Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MBAM blocks potential malicious access


  • Please log in to reply
8 replies to this topic

#1 dbteepo

dbteepo

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:20 PM

Posted 14 April 2013 - 11:24 AM

Hey there, I downloaded MBAM and received a free trial for the real-time scanner and other such protection. I've been receiving messages the last few days that tell me MBAM has blocked potentially malicious connection from multiple different ip addresses. I've ran MBAM full scans and adware cleaner, but the scans haven't found any sort of virus or infected files. This free trial is ending soon, so I was hoping to get this problem addressed and removed before it becomes a bigger issue. Many thanks in advance.



Btw, running Windows 8, 64bit edition



BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:20 PM

Posted 14 April 2013 - 11:30 AM

p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

p22002970.gif Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

p22002970.gifDownload Malwarebytes Anti-Rootkit from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt


p22002970.gif NOTE. Make sure all logs are pasted not attached.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 LCS_Tech

LCS_Tech

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Missouri
  • Local time:09:20 PM

Posted 14 April 2013 - 12:36 PM

Hello,

 

Are you running any file sharing programs?

 

I have the pro version running on all my machines and usually the only time I see the website blocking pop up is when I'm running a file sharing program... programs like uTorrent, Tixati, BitTorrent, Ares, Shareaza, Kaza, or any other to the like.

 

 

To quote quietman7 from a post I found a sec ago...

 

Malwarebytes Anti-Malware IP Protection (malicious website blocking) is part of the Protection Module and works after it is enabled. When attempting to go to a potential malicious website, Malwarebytes will block the attempt and provide an alert. Notification that an IP address has been blocked does not necessarily mean the computer is infected. Some legitimate programs on your computer (i.e. iTunes, Instant Messenger client, P2P programs, web browsers)) have access to the Internet and that action can trigger an IP alert if it tried to access a malicious IP address. These events are stored in the "protection-log". Your firewall should be able to give you a list of such programs so you can confirm if they are legitimate. IP Protection is also designed to block incoming connections it determines to be malicious. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports - commonly probed ports and make repeated attempts to access them. Hackers use "port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs. Malwarebytes is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts and the events are stored in the "protection-log".


More information about IP Protection can be found in the Malwarebytes Anti-Malware IP Protection FAQs.


Quote

What does IP Protection do?
IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges...

What does this notification mean?
This notification means quite simply, that an IP address has been blocked. It does NOT necessarily mean you are infected, it simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address...

Other FAQs about IP Protection
How does it do this?
How does it inform you?
I got an alert and I wasn't even surfing, how's that happen?
I received a notification on a safe site, why?
How do I disable this?
I got an alert for an IP or website I think is safe, how can I report it?
Does the IP Protection replace my firewall?
Where do I find the IP Protection logs?
How can I add an IP so it won't be detected and can access a site I need to?[/b]



If you are using peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent, BitLord, BitLord, BearShare, Azureus/Vuze, etc) or an Instant messaging (IM) client, be aware they can trigger IP Protection alerts. Why? P2P programs are a security risk which can make your system susceptible to asmörgåsbord of malware infections and remote attacks. Malwarebytes IP Protection will block access to some of the peers a P2P client attempts connection to because they are classified or detected as malicious. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup and to allow other P2P users on the same network open access to a shared directory on your computer.

 



#4 dbteepo

dbteepo
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:20 PM

Posted 15 April 2013 - 09:40 PM

Thanks to both of you for the quick responses, and sorry that it took so long for me to reply back.

