There are mysterious entries in the registry and abnormal incoming connections


This topic is locked
2 replies to this topic

#1 gmeruser123

Posted 05 March 2014 - 07:26 PM

OS: Windows 7 SP1

Some of this post was, I guess, incorrectly posted under another topic:

http://www.bleepingcomputer.com/forums/t/526524/utorrent-seems-to-be-vulnerable-to-dos-attacks/

The content of that post has been pasted here:

I have a Linux PC acting as a gateway/router for the Windows PC. Under normal conditions, and when the Windows PC is not connected to the Linux PC, there are various unsolicited incoming connection attempts.

Whenever I enable the NIC on the Windows PC, the unsolicited attempts increase significantly. There are no internet-servicing applications running.

When a bittorrent or p2p application starts, specifically utorrent, there are attempts to connect via standard private IANA IP addresses.

That, I believe, might be specific vulnerabilities in those particular applications, but the attempt to connect when there are no internet-soliciting applications running leads me to believe there is an infected executable acting as a server, perhaps a botnet.

I understand that there could be stragglers left over from previously open connections with these applications, but I have turned off these services for at least 72 hours. The connections are not coming to the ports that I've reserved for those applications; they're coming into typically known vulnerable ports.

Whenever utorrent is running there are hundreds of non-stop DNS lookups. I don't remember this ever occurring before. Is this normal? It seems extremely excessive, and it looks like I could get banned from using certain nameservers.

Perhaps this is a DNS DDoS/amplification attack:

https://www.watchguard.com/infocenter/editorial/41649.asp

There is a registry entry under:

HKEY_CURRENT_USER\Software\Classes\FalconBetaAccount

with a string:

Name: remote_access_client_id
Data: (some digits)

This might be unrelated but there is also a registry entry with random characters:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CA3FB357-B7E4-EA79-4B23-7D57B85C3182}

with a dword:

Name: (random characters)
Value: (more random characters with the last few characters being seemingly legible "leakon" i.e. asdfasdfjafjljsdgfhjflsdkeiswleakon)

 

No antiviral program I've used detects anything in this registry entry. Perhaps it's some form of encryption or obfuscation or an infection.

When I close utorrent down, the system "seems" to return to normal, except for the increased traffic. But I have this feeling my PC has been infiltrated every time I use it. Regardless of what this site says:

http://lifehacker.com/5545837/utorrent-falcon-remote-controls-your-bittorrent-downloads-from-any-browser

The falcon beta account entry in the registry feels like a backdoor. I have never enabled this feature.

Avira, Avast, dds, gmer, RootAlyzer, ZHPDiag, AdwCleaner, MalwareBytes, Sophos, TDSSKiller, HijackThis, SuperAntiSpyware, ClamAV, ADSSpy, JRT.exe, OTL, lads.exe and just about everything else don't detect anything, perhaps because the software itself (utorrent) is vulnerable and not necessarily an infection. I've run CCleaner.

 

There were some alternate data streams which may not have been harmful but for the sake of security I removed them as the files they were attached to were completely unnecessary and as such seemed highly suspect.

 

Some other ADS's that I found seemed to be legitimate but I had my doubts so I removed them:

 

"l_encryption_d"

"l_encryption_e"

" C:\ProgramData\TEMP"

That was about a month ago, so I don't remember the file locations. The so-called "encryption" data streams might be legit. But they're not coming from TrueCrypt, as I have recently re-encrypted the drive and conducted a full search for ADS, and these were not found. Perhaps they're from some other legitimate security software. This is from today:

 

ADS Spy Found streams at:

 

C:\ProgramData\TEMP:9A870F8B 129 bytes

C:\Users\All Users\TEMP:9A870F8B 129 bytes (which is apparently some kind of symbolic link to the other file)

 

OTL reported an ADS:

@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:9A870F8B


OTL also made some references to files under Zero Access Check:

 

========== ZeroAccess Check ==========
 
[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013/07/25 21:24:57 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/07/25 20:55:59 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

 

I removed Avast as it just felt like a dormant piece of software. I installed Avira, and it crashes after scanning for over an hour; I'm guessing the reason it keeps crashing is probably that Avast isn't fully removed or some other software is conflicting with it. I'm still sticking with Avira for now because it seems to have a better detection rate than Avast.

 

My current gateway PC is out of commission because I'm installing a more secure distro. Other tools I have available are:

 

Nirsoft Utilities

SysInternal Suite

Volatility and livekd - memory dump and analysis

Autopsy - forensics

The Sleuth Kit - forensics

DEFT 7 - forensics

Backtrack - penetration testing

Windbg

Ollydbg

IDA

Sandboxie

 

I don't use Windows Backup or Restore, I use Macrium Reflect. I use Comodo HIDS instead of Windows UAC, but I may revert to using both. I just hate how it cripples, sometimes crashing or freezing the system with that annoying window overlay. I use NoScript, Adblock Plus and HTTPS Everywhere with Firefox.

 

I use Spamhaus blocklist in my Linux firewall:

 

http://www.spamhaus.org/drop/drop.txt

 

with Bluetack's IANA iblocklists:

 

https://www.iblocklist.com/list.php?list=cslpybexmxyuacbyuvib

https://www.iblocklist.com/list.php?list=pwqnlynprfgtjbgqoizj

https://www.iblocklist.com/list.php?list=bcoepfyewziejvcqyhqo

 

I haven't been able to implement the blocklists in Windows 7 yet. I'm aware of Peerblock but, while others tout it, I have seen traffic that was supposedly blocked get through it. I haven't found an alternative to Peerblock yet. I use two firewalls, Windows 8 Firewall Control as a catch-all when Comodo chokes (and it does) and vice versa. I think their usefulness might be relative to the capabilities of my PC.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16518  BrowserJavaVersion: 10.51.2
Run by mymyusername at 15:50:21 on 2014-03-05
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.7902.3444 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Windows8FirewallControl\Windows8FirewallService.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Core Temp\Core Temp.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows8FirewallControl\Windows8FirewallControl.exe
C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Process Hacker 2\ProcessHacker.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files (x86)\KeyScrambler\keyscrambler.exe
C:\Program Files (x86)\System Explorer\SystemExplorer.exe
C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe
C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
C:\cygwin64\bin\mintty.exe
C:\cygwin64\bin\bash.exe
C:\Program Files (x86)\Belvedere\Belvedere.exe
C:\cygwin64\bin\cygrunsrv.exe
C:\cygwin64\usr\sbin\sshd.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe
C:\Program Files (x86)\Image-Line\FL Studio 10\FL (extended memory).exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Windows\explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Service.exe
C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Tray.exe
C:\Windows\explorer.exe
C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe
C:\cygwin64\usr\sbin\sshd.exe
C:\cygwin64\bin\rsync.exe
C:\cygwin64\bin\rsync.exe
C:\Windows\system32\notepad.exe
C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\explorer.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:Tabs
mDefault_Page_URL = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe
BHO: AutorunsDisabled - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
EB: Web Test Recorder 10.0: {5802D092-1784-4908-8CDB-99B6842D353D} -
uRun: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a logon
uRun: [OpenDNS Updater] "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PROCES~1.LNK - C:\Program Files\Process Hacker 2\ProcessHacker.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoInplaceSharing = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
mPolicies-System: ShutdownSessionTimeout = dword:3
IE: >Search in Linkman - C:\Users\myusername\Documents\Linkman\iescript_search.htm
IE: Add to Linkman - C:\Users\myusername\Documents\Linkman\iescript_add.htm
IE: Add to Linkman (all tabs) - C:\Users\myusername\Documents\Linkman\iescript_addall.htm
IE: Add to Linkman and Edit - C:\Users\myusername\Documents\Linkman\iescript_edit.htm
IE: Show Linkman - C:\Users\myusername\Documents\Linkman\iescript_show.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
TCP: Interfaces\{59BA2CF0-115D-4325-BE01-2A36C4311CC4} : NameServer = 208.67.222.222,208.67.220.220
SSODL: WebCheck - <orphaned>
LSA: Authentication Packages =  msv1_0 C:\cygwin64\bin\cyglsa\cyglsa64.dll
x64-mWinlogon: Userinit = C:\Windows\System32\userinit.exe
x64-BHO: AutorunsDisabled - <orphaned>
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [Windows8FirewallControl] C:\Program Files\Windows8FirewallControl\Windows8FirewallControl.exe
x64-Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
x64-Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe" /LaunchType=Auto /LaunchApps=Common
x64-DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 analytics.microsoft.com
Hosts: 127.0.0.1 metrics.bitdefender.com
Hosts: 127.0.0.1 metrics.mcafee.com
Hosts: 127.0.0.1  om.symantec.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\myusername\AppData\Roaming\Mozilla\Firefox\Profiles\myprofile\
FF - prefs.js: browser.search.selectedEngine - Google SSL
FF - prefs.js: browser.startup.homepage - about:newtab
FF - prefs.js: keyword.URL - hxxps://encrypted.google.com/search?q=
FF - prefs.js: network.proxy.socks_port - 443
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\thinkTDA\npthinkorswim.dll
FF - plugin: C:\Program Files (x86)\thinkTDA\nptossc.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_70.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
//user_pref(browser.cache.disk.capacity,0);
//FF - user.js: network.http.max-connections-per-server - 32
//FF - user.js: network.http.max-persistent-connections-per-server - 10
//FF - user.js: network.http.pipelining.maxrequests - 200
FF - user.js: browser.cache.disk.capacity - 131072
FF - user.js: browser.cache.disk.enable - true
FF - user.js: browser.cache.disk.smart_size.enabled - false
FF - user.js: browser.cache.disk.smart_size.first_run - false
FF - user.js: browser.cache.disk.smart_size_cached_value - 235520
FF - user.js: browser.cache.memory.capacity - 20000
FF - user.js: browser.download.dir - D:\Downloads
FF - user.js: browser.download.lastDir - D:\Downloads
FF - user.js: browser.download.save_converter_index - 0
FF - user.js: browser.history.maxStateObjectSize - 65536000
FF - user.js: browser.history_expire_days.mirror - 1825
FF - user.js: browser.history_expire_days_min - 1825
FF - user.js: browser.safebrowsing.enabled - false
FF - user.js: browser.safebrowsing.gethashURL -
FF - user.js: browser.safebrowsing.keyURL -
FF - user.js: browser.safebrowsing.malware.enabled - false
FF - user.js: browser.safebrowsing.malware.reportURL -
FF - user.js: browser.safebrowsing.reportErrorURL -
FF - user.js: browser.safebrowsing.reportGenericURL -
FF - user.js: browser.safebrowsing.reportMalwareErrorURL -
FF - user.js: browser.safebrowsing.reportMalwareURL -
FF - user.js: browser.safebrowsing.reportPhishURL -
FF - user.js: browser.safebrowsing.reportURL -
FF - user.js: browser.safebrowsing.updateURL -
FF - user.js: browser.safebrowsing.warning.infoURL -
FF - user.js: browser.tabs.animate - false
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: dom.ipc.plugins.hangUITimeoutSecs - 0
FF - user.js: dom.max_chrome_script_run_time - 0
FF - user.js: dom.max_script_run_time - 0
FF - user.js: geo.enabled - false
FF - user.js: keyword.URL - hxxps://encrypted.google.com/search?q=
FF - user.js: mousewheel.withnokey.numlines - 10
FF - user.js: mousewheel.withnokey.sysnumlines - false
FF - user.js: network.dns.disableIPv6 - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 24
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequests - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.pipelining.ssl - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.prefetch-next - false
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: services.sync.prefs.sync.browser.safebrowsing.enabled - false
FF - user.js: services.sync.prefs.sync.browser.safebrowsing.malware.enabled - false
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2014-3-3 28600]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\System32\drivers\cmderd.sys [2013-9-24 23168]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdguard.sys [2013-9-24 709144]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2013-9-24 48872]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-11-14 283064]
R1 nbdrv;NetBalancer LightWeight Filter;C:\Windows\System32\drivers\nbdrv.sys [2014-2-12 41392]
R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\System32\drivers\nm3.sys [2010-6-9 46392]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2014-3-3 440400]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2014-3-3 440400]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2014-3-3 108440]
R2 NetBalancerService;NetBalancerService;C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Service.exe [2014-2-12 19688]
R2 ReflectService.exe;Macrium Reflect Image Mounting Service;C:\Program Files\Macrium\Reflect\ReflectService.exe [2013-12-20 1142768]
R2 sshd;CYGWIN sshd;C:\cygwin64\bin\cygrunsrv.exe [2014-2-15 185875]
R2 Windows8FirewallService;Windows8FirewallService;C:\Program Files\Windows8FirewallControl\Windows8FirewallService.exe [2013-10-19 3806720]
R3 KeyScrambler;KeyScrambler;C:\Windows\System32\drivers\keyscrambler.sys [2014-2-19 222200]
R3 SystemExplorerHelpService;System Explorer Service;C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe [2013-10-12 821720]
R4 KProcessHacker2;KProcessHacker2;C:\Program Files\Process Hacker 2\kprocesshacker.sys [2013-10-9 39576]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 syslog-ng;CYGWIN syslog-ng;C:\cygwin64\bin\cygrunsrv.exe [2014-2-15 185875]
S2 TrueCryptSystemFavorites;TrueCrypt System Favorites;C:\Windows\SysWOW64\TrueCrypt.exe [2013-10-18 1516496]
S3 cmdvirth;COMODO Virtual Service Manager;C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-9-24 164056]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2013-10-10 17480]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2013-10-10 9800]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-2-11 111616]
S3 PORTMON;PORTMON;C:\Portable\SysinternalsSuite\PORTMSYS.SYS [2013-11-2 28656]
S3 PSMounterEx;Macrium Reflect Image Explorer Driver;C:\Windows\System32\drivers\psmounterex.sys [2013-8-1 76408]
S3 PSVolAcc;PSVolAcc;C:\Windows\System32\drivers\PSVolAcc.sys [2013-6-28 13944]
S3 rspLLL;rspLLL;C:\Windows\System32\drivers\rspLLL64.sys [2013-10-12 23968]
S3 SaxNDIS;Ax3soft Packet Driver (SaxNDIS);C:\Windows\System32\drivers\SAXNDIS.sys [2013-10-19 49448]
S3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2010-7-4 139880]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-14 56832]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
S4 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
S4 AntiVirWebService;Avira Web Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [2014-3-3 1017424]
S4 BootRacerServ;BootRacerServ;C:\Program Files (x86)\BootRacer\BootRacerServ.exe [2013-8-19 67888]
S4 DragonSvc;Dragon Service;C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe [2010-8-12 296808]
S4 PRTGCoreService;PRTG Core Server Service;C:\Program Files (x86)\PRTG Network Monitor\64 bit\PRTG Server.exe [2013-11-4 7487488]
S4 PRTGProbeService;PRTG Probe Service;C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe [2013-11-4 8814304]
S4 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-10-18 19456]
S4 RsFx0105;RsFx0105 Driver;C:\Windows\System32\drivers\RsFx0105.sys [2011-9-22 311144]
S4 Synergy;Synergy;C:\Program Files\Synergy\synergyd.exe [2013-10-22 291840]
S4 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-10-18 29696]
S4 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-10-18 30208]
.
=============== Created Last 30 ================
.
2014-03-05 16:44:36    --------    d-----w-    C:\j
2014-03-05 04:42:27    --------    d-----w-    C:\Windows\ERUNT
2014-03-03 08:27:00    --------    d-----w-    C:\Users\myusername\AppData\Roaming\Avira
2014-03-03 08:21:41    28600    ----a-w-    C:\Windows\System32\drivers\avkmgr.sys
2014-03-03 08:21:41    108440    ----a-w-    C:\Windows\System32\drivers\avgntflt.sys
2014-03-03 08:21:37    --------    d-----w-    C:\ProgramData\Avira
2014-03-03 08:21:37    --------    d-----w-    C:\Program Files (x86)\Avira
2014-03-03 08:01:24    --------    d-s---w-    C:\Windows\SysWow64\Microsoft
2014-03-03 07:16:33    --------    d-----w-    C:\Users\myusername\AppData\Roaming\QFX Software
2014-03-03 07:16:33    --------    d-----w-    C:\ProgramData\QFX Software
2014-03-03 06:46:11    97280    ----a-w-    C:\bootsect.exe
2014-03-02 14:57:05    --------    d-sh--w-    C:\Recycled
2014-02-26 04:19:56    --------    d-----w-    C:\Users\myusername\AppData\Local\Eclipse
2014-02-26 04:19:20    --------    d-----w-    C:\Users\myusername\workspace
2014-02-26 02:24:50    --------    d-----w-    C:\Users\myusername\store
2014-02-26 02:24:50    --------    d-----w-    C:\Users\myusername\localdata
2014-02-26 01:45:56    --------    d-----w-    C:\Users\myusername\config
2014-02-26 00:34:38    --------    d-----w-    C:\Program Files (x86)\Launch4j
2014-02-25 20:37:29    --------    d-----w-    C:\Program Files (x86)\FreeCap
2014-02-25 16:30:19    --------    d-----w-    C:\Users\myusername\q
2014-02-23 19:17:03    --------    d-----w-    C:\Program Files\Autopsy-3.0.9
2014-02-23 18:31:01    --------    d-----w-    C:\Program Files (x86)\Windows System Control Center
2014-02-23 18:29:11    --------    d-----w-    C:\Program Files (x86)\Sysinternals Suite
2014-02-23 01:34:40    --------    d-----w-    C:\Program Files (x86)\Open Workbench
2014-02-23 00:43:02    --------    d-----w-    C:\Users\myusername\.memoranda
2014-02-22 21:23:08    --------    d-----w-    C:\Program Files (x86)\ProjectLibre
2014-02-22 19:40:32    --------    d-----w-    C:\Users\myusername\AppData\Roaming\Open Source Applications Foundation
2014-02-22 19:40:28    --------    d-----w-    C:\Users\myusername\AppData\Roaming\Python-Eggs
2014-02-22 19:38:37    --------    d-----w-    C:\Program Files (x86)\Chandler1.0.3
2014-02-22 16:42:45    --------    d-----w-    C:\Program Files\WinHTTrack
2014-02-22 06:53:50    --------    d-----w-    C:\Program Files (x86)\KeyStore Explorer 5.0
2014-02-22 06:20:04    --------    d-----w-    C:\Users\myusername\.rcp
2014-02-22 03:03:26    270336    ----a-w-    C:\Windows\SysWow64\ssleay32.dll
2014-02-22 03:03:26    270336    ----a-w-    C:\Windows\SysWow64\libssl32.dll
2014-02-22 03:03:26    1176576    ----a-w-    C:\Windows\SysWow64\libeay32.dll
2014-02-22 03:03:09    --------    d-----w-    C:\OpenSSL-Win32
2014-02-22 02:10:54    --------    d-----w-    C:\Users\myusername\.keytooliui
2014-02-22 00:36:47    --------    d-----w-    C:\Program Files (x86)\JSmooth 0.9.9-7
2014-02-20 04:18:23    222200    ----a-w-    C:\Windows\System32\drivers\keyscrambler.sys
2014-02-20 04:18:19    --------    d-----w-    C:\Program Files (x86)\KeyScrambler
2014-02-19 11:20:02    --------    d-----w-    C:\Users\myusername\AppData\Roaming\OpenDNS Updater
2014-02-19 11:19:59    --------    d-----w-    C:\Program Files (x86)\OpenDNS Updater
2014-02-18 16:32:35    --------    d-----w-    C:\Users\myusername\AppData\Roaming\RichardsonSoftware
2014-02-18 16:32:35    --------    d-----w-    C:\Users\myusername\AppData\Roaming\RazorSQL
2014-02-18 02:33:18    877480    ----a-w-    C:\Windows\SysWow64\npdeployJava1.dll
2014-02-18 02:33:18    800168    ----a-w-    C:\Windows\SysWow64\deployJava1.dll
2014-02-15 05:25:24    --------    d-----w-    C:\tmp
2014-02-15 03:06:08    1554944    ----a-w-    C:\Windows\SysWow64\vorbis.acm
2014-02-13 06:53:47    65536    ----a-w-    C:\Windows\SysWow64\QuickTimeVR.qtx
2014-02-13 06:53:47    49152    ----a-w-    C:\Windows\SysWow64\QuickTime.qts
2014-02-13 06:53:38    499712    ----a-w-    C:\Windows\SysWow64\msvcp71.dll
2014-02-13 06:53:38    348160    ----a-w-    C:\Windows\SysWow64\msvcr71.dll
2014-02-13 06:53:38    --------    d-----w-    C:\Program Files (x86)\Media Player Classic
2014-02-13 06:53:37    --------    d-----w-    C:\Program Files (x86)\QuickTime Alternative
2014-02-13 04:07:55    --------    d-----w-    C:\Users\myusername\AppData\Roaming\MPEG Streamclip
2014-02-13 03:46:46    --------    d-----w-    C:\Program Files\Inkscape-0.48
2014-02-13 03:27:28    --------    d-----w-    C:\Users\myusername\.MCTranscodingSDK
2014-02-13 03:19:17    --------    d-----w-    C:\ProgramData\Geevs
2014-02-13 03:18:10    --------    d-----w-    C:\Program Files\Lightworks
2014-02-13 01:15:44    --------    d-----w-    C:\Users\myusername\AppData\Roaming\ActiveState
2014-02-13 01:15:33    --------    d-----w-    C:\Users\myusername\AppData\Local\ActiveState
2014-02-12 20:39:52    --------    d-----w-    C:\ProgramData\SeriousBit
2014-02-12 20:38:59    41392    ----a-w-    C:\Windows\System32\drivers\nbdrv.sys
2014-02-12 20:38:58    --------    d-----w-    C:\Program Files\NetBalancer
2014-02-12 20:31:50    --------    d-----w-    C:\Program Files (x86)\ActiveState Komodo Edit 8
2014-02-12 03:28:28    85016    ---ha-w-    C:\Windows\System32\drivers\PROCMON23.SYS
2014-02-11 23:21:46    --------    d-----w-    C:\ProgramData\BootRacer
2014-02-11 22:35:22    --------    d-----r-    C:\Sandbox
2014-02-11 20:17:12    --------    d-----w-    C:\Program Files (x86)\DjVuLibre
2014-02-11 20:14:48    548864    ----a-w-    C:\Windows\System32\vbscript.dll
2014-02-11 20:14:48    454656    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-02-11 20:09:45    1882112    ----a-w-    C:\Windows\System32\msxml3.dll
2014-02-11 19:53:03    --------    d-----w-    C:\Program Files (x86)\BootRacer
2014-02-09 15:23:28    --------    d-----w-    C:\Program Files\Wireshark
2014-02-08 20:32:39    --------    d-----w-    C:\Users\myusername\AppData\Local\enchant
2014-02-08 20:32:28    --------    d-----w-    C:\Users\myusername\.bluefish
2014-02-08 20:30:38    --------    d-----w-    C:\Program Files (x86)\Bluefish
2014-02-07 18:58:00    --------    d-----w-    C:\Users\myusername\.designer
2014-02-07 02:57:34    --------    d-----w-    C:\Program Files (x86)\Ffmpeg For Audacity
2014-02-07 02:54:51    --------    d-----w-    C:\Program Files (x86)\Lame For Audacity
2014-02-04 00:31:43    --------    d-----w-    C:\Users\myusername\AppData\Local\q
.
==================== Find3M  ====================
.
2014-03-05 06:23:08    283064    ----a-w-    C:\Windows\System32\drivers\dtsoftbus01.sys
2014-02-26 01:43:27    17288    ----a-w-    C:\Windows\System32\drivers\Dbgv.sys
2014-02-24 14:30:22    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-24 14:30:22    692616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-02-06 11:30:46    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-02-06 11:30:12    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-02-06 11:07:39    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-02-06 11:06:47    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-02-06 10:49:03    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-02-06 10:48:45    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-02-06 10:48:11    708608    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-02-06 10:20:26    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-02-06 10:11:37    5768704    ----a-w-    C:\Windows\System32\jscript9.dll
2014-02-06 10:01:36    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-02-06 10:00:46    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-02-06 09:50:32    2041856    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-02-06 09:47:22    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-02-06 09:46:27    553472    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-02-06 09:25:36    4244480    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-02-06 09:24:52    2334208    ----a-w-    C:\Windows\System32\wininet.dll
2014-02-06 09:09:30    1964032    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-02-06 08:41:35    1820160    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-02-02 18:33:25    76888    ----a-w-    C:\Windows\SysWow64\PnkBstrA.exe
2014-01-29 19:12:32    41008    ----a-w-    C:\Windows\SysWow64\RGBAcodec.dll
2014-01-25 04:26:29    466456    ----a-w-    C:\Windows\System32\wrap_oal.dll
2014-01-25 04:26:29    444952    ----a-w-    C:\Windows\SysWow64\wrap_oal.dll
2014-01-25 04:26:29    122904    ----a-w-    C:\Windows\System32\OpenAL32.dll
2014-01-25 04:26:29    109080    ----a-w-    C:\Windows\SysWow64\OpenAL32.dll
2014-01-21 13:10:47    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-01-10 15:48:52    86016    ----a-w-    C:\Windows\SysWow64\NtDirect.dll
2014-01-01 03:17:50    43520    ----a-w-    C:\Windows\SysWow64\glfw3.dll
2013-12-24 23:09:41    1987584    ----a-w-    C:\Windows\SysWow64\d3d10warp.dll
2013-12-24 22:48:32    2565120    ----a-w-    C:\Windows\System32\d3d10warp.dll
2013-12-06 02:30:08    2048    ----a-w-    C:\Windows\System32\msxml3r.dll
2013-12-06 02:02:08    2048    ----a-w-    C:\Windows\SysWow64\msxml3r.dll
2013-12-06 02:02:08    1237504    ----a-w-    C:\Windows\SysWow64\msxml3.dll
.
============= FINISH: 15:52:51.19 ===============
 

Edited by gmeruser123, 06 March 2014 - 12:56 AM.
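An added triage helper, not part of the original post and not part of DDS itself: it parses the date / size / attribute / path columns of the listing above and flags the rows a responder would look at first. The heuristics (a .sys under System32\drivers, a hidden attribute, a lone write into C:\Windows on a day with no other writes, a one- or two-letter directory name) are my own assumptions about what deserves a second look, not anything the log or DDS asserts; the sample is an excerpt copied from the posted listing.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt copied from the DDS listing posted above (new-file rows plus the
# Find3M section). The parser skips the "." separators and section headers.
SAMPLE_LOG = r"""
2014-02-12 20:38:59    41392    ----a-w-    C:\Windows\System32\drivers\nbdrv.sys
2014-02-12 20:38:58    --------    d-----w-    C:\Program Files\NetBalancer
2014-02-12 03:28:28    85016    ---ha-w-    C:\Windows\System32\drivers\PROCMON23.SYS
2014-02-11 20:14:48    548864    ----a-w-    C:\Windows\System32\vbscript.dll
2014-02-11 20:14:48    454656    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-02-11 20:09:45    1882112    ----a-w-    C:\Windows\System32\msxml3.dll
2014-02-04 00:31:43    --------    d-----w-    C:\Users\myusername\AppData\Local\q
.
==================== Find3M  ====================
.
2014-03-05 06:23:08    283064    ----a-w-    C:\Windows\System32\drivers\dtsoftbus01.sys
2014-02-26 01:43:27    17288    ----a-w-    C:\Windows\System32\drivers\Dbgv.sys
2014-02-06 11:30:46    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-02-06 11:07:39    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-02-06 09:24:52    2334208    ----a-w-    C:\Windows\System32\wininet.dll
2014-02-02 18:33:25    76888    ----a-w-    C:\Windows\SysWow64\PnkBstrA.exe
"""

# One DDS row: "YYYY-MM-DD HH:MM:SS  <size or -------->  <8-char attrs>  <path>"
ROW_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S{8})\s+(.+?)\s*$"
)


@dataclass
class Entry:
    timestamp: str          # NTFS last-write time as DDS prints it
    size: Optional[int]     # None for directories ("--------")
    attrs: str              # e.g. "d-----w-", "----a-w-", "---ha-w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def day(self) -> str:
        return self.timestamp[:10]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_dds_listing(text: str) -> List[Entry]:
    """Turn the date/size/attrs/path rows of a DDS log into Entry records."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # section headers, "." separators, blank lines
        ts, size, attrs, path = m.groups()
        entries.append(Entry(ts, None if size.startswith("-") else int(size), attrs, path))
    return entries


LONE_WRITE = "lone write into C:\\Windows on its day"


def flag_entries(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for rows worth a manual look.

    These are triage assumptions, not indicators of compromise: a Windows
    Update batch writes many files into C:\\Windows on one day, whereas a
    dropper usually leaves one or two files, often a kernel driver.
    """
    files_per_day = Counter(e.day for e in entries if not e.is_dir)
    flagged = []
    for e in entries:
        low = e.path.lower()
        reasons = []
        if low.endswith(".sys") and "\\system32\\drivers\\" in low:
            reasons.append("kernel driver")
        if "h" in e.attrs:
            reasons.append("hidden attribute")
        if not e.is_dir and low.startswith("c:\\windows\\") and files_per_day[e.day] == 1:
            reasons.append(LONE_WRITE)
        if e.is_dir and len(e.name) <= 2:
            reasons.append("very short directory name")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in flag_entries(parse_dds_listing(SAMPLE_LOG)):
        print(f"{entry.timestamp}  {entry.path}\n    -> {', '.join(reasons)}")
```

The output is a triage queue, not a verdict. In the posted log, nbdrv.sys lands in the same minute as the C:\Program Files\NetBalancer directory, and PROCMON23.SYS, Dbgv.sys and dtsoftbus01.sys carry the driver file names that Sysinternals Process Monitor, Sysinternals DebugView and DAEMON Tools install, so each flagged file should be confirmed by its Authenticode signature and publisher (for example with Sysinternals sigcheck) rather than cleared or condemned by name. Two caveats: DDS prints NTFS last-write times, which whatever wrote the file can set to any value, so the date-clustering heuristic is defeated by timestomping; and the 2014-02-06 IE update rows show why a single lone-write rule needs the per-day count rather than a fixed "recent" cut-off.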




#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,740 posts
  • Gender:Male

Posted 10 March 2014 - 07:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/526615 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,740 posts
  • Gender:Male

Posted 15 March 2014 - 07:35 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!



