Computer repeatedly tries to access a private IP


7 replies to this topic

#1 amykathleen2

amykathleen2

  • Members
  • 5 posts

Posted 01 August 2012 - 12:48 AM

I honestly have no idea if this problem is malware-related or not, so I'm really glad this section of the forum exists!

Anyway, I've been having Internet issues lately that I won't go into here. I was examining my router's event log to see if I could spot anything that could give me a clue what was going on. And while I'm not sure if it's related to my problem, I did see something very very fishy going on.
At least 75% of the entries in my router's event log said that my PC's IP address was trying to connect to port 80 (which I know is HTTP) on 172.16.30.115 (which I know is a private IP address) and that the router was dropping traffic to the network 172.16.0.0/12. The reason this is strange is because my home network uses the 192.168.1.0/24 network EXCLUSIVELY. I don't know WHY my PC would be repeatedly trying to access a private IP that is NOT in use on my network, so I decided to try and figure it out.

Hours of sorting through Google search results later, I was no closer to having any clue what kind of drugs my computer was taking, so I posted a question on Yahoo Answers to see if anyone else had ideas that I hadn't thought of. One user did: "Could be a malware trying to contact its Command and Control server, but the malware writer forgot to change the hard-coded IP address to that of CC, I'm not sure. Use netstat to see what program/process is doing that on your computer, and then google-search it." - Yahoo Answers user bohemian9485

I know what netstat is and vaguely what it does, but I'm not proficient with any command-line utilities, so I Googled how to use it. After reading its Wikipedia article, I decided to run the command "netstat -b 10" (-b shows which process is in charge of that connection, 10 tells it to scan again every 10 seconds.) After staring at my screen for about 5 minutes, I finally spotted this scrolling past:
"TCP 192.168.1.x:56814 172.16.30.115:http SYN_SENT
EventSystem
[svchost.exe]"

While I was glad to finally see something trying to access 172.16.30.115, I was disappointed that the most ambiguous process in the world appeared to be the culprit. So then I googled some more, and discovered that I could find out which services were running as svchost.exe by running the command "tasklist /svc /fi "imagename eq svchost.exe"" <-double quotation there to include the quotations that are part of the command as well as enclosing the entire command in quotes

I don't know what all the parameters there do, but it returned a list of PIDs for various services running as svchost.exe. I no longer have that result pulled up, so I can't post it here. But I opened up Task Manager and looked through the Services tab to find out the names of the services that were running as svchost.exe. All of them appeared to be legit Microsoft services.

So now I'm as bewildered as I was when I started, maybe more. SOMETHING running as svchost.exe is repeatedly trying to access the private IP address 172.16.30.115 on a network that uses the 192.168.1.0/24 network EXCLUSIVELY. Does anyone know what is causing this and/or how I can get it to stop? I don't know whether it is having a significant impact on my Internet connection, but even if it isn't, I don't want a useless network query being made repeatedly.

I am running Windows 7 Ultimate 64-bit, and the router whose logs I viewed is the standard AT&T U-Verse modem/router combo.
I have AVG Free installed on my computer. It runs weekly whole-computer scans, and I ran another scan just before deciding to post this. The scan I did came up negative, as have all scheduled scans since like February when it found I-don't-remember-what-but-it-fortunately-wasn't-affecting-me-yet. I also haven't had AVG Free miss an infection that WAS affecting me since like 2007, and that one was probably partially my fault anyway since I had a slow computer and I always cancelled the virus scans when they started. Also I was still using Internet Explorer back then. But my point is, I can't FIND any malware, but my computer is being weird and I have no clue what to do from here.

Help?




-------
Update 8/1/12:

Today I came up with the idea of downloading Wireshark and using it to capture the network traffic coming in and out of my PC's wireless card. (If I knew how Wireshark worked I'd have just captured the traffic between my PC and 172.16.30.115, but I don't.) So I had it run for 30 minutes while I perused the router's log more carefully to figure out how the router was displaying the time.

I figured out from the router log that this mysterious transmission sends three packets from my PC to 172.16.30.115 every ten minutes, within two seconds each time. Like clockwork. Except more exact. So every timestamp, in 24 hour format, is xx:x8:16 or xx:x8:17. (The x's get filled in by what time it is.) So right now it's 6:17 PM, which means that it'll happen again in a minute. CREEPY.

To make things more creepy, we have the Wireshark capture results. After the capture finished, I looked in the Wireshark help document for how to filter what I was seeing, and I discovered that I could show just the stuff sent to or from 172.16.30.115 by entering "ip.addr==172.16.30.115" into the filter field. So I did that, and discovered that there are packets coming to my computer from 172.16.30.115, in a network that only uses the 192.168.1.0/24 network. Not only that, but there is one packet sent from 172.16.30.115 to my computer for every packet sent to 172.16.30.115 by my computer. So there must be SOMETHING that is SOMEHOW using the IP address 172.16.30.115. I just don't have any idea how.

And it gets creepier. As anyone who has used Wireshark probably knows, it is possible to "read" packets that are captured. I say "read" because, in my experience, they've always been gibberish. When you "open" a packet, it shows a protocol analysis of the packet, along with the data it sees inside. The data is composed of a bunch of hex garbage along with Wireshark's "translation" of the hex garbage. Again, I say "translation" because a lot of the hex garbage is actually header stuff for the various protocols, and it's easier to just look at the analysis for that; also any encrypted data will show up as nonsense in the "translation."
The packets that my computer is sending to 172.16.30.115 are exactly as unclear as I'm used to. No English shows up in the "translation," and in fact, from what I can tell, there is no actual data inside these packets. So my computer is sending empty TCP packets to 172.16.30.115 every 10 minutes. From what I can tell, the only important thing in these packets is that the SYN flag is always set. I don't know the significance of that, but that seems to be the only thing worth noting. (I'm reluctant to simply post exactly what Wireshark gave me since I don't know what kind of data might be in there or who might be able to use it for harm.)
The packets that 172.16.30.115 sends to my computer are a different story. In terms of analysis, these ones have the RST and the ACK flags set, and Wireshark has marked two out of every set of three with the label [TCP Retransmission]. The creepy part is the "translation:" it contains the nonsense BUT it also contains the text "Go away, we're not home." When I right-click any of the packets sent in either direction and click "Follow TCP Stream," which (as far as I'm aware) is meant to show everything, including session establishment stuff, in English, the only thing that shows up in the window is the text "Go away, we're not home."

So basically, I'm terrified now. Every ten minutes - exact to the SECONDS - my computer sends empty packets to 172.16.30.115, a PRIVATE IP ADDRESS that is NOT BEING USED on my network, and every ten minutes SOMETHING RESPONDS saying "Go away, we're not home."

I'm so scared. Is this a form of malware? If it is malware, is it just there to scare people who know how to use Wireshark, or is it somehow sending information? What is my PC trying to accomplish? Why is an IP address that shouldn't exist in my network able to respond telling my computer to go away because it's not home? And most importantly, how do I make all of this stop?

I'm pretty much about to start crying. That's how scared I am. :(

Please help me!

Edited by amykathleen2, 01 August 2012 - 06:45 PM.
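One way to confirm the pattern described in the post from a connection log, as an added example that is not part of the original thread: it parses constructed log lines (a simplified format, not the U-verse router's), collapses the three-SYN bursts so the ten-minute period is visible, checks that bursts recur on a fixed schedule, and flags destinations that are RFC 1918 space outside the local 192.168.1.0/24. The log format, LOCAL_NETS and the thresholds are assumptions.

```python
import ipaddress
import re
import statistics
from datetime import datetime

# Constructed sample, loosely modelled on the router log and netstat output the
# post describes: three SYNs to 172.16.30.115:80 inside two seconds, every ten
# minutes, plus some ordinary browsing traffic. Not a real U-verse log format.
SAMPLE_LOG = """\
2012-08-01 18:08:16 192.168.1.64:56814 -> 172.16.30.115:80 SYN
2012-08-01 18:08:17 192.168.1.64:56815 -> 172.16.30.115:80 SYN
2012-08-01 18:08:17 192.168.1.64:56816 -> 172.16.30.115:80 SYN
2012-08-01 18:11:03 192.168.1.64:56900 -> 74.125.235.128:80 SYN
2012-08-01 18:18:16 192.168.1.64:56950 -> 172.16.30.115:80 SYN
2012-08-01 18:18:16 192.168.1.64:56951 -> 172.16.30.115:80 SYN
2012-08-01 18:18:17 192.168.1.64:56952 -> 172.16.30.115:80 SYN
2012-08-01 18:22:40 192.168.1.64:57001 -> 74.125.235.128:443 SYN
2012-08-01 18:28:16 192.168.1.64:57100 -> 172.16.30.115:80 SYN
2012-08-01 18:28:17 192.168.1.64:57101 -> 172.16.30.115:80 SYN
2012-08-01 18:28:17 192.168.1.64:57102 -> 172.16.30.115:80 SYN
2012-08-01 18:38:16 192.168.1.64:57200 -> 172.16.30.115:80 SYN
2012-08-01 18:38:17 192.168.1.64:57201 -> 172.16.30.115:80 SYN
2012-08-01 18:38:17 192.168.1.64:57202 -> 172.16.30.115:80 SYN
"""

# Assumption: the only subnet in use on this LAN, as stated in the post.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport, flags) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: ignore rather than crash
        yield (
            datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]),
            int(m["dport"]),
            m["flags"],
        )


def is_offnet_private(dst, local_nets=LOCAL_NETS):
    """True when dst is RFC 1918 space that belongs to none of our own subnets.
    Such an address is not reachable from this LAN at all, which is what made
    172.16.30.115 suspicious in the post."""
    dst = ipaddress.ip_address(dst)
    if dst.is_loopback or dst.is_link_local:
        return False
    return dst.is_private and not any(dst in n for n in local_nets)


def collapse_bursts(times, burst_window=5.0):
    """Merge hits within burst_window seconds of a burst's first hit into one burst.
    Without this, the 0-1 s gaps inside each three-SYN burst would hide the
    ten-minute period between bursts."""
    bursts = []
    for t in sorted(times):
        if bursts and (t - bursts[-1]).total_seconds() <= burst_window:
            continue
        bursts.append(t)
    return bursts


def period_of(burst_times):
    """Return (median inter-burst gap in seconds, worst deviation from it),
    or None when there are too few bursts to call it periodic."""
    if len(burst_times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(burst_times, burst_times[1:])]
    med = statistics.median(gaps)
    return med, max(abs(g - med) for g in gaps)


def find_beacons(text, min_bursts=3, max_jitter=5.0, local_nets=LOCAL_NETS):
    """Group outbound SYNs by (src, dst, dport) and report flows that recur on a
    fixed schedule, noting whether the destination is off-net private space."""
    flows = {}
    for ts, src, dst, dport, flags in parse_log(text):
        if "SYN" not in flags:
            continue
        flows.setdefault((src, dst, dport), []).append(ts)
    findings = []
    for (src, dst, dport), times in flows.items():
        bursts = collapse_bursts(times)
        stats = period_of(bursts)
        if stats is None or len(bursts) < min_bursts:
            continue
        period, jitter = stats
        if jitter <= max_jitter:
            findings.append({
                "src": str(src), "dst": str(dst), "dport": dport,
                "period_s": period, "jitter_s": jitter,
                "bursts": len(bursts), "hits_per_burst": len(times) / len(bursts),
                "offnet_private": is_offnet_private(dst, local_nets),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample it reports a single flow to 172.16.30.115:80 with a 600 s period, zero jitter, three hits per burst and offnet_private set; a real run would feed it lines converted from the router log or from a tshark export.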



#2 swagger

swagger

  • Members
  • 476 posts
  • Gender:Male
  • Location:South Carolina

Posted 04 August 2012 - 06:15 PM

Hello Amy and welcome to Bleeping Computer! :thumbup2: My name is swagger and I'll be assisting you.


I am sure you are very worried about your computer and hopefully I can help you find the answers you are looking for. So far you have been very resilient in finding information, so working together should provide some insight.

Please follow the directions below, asking any questions before you proceed if you do not understand something completely.

::MiniToolBox::

Download MiniToolBox and save it to your Desktop.

  • Double-click MiniToolBox.exe to run it.
  • Check mark the following boxes:

    Report IE Proxy Settings
    Report FF Proxy Settings
    List content of Hosts
    List IP Configuration
    List Winsock entries
    List last 10 Event Viewer Errors
    List Installed Programs
    List Devices (Only problems)
    List Users, Partitions and Memory size.

  • Click the Go button and post the log file (Result.txt).

    (NOTE: The Result.txt should appear when the program completes. If the log does not automatically appear it should be on your desktop or in the folder the file was downloaded to.)
::Malwarebytes' Anti-Malware::

Please download Malwarebytes Anti-Malware and save it to your desktop.

Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
(NOTE: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.)

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, go to Start > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

regards,

swagger

#3 amykathleen2

amykathleen2
  • Topic Starter

  • Members
  • 5 posts

Posted 04 August 2012 - 09:32 PM

I did as you asked. I did edit some information in the logs to protect my personal information, and I added some notes into the MiniToolBox log. Anything that I added or edited is marked by an asterisk on either side. I don't believe that any of the information I removed should be necessary for you to help me, but if it is then please let me know.

Here is the MiniToolBox log:

MiniToolBox by Farbar Version: 23-07-2012
Ran by *my name - removed to protect myself* (administrator) on 04-08-2012 at 19:14:52
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


*note: all of these Hosts entries were added by Spybot S&D, which I used to use but uninstalled because it made my life really difficult.*


There are 15110 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

Intel® Centrino® Advanced-N 6200 AGN = Wireless Network Connection (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Local Area Connection" nexthop=192.168.0.1 publish=Yes
add route prefix=0.0.0.0/0 interface="Wireless Network Connection" nexthop=192.168.1.1 publish=Yes
set subinterface interface=?<) subinterface=ethernet_9 mtu=1477
add address name="Local Area Connection" address=192.168.0.64 mask=255.255.255.0
add address name="Wireless Network Connection" address=192.168.1.64 mask=255.255.255.0


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : ComputerofAmy
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection 3:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
Physical Address. . . . . . . . . : *removed to protect myself*
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : *removed to protect myself*
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6200 AGN
Physical Address. . . . . . . . . : *removed to protect myself*
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : *If I remember correctly, these addresses are related to MAC addresses; removed to protect myself*(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : *not sure if this is personally identifying... removed just in case*
DHCPv6 Client DUID. . . . . . . . : *not sure if this is personally identifying... removed just in case*
DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
2001:4860:4860::8844
8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : *removed to protect myself*
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{*not sure what this number is, or if it is personally identifying... removed just in case*}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{*not sure what this number is, or if it is personally identifying... removed just in case*}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{*not sure what this number is, or if it is personally identifying... removed just in case*}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : *not sure if this is personally identifying... removed just in case*(Preferred)
Link-local IPv6 Address . . . . . : *not sure if this is personally identifying... removed just in case*(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{*not sure what this number is, or if it is personally identifying... removed just in case*}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: google-public-dns-a.google.com
Address: 2001:4860:4860::8888

Name: google.com
Addresses: 2404:6800:4004:804::1003
74.125.235.128
74.125.235.142
74.125.235.129
74.125.235.132
74.125.235.136
74.125.235.137
74.125.235.130
74.125.235.135
74.125.235.131
74.125.235.133
74.125.235.134


Pinging google.com [74.125.235.128] with 32 bytes of data:
Reply from 74.125.235.128: bytes=32 time=167ms TTL=47
Reply from 74.125.235.128: bytes=32 time=166ms TTL=47

Ping statistics for 74.125.235.128:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 166ms, Maximum = 167ms, Average = 166ms
Server: google-public-dns-a.google.com
Address: 2001:4860:4860::8888

Name: yahoo.com
Addresses: 209.191.122.70
72.30.38.140
98.139.183.24


Pinging yahoo.com [72.30.38.140] with 32 bytes of data:
Reply from 72.30.38.140: bytes=32 time=138ms TTL=50
Reply from 72.30.38.140: bytes=32 time=93ms TTL=50

Ping statistics for 72.30.38.140:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 93ms, Maximum = 138ms, Average = 115ms
Server: google-public-dns-a.google.com
Address: 2001:4860:4860::8888

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
17...*removed to protect myself* ......Microsoft Virtual WiFi Miniport Adapter #2
16...*removed to protect myself* ......Microsoft Virtual WiFi Miniport Adapter
13...*removed to protect myself* ......Intel® Centrino® Advanced-N 6200 AGN
11...*removed to protect myself* ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.64 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.64 281
192.168.1.64 255.255.255.255 On-link 192.168.1.64 281
192.168.1.255 255.255.255.255 On-link 192.168.1.64 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.64 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.64 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.0.1 Default
0.0.0.0 0.0.0.0 192.168.1.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 58 ::/0 On-link
1 306 ::1/128 On-link
14 58 2001::/32 On-link
14 306 2001:0:4137:9e76:cd0:424:b4e6:cf05/128 On-link
13 281 fe80::/64 On-link
14 306 fe80::/64 On-link
14 306 fe80::cd0:424:b4e6:cf05/128 On-link
13 281 fe80::692a:ce9a:a562:2764/128 On-link
1 306 ff00::/8 On-link
14 306 ff00::/8 On-link
13 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

*note: I do not know if the numbers in brackets here are personally identifying, but I left them there in case they're important for you to see. Please tell me if they are personally identifying in any way so I can remove them.*

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 06 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog5 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 09 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 10 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 06 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog5 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 09 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 10 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 12 C:\Program Files (x86)\VMware\VMware Workstation\x64\vsocklib.dll [File Not found] ()
x64-Catalog9 13 C:\Program Files (x86)\VMware\VMware Workstation\x64\vsocklib.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/04/2012 01:02:40 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 896897

Error: (08/04/2012 01:02:40 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 896897

Error: (08/04/2012 01:02:40 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/04/2012 00:47:49 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5102

Error: (08/04/2012 00:47:49 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5102

Error: (08/04/2012 00:47:49 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/04/2012 00:47:48 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4103

Error: (08/04/2012 00:47:48 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4103

Error: (08/04/2012 00:47:48 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/04/2012 00:47:47 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3042


System errors:

*note: I don't know if the numbers (and letters) here are personally identifying either. Once again, please tell me if they are so I can remove them.*

=============
Error: (08/04/2012 04:02:47 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (08/03/2012 05:01:41 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (08/02/2012 02:40:25 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (08/02/2012 00:39:12 PM) (Source: DCOM) (User: )
Description: {51FA2736-5DEE-11D4-98E8-006008BF430C}

Error: (08/01/2012 04:35:10 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (07/31/2012 02:36:17 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (07/30/2012 01:23:23 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (07/30/2012 01:27:21 AM) (Source: DCOM) (User: )
Description: {51FA2736-5DEE-11D4-98E8-006008BF430C}

Error: (07/29/2012 07:27:18 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (07/28/2012 11:06:05 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)


Microsoft Office Sessions:
=========================
Error: (08/04/2012 01:02:40 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 896897

Error: (08/04/2012 01:02:40 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 896897

Error: (08/04/2012 01:02:40 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/04/2012 00:47:49 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5102

Error: (08/04/2012 00:47:49 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5102

Error: (08/04/2012 00:47:49 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/04/2012 00:47:48 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4103

Error: (08/04/2012 00:47:48 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4103

Error: (08/04/2012 00:47:48 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (08/04/2012 00:47:47 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3042


=========================== Installed Programs ============================

µTorrent (Version: 3.1.3)
Adobe AIR (Version: 2.6.0.19140)
Adobe Community Help (Version: 3.5.23)
Adobe Download Assistant (Version: 1.0.4)
Adobe Flash Builder 4.5 (Version: 4.5)
Adobe Flash Player 10 ActiveX (Version: 10.1.52.14)
Adobe Flash Player 10 ActiveX (Version: 10.2.153.1)
Adobe Flash Player 11 Plugin (Version: 11.3.300.268)
Adobe Media Player (Version: 1.8)
Adobe Photoshop Elements 8.0 (Version: 8.0)
Adobe Photoshop.com Inspiration Browser (Version: 3.07)
Adobe Premiere Elements 10 (Version: 10.0)
Adobe Premiere Elements 10 Content (Version: 10.0)
Adobe Premiere Elements 10 Content 1 (Version: 10.0)
Adobe Premiere Elements 10 Content 2 (Version: 10.0)
Adobe Premiere Elements 10 Content 3 (Version: 10.0)
Adobe Premiere Elements 10 HD Content 1 (Version: 10.0)
Adobe Premiere Elements 10 HD Content 2 (Version: 10.0)
Adobe Premiere Elements 10 HD Content 3 (Version: 10.0)
Adobe Premiere Elements 8.0 (Version: 8.0)
Adobe Premiere Elements 8.0 (Version: 8.0.1)
Adobe Premiere Elements 8.0 Templates (Version: 8.0)
Adobe Reader X (10.1.3) (Version: 10.1.3)
Adobe Shockwave Player 11.5 (Version: 11.5.8.612)
Alcor Micro USB Card Reader (Version: 1.2.517.35221)
Alien Swarm
Alliance of Valiant Arms
Android SDK Tools (Version: 1.16)
Apple Application Support (Version: 2.1.9)
Apple Mobile Device Support (Version: 5.2.0.6)
Apple Software Update (Version: 2.1.3.127)
ATI Catalyst Install Manager (Version: 3.0.790.0)
Audacity 1.3.13 (Unicode)
AVG 2012 (Version: 12.0.2197)
AVG 2012 (Version: 12.0.2437)
AVG 2012 (Version: 2012.0.2197)
BioShock 2
Blacklight: Retribution
Bonjour (Version: 3.0.0.10)
Broadcom 2070 Bluetooth 3.0 (Version: 6.3.0.6300)
Brother MFL-Pro Suite MFC-J6510DW (Version: 1.0.20.0)
CamStudio
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2010.0909.1412.23625)
Catalyst Control Center Graphics Previews Vista (Version: 2010.0909.1412.23625)
Catalyst Control Center InstallProxy (Version: 2010.0909.1412.23625)
Catalyst Control Center Localization All (Version: 2010.0909.1412.23625)
ccc-core-static (Version: 2010.0909.1412.23625)
ccc-utility64 (Version: 2010.0909.1412.23625)
CCC Help Chinese Standard (Version: 2010.0909.1411.23625)
CCC Help Chinese Traditional (Version: 2010.0909.1411.23625)
CCC Help Czech (Version: 2010.0909.1411.23625)
CCC Help Danish (Version: 2010.0909.1411.23625)
CCC Help Dutch (Version: 2010.0909.1411.23625)
CCC Help English (Version: 2010.0909.1411.23625)
CCC Help Finnish (Version: 2010.0909.1411.23625)
CCC Help French (Version: 2010.0909.1411.23625)
CCC Help German (Version: 2010.0909.1411.23625)
CCC Help Greek (Version: 2010.0909.1411.23625)
CCC Help Hungarian (Version: 2010.0909.1411.23625)
CCC Help Italian (Version: 2010.0909.1411.23625)
CCC Help Japanese (Version: 2010.0909.1411.23625)
CCC Help Korean (Version: 2010.0909.1411.23625)
CCC Help Norwegian (Version: 2010.0909.1411.23625)
CCC Help Polish (Version: 2010.0909.1411.23625)
CCC Help Portuguese (Version: 2010.0909.1411.23625)
CCC Help Russian (Version: 2010.0909.1411.23625)
CCC Help Spanish (Version: 2010.0909.1411.23625)
CCC Help Swedish (Version: 2010.0909.1411.23625)
CCC Help Thai (Version: 2010.0909.1411.23625)
CCC Help Turkish (Version: 2010.0909.1411.23625)
Cisco Packet Tracer 5.3.3
Core Temp 1.0 RC3 (Version: 1.0)
CyberLink DVD Suite (Version: 7.0.3320)
D3DX10 (Version: 15.4.2368.0902)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Driver Download Manager (Version: 3.0.0.0)
Deus Ex: Game of the Year Edition
Deus Ex: Human Revolution
Deus Ex: Invisible War
doPDF 7.2 printer
DVD Menu Pack for HP MediaSmart Video (Version: 4.2.4412)
Elements 10 Organizer (Version: 10.0)
Energy Star Digital Logo (Version: 1.0.1)
ESU for Microsoft Windows 7 (Version: 1.0.0)
Fences Pro (Version: 1.0)
FFmpeg v0.6.2 for Audacity
Fraps (remove only)
Global Agenda
Google Chrome (Version: 21.0.1180.60)
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Lost Coast
Half-Life Deathmatch: Source
Half-Life: Blue Shift
Half-Life: Opposing Force
Half-Life: Source
Hewlett-Packard ACLM.NET v1.1.2.0 (Version: 1.00.0000)
HP 3D DriveGuard (Version: 4.1.9.1)
HP Customer Experience Enhancements (Version: 6.0.1.7)
HP Documentation (Version: 1.1.2.1)
HP ENVY Document Card Utilities (Version: 1.0.5)
HP MediaSmart DVD (Version: 4.2.4521)
HP MediaSmart Movies and TV (Version: 1.0.1.2)
HP MediaSmart Music (Version: 4.2.4604)
HP MediaSmart Photo (Version: 4.2.4513)
HP MediaSmart SmartMenu (Version: 3.1.2.2)
HP MediaSmart Video (Version: 4.2.4522)
HP MediaSmart Webcam (Version: 4.2.3303)
HP MediaSmart/TouchSmart Netflix (Version: 1.0.9.0)
HP MovieStore (Version: 1.0.023)
HP MovieStore (Version: 2.0.2)
HP Power Manager (Version: 1.4.4)
HP Product Detection (Version: 11.14.0001)
HP Quick Launch (Version: 2.3.6)
HP Setup (Version: 8.4.4400.3525)
HP Software Framework (Version: 4.1.13.1)
HP Support Assistant (Version: 6.1.12.1)
HP Wireless Assistant (Version: 4.0.10.0)
IDT Audio (Version: 1.0.6300.0)
Intel Digital Logo (Version: 1.0.5)
Intel PROSet Wireless
Intel® Management Engine Components (Version: 6.0.0.1179)
Intel® PROSet/Wireless WiFi Software (Version: 14.2.0000)
Intel® Rapid Storage Technology (Version: 9.6.1.1001)
Intel® Turbo Boost Technology Driver (Version: 01.02.00.1002)
iTunes (Version: 10.6.3.25)
Java Auto Updater (Version: 2.1.6.0)
Java™ 6 Update 21 (64-bit) (Version: 6.0.210)
Java™ 6 Update 26 (Version: 6.0.260)
Java™ 7 Update 5 (Version: 7.0.50)
JavaFX 2.1.1 (Version: 2.1.1)
JumpStart Typing
Junk Mail filter update (Version: 15.4.3502.0922)
LADSPA_plugins-win-0.4.15
LAME v3.98.3 for Audacity
MediaFACE II
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30320)
Microsoft .NET Framework 4 Extended (Version: 4.0.30320)
Microsoft .NET Framework 4 Multi-Targeting Pack (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Expression Blend 3 SDK (Version: 1.0.1343.0)
Microsoft Expression Blend 4 (Version: 4.0.20525.0)
Microsoft Expression Blend SDK for .NET 4 (Version: 2.0.20525.0)
Microsoft Expression Blend SDK for Silverlight 4 (Version: 2.0.20525.0)
Microsoft Expression Design 4 (Version: 7.0.20516.0)
Microsoft Expression Encoder 4 (Version: 4.0.1639.0)
Microsoft Expression Encoder 4 Screen Capture Codec (Version: 4.0.1639.0)
Microsoft Expression Studio 4 (Version: 4.0.20525.0)
Microsoft Expression Web 4 (Version: 4.0.1303.0)
Microsoft Expression Web 4 Service Pack 2
Microsoft Mathematics (64-bit) (Version: 4.0)
Microsoft Mathematics Add-in (32-bit) (Version: 2.0.040811.01)
Microsoft Office 2010 Language Pack Service Pack 1 (SP1)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Click-to-Run 2010 (Version: 14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000)
Microsoft Office Visio 2010 (Version: 14.0.6029.1000)
Microsoft Office Visio MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Press Training Kit Exam Prep Suite 70-640 (Version: 1.0.0)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft Silverlight 3 SDK (Version: 3.0.40818.0)
Microsoft Silverlight 4 SDK (Version: 4.0.50401.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visio 2010 Service Pack 1 (SP1)
Microsoft Visio Professional 2010 (Version: 14.0.6029.1000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Microsoft XNA Framework Redistributable 4.0 (Version: 4.0.20823.0)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_ATL_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86_x64 (Version: 80.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_ATL_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (Version: 1.00.0000)
MicroVolts
Moon Breakers
Movie Theme Pack for HP MediaSmart Video (Version: 4.2.4412)
Mozilla Firefox 14.0.1 (x86 en-US) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 14.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP3 Parser (KB2721691) (Version: 4.30.2114.0)
MSXML 4.0 SP3 Parser (KB973685) (Version: 4.30.2107.0)
MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
MuseScore 1.1 MuseScore score typesetter (Version: 1.1.0)
Nuance PaperPort 12 (Version: 12.1.0000)
Nuance PDF Viewer Plus (Version: 5.30.3290)
PaperPort Image Printer 64-bit (Version: 1.00.0001)
PDF Settings CS5 (Version: 10.0)
Portal
Portal 2
Power2Go (Version: 6.1.4419)
PRE10STI64Installer (Version: 1.0)
Puzzle Pirates
PX Profile Update (Version: 1.00.1.)
PxMergeModule (Version: 1.00.0000)
Q.U.B.E.
QuickTime (Version: 7.71.80.42)
QuickTime for Windows (32-bit)
Realtek Ethernet Controller Driver (Version: 7.25.824.2010)
Recovery Manager (Version: 5.5.3223)
RoxioNow Player (Version: 1.9.5.101)
SafeHouse Explorer 3.01 (Version: 3.01.00.1)
Samsung Kies (Version: 2.0.0.11042_3)
SAMSUNG USB Driver for Mobile Phones (Version: 1.4.103.0)
Scansoft PDF Professional
Shure Wireless Workbench Software 5.0 (Version: 5.0)
Sideway
Skype™ 5.5 (Version: 5.5.124)
SmartSound Common Data (Version: 1.1.0)
SmartSound Premiere Elements 10 x64 Plugin (Version: 5.70.0001)
SmartSound Quicktracks for Premiere Elements 8.0 (Version: 3.11.3090)
SmartSound Sonicfire Pro 5 (Version: 5.7.1)
Songsmith (Academic Edition) (Version: 09.07.1300)
Source Filmmaker
Steam (Version: 1.0.0.0)
Synaptics Pointing Device Driver (Version: 15.1.6.64)
Team Fortress 2
Team Fortress Classic
Terraria
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) (Version: 1)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
WD Drive Utilities (Version: 1.0.0)
WD Security (Version: 1.0.0)
WD SmartWare (Version: 1.5.4)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3502.0922)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3502.0922)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
WinPcap 4.1.2 (Version: 4.1.0.2001)
WinRAR 4.01 (64-bit) (Version: 4.01.0)
Wireshark 1.8.1 (64-bit) (Version: 1.8.1)
Worms Reloaded
WPF Toolkit February 2010 (Version 3.5.50211.1) (Version: 3.5.50211.1)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 44%
Total physical RAM: 5941.61 MB
Available physical RAM: 3272.7 MB
Total Pagefile: 11881.4 MB
Available Pagefile: 8648.47 MB
Total Virtual: 4095.88 MB
Available Virtual: 3965.16 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:671.1 GB) (Free:154.45 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:27.24 GB) (Free:3.99 GB) NTFS
4 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32

========================= Users: ========================================

User accounts for \\COMPUTEROFAMY

Administrator *my name - removed to protect myself* Guest


**** End of log ****

And here is the Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.04.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
*my name - removed to protect myself* :: COMPUTEROFAMY [administrator]

8/4/2012 7:56:06 PM
mbam-log-2012-08-04 (19-56-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198534
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thank you for volunteering to help me!

#4 swagger

  • Members
  • 476 posts
  • Gender:Male
  • Location:South Carolina

Posted 05 August 2012 - 09:26 AM

Hello Amy,

I do not see anything malicious in your logs. Was this the first time you've run Malwarebytes Anti-Malware? It appears that it was, because it wasn't listed in the installed programs section of the MiniToolBox log. I just want to make sure we have any previous scans, especially if something was found.

Also, can you perform the below command again and paste the results here?
tasklist /svc /fi "imagename eq svchost.exe"
In order to copy text from a COMMAND prompt window, you must right-click somewhere in the window and select Mark. Next, highlight the text you want to copy with your left mouse button. Once you've selected the text, right-click somewhere in the COMMAND prompt window to make the copy final. You can then paste the output here.

I'd like you to run some additional scans as well.

::TDSS Killer::

Download the TDSS Killer and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.7.48.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run it.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan result - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

::ESET Online Scanner::

Please run a free online scan with the ESET Online Scanner.
  • Tick the box next to Yes, I accept the Terms of Use.
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan Archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    (NOTE: If ESET doesn't find any threats, it will NOT produce any log.)

regards,

swagger
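
The tasklist command requested above lists, for each svchost.exe, the services it hosts, which is what lets a PID seen in a connection listing be narrowed down to a service. As an added example that is not part of this thread or any poster's own code, here is a small Python parser for that output that copes with the wrapped continuation lines; the PIDs and service groupings in the sample are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout that `tasklist /svc /fi "imagename eq svchost.exe"`
# prints: a header, a separator, then one record per process whose service list wraps
# onto indented continuation lines. The PIDs and service groupings are made up.
SAMPLE_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    816 DcomLaunch, PlugPlay, Power
svchost.exe                   1132 AudioSrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                   1204 BITS, Schedule, Winmgmt,
                                   wuauserv
svchost.exe                   2412 Pml Driver HPZ12
svchost.exe                   6100 N/A
"""

# A record line: an image name ending in .exe, a PID, then the start of the service list.
# Continuation lines never match this, which is what lets us tell the two apart.
_RECORD = re.compile(r"^(?P<image>\S+\.exe)\s+(?P<pid>\d+)\s*(?P<services>.*)$", re.IGNORECASE)


@dataclass
class HostProcess:
    image: str
    services: List[str] = field(default_factory=list)


def _split_services(text: str) -> List[str]:
    """Split a comma-separated services field; tasklist prints N/A when there are none."""
    return [s.strip() for s in text.split(",") if s.strip() and s.strip().upper() != "N/A"]


def parse_tasklist_svc(output: str) -> Dict[int, HostProcess]:
    """Map PID -> HostProcess from tasklist /svc output.

    Continuation lines are detected by *not* looking like a record line rather than by
    their indentation, so output pasted into a forum with leading spaces stripped
    (as often happens) still parses correctly.
    """
    procs: Dict[int, HostProcess] = {}
    current: Optional[HostProcess] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Image Name") or set(line) <= {"=", " "}:
            continue  # blank, column header or separator row
        m = _RECORD.match(line)
        if m:
            current = HostProcess(m.group("image"), _split_services(m.group("services")))
            procs[int(m.group("pid"))] = current
        elif current is not None:
            current.services.extend(_split_services(line))  # wrapped tail of the last record
    return procs


def services_for_pid(procs: Dict[int, HostProcess], pid: int) -> List[str]:
    """Every service sharing a given PID: a connection attributed to a svchost PID
    could have been made by any of these, so the PID alone is not a verdict."""
    return list(procs[pid].services) if pid in procs else []


def pid_for_service(procs: Dict[int, HostProcess], name: str) -> Optional[int]:
    """Reverse lookup, case-insensitive, since service names in logs vary in case."""
    for pid, proc in procs.items():
        if any(s.lower() == name.lower() for s in proc.services):
            return pid
    return None


def single_service_hosts(procs: Dict[int, HostProcess]) -> List[Tuple[int, str]]:
    """PIDs hosting exactly one service: the only svchost instances whose network
    activity can be attributed to a service without further digging."""
    return sorted((pid, p.services[0]) for pid, p in procs.items() if len(p.services) == 1)


if __name__ == "__main__":
    table = parse_tasklist_svc(SAMPLE_OUTPUT)
    for pid, proc in sorted(table.items()):
        print(f"{pid:>6} {proc.image}: {', '.join(proc.services) or '(no services)'}")
    print("unambiguous:", single_service_hosts(table))
```

To use it on real output, redirect the command to a file (`tasklist /svc /fi "imagename eq svchost.exe" > svc.txt`) and pass the file contents to parse_tasklist_svc.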

#5 amykathleen2

  • Topic Starter
  • Members
  • 5 posts

Posted 05 August 2012 - 11:36 PM

Yes, this was the first time I used the Malwarebytes software. I use AVG Free as my antivirus/antimalware software.

Results of the tasklist /svc /fi "imagename eq svchost.exe" command:
svchost.exe 816 DcomLaunch, PlugPlay, Power
svchost.exe 920 RpcEptMapper, RpcSs
svchost.exe 1132 AudioSrv, Dhcp, eventlog,
HomeGroupProvider, lmhosts, wscsvc
svchost.exe 1164 AudioEndpointBuilder, hidserv,
HomeGroupListener, IPBusEnum, Netman,
PcaSvc, SysMain, TrkWks, UxSms, Wlansvc,
wudfsvc
svchost.exe 1204 BDESVC, BITS, Browser, EapHost, gpsvc,
iphlpsvc, LanmanServer, ProfSvc, Schedule,
SENS, ShellHWDetection, Themes, Winmgmt,
wuauserv
svchost.exe 1388 EventSystem, fdPHost, netprofm, nsi,
WdiServiceHost
svchost.exe 1520 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc
svchost.exe 1884 BFE, DPS, MpsSvc
svchost.exe 2180 FDResPub, FontCache, SSDPSRV, upnphost
svchost.exe 2412 Pml Driver HPZ12
svchost.exe 2784 stisvc
svchost.exe 3956 bthserv
svchost.exe 1620 PolicyAgent
svchost.exe 6228 p2pimsvc, p2psvc, PNRPsvc
svchost.exe 6328 SDRSVC



TDSS Killer log:

18:56:30.0475 6768 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
18:56:32.0503 6768 ============================================================
18:56:32.0503 6768 Current date / time: 2012/08/05 18:56:32.0503
18:56:32.0503 6768 SystemInfo:
18:56:32.0503 6768
18:56:32.0503 6768 OS Version: 6.1.7601 ServicePack: 1.0
18:56:32.0503 6768 Product type: Workstation
18:56:32.0503 6768 ComputerName: COMPUTEROFAMY
18:56:32.0503 6768 UserName: *my name - removed to protect myself*
18:56:32.0503 6768 Windows directory: C:\Windows
18:56:32.0503 6768 System windows directory: C:\Windows
18:56:32.0503 6768 Running under WOW64
18:56:32.0503 6768 Processor architecture: Intel x64
18:56:32.0503 6768 Number of processors: 4
18:56:32.0503 6768 Page size: 0x1000
18:56:32.0503 6768 Boot type: Normal boot
18:56:32.0503 6768 ============================================================
18:56:33.0938 6768 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
18:56:33.0970 6768 ============================================================
18:56:33.0970 6768 \Device\Harddisk0\DR0:
18:56:33.0970 6768 MBR partitions:
18:56:33.0970 6768 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x63800
18:56:33.0970 6768 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x64000, BlocksNum 0x53E33800
18:56:33.0970 6768 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x53E97800, BlocksNum 0x367B000
18:56:33.0970 6768 \Device\Harddisk0\DR0\Partition3: MBR, Type 0xC, StartLBA 0x57512800, BlocksNum 0x336F0
18:56:33.0970 6768 ============================================================
18:56:34.0016 6768 C: <-> \Device\Harddisk0\DR0\Partition1
18:56:34.0048 6768 D: <-> \Device\Harddisk0\DR0\Partition2
18:56:34.0063 6768 F: <-> \Device\Harddisk0\DR0\Partition3
18:56:34.0157 6768 ============================================================
18:56:34.0157 6768 Initialize success
18:56:34.0157 6768 ============================================================
18:57:00.0349 6772 ============================================================
18:57:00.0349 6772 Scan started
18:57:00.0349 6772 Mode: Manual;
18:57:00.0349 6772 ============================================================
18:57:15.0076 6772 pla - ok
18:57:15.0091 6772 PlugPlay - ok
18:57:15.0154 6772 Pml Driver HPZ12 - ok
18:57:15.0154 6772 PNRPAutoReg - ok
18:57:15.0154 6772 PNRPsvc - ok
18:57:15.0169 6772 PolicyAgent - ok
18:57:15.0169 6772 Power - ok
18:57:15.0185 6772 PptpMiniport - ok
18:57:15.0185 6772 Processor - ok
18:57:15.0201 6772 ProfSvc - ok
18:57:15.0216 6772 ProtectedStorage - ok
18:57:15.0232 6772 Psched - ok
18:57:15.0232 6772 PxHlpa64 - ok
18:57:15.0247 6772 ql2300 - ok
18:57:15.0247 6772 ql40xx - ok
18:57:15.0247 6772 QWAVE - ok
18:57:15.0263 6772 QWAVEdrv - ok
18:57:15.0263 6772 RasAcd - ok
18:57:15.0279 6772 RasAgileVpn - ok
18:57:15.0279 6772 RasAuto - ok
18:57:15.0294 6772 Rasl2tp - ok
18:57:15.0294 6772 RasMan - ok
18:57:15.0294 6772 RasPppoe - ok
18:57:15.0310 6772 RasSstp - ok
18:57:15.0310 6772 rdbss - ok
18:57:15.0325 6772 rdpbus - ok
18:57:15.0325 6772 RDPCDD - ok
18:57:15.0325 6772 RDPDR - ok
18:57:15.0357 6772 RDPENCDD - ok
18:57:15.0357 6772 RDPREFMP - ok
18:57:15.0403 6772 RdpVideoMiniport - ok
18:57:15.0403 6772 RDPWD - ok
18:57:15.0419 6772 rdyboost - ok
18:57:15.0450 6772 RegSrvc - ok
18:57:15.0450 6772 RemoteAccess - ok
18:57:15.0466 6772 RemoteRegistry - ok
18:57:15.0481 6772 RFCOMM - ok
18:57:15.0497 6772 RoxioNow Service - ok
18:57:15.0575 6772 rpcapd - ok
18:57:15.0591 6772 RpcEptMapper - ok
18:57:15.0591 6772 RpcLocator - ok
18:57:15.0606 6772 RpcSs - ok
18:57:15.0653 6772 rspndr - ok
18:57:15.0669 6772 RTL8167 - ok
18:57:15.0684 6772 SafDskNT - ok
18:57:15.0684 6772 SamSs - ok
18:57:15.0684 6772 sbp2port - ok
18:57:15.0684 6772 SCardSvr - ok
18:57:15.0700 6772 scfilter - ok
18:57:15.0700 6772 Schedule - ok
18:57:15.0700 6772 SCPolicySvc - ok
18:57:15.0715 6772 sdbus - ok
18:57:15.0715 6772 SDRSVC - ok
18:57:15.0747 6772 secdrv - ok
18:57:15.0747 6772 seclogon - ok
18:57:15.0747 6772 SENS - ok
18:57:15.0762 6772 SensrSvc - ok
18:57:15.0778 6772 Serenum - ok
18:57:15.0778 6772 Serial - ok
18:57:15.0809 6772 sermouse - ok
18:57:15.0825 6772 SessionEnv - ok
18:57:15.0825 6772 sffdisk - ok
18:57:15.0825 6772 sffp_mmc - ok
18:57:15.0825 6772 sffp_sd - ok
18:57:15.0840 6772 sfloppy - ok
18:57:15.0840 6772 Sftfs - ok
18:57:15.0840 6772 sftlist - ok
18:57:15.0840 6772 Sftplay - ok
18:57:15.0856 6772 Sftredir - ok
18:57:15.0856 6772 Sftvol - ok
18:57:15.0856 6772 sftvsa - ok
18:57:15.0887 6772 SharedAccess - ok
18:57:15.0887 6772 ShellHWDetection - ok
18:57:15.0903 6772 SiSRaid2 - ok
18:57:15.0903 6772 SiSRaid4 - ok
18:57:15.0934 6772 Smb - ok
18:57:15.0981 6772 SNMPTRAP - ok
18:57:15.0996 6772 spldr - ok
18:57:15.0996 6772 Spooler - ok
18:57:16.0012 6772 sppsvc - ok
18:57:16.0012 6772 sppuinotify - ok
18:57:16.0012 6772 srv - ok
18:57:16.0027 6772 srv2 - ok
18:57:16.0059 6772 SrvHsfHDA - ok
18:57:16.0059 6772 SrvHsfV92 - ok
18:57:16.0059 6772 SrvHsfWinac - ok
18:57:16.0074 6772 srvnet - ok
18:57:16.0355 6772 ssadbus - ok
18:57:16.0402 6772 ssadmdfl - ok
18:57:16.0402 6772 ssadmdm - ok
18:57:16.0433 6772 ssadserd - ok
18:57:16.0433 6772 SSDPSRV - ok
18:57:16.0433 6772 SstpSvc - ok
18:57:16.0464 6772 STacSV - ok
18:57:16.0464 6772 stexstor - ok
18:57:16.0480 6772 STHDA - ok
18:57:16.0480 6772 StillCam - ok
18:57:16.0495 6772 stisvc - ok
18:57:16.0495 6772 swenum - ok
18:57:16.0495 6772 SwitchBoard - ok
18:57:16.0542 6772 swprv - ok
18:57:16.0542 6772 Synth3dVsc - ok
18:57:16.0589 6772 SynTP - ok
18:57:16.0589 6772 SysMain - ok
18:57:16.0589 6772 TabletInputService - ok
18:57:16.0605 6772 TapiSrv - ok
18:57:16.0605 6772 TBS - ok
18:57:16.0667 6772 Tcpip - ok
18:57:16.0683 6772 TCPIP6 - ok
18:57:16.0683 6772 tcpipreg - ok
18:57:16.0698 6772 TDPIPE - ok
18:57:16.0698 6772 TDTCP - ok
18:57:16.0729 6772 tdx - ok
18:57:16.0729 6772 TermDD - ok
18:57:16.0745 6772 TermService - ok
18:57:16.0745 6772 Themes - ok
18:57:16.0761 6772 THREADORDER - ok
18:57:16.0761 6772 TrkWks - ok
18:57:16.0761 6772 TrustedInstaller - ok
18:57:16.0776 6772 tssecsrv - ok
18:57:16.0776 6772 TsUsbFlt - ok
18:57:16.0776 6772 tsusbhub - ok
18:57:16.0792 6772 tunnel - ok
18:57:16.0792 6772 uagp35 - ok
18:57:16.0792 6772 udfs - ok
18:57:16.0807 6772 UI0Detect - ok
18:57:16.0807 6772 uliagpkx - ok
18:57:16.0839 6772 umbus - ok
18:57:16.0854 6772 UmPass - ok
18:57:16.0885 6772 UmRdpService - ok
18:57:16.0885 6772 UNS - ok
18:57:16.0885 6772 upnphost - ok
18:57:16.0917 6772 USBAAPL64 - ok
18:57:16.0932 6772 usbaudio - ok
18:57:16.0948 6772 usbccgp - ok
18:57:16.0948 6772 usbcir - ok
18:57:16.0948 6772 usbehci - ok
18:57:16.0963 6772 usbhub - ok
18:57:16.0963 6772 usbohci - ok
18:57:16.0963 6772 usbprint - ok
18:57:16.0979 6772 usbscan - ok
18:57:16.0979 6772 USBSTOR - ok
18:57:16.0979 6772 usbuhci - ok
18:57:16.0979 6772 usbvideo - ok
18:57:16.0995 6772 UxSms - ok
18:57:16.0995 6772 VaultSvc - ok
18:57:17.0010 6772 vdrvroot - ok
18:57:17.0057 6772 vds - ok
18:57:17.0073 6772 vga - ok
18:57:17.0073 6772 VgaSave - ok
18:57:17.0073 6772 VGPU - ok
18:57:17.0088 6772 vhdmp - ok
18:57:17.0104 6772 viaide - ok
18:57:17.0135 6772 VMnetAdapter - ok
18:57:17.0135 6772 volmgr - ok
18:57:17.0151 6772 volmgrx - ok
18:57:17.0151 6772 volsnap - ok
18:57:17.0182 6772 vsmraid - ok
18:57:17.0182 6772 VSS - ok
18:57:17.0197 6772 vwifibus - ok
18:57:17.0291 6772 vwififlt - ok
18:57:17.0291 6772 vwifimp - ok
18:57:17.0291 6772 W32Time - ok
18:57:17.0307 6772 WacomPen - ok
18:57:17.0353 6772 WANARP - ok
18:57:17.0385 6772 Wanarpv6 - ok
18:57:17.0431 6772 WatAdminSvc - ok
18:57:17.0431 6772 wbengine - ok
18:57:17.0431 6772 WbioSrvc - ok
18:57:17.0431 6772 wcncsvc - ok
18:57:17.0447 6772 WcsPlugInService - ok
18:57:17.0447 6772 Wd - ok
18:57:17.0478 6772 WDC_SAM - ok
18:57:17.0478 6772 WDDMService - ok
18:57:17.0541 6772 WDDriveService - ok
18:57:17.0541 6772 Wdf01000 - ok
18:57:17.0541 6772 WDFMEService - ok
18:57:17.0556 6772 WdiServiceHost - ok
18:57:17.0556 6772 WdiSystemHost - ok
18:57:17.0572 6772 WDRulesService - ok
18:57:17.0572 6772 WebClient - ok
18:57:17.0572 6772 Wecsvc - ok
18:57:17.0587 6772 wercplsupport - ok
18:57:17.0603 6772 WerSvc - ok
18:57:17.0634 6772 WfpLwf - ok
18:57:17.0634 6772 WIMMount - ok
18:57:17.0634 6772 WinDefend - ok
18:57:17.0650 6772 WinHttpAutoProxySvc - ok
18:57:17.0650 6772 Winmgmt - ok
18:57:17.0665 6772 WinRM - ok
18:57:17.0681 6772 WinUsb - ok
18:57:17.0681 6772 Wlansvc - ok
18:57:17.0697 6772 wlidsvc - ok
18:57:17.0697 6772 WmiAcpi - ok
18:57:17.0712 6772 wmiApSrv - ok
18:57:17.0712 6772 WMPNetworkSvc - ok
18:57:17.0728 6772 WPCSvc - ok
18:57:17.0743 6772 WPDBusEnum - ok
18:57:17.0743 6772 ws2ifsl - ok
18:57:17.0759 6772 wscsvc - ok
18:57:17.0759 6772 WSDPrintDevice - ok
18:57:17.0775 6772 WSearch - ok
18:57:17.0775 6772 wuauserv - ok
18:57:17.0775 6772 WudfPf - ok
18:57:17.0806 6772 WUDFRd - ok
18:57:17.0806 6772 wudfsvc - ok
18:57:17.0821 6772 WwanSvc - ok
18:57:17.0899 6772 yukonw7 - ok
18:57:17.0946 6772 MBR (0x1B8) (e8281e3fcc034dce04ae9bd573a2b72b) \Device\Harddisk0\DR0
18:57:18.0180 6772 \Device\Harddisk0\DR0 - ok
18:57:18.0196 6772 Boot (0x1200) (ce8ea2909136d84deb44dd10c578a0be) \Device\Harddisk0\DR0\Partition0
18:57:18.0196 6772 \Device\Harddisk0\DR0\Partition0 - ok
18:57:18.0211 6772 Boot (0x1200) (645bb954fe287c5a7ab25791b9775e45) \Device\Harddisk0\DR0\Partition1
18:57:18.0211 6772 \Device\Harddisk0\DR0\Partition1 - ok
18:57:18.0274 6772 Boot (0x1200) (b82bf7553af42e139bfbda3b322371bd) \Device\Harddisk0\DR0\Partition2
18:57:18.0274 6772 \Device\Harddisk0\DR0\Partition2 - ok
18:57:18.0289 6772 Boot (0x1200) (d31f2ad50590ca6b697ce74bad4b3075) \Device\Harddisk0\DR0\Partition3
18:57:18.0289 6772 \Device\Harddisk0\DR0\Partition3 - ok
18:57:18.0289 6772 ============================================================
18:57:18.0289 6772 Scan finished
18:57:18.0289 6772 ============================================================
18:57:18.0461 6880 Detected object count: 0
18:57:18.0461 6880 Actual detected object count: 0

The ESET Online Scanner didn't find anything.

#6 swagger

  • Members
  • 476 posts
  • Gender:Male
  • Location:South Carolina

Posted 08 August 2012 - 10:25 AM

Hello Amy,

All of your logs look clean. I noticed that you also posted HERE and stated that you were seeing weird messages in a Wireshark capture that led you to believe it was the Storm virus. Have you looked at your router's settings or tried resetting it to factory default to see if the issue goes away?

regards,

swagger

Edited by swagger, 08 August 2012 - 11:27 AM.


#7 amykathleen2

  • Topic Starter
  • Members
  • 5 posts

Posted 12 August 2012 - 12:45 AM

The router is brand new. We just switched to AT&T U-Verse from their DSL service, which meant that we were given one of their "gateways" that are a router/modem combo. We decided to start using the gateway instead of the Linksys that we'd been using with our old DSL modem, since the Linksys had been giving us strange wifi issues from the first day we got it (we'd randomly lose connections on some devices and not others, and then we'd check the router settings and see that it had decided to lock out certain traffic - it LOVED to switch to only allowing wireless-n traffic, which shouldn't have even caused problems - anyway it was full of issues so we decided to stop using it when we didn't have to anymore.) The new router is also the reason I was able to see the router logs, since the old router only collected logs if my father configured it to using a password that only he had and it saved the logs directly to his PC. I wasn't allowed to access them. The new router stores its logs on itself, and anyone on our network can access them.
The entries saying my PC was trying to connect to 172.16.30.115 started as soon as my PC connected to the wifi, even before I had changed any settings. So I don't know how long this has been going on, but it has certainly been happening since we got this router.
So quite honestly, at this point I'm completely bewildered. As you noted, a Wireshark capture revealed packets leaving my PC headed for 172.16.30.115, and each packet was responded to by source IP 172.16.30.115 with the payload "Go away, we're not home." When I googled that, it did come up with results about the Storm worm, but I don't think it possibly could be the Storm worm since that is an old virus and neither my antivirus software nor any of the programs you had me run were able to find anything. Also, I've found a couple of places where people have noticed their AT&T 2Wire routers returning the "Go away, we're not home" packets when dropping traffic. So I'm fairly sure at this point that I don't have the Storm worm, but I don't know what is happening. Even if I did have the Storm worm, that still wouldn't explain the traffic going to 172.16.30.115.
Thank you for all your help. I'm guessing that there's nothing else you can do to help me, since it seems I don't have any malware on my computer, and I'm sorry for wasting your time. I just wish I knew what was going on, because this is really strange.
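
A worked triage example, added here and not part of any post in this thread: given text in the shape of Windows `netstat -ano` output and the PC's own interface prefix, it reports which PID owns the connections to 172.16.30.115 and why a 172.16.x.x destination is off-link on a 192.168.1.0/24 network (a private address outside every local prefix has to go to the default gateway, which is the traffic the router log above shows being dropped). The netstat rows, the PIDs and the 203.0.113.10 address are constructed for the example; the only identifiers taken from the thread are the two subnets and 172.16.30.115.

```python
"""Added triage helper (not from this thread): find which process owns the
connections to a suspicious address, and check whether that address is a
private (RFC 1918) one and whether it is on the local link at all.

Input is text in the shape of Windows `netstat -ano` output. The sample
below is constructed for this example, not a capture from the poster's PC.
"""
import ipaddress
import re

# RFC 1918 private address blocks.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like `netstat -ano` on Windows 7; the PIDs and
# the public address 203.0.113.10 are made up for illustration.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:49152     172.16.30.115:80       SYN_SENT        1234
  TCP    192.168.1.23:49153     172.16.30.115:80       SYN_SENT        1234
  TCP    192.168.1.23:49160     203.0.113.10:443       ESTABLISHED     2048
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  UDP    192.168.1.23:137       *:*                                    4
"""

# proto, local endpoint, foreign endpoint, optional state (UDP rows have none), PID
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def split_endpoint(endpoint):
    """'172.16.30.115:80' -> ('172.16.30.115', 80); '*:*' -> ('*', None);
    '[::]:80' -> ('::', 80)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def classify_destination(addr, local_prefixes):
    """Say whether addr is RFC 1918 private and whether it lies inside any of
    the PC's own interface prefixes (e.g. '192.168.1.23/24'). A private
    address that is not on-link can only be sent to the default gateway."""
    ip = ipaddress.ip_address(addr)
    private = any(ip in net for net in PRIVATE_RANGES)
    on_link = any(ip in ipaddress.ip_network(p, strict=False) for p in local_prefixes)
    return {"private": private, "on_link": on_link}


def pids_talking_to(rows, addr):
    """Map PID -> list of (proto, foreign endpoint, state) for rows whose
    foreign host equals addr. The PID is what you then feed to
    `tasklist /FI "PID eq <pid>"` to get the image name."""
    hits = {}
    for row in rows:
        host, _ = split_endpoint(row["foreign"])
        if host == addr:
            hits.setdefault(row["pid"], []).append((row["proto"], row["foreign"], row["state"]))
    return hits


def triage(text, addr, local_prefixes):
    """Combine both checks into one report for a suspect destination."""
    report = classify_destination(addr, local_prefixes)
    report["pids"] = pids_talking_to(parse_netstat(text), addr)
    if report["private"] and not report["on_link"]:
        report["note"] = ("private address outside every local prefix: the PC hands it "
                          "to the default gateway, which is where it gets logged and dropped")
    else:
        report["note"] = "routable or on-link destination"
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT, "172.16.30.115", ["192.168.1.23/24"])
    print(f"172.16.30.115: private={result['private']} on_link={result['on_link']}")
    print(result["note"])
    for pid, conns in result["pids"].items():
        print(f"PID {pid} owns {len(conns)} connection(s): {conns}")
```

Run it as-is to see the report for the constructed sample, or paste real `netstat -ano` output into SAMPLE_NETSTAT; the PID it reports is the one to resolve with `tasklist /FI "PID eq 1234"` (substitute the actual PID), which names the program making the connection.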

#8 swagger

  • Members
  • 476 posts
  • Gender:Male
  • Location:South Carolina

Posted 14 August 2012 - 09:48 AM

Hi Amy,

Unfortunately I'm not sure what else I can do for you. If you are still worried, you might want to post in the Virus, Trojan, Spyware, and Malware Removal Logs forum so they can take a deeper look. I am limited in my knowledge and the tools that I can use to help you. I wish you the best of luck though and if you figure out what it is/was, please feel free to let me know.

regards,

swagger