Lascif
Everything posted by Lascif
-
Seeing as my last post did not include the ComboFix log, here it is.
-
Here is the ComboFix log. Along with this, when ComboFix forced a shutdown on my computer it bluescreened. It bluescreened at the point where it says "Shutting Down" when you wait for it to shut down. I have included these logs too in case they are related, as I don't usually BlueScreen at all.

ComboFix Log

BlueScreen:
==================================================
Dump File : 062013-37237-01.dmp
Crash Time : 20/06/2013 16:06:56
Bug Check String : DRIVER_POWER_STATE_FAILURE
Bug Check Code : 0x1000009f
Parameter 1 : 00000000`00000004
Parameter 2 : 00000000`00000258
Parameter 3 : fffffa80`036b0040
Parameter 4 : fffff800`00b9c3d0
Caused By Driver : WudfPf.sys
Caused By Address : WudfPf.sys+6500
Processor : x64
Crash Address : ntoskrnl.exe+78a7a
Full Path : C:\Windows\Minidump\062013-37237-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 714,832
==================================================
ComboFix.txt
-
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-20 15:01:49
Windows 6.1.7601 Service Pack 1 x64
ark.txt
-
I keep getting incoming and outgoing IP blocks from random IPs. Along with this, about a week ago my Facebook account was accessed from Texas, and by using IP locate I found a Texas IP address as being blocked. I'm not sure if this is a coincidence or not; it could be I have spyware. I have installed MBAM and ESET NOD32, neither of which can find any infected files which could be causing this. To take action against the Facebook account access, I changed my password from a different and definitely secured machine. The messages I see frequently are (with asterisks for protection for whoever owns that IP):

IP-BLOCK 89.248.***.*** (Type: incoming, Port: 53, Process: svchost.exe)

I am worried that I'm either being keylogged or I have spyware. The logs are attached. Thank you.

DDS.txt Attach.txt