Computer Hope

Software => Computer viruses and spyware => Topic started by: TheBiggestNoob on September 13, 2012, 11:13:53 AM

Title: Wireshark indicates suspicious activity
Post by: TheBiggestNoob on September 13, 2012, 11:13:53 AM
Hello,
I noticed some suspicions Wireshark reports on one of my computers.
While I was not doing anything on that computer(and any program that uses internet was disabled),Wireshark showed some ICMP traffic to random foreign IPs.I attached an example picture.
Full list of IPs are:
99.191.34.205 - USA
78.62.189.39 - Lithuania
89.178.54.81 - Russia
67.212.24.141 - Canada

Is it possible that my computer has been hijacked? What can you tell by looking at that Wireshark report? I used 5 different antiviruses to scan my computer but they didn't detect anything.My computer's local IP is 192.168.1.124, I'm using Windows 7 64bit.

Thanks !

[year+ old attachment deleted by admin]
Title: Re: Wireshark indicates suspicious activity
Post by: Computer Hope Admin on September 13, 2012, 11:44:53 AM
Anything is possible, although not likely if you've ran multiple antivirus and malware detectors. Make sure its not residual by rebooting the computer and not opening any browser window, also where is the computer located home, school, business?
Title: Re: Wireshark indicates suspicious activity
Post by: TheBiggestNoob on September 13, 2012, 11:53:26 AM
It is a home desktop computer.I also have a laptop but it doesn't have the same issue.
Just rebooted the PC with antivirus disabled and browsers closed.I'll wait 1 hour for it to catch some traffic then I'll post the results here.
Title: Re: Wireshark indicates suspicious activity
Post by: SuperDave on September 13, 2012, 04:17:19 PM
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download AdwCleaner  (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner)by Xplode onto your Desktop.
*********************************************
(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here. (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
Title: Re: Wireshark indicates suspicious activity
Post by: TheBiggestNoob on September 13, 2012, 04:47:19 PM
I left the Wireshark running for 2 hours and it didn't pick up any suspicious activity this time.

I will use Check.bat and adwcleaner tools to scan the computer and post the results tomorrow as soon as I get access to that computer.
I've already scanned it with Malwarebytes,Emsisoft,Kaspersky,Spybot,HitmanPro and it came up clean.
Thanks.
Title: Re: Wireshark indicates suspicious activity
Post by: TheBiggestNoob on September 14, 2012, 11:45:14 AM
SecurityCheck.exe results