 

=============  Security Check ===============

 

Results of screen317's Security Check version 0.99.62 
   x64 (UAC is enabled) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Windows Defender  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
````````Process Check: objlist.exe by Laurent```````` 
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
 Windows Defender MsMpEng.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````

 

============================= FSS ======================================

 

Farbar Service Scanner Version: 14-04-2013
Ran by Alonzo (administrator) on 15-04-2013 at 20:59:20
Running from "C:\Users\Alonzo\Desktop\Infections"
Windows 8 Pro  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuaueng.dll".


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2013-04-12 17:47] - [2013-03-02 04:59] - 2231528 ____A (Microsoft Corporation) B6D52E2C38B49A156E58FF5B9C6CA8BE

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2013-04-12 17:47] - [2013-03-01 21:45] - 3240448 ____A (Microsoft Corporation) 79F95469604B77296346DE7DB463EA2A

C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2013-03-25 21:58] - [2013-01-28 18:08] - 1555920 ____A (Microsoft Corporation) 905601FFF40D8DA9FA82CBE77D1F5EB1

C:\Program Files\Windows Defender\MsMpEng.exe
[2013-03-25 21:58] - [2013-01-28 20:57] - 0014920 ____A (Microsoft Corporation) 473B9548568BA927ACE0B77EC208A561

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

 

===================== MiniToolBox =======================

 

MiniToolBox by Farbar  Version:05-03-2013
Ran by Alonzo (administrator) on 15-04-2013 at 21:00:52
Running from "C:\Users\Alonzo\Desktop\Infections"
Windows 8 Pro  (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

 

========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Ethernet (Connected)
802.11n Wireless LAN Card = Wi-Fi (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
set interface interface="Local Area Connection* 9" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 11" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled


popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HP
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Belkin

Wireless LAN adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : AC-81-12-88-8C-8F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 38-60-77-3E-00-65
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::284b:10a9:221f:b943%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, April 15, 2013 3:37:30 PM
   Lease Expires . . . . . . . . . . : Friday, May 23, 2149 3:29:10 AM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 356016247
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-92-7F-74-AC-81-12-88-8C-8D
   DNS Servers . . . . . . . . . . . : 192.168.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : westell.com
   Description . . . . . . . . . . . : 802.11n Wireless LAN Card
   Physical Address. . . . . . . . . : AC-81-12-88-8C-8D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:2c43:1b42:3f57:fdf9(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2c43:1b42:3f57:fdf9%16(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.Belkin:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  192.168.2.1

Name:    google.com
Addresses:  2607:f8b0:4000:805::1006
   74.125.227.193
   74.125.227.194
   74.125.227.195
   74.125.227.196
   74.125.227.197
   74.125.227.198
   74.125.227.199
   74.125.227.200
   74.125.227.201
   74.125.227.206
   74.125.227.192


Pinging google.com [74.125.227.195] with 32 bytes of data:
Reply from 74.125.227.195: bytes=32 time=32ms TTL=55
Reply from 74.125.227.195: bytes=32 time=25ms TTL=55

Ping statistics for 74.125.227.195:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 32ms, Average = 28ms
Server:  UnKnown
Address:  192.168.2.1

Name:    yahoo.com
Addresses:  206.190.36.45
   98.138.253.109
   98.139.183.24


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=99ms TTL=49
Reply from 98.138.253.109: bytes=32 time=98ms TTL=49

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 98ms, Maximum = 99ms, Average = 98ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 14...ac 81 12 88 8c 8f ......Microsoft Wi-Fi Direct Virtual Adapter
 13...38 60 77 3e 00 65 ......Realtek PCIe GBE Family Controller
 12...ac 81 12 88 8c 8d ......802.11n Wireless LAN Card
  1...........................Software Loopback Interface 1
 16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1      192.168.2.6     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link       192.168.2.6    276
      192.168.2.6  255.255.255.255         On-link       192.168.2.6    276
    192.168.2.255  255.255.255.255         On-link       192.168.2.6    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.2.6    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.2.6    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 16    306 ::/0                     On-link
