
How to find out what's calling svchost.exe

Discussion in 'General Security' started by BahDigi, Feb 15, 2013.

Thread Status:
Not open for further replies.
  1. BahDigi

    BahDigi Thread Starter

    Joined:
    Feb 15, 2013
    Messages:
    6
    • I have a next-gen firewall that can detect protocols
    • A few PCs in my company are making calls to external DNS servers
    • There is no way they should be doing that, as they are configured to use our own internal servers
    • The name servers are buy.internettraffic.com and sell.internettraffic.com
      • 176.74.176.169
      • 176.74.176.170
      • 208.87.35.120.120
      • 208.87.35.120.121
    • Nothing is detected by Forefront, MalwareBytes, ComboFix or AdwCleaner
    • I ran Process Monitor on one of the PCs and found svchost.exe is calling these external name servers
    1. How do I find out what is calling svchost.exe to make these lookups?
    2. Shouldn't svchost.exe use the DNS server we gave it in the TCP/IP settings? Our internal servers?
    Thanks for any help at all, I'm stuck.
     


  2. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    Process Explorer will tell you what services are related to each svchost.exe process, depending on the PID number (1356).
     
  3. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    CurrPorts can give you even more information like ports, local address, remote address, services, module filename and full path for each svchost.exe process accessing the Internet, and more.

    Free and no installation required.
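
    Process Explorer and CurrPorts are the point-and-click route. As an added example (not from this thread, and not code from Sysinternals or NirSoft), the same two lookups can be scripted with tools that ship with Windows: Win32_Service gives the services hosted in a given svchost.exe PID, and netstat -ano gives the sockets that PID owns. It assumes an elevated PowerShell prompt on Windows 7 or later, that 1356 is the svchost PID seen in Process Monitor, and the approved-resolver addresses are constructed placeholders.

```powershell
# Added example, not from this thread or from Process Explorer/CurrPorts: answer
# "which services live in this svchost.exe, and which sockets does it own?" with
# built-in tools only. Assumed: elevated Windows PowerShell on Windows 7 or later,
# and that 1356 is the svchost PID seen in Process Monitor.
param(
    [int]$SvchostPid = 1356,
    # Constructed placeholder values; replace with your internal DNS servers.
    [string[]]$ApprovedResolvers = @('192.168.1.10', '192.168.1.11')
)

# 1. Services hosted in the PID. This is the same information Process Explorer
#    shows in its tooltip; 'tasklist /svc /fi "PID eq 1356"' gives it as well.
$hosted = Get-WmiObject -Class Win32_Service -Filter "ProcessId = $SvchostPid" |
    Select-Object Name, DisplayName, State, StartMode
"Services hosted in PID $SvchostPid"
$hosted | Format-Table -AutoSize | Out-String

# 2. Sockets owned by the PID, parsed from 'netstat -ano' (Windows 7 has no
#    Get-NetUDPEndpoint). TCP rows have 5 fields (state included), UDP rows 4.
$sockets = netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[4] -eq "$SvchostPid") {
        [pscustomobject]@{ Proto = 'TCP'; Local = $f[1]; Remote = $f[2]; State = $f[3] }
    }
    elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4 -and $f[3] -eq "$SvchostPid") {
        [pscustomobject]@{ Proto = 'UDP'; Local = $f[1]; Remote = $f[2]; State = '' }
    }
}
"Sockets owned by PID $SvchostPid"
$sockets | Format-Table -AutoSize | Out-String

# 3. Resolvers actually configured on each enabled adapter. A resolver outside the
#    approved list (for example one handed out by DHCP on a VPN or wireless adapter)
#    explains "why is the DNS Client talking to that address" without any malware.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object {
        $cfg = $_
        foreach ($dns in @($cfg.DNSServerSearchOrder)) {
            if (-not $dns) { continue }
            [pscustomobject]@{
                Adapter  = $cfg.Description
                Resolver = $dns
                Approved = ($ApprovedResolvers -contains $dns)
            }
        }
    } | Format-Table -AutoSize | Out-String
```

    A UDP DNS query opens a socket for a fraction of a second, so one netstat snapshot will usually show only the long-lived listeners (LLMNR on 5355, for instance); run the socket section in a loop or keep using Process Monitor for the per-packet view. Step 3 is the first thing to check before suspecting malware: if any adapter lists a resolver that is not one of your internal servers, the Dnscache service in that svchost is doing exactly what it was told.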
     
  4. BahDigi

    BahDigi Thread Starter

    Joined:
    Feb 15, 2013
    Messages:
    6
    Thanks! I'll try that now.

    For the record:

    In Procmon I got the svchost PID and then went to Process Explorer.

    In Process Explorer, I hovered the mouse over the specific svchost.exe with the same PID and got 5 services that are calling/using this instance of svchost.

    • Cryptographic Services
    • DNS Client (Dnscache)
    • Network Location Awareness
    • Remote Desktop Services
    • Workstation (LanmanWorkstation)
    Seems pretty normal...
     
  5. BahDigi

    BahDigi Thread Starter

    Joined:
    Feb 15, 2013
    Messages:
    6
    Well, because it's a UDP query to DNS, not as much info is available vs. a TCP connection.

    For the PID in question, CurrPorts shows (for UDP) that the LLMNR process is active and listening on 0.0.0.0 (all interfaces?); that's all it shows for UDP activity bound to the specific svchost PID.

    I guess I'll try a few more cleaner programs like rkill, TDSSKiller, aswMBR; see if that helps.

    I just wish I could find the binary making these requests... maybe enable a debug log (if possible) for svchost.exe...

    I've also looked through the list of installed programs on the laptop and there really isn't anything out of the ordinary listed.
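
    Since the UDP socket is gone before CurrPorts or netstat can show it, the Procmon capture already taken is the better evidence. As an added example (not from this thread or from Process Monitor itself), the script below summarises a Procmon CSV export (File > Save, CSV format) to list which process and PID sent DNS traffic to resolvers that are not on the approved list, and counts them per PID so each PID can be fed to tasklist /svc or Process Explorer. It assumes the export has the default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and that network events carry a Path of the form local:port -> remote:port, with the remote port shown as 53 or as domain depending on the "Show Resolved Network Addresses" setting; the CSV path and the sample rows are constructed, not taken from the thread.

```powershell
# Added example, not from this thread or from Process Monitor: summarise a Procmon
# CSV export to show which process/PID sent DNS traffic to non-approved resolvers.
# Assumed: default Procmon CSV columns, and network event Paths formatted as
# "local:port -> remote:port". If the export is not found, the constructed sample
# rows below are used so the script runs stand-alone.
param(
    [string]$CsvPath = 'C:\temp\Logfile.CSV',                          # assumed path
    [string[]]$ApprovedResolvers = @('192.168.1.10', '192.168.1.11')   # constructed
)

# Constructed sample rows in Procmon's CSV layout (not real capture data).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:08:07.1","svchost.exe","1356","UDP Send","LAPTOP01:52011 -> 192.168.1.10:53","SUCCESS","Length: 45"
"12:08:07.2","svchost.exe","1356","UDP Send","LAPTOP01:52012 -> 176.74.176.169:53","SUCCESS","Length: 45"
"12:08:07.3","svchost.exe","1356","UDP Receive","LAPTOP01:52012 -> 176.74.176.169:53","SUCCESS","Length: 112"
"12:08:09.0","chrome.exe","2210","TCP Connect","LAPTOP01:52013 -> 208.87.35.120:80","SUCCESS","Length: 0"
"12:08:10.4","svchost.exe","1356","UDP Send","LAPTOP01:52014 -> 176.74.176.170:domain","SUCCESS","Length: 45"
'@

$rows = if (Test-Path $CsvPath) { Import-Csv $CsvPath } else { $sampleCsv | ConvertFrom-Csv }

# Keep outbound events only, then keep those whose remote port is DNS and whose
# remote address is not an approved resolver.
$dnsToUnapproved = $rows |
    Where-Object { $_.Operation -eq 'UDP Send' -or $_.Operation -eq 'TCP Connect' } |
    ForEach-Object {
        # Path is "local:port -> remote:port"; take the remote half, split off the port.
        $remote = ($_.Path -split '\s*->\s*')[-1]
        $idx    = $remote.LastIndexOf(':')
        if ($idx -lt 0) { return }            # 'return' skips to the next row here
        $ip   = $remote.Substring(0, $idx)
        $port = $remote.Substring($idx + 1)
        if (($port -eq '53' -or $port -eq 'domain') -and ($ApprovedResolvers -notcontains $ip)) {
            [pscustomobject]@{
                Time     = $_.'Time of Day'
                Process  = $_.'Process Name'
                PID      = $_.PID
                Resolver = $ip
            }
        }
    }

"DNS traffic to resolvers outside the approved list:"
$dnsToUnapproved | Format-Table -AutoSize | Out-String

"Per process/PID counts (feed each PID to 'tasklist /svc' to see the hosted services):"
$dnsToUnapproved | Group-Object Process, PID |
    Select-Object @{ n = 'Process/PID'; e = { $_.Name } }, Count |
    Format-Table -AutoSize | Out-String
```

    With the sample rows this reports two svchost.exe/1356 sends (to 176.74.176.169 and 176.74.176.170) and ignores the query to the approved resolver and the HTTP connection. The same filter applied to the firewall's own DNS logs, keyed on source address instead of PID, is the network-side check that matches the thread's starting observation.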
     
  6. BahDigi

    BahDigi Thread Starter

    Joined:
    Feb 15, 2013
    Messages:
    6
    Well, SUPERAntiSpyware and Spybot found nothing... not sure how to find out what is wrong. I guess I'll just reformat each PC that exhibits this behaviour.

    Actually, this weekend I will email the owners of

    www.internettraffic.com
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    First, post the ComboFix log that you ran so we can see what it discovered.
    internettraffic.com can be legitimate from within your network.
    They also do domain name parking with adverts on it, so when somebody within your network attempts to connect to a website hosted by or parked on internettraffic.com, then although the primary lookup is set to use your DNS server, that server will tell the browser that the site is using, for example, 176.74.176.169 as name server, so your computer will connect to that IP to connect to the site.

    It can be malware related if the few computers in question have been infected, but we can soon see when examining the logs that you have already done.
     
  8. BahDigi

    BahDigi Thread Starter

    Joined:
    Feb 15, 2013
    Messages:
    6
    Thanks very much. Here is the log.
    I'm 99.99% certain our DNS server (Microsoft) uses recursion, so there is no way the client PC should be reaching out directly to other name servers other than the ones we have given it in its network TCP/IP config.

    ++++++++++++++++++++++++++++++++++++++++++++++

    ComboFix 13-02-15.01 - Administrator 02/15/2013 12:08:07.1.4 - x86
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2996.1574 [GMT -8:00]
    Running from: D:\ComboFix.exe
    AV: Microsoft Forefront Client Security *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
    SP: Microsoft Forefront Client Security *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\cxxxn.crxxxxxxxal\AppData\Local\Microsoft\Windows\Temporary Internet Files\{61439590-247E-417A-88C3-51E3DDFE14B9}.xps
    c:\users\cxxxn.crxxxxxxxal\AppData\Local\Microsoft\Windows\Temporary Internet Files\{784B8982-68F7-455F-8F1A-5A9654E7701B}.xps
    c:\users\cxxxn.crxxxxxxxal\AppData\Local\Microsoft\Windows\Temporary Internet Files\{BF7EBEDA-9187-4C1F-A359-0FE0C268D3BA}.xps
    c:\users\cxxxn.crxxxxxxxal\AppData\Local\Microsoft\Windows\Temporary Internet Files\{CDAC82AD-9086-4E47-BB4E-C2E65171692F}.xps
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-01-15 to 2013-02-15 )))))))))))))))))))))))))))))))
    .
    .
    2013-02-15 20:16 . 2013-02-15 20:18 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2013-02-15 20:16 . 2013-02-15 20:16 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2013-02-15 20:16 . 2013-02-15 20:16 -------- d-----w- c:\users\rcxxxxxxin\AppData\Local\temp
    2013-02-15 20:16 . 2013-02-15 20:16 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-02-15 20:16 . 2013-02-15 20:16 -------- d-----w- c:\users\cmxxxxxxin\AppData\Local\temp
    2013-02-15 20:16 . 2013-02-15 20:16 -------- d-----w- c:\users\cxxxn.crxxxxxxxal\AppData\Local\temp
    2013-02-15 19:47 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{C3615CF8-D3B2-4389-9A0F-6F08AA9D9ED6}\mpengine.dll
    2013-02-15 19:42 . 2013-02-15 19:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
    2013-02-15 18:52 . 2013-02-15 18:52 -------- d-----w- c:\users\Administrator\AppData\Local\Macromedia
    2013-02-15 18:47 . 2013-02-15 18:47 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla
    2013-02-14 21:36 . 2013-02-14 21:36 -------- d-----w- c:\users\Administrator\AppData\Roaming\Apple Computer
    2013-02-14 21:35 . 2013-02-14 21:35 -------- d-----w- c:\users\Administrator\AppData\Roaming\SoftGrid Client
    2013-01-23 20:45 . 2013-01-23 20:47 -------- d-----w- c:\users\krobinsonadmin
    2013-01-21 18:59 . 2013-01-21 19:01 -------- d-----w- c:\users\jrxxxxxxmin
    2013-01-18 20:16 . 2013-01-18 20:16 -------- d-----w- c:\windows\Sun
    2013-01-17 20:59 . 2013-01-17 20:59 -------- d-----w- c:\users\cxxxn.crxxxxxxxal\AppData\Roaming\Malwarebytes
    2013-01-17 20:59 . 2013-01-17 20:59 -------- d-----w- c:\programdata\Malwarebytes
    2013-01-17 20:59 . 2013-01-17 20:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-01-17 20:59 . 2012-12-15 00:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-01-17 20:59 . 2013-01-17 20:59 -------- d-----w- c:\users\cxxxn.crxxxxxxxal\AppData\Local\Programs
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-15 19:53 . 2012-04-10 18:43 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-02-15 19:53 . 2011-07-13 22:41 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-01-30 10:53 . 2011-07-13 23:19 232336 ------w- c:\windows\system32\MpSigStub.exe
    2013-01-08 04:57 . 2011-07-13 23:19 6991832 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
    2012-12-07 12:26 . 2013-01-16 17:40 308736 ----a-w- c:\windows\system32\Wpc.dll
    2012-12-07 12:20 . 2013-01-16 17:40 2576384 ----a-w- c:\windows\system32\gameux.dll
    2012-12-07 10:46 . 2013-01-16 17:40 43520 ----a-w- c:\windows\system32\csrr.rs
    2012-12-07 10:46 . 2013-01-16 17:40 30720 ----a-w- c:\windows\system32\usk.rs
    2012-12-07 10:46 . 2013-01-16 17:40 45568 ----a-w- c:\windows\system32\oflc-nz.rs
    2012-12-07 10:46 . 2013-01-16 17:40 44544 ----a-w- c:\windows\system32\pegibbfc.rs
    2012-12-07 10:46 . 2013-01-16 17:40 23552 ----a-w- c:\windows\system32\oflc.rs
    2012-12-07 10:46 . 2013-01-16 17:40 20480 ----a-w- c:\windows\system32\pegi-pt.rs
    2012-12-07 10:46 . 2013-01-16 17:40 20480 ----a-w- c:\windows\system32\pegi-fi.rs
    2012-12-07 10:46 . 2013-01-16 17:40 46592 ----a-w- c:\windows\system32\fpb.rs
    2012-12-07 10:46 . 2013-01-16 17:40 20480 ----a-w- c:\windows\system32\pegi.rs
    2012-12-07 10:46 . 2013-01-16 17:40 21504 ----a-w- c:\windows\system32\grb.rs
    2012-12-07 10:46 . 2013-01-16 17:40 15360 ----a-w- c:\windows\system32\djctq.rs
    2012-12-07 10:46 . 2013-01-16 17:40 40960 ----a-w- c:\windows\system32\cob-au.rs
    2012-12-07 10:46 . 2013-01-16 17:40 55296 ----a-w- c:\windows\system32\cero.rs
    2012-12-07 10:46 . 2013-01-16 17:40 51712 ----a-w- c:\windows\system32\esrb.rs
    2012-11-30 04:53 . 2013-01-16 17:41 169984 ----a-w- c:\windows\system32\winsrv.dll
    2012-11-30 04:47 . 2013-01-16 17:41 293376 ----a-w- c:\windows\system32\KernelBase.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
    2012-11-30 04:45 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
    2012-11-30 02:55 . 2013-01-16 17:41 271360 ----a-w- c:\windows\system32\conhost.exe
    2012-11-30 02:38 . 2013-01-16 17:41 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2012-11-30 02:38 . 2013-01-16 17:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2012-11-30 02:38 . 2013-01-16 17:41 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2012-11-30 02:38 . 2013-01-16 17:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2012-11-23 02:56 . 2013-01-16 17:45 2345984 ----a-w- c:\windows\system32\win32k.sys
    2012-11-23 02:48 . 2013-01-16 17:39 49152 ----a-w- c:\windows\system32\taskhost.exe
    2012-11-22 04:45 . 2013-01-16 17:45 626688 ----a-w- c:\windows\system32\usp10.dll
    2012-11-20 16:50 . 2012-11-20 16:50 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
    2012-11-20 16:50 . 2012-11-20 16:50 185344 ----a-w- c:\windows\system32\elshyph.dll
    2012-11-20 16:50 . 2012-11-20 16:50 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2012-11-20 16:50 . 2012-11-20 16:50 525312 ----a-w- c:\windows\system32\vbscript.dll
    2012-11-20 16:50 . 2012-11-20 16:50 38400 ----a-w- c:\windows\system32\imgutil.dll
    2012-11-20 16:50 . 2012-11-20 16:50 2706432 ----a-w- c:\windows\system32\mshtml.tlb
    2012-11-20 16:50 . 2012-11-20 16:50 1772032 ----a-w- c:\windows\system32\wininet.dll
    2012-11-20 16:50 . 2012-11-20 16:50 158720 ----a-w- c:\windows\system32\msls31.dll
    2012-11-20 16:50 . 2012-11-20 16:50 150528 ----a-w- c:\windows\system32\iexpress.exe
    2012-11-20 16:50 . 2012-11-20 16:50 137216 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-11-20 16:50 . 2012-11-20 16:50 135680 ----a-w- c:\windows\system32\wextract.exe
    2012-11-20 16:50 . 2012-11-20 16:50 12800 ----a-w- c:\windows\system32\mshta.exe
    2012-11-20 16:50 . 2012-11-20 16:50 111104 ----a-w- c:\windows\system32\IEAdvpack.dll
    2012-11-20 16:50 . 2012-11-20 16:50 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2012-11-20 16:50 . 2012-11-20 16:50 718336 ----a-w- c:\windows\system32\mshtmlmedia.dll
    2012-11-20 16:50 . 2012-11-20 16:50 61952 ----a-w- c:\windows\system32\tdc.ocx
    2012-11-20 16:50 . 2012-11-20 16:50 61440 ----a-w- c:\windows\system32\iesetup.dll
    2012-11-20 16:50 . 2012-11-20 16:50 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2012-11-20 16:50 . 2012-11-20 16:50 361984 ----a-w- c:\windows\system32\html.iec
    2012-11-20 16:50 . 2012-11-20 16:50 2882048 ----a-w- c:\windows\system32\jscript9.dll
    2012-11-20 16:50 . 2012-11-20 16:50 23040 ----a-w- c:\windows\system32\licmgr10.dll
    2012-11-20 16:50 . 2012-11-20 16:50 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-11-20 16:50 . 2012-11-20 16:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2012-11-20 16:49 . 2012-11-20 16:49 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2012-11-20 16:49 . 2012-11-20 16:49 906240 ----a-w- c:\windows\system32\FntCache.dll
    2012-11-20 16:49 . 2012-11-20 16:49 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
    2012-11-20 16:49 . 2012-11-20 16:49 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
    2012-11-20 16:49 . 2012-11-20 16:49 417792 ----a-w- c:\windows\system32\WMPhoto.dll
    2012-11-20 16:49 . 2012-11-20 16:49 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
    2012-11-20 16:49 . 2012-11-20 16:49 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2012-11-20 16:49 . 2012-11-20 16:49 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
    2012-11-20 16:49 . 2012-11-20 16:49 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
    2012-11-20 16:49 . 2012-11-20 16:49 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
    2012-11-20 16:49 . 2012-11-20 16:49 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
    2012-11-20 16:49 . 2012-11-20 16:49 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
    2012-11-20 16:49 . 2012-11-20 16:49 1504768 ----a-w- c:\windows\system32\d3d11.dll
    2012-11-20 16:49 . 2012-11-20 16:49 1247744 ----a-w- c:\windows\system32\DWrite.dll
    2012-11-20 16:49 . 2012-11-20 16:49 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
    2012-11-20 16:49 . 2012-11-20 16:49 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    2012-11-20 16:49 . 2012-11-20 16:49 220160 ----a-w- c:\windows\system32\d3d10core.dll
    2012-11-20 16:49 . 2012-11-20 16:49 604160 ----a-w- c:\windows\system32\d3d10level9.dll
    2012-11-20 16:49 . 2012-11-20 16:49 3419136 ----a-w- c:\windows\system32\d2d1.dll
    2012-11-20 16:49 . 2012-11-20 16:49 293376 ----a-w- c:\windows\system32\dxgi.dll
    2012-11-20 16:49 . 2012-11-20 16:49 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-11-20 16:49 . 2012-11-20 16:49 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2012-11-20 16:49 . 2012-11-20 16:49 1885696 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-11-20 06:17 . 2012-11-26 23:59 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoftGridTray"="c:\program files\Microsoft Application Virtualization Client\SFTTray.exe" [2012-09-04 854760]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-13 304568]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-23 1725736]
    "Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-07-20 1033600]
    "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2012-07-30 5164632]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "GlobalProtect"="c:\program files\Palo Alto Networks\GlobalProtect\PanGPA.exe" [2012-01-13 689480]
    "IntelliType Pro"="c:\program files\Microsoft Mouse and Keyboard Center\itype.exe" [2012-10-12 1093272]
    "IntelliPoint"="c:\program files\Microsoft Mouse and Keyboard Center\ipoint.exe" [2012-10-12 1668248]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
    .
    c:\users\cxxxn.crxxxxxxxal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2011-6-13 804128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
    @="Service"
    .
    R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [x]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
    R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [x]
    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
    S2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [x]
    S2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [x]
    S2 PanGPS;PanGPS;c:\program files\Palo Alto Networks\GlobalProtect\PanGPS.exe [x]
    S2 PanGPUpdater;PanGPUpdater;c:\program files\Palo Alto Networks\GlobalProtect\PanGPUpdater.exe [x]
    S2 PanInstaller;PanInstaller;c:\program files\Palo Alto Networks\Pan Connect\PanInstaller.exe [x]
    S2 PanService;PanService;c:\program files\Palo Alto Networks\Pan Connect\PanService.exe [x]
    S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
    S3 PanGpd;PanGP Virtual Miniport;c:\windows\system32\DRIVERS\pangpd.sys [x]
    S3 PanSvd;Pan Virtual Miniport;c:\windows\system32\DRIVERS\pansvd.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfswin7.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaywin7.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirwin7.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvolwin7.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - PROCMON23
    *Deregistered* - MBAMSwissArmy
    *Deregistered* - PROCEXP152
    *Deregistered* - PROCMON23
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
    FontCache
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-02-15 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 19:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wuffryqv.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-4167937607-2570531820-773661332-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,1c,5c,87,b6,ca,22,4f,ae,17,8a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,1c,5c,87,b6,ca,22,4f,ae,17,8a,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-02-15 12:21:30
    ComboFix-quarantined-files.txt 2013-02-15 20:21
    .
    Pre-Run: 290,806,779,904 bytes free
    Post-Run: 290,887,892,992 bytes free
    .
    - - End Of File - - DE6717A1D1D1FE22270324FD1C2DB205

    ++++++++++++++++++++++++++++++++++++++++++++++
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Nothing showing there.
     
  10. BahDigi

    BahDigi Thread Starter

    Joined:
    Feb 15, 2013
    Messages:
    6
    OK, thanks, I appreciate your input.
    I guess I'll lower the risk level on this behaviour for now, although I still don't like clients calling out to foreign DNS servers.

    Cheers!
     
Short URL to this thread: https://techguy.org/1089653