UDP Flood from my PC WAN Outbound

sregan

New Member
Log from my router:

09/13/2010 18:50:58 **UDP Flood Stop** (from WAN Outbound)
09/13/2010 18:50:57 **UDP flood** 192.168.2.100, 53651->> 208.67.220.220, 53 (from WAN Outbound)
09/13/2010 18:50:56 **UDP flood** 192.168.2.100, 55243->> 208.67.220.220, 53 (from WAN Outbound)
09/13/2010 18:50:52 **UDP flood** 192.168.2.100, 54201->> 208.67.222.222, 53 (from WAN Outbound)
09/13/2010 18:50:51 **UDP flood** 192.168.2.100, 57393->> 208.67.222.222, 53 (from WAN Outbound)
09/13/2010 18:50:47 **UDP flood** 192.168.1.1, 32768->> 208.67.220.220, 53 (from WAN Outbound)
09/13/2010 18:50:47 **UDP flood** 192.168.1.1, 32768->> 208.67.222.222, 53 (from WAN Outbound)
09/13/2010 18:50:46 **UDP flood** 192.168.1.1, 32768->> 208.67.220.220, 53 (from WAN Outbound)
09/13/2010 18:50:46 **UDP flood** 192.168.1.1, 32768->> 208.67.222.222, 53 (from WAN Outbound)
09/13/2010 18:50:42 **UDP flood** 192.168.2.100, 53651->> 208.67.220.220, 53 (from WAN Outbound)
09/13/2010 18:50:41 **UDP flood** 192.168.2.100, 55243->> 208.67.220.220, 53 (from WAN Outbound)
09/13/2010 18:50:37 **UDP flood** 192.168.2.100, 54201->> 208.67.222.222, 53 (from WAN Outbound)
09/13/2010 18:50:36 **UDP flood** 192.168.2.100, 57393->> 208.67.222.222, 53 (from WAN Outbound)
09/13/2010 18:50:27 **UDP flood** 192.168.2.100, 61424->> 208.67.222.222, 53 (from WAN Outbound)
09/13/2010 18:50:22 **UDP flood** 192.168.2.104, 137->> 67.215.65.132, 137 (from WAN Outbound)
09/13/2010 18:50:21 **UDP flood** 192.168.2.104, 137->> 67.215.65.132, 137 (from WAN Outbound)
09/13/2010 18:50:19 **UDP flood** 192.168.2.104, 137->> 67.215.65.132, 137 (from WAN Outbound)
09/13/2010 18:50:05 **UDP flood** 192.168.2.104, 60149->> 190.159.38.200, 53161 (from WAN Outbound)
09/13/2010 18:50:05 **UDP flood** 192.168.2.104, 60149->> 58.51.11.238, 16001 (from WAN Outbound)
09/13/2010 18:50:05 **UDP flood** 192.168.2.104, 60149->> 187.10.115.32, 27370 (from WAN Outbound)
09/13/2010 18:50:04 **UDP flood** 192.168.2.104, 60149->> 99.106.241.244, 60362 (from WAN Outbound)
09/13/2010 18:50:03 **UDP flood** 192.168.2.104, 60149->> 92.37.31.121, 15178 (from WAN Outbound)
09/13/2010 18:50:03 **UDP flood** 192.168.2.104, 60149->> 95.133.247.203, 6881 (from WAN Outbound)
09/13/2010 18:50:03 **UDP flood** 192.168.2.104, 60149->> 81.224.57.214, 12085 (from WAN Outbound)
09/13/2010 18:50:03 **UDP flood** 192.168.2.104, 60149->> 68.49.141.232, 53561 (from WAN Outbound)
09/13/2010 18:50:03 **UDP flood** 192.168.2.104, 60149->> 60.221.158.76, 28203 (from WAN Outbound)
09/13/2010 18:50:02 **UDP flood** 192.168.2.104, 60149->> 187.110.76.26, 62701 (from WAN Outbound)
09/13/2010 18:50:01 **UDP flood** 192.168.2.104, 60149->> 219.73.2.118, 9476 (from WAN Outbound)
09/13/2010 18:50:01 **UDP flood** 192.168.2.104, 60149->> 122.118.68.205, 13034 (from WAN Outbound)
09/13/2010 18:50:01 **UDP flood** 192.168.2.104, 60149->> 60.198.44.180, 13367 (from WAN Outbound)
09/13/2010 18:50:01 **UDP flood** 192.168.2.104, 60149->> 174.35.130.58, 11514 (from WAN Outbound)
09/13/2010 18:50:01 **UDP flood** 192.168.2.104, 60149->> 190.225.71.91, 13314 (from WAN Outbound)
09/13/2010 18:50:01 **UDP flood** 192.168.2.104, 60149->> 195.39.133.17, 23454 (from WAN Outbound)
09/13/2010 18:50:01 **UDP flood** 192.168.2.104, 60149->> 81.203.216.181, 11921 (from WAN Outbound)
09/13/2010 18:50:00 **UDP flood** 192.168.2.104, 60149->> 89.148.204.95, 19628 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 113.68.49.236, 14686 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 76.181.44.118, 6112 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 173.80.188.43, 10264 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 210.132.195.153, 19536 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 70.66.4.157, 60893 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 89.135.29.139, 38951 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 78.90.169.235, 20091 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 95.111.9.11, 42347 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 68.43.83.4, 42290 (from WAN Outbound)
09/13/2010 18:49:59 **UDP flood** 192.168.2.104, 60149->> 85.69.187.29, 45946 (from WAN Outbound)
09/13/2010 18:49:58 **UDP flood** 192.168.2.104, 60149->> 24.36.15.56, 55757 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 125.196.38.66, 25729 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 78.31.181.72, 6889 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 122.164.52.185, 44156 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 24.121.79.2, 19649 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 83.222.175.62, 15472 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 220.134.10.101, 25432 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 79.86.84.169, 41251 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 83.53.85.210, 11081 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 82.224.43.78, 64913 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 62.169.253.192, 23276 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 192.188.242.163, 53819 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 99.198.107.58, 53463 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 218.171.240.209, 21283 (from WAN Outbound)
09/13/2010 18:49:57 **UDP flood** 192.168.2.104, 60149->> 70.191.243.58, 31567 (from WAN Outbound)
09/13/2010 18:49:56 **UDP flood** 192.168.2.104, 60149->> 79.175.75.54, 48500 (from WAN Outbound)
09/13/2010 18:49:56 **UDP flood** 192.168.2.104, 60149->> 81.25.35.39, 45891 (from WAN Outbound)
09/13/2010 18:49:55 **UDP flood** 192.168.2.104, 60149->> 124.193.204.250, 47046 (from WAN Outbound)
09/13/2010 18:49:55 **UDP flood** 192.168.2.104, 60149->> 123.204.207.164, 14406 (from WAN Outbound)
09/13/2010 18:49:55 **UDP flood** 192.168.2.104, 60149->> 173.51.255.141, 57560 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 213.114.103.232, 28002 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 24.200.83.142, 47837 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 219.78.186.76, 25821 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min)** 192.168.2.104, 60149->> 94.66.233.30, 13276 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min) Stop** (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 94.66.233.30, 13276 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min)** 192.168.2.104, 60149->> 79.181.40.49, 20386 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 79.181.40.49, 20386 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min)** 192.168.2.104, 60149->> 88.233.150.39, 48124 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 88.233.150.39, 48124 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min)** 192.168.2.104, 60149->> 178.94.187.24, 24137 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 178.94.187.24, 24137 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min)** 192.168.2.104, 60149->> 91.148.116.66, 48540 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 91.148.116.66, 48540 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min)** 192.168.2.104, 60149->> 67.174.117.66, 55405 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 67.174.117.66, 55405 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min)** 192.168.2.104, 60149->> 82.42.213.118, 45915 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 82.42.213.118, 45915 (from WAN Outbound)
09/13/2010 18:49:52 **UDP Flood (per Min)** 192.168.2.104, 60149->> 78.88.64.154, 52750 (from WAN Outbound)
09/13/2010 18:49:52 **UDP flood** 192.168.2.104, 60149->> 78.88.64.154, 52750 (from WAN Outbound)
09/13/2010 18:49:52 **UDP Flood (per Min)** 192.168.2.104, 60149->> 96.244.67.24, 40733 (from WAN Outbound)
09/13/2010 18:49:52 **UDP flood** 192.168.2.104, 60149->> 96.244.67.24, 40733 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 61.231.232.127, 40904 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 61.231.232.127, 40904 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 123.204.207.164, 14406 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 123.204.207.164, 14406 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 190.203.251.202, 56102 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 190.203.251.202, 56102 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 86.218.206.206, 7291 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 86.218.206.206, 7291 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 90.190.41.34, 45751 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 90.190.41.34, 45751 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 162.39.197.129, 14952 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 162.39.197.129, 14952 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 115.87.81.139, 10024 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 115.87.81.139, 10024 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 65.184.95.152, 10122 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 65.184.95.152, 10122 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 188.186.193.85, 36667 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 188.186.193.85, 36667 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 220.136.104.209, 17085 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 220.136.104.209, 17085 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 187.13.162.16, 60408 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 187.13.162.16, 60408 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 87.58.131.3, 16518 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 87.58.131.3, 16518 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 62.201.107.23, 32874 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 62.201.107.23, 32874 (from WAN Outbound)
09/13/2010 18:49:51 **UDP Flood (per Min)** 192.168.2.104, 60149->> 77.50.50.204, 60495 (from WAN Outbound)
09/13/2010 18:49:51 **UDP flood** 192.168.2.104, 60149->> 77.50.50.204, 60495 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 219.78.186.76, 25821 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 219.78.186.76, 25821 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 83.166.32.85, 63888 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 83.166.32.85, 63888 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 98.178.164.18, 45361 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 98.178.164.18, 45361 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 61.224.204.127, 19999 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 61.224.204.127, 19999 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 182.52.151.102, 27161 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 182.52.151.102, 27161 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 118.100.172.43, 10334 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 118.100.172.43, 10334 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 99.247.10.64, 45682 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 99.247.10.64, 45682 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 92.135.195.220, 40518 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 92.135.195.220, 40518 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 123.243.76.192, 33363 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 123.243.76.192, 33363 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 121.114.163.107, 24119 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 121.114.163.107, 24119 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 82.155.82.151, 33831 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 82.155.82.151, 33831 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 180.14.111.177, 12209 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 180.14.111.177, 12209 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 82.46.107.1, 47134 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 82.46.107.1, 47134 (from WAN Outbound)
09/13/2010 18:49:49 **UDP Flood (per Min)** 192.168.2.104, 60149->> 125.172.230.87, 11367 (from WAN Outbound)
09/13/2010 18:49:49 **UDP flood** 192.168.2.104, 60149->> 125.172.230.87, 11367 (from WAN Outbound)
09/13/2010 18:49:48 **UDP Flood (per Min)** 192.168.2.104, 60149->> 75.109.32.113, 6881 (from WAN Outbound)
09/13/2010 18:49:48 **UDP flood** 192.168.2.104, 60149->> 75.109.32.113, 6881 (from WAN Outbound)
09/13/2010 18:49:48 **UDP Flood (per Min)** 192.168.2.104, 60149->> 24.176.45.107, 32755 (from WAN Outbound)
09/13/2010 18:49:48 **UDP flood** 192.168.2.104, 60149->> 24.176.45.107, 32755 (from WAN Outbound)
09/13/2010 18:49:47 **UDP Flood (per Min)** 192.168.2.104, 60149->> 92.118.246.69, 29639 (from WAN Outbound)
09/13/2010 18:49:47 **UDP flood** 192.168.2.104, 60149->> 92.118.246.69, 29639 (from WAN Outbound)
09/13/2010 18:49:47 **UDP Flood (per Min)** 192.168.2.104, 60149->> 65.32.205.42, 10241 (from WAN Outbound)
09/13/2010 18:49:47 **UDP flood** 192.168.2.104, 60149->> 65.32.205.42, 10241 (from WAN Outbound)
09/13/2010 18:49:47 **UDP Flood (per Min)** 192.168.2.104, 60149->> 91.77.17.181, 17537 (from WAN Outbound)
09/13/2010 18:49:47 **UDP flood** 192.168.2.104, 60149->> 91.77.17.181, 17537 (from WAN Outbound)
09/13/2010 18:49:47 **UDP Flood (per Min)** 192.168.2.104, 60149->> 142.162.36.211, 31595 (from WAN Outbound)
09/13/2010 18:49:47 **UDP flood** 192.168.2.104, 60149->> 142.162.36.211, 31595 (from WAN Outbound)
09/13/2010 18:49:47 **UDP Flood (per Min)** 192.168.2.104, 60149->> 24.57.22.252, 16518 (from WAN Outbound)
09/13/2010 18:49:47 **UDP flood** 192.168.2.104, 60149->> 24.57.22.252, 16518 (from WAN Outbound)
09/13/2010 18:49:47 **UDP Flood (per Min)** 192.168.2.104, 60149->> 93.156.128.166, 18788 (from WAN Outbound)
09/13/2010 18:49:47 **UDP flood** 192.168.2.104, 60149->> 93.156.128.166, 18788 (from WAN Outbound)
09/13/2010 18:49:47 **UDP Flood (per Min)** 192.168.2.104, 60149->> 219.78.10.57, 6889 (from WAN Outbound)
 
After searching this forum I ran Anti-Malware, HijackThis and ComboFix...

ComboFix Log:

ComboFix 10-09-13.01 - Shawn 09/13/2010 20:50:15.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.513 [GMT -5:00]
Running from: c:\documents and settings\Shawn\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shawn\Application Data\inst.exe
C:\Thumbs.db
c:\windows\Imgtask.exe
c:\windows\system\Thelc___.fon
c:\windows\tbu1\CoUPonsbar.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-08-14 to 2010-09-14 )))))))))))))))))))))))))))))))
.

2010-09-14 01:04 . 2010-09-14 01:04 -------- d-----w- c:\documents and settings\Shawn\Application Data\Malwarebytes
2010-09-14 01:04 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 01:04 . 2010-09-14 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-14 01:04 . 2010-09-14 01:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 01:04 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-29 14:18 . 2010-08-29 14:18 -------- d-sh--w- c:\documents and settings\Carmen\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-14 01:30 . 2009-12-20 15:18 -------- d-----w- c:\documents and settings\Elle\Application Data\DNA
2010-09-14 01:30 . 2009-12-20 02:21 -------- d-----w- c:\documents and settings\Adrian\Application Data\DNA
2010-09-13 20:37 . 2009-12-20 02:21 -------- d-----w- c:\program files\DNA
2010-09-13 02:11 . 2009-12-21 15:58 -------- d-----w- c:\documents and settings\Lily\Application Data\DNA
2010-09-12 17:37 . 2010-02-18 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2010-09-07 15:12 . 2010-07-26 14:38 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2008-11-09 01:04 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2008-11-09 01:05 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2008-11-09 01:05 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2008-11-09 01:05 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2008-11-09 01:05 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2008-11-09 01:04 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2008-11-09 01:05 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2008-11-09 01:05 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-05 04:22 . 2009-12-24 02:33 -------- d-----w- c:\documents and settings\Carmen\Application Data\DNA
2010-08-29 14:34 . 2010-06-27 22:29 -------- d-----w- c:\documents and settings\Carmen\Application Data\ATTTOOLBAR
2010-07-29 16:40 . 2010-02-22 00:36 -------- d-----w- c:\documents and settings\Adrian\Application Data\ATTTOOLBAR
2010-07-26 18:42 . 2010-03-09 13:58 -------- d-----w- c:\documents and settings\Elle\Application Data\ATTTOOLBAR
2010-07-24 23:13 . 2010-07-24 23:13 -------- d-----w- c:\documents and settings\Shawn\Application Data\GRETECH
2010-07-24 22:53 . 2005-01-28 09:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-24 22:52 . 2010-07-24 22:52 -------- d-----w- c:\program files\Mediostream
2010-07-24 22:51 . 2010-07-24 22:50 -------- d-----w- c:\program files\movieshop
2010-07-24 22:51 . 2010-07-24 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\broderbund
2010-06-30 12:31 . 2004-08-26 16:12 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-26 16:12 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-26 16:12 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-26 16:12 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-26 16:11 80384 ----a-w- c:\windows\system32\iccvid.dll
2005-10-18 21:14 . 2005-10-18 21:14 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-16 77824]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/8/2008 8:05 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/8/2008 8:05 PM 17744]
R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [4/19/2009 8:53 PM 91830]
S2 mrtRate;mrtRate; [x]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/29/2008 1:14 PM 22528]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/29/2008 1:14 PM 22528]
S3 DCamUSB20;AVerDVD EZMaker USB 2.0 Video Capture;c:\windows\system32\drivers\CsMini20.sys [3/18/2003 3:55 PM 46248]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/5/2007 1:30 AM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-540281588-830768957-3459225370-1015Core.job
- c:\documents and settings\Elle\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-20 20:05]

2010-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-540281588-830768957-3459225370-1015UA.job
- c:\documents and settings\Elle\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-20 20:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
IE: Save with Download Manager... - c:\program files\J River\Media Jukebox\DMDownload.htm
Trusted Zone: intuit.com\ttlc
DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} - hxxp://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
FF - ProfilePath - c:\documents and settings\Shawn\Application Data\Mozilla\Firefox\Profiles\wc0nwv5h.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/All%20Users/Documents/launch.htm
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-13 20:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-13 20:59:09
ComboFix-quarantined-files.txt 2010-09-14 01:59

Pre-Run: 15,911,215,104 bytes free
Post-Run: 17,651,167,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - CF3B26A6F50F9F1C4C7FC97DE8A0623B
 
HijackThis Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:01 PM, on 9/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3863 bytes
 
Anti-Malware found one file in my son's directory. I've removed it and have yet to see another UDP outbound flood.
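The router log above is long enough that reading it by eye hides the structure: three internal hosts appear, and only one of them (192.168.2.104) shows a single source port talking to dozens of high-port peers. The following is an added triage script, not code from the original post or the router vendor; the line format is inferred from the quoted log, the sample lines are copied from it, and the `fanout_threshold` and the labels are constructed for this example. It collapses the duplicate "(per Min)" entries the router writes for the same flow and then summarises each LAN host's pattern so a responder can tell DNS resolver bursts and NetBIOS leakage apart from one-port-to-many-peers traffic.

```python
"""Triage of router 'UDP flood' lines by internal host (added example; the
line format is inferred from the post's log and the thresholds are constructed)."""
import re
from collections import Counter, defaultdict

# Flow lines as the router writes them. 'Stop' lines carry no flow and are skipped.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\*\*UDP [Ff]lood(?: \(per Min\))?\*\* "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}), (?P<sport>\d+)->> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}), (?P<dport>\d+) "
    r"\(from (?P<direction>[^)]+)\)$"
)

# A few lines copied from the log in the post (the full log has dozens more peers).
SAMPLE_LOG = """\
09/13/2010 18:50:58 **UDP Flood Stop** (from WAN Outbound)
09/13/2010 18:50:57 **UDP flood** 192.168.2.100, 53651->> 208.67.220.220, 53 (from WAN Outbound)
09/13/2010 18:50:52 **UDP flood** 192.168.2.100, 54201->> 208.67.222.222, 53 (from WAN Outbound)
09/13/2010 18:50:47 **UDP flood** 192.168.1.1, 32768->> 208.67.220.220, 53 (from WAN Outbound)
09/13/2010 18:50:22 **UDP flood** 192.168.2.104, 137->> 67.215.65.132, 137 (from WAN Outbound)
09/13/2010 18:50:05 **UDP flood** 192.168.2.104, 60149->> 190.159.38.200, 53161 (from WAN Outbound)
09/13/2010 18:50:03 **UDP flood** 192.168.2.104, 60149->> 95.133.247.203, 6881 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min)** 192.168.2.104, 60149->> 94.66.233.30, 13276 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min) Stop** (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 94.66.233.30, 13276 (from WAN Outbound)
09/13/2010 18:49:53 **UDP Flood (per Min)** 192.168.2.104, 60149->> 79.181.40.49, 20386 (from WAN Outbound)
09/13/2010 18:49:53 **UDP flood** 192.168.2.104, 60149->> 79.181.40.49, 20386 (from WAN Outbound)
"""

def parse_line(line):
    """Return a flow dict for a flow line, or None for Stop/unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow

def unique_flows(text):
    """Parse every line and collapse repeats: the router logs the same flow
    twice in one second, once as 'UDP flood' and once as 'UDP Flood (per Min)'."""
    seen, flows = set(), []
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        key = (f["date"], f["time"], f["src"], f["sport"], f["dst"], f["dport"])
        if key not in seen:
            seen.add(key)
            flows.append(f)
    return flows

def summarize(flows):
    """Group flows by internal source host; by_sport maps each source port to the
    (dst, dport) pairs it reached, which exposes one-port-to-many-peers patterns."""
    hosts = defaultdict(lambda: {"flows": 0, "dsts": set(), "dports": Counter(),
                                 "by_sport": defaultdict(set)})
    for f in flows:
        h = hosts[f["src"]]
        h["flows"] += 1
        h["dsts"].add(f["dst"])
        h["dports"][f["dport"]] += 1
        h["by_sport"][f["sport"]].add((f["dst"], f["dport"]))
    return dict(hosts)

def classify(host, fanout_threshold=20):
    """Label one host's pattern. The threshold is a constructed default: one
    source port reaching that many distinct high-port peers is P2P/DHT-like."""
    labels = []
    if set(host["dports"]) == {53}:
        labels.append("dns-only")        # resolver bursts (208.67.x.x is OpenDNS)
    if 137 in host["dports"]:
        labels.append("netbios-egress")  # NetBIOS name service leaving via the WAN
    for sport, pairs in host["by_sport"].items():
        peers = {dst for dst, dport in pairs if dport > 1023}
        if len(peers) >= fanout_threshold:
            labels.append(f"peer-fanout:{sport}->{len(peers)}")
    return labels

def report(text, fanout_threshold=20):
    """Map each internal host to its labels; an unlabelled host needs a closer look."""
    return {src: classify(h, fanout_threshold)
            for src, h in summarize(unique_flows(text)).items()}

if __name__ == "__main__":
    # The sample holds only four peers, so lower the threshold to show the label.
    for src, labels in report(SAMPLE_LOG, fanout_threshold=4).items():
        print(f"{src:15} {', '.join(labels) or '(unclassified)'}")
```

Run against the full log from the post with the default threshold, the host to examine first is the one tagged `peer-fanout`; the `dns-only` hosts are simply querying the resolvers the router was configured with, which the router's flood heuristic counts as a flood because many small queries land in one second.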
 
Please post a HijackThis log from each user account on the machine. Are there other PCs in the house?
 