  1    306 ::1/128                  On-link
 16    306 2001::/32                On-link
 16    306 2001:0:9d38:6ab8:2c43:1b42:3f57:fdf9/128
                                    On-link
 13    276 fe80::/64                On-link
 16    306 fe80::/64                On-link
 13    276 fe80::284b:10a9:221f:b943/128
                                    On-link
 16    306 fe80::2c43:1b42:3f57:fdf9/128
                                    On-link
  1    306 ff00::/8                 On-link
 16    306 ff00::/8                 On-link
 13    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\pnrpnsp.dll [67584] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [67584] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\NLAapi.dll [55296] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [21504] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [289280] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [66560] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [85504] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [85504] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [72192] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [53760] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [355328] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/15/2013 03:38:14 PM) (Source: ESENT) (User: )
Description: taskhostex (420) An attempt to open the file "C:\Users\Alonzo\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (04/12/2013 04:45:08 PM) (Source: ESENT) (User: )
Description: taskhostex (3500) An attempt to open the file "C:\Users\Alonzo\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (04/11/2013 01:29:11 PM) (Source: Application Error) (User: )
Description: Faulting application name: ThumbnailExtractionHost.exe, version: 6.2.9200.16384, time stamp: 0x50109bfa
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505ab405
Exception code: 0xc0000005
Fault offset: 0x000000000005e750
Faulting process id: 0x954
Faulting application start time: 0xThumbnailExtractionHost.exe0
Faulting application path: ThumbnailExtractionHost.exe1
Faulting module path: ThumbnailExtractionHost.exe2
Report Id: ThumbnailExtractionHost.exe3
Faulting package full name: ThumbnailExtractionHost.exe4
Faulting package-relative application ID: ThumbnailExtractionHost.exe5

Error: (04/11/2013 00:14:14 PM) (Source: Application Error) (User: )
Description: Faulting application name: ThumbnailExtractionHost.exe, version: 6.2.9200.16384, time stamp: 0x50109bfa
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505ab405
Exception code: 0xc0000005
Fault offset: 0x0000000000065630
Faulting process id: 0x2aa0
Faulting application start time: 0xThumbnailExtractionHost.exe0
Faulting application path: ThumbnailExtractionHost.exe1
Faulting module path: ThumbnailExtractionHost.exe2
Report Id: ThumbnailExtractionHost.exe3
Faulting package full name: ThumbnailExtractionHost.exe4
Faulting package-relative application ID: ThumbnailExtractionHost.exe5

Error: (04/11/2013 05:58:52 AM) (Source: Application Error) (User: )
Description: Faulting application name: ThumbnailExtractionHost.exe, version: 6.2.9200.16384, time stamp: 0x50109bfa
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505ab405
Exception code: 0xc0000005
Fault offset: 0x0000000000065630
Faulting process id: 0x1974
Faulting application start time: 0xThumbnailExtractionHost.exe0
Faulting application path: ThumbnailExtractionHost.exe1
Faulting module path: ThumbnailExtractionHost.exe2
Report Id: ThumbnailExtractionHost.exe3
Faulting package full name: ThumbnailExtractionHost.exe4
Faulting package-relative application ID: ThumbnailExtractionHost.exe5

Error: (04/10/2013 09:42:19 PM) (Source: Application Error) (User: )
Description: Faulting application name: conhost.exe, version: 6.2.9200.16384, time stamp: 0x5010883c
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505ab405
Exception code: 0xc0000264
Fault offset: 0x00000000000e2438
Faulting process id: 0x17b0
Faulting application start time: 0xconhost.exe0
Faulting application path: conhost.exe1
Faulting module path: conhost.exe2
Report Id: conhost.exe3
Faulting package full name: conhost.exe4
Faulting package-relative application ID: conhost.exe5

Error: (04/10/2013 08:02:44 PM) (Source: Application Error) (User: )
Description: Faulting application name: conhost.exe, version: 6.2.9200.16384, time stamp: 0x5010883c
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505ab405
Exception code: 0xc0000005
Fault offset: 0x000000000005e750
Faulting process id: 0x1618
Faulting application start time: 0xconhost.exe0
Faulting application path: conhost.exe1
Faulting module path: conhost.exe2
Report Id: conhost.exe3
Faulting package full name: conhost.exe4
