2012-03-19 19:59:15 -------- d-----w- c:\users\lloyd\appdata\local\{2C200071-B19A-4A44-B070-9B8E2656FF20}
2012-03-19 19:59:04 -------- d-----w- c:\users\lloyd\appdata\local\{3D8A6A03-A254-4791-BB8A-79DA26F2C169}
2012-03-18 18:42:05 -------- d-----w- c:\users\lloyd\appdata\local\{5B470439-4CC0-4107-BAB0-3ECB6EF2A025}
2012-03-18 18:41:53 -------- d-----w- c:\users\lloyd\appdata\local\{3044EF70-96A6-4582-AC56-6983CD96C6C9}
2012-03-17 20:55:07 -------- d-----w- c:\users\lloyd\appdata\local\{12CB7C19-6AEC-4A63-B661-167789EBA0DE}
2012-03-17 20:54:49 -------- d-----w- c:\users\lloyd\appdata\local\{4F970D4C-BA22-4A54-813B-1EF08AEDAB80}
2012-03-17 00:37:14 -------- d-----w- c:\users\lloyd\appdata\local\{49FA6C27-9F58-4968-953B-82AF68C9E122}
2012-03-17 00:37:03 -------- d-----w- c:\users\lloyd\appdata\local\{B9C7CAB6-52D2-495B-9477-02C9CE75735E}
2012-03-16 13:17:54 -------- d-----w- c:\users\lloyd\appdata\local\{5F8232D4-D3D0-412B-A976-868BEBD81350}
2012-03-16 13:17:42 -------- d-----w- c:\users\lloyd\appdata\local\{879E5112-3D47-4D0C-9C41-92F71BE03496}
2012-03-15 20:24:52 -------- d-----w- c:\users\lloyd\appdata\local\{EC880D0A-6A0E-45F9-A0EF-3E016331A471}
2012-03-15 20:24:36 -------- d-----w- c:\users\lloyd\appdata\local\{61A45B11-1BB6-4481-859A-AEAD257B587C}
2012-03-14 23:25:05 -------- d-----w- c:\users\lloyd\appdata\local\{E2F392F4-5400-4B0E-9B83-B63550FF526C}
2012-03-14 23:24:53 -------- d-----w- c:\users\lloyd\appdata\local\{CD75A3CA-A948-426B-9FBD-1096D2C9C026}
2012-03-14 13:13:15 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 13:13:00 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 13:12:59 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 13:12:55 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 13:12:55 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 13:12:55 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 13:12:55 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 13:12:55 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 13:12:51 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-13 10:11:48 -------- d-----w- c:\users\lloyd\appdata\local\{A0B13D4E-558E-4B35-BA52-9419646BA117}
2012-03-13 10:11:35 -------- d-----w- c:\users\lloyd\appdata\local\{537611A2-8444-4FBE-A6F6-0D1D5D490EA5}
2012-03-13 08:56:16 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2012-03-13 08:56:16 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2012-03-12 20:48:29 -------- d-----w- c:\users\lloyd\appdata\local\{A07DB822-4573-4569-8B93-E5EEBA216A06}
2012-03-12 20:48:12 -------- d-----w- c:\users\lloyd\appdata\local\{CFE98A52-1EDA-413D-920B-FD565E560E3F}
2012-03-12 12:32:45 -------- d-----w- c:\users\lloyd\appdata\local\{6AE0006A-E40A-4C36-8D6C-6E86EDC69B22}
2012-03-11 23:30:05 267272 ----a-w- c:\windows\system32\xactengine2_10.dll
2012-03-11 23:30:03 444776 ----a-w- c:\windows\system32\d3dx10_36.dll
2012-03-11 23:30:03 1374232 ----a-w- c:\windows\system32\D3DCompiler_36.dll
2012-03-11 23:30:02 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2012-03-11 23:30:01 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2012-03-11 22:32:50 -------- d-----w- c:\users\lloyd\appdata\local\Microsoft Games
2012-03-11 16:51:46 14664 ----a-w- c:\windows\stinger.sys
2012-03-11 16:48:23 -------- d-----w- c:\program files\stinger
2012-03-11 16:04:27 -------- d-----w- c:\users\lloyd\appdata\local\{AD23970E-E27B-4125-8CD9-FE6F37DFDB28}
2012-03-11 16:04:16 -------- d-----w- c:\users\lloyd\appdata\local\{E54087C8-78E5-4B08-A7A1-B2ECBF3ADFA8}
2012-03-11 11:41:44 -------- d-----w- c:\users\lloyd\appdata\roaming\Avira
2012-03-11 11:37:51 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-11 11:37:51 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-03-11 11:37:46 -------- d-----w- c:\programdata\Avira
2012-03-11 11:37:46 -------- d-----w- c:\program files\Avira
2012-03-10 09:40:23 -------- d-----w- c:\users\lloyd\appdata\local\{C9E64759-FEF0-4A1D-A646-C1D0558F91A1}
2012-03-10 09:40:12 -------- d-----w- c:\users\lloyd\appdata\local\{97944081-72CF-4649-A046-33CFFB6671E3}
2012-03-10 07:40:00 -------- d-----w- c:\users\lloyd\appdata\local\{15E6D370-F7B8-4956-8B0E-7A5E9AB0CFED}
2012-03-10 07:39:48 -------- d-----w- c:\users\lloyd\appdata\local\{90CDB56D-7610-4A5D-A95A-66DBCB30C561}
2012-03-09 09:33:24 -------- d-----w- c:\users\lloyd\appdata\local\{F16D3477-19FB-4B63-9B03-C7F98F6F0E20}
2012-03-09 09:33:11 -------- d-----w- c:\users\lloyd\appdata\local\{B7E872C7-6EFE-4F40-9BC5-4ACF5B2B0B3D}
2012-03-08 17:15:33 -------- d-----w- c:\users\lloyd\appdata\local\{FDD4225E-0AA4-4041-99F5-4ACC9FC54ACD}
2012-03-08 17:15:20 -------- d-----w- c:\users\lloyd\appdata\local\{D9DB742E-920C-49C8-92C8-76BC9D476488}
2012-03-08 05:14:52 -------- d-----w- c:\users\lloyd\appdata\local\{09B4DEF8-E972-41B6-98C5-8CA7BB45D218}
2012-03-08 05:14:40 -------- d-----w- c:\users\lloyd\appdata\local\{5E053E4F-E5FC-4F27-B2B0-0D2DD4FCDC77}
2012-03-07 10:50:13 -------- d-----w- c:\users\lloyd\appdata\local\{545CF880-E3E2-43A4-B9B7-1BA2EA52FA92}
2012-03-07 10:50:02 -------- d-----w- c:\users\lloyd\appdata\local\{8C8914D5-3D8B-4B03-8AA8-76B3E2F41397}
2012-03-07 07:44:20 -------- d-----w- c:\users\lloyd\appdata\local\{BC69C7ED-E96C-4E79-ADFB-A5CE939292F9}
2012-03-06 08:06:47 -------- d-----w- c:\users\lloyd\appdata\local\{1944DBFE-108D-4536-85F9-48F45CDC6C38}
2012-03-06 08:06:37 -------- d-----w- c:\users\lloyd\appdata\local\{B0B6E1AF-B16B-472C-8193-649DCE22BEA3}
2012-03-05 12:20:43 -------- d-----w- c:\users\lloyd\appdata\local\{7F0C319B-596D-4343-9BBC-C218A2B4F9D7}
2012-03-05 12:20:31 -------- d-----w- c:\users\lloyd\appdata\local\{0035433A-7EDF-478D-9457-106D0257D7A1}
2012-03-05 00:20:05 -------- d-----w- c:\users\lloyd\appdata\local\{823CD654-EB8A-4770-9E56-B71A75B4EAA6}
2012-03-05 00:19:54 -------- d-----w- c:\users\lloyd\appdata\local\{D84D7815-D790-4966-B7B8-5397865264D8}
2012-03-04 00:20:55 -------- d-----w- c:\users\lloyd\appdata\local\{9B8E5CDE-2260-4623-9FE5-DA9515EC3FE9}
2012-03-04 00:20:44 -------- d-----w- c:\users\lloyd\appdata\local\{D3B7FAC0-ED0E-44B6-A5AE-A10DEEA47421}
2012-03-03 00:20:23 -------- d-----w- c:\users\lloyd\appdata\local\{6B9BEBBA-00C1-48B1-A7FC-A7706B1212BD}
2012-03-03 00:20:11 -------- d-----w- c:\users\lloyd\appdata\local\{91137CA1-BF3F-4228-9F8C-814605388601}
2012-03-02 21:32:22 -------- d-----w- c:\users\lloyd\appdata\local\{2436AA27-C230-47F0-A593-3000044D6B6F}
2012-02-29 20:48:48 -------- d-----w- c:\users\lloyd\appdata\local\{B21A0AA0-51A2-452F-A33E-353C35BA5F61}
2012-02-29 20:48:37 -------- d-----w- c:\users\lloyd\appdata\local\{E53255CD-6C8B-4711-AF8D-9E3F95E2CCDE}
.
==================== Find3M ====================
.
2012-03-11 16:51:03 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-03-11 16:51:03 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-03-11 16:51:03 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-02-23 09:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-23 02:05:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 01:27:15 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 6:47:04.09 ===============

Edited by Fred33, 30 March 2012 - 01:35 AM.
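An added triage script for the post above. It is not part of the original thread and is not code from DDS or Windows Defender; the function names and the "consistent with the scan tool" heuristic are this example's own, and the two sample strings are excerpts of the logs quoted in the post. It checks the one correlation a responder would want first: the Defender alert gives the flagged driver a creation time of 30/03/2012 06:46, and the DDS header says the tool was run at 6:46:02 and finished at 6:47:04 on the same date, so the driver appeared inside the scanner's own run window. The script also pulls the running boot/system-start (R0/R1) drivers out of the SERVICES / DRIVERS section, since those load before any user-mode AV engine and are the first to verify. A timestamp match is a consistency check, not proof; the file's hash is what settles it.

```python
"""Correlate a Windows Defender driver alert with the DDS run window, and
list the running kernel drivers from a DDS log.

Added example; not code from DDS or Windows Defender. Function names and the
heuristic in alert_matches_scan() are this example's own assumptions.
"""
import re
from datetime import datetime

# Excerpt of the Windows Defender report quoted in the post (sample input).
DEFENDER_ALERT = """\
Path:
C:\\Users\\Lloyd\\AppData\\Local\\Temp\\mbr.sys
Detected changes:
regkey:
HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\mbr
Digitally Signed By:
NOT SIGNED
Creation date:
30/03/2012 06:46
Size:
25088 bytes
"""

# Excerpt of the DDS log quoted in the post (sample input).
DDS_LOG = """\
DDS (Ver_2011-08-26.01) - NTFSx86
Run by Lloyd at 6:46:02 on 2012-03-30
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\\windows\\system32\\drivers\\mfehidk.sys [2011-3-13 475704]
R1 avkmgr;avkmgr;c:\\windows\\system32\\drivers\\avkmgr.sys [2012-3-11 36000]
R2 McShield;McAfee McShield;c:\\program files\\common files\\mcafee\\systemcore\\mcshield.exe [2011-7-19 166288]
S3 mferkdet;McAfee Inc. mferkdet;c:\\windows\\system32\\drivers\\mferkdet.sys [2011-7-19 87656]
.
============= FINISH: 6:47:04.09 ===============
"""


def _field(text, label):
    """Value on the line after 'label:' in a Defender alert, or None."""
    m = re.search(rf"^{re.escape(label)}:\n(.+)$", text, re.M)
    return m.group(1).strip() if m else None


def parse_defender_alert(text):
    """Structured view of the alert: path, service name, signing, time, size."""
    regkey = _field(text, "regkey") or ""
    return {
        "path": _field(text, "Path"),
        "service": regkey.rsplit("\\", 1)[-1] or None,
        "signed": _field(text, "Digitally Signed By") != "NOT SIGNED",
        "created": datetime.strptime(_field(text, "Creation date"), "%d/%m/%Y %H:%M"),
        "size": int(_field(text, "Size").split()[0]),
    }


def parse_dds_window(text):
    """(start, finish) datetimes of the DDS run, from its header and FINISH line."""
    run = re.search(r"^Run by \S+ at (\d{1,2}:\d{2}:\d{2}) on (\d{4}-\d{2}-\d{2})$", text, re.M)
    start = datetime.strptime(f"{run.group(2)} {run.group(1)}", "%Y-%m-%d %H:%M:%S")
    fin = re.search(r"FINISH: (\d{1,2}:\d{2}:\d{2})", text)
    finish = datetime.combine(start.date(), datetime.strptime(fin.group(1), "%H:%M:%S").time())
    return start, finish


def alert_matches_scan(alert, window, temp_marker="\\AppData\\Local\\Temp\\"):
    """Heuristic (this example's own): a driver dropped into the user's Temp
    folder, registered under a service named after the file, and created
    inside the scan tool's run window is consistent with the scanner's own
    helper driver. Consistency only; confirm with the file's hash."""
    start, finish = window
    # Defender reports creation time at minute resolution: widen the start.
    in_window = start.replace(second=0) <= alert["created"] <= finish
    path = alert["path"] or ""
    in_temp = temp_marker.lower() in path.lower()
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    same_name = bool(alert["service"]) and alert["service"].lower() == stem.lower()
    return {
        "in_window": in_window,
        "in_temp": in_temp,
        "name_matches_service": same_name,
        "consistent_with_scan_tool": in_window and in_temp and same_name,
    }


# One DDS service line: "<state> <name>;<description>;<path> [<date> <size>]"
DDS_SVC_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$",
    re.M,
)


def parse_dds_services(text):
    """All SERVICES / DRIVERS records, with size converted to int."""
    return [dict(m.groupdict(), size=int(m.group("size"))) for m in DDS_SVC_RE.finditer(text)]


def kernel_drivers(records):
    """Running boot/system-start drivers (R0/R1 .sys): verify these first."""
    return [r for r in records if r["state"] in ("R0", "R1") and r["path"].lower().endswith(".sys")]


if __name__ == "__main__":
    alert, window = parse_defender_alert(DEFENDER_ALERT), parse_dds_window(DDS_LOG)
    print(alert["path"], alert["created"], "unsigned" if not alert["signed"] else "signed")
    print("DDS ran", window[0].time(), "to", window[1].time(), alert_matches_scan(alert, window))
    for drv in kernel_drivers(parse_dds_services(DDS_LOG)):
        print(drv["state"], drv["name"], drv["path"], drv["size"])
```

Run it against a full DDS.txt and the pasted alert; an alert whose creation time falls outside the run window, or whose service name does not match the file, comes back with consistent_with_scan_tool set to False and deserves a real look.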


#2 nasdaq (Malware Response Team, 39,506 posts, Montreal, QC. Canada)

Posted 04 April 2012 - 09:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

C:\Users\Lloyd\AppData\Local\Temp\mbr.sys This file is normally associated with the aswMBR tool. Did you run that tool recently?

Nothing suspicious was found on your DDS log.


Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third party programs if not up to date can be an open door for an infection

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#3 nasdaq (Malware Response Team, 39,506 posts, Montreal, QC. Canada)

Posted 10 April 2012 - 08:35 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#4 nasdaq (Malware Response Team, 39,506 posts, Montreal, QC. Canada)

Posted 18 April 2012 - 09:46 AM

Topic reopened.

#5 Fred33 (Topic Starter, Members, 2 posts)

Posted 20 April 2012 - 05:35 AM

Thank you for reopening.

I've not heard of aswMBR, I'm afraid, so no, I haven't run it.

I was unfortunately unable to disable McAfee due to it having expired literally yesterday, but I don't want to uninstall it due to it blocking these connections.

I ran ComboFix anyway, and the log is below. I should note that McAfee removed/quarantined what I think was called "AIC Test" or something similar during stage 3 or 4. This probably did something to the test, but I don't really want to risk removing McAfee as I said.

I should also add, after running ComboFix a folder called "$RECYCLE.BIN" appeared on my D drive, containing a recycle bin and 5 system folders. I don't know if this is anything.

Thank you again.

Here are the two logs:



--------------------------------------------------



ComboFix 12-04-20.02 - Lloyd 20/04/2012 10:56:13.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3582.2439 [GMT 1:00]
Running from: c:\users\Lloyd\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\windows\system32\tmp2403.tmp
c:\windows\system32\tmp2404.tmp
c:\windows\system32\tmp5F10.tmp
c:\windows\system32\tmpAABF.tmp
c:\windows\system32\tmpAAC0.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-20 to 2012-04-20 )))))))))))))))))))))))))))))))
.
.
2012-04-20 10:03 . 2012-04-20 10:03 -------- d-----w- c:\users\Lloyd\AppData\Local\temp
2012-04-20 10:03 . 2012-04-20 10:03 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-04-20 10:03 . 2012-04-20 10:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-18 08:43 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0EE4F786-ADBC-4E81-968F-3B989806C836}\mpengine.dll
2012-04-18 08:43 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-18 08:43 . 2012-02-29 15:11 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-04-18 08:43 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-18 08:43 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-18 08:43 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-18 08:43 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-09 11:18 . 2012-04-09 11:18 -------- d-----w- c:\program files\BBC iPlayer Desktop
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 16:53 . 2012-03-11 16:51 14664 ----a-w- c:\windows\stinger.sys
2012-03-11 16:51 . 2011-07-19 12:07 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-03-11 16:51 . 2011-07-19 11:52 159608 ----a-w- c:\windows\system32\mfevtps.exe
2012-03-11 16:51 . 2011-03-13 10:20 475704 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-02-23 09:18 . 2011-07-19 07:33 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-23 02:05 . 2011-07-19 08:30 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 01:27 . 2011-07-19 23:01 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-14 15:45 . 2012-03-14 13:12 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-14 13:12 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 14:12 . 2012-03-14 13:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47 . 2012-03-14 13:12 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44 . 2012-03-14 13:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-02 15:16 . 2012-03-14 13:13 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 08:57 . 2012-03-11 11:37 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-01-31 08:57 . 2012-03-11 11:37 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-23 03:44 . 2011-07-19 21:06 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-08-26 10828392]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s%s
TCP: Interfaces\{9FBD3D91-F7E0-4BF6-B60A-3E65377FB018}: NameServer = 193.36.79.101 193.36.79.100
FF - ProfilePath - c:\users\Lloyd\AppData\Roaming\Mozilla\Firefox\Profiles\cyed3n4w.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\prxtbuTor.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-20 11:03
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-04-20 11:04:42
ComboFix-quarantined-files.txt 2012-04-20 10:04
.
Pre-Run: 138,143,784,960 bytes free
Post-Run: 138,622,439,424 bytes free
.
- - End Of File - - 1EEB92E55D4CF9347C2034B5F9285E1C



--------------------------------------------------



Results of screen317's Security Check version 0.99.32
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira Free Antivirus
McAfee Total Protection
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 22
Java™ 6 Update 31
Java version out of date!
Adobe Flash Player 11.1.102.62
Adobe Reader X 10.1.0 Adobe Reader out of Date!
Mozilla Firefox 10.0.2 Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
WinPatrol winpatrol.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Windows Defender MSASCui.exe
BillP Studios WinPatrol WinPatrol.exe
``````````End of Log````````````

Edited by Fred33, 20 April 2012 - 06:14 AM.


#6 nasdaq (Malware Response Team, 39,506 posts, Montreal, QC. Canada)

Posted 20 April 2012 - 09:12 AM

The ComboFix log is good.

You may not be using Internet Explorer but for your security you should update to version 8.
http://www.microsoft.com/download/en/details.aspx?id=22166

===

Remove this old version of Java™ 6 Update 22 using the Add/Remove program list.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Please let me know if the problem persists.
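An added example for the Security Check log in post #5 and the update advice in post #6. It is not part of the thread and is not code from screen317's Security Check; the sample is an excerpt of the posted checkup.txt, and the line-parsing rules are this example's own assumptions about the tool's output format. It turns the log into a remediation list: products the tool flagged as out of date, plus every Java runtime except the newest, since the posted log shows Java 6 Update 22 still installed beside Update 31 and that older copy is exactly what the reply says to remove.

```python
"""Turn a screen317 Security Check 'checkup.txt' into a patch-exposure list.

Added example; not code from the Security Check tool. The parsing rules
below are assumptions about its output format, checked only against the
sample excerpted from the post.
"""
import re

# Excerpt of the checkup.txt quoted in the post (sample input).
CHECKUP = """\
Results of screen317's Security Check version 0.99.32
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 7 Out of date!
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira Free Antivirus
McAfee Total Protection
Avira successfully updated!
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 22
Java™ 6 Update 31
Java version out of date!
Adobe Flash Player 11.1.102.62
Adobe Reader X 10.1.0 Adobe Reader out of Date!
Mozilla Firefox 10.0.2 Firefox out of Date!
"""

# Marker the tool appends to a flagged line (case varies in the sample).
OOD_MARK = "out of date!"
# "Java<TM> <major> Update <n>": the tool lists every installed JRE.
JAVA_RE = re.compile(r"^Java\S* (\d+) Update (\d+)$", re.M)


def out_of_date(text):
    """Products the tool flagged, as 'name version' up to the flag text."""
    items = []
    for line in text.splitlines():
        if OOD_MARK not in line.lower():
            continue
        # Keep everything up to and including the first version-like token;
        # a flag line with no version ("Java version out of date!") keeps
        # just the product name.
        m = re.match(r"(?P<item>.*?\d[\w.]*)\s", line)
        items.append(m.group("item") if m else line.split(" version")[0])
    return items


def java_installs(text):
    """All (major, update) JRE pairs listed, oldest first."""
    return sorted((int(maj), int(upd)) for maj, upd in JAVA_RE.findall(text))


def stale_java(text):
    """Every JRE except the newest: older side-by-side installs stay loadable."""
    return java_installs(text)[:-1]


def actions(text):
    """Ordered remediation list: removals of stale JREs first, then updates."""
    todo = [f"Remove Java {maj} Update {upd}" for maj, upd in stale_java(text)]
    todo += [f"Update {item}" for item in out_of_date(text)]
    return todo


if __name__ == "__main__":
    for step in actions(CHECKUP):
        print(step)
```

Pointed at a real checkup.txt the output is the same shape as the reply above: remove the superseded Java 6 Update 22, then update Internet Explorer, Java, Adobe Reader and Firefox.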

#7 nasdaq (Malware Response Team, 39,506 posts, Montreal, QC. Canada)

Posted 26 April 2012 - 08:54 AM

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#8 nasdaq (Malware Response Team, 39,506 posts, Montreal, QC. Canada)

Posted 26 April 2012 - 08:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



