
Suspicious network activity possible rootkit


  • This topic is locked
4 replies to this topic

#1 ihackedthegibson

ihackedthegibson

  • Members
  • 14 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 15 April 2012 - 02:59 AM

Here's my dds log:



DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Nick at 0:52:03 on 2012-04-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2667.1440 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Windows\system32\taskhost.exe
C:\ProgramData\Temp\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.avg.com/?cid={A13E555E-7F86-4A19-BC50-A0D7576E99D1}&mid=c38cc0b05e3947d1b485d1191024e9fb-75ac488663ebbaf2b8a53e7391351b57312b3d4f&lang=en&ds=st011&pr=sa&d=2012-03-06 23:53:20&v=10.0.0.7&sap=hp
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: SteadyVideoBHO Class: {6c680bae-655c-4e3d-8fc4-e6a520c3d928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Nick\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CANONI~1.LNK - C:\Windows\system32\rundll32.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: %SystemRoot%\system32\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6E68CC5D-B4AB-4685-8924-5F3CF42D5CB1} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6E68CC5D-B4AB-4685-8924-5F3CF42D5CB1}\14C4F4841402742594C4C4 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6E68CC5D-B4AB-4685-8924-5F3CF42D5CB1}\245502E4564777F627B6 : DhcpNameServer = 205.171.3.65 205.171.2.65
TCP: Interfaces\{6E68CC5D-B4AB-4685-8924-5F3CF42D5CB1}\4646D2772747F5671607 : DhcpNameServer = 8.8.8.8 7.7.7.7
TCP: Interfaces\{6E68CC5D-B4AB-4685-8924-5F3CF42D5CB1}\E4457425 : DhcpNameServer = 192.168.1.2
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll
BHO-X64: AMD SteadyVideo BHO - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
mRun-x64: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\JonDoFox\
FF - prefs.js: browser.search.selectedEngine - Google Encrypted: No Personalization
FF - prefs.js: browser.startup.homepage - hxxp://anonymous-proxy-servers.net
FF - prefs.js: keyword.enabled - false
FF - prefs.js: network.proxy.ftp - 127.0.0.1
FF - prefs.js: network.proxy.ftp_port - 4001
FF - prefs.js: network.proxy.gopher - 127.0.0.1
FF - prefs.js: network.proxy.gopher_port - 4001
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 4001
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 4001
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2012-1-9 1817088]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-8-29 846448]
R2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2011-8-19 423536]
R2 vmware-converter-server;VMware vCenter Converter Standalone Server;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2011-8-19 423536]
R2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2011-8-19 423536]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
R3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-15 158856]
S3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2012-4-9 14216]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2012-4-9 8456]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\rtl8187.sys --> C:\Windows\system32\DRIVERS\rtl8187.sys [?]
S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\system32\DRIVERS\tap0801.sys --> C:\Windows\system32\DRIVERS\tap0801.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 VMwareHostd;VMware Workstation Server;C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2012-1-18 11839488]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-15 07:20:24 -------- d-----w- C:\Program Files (x86)\IDA Free
2012-04-15 05:43:15 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{38E49CD3-582C-4F8F-B271-CFA7DFCA88C8}\mpengine.dll
2012-04-15 05:42:47 1258824 ----a-w- C:\Users\Nick\Procmon64.exe
2012-04-14 21:44:58 -------- d---a-w- C:\Users\Nick\.thumbs
2012-04-14 00:45:38 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-14 00:45:36 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-14 00:45:35 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-14 00:36:52 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-14 00:36:51 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-14 00:36:50 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-14 00:36:48 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-14 00:36:47 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-14 00:36:47 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-14 00:36:47 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-14 00:30:23 -------- d-----w- C:\HP
2012-04-13 03:13:49 -------- d---a-w- C:\.Trash-0
2012-04-12 22:20:04 8767136 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-12 21:39:43 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-11 22:08:52 -------- d-----w- C:\ProgramData\regid.1986-12.com.adobe
2012-04-11 21:49:55 55280 ------w- C:\Windows\System32\drivers\PxHlpa64.sys
2012-04-11 21:49:55 10224 ------w- C:\Windows\System32\drivers\cdralw2k.sys
2012-04-11 21:49:55 10224 ------w- C:\Windows\System32\drivers\cdr4_xp.sys