Faulting package-relative application ID: conhost.exe5

Error: (04/10/2013 06:41:55 PM) (Source: Application Error) (User: )
Description: Faulting application name: NOTEPAD.EXE, version: 6.2.9200.16384, time stamp: 0x501099bc
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505ab405
Exception code: 0xc0000005
Fault offset: 0x00000000000655c6
Faulting process id: 0x10f0
Faulting application start time: 0xNOTEPAD.EXE0
Faulting application path: NOTEPAD.EXE1
Faulting module path: NOTEPAD.EXE2
Report Id: NOTEPAD.EXE3
Faulting package full name: NOTEPAD.EXE4
Faulting package-relative application ID: NOTEPAD.EXE5

Error: (04/10/2013 06:14:38 PM) (Source: Application Error) (User: )
Description: Faulting application name: ThumbnailExtractionHost.exe, version: 6.2.9200.16384, time stamp: 0x50109bfa
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505ab405
Exception code: 0xc0000005
Fault offset: 0x000000000003cee1
Faulting process id: 0x16c8
Faulting application start time: 0xThumbnailExtractionHost.exe0
Faulting application path: ThumbnailExtractionHost.exe1
Faulting module path: ThumbnailExtractionHost.exe2
Report Id: ThumbnailExtractionHost.exe3
Faulting package full name: ThumbnailExtractionHost.exe4
Faulting package-relative application ID: ThumbnailExtractionHost.exe5

Error: (04/10/2013 06:02:36 PM) (Source: Application Error) (User: )
Description: Faulting application name: taskhostex.exe, version: 6.2.9200.16451, time stamp: 0x50987142
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505ab405
Exception code: 0xc0000005
Fault offset: 0x000000000003cf01
Faulting process id: 0x2064
Faulting application start time: 0xtaskhostex.exe0
Faulting application path: taskhostex.exe1
Faulting module path: taskhostex.exe2
Report Id: taskhostex.exe3
Faulting package full name: taskhostex.exe4
Faulting package-relative application ID: taskhostex.exe5


System errors:
=============
Error: (04/15/2013 03:37:29 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 12:26:21 PM on ?4/?15/?2013 was unexpected.

Error: (04/15/2013 00:26:21 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 11:38:16 AM on ?4/?15/?2013 was unexpected.

Error: (04/14/2013 07:46:10 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 900.

Error: (04/14/2013 03:32:37 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 900.

Error: (04/14/2013 01:47:21 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 900.

Error: (04/13/2013 01:58:24 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 900.

Error: (04/12/2013 05:32:44 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 51. The Windows SChannel error state is 900.

Error: (04/11/2013 05:40:23 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 5:02:58 PM on ?4/?11/?2013 was unexpected.

Error: (04/08/2013 04:16:24 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Error Reporting Service service, but this action failed with the following error:
%%1056

Error: (04/08/2013 04:14:24 PM) (Source: Service Control Manager) (User: )
Description: The Windows Error Reporting Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.


Microsoft Office Sessions:
=========================
Error: (04/15/2013 03:38:14 PM) (Source: ESENT)(User: )
Description: taskhostex420C:\Users\Alonzo\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (04/12/2013 04:45:08 PM) (Source: ESENT)(User: )
Description: taskhostex3500C:\Users\Alonzo\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (04/11/2013 01:29:11 PM) (Source: Application Error)(User: )
Description: ThumbnailExtractionHost.exe6.2.9200.1638450109bfantdll.dll6.2.9200.16420505ab405c0000005000000000005e75095401ce36e275e57ca7C:\WINDOWS\System32\ThumbnailExtractionHost.exeC:\WINDOWS\SYSTEM32\ntdll.dllb3b5bcd4-a2d5-11e2-be73-3860773e0065

Error: (04/11/2013 00:14:14 PM) (Source: Application Error)(User: )
Description: ThumbnailExtractionHost.exe6.2.9200.1638450109bfantdll.dll6.2.9200.16420505ab405c000000500000000000656302aa001ce36d7fd9ddaa7C:\WINDOWS\System32\ThumbnailExtractionHost.exeC:\WINDOWS\SYSTEM32\ntdll.dll3b707c5f-a2cb-11e2-be73-3860773e0065

Error: (04/11/2013 05:58:52 AM) (Source: Application Error)(User: )
Description: ThumbnailExtractionHost.exe6.2.9200.1638450109bfantdll.dll6.2.9200.16420505ab405c00000050000000000065630197401ce36a38d6d2dcaC:\WINDOWS\System32\ThumbnailExtractionHost.exeC:\WINDOWS\SYSTEM32\ntdll.dllcb3fe377-a296-11e2-be73-3860773e0065

Error: (04/10/2013 09:42:19 PM) (Source: Application Error)(User: )
Description: conhost.exe6.2.9200.163845010883cntdll.dll6.2.9200.16420505ab405c000026400000000000e243817b001ce365e2fa77e3cC:\WINDOWS\system32\conhost.exeC:\WINDOWS\SYSTEM32\ntdll.dll6d6fdf0f-a251-11e2-be73-3860773e0065

Error: (04/10/2013 08:02:44 PM) (Source: Application Error)(User: )