 Results of screen317's Security Check version 0.99.50 
 Windows 7 Service Pack 1 x86 (UAC is enabled) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````[/u]
Kaspersky Internet Security   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````[/u]
 MVPS Hosts File 
 Spybot - Search & Destroy
 SUPERAntiSpyware     
 Secunia PSI (2.0.0.3003)   
 Malwarebytes Anti-Malware version 1.65.0.1400 
 CCleaner     
 JavaFX 2.1.1   
 Java 7 Update 7 
 Adobe Flash Player    11.4.402.265 
 Adobe Reader X (10.1.4)
 Mozilla Firefox (15.0)
````````Process Check: objlist.exe by Laurent````````[/u] 
 Kaspersky Lab Kaspersky Internet Security 2012 avp.exe 
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````[/u]


AdwCleaner results

# AdwCleaner v2.001 - Logfile created 09/14/2012 at 10:38:55
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Dell - DELL-PC
# Boot Mode : Normal
# Running from : C:\Users\Dell\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\AskToolbarInfo
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Dell\AppData\Roaming\Mozilla\Firefox\Profiles\nax9o85o.default\prefs.js

[OK] File is clean.

-\\ Opera v [Unable to get version]

File : C:\Users\Dell\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1505 octets] - [14/09/2012 10:38:55]

########## EOF - C:\AdwCleaner[R1].txt - [1565 octets] ##########

Title: Re: Wireshark indicates suspicious activity
Post by: SuperDave on September 14, 2012, 04:15:25 PM
Ok. We'll run a few more scans just to make sure.

Remove the Adware:
*************************************************
Download Combofix from any of the links below, and save it to your DESKTOP

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

To prevent your anti-virus application interfering with  ComboFix we need to disable it. See here  (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications-4.html) for a tutorial regarding how to do so if you are unsure.
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png)

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

(http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png)

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to  have this pre-installed on your machine before doing any malware  removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair  mode that will allow us to more easily help you should your computer  have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

(http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif)

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://i424.photobucket.com/albums/pp322/digistar/whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.
Title: Re: Wireshark indicates suspicious activity
Post by: TheBiggestNoob on September 14, 2012, 05:41:52 PM
AdwCleaner results

# AdwCleaner v2.001 - Logfile created 09/14/2012 at 16:18:59
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : Dell - DELL-PC
# Boot Mode : Normal
# Running from : C:\Users\Dell\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\AskToolbarInfo
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-21-585658329-1536808483-3439428019-1011\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Dell\AppData\Roaming\Mozilla\Firefox\Profiles\nax9o85o.default\prefs.js

[OK] File is clean.

-\\ Opera v [Unable to get version]

File : C:\Users\Dell\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1863 octets] - [14/09/2012 16:18:59]

########## EOF - C:\AdwCleaner[S1].txt - [1923 octets] ##########

ComboFix Results

ComboFix 12-09-14.03 - Dell 09/14/2012  16:26:22.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3070.2238 [GMT -7:00]
Running from: c:\users\Dell\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-08-14 to 2012-09-14  )))))))))))))))))))))))))))))))
.
.
2012-09-14 23:31 . 2012-09-14 23:32   --------   d-----w-   c:\users\Dell\AppData\Local\temp
2012-09-14 23:31 . 2012-09-14 23:31   --------   d-----w-   c:\users\UpdatusUser\AppData\Local\temp
2012-09-14 23:31 . 2012-09-14 23:31   --------   d-----w-   c:\users\Public\AppData\Local\temp
2012-09-14 23:31 . 2012-09-14 23:31   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-09-12 22:31 . 2012-09-12 22:31   --------   d-----w-   c:\users\Dell\AppData\Roaming\Wireshark
2012-09-12 22:11 . 2012-09-12 22:11   --------   d-----w-   c:\program files\WinPcap
2012-09-12 22:10 . 2012-09-12 22:11   --------   d-----w-   c:\program files\Wireshark
2012-09-12 00:46 . 2012-08-22 17:16   1292144   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2012-09-12 00:46 . 2012-08-22 17:16   712048   ----a-w-   c:\windows\system32\drivers\ndis.sys
2012-09-12 00:46 . 2012-08-22 17:16   240496   ----a-w-   c:\windows\system32\drivers\netio.sys
2012-09-12 00:46 . 2012-08-22 17:16   187760   ----a-w-   c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 00:46 . 2012-08-02 16:57   490496   ----a-w-   c:\windows\system32\d3d10level9.dll
