Jump to content

Possible Infection?


Recommended Posts

I keep getting incoming and outgoing IP Blocks from random IPs along with this about a week ago my facebook account was accessed from Texas and by using IP locate I found a Texas IP address as being blocked. I'm not sure if this is coincidence or not, it could be I have spyware. I have installed MBAM and ESET NOD32. Both of which cannot find any infected files to which could be causing this.

To take action against the Facebook account access, I changed my password from a different and definitely secured machine.

The messages I see frequently are. (with asterisks for protection for whoever owns that IP)

IP-BLOCK 89.248.***.*** (Type: incoming, Port: 53, Process: svchost.exe)

I am worried that I'm either being keylogged or I have spyware.

 

The logs are attached. Thank you.

 

DDS.txt

Attach.txt

Link to post
Share on other sites

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
 
Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

    [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Link to post
Share on other sites

GMER 2.1.19163 - http://www.gmer.netRootkit scan 2013-06-20 15:01:49Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDS721050CLA362 rev.JP2OA3MA 465.76GBRunning: 6drielp2.exe; Driver: C:\Users\CRYSTA~1\AppData\Local\Temp\awloauoc.sys---- Threads - GMER 2.1 ----Thread   [352:412]                                                                                                                     0000000077adfbc0Thread  C:\Windows\System32\svchost.exe [156:1060]                                                                                     000007fefc36f2f4Thread  C:\Windows\System32\svchost.exe [156:1084]                                                                                     000007fefc316204Thread  C:\Windows\System32\svchost.exe [156:1180]                                                                                     000007fefbead8f8Thread  C:\Windows\System32\svchost.exe [156:1192]                                                                                     000007fefbea5620Thread  C:\Windows\System32\svchost.exe [156:1196]                                                                                     000007fefbea6e74Thread  C:\Windows\System32\svchost.exe [156:1280]                                                                                     000007fefbe7ffc0Thread  C:\Windows\System32\svchost.exe [156:1400]                                                                                     000007fefb5b331cThread  C:\Windows\System32\svchost.exe [156:2556]                                                                                     000007fef94720c0Thread  C:\Windows\System32\svchost.exe [156:1568]                                                                                     000007fef94726a8Thread  C:\Windows\System32\svchost.exe [156:1736]                                                                                     000007fef94014a0Thread  C:\Windows\System32\svchost.exe [156:2976]                                                                                     000007fef94729dcThread  C:\Windows\System32\svchost.exe [156:3060]                                                                                     000007fef94729dcThread  C:\Windows\System32\svchost.exe [156:3200]                                                                                     000007fefec1c608Thread  C:\Windows\System32\svchost.exe [156:3368]                                                                                     000007fef7f6a2b0Thread  C:\Windows\System32\svchost.exe [156:4364]                                                                                     000007fefa7f88f8Thread  C:\Windows\system32\svchost.exe [1220:2360]                                                                                    000007fef94f0ea8Thread  C:\Windows\system32\svchost.exe [1220:2356]                                                                                    000007fef94e9db0Thread  C:\Windows\system32\svchost.exe [1220:3104]                                                                                    000007fef94f1c94Thread  C:\Windows\system32\svchost.exe [1220:6884]                                                                                    000007fef94eaa10Thread  C:\Windows\System32\spoolsv.exe [1688:3500]                                                                                    000007fef80510c8Thread  C:\Windows\System32\spoolsv.exe [1688:3656]                                                                                    000007fef7b36144Thread  C:\Windows\System32\spoolsv.exe [1688:3676]                                                                                    000007fef79c5fd0Thread  C:\Windows\System32\spoolsv.exe [1688:3684]                                                                                    000007fef81f3438Thread  C:\Windows\System32\spoolsv.exe [1688:3688]                                                                                    000007fef79c63ecThread  C:\Windows\System32\spoolsv.exe [1688:3736]                                                                                    000007fef84b5e5cThread  C:\Windows\System32\spoolsv.exe [1688:3744]                                                                                    000007fef7de5074Thread  C:\Windows\SysWOW64\ntdll.dll [1800:1804]                                                                                      000000000034795aThread  C:\Windows\SysWOW64\ntdll.dll [2008:2012]                                                                                      00000000001c975eThread  C:\Windows\SysWOW64\ntdll.dll [2008:2032]                                                                                      00000000001bfe50Thread  C:\Windows\SysWOW64\ntdll.dll [1452:1496]                                                                                      00000000013cebb2Thread  C:\Windows\SysWOW64\ntdll.dll [1452:2320]                                                                                      000000000137a500Thread  C:\Windows\SysWOW64\ntdll.dll [1452:2428]                                                                                      000000000137d0a0Thread  C:\Windows\SysWOW64\ntdll.dll [1452:2292]                                                                                      0000000001376190Thread  C:\Windows\SysWOW64\ntdll.dll [1876:1924]                                                                                      000000000040b7cfThread  C:\Windows\SysWOW64\ntdll.dll [1876:1584]                                                                                      0000000000409d40Thread  C:\Windows\System32\WUDFHost.exe [3412:3636]                                                                                   000007fef7da24a0Thread   [3732:3780]                                                                                                                   0000000077cf2e25Thread   [3732:1356]                                                                                                                   0000000077cf3e45Thread   [3732:1200]                                                                                                                   0000000077257587Thread  C:\Windows\Explorer.EXE [3712:2872]                                                                                            000007fefc316204Thread  C:\Windows\Explorer.EXE [3712:4048]                                                                                            000007fef1842118Thread  C:\Windows\Explorer.EXE [3712:3096]                                                                                            000007fef99c2154Thread  C:\Windows\Explorer.EXE [3712:4508]                                                                                            000007fefbe31010Thread  C:\Windows\Explorer.EXE [3712:4816]                                                                                            0000000074f62e08Thread  C:\Windows\Explorer.EXE [3712:5204]                                                                                            0000000074f62e08Thread  C:\Windows\Explorer.EXE [3712:3508]                                                                                            0000000074f62e08Thread  C:\Windows\Explorer.EXE [3712:5552]                                                                                            0000000074f62e08Thread  C:\Windows\Explorer.EXE [3712:5764]                                                                                            000007fefbd31ebcThread  C:\Windows\SysWOW64\ntdll.dll [252:728]                                                                                        0000000000041532Thread  C:\Windows\system32\svchost.exe [5116:6604]                                                                                    000007fee60644e0Thread   [5228:5184]                                                                                                                   000000005ac5a8e1Thread   [5228:5544]                                                                                                                   0000000077cf2e25Thread   [5228:6900]                                                                                                                   0000000077cf3e45Thread   [5228:288]                                                                                                                    00000000708f62eeThread  C:\Windows\SysWOW64\ntdll.dll [5644:3752]                                                                                      0000000000e166d0Thread  C:\Windows\SysWOW64\ntdll.dll [5644:2392]                                                                                      0000000000dff10fThread  C:\Windows\SysWOW64\ntdll.dll [5644:6008]                                                                                      0000000000dff10f---- Registry - GMER 2.1 ----Reg     HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{419F8156-FD4F-44DC-B337-E3978892B5B4}@LeaseObtainedTime    1371733462Reg     HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{419F8156-FD4F-44DC-B337-E3978892B5B4}@T1                   1371733589Reg     HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{419F8156-FD4F-44DC-B337-E3978892B5B4}@T2                   1371733685Reg     HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{419F8156-FD4F-44DC-B337-E3978892B5B4}@LeaseTerminatesTime  1371733717---- EOF - GMER 2.1 ----