Description: conhost.exe6.2.9200.163845010883cntdll.dll6.2.9200.16420505ab405c0000005000000000005e750161801ce365045de057dC:\WINDOWS\system32\conhost.exeC:\WINDOWS\SYSTEM32\ntdll.dll83e8cd4b-a243-11e2-be73-3860773e0065

Error: (04/10/2013 06:41:55 PM) (Source: Application Error)(User: )
Description: NOTEPAD.EXE6.2.9200.16384501099bcntdll.dll6.2.9200.16420505ab405c000000500000000000655c610f001ce3644fba6698fC:\WINDOWS\system32\NOTEPAD.EXEC:\WINDOWS\SYSTEM32\ntdll.dll3976a933-a238-11e2-be73-3860773e0065

Error: (04/10/2013 06:14:38 PM) (Source: Application Error)(User: )
Description: ThumbnailExtractionHost.exe6.2.9200.1638450109bfantdll.dll6.2.9200.16420505ab405c0000005000000000003cee116c801ce36412c2dfc93C:\WINDOWS\System32\ThumbnailExtractionHost.exeC:\WINDOWS\SYSTEM32\ntdll.dll6a07c228-a234-11e2-be73-3860773e0065

Error: (04/10/2013 06:02:36 PM) (Source: Application Error)(User: )
Description: taskhostex.exe6.2.9200.1645150987142ntdll.dll6.2.9200.16420505ab405c0000005000000000003cf01206401ce363f7dfa3b87C:\WINDOWS\system32\taskhostex.exeC:\WINDOWS\SYSTEM32\ntdll.dllbbadea8d-a232-11e2-be73-3860773e0065


=========================== Installed Programs ============================

Age of Wushu (Version: 0.0.1.029)
BitLord 2.3 (Version: 2.3.1-196)
DAEMON Tools Ultra (Version: 1.0.0.0068)
Diablo II
League of Legends (Version: 1.3)
Lightning Warrior Raidy
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Pando Media Booster (Version: 2.6.0.8)
Realtek High Definition Audio Driver (Version: 6.0.1.6662)
Settings Alerter (Version: 4.5.0.5054)
WinRAR 4.20 (64-bit) (Version: 4.20.0)

========================= Memory info: ===================================

Percentage of memory in use: 20%
Total physical RAM: 7666.8 MB
Available physical RAM: 6096.79 MB
Total Pagefile: 8818.8 MB
Available Pagefile: 7079.23 MB
Total Virtual: 4095.88 MB
Available Virtual: 3953.76 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:919.71 GB) (Free:833.79 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:11.71 GB) (Free:1.42 GB) NTFS
3 Drive e: (Diablo II LOD) (CDROM) (Total:0.47 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\HP

Administrator            Alonzo                   ASPNET                  
Guest                   


**** End of log ****

 

=============================== MBAM ===================================

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.16.01

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16540
Alonzo :: HP [administrator]

4/15/2013 9:02:31 PM
mbam-log-2013-04-15 (21-02-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206468
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

========================= MBAR Scan Log ==========================

 

Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.04.16.01

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16540
Alonzo :: HP [administrator]

4/15/2013 9:18:48 PM
mbar-log-2013-04-15 (21-18-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 27797
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

====================== MBAR Sys Log =========================

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.05.0.1001

© Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16540

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.096000 GHz
Memory total: 8039227392, free: 6327566336

------------ Kernel report ------------
     04/15/2013 21:11:34
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\pciide.sys
\SystemRoot\System32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\intelide.sys
\SystemRoot\System32\drivers\viaide.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\atapi.sys
\SystemRoot\System32\drivers\ataport.SYS
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\WdFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\System32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\system32\DRIVERS\netr28x.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\system32\DRIVERS\Rt630x64.sys
\SystemRoot\System32\drivers\usbohci.sys
\SystemRoot\System32\drivers\USBPORT.SYS
\SystemRoot\System32\drivers\usbehci.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\sdbus.sys
\SystemRoot\System32\drivers\amdppm.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\dtscsibus.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\drivers\usbhub.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\drivers\USBSTOR.SYS
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\kbdhid.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\??\C:\WINDOWS\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\mslldp.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WinUsb.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\System32\drivers\WpdUpFltr.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa8009573740
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000041\
Lower Device Object: 0xfffffa8009577060
