
Suspected malware


Recommended Posts

Hi all

I got a virus of some sort on 31 Jan that caused my machine to hard restart, which I posted about here, but the post seems to have been missed. I disconnected from the internet, installed MBAM, but couldn't get rid of everything, so formatted the partition on my drive and re-installed Win7 x64. There is another partition on the drive that wasn't removed, and all my other drives in the machine are as they were while infected.

I also paid for and installed MBAM Pro. Since then, I keep getting incoming and outgoing blocks by MBAM. Outgoing I can understand (dodgy advertising sites), but incoming blocks on random ports is worrying. The majority of these blocks are from Skype, although some are from Firefox. I don't seem to get any from IE, but I don't use that much.

Attached are DDS, Attach, and some MBAM logs (personal name removed).

Any help gratefully appreciated.

Attach.txt

DDS.txt

protection-log-2012-02-10.txt


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Log below. e4awand is the product the company I work for develops, so you can ignore that.

My computer is behaving normally. The number of blocked ip addresses appears to have reduced over the last couple of days, although I have had some today still.

--------

ComboFix 12-02-13.01 - Xxxxxxxxxx 14/02/2012 22:08:29.1.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.12205.10027 [GMT 0:00]

Running from: c:\users\Xxxxxxxxxx\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Xxxxxxxxxx\AppData\Roaming\Microsoft\AddIns\e4awand_oracle.dll

c:\users\Xxxxxxxxxx\AppData\Roaming\Microsoft\AddIns\e4awand_oracle.xll

.

.

((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))

.

.

2012-02-14 22:11 . 2012-02-14 22:11 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-02-14 17:56 . 2012-01-17 04:39 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EE60AFEE-A1C9-4904-BFC5-3496E921FB48}\mpengine.dll

2012-02-14 17:20 . 2012-02-14 17:20 -------- d-----w- c:\program files\GIGABYTE

2012-02-14 17:20 . 2012-02-14 17:20 -------- d-----w- c:\program files (x86)\GIGABYTE

2012-02-14 17:20 . 2011-11-02 10:48 21616 ----a-w- c:\windows\system32\drivers\AppleCharger.sys

2012-02-14 17:20 . 2010-04-06 16:30 31272 ----a-w- c:\windows\system32\AppleChargerSrv.exe

2012-02-13 13:27 . 2012-02-13 13:28 -------- d-----w- c:\program files (x86)\PacificPoker

2012-02-07 17:00 . 2012-02-07 17:00 -------- d-----w- c:\windows\Hewlett-Packard

2012-02-06 10:50 . 2012-02-06 10:50 -------- dc----w- c:\windows\system32\DRVSTORE

2012-02-06 10:48 . 2012-02-06 10:49 -------- d-----w- c:\programdata\Apple

2012-02-06 10:36 . 2012-02-06 10:36 -------- d-----w- c:\program files (x86)\Common Files\Adobe

2012-02-06 10:34 . 1998-10-29 16:45 306688 ----a-w- c:\windows\IsUninst.exe

2012-02-01 08:57 . 2012-02-01 08:57 -------- d-----w- c:\windows\system32\appmgmt

2012-01-31 23:22 . 2012-01-31 23:22 -------- d-----w- c:\program files (x86)\Common Files\LogiShrd

2012-01-31 23:22 . 2012-01-31 23:22 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2012-01-31 23:22 . 2012-01-31 23:22 -------- d-----w- c:\programdata\Logishrd

2012-01-31 23:22 . 2012-01-31 23:22 -------- d-----w- c:\program files\Logitech

2012-01-31 23:01 . 2012-01-31 23:02 -------- d-----w- c:\program files (x86)\get_iplayer

2012-01-31 23:01 . 2012-01-31 23:01 -------- d-----w- c:\programdata\get_iplayer

2012-01-31 22:56 . 2004-03-02 14:29 45145 ------w- c:\windows\SysWow64\plugincpl13118.cpl

2012-01-31 22:56 . 2012-01-31 22:56 -------- d-----w- c:\program files (x86)\Oracle

2012-01-31 22:56 . 2004-03-02 14:29 36943 ------w- c:\windows\SysWow64\ActPanel.dll

2012-01-31 22:23 . 2012-01-31 22:23 -------- d-----w- c:\programdata\Quest Software

2012-01-31 22:22 . 2012-01-31 22:22 -------- d-----w- c:\program files (x86)\Raize

2012-01-31 22:22 . 2005-01-08 03:00 24064 ----a-w- c:\windows\SysWow64\CS30Inspectors70.bpl

2012-01-31 22:22 . 2002-08-09 08:00 778240 ----a-w- c:\windows\SysWow64\rtl70.bpl

2012-01-31 22:22 . 2002-08-09 08:00 227328 ----a-w- c:\windows\SysWow64\vclie70.bpl

2012-01-31 22:22 . 2002-08-09 08:00 1381376 ----a-w- c:\windows\SysWow64\vcl70.bpl

2012-01-31 22:22 . 2012-01-31 22:23 -------- d-----w- c:\program files (x86)\Quest Software

2012-01-31 22:18 . 2012-01-31 14:24 -------- d-----w- c:\windows\Panther

2012-01-31 22:12 . 2012-01-31 22:12 -------- d-----w- c:\programdata\Malwarebytes

2012-01-31 22:12 . 2012-01-31 22:12 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-01-31 22:12 . 2011-12-10 15:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-01-31 21:59 . 2012-01-31 21:59 -------- d-----w- c:\program files (x86)\Calibre2

2012-01-31 21:45 . 2012-01-31 21:45 -------- d-----w- c:\program files (x86)\FileZilla FTP Client

2012-01-31 21:40 . 2011-09-23 20:45 81008 ----a-w- c:\windows\system32\drivers\vmci.sys

2012-01-31 21:40 . 2011-09-23 20:45 68720 ----a-w- c:\windows\system32\drivers\vmx86.sys

2012-01-31 21:40 . 2011-09-23 20:44 334448 ----a-w- c:\windows\SysWow64\vmnetdhcp.exe

2012-01-31 21:40 . 2011-09-23 20:45 404080 ----a-w- c:\windows\SysWow64\vmnat.exe

2012-01-31 21:40 . 2011-09-23 20:44 30320 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2012-01-31 21:40 . 2011-09-23 20:45 968816 ----a-w- c:\windows\system32\vnetlib64.dll

2012-01-31 21:40 . 2011-09-23 20:44 31856 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2012-01-31 21:40 . 2011-09-23 19:21 38512 ----a-w- c:\windows\system32\drivers\hcmon.sys

2012-01-31 21:39 . 2012-01-31 21:39 -------- d-----w- c:\program files (x86)\Common Files\VMware

2012-01-31 21:22 . 2012-01-31 21:27 -------- d-----w- c:\program files (x86)\Common Files\InstallEngine

2012-01-31 21:21 . 2009-05-12 13:58 4165632 ----a-w- c:\windows\SysWow64\cdintf400.dll

2012-01-31 21:20 . 2012-01-31 21:20 -------- d-----w- c:\program files (x86)\Common Files\Sage Shared

2012-01-31 21:20 . 2012-01-31 21:20 -------- d-----w- c:\program files (x86)\Common Files\Sage Line50

2012-01-31 21:20 . 2012-01-31 21:21 -------- d-----w- c:\program files (x86)\Common Files\Sage SData

2012-01-31 21:20 . 2012-01-31 21:27 -------- d-----w- c:\program files (x86)\Common Files\Sage SBD

2012-01-31 21:20 . 2012-01-31 21:26 -------- d-----w- c:\programdata\Sage

2012-01-31 21:20 . 2012-01-31 21:20 -------- d-----w- c:\program files (x86)\Common Files\Sage Report Designer 2007

2012-01-31 21:20 . 2012-01-31 21:20 -------- d-----w- c:\program files (x86)\Sage

2012-01-31 20:25 . 2012-01-31 20:25 -------- d-----w- c:\program files (x86)\TextPad 5

2012-01-31 19:03 . 2012-01-31 22:18 -------- d-----w- c:\program files (x86)\Google

2012-01-31 17:27 . 2012-01-31 17:29 -------- d-----w- c:\program files (x86)\Common Files\Java

2012-01-31 17:27 . 2012-01-31 17:27 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-01-31 17:27 . 2012-02-01 08:58 -------- d-----w- c:\program files (x86)\Java

2012-01-31 17:15 . 2012-02-14 18:21 -------- d-----w- c:\programdata\VMware

2012-01-31 17:15 . 2012-01-31 21:39 -------- d-----w- c:\program files (x86)\VMware

2012-01-31 17:10 . 2012-01-31 17:10 -------- d-----w- c:\program files (x86)\Foxit Software

2012-01-31 17:01 . 2012-01-31 17:01 -------- d-----w- c:\program files\Java

2012-01-31 16:20 . 2012-01-31 16:20 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

2012-01-31 16:15 . 2012-01-31 16:15 -------- d-----w- c:\program files (x86)\MSXML 4.0

2012-01-31 16:14 . 2012-01-31 16:14 -------- d-----w- c:\program files (x86)\Microsoft Silverlight

2012-01-31 16:12 . 2012-01-31 16:12 -------- d-----w- c:\programdata\WEBREG

2012-01-31 16:11 . 2008-08-12 10:58 254976 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp082.dll

2012-01-31 16:10 . 2012-01-31 16:10 -------- d-----w- c:\windows\SysWow64\spool

2012-01-31 16:10 . 2012-01-31 16:10 -------- d-----w- c:\programdata\HP Product Assistant

2012-01-31 16:09 . 2012-01-31 16:09 -------- d-----w- c:\program files (x86)\Common Files\HP

2012-01-31 16:09 . 2012-01-31 16:09 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard

2012-01-31 16:09 . 2012-01-31 16:09 -------- d-----w- c:\windows\hpoj6500e709

2012-01-31 16:09 . 2008-08-12 10:58 131072 ----a-w- c:\windows\system32\hpf3l082.dll

2012-01-31 16:09 . 2012-02-07 17:00 -------- d-----w- c:\program files (x86)\HP

2012-01-31 16:06 . 2012-01-31 16:06 -------- d-----w- c:\program files (x86)\Microsoft Synchronization Services

2012-01-31 16:03 . 2012-01-31 16:03 -------- d-----r- C:\MSOCache

2012-01-31 15:50 . 2012-02-14 16:42 -------- d-----w- c:\program files (x86)\SugarSync

2012-01-31 15:28 . 2012-01-31 15:28 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-01-31 15:28 . 2012-01-31 15:28 -------- d-----w- c:\windows\SysWow64\Macromed

2012-01-31 15:28 . 2012-01-31 16:06 -------- d-----w- c:\program files (x86)\Microsoft.NET

2012-01-31 15:24 . 2012-01-31 15:24 -------- d-----w- c:\windows\SysWow64\Wat

2012-01-31 15:24 . 2012-01-31 15:24 -------- d-----w- c:\windows\system32\Wat

2012-01-31 15:05 . 2012-01-31 15:05 -------- d-----r- c:\program files (x86)\Skype

2012-01-31 15:05 . 2012-01-31 15:05 -------- d-----w- c:\programdata\Skype

2012-01-31 15:05 . 2012-01-31 23:22 -------- d-----w- c:\program files\Common Files\logishrd

2012-01-31 15:04 . 2012-01-31 15:04 -------- d-----w- c:\program files (x86)\Common Files\Intel Corporation

2012-01-31 15:03 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll

2012-01-31 15:03 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll

2012-01-31 15:03 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll

2012-01-31 15:03 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll

2012-01-31 15:03 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2012-01-31 15:00 . 2011-05-20 09:53 557848 ----a-w- c:\windows\system32\drivers\iaStor.sys

2012-01-31 14:59 . 2012-01-31 14:59 -------- d-----w- c:\program files (x86)\Etron Technology

2012-01-31 14:59 . 2012-02-14 18:20 -------- d-sh--w- c:\windows\Installer

2012-01-31 14:54 . 2011-03-12 12:08 1465344 ----a-w- c:\windows\system32\XpsPrint.dll

2012-01-31 14:53 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll

2012-01-31 14:53 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll

2012-01-31 14:53 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll

2012-01-31 14:53 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll

2012-01-31 14:53 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll

2012-01-31 14:53 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-01-31 14:53 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll

2012-01-31 14:53 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll

2012-01-31 14:53 . 2011-06-23 05:43 5561216 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-01-31 14:53 . 2011-06-23 04:33 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2012-01-31 14:53 . 2011-06-23 04:33 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2012-01-31 14:45 . 2012-01-31 15:00 -------- d-----w- c:\program files (x86)\Intel

2012-01-31 14:45 . 2012-01-31 14:45 -------- d-----w- c:\program files\Common Files\Intel

2012-01-31 14:45 . 2012-01-31 14:45 -------- d-----w- c:\program files (x86)\Common Files\Intel

2012-01-31 14:43 . 2011-08-23 13:57 74272 ----a-w- c:\windows\system32\RtNicProp64.dll

2012-01-31 14:43 . 2011-08-23 13:57 565352 ----a-w- c:\windows\system32\drivers\Rt64win7.sys

2012-01-31 14:27 . 2011-08-23 13:57 107552 ----a-w- c:\windows\system32\RTNUninst64.dll

2012-01-31 14:27 . 2012-02-14 17:20 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information

2012-01-31 14:27 . 2012-01-31 14:43 -------- d-----w- c:\program files (x86)\Realtek

2012-01-31 14:24 . 2012-02-01 11:09 -------- d-----w- c:\users\Xxxxxxxxxx

2012-01-31 14:24 . 2012-01-31 14:24 -------- d-----w- C:\Recovery

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-27 00:52 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe

2012-01-12 00:19 . 2012-01-12 00:19 4448256 ----a-w- c:\windows\SysWow64\GPhotos.scr

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]

"SugarSync"="c:\program files (x86)\SugarSync\SugarSyncManager.exe" [2012-02-03 9401424]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"vmware-tray"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2011-09-23 129648]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

.

c:\users\Xxxxxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech . Product Registration.lnk - c:\program files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2012-2-6 113664]

Google Calendar Sync.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux2"=wdmaud.drv

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [x]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]

S2 Sage SData Service;Sage SData Service;c:\program files (x86)\Common Files\Sage SData\Sage.SData.Service.exe [2009-08-21 49152]

S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]

S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-09-23 539248]

S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [x]

S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [x]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]

S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]

S3 LVUVC64;Logitech QuickCam S5500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - APPLECHARGER

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]

@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"

[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]

2012-02-03 18:41 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]

@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"

[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]

2012-02-03 18:41 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]

@="{A759AFF6-5851-457D-A540-F4ECED148351}"

[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]

2012-02-03 18:41 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]

@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"

[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]

2012-02-03 18:41 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-26 12681320]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-28 167704]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-28 392472]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-28 416024]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.co.uk/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

LSP: c:\program files (x86)\VMware\VMware Workstation\vsocklib.dll

TCP: Interfaces\{ECBED843-4F39-4BD3-A4CB-64C8E700FB78}: NameServer = 192.168.0.1

FF - ProfilePath - c:\users\Xxxxxxxxxx\AppData\Roaming\Mozilla\Firefox\Profiles\4e7i70o3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-02-14 22:12:59

ComboFix-quarantined-files.txt 2012-02-14 22:12

.

Pre-Run: 42,610,003,968 bytes free

Post-Run: 43,365,003,264 bytes free

.

- - End Of File - - 7F2DD2A1818651C1EE9E66794EA07C23


The IPs are almost exclusively from Skype. See below. The concern was the varying IPs and also varying ports.

The odd thing is how they have tapered off massively over the last couple days. Loads up to 11 Feb, then one on the 12th, none on the 12th, and only one on the 14th.

Reading that article, it looks like that could be all it is. I did have a few hits from Firefox early on, but those would probably be advertising on whichever forum I happened to be on.

If you're happy it's just Skype, I'm happy to go with that.

Thanks for your invaluable help. :)

--------MBAM Logs--------------

2012/02/11 00:52:32 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 00:52:40 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 00:52:48 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 01:44:01 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 01:44:01 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 01:44:09 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 02:24:58 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 02:24:59 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 02:24:59 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 03:06:52 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 03:06:52 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 03:07:08 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 03:58:29 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 03:58:29 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 03:58:37 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 05:51:59 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 05:51:59 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 05:52:07 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 06:02:32 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 06:02:40 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 06:02:48 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 07:45:54 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 07:45:54 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 07:46:02 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 08:37:31 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 08:37:32 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 08:37:40 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 08:38:28 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 08:38:28 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 08:38:36 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 09:19:31 GMT MESSAGE Executing scheduled update: Daily

2012/02/11 09:19:36 GMT MESSAGE Scheduled update executed successfully: database updated from version v2012.02.10.03 to version v2012.02.11.03

2012/02/11 09:19:36 GMT MESSAGE Starting database refresh

2012/02/11 09:19:36 GMT MESSAGE Stopping IP protection

2012/02/11 09:20:01 GMT MESSAGE IP Protection stopped

2012/02/11 09:20:02 GMT MESSAGE Database refreshed successfully

2012/02/11 09:20:02 GMT MESSAGE Starting IP protection

2012/02/11 09:20:02 GMT MESSAGE IP Protection started successfully

2012/02/11 09:29:38 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 09:29:46 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 09:29:54 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 11:21:49 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 11:21:57 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 11:22:05 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 23:22:11 GMT IP-BLOCK 79.133.196.251 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/11 23:22:19 GMT IP-BLOCK 79.133.196.251 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/12 07:40:20 GMT IP-BLOCK 94.100.22.126 (Type: outgoing, Port: 54157, Process: skype.exe)

2012/02/12 07:40:20 GMT IP-BLOCK 94.100.22.126 (Type: outgoing, Port: 28599, Process: skype.exe)

2012/02/14 17:01:07 GMT IP-BLOCK 83.128.61.92 (Type: outgoing, Port: 28599, Process: skype.exe)

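The MBAM protection log above is easiest to reason about once it is aggregated: which process triggered the blocks, which remote addresses and ports recur, and how the count changes per day (the "tapering off" the poster describes). The script below is an added example, not something from the thread, from Malwarebytes or from the poster; it parses lines in the same `IP-BLOCK` format and summarises them. The sample lines are constructed for the example (the `firefox.exe` line with `203.0.113.5`, a documentation-range address, is invented so that more than one process appears), and the `blocks_excluding` helper answers the follow-up suggestion of removing one program and checking what remains.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the MBAM protection-log lines quoted in the thread.
# Only the first, third, fourth, fifth, sixth and last lines mirror the thread's own entries;
# the firefox.exe / 203.0.113.5 line is invented (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
2012/02/11 00:52:32 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)
2012/02/11 00:52:40 GMT IP-BLOCK 91.212.226.82 (Type: outgoing, Port: 28599, Process: skype.exe)
2012/02/11 09:19:31 GMT MESSAGE Executing scheduled update: Daily
2012/02/11 23:22:11 GMT IP-BLOCK 79.133.196.251 (Type: outgoing, Port: 28599, Process: skype.exe)
2012/02/12 07:40:20 GMT IP-BLOCK 94.100.22.126 (Type: outgoing, Port: 54157, Process: skype.exe)
2012/02/12 07:40:20 GMT IP-BLOCK 94.100.22.126 (Type: outgoing, Port: 28599, Process: skype.exe)
2012/02/13 12:00:00 GMT IP-BLOCK 203.0.113.5 (Type: incoming, Port: 443, Process: firefox.exe)
2012/02/14 17:01:07 GMT IP-BLOCK 83.128.61.92 (Type: outgoing, Port: 28599, Process: skype.exe)
"""

# One IP-BLOCK line: date, time, address, direction, port and the process name.
IP_BLOCK_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) GMT IP-BLOCK "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>incoming|outgoing), Port: (?P<port>\d+), "
    r"Process: (?P<process>[^)]+)\)$"
)


def parse_ip_blocks(text):
    """Return one dict per IP-BLOCK line; MESSAGE lines and anything unparseable are skipped."""
    events = []
    for line in text.splitlines():
        m = IP_BLOCK_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        ev["process"] = ev["process"].lower()  # MBAM logs lower-case names, but be defensive
        events.append(ev)
    return events


def summarize(events):
    """Aggregate the blocks the way a helper reads them: which process, where to, how often, when."""
    ports_by_process = defaultdict(set)
    for e in events:
        ports_by_process[e["process"]].add(e["port"])
    return {
        "per_process": Counter(e["process"] for e in events),
        "per_direction": Counter(e["direction"] for e in events),
        "per_day": Counter(e["date"] for e in events),
        "per_ip": Counter(e["ip"] for e in events),
        "ports_by_process": {p: sorted(s) for p, s in ports_by_process.items()},
    }


def blocks_excluding(events, process):
    """Blocks not attributable to `process`: what should be left if that program were uninstalled."""
    return [e for e in events if e["process"] != process.lower()]


def report(summary):
    """Human-readable summary, one line per aggregate."""
    lines = []
    for proc, n in summary["per_process"].most_common():
        lines.append(f"{proc}: {n} blocks, ports {summary['ports_by_process'][proc]}")
    for day in sorted(summary["per_day"]):
        lines.append(f"{day}: {summary['per_day'][day]} blocks")
    for ip, n in summary["per_ip"].most_common():
        lines.append(f"{ip}: {n} blocks")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_ip_blocks(SAMPLE_LOG)
    print(report(summarize(evs)))
    print("remaining without skype.exe:", len(blocks_excluding(evs, "skype.exe")))
```

Feed it the full log instead of the sample and the per-day counter gives the trend the poster noticed; if a single process accounts for all blocks and its entries stop after that program is removed, the blocks were that program's traffic rather than a background infection.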

If it were me, I'd uninstall Skype and see if MBAM is still seeing those going out.

IP Information for 91.212.226.82

IP Location: Russian Federation Artem Artem Zhirkov Alekseevich

IP Information for 79.133.196.251

IP Location: Poland Etop Sp. Z O.o

IP Information for 94.100.22.126

IP Location: Netherlands Amsterdam Eureka Solutions Sp. Z O.o

IP Information for 83.128.61.92

IP Location: Netherlands Naaldwijk Caiw Diensten B.v


  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.