Jump to content

unknow malware 146.185.220.85


Recommended Posts

Hey, 

 

just started to encounter a nasty virus on a friends computer

 

on regular pages it displays an "flash is outdated, download... " which appears on hover to be located on that same site ex. google.exe\flash.exe ; yahoo.com\flash.exe 

 

i have run frst which logs you see attached, and also i have exported the log from malware bytes 

 

ps. the page looks similar to this one http://malwarerescue.com/wp-content/uploads/2014/02/codwide.com_pop-up.png 

Addition.txt

FRST.txt

malware.txt

Shortcut.txt

Link to post
Share on other sites

Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

Please run a Threat Scan with Malwarebytes

Start Malwarebytes 2.0..........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log

Then.......

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button and post the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

Link to post
Share on other sites

i have copied this 3:

- Malwarebytes Anti-Malware - threat scan

- log of active protection from Malwarebytes Anti-Malware

- Rogue Killer log

please advise me on next move

ty

Malwarebytes Anti-Malware

www.malwarebytes.org

Scan Date: 26.08.2014

Scan Time: 09:42:21

Logfile: threat scan.txt

Administrator: Yes

Version: 2.00.2.1012

Malware Database: v2014.08.26.01

Rootkit Database: v2014.08.21.01

License: Trial

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Disabled

OS: Windows 7

CPU: x86

File System: NTFS

User: x

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 260856

Time Elapsed: 15 min, 52 sec

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

Processes: 0

(No malicious items detected)

Modules: 0

(No malicious items detected)

Registry Keys: 0

(No malicious items detected)

Registry Values: 0

(No malicious items detected)

Registry Data: 0

(No malicious items detected)

Folders: 0

(No malicious items detected)

Files: 0

(No malicious items detected)

Physical Sectors: 0

(No malicious items detected)

(end)

Malwarebytes Anti-Malware

www.malwarebytes.org

Protection, 26.08.2014 09:33:38, SYSTEM, X-PC, Protection, Malware Protection, Starting,

Protection, 26.08.2014 09:33:38, SYSTEM, X-PC, Protection, Malware Protection, Started,

Protection, 26.08.2014 09:33:38, SYSTEM, X-PC, Protection, Malicious Website Protection, Starting,

Protection, 26.08.2014 09:34:06, SYSTEM, X-PC, Protection, Malicious Website Protection, Started,

Detection, 26.08.2014 09:34:11, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 61709, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:34:11, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 61709, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:34:29, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 52253, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:34:31, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 49399, Outbound, C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe,

Detection, 26.08.2014 09:34:37, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 57340, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:34:40, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 65028, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:34:54, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 57631, Outbound, C:\Windows\System32\svchost.exe,

Update, 26.08.2014 09:35:12, SYSTEM, X-PC, Scheduler, Malware Database, 2014.8.25.3, 2014.8.26.1,

Detection, 26.08.2014 09:35:14, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 59689, Outbound, C:\Windows\System32\svchost.exe,

Protection, 26.08.2014 09:35:16, SYSTEM, X-PC, Protection, Refresh, Starting,

Protection, 26.08.2014 09:35:16, SYSTEM, X-PC, Protection, Malicious Website Protection, Stopping,

Protection, 26.08.2014 09:35:16, SYSTEM, X-PC, Protection, Malicious Website Protection, Stopped,

Protection, 26.08.2014 09:35:43, SYSTEM, X-PC, Protection, Refresh, Success,

Protection, 26.08.2014 09:35:43, SYSTEM, X-PC, Protection, Malicious Website Protection, Starting,

Protection, 26.08.2014 09:35:43, SYSTEM, X-PC, Protection, Malicious Website Protection, Started,

Detection, 26.08.2014 09:36:05, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 63266, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:36:05, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 63266, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:36:05, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 58124, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:36:06, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 63059, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:36:08, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 61622, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:36:22, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 49890, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:37:08, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 65158, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:37:09, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 56305, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:37:50, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 52680, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:37:51, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 50620, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:37:54, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 63030, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:37:54, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 57449, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:37:54, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 64486, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:37:55, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 59332, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:40:18, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 50973, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:41:01, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 63300, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:41:38, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 55209, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:41:57, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 63537, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:42:11, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 59828, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:42:14, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 63140, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:42:25, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 55006, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:42:47, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 54661, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:49:02, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 64663, Outbound, C:\Windows\System32\svchost.exe,

Detection, 26.08.2014 09:58:15, SYSTEM, X-PC, Protection, Malicious Website Protection, IP, 146.185.220.85, 53930, Outbound, C:\Windows\System32\svchost.exe,

(end)

RogueKiller V9.2.8.0 [Jul 11 2014] by Adlice Software

mail : http://forum.adlice.com

Website : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 32 bits version

Started in : Normal mode

User : x [Admin rights]

Mode : Scan -- Date : 08/26/2014 10:43:46

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 13 ¤¤¤

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 146.185.220.85 8.8.8.8 -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 146.185.220.85 8.8.8.8 -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 146.185.220.85 8.8.8.8 -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6599CB8C-914D-45D0-9A72-72253A0763FB} | DhcpNameServer : 146.185.220.85 8.8.8.8 -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C68BEB06-15DD-40C6-80AB-CA5B3C2A3E89} | DhcpNameServer : 95.77.94.88 78.96.7.88 -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6599CB8C-914D-45D0-9A72-72253A0763FB} | DhcpNameServer : 146.185.220.85 8.8.8.8 -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C68BEB06-15DD-40C6-80AB-CA5B3C2A3E89} | DhcpNameServer : 95.77.94.88 78.96.7.88 -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{6599CB8C-914D-45D0-9A72-72253A0763FB} | DhcpNameServer : 146.185.220.85 8.8.8.8 -> FOUND

