Jump to content

Woohookitty

Members
  • Posts

    8
  • Joined

  • Last visited

Everything posted by Woohookitty

  1. I just received this on my stickynote, same type of my pc crashing and having relentless number 2s being entered, however this time i pressed the F1 key then it stopped... this is part of what was entered in the note (enlarged for viewing purposes): 22222222☻22☻2222☻22222222222
  2. Hi, i'm waiting to change my static IP address, because i contacted my ISP and they told me that they changed my IP address yesterday , yet the IP attacks kept coming! These are the new IPs, along with the Ecatel ones: 46.246.111.54 port 808093.174.93.139, 94.102.51.225 port 19109.230.220.126 port 5060211.198.225.149 port 21869222.186.34.31 port 1433218.7.37.194 port 22As well, my PC froze twice on the Nov. 5th and 6th , with my input devices disabled, and any text box that i have open (like a web browser address bar, stickynote i'm writing on) would have number 2's being entered continuously non-stop (ie 2222222222222222222...), and i had to power-off the machine abruptly to stop it. I ran MBAM Anti-rootkit and logs attached below (i ran it twice). The ISP tech assistance rep told me that my problem is likely working in a 2 way direction, just like addressed in the previous post, and told me i probably have deeply-hidden malicious code on my pc that's contacting the hacker IPs, and the IPs keep pinging, port-scanning and contacting my machine, and he proposed that i have my PC cleaned or reformatted, and have my IP change simultaneously, to prevent any contact with the malicious IPs whatsoever. However, my IP would change only at times when my IP lease expires (November-07-13 10:41:34 PM New York time, mentioned from my Networking Sharing Center's LAN details), and having my modem disconnected for 4 - 24hrs to release my IP to someone else... I'll make updated posts as soon as i can mbar-log-2013-11-03 (14-25-05).txt system-log.txt mbar-log-2013-11-06 (23-08-00).txt system-log.txt
  3. From the time my internet connection was fixed Saturday morning, these were the additional IPs that were attempting inbound connections to svchost, atop of the first ecatel ip mentioned in the first post, and some attempted outbound connections from my web browser: *93.174.88.31 port 4921, port 28223 *94.102.49.213 port 19*222.186.34.28 port 8080*222.186.42.43 port 1433*94.102.48.167 port 14075
  4. Hi, sorry for the delay in posting. Here's the zoek log. Zoek.exe Version 4.0.0.5 Updated 26-October-2013Tool run by WL on 11/03/13 at 2:36:39.62.Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64Running in: Normal Mode Internet Access DetectedLaunched: C:\Users\WL\Desktop\zoek\zoek.exe [script inserted] ==== Older Logs ====================== C:\zoek-results2013-10-30-055647.log 128735 bytes ==== Deleting CLSID Registry Keys ====================== ==== Deleting CLSID Registry Values ====================== ==== Deleting Services ====================== ==== Firefox Extensions Registry ====================== [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]"ffpwdman@bitdefender.com"="C:\Program Files\Bitdefender\Bitdefender\Antispam32\ffpwdman" [10/17/13 02:03 PM] ==== Chrome Look ====================== HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensionsccahoghmggldkcdjiebjkidpfongdfbl - C:\Program Files\Bitdefender\Bitdefender\Antispam32\pmbxcr.crx[09/25/13 03:05 PM] Bejeweled - WL - Default\Extensions\adpkifcfcacgmnggcbpbjbkdijciiigmYour Second Phone - WL - Default\Extensions\afgcliennfocnaoenlkmlhoakpaflpgoBIODIGITAL HUMAN - WL - Default\Extensions\agoenciogemlojlhccbcpcfflicgnaakAngry Birds - WL - Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghlojGoogle Docs - WL - Default\Extensions\aohghmighlieiainnegkcijnfilokakeTask Timer - WL - Default\Extensions\aomfjmibjhhfdenfkpaodhnlhkolngifLucidchart Diagrams Online - WL - Default\Extensions\apboafhkiegglekeafbckfjldecefkhnGoogle Drive - WL - Default\Extensions\apdfllckaahabafndbhieahigkjlhalfTV - WL - Default\Extensions\beobeededemalmllhkmnkinmfembdimhDesmos Graphing Calculator - WL - Default\Extensions\bhdheahnajobgndecdbggfmcojekgdkoWOT - WL - Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnpSKiD Racer - WL - Default\Extensions\bhoaojooagiaaiidlnfhkkafjpbbnnnoYouTube - WL - Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeoBitdefender Wallet - WL - Default\Extensions\ccahoghmggldkcdjiebjkidpfongdfblLast updated at time on date - WL - Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddbBouncy Mouse - WL - Default\Extensions\cgdllcbmneiklcmbeclfegccdjholombYendo Accounting - WL - Default\Extensions\cgllmndceblpkjnakpnceoafddbechmpUseful Periodic Table - WL - Default\Extensions\chachkegffmilnmdlonllkhkfkakghieOneTab - WL - Default\Extensions\chphlpgkkbolifaimnlloiipkdnihallGoogle Search - WL - Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpfMaskMe - WL - Default\Extensions\dpkiidbpeijnaaacjlfnijncdlkicejgGmail Offline - WL - Default\Extensions\ejidjjhkpiempkbhmpbfngldlkglhimkZenMate for Google Chrome\u2122 - WL - Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebmeFull Screen Weather - WL - Default\Extensions\fkkaebihfmbofclegkcfkkemepfehibgSpringpad - WL - Default\Extensions\fkmopoamfjnmppabeaphohombnjcjglaDigital Clock - WL - Default\Extensions\gdkjifoifglkpcdffkenpinlbjgephloPicadilo - WL - Default\Extensions\geljjpapbfokifgnlnpdbiplebdhleinAdBlock - WL - Default\Extensions\gighmmpiobklfepjocnamgkkbiglidomClock - WL - Default\Extensions\hoihofapbdnldlhecnhefifbcddgdkhmPixlr Editor - WL - Default\Extensions\icmaknaampgiegkcjlimdiidlhopknpkConcentrate - WL - Default\Extensions\idfmgklhndkcggamadboiaepmohpjhjjStealthy - WL - Default\Extensions\ieaebnkibonmpbhdaanjkmedikadnojeButtonBass Xylophone - WL - Default\Extensions\indlkficjfpogfdndmffegpjapkfaeohWave Accounting - WL - Default\Extensions\knpkfcpnjfbniadmfchjpcigfhookhaaBuild with Chrome - WL - Default\Extensions\lbbbhbjeecagnlfgggogfclkdjamoapfEvernote Web - WL - Default\Extensions\lbfehkoinhhcknnbdgnnmjhiladcgbolPlanner 5D - WL - Default\Extensions\mcafejemebbngbglfoinpoaannbihjnaChemReference Periodic Table - WL - Default\Extensions\mjpnebljmdbglkmlnijcaplhfhkhdnibGoogle Wallet - WL - Default\Extensions\nmmhkkegccagdldgiimedpiccmgmiedaDocs PDFPowerPoint Viewer by Google - WL - Default\Extensions\nnbmlagghjjcbdhgmkedmbmedengocbnBackground Tab - WL - Default\Extensions\oehpjpccmlcalbenfhnacjeocbjdonicTetris 3D - WL - Default\Extensions\pdkeccfoknbfheljdlnicdlbflmfkdpmGmail - WL - Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia ==== Set IE to Default ====================== Old Values:[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] New Values:[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157" ==== All HKCU SearchScopes ====================== HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}" ==== Reset Google Chrome ====================== C:\Users\WL\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfullyC:\Users\WL\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully ==== Empty IE Cache ====================== C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfullyC:\Users\WL\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfullyC:\Users\WL\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfullyC:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfullyC:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfullyC:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully ==== Empty FireFox Cache ====================== No FireFox Profiles found ==== Empty Chrome Cache ====================== C:\Users\WL\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully ==== Empty All Flash Cache ====================== Flash Cache Emptied Successfully ==== Empty All Java Cache ====================== Java Cache cleared successfully ==== After Reboot ====================== ==== Empty Temp Folders ====================== C:\Windows\Temp successfully emptiedC:\Users\WL\AppData\Local\Temp successfully emptied ==== Empty Recycle Bin ====================== C:\$RECYCLE.BIN successfully emptied ==== EOF on 11/03/13 at 2:49:11.65 ======================