 

ark.txt

Link to post
Share on other sites

Combofix


Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Link to post
Share on other sites

Here is the ComboFix log.

Along with this, when ComboFix forced a shutdown on my computer it bluescreened. It bluescreened at the point where it says "Shutting Down" when you wait for it to shut down. I have included these logs too in case they are related as I don't usually BlueScreen at all.

 

ComboFix Log

BlueScreen: 

==================================================Dump File         : 062013-37237-01.dmpCrash Time        : 20/06/2013 16:06:56Bug Check String  : DRIVER_POWER_STATE_FAILUREBug Check Code    : 0x1000009fParameter 1       : 00000000`00000004Parameter 2       : 00000000`00000258Parameter 3       : fffffa80`036b0040Parameter 4       : fffff800`00b9c3d0Caused By Driver  : WudfPf.sysCaused By Address : WudfPf.sys+6500File Description  : Product Name      : Company           : File Version      : Processor         : x64Crash Address     : ntoskrnl.exe+78a7aStack Address 1   : Stack Address 2   : Stack Address 3   : Computer Name     : Full Path         : C:\Windows\Minidump\062013-37237-01.dmpProcessors Count  : 4Major Version     : 15Minor Version     : 7601Dump File Size    : 714,832==================================================

ComboFix.txt

Link to post
Share on other sites

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.