Lower Device Driver Name: \Driver\USBSTOR\
Driver name found: USBSTOR
Initialization returned 0x0
Load Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8007e40060
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\0000002f\
Lower Device Object: 0xfffffa80075947f0
Lower Device Driver Name: \Driver\storahci\
Driver name found: storahci
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\Drivers\storport.sys (0x0)
Load Function returned 0x0
Downloaded database version: v2013.04.16.01
Downloaded database version: v2013.03.25.01
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8007e40060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8007e40b10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8007e40060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xfffffa80075947f0, DeviceName: \Device\0000002f\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xfffff8a009ea8ae0, 0xfffffa8007e40060, 0xfffffa800ae37740
Lower DeviceData: 0xfffff8a009e9cd10, 0xfffffa80075947f0, 0xfffffa800aed73a0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 2CE79C87

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 200704
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 208845  Numsec = 1928763900

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1928974336  Numsec = 24548784

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xfffffa8009573740, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8009572040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8009573740, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
DevicePointer: 0xfffffa8009577060, DeviceName: \Device\00000041\, DriverName: \Driver\USBSTOR\
------------ End ----------
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================

 

================================================================================

 

To LCS_Tech, I had Bitlord but I didn't spend much time downloading torrents. I know that I set it not to run on startup but since I don't know how effective that is at protecting my computer I went ahead and removed it (after completing the scans) just to be safe.

 



#5 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:20 PM

Posted 15 April 2013 - 09:48 PM

Your logs look clean so far...

 

p22002970.gif Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

p22002970.gif Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


=============================================================================

p22002970.gif Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


=======================================

p22002970.gif Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#6 dbteepo

dbteepo
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:20 PM

Posted 19 April 2013 - 10:15 PM

Thanks Broni, Eset picked up something.

 

==============AdwCleaner=================

 

# AdwCleaner v2.200 - Logfile created 04/11/2013 at 17:36:34
# Updated 02/04/2013 by Xplode
# Operating system : Windows 8 Pro  (64 bits)
# User : Alonzo - HP
# Boot Mode : Normal
# Running from : C:\Users\Alonzo\Desktop\Infections\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\ProgramData\Browser Manager

***** [Registry] *****

Data Deleted : [x64] HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SETTIN~1\Datamngr\x64\datamngr.dll
Data Deleted : [x64] HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SETTIN~1\Datamngr\x64\IEBHO.dll
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SETTIN~1\Datamngr\datamngr.dll
Data Deleted : HKLM\..\Windows [AppInit_DLLs] = C:\PROGRA~2\SETTIN~1\Datamngr\IEBHO.dll
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll
Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader
Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader.1
Key Deleted : HKLM\SOFTWARE\Classes\iLividIEHelper.DNSGuard
Key Deleted : HKLM\SOFTWARE\Classes\iLividIEHelper.DNSGuard.1
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Key Deleted : HKLM\SOFTWARE\DataMngr
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2D6C718-7E52-428E-8852-365C4B1A6E36}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [10]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [10]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16519

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [2582 octets] - [11/04/2013 17:35:27]
AdwCleaner[R2].txt - [2642 octets] - [11/04/2013 17:36:25]
AdwCleaner[S1].txt - [2574 octets] - [11/04/2013 17:36:34]
AdwCleaner[S2].txt - [2826 octets] - [20/11/2012 00:26:23]

########## EOF - C:\AdwCleaner[S1].txt - [2694 octets] ##########

 

================JRT=======================

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.8.6 (04.19.2013:1)
OS: Windows 8 Pro x64
Ran by Alonzo on Fri 04/19/2013 at 20:44:52.75
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\windows nt\currentversion\windows\\AppInit_DLLs

 