  5. ***UPDATE***: There's aggressive attempts by another Dutch IP 88.208.33.4, from Advancedhosters Limited trying to make my web browser have an outbound connection to this ip thru port 50457, about once/twice per hour, which were blocked by Mbam. (Less but still aggressive) attempts by Dutch IP 141.0.172.225 from Amsterdam ServerStack, once every 1 - 2 hrs, also blocked. 2 inbound connection attempts by IP 74.118.193.38There's slightly decreased attempts by the Ecatel IP mentioned above trying to make inbound connections under svchost.My Bitdefender AV can no longer update, even upon a manually executed update attempt.I'll run Zoek in ~1 hr from this post. I'm just wondering, if i had my IP address changed, would these Dutch IP hackers "follow me" to my new address?
  6. Here's the report: RogueKiller V8.7.6 [Oct 28 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.adlice.com/forum/ Website : http://www.adlice.com/softwares/roguekiller/ Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User : WL [Admin rights] Mode : Scan -- Date : 10/31/2013 01:39:09 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 4 ¤¤¤ [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Scheduled tasks : 0 ¤¤¤ ¤¤¤ Startup Entries : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤ ¤¤¤ External Hives: ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> %SystemRoot%\System32\drivers\etc\hosts 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD7500BPKT-75PK4T0 +++++ --- User --- [MBR] 3835b3083c0c127b8a6b07735ad80c8f [bSP] 16f4024e34566a678ac684a349fe1701 : Windows Vista MBR Code Partition table: 0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 212992 | Size: 20000 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41172992 | Size: 439298 Mo 3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 940857344 | Size: 256000 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[0]_S_10312013_013909.txt >> RKreport[0]_S_10282013_214302.txt
  7. Hi there, i just ran zoek with results attached. Also i would like to note, for 2 days now the blocked IP connections are all fromthe IP listed above, targeting port 21320 zoek-results.log
  8. Hi everyone, i'm having a chronic problem with Svchost.exe having connections with random IPs. For the past 3 days now Mbam has been blocking many incoming IP connections under the Svchost process, with all IP addresses coming from Ecatel LTD in the Netherlands (except for 1 attempt yesterday from Harbin, China). I'm seeing these blocked connections about 10 times per day, and they seem to be from different Ecatel IPs each time. The latest IP was 93.174.93.67. All ports targeted were different each time. Also, today after another IP connection block, that same IP ended up invoking my BitDef firewall to prompt for permission for Chrome having an outgoing connection to that same IP few seconds later! I blocked it. Yesterday I disconnected my internet and scanned my pc with MBAM, Bitdefender AV, Malwarebytes Anti-rootkit, TDSSkiller, Kaspersky Virus Removal tool, Microsoft Safety Scanner (msert.exe), Microsoft Malware Removal tool, and all these scans found nothing. Today i scanned using Rkill, Combofix, and Adwcleaner with results attached below. This is a very chronic problem i've had for the past year, with Mbam blocking svchost connections or my former Comodo firewall prompting for svchost connections from random IPs from Brazil, China, Russia, Iceland, and now Ecatel, and each time i run an AV, MBAM, Rkill and Combofix scan it found no malware (except once combofix deleted a worm few months ago). The majority of these were inbound, although many were outbound too. I also reformatted my pc many times in the past few months ( as recently as 4 days ago), because I didn't know what problem is going on, but i don't think the marathon of reformatting is a lasting solution because it'll reoccur again sooner or later. I also tried blocking svchost from having any incoming connections with my firewall, but it only worked for last night. For some reason, right after i made that firewall rule, i couldn't find it in the list of firewall rules... Is there any way I can make this problem stop once and for all? What is it that causes svchost to make these connections? Can i just block svchost altogether from connecting to the web? I would greatly appreciate any help to stop this madness. Thanks Rkill.txt Rkill.txt ComboFix.txt AdwCleanerR0.txt AdwCleanerS0.txt
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.