HJT Log - Very high upload usage



radium
14-05-2014, 10:54 PM
Hello Guys

Can you please take a look at this Log,
I have a Windows Server 2008 R2 server that has abnormal upload, like 3GB per day when typical is 300MB. I have used TCPView and have identified a turbodns.uk entry running as svchost.exe.
I have run many virus & malware detection programs but nothing has been identified.

To date I have run

Trend Micro House Call
Kaspersky AV
Malwarebytes
Spybot
Spyware Terminator

All report the server as clean. Log file is below; thanks.


Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 9:40:17 PM, on 5/14/2014
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16526)


Boot mode: Normal

Running processes:
C:\Program Files (x86)\Flow Software\FlowMonitor.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Administrator\Documents\HJT\HijackThis.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: ContentBlockerBrowserHelperObject - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
O2 - BHO: VirtualKeyboardBrowserHelperObject - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\UrlAdvisor\klwtbbho.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files (x86)\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [Cobian Backup 10 Interface] "C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe" -service
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
O4 - HKLM\..\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\avp.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2370433984-202841576-1820059870-1115\..\Run: [~] C:\Users\pos\Desktop\DeskLock.exe (User 'pos')
O4 - Global Startup: FlowMonitor.lnk = C:\Program Files (x86)\Flow Software\FlowMonitor.exe
O9 - Extra button: Virtual Keyboard - {0C4CC089-D306-440D-9772-464E226F6539} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O9 - Extra button: URLs check - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\UrlAdvisor\klwtbbho.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://www.100percent.co.nz
O15 - ESC Trusted Zone: http://*.feed2js.org
O15 - ESC Trusted Zone: ftp.flow.net.nz
O15 - ESC Trusted Zone: http://*.furnituretogo.co.nz
O15 - ESC Trusted Zone: http://www.google.co.nz
O15 - ESC Trusted Zone: http://dhl.df.lth.se
O15 - ESC Trusted Zone: http://3347-mozilla.voxcdn.com
O16 - DPF: {3141A4B9-16D5-4B76-B1EB-B595C8308D42} (Security Server Management Console) - https://serverexo.dimockh.local:4343/SMB/console/html/root/AtxConsole.cab?ver=18,0,0,1315
O16 - DPF: {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} (RSVideo Control) - http://10.17.1.68:8080/RSVideoOcx.cab
O16 - DPF: {8157E81A-275D-4BE8-A7A9-E36E62DF9C68} (Encrypt Class) - https://serverexo.dimockh.local:4343/SMB/console/html/root/AtxEnc.cab?ver=18,0,0,1315
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dimockh.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAA41F4A-35AC-42A7-BBBF-85ABDABE09FB}: NameServer = 10.17.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dimockh.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dimockh.local
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\avp.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
O23 - Service: Cobian Backup 10 Volume Shadow Copy service (cbVSCService) - CobianSoft, Luis Cobian - C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe
O23 - Service: Cobian Backup 10 (CobianBackup10) - Luis Cobian, CobianSoft - C:\Program Files (x86)\Cobian Backup 10\cbService.exe
O23 - Service: CryptoStorage control service (CSObjectsSrv) - Infowatch - C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: FlowMonitorService - Flow Software Limited - C:\Program Files (x86)\Flow Software\FlowMonitorS.exe
O23 - Service: FlowService (ACL Member:3569) (FlowWinService$8FEA168F-5265-4242-9435-1B64B69DC425$3569) - Flow Software Limited - C:\Program Files (x86)\Flow Software\FlowService.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Unknown owner - C:\Windows\system32\sysdown.exe (file missing)
O23 - Service: TeamViewer 9 (TeamViewer9) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files (x86)\UltraVNC\winvnc.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 10090 bytes


Thanks, Guys
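Before handing a log like the one above to an online analyser, it helps to do a first offline pass over it. The following is an added example, not code from the thread or from the HijackThis project: a small parser for the O4/O15/O17/O20/O23 line formats shown in the log, with a few triage rules a defender would apply (autoruns from user-writable paths, wildcard trusted zones, an unexpected name server, orphaned Winlogon entries, services whose binary is missing, and an inventory of remote-access services). The sample lines are constructed in the format of the log above; the rule thresholds, the `expected_dns` allow-list and the note that a 32-bit HijackThis running on 64-bit Windows reports many system services as "file missing" because of WOW64 file-system redirection are the example's own assumptions and should be verified against the real host.

```python
import re

# Constructed sample in the HijackThis line format shown in the thread (raw string,
# so the backslashes in Windows paths are kept as-is).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files (x86)\UltraVNC\winvnc.exe" -servicehelper
O4 - HKUS\S-1-5-21-2370433984-202841576-1820059870-1115\..\Run: [~] C:\Users\pos\Desktop\DeskLock.exe (User 'pos')
O15 - ESC Trusted Zone: http://*.feed2js.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAA41F4A-35AC-42A7-BBBF-85ABDABE09FB}: NameServer = 10.17.1.254
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: TeamViewer 9 (TeamViewer9) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
"""

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<detail>.*)$")
# First drive-letter path ending in .exe/.dll on the line (stops at a quote or line end).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll)", re.IGNORECASE)
# Assumed heuristics: locations a normal user can write to, and remote-access product names.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
REMOTE_ACCESS = ("vnc", "teamviewer", "anydesk", "logmein")


def parse_hjt(text):
    """Turn HijackThis report lines into dicts; lines that are not O/R/F entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        detail = m.group("detail")
        p = PATH_RE.search(detail)
        entries.append({
            "section": m.group("sec"),
            "detail": detail,
            "path": p.group(0) if p else None,
            "file_missing": "(file missing)" in detail,
            "unknown_owner": "Unknown owner" in detail,
        })
    return entries


def triage(entries, expected_dns=()):
    """Apply defender-side triage rules; returns (severity, reason, line) tuples."""
    findings = []
    for e in entries:
        sec, d, path = e["section"], e["detail"], (e["path"] or "").lower()
        if sec == "O4" and any(k in path for k in USER_WRITABLE):
            findings.append(("review", "autorun from user-writable path", d))
        elif sec == "O15" and "*" in d:
            findings.append(("review", "wildcard trusted zone", d))
        elif sec == "O17" and "NameServer" in d:
            ns = d.split("=")[-1].strip()
            if ns not in expected_dns:
                findings.append(("review", "unexpected name server", d))
        elif sec == "O20" and e["file_missing"]:
            findings.append(("high", "orphaned Winlogon notify entry", d))
        elif sec == "O23":
            if e["file_missing"] and e["unknown_owner"] and path.startswith("c:\\windows\\"):
                # Assumption: typical of 32-bit HJT on x64 (WOW64 redirection), so verify rather than act.
                findings.append(("info", "likely WOW64 redirection, verify manually", d))
            elif e["file_missing"]:
                findings.append(("high", "service points at missing binary", d))
            elif any(k in d.lower() for k in REMOTE_ACCESS):
                findings.append(("inventory", "remote-access service present", d))
    return findings


def summarize(findings):
    """Count findings per severity so a long log can be skimmed."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(parse_hjt(SAMPLE_LOG), expected_dns=("10.17.1.254",))
    for sev, reason, line in results:
        print(f"[{sev}] {reason}: {line}")
    print(summarize(results))
```

Pass the name servers you actually expect for the site (here the 10.17.1.254 forwarder mentioned in the log) in `expected_dns`; anything else becomes a review item. The "inventory" findings are not verdicts, they just list the remote-access paths that a later access review should cover.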

wainuitech
14-05-2014, 11:44 PM
Drop your Hijack report / log into http://www.computerhope.com/cgi-bin/process.pl There are some suspect items in the DNS, but you may know what they are, so they could be legit.

Speedy Gonzales
15-05-2014, 10:00 AM
What does DeskLock do? Do you need it?

I wouldn't use Kaspersky myself.

These don't have to run on startup:


O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN

O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun

O4 - HKLM\..\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"

If S&D still uses TeaTimer, I would disable it.

dugimodo
15-05-2014, 10:29 AM
I'd get rid of Spybot altogether. It's one of the originals and I'd like to support it, but recent reviews have declared it essentially useless.
As to the upload issue, I can't help you with that.

Lawrence
15-05-2014, 01:46 PM
CryptoStorage, is this the cause of your problems? See, it is offline storage software.

radium
15-05-2014, 08:57 PM
Thanks, guys. I have removed DeskLock - a virus, but not the cause of my problems. I will remove S&D, which I haven't used for years, but I was running low on things to use.

Thanks Lawrence! I will remove CryptoStorage now! I'm hoping this is the cause...

Will get back to you LL

radium
15-05-2014, 09:11 PM
Speedy, what AV do you recommend for servers?

radium
16-05-2014, 12:26 AM
Infowatch cryptolocker is a Kaspersky process... I think it's a hijack or some sort of DNS routing. DNS forwarders are fine on the server...

Speedy Gonzales
16-05-2014, 02:30 PM
Umm, pass, Radium. The question is, do any run on servers? If Trojan Remover can be installed on it, I would install it for now, update it, then scan. See if it picks anything else up, since you say DeskLock is / was a virus.

1101
16-05-2014, 04:44 PM
NOD32/ESET have several AV editions designed for servers. That's what I would recommend.
If you want Exchange/mail scanning, they charge per mailbox for that.

What I would recommend, if it's a server in a business environment:
don't use your server as a workstation
O15 - ESC Trusted Zone: http://www.100percent.co.nz
O15 - ESC Trusted Zone: http://*.feed2js.org
O15 - ESC Trusted Zone: ftp.flow.net.nz
O15 - ESC Trusted Zone: http://*.furnituretogo.co.nz
:-)

Also look for domain user a/c's with stupid passwords, and restrict remote access to those who need it.
Worst case is it's been hacked & is spitting out spam, possibly having gained remote entry via bad passwords.
Is it the server or another PC on the network with the high uploads?

1101
16-05-2014, 05:02 PM
Edit: if this is a business server,
get this forum's moderator to remove all references to your company/domain/etc. in that HijackThis log file.

:-)