twotix

Members
Posts: 15
Reputation: 0 Neutral
  1. Getting inbound/outbound detections for a couple of IP addresses. All within the last two days. These show as being from China:

     Detection, 9/20/2014 7:18:48 PM, SYSTEM, MY-VAIO, Protection, Malicious Website Protection, IP, 218.9.30.102, 50427, Inbound, C:\Windows\System32\svchost.exe,
     Detection, 9/20/2014 7:18:48 PM, SYSTEM, MY-VAIO, Protection, Malicious Website Protection, IP, 218.9.30.102, 50427, Outbound, C:\Windows\System32\svchost.exe,

     Outbound detection for this IP. Shows from Egypt:

     Detection, 9/19/2014 11:43:50 AM, SYSTEM, MY-VAIO, Protection, Malicious Website Protection, IP, 41.35.122.179, 60852, Outbound, C:\Windows\System32\svchost.exe

     All were blocked, but wondered if there was anything to be concerned about (especially if they are outbound) like a trojan or anything malicious? Also, have a Comcast (Cisco) Wireless Gateway, so don't know if I can block these individual ports or is that kind of useless anyway? Thanks!
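Triage of lines like the ones in that post, as an added example that is not part of the original post or of Malwarebytes' own tooling. It parses the comma-separated "Malicious Website Protection" detection format exactly as it appears above (the field positions are inferred from those three lines and are an assumption), groups hits per remote IP, and pulls out the outbound ones, since an outbound block means a local process tried to reach the flagged address and is the case worth attributing to a specific service. The sample input is constructed from the post's own three lines.

```python
"""Parse Malwarebytes 2.x 'Malicious Website Protection' detection lines and
summarize them per remote IP.  Added example; field layout is inferred from
the lines quoted in the post (an assumption), sample input is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the three detection lines from the post above.
SAMPLE_LOG = """\
Detection, 9/20/2014 7:18:48 PM, SYSTEM, MY-VAIO, Protection, Malicious Website Protection, IP, 218.9.30.102, 50427, Inbound, C:\\Windows\\System32\\svchost.exe,
Detection, 9/20/2014 7:18:48 PM, SYSTEM, MY-VAIO, Protection, Malicious Website Protection, IP, 218.9.30.102, 50427, Outbound, C:\\Windows\\System32\\svchost.exe,
Detection, 9/19/2014 11:43:50 AM, SYSTEM, MY-VAIO, Protection, Malicious Website Protection, IP, 41.35.122.179, 60852, Outbound, C:\\Windows\\System32\\svchost.exe
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass(frozen=True)
class Detection:
    timestamp: str
    host: str
    ip: str
    port: int
    direction: str
    process: str


def parse_detections(text):
    """Return Detection records; lines that are not MWP IP detections are skipped."""
    out = []
    for line in text.splitlines():
        # Trailing comma on some lines is part of the export format.
        fields = [f.strip() for f in line.strip().rstrip(",").split(",")]
        # Assumed layout (11 fields):
        # Detection, time, user, host, Protection, Malicious Website Protection,
        # IP, <ip>, <port>, <direction>, <process>
        if len(fields) != 11 or fields[0] != "Detection":
            continue
        if fields[5] != "Malicious Website Protection" or fields[6] != "IP":
            continue
        if not IPV4.fullmatch(fields[7]) or not fields[8].isdigit():
            continue
        out.append(Detection(fields[1], fields[3], fields[7], int(fields[8]),
                             fields[9], fields[10]))
    return out


def summarize(detections):
    """Group by remote IP: counts per direction, ports seen, processes seen."""
    by_ip = defaultdict(lambda: {"inbound": 0, "outbound": 0,
                                 "ports": set(), "processes": set()})
    for d in detections:
        entry = by_ip[d.ip]
        entry[d.direction.lower()] += 1
        entry["ports"].add(d.port)
        entry["processes"].add(d.process.lower())
    return dict(by_ip)


def outbound_hits(detections):
    """(process, ip) pairs for outbound blocks: the ones to attribute to a
    service, since the local process initiated the connection."""
    return sorted({(d.process, d.ip) for d in detections
                   if d.direction.lower() == "outbound"})


if __name__ == "__main__":
    dets = parse_detections(SAMPLE_LOG)
    for ip, info in summarize(dets).items():
        print(ip, info["inbound"], "in", info["outbound"], "out",
              "ports", sorted(info["ports"]))
    for proc, ip in outbound_hits(dets):
        print("outbound:", proc, "->", ip)
```

Two practitioner notes on what the summary can and cannot tell you. svchost.exe hosts many services in one process, so the process name alone does not identify which service opened the connection; on the machine itself, `tasklist /svc` lists the services in each svchost PID and `netstat -bno` (elevated) shows the owning PID and binary for each live connection. And the port numbers in these lines (50427, 60852) sit in the ephemeral range, so a per-port rule on a home gateway would not match the next connection; if anything is blocked at the gateway it should be the destination address, not the port.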
  4. Had my laptop pronounced clean a couple of weeks back at windowsbbs. This software, which Malwarebytes Pro flagged as malware (PUP.Optional.Flux.A), was installed on my machine at that time, but nothing came up with other scans or MBAM Pro. Is this malware? Here is my MBAM Pro log, and FBAR scan logs are attached. Thx.

     -----------------------------------------
     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 6/28/2014
     Scan Time: 8:00:39 PM
     Logfile: Malware Bytes Flux Software 6-28-14.txt
     Administrator: Yes

     Version: 2.00.2.1012
     Malware Database: v2014.06.28.05
     Rootkit Database: v2014.06.23.02
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Disabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: MY

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 412208
     Time Elapsed: 12 min, 59 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 1
     PUP.Optional.Flux.A, HKU\S-1-5-21-679210397-2375353738-1777670786-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Flux, , [23b2b2cbcead75c141eef4b8c43e1fe1],

     Registry Values: 1
     PUP.Optional.Flux.A, HKU\S-1-5-21-679210397-2375353738-1777670786-1005-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|f.lux, "C:\Users\MY\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow, , [973e76070f6cbb7b42ffa90312f05ba5]

     Registry Data: 0
     (No malicious items detected)

     Folders: 6
     PUP.Optional.Flux.A, C:\Users\Justin\AppData\Local\FluxSoftware, , [20b585f8087374c2ed42e8c491711ce4],
     PUP.Optional.Flux.A, C:\Users\Justin\AppData\Local\FluxSoftware\Flux, , [20b585f8087374c2ed42e8c491711ce4],
     PUP.Optional.Flux.A, C:\Users\Justin\AppData\Local\FluxSoftware\Flux\runtime, , [20b585f8087374c2ed42e8c491711ce4],
     PUP.Optional.Flux.A, C:\Users\MY\AppData\Local\FluxSoftware, , [23b2b2cbcead75c141eef4b8c43e1fe1],
     PUP.Optional.Flux.A, C:\Users\MY\AppData\Local\FluxSoftware\Flux, , [23b2b2cbcead75c141eef4b8c43e1fe1],
     PUP.Optional.Flux.A, C:\Users\MY\AppData\Local\FluxSoftware\Flux\runtime, , [23b2b2cbcead75c141eef4b8c43e1fe1],

     Files: 11
     PUP.Optional.Flux.A, C:\Users\Justin\AppData\Local\FluxSoftware\Flux\flux.exe, , [20b585f8087374c2ed42e8c491711ce4],
     PUP.Optional.Flux.A, C:\Users\Justin\AppData\Local\FluxSoftware\Flux\uninstall.exe, , [20b585f8087374c2ed42e8c491711ce4],
     PUP.Optional.Flux.A, C:\Users\Justin\AppData\Local\FluxSoftware\Flux\runtime\Calibri-14-400-0.ytf, , [20b585f8087374c2ed42e8c491711ce4],
     PUP.Optional.Flux.A, C:\Users\Justin\AppData\Local\FluxSoftware\Flux\runtime\Calibri-36-700-0.ytf, , [20b585f8087374c2ed42e8c491711ce4],
     PUP.Optional.Flux.A, C:\Users\Justin\AppData\Local\FluxSoftware\Flux\runtime\flux.psd, , [20b585f8087374c2ed42e8c491711ce4],
     PUP.Optional.Flux.A, C:\Users\Justin\AppData\Local\FluxSoftware\Flux\runtime\flux.tre, , [20b585f8087374c2ed42e8c491711ce4],
     PUP.Optional.Flux.A, C:\Users\MY\AppData\Local\FluxSoftware\Flux\uninstall.exe, , [23b2b2cbcead75c141eef4b8c43e1fe1],
     PUP.Optional.Flux.A, C:\Users\MY\AppData\Local\FluxSoftware\Flux\runtime\Calibri-14-400-0.ytf, , [23b2b2cbcead75c141eef4b8c43e1fe1],
     PUP.Optional.Flux.A, C:\Users\MY\AppData\Local\FluxSoftware\Flux\runtime\Calibri-36-700-0.ytf, , [23b2b2cbcead75c141eef4b8c43e1fe1],
     PUP.Optional.Flux.A, C:\Users\MY\AppData\Local\FluxSoftware\Flux\runtime\flux.psd, , [23b2b2cbcead75c141eef4b8c43e1fe1],
     PUP.Optional.Flux.A, C:\Users\MY\AppData\Local\FluxSoftware\Flux\runtime\flux.tre, , [23b2b2cbcead75c141eef4b8c43e1fe1],

     Physical Sectors: 0
     (No malicious items detected)

     (end)
     --------------------------------

     FRST.txt
     Addition.txt
  5. Figured out this was actually caused by the MalwareBytes Professional latest version. Feel free to close this thread. Thx.
  6. CCleaner Registry Cleaner keeps finding this key after reboot even though I have been deleting it. Could this be an indication of possible malware? Running Win Home Premium 64-bit on a Sony Vaio laptop, model VPCEG1BFX (2011). Farbar logs attached. Thx.

     FRST.txt
     Addition.txt
  7. I ran Malwarebytes Pro updated Quick Scan and these files came up, which I removed. Said to restart, and my monitor was nuked... lime green and yellow, barely legible. Restored the deleted malware? files but still the same. Did a system restore and it fixed it. Question is why did it happen, and is it a malware or Malwarebytes issue? Log attached. Thx.

     MBAM-log-2014-01-06 (04-44-01).txt
  8. Oops... sent you the log file. Attached the combofix.txt as requested, although probably the same. Thanks!

     ComboFix.txt
  9. Done. Nothing found. Processes are still running. Please see the attached screen shots from Task Manager and Glary Utilities Process Manager. Same issues as explained in the first post. Please refer to that for an explanation. Task Manager still won't allow ending processes because they are critical system ones, while Glarysoft won't either. The system path with the question marks in front and high priority looks like they are disguised and rogue. Thanks.

     Windows Task Mgr 8-24-13.bmp
     Screen Capture 8-24-13.bmp
  10. Done. Thanks!

      RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
      mail : tigzyRK<at>gmail<dot>com
      Feedback : http://www.adlice.com/forum/
      Website : http://www.adlice.com/softwares/roguekiller/
      Blog : http://tigzyrk.blogspot.com/

      Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
      Started in : Normal mode
      User : Justin [Admin rights]
      Mode : Scan -- Date : 08/24/2013 12:40:50
      | ARK || FAK || MBR |

      ¤¤¤ Bad processes : 0 ¤¤¤

      ¤¤¤ Registry Entries : 1 ¤¤¤
      [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

      ¤¤¤ Scheduled tasks : 0 ¤¤¤

      ¤¤¤ Startup Entries : 0 ¤¤¤

      ¤¤¤ Web browsers : 1 ¤¤¤
      [FF][PROXY] s9exjmvz.default-1376154624703 : user_pref("network.proxy.type", 4); -> FOUND

      ¤¤¤ Particular Files / Folders: ¤¤¤

      ¤¤¤ Driver : [LOADED] ¤¤¤

      ¤¤¤ External Hives: ¤¤¤
      -> C:\windows\system32\config\SYSTEM | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\windows\system32\config\SOFTWARE | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\windows\system32\config\SECURITY | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\windows\system32\config\SAM | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\windows\system32\config\DEFAULT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\Admin\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\All Users\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
      -> C:\Documents and Settings\Bethie\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\fbwuser\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\Justin\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\Justin.NA\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\NA\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
      -> C:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\User\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]
      -> C:\Documents and Settings\User.NA\NTUSER.DAT | DRVINFO [Drv - C:] | SYSTEMINFO [sys - C:] [sys32 - FOUND] | USERINFO [startup - FOUND]

      ¤¤¤ Infection : ¤¤¤

      ¤¤¤ HOSTS File: ¤¤¤
      --> %SystemRoot%\System32\drivers\etc\hosts
      127.0.0.1 localhost

      ¤¤¤ MBR Check: ¤¤¤

      +++++ PhysicalDrive0: ST380013A +++++
      --- User ---
      [MBR] 031099d2871845ab8309953ce80d88af
      [bSP] cb5c6d4d10172c38b46246562b823fcc : Windows XP MBR Code
      Partition table:
      0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 39997 Mo
      1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 81915435 | Size: 36310 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!

      +++++ PhysicalDrive1: ST380013A +++++
      --- User ---
      [MBR] fbb62b50edccfee2acb93d19dbb15866
      [bSP] 99ae7c83941e693fe6415400241f8bbe : Windows XP MBR Code
      Partition table:
      0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 134003 Mo
      1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 274438395 | Size: 104461 Mo
      User = LL1 ... OK!
      User = LL2 ... OK!

      Finished : << RKreport[0]_S_08242013_124050.txt >>
  11. RE: Winlogon.exe and csrss.exe infections

      Hello, I'm running XP Pro, SP3. I noticed in Glarysoft Pro 3 under processes these two items, which appear to be Trojans from my research. One indicator is the executable path, which is not my normal system32 folder, which on my machine is the E:\WINDOWS\system32 folder. The infections have the same file name but with two question marks in front. They are also the only two processes that have high priority. My Windows system32 folder has the real winlogon.exe, that is only 496kb, versus the infection file, which shows memory of 2554 kb. Same deal for csrss.exe, which is 6kb versus the infection at 2764kb. I read that malware files are much larger than the real Windows files. Under the Windows Task Manager, they cannot be ended because they are "critical" system processes, nor could I end them in Glarysoft 3. Also, these are not showing up on the attached DDS log.

      Infections:
      Name          Executable
      winlogon.exe  \??\E:\WINDOWS\system32\winlogon.exe
      csrss.exe     \??\E:\WINDOWS\system32\csrss.exe

      Also, are these processes legit, as they have no information?:
      System
      System Idle Process

      I read another thread for troubleshooting winlogon.exe in this forum and ran RogueKiller as was suggested, and have attached the report but didn't delete anything. Thought it might give an indication. I'm running a trial version of Kaspersky Pure 3.0 and MBAM Pro, which hasn't been automatically starting. A few weeks ago, I had to reinstall XP Pro, which is why it is on my E partition. I tried to restore a registry backup from Glarysoft, and when Windows tried to load it would get into a reboot loop. I figured I had nuked the registry. The required dds and attach.txt logs are attached. Thanks!

      dds.txt
      attach.txt
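A location check for the two paths quoted in that post, as an added example that is not part of the original post or of any of the tools it names. Two facts are worth separating from the interpretation in the post: the `\??\` in front of a path is the NT object-manager namespace prefix, which Windows itself reports on image paths of processes started through the native API, so the prefix alone is not a sign of a substitute binary; and a working-set figure shown by a process manager is memory, not file size, so it cannot be compared with the on-disk size of the file in system32. What is comparable is where the binary actually lives: winlogon.exe and csrss.exe are always run from %SystemRoot%\System32, and a copy running from anywhere else is the signal worth chasing. The list of names and the sample rows below are constructed for the example.

```python
r"""Normalize process image paths reported with NT prefixes and check that
core Windows binaries run from %SystemRoot%\System32.  Added example; the
SYSTEM32_ONLY set and the sample rows are constructed for illustration."""
import ntpath

# Binaries that Windows only ever runs from %SystemRoot%\System32 (assumed list).
SYSTEM32_ONLY = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}

# NT namespace prefix, Win32 verbatim prefix, device prefix: \??\  \\?\  \\.\
NT_PREFIXES = ("\\??\\", "\\\\?\\", "\\\\.\\")


def normalize_nt_path(p):
    """Strip a leading NT/Win32 prefix that Windows itself adds to reported
    image paths, then canonicalize (NT path rules, case-folded)."""
    p = p.strip()
    for pre in NT_PREFIXES:
        if p.startswith(pre):
            p = p[len(pre):]
            break
    return ntpath.normpath(p).lower()


def check_image_path(reported_path, system_root):
    """Return (basename, verdict, normalized_path).

    'ok'             : a SYSTEM32_ONLY binary running from <system_root>\system32
    'wrong_location' : a SYSTEM32_ONLY name running from anywhere else; this,
                       not the \??\ prefix, is what merits investigation
    'not_checked'    : a name this check does not cover
    """
    norm = normalize_nt_path(reported_path)
    name = ntpath.basename(norm)
    expected_dir = ntpath.normpath(ntpath.join(system_root, "system32")).lower()
    if name not in SYSTEM32_ONLY:
        return name, "not_checked", norm
    verdict = "ok" if ntpath.dirname(norm) == expected_dir else "wrong_location"
    return name, verdict, norm


def check_all(rows, system_root):
    """Run the check over (name, reported_path) rows as a process manager
    would list them; return the rows that are not 'ok'."""
    findings = []
    for _, path in rows:
        name, verdict, norm = check_image_path(path, system_root)
        if verdict != "ok":
            findings.append((name, verdict, norm))
    return findings


# Constructed sample: the two rows from the post, plus two made-up rows
# (one decoy copy outside system32, one name the check does not cover).
SAMPLE_ROWS = [
    ("winlogon.exe", r"\??\E:\WINDOWS\system32\winlogon.exe"),
    ("csrss.exe", r"\??\E:\WINDOWS\system32\csrss.exe"),
    ("csrss.exe", r"C:\Users\Public\csrss.exe"),           # constructed decoy
    ("svchost.exe", r"\\?\E:\WINDOWS\system32\svchost.exe"),  # constructed
]

if __name__ == "__main__":
    for finding in check_all(SAMPLE_ROWS, r"E:\WINDOWS"):
        print(*finding)
```

On the real machine the values to feed in are the image paths from Task Manager or the process manager, with %SystemRoot% as the second argument (E:\WINDOWS in the post's case, since Windows was reinstalled to the E: partition). The path comparison is case-insensitive and drive-letter-aware, so a relocated install is handled; it does not verify the file's signature or hash, which would be the next step for a row reported as `wrong_location`.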