BryanLeaman
Members-
Posts
9 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Everything posted by BryanLeaman
-
Constantly blocking outgoing IPs
BryanLeaman replied to BryanLeaman's topic in Resolved Malware Removal Logs
Looks clean. ESET found a false positive -- an upload script I wrote to push changed files to a web server via FTP. Otherwise the computer is clean as a whistle. Since running TDSSKiller I haven't had any blocked outgoing IP address issues either. Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 5461 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 1/4/2011 8:24:44 PM mbam-log-2011-01-04 (20-24-44).txt Scan type: Quick scan Objects scanned: 175082 Time elapsed: 8 minute(s), 59 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) C:\Documents and Settings\Ann\My Documents\Ohio Conference\Web page\Upload.js probably unknown SCRIPT virus deleted - quarantined --Bryan -
Protection module disabled after reboot
BryanLeaman replied to BryanLeaman's topic in Malwarebytes for Windows Support Forum
Samuel, Thanks. That appears to be all that needed to be done. I've added the startup registry entry and it's working fine now. --Bryan -
I just recently noticed that Malwarebytes' Anti-Malware protection module is disabled after I reboot. It lets me enable it again, but when I reboot, I have to start up Anti-Malware and turn on the protection module all over again. --Bryan P.S. Anti-Malware has been a wonderful tool. I've licensed it on my 2 Windows PCs, my daughter's notebook and just recently for my Mom's new notebook too. Thanks!
-
Constantly blocking outgoing IPs
BryanLeaman replied to BryanLeaman's topic in Resolved Malware Removal Logs
I hope you don't mind, but I peeked at another forum post that listed the same IP addresses being blocked that I'm experiencing. Malwarebytes forum thread As suggested in that thread, I downloaded Kaspersky's TDSSKiller and ran it and it seems to have cleared up the problem. It found TDSS.tdl4 rootkit and removed it. Here's the log: 2011/01/03 20:10:50.0375 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46 2011/01/03 20:10:50.0375 =========================================================================== ===== 2011/01/03 20:10:50.0375 SystemInfo: 2011/01/03 20:10:50.0375 2011/01/03 20:10:50.0375 OS Version: 5.1.2600 ServicePack: 3.0 2011/01/03 20:10:50.0375 Product type: Workstation 2011/01/03 20:10:50.0375 ComputerName: PRESARIO 2011/01/03 20:10:50.0375 UserName: Ann 2011/01/03 20:10:50.0375 Windows directory: C:\WINDOWS 2011/01/03 20:10:50.0375 System windows directory: C:\WINDOWS 2011/01/03 20:10:50.0375 Processor architecture: Intel x86 2011/01/03 20:10:50.0375 Number of processors: 1 2011/01/03 20:10:50.0375 Page size: 0x1000 2011/01/03 20:10:50.0375 Boot type: Normal boot 2011/01/03 20:10:50.0375 =========================================================================== ===== 2011/01/03 20:10:52.0171 Initialize success 2011/01/03 20:10:57.0093 =========================================================================== ===== 2011/01/03 20:10:57.0093 Scan started 2011/01/03 20:10:57.0093 Mode: Manual; 2011/01/03 20:10:57.0093 =========================================================================== ===== 2011/01/03 20:10:59.0187 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys 2011/01/03 20:10:59.0453 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2011/01/03 20:10:59.0609 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys 2011/01/03 20:10:59.0812 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2011/01/03 20:10:59.0984 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys 2011/01/03 20:11:00.0171 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 2011/01/03 20:11:00.0390 AgereSoftModem (51a66c689ad9b9a953f75496209ae520) C:\WINDOWS\system32\DRIVERS\AGRSM.sys 2011/01/03 20:11:00.0875 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys 2011/01/03 20:11:01.0046 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2011/01/03 20:11:01.0468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2011/01/03 20:11:01.0609 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2011/01/03 20:11:01.0843 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2011/01/03 20:11:01.0953 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2011/01/03 20:11:02.0000 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys 2011/01/03 20:11:02.0109 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys 2011/01/03 20:11:02.0250 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2011/01/03 20:11:02.0390 BW2NDIS5 (71cb7616cb36d43ea787c41ab55fe458) C:\WINDOWS\system32\Drivers\BW2NDIS5.sys 2011/01/03 20:11:02.0562 C-Dilla (2423d6259dd63a6f1ffd3d3684b941e5) C:\WINDOWS\system32\drivers\CDANT.SYS 2011/01/03 20:11:02.0750 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2011/01/03 20:11:02.0859 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys 2011/01/03 20:11:03.0000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2011/01/03 20:11:03.