2012-04-11 21:49:54 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2012-04-11 21:49:53 -------- d-----w- C:\Program Files (x86)\My Company Name
2012-04-11 21:49:53 -------- d-----w- C:\Program Files (x86)\Common Files\Sonic Shared
2012-04-11 02:19:56 -------- d-----w- C:\Users\Nick\AppData\Roaming\NCH Software
2012-04-10 03:30:01 -------- d-----w- C:\Program Files\CCleaner
2012-04-09 22:46:18 16256 ----a-w- C:\Windows\System32\EuEpmGdi.dll
2012-04-09 22:46:17 9096 ----a-w- C:\Windows\System32\EuGdiDrv.sys
2012-04-09 22:46:17 86408 ----a-w- C:\Windows\SysWow64\setupempdrv03.exe
2012-04-09 22:46:17 3316736 ----a-w- C:\Windows\System32\BootMan.exe
2012-04-09 22:46:17 2469760 ----a-w- C:\Windows\SysWow64\BootMan.exe
2012-04-09 22:46:17 19840 ----a-w- C:\Windows\SysWow64\EuEpmGdi.dll
2012-04-09 22:46:17 16776 ----a-w- C:\Windows\System32\epmntdrv.sys
2012-04-09 22:46:17 100232 ----a-w- C:\Windows\System32\setupempdrvx64.exe
2012-04-09 22:46:16 8456 ----a-w- C:\Windows\SysWow64\EuGdiDrv.sys
2012-04-09 22:46:16 14216 ----a-w- C:\Windows\SysWow64\epmntdrv.sys
2012-04-09 22:45:48 -------- d-----w- C:\Program Files (x86)\EASEUS
2012-04-01 07:51:56 -------- d-----w- C:\Program Files (x86)\NCH Software
2012-03-31 06:48:13 -------- d-----w- C:\Users\Nick\AppData\Local\gtk-2.0
2012-03-31 05:08:47 -------- d-----w- C:\Program Files\Motorola Inc
2012-03-31 05:08:43 -------- d-----w- C:\Program Files\Common Files\Motorola Shared
2012-03-31 05:07:26 -------- d-----w- C:\Users\Nick\utils
2012-03-31 05:06:24 -------- d-----w- C:\Users\Nick\system
2012-03-31 05:06:23 -------- d-----w- C:\Users\Nick\META-INF
2012-03-31 04:01:15 104960 ----a-w- C:\Users\Nick\cnmss Canon MX420 series Printer WS (Local).dll
2012-03-30 23:41:56 224048 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
2012-03-30 23:41:49 130864 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
2012-03-30 18:18:12 -------- d-----w- C:\Users\Nick\oCeLoT
2012-03-30 18:13:55 -------- d-----w- C:\Users\Nick\New Folder
2012-03-30 15:34:51 -------- d-----w- C:\Program Files (x86)\Capture
2012-03-30 14:56:48 -------- d-----w- C:\Program Files (x86)\FileInsight
2012-03-30 14:29:04 3342318 ----a-w- C:\Users\Nick\fileinsight.exe
2012-03-30 14:28:01 219136 ----a-w- C:\Users\Nick\PEiD.exe
2012-03-30 14:27:58 -------- d-----w- C:\Users\Nick\pluginsdk
2012-03-30 14:27:56 -------- d-----w- C:\Users\Nick\plugins
2012-03-30 14:25:36 -------- d-----w- C:\Users\Nick\regshot
2012-03-30 14:23:03 -------- d-----w- C:\Users\Nick\upx308w
2012-03-30 14:18:58 520496 ----a-w- C:\Users\Nick\Listdlls.exe
2012-03-30 14:18:47 2473280 ----a-w- C:\Users\Nick\Procmon.exe
2012-03-30 14:18:36 557888 ----a-w- C:\Users\Nick\autorunsc.exe
2012-03-30 14:18:33 638784 ----a-w- C:\Users\Nick\autoruns.exe
2012-03-30 14:14:33 -------- d-----w- C:\Users\Nick\winobj
2012-03-30 12:56:47 21474836480 ----a-w- C:\Users\Nick\notanencryptedfile.jpg.gif.rar.exe
2012-03-30 12:54:32 -------- d-----w- C:\Users\Nick\AppData\Roaming\TrueCrypt
2012-03-30 12:52:50 231376 ----a-w- C:\Windows\System32\drivers\truecrypt.sys
2012-03-30 12:51:42 -------- d-----w- C:\Program Files\TrueCrypt
2012-03-28 21:39:42 -------- d-----w- C:\Program Files (x86)\FreeMind10
2012-03-28 00:55:09 -------- d-----w- C:\Users\Nick\AppData\Local\Eclipse
2012-03-28 00:54:41 -------- d-----w- C:\Users\Nick\.android
2012-03-28 00:54:09 -------- d-----w- C:\Users\Nick\workspace
2012-03-26 09:35:03 -------- d-----w- C:\Users\Nick\jagexcache
2012-03-24 16:01:50 750488 ----a-w- C:\Windows\System32\npdeployJava1.dll
2012-03-24 16:01:50 660368 ----a-w- C:\Windows\System32\deployJava1.dll
2012-03-24 15:59:52 -------- d-----w- C:\Program Files (x86)\Android
2012-03-24 14:23:57 -------- d-----w- C:\Windows\SysWow64\New folder
2012-03-24 12:52:35 -------- d-----w- C:\Users\Nick\AppData\Local\Trolltech
2012-03-24 09:21:40 -------- d-----w- C:\Users\Nick\eclipse-java-indigo-SR2-win32
2012-03-23 10:42:50 -------- d-----w- C:\Program Files (x86)\SpeedFan
2012-03-23 08:00:26 369664 ----a-w- C:\Users\Nick\stub.exe
2012-03-23 08:00:23 432128 ----a-w- C:\Users\Nick\crackmaxme2.exe
2012-03-22 04:42:44 63088 ----a-w- C:\Windows\System32\drivers\vmx86.sys
2012-03-22 04:41:49 354416 ----a-w- C:\Windows\SysWow64\vmnetdhcp.exe
2012-03-22 04:41:44 433264 ----a-w- C:\Windows\SysWow64\vmnat.exe
2012-03-22 04:41:44 30320 ----a-w- C:\Windows\System32\drivers\vmnetuserif.sys
2012-03-22 04:41:15 942192 ----a-w- C:\Windows\System32\vnetlib64.dll
2012-03-22 04:40:55 39024 ----a-w- C:\Windows\System32\drivers\hcmon.sys
2012-03-22 04:38:06 -------- d-----w- C:\Program Files (x86)\VMware
2012-03-22 04:38:06 -------- d-----w- C:\Program Files (x86)\Common Files\VMware
2012-03-22 04:36:29 -------- d-----w- C:\Program Files\Common Files\VMware
2012-03-21 02:12:24 -------- d-----w- C:\Users\Nick\Radioactive.Cake - Subatomic Disco - 2011 - MP3
2012-03-21 02:12:10 -------- d-----w- C:\Users\Nick\Cybernetika - Colossus - 2011 - MP3
