| Thread ID: 137024 | 2014-05-14 10:54:00 | HJT Log - Very high upload usage | radium (8645) | Press F1 |
| Post ID | Timestamp | User |
| 1374992 | 2014-05-14 10:54:00 | radium (8645) |

Hello guys, can you please take a look at this log. I have a Windows Server 2008 R2 server that has abnormal upload, like 3GB per day; typical is 300MB. I have used TCPView and have identified a turbodns.uk entry running as svchost.exe. I have run many virus & malware detection programs but nothing has been identified. To date I have run Trend Micro HouseCall, Kaspersky AV, Malwarebytes, Spybot, Spyware Terminator. All report the server as clean. Log file is below; thanks.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 9:40:17 PM, on 5/14/2014
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16526)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Flow Software\FlowMonitor.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Administrator\Documents\HJT\HijackThis.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: ContentBlockerBrowserHelperObject - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
O2 - BHO: VirtualKeyboardBrowserHelperObject - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\UrlAdvisor\klwtbbho.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files (x86)\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [Cobian Backup 10 Interface] "C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe" -service
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
O4 - HKLM\..\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\avp.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2370433984-202841576-1820059870-1115\..\Run: [~] C:\Users\pos\Desktop\DeskLock.exe (User 'pos')
O4 - Global Startup: FlowMonitor.lnk = C:\Program Files (x86)\Flow Software\FlowMonitor.exe
O9 - Extra button: Virtual Keyboard - {0C4CC089-D306-440D-9772-464E226F6539} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O9 - Extra button: URLs check - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\UrlAdvisor\klwtbbho.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://www.100percent.co.nz
O15 - ESC Trusted Zone: http://*.feed2js.org
O15 - ESC Trusted Zone: ftp.flow.net.nz
O15 - ESC Trusted Zone: http://*.furnituretogo.co.nz
O15 - ESC Trusted Zone: http://www.google.co.nz
O15 - ESC Trusted Zone: http://dhl.df.lth.se
O15 - ESC Trusted Zone: http://3347-mozilla.voxcdn.com
O16 - DPF: {3141A4B9-16D5-4B76-B1EB-B595C8308D42} (Security Server Management Console) - serverexo.dimockh.local:4343
O16 - DPF: {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} (RSVideo Control) - 10.17.1.68:8080
O16 - DPF: {8157E81A-275D-4BE8-A7A9-E36E62DF9C68} (Encrypt Class) - serverexo.dimockh.local:4343
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dimockh.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAA41F4A-35AC-42A7-BBBF-85ABDABE09FB}: NameServer = 10.17.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dimockh.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dimockh.local
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\avp.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
O23 - Service: Cobian Backup 10 Volume Shadow Copy service (cbVSCService) - CobianSoft, Luis Cobian - C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe
O23 - Service: Cobian Backup 10 (CobianBackup10) - Luis Cobian, CobianSoft - C:\Program Files (x86)\Cobian Backup 10\cbService.exe
O23 - Service: CryptoStorage control service (CSObjectsSrv) - Infowatch - C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: FlowMonitorService - Flow Software Limited - C:\Program Files (x86)\Flow Software\FlowMonitorS.exe
O23 - Service: FlowService (ACL Member:3569) (FlowWinService$8FEA168F-5265-4242-9435-1B64B69DC425$3569) - Flow Software Limited - C:\Program Files (x86)\Flow Software\FlowService.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Unknown owner - C:\Windows\system32\sysdown.exe (file missing)
O23 - Service: TeamViewer 9 (TeamViewer9) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files (x86)\UltraVNC\winvnc.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 10090 bytes

Thanks, guys.
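An added example (my code, not from the original post or from any tool it names) of the step the post stops short of: on Windows one svchost.exe process hosts several services, so a connection that TCPView attributes to "svchost.exe" is only useful once it is tied to a PID and then to the services inside that PID, which is what `netstat -ano` and `tasklist /svc` give you together. The script correlates constructed sample output of both commands and reports established connections to peers outside the local ranges, with the services hosted by the owning PID. The PIDs, the remote address 203.0.113.45, the service names and the list of "internal" networks are assumptions for the example, not data from the thread.

```python
"""Map established outbound connections to the service that owns them.

Added example, not code from the original post. On the server the inputs
come from `netstat -ano` and `tasklist /svc`; the text below is a constructed
sample of each (hypothetical PIDs, addresses, service names).
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: these ranges are "ours"; any other numeric peer is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fe80::/10")]

# Constructed `netstat -ano` output (not captured from the poster's server).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.17.1.10:49321       203.0.113.45:443       ESTABLISHED     1240
  TCP    10.17.1.10:49322       203.0.113.45:443       ESTABLISHED     1240
  TCP    10.17.1.10:3389        10.17.1.50:51022       ESTABLISHED     896
  TCP    10.17.1.10:49400       10.17.1.254:53         TIME_WAIT       0
  UDP    10.17.1.10:53          *:*                                    1524
"""

# Constructed `tasklist /svc` output (hypothetical service names).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    896 TermService
svchost.exe                   1240 BITS, wuauserv, ExampleUpdSvc
dns.exe                       1524 DNS
winvnc.exe                    1800 winvnc
"""

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")
TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<services>.+?)\s*$")


def split_endpoint(endpoint):
    """'203.0.113.45:443' -> ('203.0.113.45', 443); '[::1]:443' -> ('::1', 443)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """One dict per connection line; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.append({"proto": m["proto"], "local": m["local"],
                          "remote": m["remote"], "state": m["state"],
                          "pid": int(m["pid"])})
    return conns


def parse_tasklist(text):
    """PID -> (image name, [hosted services]); 'N/A' means none."""
    owners = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            svc = m["services"].strip()
            owners[int(m["pid"])] = (
                m["image"], [] if svc == "N/A" else [s.strip() for s in svc.split(",")])
    return owners


def is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname: nothing to classify
        return True
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_connections(netstat_text, tasklist_text):
    """Established connections to external peers, grouped by (PID, peer)."""
    owners = parse_tasklist(tasklist_text)
    groups = defaultdict(int)
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(c["remote"])
        if not is_internal(host):
            groups[(c["pid"], host, port)] += 1

    findings = []
    for (pid, host, port), count in sorted(groups.items()):
        image, services = owners.get(pid, ("<no tasklist entry>", []))
        notes = []
        if image.lower() == "svchost.exe" and not services:
            # Genuine svchost.exe always hosts services; a bare one needs a path/signature check.
            notes.append("svchost.exe hosting no services: check image path and signature")
        if len(services) > 1:
            notes.append("shared service host: 'sc config <svc> type= own' on each candidate "
                         "(or Process Monitor) to pin the owning service")
        findings.append({"pid": pid, "image": image, "services": services,
                         "remote": f"{host}:{port}", "connections": count,
                         "notes": notes})
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} ({f['image']}) -> {f['remote']} x{f['connections']}")
        print("  services:", ", ".join(f["services"]) or "none")
        for n in f["notes"]:
            print("  note:", n)
```

On the real server, pipe `netstat -ano` and `tasklist /svc` into files and feed those in place of the two samples. The point of the "shared service host" note is that a PID with three services in it still leaves three candidates; moving each candidate into its own process with `sc config <name> type= own` (and a restart of that service) makes the next `netstat -ano` name a single service, and a svchost.exe that tasklist shows with no services at all, or whose path is not `C:\Windows\System32`, is a finding on its own.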
| 1374993 | 2014-05-14 11:44:00 | wainuitech (129) |

Drop your HijackThis report / log into www.computerhope.com. There are some suspect items in the DNS, but you may know what they are, so they could be legit.
| 1374994 | 2014-05-14 22:00:00 | Speedy Gonzales (78) |

What does DeskLock do?? Do you need it? I wouldn't use Kaspersky myself. These don't have to run on startup:

O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
O4 - HKLM\..\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"

If S&D still uses TeaTimer, I would disable it.
| 1374995 | 2014-05-14 22:29:00 | dugimodo (138) |

I'd get rid of Spybot altogether. It's one of the originals and I'd like to support it, but recent reviews have declared it essentially useless. As to the upload issue, I can't help you with that.
| 1374996 | 2014-05-15 01:46:00 | Lawrence (2987) |

CryptoStorage, is this the cause of your problems? See, it is offline storage software.
| 1374997 | 2014-05-15 08:57:00 | radium (8645) |

Thanks guys, I have removed DeskLock - virus, but not the cause of my problems. I will remove S&D, which I haven't used for years, but I was running low on things to use. Thanks Lawrence! I will remove CryptoStorage now! I'm hoping this is the cause... Will get back to you. LL
| 1374998 | 2014-05-15 09:11:00 | radium (8645) |

Speedy, what AV do you recommend for servers?
| 1374999 | 2014-05-15 12:26:00 | radium (8645) |

Infowatch cryptolocker is a Kaspersky process... I think it's a hijack or some sort of DNS routing. DNS forwarders are fine on the server...
| 1375000 | 2014-05-16 02:30:00 | Speedy Gonzales (78) |

Umm, pass, Radium. The question is, do any run on servers? If Trojan Remover can be installed on it, I would install it for now, update it, then scan. See if it picks anything else up, since you say DeskLock is / was a virus.
| 1375001 | 2014-05-16 04:44:00 | 1101 (13337) |

NOD32/ESET have several AV editions designed for servers. That's what I would recommend. If you want Exchange/mail scanning, they charge per mailbox for that. What I would recommend, if it's a server in a business environment: don't use your server as a workstation.

O15 - ESC Trusted Zone: http://www.100percent.co.nz
O15 - ESC Trusted Zone: http://*.feed2js.org
O15 - ESC Trusted Zone: ftp.flow.net.nz
O15 - ESC Trusted Zone: http://*.furnituretogo.co.nz

:-)

Also look for domain user accounts with stupid passwords, and restrict remote access to those who need it. Worst case is it's been hacked & is spitting out spam, possibly gained remote entry via bad passwords. Is it the server or another PC on the network with the high uploads?
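An added example (mine, not from the thread) for the last two points in the reply above: whether someone has been guessing passwords against the server, and whether a guess eventually worked, is readable from the Security log, where event 4625 is a failed logon and 4624 a successful one, and the logon type distinguishes RDP (10) from network logons (3). The script counts failures per source address inside a sliding window and flags a success that arrives from a source currently over the threshold. The CSV rendering, account names, addresses and timestamps are constructed; a real export would come from `wevtutil qe Security` or `Get-WinEvent`, with the EventData fields TargetUserName, LogonType and IpAddress mapped onto the same columns.

```python
"""Find password guessing, and guesses that succeeded, in Security-log events.

Added example, not code from the original thread. Input is a constructed
CSV rendering of event 4625 (failed logon) and 4624 (successful logon);
accounts, addresses and times are made up.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample. Logon type 3 = network, 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = """\
time,event_id,account,logon_type,source_ip
2014-05-14T02:00:01,4625,administrator,3,198.51.100.7
2014-05-14T02:00:03,4625,administrator,3,198.51.100.7
2014-05-14T02:00:05,4625,admin,3,198.51.100.7
2014-05-14T02:00:07,4625,scanner,3,198.51.100.7
2014-05-14T02:00:09,4625,backup,3,198.51.100.7
2014-05-14T02:00:11,4624,backup,10,198.51.100.7
2014-05-14T08:15:00,4624,jsmith,10,10.17.1.50
2014-05-14T08:16:30,4625,jsmith,10,10.17.1.50
2014-05-14T08:16:45,4624,jsmith,10,10.17.1.50
"""


def parse_events(csv_text):
    """Rows as dicts with typed fields, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"time": datetime.fromisoformat(row["time"]),
                     "event_id": int(row["event_id"]),
                     "account": row["account"],
                     "logon_type": int(row["logon_type"]),
                     "source_ip": row["source_ip"]})
    return sorted(rows, key=lambda r: r["time"])


def analyze(csv_text, threshold=5, window=timedelta(minutes=10)):
    """Flag a source with >= threshold failures inside `window`, and any
    successful logon from a source that is over that threshold at the time."""
    recent = defaultdict(deque)   # source_ip -> deque of (time, account) failures
    flagged = set()
    findings = []
    for ev in parse_events(csv_text):
        q = recent[ev["source_ip"]]
        while q and ev["time"] - q[0][0] > window:
            q.popleft()           # expire failures that fell out of the window
        if ev["event_id"] == 4625:
            q.append((ev["time"], ev["account"]))
            if len(q) >= threshold and ev["source_ip"] not in flagged:
                flagged.add(ev["source_ip"])
                findings.append({"kind": "password_guessing",
                                 "source_ip": ev["source_ip"], "time": ev["time"],
                                 "failures": len(q),
                                 "accounts": sorted({a for _, a in q})})
        elif ev["event_id"] == 4624 and len(q) >= threshold:
            findings.append({"kind": "success_after_failures",
                             "source_ip": ev["source_ip"], "time": ev["time"],
                             "account": ev["account"],
                             "logon_type": ev["logon_type"],
                             "failures_before": len(q)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["time"].isoformat(), f["kind"], f["source_ip"],
              f.get("account", ""), f.get("accounts", ""))
```

On the sample the first finding is the burst of five failures from one address across four account names, and the second is the RDP logon as "backup" that follows it, which is the case worth treating as a compromise rather than a lockout nuisance. The one stray failure from 10.17.1.50 followed by a success stays below the threshold, as a mistyped password should. Threshold and window are the knobs to tune against the server's normal failed-logon rate.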