2012-09-12 00:46 . 2012-07-04 19:45   33280   ----a-w-   c:\windows\system32\drivers\RNDISMP.sys
2012-08-31 17:22 . 2012-08-31 17:22   --------   d-----w-   c:\program files\Common Files\Java
2012-08-31 17:21 . 2012-08-31 17:21   93672   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 17:21 . 2012-08-31 17:21   --------   d-----w-   c:\program files\Java
2012-08-25 21:35 . 2012-09-13 17:21   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-08-25 21:35 . 2012-08-25 21:35   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2012-08-25 21:12 . 2012-08-26 20:37   --------   d-----w-   c:\program files\Microsoft Silverlight
2012-08-24 18:08 . 2012-08-01 22:51   7023536   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{35EE3EC2-7845-49CC-80EA-939A1C9C4D3E}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-08 00:04 . 2012-03-24 01:23   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-08-31 17:21 . 2012-05-05 22:35   821736   ----a-w-   c:\windows\system32\npdeployJava1.dll
2012-08-31 17:21 . 2011-06-07 21:21   746984   ----a-w-   c:\windows\system32\deployJava1.dll
2012-08-24 18:36 . 2012-03-30 20:39   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-08-24 18:36 . 2011-06-07 21:06   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-09 21:46 . 2012-03-20 23:20   319456   ----a-w-   c:\windows\DIFxAPI.dll
2012-07-18 17:47 . 2012-08-14 18:29   2345984   ----a-w-   c:\windows\system32\win32k.sys
2012-07-06 19:23 . 2012-08-14 18:31   393728   ----a-w-   c:\windows\system32\drivers\bthport.sys
2012-07-04 21:14 . 2012-08-14 18:29   41984   ----a-w-   c:\windows\system32\browcli.dll
2012-07-04 21:14 . 2012-08-14 18:29   102912   ----a-w-   c:\windows\system32\browser.dll
2012-06-29 00:16 . 2012-08-14 18:30   1800704   ----a-w-   c:\windows\system32\jscript9.dll
2012-06-29 00:09 . 2012-08-14 18:30   1129472   ----a-w-   c:\windows\system32\wininet.dll
2012-06-29 00:08 . 2012-08-14 18:30   1427968   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-06-29 00:04 . 2012-08-14 18:30   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-06-29 00:00 . 2012-08-14 18:30   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-06-25 23:04 . 2012-06-25 23:04   1394248   ----a-w-   c:\windows\system32\msxml4.dll
2012-09-13 17:47 . 2012-09-13 17:47   266720   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-05 6265376]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKLM\~\startupfolder\C:^Users^Dell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^HDDlife.lnk]
backup=c:\windows\pss\HDDlife.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51   919008   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-07-27 20:51   35768   ----a-w-   c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 04:28   59240   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2012-02-13 08:06   3481408   ----a-w-   c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
2010-10-27 18:44   328992   ----a-w-   c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2011-06-06 01:41   222496   ----a-w-   c:\programdata\FLEXnet\Connect\11\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-09-08 00:04   981656   ----a-w-   c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 03:56   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-08-05 00:16   6265376   ----a-w-   c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2010-11-20 12:17   1174016   ----a-w-   c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 16:04   252848   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe
R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys
R3 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.3.24903.0.sys
R3 FPFZW;FPFZW;
R3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS
R3 YABEZE;YABEZE;
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe
S2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService   REG_MULTI_SZ      HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:36]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-28 18:29]
.
2012-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-28 18:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Dell\AppData\Roaming\Mozilla\Firefox\Profiles\nax9o85o.default\
FF - prefs.js: browser.search.selectedEngine - chrome://browser-region/locale/region.properties
FF - prefs.js: browser.startup.homepage - https:\\\\www.google.com
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MpsSvc]
"ImagePath"="."
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
.
**************************************************************************
.
Completion time: 2012-09-14  16:35:10 - machine was rebooted
ComboFix-quarantined-files.txt  2012-09-14 23:35
.
Pre-Run: 198,491,979,776 bytes free
Post-Run: 198,361,464,832 bytes free