2012-03-20 00:46:55 -------- d-----w- C:\Users\Nick\remux-3.0
2012-03-19 08:11:07 19384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll
2012-03-19 08:11:06 97208 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2012-03-19 08:11:06 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2012-03-19 08:11:04 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-19 08:11:03 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
.
==================== Find3M ====================
.
2012-04-12 22:21:13 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-10 07:07:04 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-15 01:23:00 147248 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
2012-03-15 01:22:58 166192 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
2012-03-15 01:22:42 320816 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-15 03:48:32 10856960 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2012-02-15 03:21:24 25839104 ----a-w- C:\Windows\System32\atio6axx.dll
2012-02-15 03:18:56 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2012-02-15 03:18:40 791040 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2012-02-15 03:17:04 957952 ----a-w- C:\Windows\System32\aticfx64.dll
2012-02-15 03:13:56 442368 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2012-02-15 03:13:40 496128 ----a-w- C:\Windows\System32\atieclxx.exe
2012-02-15 03:13:00 235520 ----a-w- C:\Windows\System32\atiesrxx.exe
2012-02-15 03:11:42 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2012-02-15 03:10:58 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2012-02-15 03:10:54 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2012-02-15 03:10:48 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2012-02-15 03:07:44 6200320 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2012-02-15 02:58:56 19392000 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2012-02-15 02:52:28 7646208 ----a-w- C:\Windows\System32\atidxx64.dll
2012-02-15 02:41:28 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2012-02-15 02:40:54 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2012-02-15 02:40:42 4958208 ----a-w- C:\Windows\System32\atiumd6a.dll
2012-02-15 02:34:56 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2012-02-15 02:34:54 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2012-02-15 02:34:46 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2012-02-15 02:34:44 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2012-02-15 02:34:36 5954048 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2012-02-15 02:34:30 13859840 ----a-w- C:\Windows\System32\aticaldd64.dll
2012-02-15 02:29:52 5062656 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2012-02-15 02:29:50 11561984 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2012-02-15 02:25:06 7551488 ----a-w- C:\Windows\System32\atiumd64.dll
2012-02-15 02:16:38 58880 ----a-w- C:\Windows\System32\coinst.dll
2012-02-15 02:14:00 512000 ----a-w- C:\Windows\System32\atiadlxx.dll
2012-02-15 02:13:50 356352 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2012-02-15 02:13:36 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2012-02-15 02:13:32 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2012-02-15 02:13:32 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2012-02-15 02:13:28 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2012-02-15 02:13:20 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2012-02-15 02:13:12 327680 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2012-02-15 02:12:22 43008 ----a-w- C:\Windows\System32\atiuxp64.dll
2012-02-15 02:12:14 33280 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2012-02-15 02:12:08 39936 ----a-w- C:\Windows\System32\atiu9p64.dll
2012-02-15 02:12:00 30208 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2012-02-15 02:11:22 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2012-02-15 02:11:16 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2012-02-15 02:11:16 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2012-02-15 02:11:10 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2012-02-15 02:11:10 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-09 06:06:36 125376 ----a-w- C:\Windows\System32\drivers\scdemu.sys
2012-02-07 18:02:40 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-25 06:38:39 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-01-25 06:38:38 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-01-25 06:33:30 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-01-18 20:41:32 252016 ----a-w- C:\Windows\SysWow64\vmnc.dll
2012-01-18 20:06:00 62064 ----a-w- C:\Windows\System32\vmnetbridge.dll
2012-01-18 20:06:00 48752 ----a-w- C:\Windows\System32\vnetinst.dll
2012-01-18 20:06:00 45680 ----a-w- C:\Windows\System32\drivers\vmnetbridge.sys
2012-01-18 20:06:00 24176 ----a-w- C:\Windows\System32\drivers\vmnet.sys
2012-01-18 20:06:00 20080 ----a-w- C:\Windows\System32\drivers\vmnetadapter.sys
.
============= FINISH: 0:53:20.19 ===============