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2011/01/03 20:11:03.0406 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2011/01/03 20:11:03.0921 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2011/01/03 20:11:04.0109 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2011/01/03 20:11:04.0609 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2011/01/03 20:11:04.0687 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2011/01/03 20:11:04.0843 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2011/01/03 20:11:04.0984 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2011/01/03 20:11:05.0140 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2011/01/03 20:11:05.0328 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys 2011/01/03 20:11:05.0468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2011/01/03 20:11:05.0609 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys 2011/01/03 20:11:05.0750 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2011/01/03 20:11:05.0984 FPAV_RTP (a98b9d16a38df7afdc1a465925d03884) C:\WINDOWS\system32\DRIVERS\FStopW.sys 2011/01/03 20:11:06.0218 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2011/01/03 20:11:06.0359 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2011/01/03 20:11:06.0484 ftsata2 (22399d3ce5840c6082844679cca5d2fc) C:\WINDOWS\system32\DRIVERS\ftsata2.sys 2011/01/03 20:11:06.0656 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2011/01/03 20:11:06.0734 hamachi (64b48a0d899deca24c424a2cac3ecffa) C:\WINDOWS\system32\DRIVERS\hamachi.sys 2011/01/03 20:11:06.0859 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 2011/01/03 20:11:06.0937 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2011/01/03 20:11:07.0156 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2011/01/03 20:11:07.0437 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2011/01/03 20:11:07.0687 iaStor (9a65e42664d1534b68512caad0efe963) C:\WINDOWS\system32\DRIVERS\iaStor.sys 2011/01/03 20:11:08.0046 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2011/01/03 20:11:08.0359 IntcAzAudAddService (90e1b42e49d9e91e5accaaaaefa10ce8) C:\WINDOWS\system32\drivers\RtkHDAud.sys 2011/01/03 20:11:08.0671 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2011/01/03 20:11:08.0796 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2011/01/03 20:11:08.0890 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2011/01/03 20:11:09.0000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2011/01/03 20:11:09.0125 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2011/01/03 20:11:09.0203 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2011/01/03 20:11:09.0437 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2011/01/03 20:11:09.0562 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2011/01/03 20:11:09.0828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2011/01/03 20:11:09.0937 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2011/01/03 20:11:10.0093 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2011/01/03 20:11:10.0250 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2011/01/03 20:11:10.0625 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys 2011/01/03 20:11:10.0796 MLPTDR_C (a0559040b0df7403ddcd9574cb2694de) C:\WINDOWS\system32\MLPTDR_C.sys 2011/01/03 20:11:10.0921 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2011/01/03 20:11:11.0046 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2011/01/03 20:11:11.0171 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2011/01/03 20:11:11.0328 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2011/01/03 20:11:11.0484 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2011/01/03 20:11:11.0671 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2011/01/03 20:11:11.0937 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2011/01/03 20:11:12.0343 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys 2011/01/03 20:11:12.0468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2011/01/03 20:11:12.0578 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2011/01/03 20:11:12.0687 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2011/01/03 20:11:12.0734 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2011/01/03 20:11:12.0812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2011/01/03 20:11:12.0859 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys 2011/01/03 20:11:12.0953 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2011/01/03 20:11:13.0078 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys 2011/01/03 20:11:13.0234 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2011/01/03 20:11:13.0359 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys 2011/01/03 20:11:13.0500 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2011/01/03 20:11:13.0734 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2011/01/03 20:11:13.0937 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2011/01/03 20:11:14.0109 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys 2011/01/03 20:11:14.0234 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2011/01/03 20:11:14.0593 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2011/01/03 20:11:14.0984 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2011/01/03 20:11:15.0265 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2011/01/03 20:11:15.0718 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2011/01/03 20:11:16.0171 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2011/01/03 20:11:16.0984 nv (77be0cee4e4a17474650d38ccc9d5579) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 2011/01/03 20:11:18.0000 NVENETFD (2a7a2c6ab9631028b6e3a4159aa65705) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 2011/01/03 20:11:18.0312 