Suspecting malware using my network resources maliciously



Hi guys,

Although my computer seems to be running OK, I noticed several symptoms that make me think that it could be infected by some malicious malware.

Symptom 1: My router (Tenda) would go down intermittently (sometimes as many as 5 times in the same day). When the router was down, I could not access the internet, no other computer in the network could access it either, and I could not ping the router. Sometimes I could ping the router but could not connect to its admin page (web console). Tenda support told me that I may have an ARP virus (spoofing of IP address to redirect packets...)

Symptom 2: Although MBAM did not spot any malware, it reported many times that it "has blocked access to some potentially malicious website", giving me some IP addresses located in Moldavia or Ukraine. I suspect that some rogue servers are trying to access our network and scan for loopholes and flaws.

Symptom 3: We repeatedly have IP address conflicts (although we are using a small router configured in DHCP mode and only 4 computers are connected to it in automatic DHCP mode). We never used to have IP conflicts with such a configuration.

Tenda suggested that I should run an analysis of my network traffic which I did using Colasoft Capsa 7, but it did not report any ARP spoofing or so...

Anyway, here are my logs. I hope you guys can help me find out whether my computer is infected or not.

Thanks,

Alex

DDS (Ver_2011-07-14.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Alex at 17:52:06 on 2011-07-19

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1925 [GMT 6:00]

.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ================

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\DU Meter\DUMeterSvc.exe

C:\Program Files\ICQ6Toolbar\ICQ Service.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\AMT\UNS.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\TeamViewer\Version6\TeamViewer.exe

C:\Program Files\TeamViewer\Version6\tv_w32.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\WINDOWS\System32\alg.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Intel\AMT\atchk.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Update\1.3.21.57\GoogleCrashHandler.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\PROGRA~1\ICQ7.5\ICQ.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\DUMETE~1\DUMeter.exe

C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Documents and Settings\Alex\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\taskmgr.exe

C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\SearchFilterHost.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.lemonde.fr/

uProxyServer = 192.168.0.131:3128

uURLSearchHooks: ICQToolBar: {855F3B16-6D32-4fe6-8A56-BBB695989046} - c:\program files\icq6toolbar\ICQToolBar.dll

uURLSearchHooks: <No Name>: - LocalServer32 - <no file>

BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4A368E80-174F-4872-96B5-0B27DDD11DB2} - c:\program files\spywareguard\dlprotect.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>

BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll

EB: ICQToolBar: {855F3B16-6D32-4FE6-8A56-BBB695989046} - c:\program files\icq6toolbar\ICQToolBar.dll

uRun: [Google Update] "c:\documents and settings\alex\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [DU Meter] c:\program files\du meter\DUMeter.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [GoogleContactSync] c:\program files\webgear\go contact sync\GOContactSync.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Facebook Update] "c:\documents and settings\alex\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver

uRun: [iCQ] "c:\progra~1\icq7.5\ICQ.exe" silent loginmode=4

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray

mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe

mRun: [atchk] "c:\program files\intel\amt\atchk.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [sAOB Monitor] c:\program files\acronis\onlinebackupstandalone\TrueImageMonitor.exe

mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\docume~1\alex\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\alex\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alex\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech touch mouse server\iTouch-Server-Win.exe

StartupFolder: c:\docume~1\alex\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\WINDOW~1.LNK -

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\icq7.5\ICQ.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab

TCP: NameServer = 192.168.0.1

TCP: Interfaces\{AF2AF932-8107-43F0-8A67-E91CF47DD3A8} : DHCPNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: ipp - <Clsid value has no data>

Handler: msdaipp - <Clsid value has no data>

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SpywareGuard.Handler - {81559C35-8464-49F7-BB0E-07A383BEF910} - c:\program files\spywareguard\spywareguard.dll

SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

IFEO: Your Image File Name Here without a path - ntsd -d

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\alex\application data\mozilla\firefox\profiles\74654nhv.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=1.1.9&q=

FF - prefs.js: network.proxy.ftp - 192.168.0.131

FF - prefs.js: network.proxy.ftp_port - 3128

FF - prefs.js: network.proxy.gopher - 192.168.0.131

FF - prefs.js: network.proxy.gopher_port - 3128

FF - prefs.js: network.proxy.http - 192.168.0.131

FF - prefs.js: network.proxy.http_port - 3128

FF - prefs.js: network.proxy.socks - 192.168.0.131

FF - prefs.js: network.proxy.socks_port - 3128

FF - prefs.js: network.proxy.ssl - 192.168.0.131

FF - prefs.js: network.proxy.ssl_port - 3128

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\alex\application data\mozilla\firefox\profiles\74654nhv.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll

FF - plugin: c:\documents and settings\alex\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\alex\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\alex\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll

FF - plugin: c:\documents and settings\alex\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.2166.3772\npCIDetect14.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-6-17 752128]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-16 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-16 309848]

R1 CSN5PDTS82;CSN5PDTS82 NDIS Protocol Driver;c:\windows\system32\drivers\CSN5PDTS82.sys [2011-7-15 28184]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-3-21 218688]

R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-6-17 3975088]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-16 19544]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-3-16 42184]

R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-2-24 22504]

R2 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2011-3-1 513536]

R2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2011-3-7 247096]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-27 366640]

R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-6-1 2337144]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2010-11-8 1464856]

R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-6-17 163232]

R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-8-24 227896]

R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2011-7-10 38608]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-27 22712]

R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-8-24 49152]

R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2011-3-24 25088]

S1 CSN5PDTS82x64;CSN5PDTS82x64 NDIS Protocol Driver;c:\windows\system32\drivers\csn5pdts82x64.sys --> c:\windows\system32\drivers\CSN5PDTS82x64.sys [?]

S1 CsNdisLWF;CsNdisLWF NDIS Protocol Driver;c:\windows\system32\drivers\csndislwf.sys --> c:\windows\system32\drivers\CsNdisLWF.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-1 136176]

S3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files\du meter\DUM_XP32.sys [2011-3-1 14992]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-1 136176]

S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2007-7-16 35072]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-3-12 18432]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== File Associations ===============

.

ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"

ShellExec: Foxit Reader.exe: print="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/p "%1"

ShellExec: Foxit Reader.exe: printto="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/t "%1" "%2" "%3" "%4"

.

=============== Created Last 30 ================

.

2011-07-18 14:10:00 -------- d-----w- c:\documents and settings\alex\local settings\application data\ApplicationHistory

2011-07-18 10:18:21 -------- d-----w- c:\windows\system32\winrm

2011-07-18 10:18:18 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

2011-07-18 10:16:09 -------- d-----w- c:\program files\Windows Media Connect 2

2011-07-18 10:14:21 -------- d-----w- c:\windows\system32\LogFiles

2011-07-18 10:12:07 -------- d-----w- c:\windows\system32\URTTEMP

2011-07-15 11:16:06 -------- d-----w- c:\program files\common files\Colasoft Shared

2011-07-15 11:16:06 -------- d-----w- c:\documents and settings\alex\application data\Colasoft MAC Scanner

2011-07-15 11:16:02 -------- d-----w- c:\documents and settings\all users\application data\Colasoft Capsa 7.4 - Enterprise Edition Demo

2011-07-15 11:16:02 -------- d-----w- c:\documents and settings\alex\application data\Colasoft Capsa 7.4 - Enterprise Edition Demo

2011-07-15 11:14:38 28184 ----a-w- c:\windows\system32\drivers\CSN5PDTS82.sys

2011-07-15 11:14:32 -------- d-----w- c:\program files\Colasoft Capsa 7 Enterprise Demo Edition

2011-07-14 04:00:02 -------- d-----w- c:\documents and settings\alex\local settings\application data\MetaGeek,_LLC

2011-07-13 09:36:10 -------- d-----w- c:\program files\iCamSource

2011-07-13 08:23:11 -------- d-----w- c:\program files\MetaGeek

2011-07-13 07:59:59 -------- d-----w- c:\documents and settings\alex\application data\Hobbyist Software

2011-07-13 07:58:40 -------- d-----w- c:\program files\Hobbyist Software

2011-07-12 08:17:13 -------- d-sh--w- C:\Diskeeper

2011-07-10 13:29:01 38608 ----a-w- c:\windows\system32\drivers\DKRtWrt.sys

2011-07-10 13:28:57 -------- d-----w- c:\program files\common files\Diskeeper Corporation

2011-07-10 13:28:56 -------- d-----w- c:\documents and settings\all users\application data\Diskeeper Corporation

2011-07-10 13:28:55 -------- d-----w- c:\program files\Windows Home Server

2011-07-10 13:28:55 -------- d-----w- c:\program files\Diskeeper Corporation

2011-07-10 06:54:36 -------- d-----w- c:\windows\system32\NtmsData

2011-07-06 18:53:28 -------- d-----w- c:\documents and settings\alex\local settings\application data\Facebook

2011-07-06 13:39:42 -------- d-----w- c:\program files\iPod

2011-07-06 13:39:20 -------- d-----w- c:\program files\iTunes

2011-07-05 00:00:16 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-07-05 00:00:15 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-07-03 20:30:25 -------- d-----w- c:\documents and settings\alex\.homeplayer

2011-07-03 20:28:45 -------- d-----w- c:\program files\HomePlayer

2011-07-03 20:08:12 -------- d-----w- c:\program files\FpTest

2011-06-20 13:18:06 -------- d-----w- c:\program files\EverythingAccess.com

2011-06-20 13:14:57 -------- d-----w- c:\program files\Access Password Recovery Master

2011-06-19 15:51:56 -------- d-----w- c:\windows\SxsCaPendDel

.

==================== Find3M ====================

.

2011-07-18 07:22:34 60 ----a-w- c:\windows\wpd99.drv

2011-07-17 03:49:06 151552 ----a-w- c:\windows\KMSEmulator.exe

2011-07-06 13:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 13:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr

2011-07-04 11:36:43 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-06-16 21:29:22 163232 ----a-w- c:\windows\system32\drivers\afcdp.sys

2011-06-16 21:29:15 752128 ----a-w- c:\windows\system32\drivers\tdrpm273.sys

2011-06-16 21:29:13 600928 ----a-w- c:\windows\system32\drivers\timntr.sys

2011-06-16 21:29:02 170464 ----a-w- c:\windows\system32\drivers\snapman.sys

2011-06-16 20:45:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-10 02:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-05-10 02:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-05-04 02:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 00:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec

2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys

.

============= FINISH: 17:58:43.51 ===============

ark.zip

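The two network symptoms in the post above (a gateway that stops answering and recurring IP address conflicts) are exactly what an ARP-level check is for: a sniffer such as Capsa records which MAC address answers for each IP, and the host's own `arp -a` cache shows what the machine currently believes. The Python below is an added example written for this thread; it is not the poster's data and is not part of Capsa, DDS or Malwarebytes. The captured ARP replies, the `arp -a` text, the gateway address and every MAC in it are constructed so the script runs offline.

```python
"""Flag ARP inconsistencies (gateway impersonation, IP conflicts) from
captured ARP replies and from Windows `arp -a` output.

Added example for this thread; all sample data below is constructed."""
import re
from collections import defaultdict

# Constructed sample: (time_s, sender_ip, sender_mac) as a LAN sniffer
# would record them from ARP replies. Two different MACs answer for the
# gateway 192.168.0.1, and 192.168.0.12 is claimed by two hosts.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.0.1",  "00:11:22:33:44:01"),
    (0.5, "192.168.0.10", "00:11:22:33:44:10"),
    (1.0, "192.168.0.11", "00:11:22:33:44:11"),
    (1.5, "192.168.0.12", "00:11:22:33:44:12"),
    (2.0, "192.168.0.1",  "00:11:22:33:44:10"),  # second MAC for the gateway
    (2.5, "192.168.0.12", "00:11:22:33:44:13"),  # address conflict on .12
    (3.0, "192.168.0.1",  "00:11:22:33:44:01"),
]

# Constructed sample of Windows XP `arp -a` output for the same network.
SAMPLE_ARP_A = """\
Interface: 192.168.0.11 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-10     dynamic
  192.168.0.10          00-11-22-33-44-10     dynamic
  192.168.0.12          00-11-22-33-44-13     dynamic
"""


def normalize_mac(mac):
    """Accept both 00-11-.. (Windows) and 00:11:.. forms, compare lowercase."""
    return mac.lower().replace("-", ":")


def ip_to_macs(replies):
    """Map each sender IP to the set of MACs that claimed it."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(normalize_mac(mac))
    return seen


def find_ip_conflicts(replies):
    """IPs claimed by more than one MAC: ARP spoofing or a DHCP conflict."""
    return {ip: sorted(macs)
            for ip, macs in ip_to_macs(replies).items() if len(macs) > 1}


def find_gateway_impersonation(replies, gateway_ip, known_gateway_mac):
    """MACs other than the real gateway MAC that answered for the gateway IP."""
    macs = ip_to_macs(replies).get(gateway_ip, set())
    return sorted(macs - {normalize_mac(known_gateway_mac)})


def parse_arp_a(text):
    """Parse Windows `arp -a` output into {ip: mac}; header lines are skipped."""
    entry = re.compile(
        r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+\w+")
    table = {}
    for line in text.splitlines():
        m = entry.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def duplicate_macs(table):
    """MACs that appear for more than one IP in the local ARP cache."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway_cache(table, gateway_ip, known_gateway_mac):
    """True if the local ARP cache maps the gateway to the expected MAC."""
    return table.get(gateway_ip) == normalize_mac(known_gateway_mac)


if __name__ == "__main__":
    gw, gw_mac = "192.168.0.1", "00:11:22:33:44:01"  # constructed values
    print("IP conflicts:", find_ip_conflicts(SAMPLE_ARP_REPLIES))
    print("Gateway impersonators:",
          find_gateway_impersonation(SAMPLE_ARP_REPLIES, gw, gw_mac))
    cache = parse_arp_a(SAMPLE_ARP_A)
    print("MACs claiming several IPs:", duplicate_macs(cache))
    print("Gateway cache entry OK:", check_gateway_cache(cache, gw, gw_mac))
```

The known gateway MAC has to come from the router itself (its label or admin page) rather than from the ARP cache, otherwise a poisoned entry would be treated as the reference. A MAC that answers for the gateway IP while also holding its own address, as the `.10` host does in the sample, is the pattern to look for; the same run-through also catches a plain DHCP conflict, which on its own is not evidence of malware.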

  • Staff

Hi and welcome to Malwarebytes.

1. Very important: First disconnect your computers from the Internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into the small hole labeled Reset located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds).

3. Reset the IP/DNS settings of your Internet connection on each computer connected:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under the General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    ipconfig /flushdns


  • Then hit enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.


Hi Chris,

I have followed all your steps, and I keep having the popups!

It's happening both at home and in the office, so I repeated the same steps on both my office router (Tenda) and my home router (Linksys).

On my home router, in addition I have upgraded to the latest firmware.

Of course, I have changed the admin console passwords for the routers both at home and in the office. Both routers' Wi-Fi networks are protected with strong passwords (also changed).

Any idea?

Alex


  • Staff

Hi,

If it's happening at home and at the office then it's not the router.

Let's investigate further.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
