
Incoming/Outgoing Connections from Eastern Bloc


This topic is locked
14 replies to this topic

#1 badcomputer (Members, 33 posts)

Posted 20 January 2014 - 07:01 PM

My PC was running awfully slow until I scanned with Malwarebytes. It removed several items, including some Conduit infections among others. The log is attached for review. However, the incoming/outgoing connections haven't stopped. For example, two of the IPs are 123.203.114.227 and 195.88.145.239. I did some googling and most of the connections come from "Vlaff Processing LTD". Can you please help?

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.19.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Danny :: SKYNET [administrator]

Protection: Enabled

1/19/2014 4:52:21 AM
MBAM-log-2014-01-19 (10-45-17).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 352132
Time elapsed: 1 hour(s), 45 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCU\Software\ConduitSearchScopes (PUP.Optional.Conduit.A) -> No action taken.
HKCU\SOFTWARE\CROSSRIDER (PUP.Optional.CrossRider.A) -> No action taken.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MixiDJ_V8 Toolbar (PUP.Optional.MixiDJToolbar.A) -> No action taken.

Registry Values Detected: 2
HKCU\Software\Crossrider|Verifier (PUP.Optional.CrossRider.A) -> Data: 283b61794c0be98a7ec1f72435c2ea17 -> No action taken.
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: e07c9de6dff068904db02e53a96fe5d1 -> No action taken.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit.A) -> Bad: (http://search.conduit.com/?ctid=CT3287822&octid=CT3287822&SearchSource=61&CUI=UN12785963603015719&UM=2&UP=SPDEBFC18F-585C-4E39-B6B5-3362E4ECC0B8) Good: (http://www.google.com) -> No action taken.

Folders Detected: 10
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061 (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\xpi (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\xpi\defaults (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\xpi\defaults\preferences (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Conduit\IE (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Conduit\IE\CT3306061 (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\Connect_DLC_5 (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\MixiDJ_V8 (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Application Data\MixiDJ_V8 (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Application Data\MixiDJ_V8\Logs (PUP.Optional.MixiDJToolbar.A) -> No action taken.

Files Detected: 38
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158058.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158056.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158059.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158060.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158061.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158066.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158067.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158068.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158069.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158070.dll (PUP.Optional.Conduit) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158071.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\System Volume Information\_restore{16740B44-BB8B-4BB6-8EA5-45CDB9C08433}\RP169\A0158072.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\chromeid.txt (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\conduit.xml (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\CT3306061.txt (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\CT3306061.xpi (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\initdata.json (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\manifest.json (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\setup.ini.txt (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\version.txt (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\xpi\install.rdf (PUP.Optional.Conduit.A) -> No action taken.
C:\Documents and Settings\Danny\Local Settings\Temp\ct3306061\xpi\defaults\preferences\defaults.js (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\Connect_DLC_5\GottenAppsContextMenu.xml (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\Connect_DLC_5\OtherAppsContextMenu.xml (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\Connect_DLC_5\SharedAppsContextMenu.xml (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\Connect_DLC_5\ToolbarContextMenu.xml (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files\MixiDJ_V8\GottenAppsContextMenu.xml (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\hk64tbMixi.dll (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\hktbMixi.dll (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\ldrtbMixi.dll (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\MixiDJ_V8ToolbarHelper.exe (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\OtherAppsContextMenu.xml (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\prxtbMixi.dll (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\SharedAppsContextMenu.xml (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\tbMixi.dll (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\toolbar.cfg (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\ToolbarContextMenu.xml (PUP.Optional.MixiDJToolbar.A) -> No action taken.
C:\Program Files\MixiDJ_V8\uninstall.exe (PUP.Optional.MixiDJToolbar.A) -> No action taken.

(end)
 



Edited by hamluis, 21 January 2014 - 10:41 AM.
Moved from XP to Am I Infected - Hamluis.




#2 noknojon (Banned, 10,871 posts)

Posted 21 January 2014 - 02:47 PM

Hello badcomputer -

Please open your Malwarebytes program and click Updates (across the top) > Now Click on Settings (along the top) > Now Scanner Settings > Now Tick all boxes on the Left side > Now in the top 2 Drop-down Menus select "Show in results list and check for Removal".

 

(-> No action taken.) means you did not remove the infections.

You have found a lot of minor problems, but you have Not Yet Removed any of them -

 

Now Click Scanner and click Perform Full Scan and Scan

 

Copy and paste that log back here -

 

Also download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.

* If the program slows, it is just gathering / looking for more information.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

Include that with your post -

 

Thank You -
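The "No action taken" point above is easy to miss in a long Malwarebytes log. The following is an added example (not code from the thread or from Malwarebytes) that parses a log in the 1.x format posted in this thread and reports, per section and per detection name, how many items were actually removed and how many were only found. The sample log embedded in the script is constructed for the example, modelled on the entries in badcomputer's first post.

```python
"""Added example: triage a Malwarebytes Anti-Malware 1.x scan log.

Reads the "<Section> Detected: N" blocks, splits each detection line into
item / detection name / final action, and flags every entry whose action is
"No action taken" (found but not removed).
"""
import re
from collections import Counter

# Constructed sample in the layout of the logs quoted in the thread.
SAMPLE_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\Software\ConduitSearchScopes (PUP.Optional.Conduit.A) -> No action taken.
HKCU\SOFTWARE\CROSSRIDER (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\Crossrider|Verifier (PUP.Optional.CrossRider.A) -> Data: 283b61794c0be98a7ec1f72435c2ea17 -> No action taken.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit.A) -> Bad: (http://search.conduit.com/?ctid=CT3287822) Good: (http://www.google.com) -> No action taken.

Folders Detected: 1
C:\Program Files (x86)\MixiDJ_V8 (PUP.Optional.MixiDJToolbar.A) -> No action taken.

Files Detected: 0
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Greedy ".+" makes the LAST parenthesised group the detection name, so paths
# such as "C:\Program Files (x86)\..." are handled.
HEAD_RE = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\)$")


def parse_detection(line):
    """Return (item, detection_name, action) for one detection line, else None."""
    if " -> " not in line:
        return None
    head, *tail = line.split(" -> ")
    m = HEAD_RE.match(head)
    if not m:
        return None
    # Extra "-> Data: ..." / "-> Bad: ... Good: ..." parts sit before the action.
    action = tail[-1].strip().rstrip(".")
    return m.group("item"), m.group("name"), action


def parse_mbam_log(text):
    """Return a list of dicts with keys section, item, name, action."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        parsed = parse_detection(line)
        if parsed and section:
            item, name, action = parsed
            detections.append({"section": section, "item": item,
                               "name": name, "action": action})
    return detections


def unremoved(detections):
    """Entries the scan found but did not remove."""
    return [d for d in detections if d["action"] == "No action taken"]


def summarize(detections):
    """Counts per section, per detection name and per action."""
    return {
        "by_section": dict(Counter(d["section"] for d in detections)),
        "by_name": dict(Counter(d["name"] for d in detections)),
        "by_action": dict(Counter(d["action"] for d in detections)),
    }


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    summary = summarize(dets)
    print("detections:", len(dets), "| not removed:", len(unremoved(dets)))
    for key in ("by_section", "by_name", "by_action"):
        print(key)
        for k, v in sorted(summary[key].items()):
            print(f"  {v:3d}  {k}")
    for d in unremoved(dets):
        print("STILL PRESENT:", d["section"], "->", d["item"])
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a non-empty `unremoved()` list is the signal that the scan must be re-run with removal enabled, which is exactly what the second log in this thread (all sections at 0) then confirms.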



#3 badcomputer (Topic Starter, Members, 33 posts)

Posted 21 January 2014 - 07:22 PM

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.21.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Danny :: SKYNET [administrator]

Protection: Enabled

1/21/2014 5:45:56 PM
mbam-log-2014-01-21 (17-45-56).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 365983
Time elapsed: 1 hour(s), 18 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

 Results of screen317's Security Check version 0.99.79  
 Windows XP Service Pack 3 x86   
 Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 avast! Free Antivirus    
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 45  
 Java version out of Date!
 Adobe Flash Player     11.9.900.170  
 Adobe Reader XI  
 Mozilla Firefox (26.0)
 Google Chrome 31.0.1650.63  
 Google Chrome 32.0.1700.76  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 33% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 



#4 noknojon (Banned, 10,871 posts)

Posted 21 January 2014 - 10:26 PM

Internet Explorer 6 Out of date!

Are you running Windows Updates? It should be at least I.E.8

 Total Fragmentation on Drive C:: 33% Defragment your hard drive soon! (Do NOT defrag if SSD!)

This is very clogged for a standard Hard Drive -

Go - Programs > Accessories > System Tools > Disk Defragmenter and run it -

 

Your Malwarebytes scan looks very good, but you have deleted the items twice ??

 

How is it running now ??

 

Thanks


Edited by noknojon, 21 January 2014 - 10:27 PM.


#5 badcomputer (Topic Starter, Members, 33 posts)

Posted 22 January 2014 - 12:04 AM

Malwarebytes is detecting outgoing/incoming connections to the Eastern Bloc constantly as I have stated recently, like 89.28.19.79, detecting it as malicious websites.


Edited by badcomputer, 22 January 2014 - 12:05 AM.


#6 noknojon (Banned, 10,871 posts)

Posted 22 January 2014 - 04:34 AM

Hi -

We can take a further look -

 

Please post a snapshot with Speccy for more system details -
How to Publish a snapshot with Speccy <<-- Full Directions Here, only post the link

 

Download MiniToolBox, Save it to your desktop to run it.
Close any Firefox browsers you may have open
Checkmark the following boxes:
• Flush DNS
• Report IE Proxy Settings
• Reset IE Proxy Settings
• Report FF Proxy Settings
• Reset FF Proxy Settings
• List content of Hosts
• List IP configuration
• List last 10 Event Viewer log
• List Installed Programs
• List Users, Partitions and Memory size.
• List Minidump Files
 
Click Go and copy / paste the result (Result.txt).

 

 

Thanks -



#7 badcomputer (Topic Starter, Members, 33 posts)

Posted 22 January 2014 - 11:31 AM

http://speccy.piriform.com/results/xgdwTjykcSuNNQP8QeSkfsQ

MiniToolBox by Farbar  Version: 18-12-2013
Ran by Danny (administrator) on 22-01-2014 at 11:27:29
Running from "C:\Documents and Settings\Danny\My Documents\Downloads"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

ASIX AX88772 USB2.0 to Fast Ethernet Adapter = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration         
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

        Host Name . . . . . . . . . . . . : skynet
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : ASIX AX88772 USB2.0 to Fast Ethernet Adapter
        Physical Address. . . . . . . . . : 00-0B-E6-08-93-D9
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Wednesday, January 22, 2014 11:23:11 AM
        Lease Expires . . . . . . . . . . : Thursday, January 23, 2014 11:23:11 AM

Server:  UnKnown
Address:  192.168.1.1

Name:    google.com
Addresses:  74.125.229.167, 74.125.229.168, 74.125.229.160, 74.125.229.174
      74.125.229.166, 74.125.229.163, 74.125.229.162, 74.125.229.164, 74.125.229.165
      74.125.229.161, 74.125.229.169

Pinging google.com [74.125.229.164] with 32 bytes of data:

Reply from 74.125.229.164: bytes=32 time=17ms TTL=52
Reply from 74.125.229.164: bytes=32 time=13ms TTL=52

Ping statistics for 74.125.229.164:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 17ms, Average = 15ms

Server:  UnKnown
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  98.139.183.24, 206.190.36.45, 98.138.253.109

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=113ms TTL=46
Reply from 206.190.36.45: bytes=32 time=96ms TTL=46

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 113ms, Average = 104ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0b e6 08 93 d9 ...... ASIX AX88772 USB2.0 to Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.6      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      169.254.0.0      255.255.0.0      192.168.1.6     192.168.1.6      20
      192.168.1.0    255.255.255.0      192.168.1.6     192.168.1.6      20
      192.168.1.6  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255      192.168.1.6     192.168.1.6      20
        224.0.0.0        240.0.0.0      192.168.1.6     192.168.1.6      20
  255.255.255.255  255.255.255.255      192.168.1.6     192.168.1.6      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/13/2014 00:43:14 PM) (Source: ESENT) (User: )
Description: wuauclt (492) An attempt to delete the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log" failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The delete file operation will fail with error -1032 (0xfffffbf8).

Error: (01/13/2014 00:35:37 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (01/13/2014 00:35:34 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (01/13/2014 00:35:34 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (01/13/2014 00:35:34 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (01/13/2014 09:24:00 AM) (Source: HiRezSoftwareManagerSvc) (User: )
Description: Service cannot be started. The service process could not connect to the service controller

Error: (01/10/2014 08:30:24 AM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 6.3.0.105, faulting module skype.exe, version 6.3.0.105, fault address 0x003b15de.
Processing media-specific event for [skype.exe!ws!]

Error: (12/30/2013 10:44:15 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 26.0.0.5087, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (12/03/2013 05:56:29 PM) (Source: Application Error) (User: )
Description: Faulting application league of legends.exe, version 3.14.0.738, faulting module league of legends.exe, version 3.14.0.738, fault address 0x0042c7b0.
Processing media-specific event for [league of legends.exe!ws!]

Error: (12/03/2013 03:12:57 PM) (Source: Application Error) (User: )
Description: Faulting application skype.exe, version 6.3.0.105, faulting module skype.exe, version 6.3.0.105, fault address 0x003b15de.
Processing media-specific event for [skype.exe!ws!]


System errors:
=============
Error: (01/22/2014 11:23:54 AM) (Source: 0) (User: )
Description: C:

Error: (01/21/2014 07:48:38 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Error: (01/19/2014 11:22:06 PM) (Source: DCOM) (User: SKYNET)
Description: The server {9B1F122C-2982-4E91-AA8B-E071D54F2A4D} did not register with DCOM within the required timeout.

Error: (01/19/2014 10:48:21 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The server {9B1F122C-2982-4E91-AA8B-E071D54F2A4D} did not register with DCOM within the required timeout.

Error: (01/19/2014 03:20:29 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The server {9B1F122C-2982-4E91-AA8B-E071D54F2A4D} did not register with DCOM within the required timeout.

Error: (01/19/2014 01:28:43 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The server {9B1F122C-2982-4E91-AA8B-E071D54F2A4D} did not register with DCOM within the required timeout.

Error: (01/16/2014 06:00:51 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/16/2014 03:51:19 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
aswRvrt
aswSnx
aswSP
aswTdi
aswVmm
Fips
intelppm

Error: (01/16/2014 03:50:41 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/16/2014 03:46:16 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Hi-Rez Studios Authenticate and Update Service service to connect.


Microsoft Office Sessions:
=========================
Error: (01/13/2014 00:43:14 PM) (Source: ESENT)(User: )
Description: wuauclt492C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (01/13/2014 00:35:37 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (01/13/2014 00:35:34 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (01/13/2014 00:35:34 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (01/13/2014 00:35:34 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtA connection with the server could not be established

Error: (01/13/2014 09:24:00 AM) (Source: HiRezSoftwareManagerSvc)(User: )
Description: Service cannot be started. The service process could not connect to the service controller

Error: (01/10/2014 08:30:24 AM) (Source: Application Error)(User: )
Description: skype.exe6.3.0.105skype.exe6.3.0.105003b15de

Error: (12/30/2013 10:44:15 PM) (Source: Application Hang)(User: )
Description: firefox.exe26.0.0.5087hungapp0.0.0.000000000

Error: (12/03/2013 05:56:29 PM) (Source: Application Error)(User: )
Description: league of legends.exe3.14.0.738league of legends.exe3.14.0.7380042c7b0

Error: (12/03/2013 03:12:57 PM) (Source: Application Error)(User: )
Description: skype.exe6.3.0.105skype.exe6.3.0.105003b15de


=========================== Installed Programs ============================

µTorrent (Version: 3.3.2.30303)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.170)
Adobe Flash Player 11 Plugin (Version: 11.9.900.170)
Adobe Reader XI (11.0.06) (Version: 11.0.06)
Apple Application Support (Version: 2.3.6)
Apple Mobile Device Support (Version: 7.0.0.117)
Apple Software Update (Version: 2.1.3.127)
avast! Free Antivirus (Version: 9.0.2011)
Bonjour (Version: 3.0.0.10)
Google Chrome (Version: 32.0.1700.76)
Google Update Helper (Version: 1.3.22.3)
Hi-Rez Studios Authenticate and Update Service (Version: 3.0.0.0)
iTunes (Version: 11.1.3.8)
Java 7 Update 45 (Version: 7.0.450)
Java Auto Updater (Version: 2.1.9.8)
Kingsoft Office 2012 (8.1.0.3375) (Version: 8.1.0.3375)
League of Legends (Version: 1.3)
Left 4 Dead 2
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 26.0 (x86 en-US) (Version: 26.0)
Mozilla Maintenance Service (Version: 26.0)
NVIDIA Control Panel 331.58 (Version: 331.58)
NVIDIA GeForce Experience 1.7 (Version: 1.7)
NVIDIA Graphics Driver 331.58 (Version: 331.58)
NVIDIA Install Application (Version: 2.1002.140.952)
NVIDIA nView 140.75 (Version: 140.75)
NVIDIA PhysX (Version: 9.13.0725)
NVIDIA PhysX System Software 9.13.0725 (Version: 9.13.0725)
NVIDIA Update 9.3.16 (Version: 9.3.16)
NVIDIA Update Components (Version: 9.3.16)
Pando Media Booster (Version: 2.6.0.8)
QuickTime (Version: 7.73.80.64)
RealDownloader (Version: 1.3.0)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0)
RealPlayer (Version: 16.0.0)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.35.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.6662)
RealUpgrade 1.1 (Version: 1.1.0)
Skype Click to Call (Version: 6.13.13771)
Skype™ 6.3 (Version: 6.3.105)
Smite (Version: 0.1.1887.0)
Star Wars: The Old Republic (Version: 1.00)
Steam (Version: 1.0.0.0)
TeamSpeak 3 Client (Version: 3.0.10.1)
Tribes Ascend (Version: 1.0.1268.1)
WebFldrs XP (Version: 9.50.7523)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR 4.20 (32-bit) (Version: 4.20.0)
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar

========================= Memory info: ===================================

Percentage of memory in use: 34%
Total physical RAM: 2046.42 MB
Available physical RAM: 1349.45 MB
Total Pagefile: 3939.45 MB
Available Pagefile: 3394.03 MB
Total Virtual: 2047.88 MB
Available Virtual: 1980.65 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:213.32 GB) NTFS

========================= Users: ========================================

User accounts for \\SKYNET

Administrator            ASPNET                   Danny                    
Guest                    HelpAssistant            SUPPORT_388945a0         
UpdatusUser              

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini010914-01.dmp
C:\WINDOWS\Minidump\Mini011813-01.dmp

**** End of log ****
 



#8 noknojon (Banned, 10,871 posts)

Posted 22 January 2014 - 03:44 PM

Although Windows Updates are set, I see no current ones listed at all ??

You may guess that (after Google Chrome) µTorrent is one of my least liked programs, and you will get infected there.

 

I do not have a direct answer yet, but Skype and similar programs are from European areas.

 

Now, read and then Download TCPView for Windows <= from here
The directions are very plain and good to follow.

 

Thanks -



#9 badcomputer (Topic Starter, Members, 33 posts)

Posted 23 January 2014 - 12:45 AM

It says the post is too long. How do I attach a file here? I can't find the option.


Edited by badcomputer, 23 January 2014 - 12:58 AM.


#10 noknojon (Banned, 10,871 posts)

Posted 23 January 2014 - 03:40 AM

Do you know how to create a Zip File ??

 

Also the program was for you to keep an eye on in and out access -



#11 badcomputer (Topic Starter, Members, 33 posts)

Posted 23 January 2014 - 12:01 PM

The program shows a worrisome number of connections to IPs in the range I mentioned that are currently blocked by Malwarebytes, listed as TIMEWAIT and run by System Process. I need help shutting them down and finding what is running them.
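The TCPView observation above (connections to the blocked addresses, all in TIME_WAIT and attributed to "System Process") is worth separating from the live ones, because a TIME_WAIT socket is the tail end of a connection that has already been closed: Windows reports it with PID 0 (TCPView shows that as "System Process") regardless of which program opened it, so those rows cannot name the culprit. The rows that can are ESTABLISHED or SYN_SENT entries to the same addresses, which carry the real owning PID. The following added example (not code from the thread, TCPView or Malwarebytes) parses `netstat -ano` style output and splits watch-list hits that way. The sample output is constructed for the example; the watch-list addresses are the three IPs badcomputer quotes in this thread, and the PIDs in the sample are invented.

```python
"""Added example: triage netstat -ano output against a watch list of
addresses that the on-access scanner has been blocking.

TIME_WAIT rows (PID 0, "System Process" in TCPView) are already-closed
connections and cannot identify the originating program; rows in any
other state carry the PID that currently owns the socket.
"""
import re
from collections import defaultdict

# Addresses quoted by the topic starter in this thread.
WATCH_LIST = {"123.203.114.227", "195.88.145.239", "89.28.19.79"}

# Constructed sample in the layout of `netstat -ano` on Windows XP.
# PIDs 1788 and 2240 are invented for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.6:1043       74.125.229.164:80      ESTABLISHED     1788
  TCP    192.168.1.6:1051       89.28.19.79:80         TIME_WAIT       0
  TCP    192.168.1.6:1052       89.28.19.79:80         TIME_WAIT       0
  TCP    192.168.1.6:1060       123.203.114.227:8080   SYN_SENT        2240
  TCP    192.168.1.6:1061       195.88.145.239:443     ESTABLISHED     2240
  UDP    0.0.0.0:445            *:*                                    4
"""

# UDP rows have no State column, hence the optional group.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("remote").rpartition(":")
        rows.append({
            "proto": m.group("proto"),
            "local": m.group("local"),
            "remote_host": host,
            "remote_port": port,
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return rows


def triage(rows, watch_list):
    """Split watch-list hits into closed (TIME_WAIT) and live (state + PID)."""
    report = {"closed": [], "live": defaultdict(set)}
    for r in rows:
        if r["remote_host"] not in watch_list:
            continue
        if r["state"] == "TIME_WAIT":
            report["closed"].append(r)
        else:
            report["live"][r["pid"]].add(r["remote_host"])
    return report


def live_pids(rows, watch_list):
    """PIDs that currently hold a non-TIME_WAIT connection to a watched address."""
    return sorted(triage(rows, watch_list)["live"].keys())


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    report = triage(rows, WATCH_LIST)
    print(f"{len(report['closed'])} closed (TIME_WAIT) hits: no owning process recorded")
    for pid, hosts in sorted(report["live"].items()):
        print(f"PID {pid} is live to: {', '.join(sorted(hosts))}")
```

The live PIDs are what to look up in TCPView or Task Manager; a repeating stream of TIME_WAIT-only hits means the process opens a connection and closes it again before a listing catches it, so a second capture a few seconds later, or TCPView left running as noknojon suggests, is needed to see the ESTABLISHED row.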



#12 badcomputer (Topic Starter, Members, 33 posts)

Posted 23 January 2014 - 12:29 PM

http://www.filedropper.com/tcp1

 

Update: AdwCleaner finds the following folders, but when attempting to clean, the program locks up: no advance in the progress bar, the cursor turns into a timer, and the rest of the processes freeze.

 

# AdwCleaner v3.017 - Report created 23/01/2014 at 13:15:01
# Updated 12/01/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Danny - SKYNET
# Running from : C:\Documents and Settings\Danny\My Documents\Downloads\adwcleaner(1).exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\Danny\Application Data\Mozilla\Firefox\Profiles\gcvkjrpr.default\searchplugins\Conduit.xml
Folder Found : C:\Documents and Settings\Danny\Application Data\Mozilla\Firefox\Profiles\gcvkjrpr.default\Extensions\{d1b5aad5-d1ae-4b20-88b1-feeaeb4c1ebc}
Folder Found C:\Documents and Settings\Danny\Application Data\Mozilla\Firefox\Profiles\gcvkjrpr.default\CT3306061
Folder Found C:\Documents and Settings\Danny\Local Settings\Application Data\Conduit
Folder Found C:\Documents and Settings\Danny\Local Settings\Application Data\NativeMessaging

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

***** [ Browsers ] *****

-\\ Internet Explorer v6.0.2900.5512


-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Documents and Settings\Danny\Application Data\Mozilla\Firefox\Profiles\gcvkjrpr.default\prefs.js ]

Line Found : user_pref("CT3287822.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"about%3Ablank\",\"EB_MAIN_FRAME_TITLE\":\"\"}");
Line Found : user_pref("CT3287822_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1363667846548,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Found : user_pref("CT3306061.FF19Solved", "true");
Line Found : user_pref("CT3306061.UserID", "UN30360322721216399");
Line Found : user_pref("CT3306061.fullUserID", "UN30360322721216399.IN.20140114182844");
Line Found : user_pref("CT3306061.installDate", "14/01/2014 18:28:52");
Line Found : user_pref("CT3306061.installSessionId", "{377FCB2F-6821-4A3B-BDDF-58A79025512E}");
Line Found : user_pref("CT3306061.installSp", "TRUE");
Line Found : user_pref("CT3306061.installerVersion", "1.8.1.4");
Line Found : user_pref("CT3306061.searchRevert", "true");
Line Found : user_pref("CT3306061.searchUninstallUserMode", "2");
Line Found : user_pref("CT3306061.searchUserMode", "2");
Line Found : user_pref("CT3306061.toolbarInstallDate", "14-01-2014 18:28:44");
Line Found : user_pref("CT3306061.versionFromInstaller", "10.23.0.722");
Line Found : user_pref("CT3306061.xpeMode", "1");
Line Found : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3287822&octid=CT3287822&SearchSource=61&CUI=UN27253776682103421&UM=UM_ID&UP=SPDEBFC18F-585C-4E39-B6B5-3362E4ECC0B8");
Line Found : user_pref("Smartbar.ConduitSearchEngineList", "MixiDJ V8 Customized Web Search");
Line Found : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287822&SearchSource=2&CUI=UN27253776682103421&UM=UM_ID&q=");
Line Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Found : user_pref("Smartbar.keywordURLSelectedCTID", "CT3287822");
Line Found : user_pref("browser.search.defaultthis.engineName", "MixiDJ V8 Customized Web Search");
Line Found : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287822&SearchSource=3&q={searchTerms}&CUI=UN27253776682103421");
Line Found : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287822&SearchSource=2&CUI=UN27253776682103421&UM=UM_ID&q=");
Line Found : user_pref("smartbar.machineId", "XGMY4NRG/6MDUSEWFPPWQAJYH3UNEWMWFY4NJYFJJW/JRCKUEYHHQTFPX3U51DICSRKCB0ON29WTLV05XGMRNQ");

[ File : C:\Documents and Settings\Administrator.SKYNET\Application Data\Mozilla\Firefox\Profiles\4tnzek2q.default\prefs.js ]


-\\ Google Chrome v32.0.1700.76

[ File : C:\Documents and Settings\Danny\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Found : homepage
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup
Found : homepage
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup
Found : homepage
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : urls_to_restore_on_startup
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword
Found : icon_url
Found : search_url
Found : suggest_url
Found : keyword

*************************

AdwCleaner[R0].txt - [7115 octets] - [19/01/2014 04:33:09]
AdwCleaner[R1].txt - [6037 octets] - [23/01/2014 12:46:27]
AdwCleaner[R2].txt - [1979 octets] - [23/01/2014 12:55:42]
AdwCleaner[R3].txt - [5353 octets] - [23/01/2014 13:01:41]
AdwCleaner[R4].txt - [1203 octets] - [23/01/2014 13:05:41]
AdwCleaner[R5].txt - [5155 octets] - [23/01/2014 13:15:01]
AdwCleaner[S0].txt - [363 octets] - [19/01/2014 04:34:12]
AdwCleaner[S1].txt - [366 octets] - [23/01/2014 12:47:52]
AdwCleaner[S2].txt - [2066 octets] - [23/01/2014 12:56:22]
AdwCleaner[S3].txt - [366 octets] - [23/01/2014 13:02:21]
AdwCleaner[S4].txt - [1265 octets] - [23/01/2014 13:06:08]

########## EOF - C:\AdwCleaner\AdwCleaner[R5].txt - [5512 octets] ##########
 


Edited by badcomputer, 23 January 2014 - 01:29 PM.


#13 noknojon (Banned, 10,871 posts)

Posted 23 January 2014 - 02:12 PM

Hello -

There are some scans that are not allowed in this area of the forum.

I am not saying you are infected, but more help is needed -

 

Please follow the instructions in THIS PREP GUIDE starting at Step #6.

NOTE - If you cannot complete a step, skip it and continue.

 

Once the proper DDS logs are created, then make a NEW TOPIC and post it to the Virus, Trojan, Spyware, and Malware Removal Logs area -

 

An Expert will diagnose them when one is available, and add further steps. Please be patient as the area can get busy.

 

The sooner you post there, the sooner you will get more help.

 

If HelpBot posts a reply, please follow its Step #1 and the team will be notified.

 

Please post a link to your new topic back here, so we can lock this one to prevent others posting useless information.

 

Thank You -



#14 badcomputer (Topic Starter, Members, 33 posts)

Posted 23 January 2014 - 04:52 PM

Thank you



#15 hamluis (Moderator, 55,757 posts, Location: Killeen, TX)

Posted 24 January 2014 - 07:59 AM

Reference: http://www.bleepingcomputer.com/forums/t/521871/conduit-connections-to-bosnia-and-the-eastern-bloc/#entry3268314

 

Now that you have properly posted a malware log topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on, the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Louis