nvnetbus (20526a8827dc0956b5526aebcb6751a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 2011/01/03 20:11:18.0515 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2011/01/03 20:11:18.0937 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2011/01/03 20:11:19.0281 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2011/01/03 20:11:19.0687 OMAWGU(Belkin Corporation) (0c2cb1c6e7d23ff74832839f2fb25163) C:\WINDOWS\system32\DRIVERS\OMAWGU.sys 2011/01/03 20:11:20.0218 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2011/01/03 20:11:21.0046 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2011/01/03 20:11:21.0468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2011/01/03 20:11:21.0812 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2011/01/03 20:11:22.0890 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2011/01/03 20:11:23.0343 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2011/01/03 20:11:24.0890 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2011/01/03 20:11:25.0203 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys 2011/01/03 20:11:25.0687 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2011/01/03 20:11:26.0031 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2011/01/03 20:11:26.0640 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2011/01/03 20:11:27.0750 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2011/01/03 20:11:27.0968 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2011/01/03 20:11:28.0234 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2011/01/03 20:11:28.0578 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2011/01/03 20:11:29.0015 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2011/01/03 20:11:29.0234 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2011/01/03 20:11:29.0531 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2011/01/03 20:11:30.0125 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2011/01/03 20:11:30.0546 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 2011/01/03 20:11:30.0984 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2011/01/03 20:11:31.0203 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2011/01/03 20:11:31.0515 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys 2011/01/03 20:11:31.0812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2011/01/03 20:11:32.0187 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys 2011/01/03 20:11:32.0671 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/01/03 20:11:32.0828 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2011/01/03 20:11:33.0250 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/01/03 20:11:33.0500 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys 2011/01/03 20:11:33.0781 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/01/03 20:11:34.0000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/01/03 20:11:34.0843 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/01/03 20:11:35.0187 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/01/03 20:11:35.0484 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/01/03 20:11:35.0609 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/01/03 20:11:35.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/01/03 20:11:36.0421 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/01/03 20:11:36.0609 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2011/01/03 20:11:36.0984 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/01/03 20:11:37.0265 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/01/03 20:11:37.0562 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys 2011/01/03 20:11:37.0828 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2011/01/03 20:11:38.0062 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2011/01/03 20:11:38.0250 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2011/01/03 20:11:38.0515 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2011/01/03 20:11:38.0750 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2011/01/03 20:11:38.0968 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 2011/01/03 20:11:39.0156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2011/01/03 20:11:39.0390 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2011/01/03 20:11:39.0687 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys 2011/01/03 20:11:40.0062 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2011/01/03 20:11:40.0562 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys 2011/01/03 20:11:40.0796 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys 2011/01/03 20:11:40.0937 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS 2011/01/03 20:11:41.0093 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0) 2011/01/03 20:11:41.0093 =========================================================================== ===== 2011/01/03 20:11:41.0093 Scan finished 2011/01/03 20:11:41.0093 =========================================================================== ===== 2011/01/03 20:11:41.0125 Detected object count: 1 2011/01/03 20:12:02.0046 \HardDisk1 - will be cured after reboot 2011/01/03 20:12:02.0046 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure 2011/01/03 20:12:05.0796 Deinitialize success Thank you so much for your assistance! --Bryan -
Constantly blocking outgoing IPs
BryanLeaman replied to BryanLeaman's topic in Resolved Malware Removal Logs