.
- - End Of File - - 1EEB12B6B078AFE59EFC2F0BE6AC1301
Title: Re: Wireshark indicates suspicious activity
Post by: TheBiggestNoob on September 14, 2012, 05:52:16 PM
Adwcleaner deleted some AskToolbar.Was that a malware? I don't remember installing it.

And ComboFix had false positives I.M.O. it deleted WinPcap driver that is required for Wireshark.It also disinfected userinit.exe file and put the original one in Quarantine folder but when I uploaded the original file to VirusTotal,none of the antiviruses recognized it as a malware.Could this be a false positive too ?

Thanks guys.
Title: Re: Wireshark indicates suspicious activity
Post by: SuperDave on September 15, 2012, 12:54:25 PM
Here's the information about those IP's. Do they mean anything to you?

Code: [Select]
99.191.34.205
IP Address:  99.191.34.205
Host of this IP:  99-191-34-205.lightspeed.snfcca.sbcglobal.net
Organization:  AT&T U-verse
ISP:  AT&T U-verse
City:  Canyon Country
Country:  United States 
State:  California
Postal Code:  91387
Timezone:  America/Los_Angeles
Local Time:  15.09.2012 11:43:54
Code: [Select]
78.62.189.39
IP Address:  78.62.189.39
Host of this IP:  78-62-189-39.static.zebra.lt
Organization:  TEO LT
ISP:  TEO LT
City:  Kaunas
Country:  Lithuania 
State:  Kauno Apskritis
Timezone:  Europe/Vilnius
Local Time:  15.09.2012 21:45:17
Code: [Select]
89.178.54.81
IP Address:  89.178.54.81
Host of this IP:  *Blocked Russian URL*
Organization:  Beeline
ISP:  VimpelCom
City:  Moscow
Country:  Russian Federation 
State:  Moscow City
Timezone:  Europe/Moscow
Local Time:  15.09.2012 22:46:24
Code: [Select]
67.212.24.141
IP Address:  67.212.24.141
Host of this IP:  dsl-67-212-24-141.acanac.net
Organization:  Canaca-com
ISP:  Canaca-com
City:  Toronto
Country:  Canada 
State:  Ontario
Timezone:  America/Rainy_River
Local Time:  15.09.2012 13:47:24

Quote
Adwcleaner deleted some AskToolbar.Was that a malware? I don't remember installing it.
I strongly recommend that you remove Ask from your computer because it;

•Promotes its toolbars on sites targeted to kids.

•Promotes its toolbars through ads that appear to be part of other companies' sites.

•Promotes its toolbars through other companies' spyware.

•Installs without any disclosure whatsoever and without any consent whatsoever.

•Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

•Makes confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.

See Here  (http://www.benedelman.org/spyware/ask-toolbars/) for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

AskBarDis or anything related to Ask

Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis. or anything related to Ask.
******************************************************

Quote
And ComboFix had false positives I.M.O. it deleted WinPcap driver that is required for Wireshark.It also disinfected userinit.exe file and put the original one in Quarantine folder but when I uploaded the original file to VirusTotal,none of the antiviruses recognized it as a malware.Could this be a false positive too ?
CF is a very trusted program and I trust it's findings.
*****************************************************************
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
 ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Title: Re: Wireshark indicates suspicious activity
Post by: TheBiggestNoob on September 15, 2012, 05:06:16 PM
The above mentioned IP addresses are not familiar to me that's why I suspected an unauthorized intrusion.

ESET finished the scan with the following results:
Z:\V\username\Nero_7.10.1.0.rar   Win32/Toolbar.AskSBar application
Z:\V\username\Audio_Video\converter\Convert from AVI to DVD\Setup_MoviesToDVD.exe   Win32/Toolbar.Widgi application

Now I see where the problem came from :)
Title: Re: Wireshark indicates suspicious activity
Post by: SuperDave on September 15, 2012, 07:27:03 PM
Please run ESET again and remove the infections.
Title: Re: Wireshark indicates suspicious activity
Post by: TheBiggestNoob on September 15, 2012, 07:30:13 PM
Done.
Thanks a lot for your help !
Title: Re: Wireshark indicates suspicious activity
Post by: SuperDave on September 16, 2012, 01:10:56 PM
Ok. We can do some cleanup.

To uninstall ComboFix

(http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg)

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

*******************************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

(http://i424.photobucket.com/albums/pp322/digistar/diskcleanup2.jpg)

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

(http://i424.photobucket.com/albums/pp322/digistar/diskcleanup.jpg)

This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
*****************************************************
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web  (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!