
I think I'm under attack - Please Help!



So, a few days ago I started receiving email notifications from my router letting me know about security alerts. I'm including recent logs from my router.

2012-07-18 14:03:46.00 [DOS] UDP Packet - Source:192.168.0.12,137 Destination:192.168.0.255,137

2012-07-18 14:03:47.00 [DOS] UDP Packet - Source:192.168.0.12,1900 Destination:239.255.255.250,1900

2012-07-18 14:03:48.00 [DOS] UDP Packet - Source:192.168.0.12,138 Destination:192.168.0.255,138

2012-07-18 14:03:48.00 [DOS] UDP Packet - Source:192.168.0.12,50980 Destination:239.255.255.250,1900

2012-07-18 14:03:48.00 [DOS] UDP Packet - Source:192.168.0.12,1900 Destination:239.255.255.250,1900

2012-07-18 14:03:48.00 [DOS] UDP Packet - Source:192.168.0.12,56638 Destination:239.255.255.250,1900

2012-07-18 14:03:48.00 [DOS] UDP Packet - Source:192.168.0.12,57644 Destination:239.255.255.250,3702

2012-07-18 14:03:48.00 [DOS] UDP Packet - Source:192.168.0.12,138 Destination:192.168.0.255,138

2012-07-18 14:03:48.00 [DOS] UDP Packet - Source:192.168.0.12,56638 Destination:239.255.255.250,1900

2012-07-18 14:03:49.00 [DOS] UDP Packet - Source:192.168.0.12,49385 Destination:239.255.255.250,1900

2012-07-18 14:03:49.00 [DOS] UDP Packet - Source:192.168.0.12,57644 Destination:239.255.255.250,3702

2012-07-18 14:03:49.00 [DOS] UDP Packet - Source:192.168.0.12,1196 Destination:255.255.255.255,1196

2012-07-18 14:03:50.00 [DOS] UDP Packet - Source:192.168.0.12,1900 Destination:239.255.255.250,1900

2012-07-18 14:03:50.00 [DOS] UDP Packet - Source:192.168.0.12,56638 Destination:239.255.255.250,1900

2012-07-18 14:03:51.00 [DOS] UDP Packet - Source:192.168.0.12,1900 Destination:239.255.255.250,1900

2012-07-18 14:03:51.00 [DOS] UDP Packet - Source:192.168.0.12,138 Destination:192.168.0.255,138

2012-07-18 14:03:51.00 [DOS] UDP Packet - Source:192.168.0.12,56638 Destination:239.255.255.250,1900

2012-07-18 14:04:20.00 [DOS] TCP Packet - Source:192.168.0.12,49328 Destination:192.168.0.1,445

2012-07-18 14:04:20.00 [DOS] TCP Packet - Source:192.168.0.12,49330 Destination:192.168.0.1,445

2012-07-18 14:04:20.00 [DOS] TCP Packet - Source:192.168.0.12,49331 Destination:192.168.0.1,139

2012-07-18 14:04:20.00 [DOS] TCP Packet - Source:192.168.0.12,49329 Destination:192.168.0.1,445

2012-07-18 14:04:55.00 [DOS] TCP Packet - Source:192.168.0.12,49356 Destination:192.168.0.1,5000

2012-07-18 14:05:40.00 [DOS] TCP Packet - Source:192.168.0.12,49544 Destination:192.168.0.1,5000

2012-07-18 14:05:44.00 [DOS] TCP Packet - Source:192.168.0.12,49559 Destination:192.168.0.1,5000

2012-07-18 14:05:48.00 [DOS] TCP Packet - Source:192.168.0.12,49574 Destination:192.168.0.1,5000

2012-07-18 14:05:52.00 [DOS] TCP Packet - Source:192.168.0.12,49590 Destination:192.168.0.1,5000

2012-07-18 14:05:57.00 [DOS] TCP Packet - Source:192.168.0.12,49605 Destination:192.168.0.1,5000

2012-07-18 14:06:00.00 [DOS] TCP Packet - Source:192.168.0.12,49618 Destination:192.168.0.1,5000

2012-07-18 14:06:10.00 [DOS] TCP Packet - Source:192.168.0.12,49655 Destination:192.168.0.1,5000

2012-07-18 14:06:14.00 [DOS] TCP Packet - Source:192.168.0.12,49670 Destination:192.168.0.1,5000

My network range is precisely 192.168.0.x, with my router being 192.168.0.1.

Does anyone know what's going on with my network? Am I infected with some sort of bot?

The address you see in the log belongs to the PC I'm using right now. I have all other devices turned off, including the wireless printers, because they would also show up as a source when they are on.

I'm going nuts here, please help.


  • Staff

Hi and welcome to Malwarebytes.

First, let's see if the router is hijacked.

1. Very important: First disconnect your computers from the Internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into the small hole labeled Reset located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds).

3. Reset the IP/DNS settings of your Internet connection on each computer connected:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    ipconfig /flushdns
  • Then hit enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

See if the messages persist.


Thank you for your reply. I followed every step and unfortunately I'm still receiving the warnings.

2012-07-19 17:48:38.00 [DOS] UDP Packet - Source:192.168.0.2,1900 Destination:239.255.255.250,1900

2012-07-19 17:48:38.00 [DOS] UDP Packet - Source:192.168.0.2,1900 Destination:239.255.255.250,1900

I have run MalwareBytes and McAfee antivirus on all of my machines; they detected and eliminated different threats, but this really puzzles me.

It is not showing in these recent logs, but I was constantly receiving this security alert from my router on my email as well:

UDP Packet - Source:10.197.0.1,67 Destination:255.255.255.255,68

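As an added triage example (not code from this thread, from Malwarebytes, or from the router vendor), the script below parses the router's "[DOS]" alert lines from the first post and the DHCP alert in the follow-up, and labels each with a verdict so the lines that deserve a closer look stand out from ordinary LAN housekeeping traffic. The LAN range and router address are taken from the poster's description; the well-known-port table and the verdict rules are assumptions of this example.

```python
"""Triage of the router '[DOS]' alert lines quoted in this thread (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)?\s*"
    r"(?:\[(?P<tag>[A-Z]+)\]\s+)?(?P<proto>TCP|UDP) Packet - "
    r"Source:(?P<sip>[\d.]+),(?P<sport>\d+)\s+"
    r"Destination:(?P<dip>[\d.]+),(?P<dport>\d+)$"
)

LAN = ip_network("192.168.0.0/24")        # the poster's stated LAN range
ROUTER = ip_address("192.168.0.1")        # the poster's router
MULTICAST = ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ip_address("255.255.255.255")

# (proto, destination port) -> service behind ordinary LAN housekeeping traffic
KNOWN_SERVICES = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("UDP", 1900): "SSDP/UPnP discovery",
    ("UDP", 3702): "WS-Discovery",
    ("UDP", 68): "DHCP server-to-client",
    ("TCP", 139): "SMB over NetBIOS",
    ("TCP", 445): "SMB",
    ("TCP", 5000): "UPnP control on the router",
}


def parse_line(line):
    """Parse one alert line into a dict, or return None if it is not an alert."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["sip"], ev["dip"] = ip_address(ev["sip"]), ip_address(ev["dip"])
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def classify(ev):
    """Map a parsed alert to (verdict, reason); rules are checked top to bottom."""
    service = KNOWN_SERVICES.get((ev["proto"], ev["dport"]))
    sip, dip = ev["sip"], ev["dip"]
    local_src = sip in LAN
    to_broadcast = dip == LIMITED_BROADCAST or dip == LAN.broadcast_address
    if service and local_src and (to_broadcast or dip in MULTICAST):
        return "benign", f"{service}: normal LAN broadcast/multicast"
    if service and local_src and dip == ROUTER:
        return "benign", f"{service}: LAN host talking to the router"
    if ev["proto"] == "UDP" and ev["dport"] == 68 and not local_src:
        return "review", "DHCP offer from a server outside the LAN range"
    if local_src:
        return "review", "LAN host on an unrecognised port: find the owning program"
    return "investigate", "traffic from outside the LAN with no matching rule"


def triage(lines):
    """Classify every parseable line; return rows plus per-verdict and per-source counts."""
    rows = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            rows.append((ev, *classify(ev)))
    by_verdict = Counter(verdict for _, verdict, _ in rows)
    by_source = Counter(str(ev["sip"]) for ev, _, _ in rows)
    return rows, by_verdict, by_source


# Constructed sample: a subset of the lines quoted in the thread, with the
# DHCP alert the poster received by e-mail joined back onto one line.
SAMPLE_LOG = """\
2012-07-18 14:03:46.00 [DOS] UDP Packet - Source:192.168.0.12,137 Destination:192.168.0.255,137
2012-07-18 14:03:47.00 [DOS] UDP Packet - Source:192.168.0.12,1900 Destination:239.255.255.250,1900
2012-07-18 14:03:48.00 [DOS] UDP Packet - Source:192.168.0.12,57644 Destination:239.255.255.250,3702
2012-07-18 14:03:49.00 [DOS] UDP Packet - Source:192.168.0.12,1196 Destination:255.255.255.255,1196
2012-07-18 14:04:20.00 [DOS] TCP Packet - Source:192.168.0.12,49328 Destination:192.168.0.1,445
2012-07-18 14:04:55.00 [DOS] TCP Packet - Source:192.168.0.12,49356 Destination:192.168.0.1,5000
UDP Packet - Source:10.197.0.1,67 Destination:255.255.255.255,68
"""

if __name__ == "__main__":
    rows, by_verdict, by_source = triage(SAMPLE_LOG.splitlines())
    for ev, verdict, reason in rows:
        print(f"{verdict:11} {ev['proto']} {ev['sip']}:{ev['sport']} -> "
              f"{ev['dip']}:{ev['dport']}  {reason}")
    print("verdicts:", dict(by_verdict), " alerts per source:", dict(by_source))
```

A single LAN host accounting for every alert, as the per-source count shows here, points at that host's own services rather than at an outside attacker; the "review" rows are the ones worth mapping to a running program.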

  • Staff

Is there only one computer on this network?

Let's look a little deeper.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.


Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.20.09

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Master :: KYLE [administrator]

Protection: Enabled

7/20/2012 6:08:53 PM

mbam-log-2012-07-20 (18-08-53).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 238243

Time elapsed: 14 minute(s), 9 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

---------------------------------------------------------------------

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Master at 18:47:18 on 2012-07-20

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3691.2321 [GMT -4:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe

C:\Program Files (x86)\Internet Content Filter\UpdateService.exe

C:\Windows\system32\mfevtps.exe

C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe

C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Hewlett-Packard\Remote Graphics Sender\rgsendersvc.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files (x86)\Internet Content Filter\mfeicfcore.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Hewlett-Packard\HP LinkUp Sender\LinkUpZeroC.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\DllHost.exe

C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\atieclxx.exe

C:\Program Files (x86)\Hewlett-Packard\Remote Graphics Sender\rgsender.exe

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Hewlett-Packard\HP LinkUp Sender\LinkUpFTSender.exe

C:\Program Files (x86)\Hewlett-Packard\Remote Graphics Sender\rgsender_gui.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Users\Master\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar1.exe

C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar2.exe

C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files (x86)\Internet Content Filter\mfp.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Users\Master\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Master\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Master\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Master\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Master\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Master\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Master\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Master\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Master\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

mStart Page = about:blank

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120715114156.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

uRun: [Google Update] "C:\Users\Master\AppData\Local\Google\Update\GoogleUpdate.exe" /c

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [HPQuickWebProxy] "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"

mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

mRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

mRun: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

mRun: [nmapp] "C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe

mRun: [<NO NAME>]

mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun: [iCF] "C:\Program Files (x86)\Internet Content Filter\mfp.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: SoftwareSASGeneration = 3 (0x3)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112

TCP: Interfaces\{2CC0ADA1-D213-436C-8CFD-2956B820453C} : DhcpNameServer = 65.32.5.111 65.32.5.112

TCP: Interfaces\{2CC0ADA1-D213-436C-8CFD-2956B820453C}\743434232303737323 : DhcpNameServer = 65.32.5.111 65.32.5.112

TCP: Interfaces\{2CC0ADA1-D213-436C-8CFD-2956B820453C}\94E6E602144702458656022456163686 : DhcpNameServer = 75.75.75.75 8.8.8.8

TCP: Interfaces\{2CC0ADA1-D213-436C-8CFD-2956B820453C}\D6562716B696 : DhcpNameServer = 10.128.128.128

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\puresp4.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120715114156.dll

BHO-X64: scriptproxy - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [HPQuickWebProxy] "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"

mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

mRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

mRun-x64: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"

mRun-x64: [nmapp] "C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe

mRun-x64: [(Default)]

mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun-x64: [iCF] "C:\Program Files (x86)\Internet Content Filter\mfp.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

.

============= SERVICES / DRIVERS ===============

.

R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]

R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]

R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2012-7-14 23208]

R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]

R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]

R3 hprg;hprg;C:\Windows\system32\DRIVERS\hprg.sys --> C:\Windows\system32\DRIVERS\hprg.sys [?]

S3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2012-7-14 66320]

S3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]

.

=============== Created Last 30 ================

.

2012-07-19 21:41:54 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CBE39EAD-2D9F-4653-B2B9-FE7D8D6C1CD2}\mpengine.dll

2012-07-18 21:35:40 -------- d-----w- C:\FRST

2012-07-18 14:08:57 9133488 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-07-18 14:06:10 -------- d-----w- C:\Users\Master\AppData\Roaming\Malwarebytes

2012-07-18 14:05:47 -------- d-----w- C:\ProgramData\Malwarebytes

2012-07-18 14:05:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-07-18 14:05:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-07-18 14:04:49 -------- d-----w- C:\Users\Master\AppData\Local\Apple

2012-07-15 15:47:50 4117304 ----a-w- C:\Windows\SysWow64\seinst.dll

2012-07-15 15:47:48 -------- d-----w- C:\Program Files (x86)\Internet Content Filter

2012-07-15 15:47:40 2326840 ----a-w- C:\Windows\sediag.exe

2012-07-15 15:47:38 -------- d-----w- C:\ProgramData\Internet Content Filter

2012-07-15 15:42:26 -------- d-----w- C:\Program Files (x86)\McAfee.com

2012-07-15 15:41:55 10248 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys

2012-07-15 15:41:53 -------- d-----w- C:\Program Files (x86)\Common Files\McAfee

2012-07-15 15:41:41 75936 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys

2012-07-15 15:41:41 65264 ----a-w- C:\Windows\System32\drivers\cfwids.sys

2012-07-15 15:41:41 513456 ----a-w- C:\Windows\System32\drivers\mfefirek.sys

2012-07-15 15:41:41 335784 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys

2012-07-15 15:41:41 300392 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys

2012-07-15 15:41:41 100912 ----a-w- C:\Windows\System32\drivers\mferkdet.sys

2012-07-15 15:41:34 -------- d-----w- C:\Program Files\Common Files\McAfee

2012-07-15 15:41:32 -------- d-----w- C:\Program Files\McAfee.com

2012-07-15 15:41:31 -------- d-----w- C:\Program Files\McAfee

2012-07-15 15:41:05 -------- d-----w- C:\Program Files (x86)\McAfee

2012-07-15 15:36:03 177144 ----a-w- C:\Windows\System32\mfevtps.exe

2012-07-15 06:23:02 -------- d-----w- C:\Users\Master\AppData\Local\Google

2012-07-15 06:22:27 -------- d-----w- C:\Users\Master\AppData\Local\Apps

2012-07-15 06:22:26 -------- d-----w- C:\Users\Master\AppData\Local\Deployment

2012-07-15 03:06:50 -------- d-----w- C:\Users\Master\AppData\Local\Hewlett-Packard_Developme

2012-07-15 02:57:47 -------- d-----w- C:\Program Files (x86)\Emsisoft Anti-Malware

2012-07-11 14:23:07 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-07-10 19:08:50 2004480 ----a-w- C:\Windows\System32\msxml6.dll

2012-07-07 17:38:50 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-07-03 15:56:02 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A68638E4-6C29-4F63-B1E5-506AE6BE486E}\gapaengine.dll

2012-06-23 22:16:07 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-23 22:15:46 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-23 22:15:18 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-06-23 22:15:18 186752 ----a-w- C:\Windows\System32\wuwebv.dll

.

==================== Find3M ====================

.

2012-07-12 14:29:58 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-21 13:08:44 169320 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys

2012-06-21 13:08:42 752672 ----a-w- C:\Windows\System32\drivers\mfehidk.sys

2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll

2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll

2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll

2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll

2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys

2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys

2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys

2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll

2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll

2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll

2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll

2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll

2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-04-24 05:37:37 184320 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-04-24 05:37:37 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\System32\crypt32.dll

2012-04-24 04:36:42 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

.

============= FINISH: 18:49:19.54 ===============


  • Staff

Hi,

I notice that you are using more than one antivirus program (McAfee and Microsoft). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Reboot.

Are any of the computers on this network experiencing any symptoms of infection?

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