Thanks for your continued assistance. (A little background) The kpylirel.sys file you mentioned was one I discovered earlier last month and submitted to Malwarebytes mid-December, since it didn't detect it. At the time my PC was trying to make hundreds of SMTP connections at a time. I booted Knoppix off a CD in order to remove it, as I was unable to manually remove it while windows was running. As far as I can tell, the kpylirel.sys file has not re-appeared. Removing kpylirel.sys stopped the SMTP connections, but I am still getting many blocked outgoing connections attempts reported by Anti-Malware (and an unknown number of allowed connections?) when I'm not running anything other than Firefox, using this forum. This was in addition to several other malware programs I discovered and removed (manually & via scanning with Anti-Malware and F-Prot antivirus) including WhiteSmoke Translator and Toolbar. These last ones I discovered within minutes of the infection because the PC was running very slowly and I just happened to ask my son to let me use it -- about 10 minutes after the creation date on the WhiteSmoke stuff. (Current) I followed your instructions and Combofix.exe reported finding the TDL3 rootkit, later reported rootkit activity & rebooted and continued. Here's the log: ComboFix 11-01-02.04 - Ann 01/03/2011 9:48.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.558 [GMT -5:00] Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Ann\Desktop\CFScript.txt AV: F-PROT Antivirus for Windows *Disabled/Updated* {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9} * Resident AV is active FILE :: "c:\windows\system32\drivers\kpylirel.sys" "c:\windows\system32\tspkgk.dll" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\tspkgk.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_KPYLIREL -------\Service_kpylirel ((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 ))))))))))))))))))))))))))))))) . 2011-01-03 14:27 . 2011-01-03 14:28 -------- d-----w- C:\32788R22FWJFW.0.tmp 2010-12-31 19:06 . 2010-12-31 19:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird 2010-12-31 19:06 . 2010-12-31 19:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird 2010-12-17 03:52 . 2010-12-17 03:52 -------- d-----w- c:\documents and settings\Ann\Application Data\Amazon 2010-12-17 03:46 . 2010-12-17 03:46 -------- d-----w- c:\program files\Amazon 2010-12-16 13:27 . 2010-12-28 15:57 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys 2010-12-16 13:27 . 2010-12-16 13:27 -------- d-----w- c:\documents and settings\Ann\Application Data\Corel 2010-12-16 02:59 . 2010-12-16 02:59 -------- d-----w- c:\documents and settings\Ann\Application Data\FRISK Software 2010-12-16 01:44 . 2010-12-16 01:44 -------- d-----w- c:\program files\Common Files\Protexis 2010-12-16 01:44 . 2010-12-16 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel 2010-12-16 01:43 . 2010-12-16 01:43 -------- d-----w- c:\program files\Common Files\Corel 2010-12-16 01:41 . 2010-12-16 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Borland 2010-12-16 01:41 . 2010-12-16 01:41 -------- d-----w- c:\program files\Common Files\Borland Shared 2010-12-16 01:34 . 2010-12-16 01:34 -------- d-----w- c:\program files\Corel 2010-12-14 16:53 . 2010-12-14 16:53 -------- d-----w- c:\documents and settings\Ann\Application Data\TrojanHunter . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-12-20 23:09 . 2008-10-06 01:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-20 23:08 . 2008-10-06 01:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-17 03:57 . 2009-05-27 19:40 89680 ------w- c:\documents and settings\Ann\MSSSerif120.fon 2007-08-06 16:07 . 2007-11-22 01:43 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll 2007-09-28 23:57 . 2007-09-28 23:57 6275816 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll 2007-07-18 18:54 . 2007-11-22 01:43 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll 2007-09-28 23:57 . 2007-09-28 23:57 6275816 ----a-w- c:\program files\opera\program\plugins\ScorchPDFWrapper.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DIMDownloading your update..1285781009224"="c:\program files\Corel\WordPerfect Office X5\Programs\DIM.exe" [2010-02-18 107880] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-01 7311360] "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400] "UPSMON"="c:\program files\UPSMON\UPSMON.exe" [2005-03-30 429568] "F-PROT Antivirus Tray application"="c:\program files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2010-07-05 1674032] "QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE" [2010-03-12 136600] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-22 180269] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer] @="Service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk backup=c:\windows\pss\Lotus QuickStart.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Ann^Start Menu^Programs^Startup^AOL OpenRide.lnk] path=c:\documents and settings\Ann\Start Menu\Programs\Startup\AOL OpenRide.lnk backup=c:\windows\pss\AOL OpenRide.