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C68BEB06-15DD-40C6-80AB-CA5B3C2A3E89} | DhcpNameServer : 95.77.94.88 78.96.7.88 -> FOUND

[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND

[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND

[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤

[PUM.HomePage][FIREFX:Config] xfgu0rta.default : user_pref("browser.startup.homepage", "https://www.google.ro/?gws_rd=ssl"); -> FOUND

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: ST9160821AS ATA Device +++++

--- User ---

[MBR] be9ad601471cb2bfd537b3cc9ea44ec4

[bSP] 7bbe13a9254adb3703e35dbeac8323ea : Windows Vista/7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB

1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 74900 MB

2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 153602048 | Size: 77625 MB

User = LL1 ... OK

User = LL2 ... OK

Link to post
Share on other sites

very interesting, looking at the logs from rogue killer i saw that dhcp server with the same ip, and tried to look for it in the adapter tcp ip 

 

i have attached a file with it

 

connection is set to obtain automatically IP 

 

the laptop is of a cousin  ( i try to repair it over team viewer ) and at the moment i don't have access to her router to see if there is a setting there that is assigned automatically.

 

post-171952-0-69219400-1409042274_thumb.

Link to post
Share on other sites

more interesting stuff found. at this moment i am pretty positive the router was altered somehow but the person which made the initial configuration is not available yet, still waiting for that password to see the configuration 

 

few things saw:

- connecting to google default page > as i am from romania will redirect me to google.ro > works 

if i change the .ro to .com > it goes to SSL connection HTTPS > works

if i go to http://www.google.com >> i get the virus page ( attached in those 2 screenshots ) 

 

the source of the page i copied here:  ( tried to attached here, but it failed as a .txt file ) 

http://pastebin.com/pdFdQrN8 

 

at this moment i dont know any safe way to download that virus file to upload it to virustotal to get it scanned, and i think the first time that my cousin meet this virus was while trying to "update flash" on a boogy page like this and BitDefender said the file contains a virus which trigger the phone call to me :D 

 

 

 

post-171952-0-84878600-1409045625_thumb.

post-171952-0-91986000-1409045626_thumb.

Link to post
Share on other sites

https://www.virustotal.com/en/file/ffa1f4feab70b9222afdef4808908e3e303d0e0d9ca4021f76ad98854e268833/analysis/1409046434/

that text file ( source of the virus landing page ) uploaded to virustotal  ( very intrigued by the pastebin fast deletion which i never encountered so far ) 

 

Detection ratio:

1 / 55

ESET-NOD32 JS/TrojanDownloader.FakeAlert.NAK 20140826
Link to post
Share on other sites

Lets run some scans:

Make sure you have created a restore point and.....

bwebb7v.jpgDownload Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • [color-red]Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    ======================

    Make sure you have created that system restore point before you continue!

    Please read the directions carefully so you don't end up deleting something that is good!!

    If in doubt about an entry....please ask or choose Skip!!!!

    Don't Delete anything unless instructed to!

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

    Skip and click on Continue

    If a suspicious object is detected, the default action will be Skip, click on Continue

    Please note that TDSSKiller can be run in safe mode if needed.

    Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

    • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

      tds2.jpg

    • Put a checkmark beside loaded modules.

      13040712472913819.png

    • A reboot will be needed to apply the changes. Do it.
    • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
    • Then click on Change parameters in TDSSKiller.
    • Check all boxes then click OK.

      clip.jpg

    • Click the Start Scan button.

      tds2.jpg

    • The scan should take no longer than 2 minutes.
    • If a suspicious object is detected, the default action will be Skip, click on Continue.

      tdsskiller_guide_5.gif

      Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

      If in doubt about an entry....please ask or choose Skip

    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

      tdsskiller_guide_3.gif

      Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
    • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    Here's a summary of what to do if you would like to print it out:

    If in doubt about an entry....please ask or choose Skip

    Don't Delete anything unless instructed to!

    If a suspicious object is detected, the default action will be Skip, click on Continue

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

    Skip and click on Continue

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    ~~~~~~~~~~~~~~~~~~~~

    You can attach the logs if they're too long:

    Bottom right corner of this page.

    reply1.jpg

    New window that comes up.

    replyer1.jpg

    Then...........

    Please download and run ComboFix.

    The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

    Please visit this webpage for download links, and instructions for running ComboFix

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

    Please make sure you click download buttons that look similar to this, not "sponsored ad links":

    bleep-crop.jpg

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Information on disabling your malware programs can be found Here.

    Make sure you run ComboFix from your desktop.

    Give it at least 30-45 minutes to finish if needed.

    Please include the C:\ComboFix.txt in your next reply for further review.

    ---------->NOTE<----------

    If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

    MrC

Link to post
Share on other sites

just talked with a friend, i sent him there ( 500km from my home ), and did the router reset + reconfiguration 

 

all is working good now, tried with different addresses, MalwareBytes is not alerting me of any traffic at all 

 

Huawei EchoLife HG520s is the router, probably an exploit is available and the ISP that offered them as free equipment left the default password + remote management active :( 

 

thank you for your time MrCharlie

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.