I got an alert that Net Guard had blocked a connection yesterday (see Attachment 1) and noticed that it had blocked one 6 days earlier at almost the exact same time, although I didn't see that alert (maybe a fullscreen program blocked it?).
I scanned my computer with McAfee, Avira and Malwarebytes and none of them discovered anything, except Avira came up with a load of warnings, mostly that access was denied to folders that don't exist, but no detections were made.
I then used System Restore to restore to the earliest point I could, and scanned again with those three programs and with Windows Defender, Stinger (it just said Number of clean files: 704212, so I assume that means it's all clear) and none of them discovered anything again, except for the same Avira warnings.
I gave GetSusp a go and it said there were 23 suspicious and 4 unknown files, but I can account for all of them. I can post them here if it might help though.
All scans were run in safe mode.
I noticed that there are a couple of similar threads, so other people seem to be having something similar happen to them too:
Looking at the second thread, its creator seemed to have the connection associated with a particular trojan. If you have a look at my Attachment 2, I had a similar incoming event just before the 10 March blocked connection, which might be connected. I had another after I had system restored (Attachment 3).
Now, I would have just left it and assumed that it was some same software phoning home, but
a) Other people seem to be having the same problem, and the creator of the first thread reported that they found a virus.
b) One of the IPs is located in the Seychelles, which seems a bit odd.
Now either the System Restore worked, or it was an unknown legitimate program all along, or I still have a virus. Given the possibility that it could be option 3, what further steps could I take? Would HijackThis be the next step? If so, which forum would you recommend to pursue it on?
In addition, as you can see from Attachments 2 and 3, there are a very large number of 'Incoming Events' - dozens every minute at times. Is this unusual?
Thank you for your time.
(Just to add, I did a scan with Kaspersky TDSSKiller and it flagged up gdrv.sys as an 'Unsigned file'.
I assume it is just a motherboard driver and just a false positive though.)
on 11/03/12 23:17:25 GMT