Xettu Posted January 20, 2015 ID:930993

Hello. Yesterday, I got infected with an IRCBot Backdoor. Malwarebytes detected it and quarantined it. To make sure, I made an account here for extra help. I downloaded RogueKiller and here's what I found.

RogueKiller V10.2.0.0 [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Richard [Administrator]
Mode : Scan -- Date : 01/19/2015 19:04:46

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] sh_installer.exe(5688) -- C:\Users\Richard\AppData\Roaming\Enigma Software Group\sh_installer.exe[x] -> Killed [TermProc]

¤¤¤ Registry : 8 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: NVIDIA JBOD 465.76G +++++
--- User ---
[MBR] bceca8cb81d6fc821cdea0a7a5f62c04
[BSP] 6b0c872cdc523322c3eb2d9ef0633fd2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

============================================
RKreport_SCN_01192015_185524.log

Please tell me if there is anything dangerous. Also, the Enigma Software is SpyHunter; I already uninstalled it.

What is really interesting is this...

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

There are IPs here. The IP 75.153.176.1 got me a location of Quebec, Canada. I am unable to find the ones starting with 192. Because of these hackers, I went through a painful day and lost $30. Should I take revenge, or are these innocent people's IPs? Also, should I delete these viruses? Thank you for reading. I hope you can help me on this.
David H. Lipman Posted January 20, 2015 ID:930994

75.153.176.1 is a DNS Server on the Telus Network, Canada.

192.168.1.254 is the IP address of your router. The network 192.168.x.y is a Private IP Address range often found on the LAN side of a Router using Network Address Translation (NAT).

If you think you are infected, the ONLY sub-forum for Malware removal assistance is: Malware Removal Help

"Also, should I delete these viruses?"
You need to do your homework. Unless the "IRCBot Backdoor" autonomously spreads, there are no viruses shown in the above.

"Because of these hackers..."
There is no proof or evidence of hacking.

"Should I take revenge, or are these innocent people's IP?"
NEVER take revenge and yes, they are innocent IP addresses!
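The point David makes above (192.168.x.y is a private range on the LAN side of a NAT router, while the other address is the ISP's resolver) is the kind of check you can do mechanically on a RogueKiller report before worrying about "hackers". The following is an added example, not part of the thread and not RogueKiller's or Malwarebytes' code: it parses [PUM.Dns] lines in the report format shown above, classifies each DhcpNameServer address with Python's standard ipaddress module, and flags only public resolvers that you have not yet confirmed belong to your ISP. The sample lines and the empty trusted_resolvers set are constructed for the example; the function names are my own.

```python
import ipaddress
import re

# Constructed sample lines in the "[PUM.Dns]" format RogueKiller prints
# (copied from the shape of the report in this thread, not a new scan).
SAMPLE_LINES = [
    r"[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"
    r" | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found",
    r"[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces"
    r"\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F}"
    r" | DhcpNameServer : 192.168.1.254 75.153.176.1 [UNITED STATES (US)] -> Found",
    # A non-DNS PUM line: the parser must skip it rather than misread it.
    r"[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
    r"\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found",
]

# key | value_name : server server ... [COUNTRY] -> Found
PUM_DNS_RE = re.compile(
    r"^\[PUM\.Dns\]\s+(?P<key>[^|]+?)\s*\|\s*(?P<value>\w+)\s*:\s*(?P<servers>.+?)\s*\["
)


def parse_pum_dns(line):
    """Return {key, value_name, servers} for a [PUM.Dns] line, or None for any other line."""
    m = PUM_DNS_RE.match(line)
    if m is None:
        return None
    return {
        "key": m.group("key"),
        "value_name": m.group("value"),
        "servers": m.group("servers").split(),
    }


def classify_ip(addr):
    """Classify an address the way the reply above does: LAN-side private vs. public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:          # RFC 1918 (10/8, 172.16/12, 192.168/16) and friends
        return "private"
    return "public"


def audit_dns_servers(lines, trusted_resolvers):
    """Walk a report, classify every DHCP-assigned nameserver, and mark which ones need review.

    A private address is normally the router handing out DHCP (as in this thread), so it is
    not flagged. A public address is flagged unless it is in trusted_resolvers, a set you fill
    in after confirming with your ISP which resolvers it hands out.
    """
    findings = []
    for line in lines:
        rec = parse_pum_dns(line)
        if rec is None:
            continue
        for server in rec["servers"]:
            kind = classify_ip(server)
            needs_review = kind == "public" and server not in trusted_resolvers
            findings.append(
                {"key": rec["key"], "server": server, "kind": kind, "review": needs_review}
            )
    return findings


if __name__ == "__main__":
    for f in audit_dns_servers(SAMPLE_LINES, trusted_resolvers=set()):
        flag = "REVIEW (confirm this is your ISP's resolver)" if f["review"] else "ok"
        print(f'{f["server"]:<16} {f["kind"]:<10} {flag}')
```

Running it with an empty trusted set lists 192.168.1.254 as private/ok and 75.153.176.1 as public/review; once you have confirmed with the ISP that the public resolver is theirs and added it to trusted_resolvers, nothing is flagged. A DHCP nameserver that is public, not your ISP's, and present on every interface is the pattern worth investigating; a private router address never is.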
Xettu Posted January 20, 2015 Author ID:930996

Hello Dave. Thank you for replying. I'm just really upset they hacked me. And yes, it did happen. I posted about it on a forum. Because people know my IP address now, should I delete this post immediately? I don't want people knowing my location.
David H. Lipman Posted January 20, 2015 ID:930998

You PRESUME you were hacked. Just like you presumed a Private IP Address such as 192.168.1.254 was bad.

So they know your IP address. Big deal! Chances are the WAN address provided by your ISP is a Dynamic assignment and will change.

Who is your ISP?
What kind of Internet access are you provided?
What is the Make and Model(s) of your Router or Router+Modem, etc?