iphlpsvc trying to open ports to China


7 replies to this topic

#1 Bryan Mohr (Members, 66 posts)

Posted 25 March 2013 - 09:09 PM

This is without a browser running. MalwareBytes (Paid) does not find any Malware, but it keeps blocking access to "a potentially malicious website". I caught the ip address for the latest one. It was trying to open port 51729 to 222.71.140.133 (133.140.71.222.broad.xw.sh.synamic.163data.com.cn) which is located in Shanghai China. Port 51729 is opened by svchost using iphlpsvc.

 

Also, my main computer was offline (powered off) a couple of days ago. It has a static ip of 192.168.0.8. I was viewing some Wireshark output on another computer and was noticing a lot of requests from 192.168.0.8 with my MAC Address going to various other computers on the network. Of course I shut down access at the modem and began running scans (MalwareBytes, SuperAntiSpyware, Kaspersky bootable) but aside from tracking cookies, nothing was found. I also ran Securitycheck and (I forget the exact filename right now) the svchost verifier but nothing was found.

 

So, does anyone have any ideas?

 

Here are the logs:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16470  BrowserJavaVersion: 10.17.2
Run by Bryan at 21:50:47 on 2013-03-25
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.15863.12576 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\Program Files (x86)\DisplayFusion\DisplayFusionService.exe
C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe
D:\Program Files (x86)\EventLog Inspector 3\ELIService.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
d:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
d:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
d:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
d:\Program Files (x86)\Winstep\WsxService.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Secunia\PSI\sua.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe
C:\Program Files (x86)\GIGABYTE\smart6\dbios\SDBMSG.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
D:\Program Files (x86)\Winstep\Nextstart.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
D:\Program Files (x86)\Winstep\WorkShelf.exe
D:\Program Files\Start Menu X\StartMenuX.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
D:\Program Files\Process Hacker 2\ProcessHacker.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
D:\Program Files (x86)\EventLog Inspector 3\ELInspector.exe
D:\Program Files (x86)\Clipboard Share\ClipboardShare.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe
D:\Program Files (x86)\System Explorer\SystemExplorer.exe
C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
D:\Program Files (x86)\Standalone\allsnap150beta\allsnap.exe
D:\Program Files (x86)\Standalone\allsnap150beta\allsnap64.exe
C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe
d:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\AlarmClock.exe
C:\Program Files (x86)\DisplayFusion\DisplayFusionAppHook.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\svchost.exe -k swprv
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Program Files (x86)\Evernote\Evernote\Evernote.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteTray.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
D:\Program Files\zabkat\xplorer2_ult\xplorer2_64.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: VIPTToolbarManager Class: {1A2641AE-2C42-4C51-A05F-8ECEC3FDC94D} - d:\Program Files (x86)\Visual IP Trace 2009\VisualIPTraceIE.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Visual IP Trace: {E70C26AE-DFF1-40A8-8D37-19180F56F0AA} - d:\Program Files (x86)\Visual IP Trace 2009\VisualIPTraceIE.dll
uRun: [NextSTART] d:\Program Files (x86)\Winstep\nextstart.exe autostart
uRun: [Workshelf] d:\Program Files (x86)\Winstep\workshelf.exe autostart
uRun: [StartMenuX] d:\Program Files\Start Menu X\StartMenuX.exe
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [Process Hacker 2] "d:\Program Files\Process Hacker 2\ProcessHacker.exe" -hide
uRun: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
uRun: [EventLog Inspector 3] "D:\Program Files (x86)\EventLog Inspector 3\ELInspector.exe" -auto
uRun: [ClipboardShare] "D:\Program Files (x86)\Clipboard Share\ClipboardShare.exe"
uRun: [DisplayFusion] "c:\Program Files (x86)\DisplayFusion\DisplayFusion.exe"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [SystemExplorerAutoStart] "d:\Program Files (x86)\System Explorer\SystemExplorer.exe" /TRAY
uRun: [FileHippo.com] "c:\Program Files (x86)\FileHippo.com\UpdateChecker.exe" /background
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
mRun: [NextSTART] <no file>
mRunOnce: [SDBOK] C:\Program Files (x86)\GIGABYTE\smart6\dbios\run.exe
StartupFolder: C:\Users\Bryan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ALLSNA~1.LNK - D:\Program Files (x86)\Standalone\allsnap150beta\allsnap.exe
StartupFolder: C:\Users\Bryan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ALLSNA~2.LNK - D:\Program Files (x86)\Standalone\allsnap150beta\allsnap64.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Windows\System: UseOEMBackground = dword:1
IE: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "d:\Program Files (x86)\Fiddler2\Fiddler.exe"
Trusted Zone: nas4free
TCP: Interfaces\{DAD0AD59-9A89-4DD7-97AC-A6B42F335A77} : NameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: Smart Recovery 2: {1d09c093-f71e-43c3-b948-19316cbd695e} -
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-RunOnce: [RPMKickstart] C:\Program Files\GIGABYTE\SMART6\Recovery\RPMKickstart.exe
x64-IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "d:\Program Files (x86)\Fiddler2\Fiddler.exe"
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Bryan\AppData\Roaming\Mozilla\Firefox\Profiles\hc4eyzqw.default\
FF - plugin: C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - plugin: D:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: D:\Program Files (x86)\Adobe\Reader 11.0\Reader\browser\nppdf32.dll
FF - plugin: d:\Program Files (x86)\VideoLAN\VLC\npvlc.dll
FF - ExtSQL: 2013-03-23 08:39; translator@zoli.bod; C:\Users\Bryan\AppData\Roaming\Mozilla\Firefox\Profiles\hc4eyzqw.default\extensions\translator@zoli.bod.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 dlkmdldr;dlkmdldr;C:\Windows\System32\drivers\dlkmdldr.sys [2013-1-8 15224]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
R1 KProcessHacker2;KProcessHacker2;D:\Program Files\Process Hacker 2\kprocesshacker.sys [2013-1-10 39320]
R2 DES2 Service;DES2 Service for Energy Saving.;C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe [2013-1-8 68136]
R2 DisplayFusionService;DisplayFusionService;C:\Program Files (x86)\DisplayFusion\DisplayFusionService.exe [2013-2-12 1243024]
R2 DisplayLinkService;DisplayLinkManager;C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [2012-7-30 8515544]
R2 DymoPnpService;DYMO PnP Service;C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [2012-1-30 32336]
R2 MBAMScheduler;MBAMScheduler;D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-1-10 398184]
R2 MBAMService;MBAMService;D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-1-10 682344]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 130008]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2012-9-24 1328736]
R2 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2012-9-24 656480]
R2 Smart TimeLock;Smart TimeLock Service;C:\Program Files (x86)\GIGABYTE\smart6\timelock\TimeMgmtDaemon.exe [2013-1-8 114688]
R2 WinisoCDBus;WinISO Virtual CD Drive;C:\Windows\System32\drivers\WinisoCDBus.sys [2013-1-10 204032]
R2 Winstep Xtreme Service;Winstep Xtreme Service;d:\Program Files (x86)\Winstep\WsxService --> d:\Program Files (x86)\Winstep\WsxService [?]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;C:\Windows\System32\drivers\BazisVirtualCDBus.sys [2011-6-4 198480]
R3 DisplayLinkUsbPort;DisplayLink USB Device;C:\Windows\System32\drivers\DisplayLinkUsbPort_6.3.40660.0.sys [2012-7-30 17408]
R3 dlkmd;dlkmd;C:\Windows\System32\drivers\dlkmd.sys [2013-1-8 318840]
R3 dvdfab;dvdfab;C:\Windows\System32\drivers\dvdfab.sys [2013-1-9 79232]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2011-3-7 40832]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2011-3-7 65280]
R3 keycrypt;keycrypt;C:\Windows\System32\drivers\KeyCrypt64.sys [2013-3-21 25784]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-1-10 24176]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]
R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2013-3-22 24176]
R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf.sys [2011-12-16 17976]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-1-8 413800]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-12-16 202632]
R3 SystemExplorerHelpService;System Explorer Service;D:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe [2013-1-14 821720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-9 123856]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 Droppix Service;Droppix Service;C:\Program Files (x86)\Common Files\Droppix\DxService.exe [2013-1-9 221184]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2013-1-8 30528]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-8 19456]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2013-1-10 31800]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-8 57856]
S3 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2012-12-19 106408]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-1-8 1255736]
S4 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S4 DroidExplorerService;DroidExplorer Service;C:\Program Files\Droid Explorer\DroidExplorer.Service.exe [2012-10-14 254976]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 RsFx0105;RsFx0105 Driver;C:\Windows\System32\drivers\RsFx0105.sys [2011-9-22 311144]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-9-22 431464]
S4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-10-2 382824]
.
=============== File Associations ===============
.
FileExt: .scr: scrfile="%1" /S [UserChoice]
.
=============== Created Last 30 ================
.
2013-03-26 01:47:21    --------    d-----w-    C:\Program Files (x86)\Evernote
2013-03-26 01:27:06    237840    ----a-w-    C:\Windows\System32\drivers\VBoxDrv.sys
2013-03-26 01:27:04    120080    ----a-w-    C:\Windows\System32\drivers\VBoxUSBMon.sys
2013-03-24 18:29:59    --------    d-----w-    C:\Users\Bryan\AppData\Roaming\PotPlayerMini
2013-03-24 18:29:59    --------    d-----w-    C:\Users\Bryan\AppData\Local\Daum
2013-03-24 18:22:20    --------    d-----w-    C:\Program Files (x86)\Daum
2013-03-24 18:12:02    --------    d-----w-    C:\Users\Bryan\.gimp-2.8
2013-03-24 17:36:55    --------    d-----w-    C:\Program Files\GIMP 2
2013-03-24 04:22:46    9311288    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{30E90F4F-0B16-4AAA-9ACE-7E98ABD656F7}\mpengine.dll
2013-03-23 19:33:59    --------    d-----w-    C:\Users\Bryan\AppData\Local\Opera
2013-03-23 19:33:55    --------    d-----w-    C:\Program Files (x86)\Opera x64
2013-03-23 19:33:52    --------    d-----w-    C:\Program Files\Opera x64
2013-03-23 12:00:39    --------    d-----w-    C:\ProgramData\IdealSoftware
2013-03-23 12:00:22    --------    d-----w-    C:\Users\Bryan\AppData\Local\IdealSoftware
2013-03-23 12:00:20    --------    d-----w-    C:\Program Files (x86)\IdealMediaSolution
2013-03-23 04:24:46    9311288    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-23 00:17:16    --------    d-----w-    C:\Program Files\PeerBlock
2013-03-22 04:42:48    --------    d-----w-    C:\Windows\PAC7311
2013-03-22 04:42:03    --------    d-----w-    C:\Windows\Downloaded Installations
2013-03-22 04:09:39    --------    d-----w-    C:\Users\Bryan\AppData\Local\www.ispyconnect.com
2013-03-22 04:08:16    --------    d-----w-    C:\Users\Bryan\AppData\Roaming\iSpyServer
2013-03-22 04:07:32    --------    d-----w-    C:\Program Files (x86)\iSpy
2013-03-22 01:38:40    119808    ----a-r-    C:\Users\Bryan\AppData\Roaming\Microsoft\Installer\{CCF298AF-9CE1-4B26-B251-486E98A34789}\icons.exe
2013-03-22 01:38:40    --------    d-----w-    C:\Users\Bryan\AppData\Local\Apps
2013-03-21 19:01:38    972264    ------w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6D4E35F8-443F-4DEF-B9B3-3A774394DBCE}\gapaengine.dll
2013-03-21 13:14:54    --------    d-----w-    C:\Users\Bryan\vw
2013-03-21 13:14:53    --------    d-----w-    C:\Users\Bryan\Visual IP Trace
2013-03-21 04:30:51    25784    ----a-w-    C:\Windows\System32\drivers\KeyCrypt64.sys
2013-03-21 04:30:50    --------    d-----w-    C:\Users\Bryan\AppData\Local\AntiLogger Free
2013-03-21 04:30:50    --------    d-----w-    C:\Program Files (x86)\Zemana AntiLogger Free
2013-03-21 04:30:50    --------    d-----w-    C:\Program Files (x86)\KeyCryptSDK
2013-03-21 04:19:20    --------    d-----w-    C:\Users\Bryan\AppData\Roaming\Likno Software
2013-03-21 04:19:02    53248    ------w-    C:\Windows\SysWow64\ZLIB.DLL
2013-03-21 04:19:01    880640    ------w-    C:\Windows\SysWow64\UniBox10.ocx
2013-03-21 04:19:01    380928    ------w-    C:\Windows\SysWow64\UniFlexGrid10.ocx
2013-03-21 04:19:01    364544    ------w-    C:\Windows\SysWow64\UniGrid210.ocx
2013-03-21 04:19:01    212992    ------w-    C:\Windows\SysWow64\UniBoxVB12.ocx
2013-03-21 04:19:01    139264    ------w-    C:\Windows\SysWow64\uniflexsup.dll
2013-03-21 04:19:01    1097728    ------w-    C:\Windows\SysWow64\UniBox210.ocx
2013-03-21 04:18:54    --------    d-----w-    C:\ProgramData\InstallMate
2013-03-15 23:14:04    131856    ----a-w-    C:\Windows\System32\drivers\VBoxNetAdp.sys
2013-03-15 23:13:06    146704    ----a-w-    C:\Windows\System32\drivers\VBoxNetFlt.sys
2013-03-15 23:13:04    204048    ----a-w-    C:\Windows\System32\VBoxNetFltNobj.dll
2013-03-14 10:05:59    --------    d-----w-    C:\ProgramData\dvdfab
2013-03-13 07:11:22    95648    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-13 07:10:24    108448    ----a-w-    C:\Windows\System32\WindowsAccessBridge-64.dll
2013-03-13 00:46:08    972264    ------w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-03-12 07:17:09    --------    d-----w-    C:\Users\Bryan\AppData\Roaming\Wireshark
.
==================== Find3M  ====================
.
2013-03-26 01:39:19    25640    ----a-w-    C:\Windows\gdrv.sys
2013-03-20 12:42:05    73432    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-20 12:42:05    693976    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-03-13 07:11:17    861088    ----a-w-    C:\Windows\SysWow64\npDeployJava1.dll
2013-03-13 07:11:17    782240    ----a-w-    C:\Windows\SysWow64\deployJava1.dll
2013-03-13 07:10:20    963488    ----a-w-    C:\Windows\System32\deployJava1.dll
2013-03-13 07:10:20    1085344    ----a-w-    C:\Windows\System32\npDeployJava1.dll
2013-02-12 05:45:24    135168    ----a-w-    C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22    350208    ----a-w-    C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22    308736    ----a-w-    C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22    111104    ----a-w-    C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31    474112    ----a-w-    C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26    2176512    ----a-w-    C:\Windows\apppatch\AcGenral.dll
2013-02-02 06:57:02    2312704    ----a-w-    C:\Windows\System32\jscript9.dll
2013-02-02 06:47:24    1494528    ----a-w-    C:\Windows\System32\inetcpl.cpl
2013-02-02 06:47:19    1392128    ----a-w-    C:\Windows\System32\wininet.dll
2013-02-02 06:42:18    173056    ----a-w-    C:\Windows\System32\ieUnatt.exe
2013-02-02 06:41:51    599040    ----a-w-    C:\Windows\System32\vbscript.dll
2013-02-02 06:38:01    2382848    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-02-02 03:38:35    1800704    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-02-02 03:30:32    1427968    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2013-02-02 03:30:21    1129472    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-02-02 03:26:47    142848    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2013-02-02 03:26:21    420864    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2013-02-02 03:23:28    2382848    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-01-30 10:53:22    273840    ------w-    C:\Windows\System32\MpSigStub.exe
2013-01-20 20:59:04    230320    ----a-w-    C:\Windows\System32\drivers\MpFilter.sys
2013-01-20 20:59:04    130008    ----a-w-    C:\Windows\System32\drivers\NisDrvWFP.sys
2013-01-13 03:02:36    30528    ----a-w-    C:\Windows\GVTDrv64.sys
2013-01-10 04:36:57    14    ----a-w-    C:\Windows\SysWow64\sysvflc.dll
2013-01-10 04:35:27    231376    ----a-w-    C:\Windows\System32\drivers\truecrypt.sys
2013-01-09 03:05:06    175616    ----a-w-    C:\Windows\System32\msclmd.dll
2013-01-09 03:05:06    152576    ----a-w-    C:\Windows\SysWow64\msclmd.dll
2013-01-09 00:49:29    0    ----a-w-    C:\Windows\SysWow64\dlumdfb9.dll
2013-01-09 00:49:29    0    ----a-w-    C:\Windows\SysWow64\dlumdfb11.dll
2013-01-09 00:49:29    0    ----a-w-    C:\Windows\SysWow64\dlumdfb10.dll
2013-01-09 00:49:29    0    ----a-w-    C:\Windows\SysWow64\dlumd9.dll
2013-01-09 00:49:29    0    ----a-w-    C:\Windows\SysWow64\dlumd11.dll
2013-01-09 00:49:29    0    ----a-w-    C:\Windows\SysWow64\dlumd10.dll
2013-01-09 00:49:29    0    ----a-w-    C:\Windows\System32\dlumd9.dll
2013-01-09 00:49:29    0    ----a-w-    C:\Windows\System32\dlumd11.dll
2013-01-09 00:49:29    0    ----a-w-    C:\Windows\System32\dlumd10.dll
2013-01-06 07:31:12    204032    ----a-w-    C:\Windows\System32\drivers\WinisoCDBus.sys
2013-01-05 05:53:43    5553512    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2013-01-05 05:00:15    3967848    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00:11    3913064    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46:09    215040    ----a-w-    C:\Windows\System32\winsrv.dll
2013-01-04 04:51:16    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2013-01-04 04:43:21    44032    ----a-w-    C:\Windows\apppatch\acwow64.dll
2013-01-04 03:26:48    3153408    ----a-w-    C:\Windows\System32\win32k.sys
2013-01-04 02:47:35    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2013-01-04 02:47:34    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2013-01-04 02:47:34    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2013-01-04 02:47:33    14336    ----a-w-    C:\Windows\SysWow64\ntvdm64.dll
2013-01-03 06:00:54    1913192    ----a-w-    C:\Windows\System32\drivers\tcpip.sys
2013-01-03 06:00:42    288088    ----a-w-    C:\Windows\System32\drivers\FWPKCLNT.SYS
.
============= FINISH: 21:51:18.13 ===============
 

The prep guide says to attach attach.txt, but DDS says to only attach it if requested. Is it requested?
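The post above ties port 51729 to svchost.exe running iphlpsvc. The part a practitioner wants to reproduce is the attribution itself: which process owns a socket, which services share that process (a `-k netsvcs` host carries many), whether the svchost.exe image is the genuine one, and which peers are outside the local network. The PowerShell script below is an added example written for this page, not a tool from the thread or from BleepingComputer. It assumes Windows 7 with PowerShell 2.0, so it parses `netstat -ano` (Get-NetTCPConnection only exists from Windows 8) and uses WMI; run it from an elevated prompt so PIDs and image paths are visible for every process. One caveat on reading its output: iphlpsvc is the IP Helper service, which implements the IPv6 transition tunnels (6to4, ISATAP, Teredo, IP-HTTPS) and does legitimately originate traffic to public addresses, so the script tells you what shares the process and where it talks, not whether that is malicious.

```powershell
# Added example for this page (not a tool from the thread): attribute every TCP/UDP
# endpoint to its owning process and, for svchost.exe, to the services sharing that
# process; flag peers outside private/loopback ranges and any svchost.exe running
# from a path other than %SystemRoot%\System32 or \SysWOW64.
# Assumes Windows 7 / PowerShell 2.0: parses 'netstat -ano' (Get-NetTCPConnection
# only exists on Windows 8+) and uses WMI. Run from an elevated prompt so netstat
# and WMI can report PIDs and image paths for every process.

function Test-PrivateAddress {
    param([string]$Address)
    # netstat wraps IPv6 in brackets and may append a %zone; strip both first
    $a = $Address.Trim('[', ']') -replace '%.*$', ''
    return ($a -eq '*' -or $a -eq '0.0.0.0' -or $a -eq '::' -or $a -eq '::1' -or
            $a -like '127.*' -or $a -like '10.*' -or $a -like '192.168.*' -or
            $a -match '^172\.(1[6-9]|2[0-9]|3[01])\.' -or
            $a -like '169.254.*' -or $a -like 'fe80:*')
}

function Split-Endpoint {
    param([string]$Endpoint)
    # "1.2.3.4:443", "[::1]:135" or "*:*": the port always follows the last colon
    $i = $Endpoint.LastIndexOf(':')
    return @{ Address = $Endpoint.Substring(0, $i); Port = $Endpoint.Substring($i + 1) }
}

function Get-EndpointOwners {
    # PID -> names of the services running inside that process. All services in one
    # host (e.g. svchost -k netsvcs) report the same ProcessId, so a socket can only
    # be narrowed to the group, not to one service, without further isolation.
    $svcByPid = @{}
    Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $k = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
        $svcByPid[$k] += $_.Name
    }
    $procByPid = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $procByPid[[int]$_.ProcessId] = $_ }

    # Only these two locations are legitimate for svchost.exe
    $genuine = '^' + [regex]::Escape($env:SystemRoot) + '\\(System32|SysWOW64)\\svchost\.exe$'

    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f      = $_.Trim() -split '\s+'
        $proto  = $f[0]
        $local  = Split-Endpoint $f[1]
        $remote = Split-Endpoint $f[2]
        $owner  = [int]$f[-1]                       # UDP rows have no State column
        $state  = if ($proto -eq 'TCP') { $f[3] } else { '' }
        $p      = $procByPid[$owner]
        $image  = if ($p -and $p.ExecutablePath) { $p.ExecutablePath } else { '<unknown>' }
        $fake   = ($p -and $p.Name -eq 'svchost.exe' -and $image -ne '<unknown>' -and $image -notmatch $genuine)
        New-Object PSObject -Property @{
            Proto      = $proto
            LocalPort  = $local.Port
            Remote     = $remote.Address + ':' + $remote.Port
            State      = $state
            OwnerPid   = $owner
            Image      = $image
            Services   = ($svcByPid[$owner] -join ',')
            External   = -not (Test-PrivateAddress $remote.Address)
            BadSvchost = $fake
        }
    }
}

$rows = Get-EndpointOwners

# Anything talking to a public address, or an svchost.exe living in the wrong place
$rows | Where-Object { $_.External -or $_.BadSvchost } |
    Sort-Object OwnerPid | Format-Table Proto, LocalPort, Remote, State, OwnerPid, Services, Image -AutoSize

# Only the endpoints owned by the process that hosts the IP Helper service
$rows | Where-Object { $_.Services -match '\biphlpsvc\b' } |
    Format-Table Proto, LocalPort, Remote, State, OwnerPid, Services -AutoSize
```

Because Win32_Service.ProcessId is the same for every service in one host process, the Services column lists all candidates rather than a single culprit. To pin a socket on one service, move that service into its own process (`sc config iphlpsvc type= own`, then restart it) and rerun the script; the suspect endpoint will then appear under a PID that hosts only that service.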





#2 Bryan Mohr (Topic Starter, Members, 66 posts)

Posted 26 March 2013 - 03:21 PM

Update: iphlpsvc tries to connect to various ip addresses throughout the day. Sometimes I catch the ip before it disappears from the screen. This time it tried to open 89.28.23.193 which geolocates to Chisinau, Moldova at starnet.md.



#3 Bryan Mohr (Topic Starter, Members, 66 posts)

Posted 27 March 2013 - 08:59 PM

Nothing? Well, does anyone know of a program that will check for problems in the Policy in Windows 7 to check for any possible openings for uninvited RDP?
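The question above asks for something that checks Windows 7 policy for openings that would let an uninvited RDP session in. The settings that decide that are few and all readable locally: the fDenyTSConnections value (with the Group Policy copy overriding the System Properties copy), Network Level Authentication and the security layer on the RDP-Tcp listener, the listener port, Remote Assistance (solicited and, by policy, unsolicited), whether TermService is running, whether the inbound firewall rule is enabled, and who is in Remote Desktop Users. The script below is an added example written for this page, not a tool from the thread; it assumes Windows 7 / PowerShell 2.0, the registry paths and value names listed in its comments, and the predefined firewall rule name "Remote Desktop (TCP-In)" that Windows 7 ships. It only reads; it changes nothing.

```powershell
# Added example for this page (not a tool from the thread): audit the Windows 7
# settings that decide whether anyone can reach this machine over RDP or Remote
# Assistance, and list each exposure as a finding. Read-only; run elevated so the
# Policies hive, the firewall rule and every local group are fully readable.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, instead of a terminating error
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Get-RdpExposure {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$ts\WinStations\RDP-Tcp"
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $ra     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

    # The Group Policy value, when present, wins over the System Properties value
    $policyDeny = Get-RegValue $policy 'fDenyTSConnections'
    $localDeny  = Get-RegValue $ts     'fDenyTSConnections'
    $deny = if ($policyDeny -ne $null) { $policyDeny } else { $localDeny }

    $nla   = Get-RegValue $rdpTcp 'UserAuthentication'     # 1 = NLA required before logon screen
    $layer = Get-RegValue $rdpTcp 'SecurityLayer'          # 0 = RDP, 1 = negotiate, 2 = TLS
    $port  = Get-RegValue $rdpTcp 'PortNumber'             # 3389 by default
    $raOn  = Get-RegValue $ra     'fAllowToGetHelp'        # 1 = Remote Assistance invitations allowed
    $raUnsolicited = Get-RegValue $policy 'fAllowUnsolicited'   # 1 = helpers may offer without invitation

    $svc = Get-Service TermService -ErrorAction SilentlyContinue

    # Member lines sit between the dashed rule and the "The command completed" footer
    $members = net localgroup "Remote Desktop Users" 2>$null |
        Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }

    # Windows 7's predefined inbound rule; "Enabled: Yes" appears once per matching profile
    $fwRule = netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" 2>$null
    $fwEnabled = @($fwRule -match '^Enabled:\s+Yes').Count -gt 0

    $findings = @()
    if ($deny -eq 0)               { $findings += "Remote Desktop connections are ALLOWED (fDenyTSConnections=0)" }
    if ($policyDeny -ne $null)     { $findings += "fDenyTSConnections is forced by policy ($policyDeny); local value is $localDeny" }
    if ($nla -ne 1)                { $findings += "NLA not required (UserAuthentication=$nla): logon screen reachable before authentication" }
    if ($layer -eq 0)              { $findings += "SecurityLayer=0: legacy RDP encryption, no TLS server authentication" }
    if ($port -and $port -ne 3389) { $findings += "RDP listener moved to port $port" }
    if ($raOn -eq 1)               { $findings += "Remote Assistance enabled (fAllowToGetHelp=1)" }
    if ($raUnsolicited -eq 1)      { $findings += "Unsolicited Remote Assistance allowed by policy (fAllowUnsolicited=1)" }
    if ($svc -and $svc.Status -eq 'Running') { $findings += "TermService is running" }
    if ($fwEnabled)                { $findings += "Firewall rule 'Remote Desktop (TCP-In)' is enabled" }
    if ($members)                  { $findings += "Remote Desktop Users group: " + ($members -join ', ') }

    New-Object PSObject -Property @{
        RdpAllowed     = ($deny -eq 0)
        NlaRequired    = ($nla -eq 1)
        Port           = $port
        ServiceRunning = ($svc -and $svc.Status -eq 'Running')
        FirewallRuleOn = $fwEnabled
        Findings       = $findings
    }
}

$r = Get-RdpExposure
$r | Format-List RdpAllowed, NlaRequired, Port, ServiceRunning, FirewallRuleOn
$r.Findings | ForEach-Object { "  ! $_" }
```

A machine that should never accept RDP reads RdpAllowed False, ServiceRunning False (or the service stopped and disabled) and FirewallRuleOn False, with an empty Remote Desktop Users group; note that members of Administrators can connect regardless of that group, so their membership is worth checking with `net localgroup Administrators` as well.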



#4 Oh My! (Malware Response Instructor, 36,587 posts, California)

Posted 28 March 2013 - 07:10 PM

Greetings and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Start New Topic button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Watch Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My! (Malware Response Instructor, 36,587 posts, California)

Posted 28 March 2013 - 08:13 PM

Greetings,

Thank you for your patience. Please do this for me. In addition, please copy and paste the Attach.txt document produced while running DDS.

===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Vista/7 users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • When the Status box shows Scan Finished click Delete
  • Click Report
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Running TDSSKiller with Changed Parameters

--------------------
  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters


  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now


  • Click Start Scan and allow the scan process to run


  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue


  • Click Reboot computer
  • Please zip and attach in your reply the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Attach log
  • RogueKiller log
  • TDSS zip file (attached)

Gary
 

#6 Bryan Mohr (Topic Starter, Members, 66 posts)

Posted 31 March 2013 - 12:48 AM

Thank you for the reply. But because the infected machine is my primary working computer I just couldn't wait any longer and couldn't take the chance of infecting a customer's machine so I did a few more boot disk scans, then several utilities running under Hiren's Mini Win-7. Ever since I haven't had any reports of opened ports. So it looks like I am all clear now. I'll keep an eye on it though and if it starts again, I will start a new thread. I'm prepping another machine to be kept in reserve so that I can still work if my primary machine goes down again, so I won't be so worried about getting it fixed immediately.

 

Thanks again, And if it happens again, I hope you will be available to handle the call. Take care.

 

Bryan



#7 Oh My! (Malware Response Instructor, 36,587 posts, California)

Posted 31 March 2013 - 09:07 AM

OK, thanks for letting us know.


Gary
 

#8 Oh My! (Malware Response Instructor, 36,587 posts, California)

Posted 31 March 2013 - 09:08 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 