mitchsh

Malwarebytes keeps blocking two odd IP addresses

3 posts in this topic

Hello!

About two weeks ago my command prompt kept randomly popping up and something would be typed quickly and then it would disappear. Of course this freaked me the heck out, so I installed Malwarebytes to work with the Norton Antivirus that I have already installed and ran scans with both programs. On those initial scans, Norton found nothing but Malwarebytes found one thing, and here is the log from that initial scan:

Database version: v2012.02.22.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

Sophia Mitchell :: SOPHIALAPTOP [administrator]

Protection: Enabled

2/22/2012 11:22:59

mbam-log-2012-02-22 (11-22-59).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 686522

Time elapsed: 3 hour(s), 19 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data: http://go.microsoft....Id=57426&Ext=%s -> Quarantined and deleted successfully.

Registry Data Items Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad: (http://www.helpmeope...m/?n=app&ext=%s) Good: (http://shell.windows...edir.asp?Ext=%s) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

So, I thought everything was good because it was quarantined and repaired. Right? Well in the last couple of days my laptop will randomly use a TON of memory, to the point where all of my applications run much more slowly. Malwarebytes pops up every few minutes saying it's blocking some random IP addresses (listed below) and after deciding to look into it it looks like I've got some sort of virus or trojan. So here I am, asking for help.

In the past 10 days the following IP addresses have been shown trying to do suspicious activities:

2012/02/22 13:28:00 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.165 (Type: outgoing, Port: 60462, Process: chrome.exe)

2012/02/22 13:28:02 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.166 (Type: outgoing, Port: 60463, Process: chrome.exe)

2012/02/22 13:28:03 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.167 (Type: outgoing, Port: 60464, Process: chrome.exe)

2012/02/22 13:28:03 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.163 (Type: outgoing, Port: 60465, Process: chrome.exe)

2012/02/22 13:28:03 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.164 (Type: outgoing, Port: 60466, Process: chrome.exe)

2012/02/22 13:29:32 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.165 (Type: outgoing, Port: 60608, Process: chrome.exe)

2012/02/22 13:29:32 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.166 (Type: outgoing, Port: 60609, Process: chrome.exe)

2012/02/22 13:29:33 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.167 (Type: outgoing, Port: 60610, Process: chrome.exe)

2012/02/22 13:29:33 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.163 (Type: outgoing, Port: 60611, Process: chrome.exe)

2012/02/22 13:29:33 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.164 (Type: outgoing, Port: 60612, Process: chrome.exe)

2012/02/22 15:08:21 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 95.168.173.155 (Type: outgoing, Port: 61470, Process: chrome.exe)

2012/02/22 15:08:22 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 95.168.173.155 (Type: outgoing, Port: 61471, Process: chrome.exe)

2012/02/22 15:51:06 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 109.163.230.92 (Type: outgoing, Port: 62123, Process: chrome.exe)

2012/02/28 18:14:21 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 62732, Process: firefox.exe)

2012/03/01 14:31:44 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 50058, Process: firefox.exe)

2012/03/01 14:31:44 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 50066, Process: firefox.exe)

2012/03/01 14:36:25 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 50140, Process: chrome.exe)

2012/03/01 14:36:25 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 50141, Process: chrome.exe)

2012/03/01 14:36:25 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 50142, Process: chrome.exe)

2012/03/01 14:39:14 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 91.215.158.80 (Type: outgoing, Port: 50205, Process: chrome.exe)

2012/03/01 14:39:14 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 91.215.158.80 (Type: outgoing, Port: 50207, Process: chrome.exe)

2012/03/01 14:39:14 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 91.215.158.80 (Type: outgoing, Port: 50208, Process: chrome.exe)

2012/03/01 14:39:14 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 91.215.158.80 (Type: outgoing, Port: 50209, Process: chrome.exe)

It seems that literally every time I connect to the internet things are trying to communicate without my knowledge. Which is especially concerning since I used this laptop for banking, work and school. Help!

Also I ran a full scan from HijackThis, and here is the log file:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 15:10:18, on 3/1/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v8.00 (8.00.7601.17514)

Boot mode: Normal

Running processes:

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Steam\Steam.exe

C:\Program Files (x86)\AirPort\APAgent.exe

C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Users\Sophia Mitchell\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Users\Sophia Mitchell\AppData\Roaming\HP SimpleSave Application\StartHelper.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Sophia Mitchell\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://apl.startnow....ion=6.1-x64-SP1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT/1

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe,

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\coIEPlg.dll

O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\IPS\IPSBHO.DLL

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL

O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL

O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\coIEPlg.dll

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files (x86)\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [Google Update] "C:\Users\Sophia Mitchell\AppData\Local\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [chromium] C:\Users\Sophia Mitchell\AppData\Local\Google\Chrome\Application\chrome.exe --no-startup-window

O4 - HKCU\..\Run: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe

O4 - Startup: Dropbox.lnk = Sophia Mitchell\AppData\Roaming\Dropbox\bin\Dropbox.exe

O4 - Startup: HP SimpleSave Monitor.lnk = Sophia Mitchell\AppData\Roaming\HP SimpleSave Application\StartHelper.exe

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105

O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - https://lojackforlap...mweb/testoc.cab

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: BackupService - ArcSoft, Inc. - C:\Users\Sophia Mitchell\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe

O23 - Service: Servicio Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe

O23 - Service: HPWMISVC - Unknown owner - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: LogMeIn Rescue (243f8f0c-a1b6-4089-9c46-db7a0c22137c) (LMIRescue_243f8f0c-a1b6-4089-9c46-db7a0c22137c) - Unknown owner - C:\Users\SOPHIA~1\AppData\Local\Temp\LMIR0001.tmp\LMI_Rescue_srv.exe (file missing)

O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\ccSvcHst.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe

O23 - Service: Remote Procedure Call (RPC) LD (rpcld) - Unknown owner - C:\ProgramData\Rpcnet\Bin\rpcld.exe (file missing)

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\SysWOW64\rpcnet.exe

O23 - Service: RtVOsdService Installer (RtVOsdService) - Realtek Semiconductor Corp. - C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - C:\Program Files (x86)\SafeConnect\scManager.sys servicestart (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 16892 bytes

Also please note that when I ran the scan it said some folders were hidden and couldn't be changed. Not sure if that's normal. What does it look like?

Also in the title I meant it keeps blocking two today. Obviously the log shows more than two. Thanks!!

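The protection-module lines in the post above all have the same fixed shape, which makes them easy to summarise before deciding what to look into first. The following is an added example, not code from the original post or from Malwarebytes: a small Python parser that groups the IP-BLOCK entries by destination address, counts them, and records which processes and time span each address covers. The four sample lines are copied from the post; the regular expression, the field names and the function names are this example's own reading of the format, not a Malwarebytes API.

```python
import re

# Sample input: four IP-BLOCK lines copied from the post above, in the format
# the Malwarebytes protection module wrote in 2012 (user name may contain spaces).
SAMPLE_LOG = """\
2012/02/22 13:28:00 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.165 (Type: outgoing, Port: 60462, Process: chrome.exe)
2012/02/22 13:28:02 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 94.100.30.166 (Type: outgoing, Port: 60463, Process: chrome.exe)
2012/02/28 18:14:21 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 62732, Process: firefox.exe)
2012/03/01 14:36:25 -0500 SOPHIALAPTOP Sophia Mitchell IP-BLOCK 64.20.54.67 (Type: outgoing, Port: 50140, Process: chrome.exe)
"""

# Assumed line layout (this example's reading of the lines above, not an official grammar):
# <date> <time> <utc offset> <hostname> <user name> IP-BLOCK <ip> (Type: <dir>, Port: <port>, Process: <exe>)
# The user name is matched lazily so that spaces in it do not break the match.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>.+?) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)


def parse_line(line):
    """Return a dict of fields for one IP-BLOCK line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # "YYYY/MM/DD HH:MM:SS -0500" sorts correctly as a string while the offset is constant.
    rec["timestamp"] = f'{rec["date"]} {rec["time"]} {rec["tz"]}'
    return rec


def parse_log(text):
    """Parse every non-empty line; lines that do not match are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records):
    """Group blocks by destination IP: hit count, processes involved, first and last seen."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(rec["ip"], {
            "count": 0,
            "processes": set(),
            "first_seen": rec["timestamp"],
            "last_seen": rec["timestamp"],
        })
        entry["count"] += 1
        entry["processes"].add(rec["process"])
        entry["first_seen"] = min(entry["first_seen"], rec["timestamp"])
        entry["last_seen"] = max(entry["last_seen"], rec["timestamp"])
    # Sets are fine for collecting; sorted lists are easier to print and compare.
    for entry in summary.values():
        entry["processes"] = sorted(entry["processes"])
    return summary


def multi_process_ips(summary):
    """Destinations reached from more than one process; these deserve the first look."""
    return sorted(ip for ip, entry in summary.items() if len(entry["processes"]) > 1)


if __name__ == "__main__":
    table = summarize(parse_log(SAMPLE_LOG))
    for ip, entry in sorted(table.items(), key=lambda kv: -kv[1]["count"]):
        print(f'{ip:<16} {entry["count"]:>3} blocks  {", ".join(entry["processes"])}  '
              f'{entry["first_seen"]} .. {entry["last_seen"]}')
    print("reached from several processes:", multi_process_ips(table))
```

Two things the summary makes visible that the raw list hides: the incrementing Port values (60462, 60463, 60464, ...) are the local ephemeral ports of each connection attempt, not the remote service port, so they say nothing about what was contacted; and an address that several different processes try to reach, as 64.20.54.67 does here from both firefox.exe and chrome.exe, points at something shared by those browsers (an add-on, a proxy setting, or a process outside the browsers) rather than at one browser's own behaviour, which is the reason a helper asks for a full system inventory such as the HijackThis log instead of acting on the IP list alone.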

Hello mitchsh! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don't hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

It seems that literally every time I connect to the internet things are trying to communicate without my knowledge. Which is especially concerning since I used this laptop for banking, work and school. Help!

You must immediately stop any such activity, especially banking, because your data is at risk. Your system is infected with a trojan that attempts to connect to a medium risk domain that may pose a minor security risk. It is necessary to change all your passwords. If you have access to another computer that you know is not infected, do it from there.

Step 1

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 2

Next, go to C:\Qoobox and post the content of Add or Remove Programs.txt

In your next post, please include:

  • ComboFix log
  • Add or Remove Programs list


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