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:06:18 PM

Posted 16 April 2012 - 09:59 AM

Hi,

Can you please run aswMBR next:
Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 ihackedthegibson

ihackedthegibson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 16 April 2012 - 10:15 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-16 08:09:52
-----------------------------
08:09:52.653 OS Version: Windows x64 6.1.7601 Service Pack 1
08:09:52.653 Number of processors: 2 586 0x200
08:09:52.653 ComputerName: LEN-HP UserName: Nick
08:10:10.952 Initialize success
08:11:50.432 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000007f
08:11:50.447 Disk 0 Vendor: ST250LT0 0002 Size: 238475MB BusType: 11
08:11:50.463 Disk 0 MBR read successfully
08:11:50.479 Disk 0 MBR scan
08:11:50.494 Disk 0 unknown MBR code
08:11:50.494 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
08:11:50.525 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 214355 MB offset 409600
08:11:50.525 Disk 0 Partition - 00 05 Extended 23919 MB offset 439410686
08:11:50.650 Disk 0 Partition 3 00 83 Linux 22883 MB offset 439410688
08:11:50.650 Disk 0 Partition - 00 05 Extended 1036 MB offset 486275072
08:11:50.713 Disk 0 scanning C:\Windows\system32\drivers
08:12:32.556 Service scanning
08:12:48.375 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
08:13:07.984 Modules scanning
08:13:08.015 Disk 0 trace - called modules:
08:13:08.171 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys ACPI.sys storport.sys hal.dll amd_sata.sys
08:13:08.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003138060]
08:13:08.202 3 CLASSPNP.SYS[fffff8800199e43f] -> nt!IofCallDriver -> [0xfffffa8003011040]
08:13:08.234 5 amd_xata.sys[fffff880010fea1d] -> nt!IofCallDriver -> [0xfffffa8003001970]
08:13:08.249 7 ACPI.sys[fffff88000e7d7a1] -> nt!IofCallDriver -> \Device\0000007f[0xfffffa8002ffe060]
08:13:08.265 Scan finished successfully
08:13:24.832 Disk 0 MBR has been saved successfully to "C:\Users\Nick\Desktop\MBR.dat"
08:13:24.863 The log file has been saved successfully to "C:\Users\Nick\Desktop\aswMBR.txt"

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:06:18 PM

Posted 16 April 2012 - 11:22 AM

Hi,

could you please expand on why you think you've been infected? What and where has this suspicious network activity been observed?

myrti



#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:06:18 PM

Posted 25 April 2012 - 03:08 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