~~~ Registry Keys

 

~~~ Files

Successfully deleted: [File] C:\eula.1028.txt
Successfully deleted: [File] C:\eula.1031.txt
Successfully deleted: [File] C:\eula.1033.txt
Successfully deleted: [File] C:\eula.1036.txt
Successfully deleted: [File] C:\eula.1040.txt
Successfully deleted: [File] C:\eula.1041.txt
Successfully deleted: [File] C:\eula.1042.txt
Successfully deleted: [File] C:\eula.2052.txt
Successfully deleted: [File] C:\install.res.1028.dll
Successfully deleted: [File] C:\install.res.1031.dll
Successfully deleted: [File] C:\install.res.1033.dll
Successfully deleted: [File] C:\install.res.1036.dll
Successfully deleted: [File] C:\install.res.1040.dll
Successfully deleted: [File] C:\install.res.1041.dll
Successfully deleted: [File] C:\install.res.1042.dll
Successfully deleted: [File] C:\install.res.2052.dll
Successfully deleted: [File] C:\install.res.3082.dll
Successfully deleted: [File] "C:\Users\Alonzo\desktop\play games.lnk"
Successfully deleted: [File] "C:\Users\Alonzo\documents\1click.cfg"

 

~~~ Folders

Failed to delete: [Folder] "C:\ProgramData\wincert"
Successfully deleted: [Folder] "C:\Users\Alonzo\appdata\locallow\datamngr"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 04/19/2013 at 20:50:42.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

=====================ESetScan===============================

 

C:\Windows.old\Users\Alonzo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\19ce0d79-449e4f24 Java/Exploit.CVE-2012-1723.GE trojan cleaned by deleting - quarantined
C:\Windows.old\Users\Alonzo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\12d96f3b-4a5d67b0 multiple threats cleaned by deleting - quarantined
C:\Windows.old\Users\Alonzo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\49a5927b-75210cdc a variant of Java/Exploit.CVE-2013-0422.CF trojan cleaned by deleting - quarantined



#7 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:20 PM

Posted 19 April 2013 - 10:20 PM

How is computer doing?


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#8 dbteepo

dbteepo
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:08:20 PM

Posted 20 April 2013 - 03:37 AM

Everything seems to be running fine, thanks. I'll keep an eye on my event viewer for awhile and see if anything looks funny or out of place. If we're finished here then I wish you well *waves*



#9 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:20 PM

Posted 20 April 2013 - 12:18 PM

Way to go!! p4193510.gif
Good luck and stay safe :)
 


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users