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Bryan^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk] path=c:\documents and settings\Bryan\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel] 2005-09-01 20:24 942080 ----a-w- c:\program files\EarthLink TotalAccess\TaskPanl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] 2005-02-17 14:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] 2005-12-01 20:02 1519616 ----a-w- c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder] 2004-12-14 10:23 663552 ----a-w- c:\windows\CREATOR\Remind_XP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2006-02-22 10:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg] 1997-11-23 08:16 20992 ----a-w- c:\progra~1\ULEADS~1\ULEADP~1\SSaver\USSSHREG.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "EarthLinkMonitor"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= "c:\\Program Files\\Online Services\\Aol\\InstallAol.exe"= "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\ftp.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [11/28/2007 9:50 PM 700632] R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [11/3/2010 4:40 PM 83624] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/5/2008 8:57 PM 363344] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/5/2008 8:57 PM 20952] S2 MLPTDR_C;MLPTDR_C;c:\windows\system32\MLPTDR_C.SYS [5/31/2002 5:04 PM 19296] S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?] S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);c:\windows\system32\drivers\OMAWGU.sys [10/23/2007 10:32 PM 408064] S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000] S4 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop uInternet Settings,ProxyOverride = <local> uInternet Settings,ProxyServer = 192.168.1.3:3128 IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 LSP: c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll TCP: {DE062798-F8BE-461F-90A3-B4F34C3B3450} = 207.69.188.185,207.69.188.186 FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ofxf3dwh.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q= FF - prefs.js: network.proxy.ftp - 192.168.1.3 FF - prefs.js: network.proxy.ftp_port - 3128 FF - prefs.js: network.proxy.gopher - 192.168.1.3 FF - prefs.js: network.proxy.gopher_port - 3128 FF - prefs.js: network.proxy.http - 192.168.1.3 FF - prefs.js: network.proxy.http_port - 3128 FF - prefs.js: network.proxy.socks - 192.168.1.3 FF - prefs.js: network.proxy.socks_port - 3128 FF - prefs.js: network.proxy.ssl - 192.168.1.3 FF - prefs.js: network.proxy.ssl_port - 3128 FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-01-03 10:07 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: Maxtor_6L160P0 rev.BAJ41G10 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3 device: opened successfully user: MBR read successfully Disk trace: called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86135555]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8613b7b0]; MOV EAX, [0x8613b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; } 1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x860F1AB8] 3 CLASSPNP[0xF7640FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000006d[0x86147F18] 5 ACPI[0xF74D7620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8615CD98] \Driver\atapi[0x861439C8] -> IRP_MJ_CREATE -> 0x86135555 kernel: MBR read successfully _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB; JMP FAR 0x7a0:0x5c; } detected disk devices: \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6L160P0__________________________BAJ41G10#334c41313159475120 2020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found detected hooks: \Driver\atapi DriverStartIo -> 0x8613539B user & kernel MBR OK Warning: possible TDL3 rootkit infection ! ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\3.tmp" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(756) c:\windows\system32\WININET.dll - - - - - - - > 'lsass.exe'(816) c:\windows\system32\WININET.dll c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll - - - - - - - > 'explorer.exe'(4020) c:\windows\system32\WININET.dll c:\program files\EarthLink TotalAccess\Accelerator\prplsf.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\DRIVERS\CDANTSRV.EXE c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\nvsvc32.exe c:\program files\Common Files\Protexis\License Service\PsiService_2.exe c:\windows\system32\wdfmgr.exe c:\program files\UPSMON\UPSMON_Service.Exe c:\program files\UPSMON\UPSInt2.exe . ************************************************************************** . Completion time: 2011-01-03 10:16:30 - machine was rebooted ComboFix-quarantined-files.txt 2011-01-03 15:16 ComboFix2.txt 2010-12-31 18:59 Pre-Run: 88,065,761,280 bytes free Post-Run: 88,115,363,840 bytes free - - End Of File - - F76D84FE23B4080128789EAB62B7FDFE --Bryan -
Constantly blocking outgoing IPs
BryanLeaman replied to BryanLeaman's topic in Resolved Malware Removal Logs
Thanks. Looks like it found something, but I'm still seeing blocked IP addresses. I've attached the log from Combofix.exe. --Bryan log.txt -
AntiMalware is constantly telling me it's blocking outgoing connections, even when I'm not actively surfing or anything. While I was running the requested scans and Firefox was just resting on this forum (where I was reading the instructions) AntiMalware kept telling me about blocked IP addresses. I'm glad it's blocking them, but I have to think I still have some sort of malware on my system that's causing this. I notice the messages mostly when I have a browser running, but not exclusively then. I believe I've attached all the requested logs. --Bryan attach.zip