
Hello.

Yesterday, I got infected with an IRCBot Backdoor. Malwarebytes detected it and quarantined it. To make sure, I made an account here for extra help. I downloaded RogueKiller and here's what I found.

 

RogueKiller V10.2.0.0 [Jan 19 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Richard [Administrator]
Mode : Scan -- Date : 01/19/2015  19:04:46
 
¤¤¤ Processes : 1 ¤¤¤
[suspicious.Path] sh_installer.exe(5688) -- C:\Users\Richard\AppData\Roaming\Enigma Software Group\sh_installer.exe[x] -> Killed [TermProc]
 
¤¤¤ Registry : 8 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: NVIDIA  JBOD     465.76G +++++
--- User ---
[MBR] bceca8cb81d6fc821cdea0a7a5f62c04
[bSP] 6b0c872cdc523322c3eb2d9ef0633fd2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
 
 
============================================
RKreport_SCN_01192015_185524.log
 
Please tell me if there is anything dangerous. Also, the Enigma Software is SpyHunter; I already uninstalled it.
 
What is really interesting is this...
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
 
There are IPs here.
The IP 75.153.176.1 got me a location of Quebec, Canada. I am unable to find the ones starting with 192.
Because of these hackers, I went through a painful day and lost $30.
Should I take revenge, or are these innocent people's IPs?
 
Also, should I delete these viruses?
 
Thank you for reading. I hope you can help me on this.
 

75.153.176.1 is a DNS Server on the Telus Network, Canada.

 

192.168.1.254 is the IP address of your router. The network 192.168.x.y is a Private IP Address range often found on the LAN side of a Router using Network Address Translation (NAT).

 

If you think you are infected, the ONLY sub-forum for Malware removal assistance is: Malware Removal Help

 

"Also, should I delete these viruses?"

 

You need to do your homework.  Unless the "IRCBot Backdoor" autonomously spreads, there are no viruses shown in the above.

 

"Because of these hackers..."
 
There is no proof or evidence of hacking.
 
"Should I take revenge, or are these innocent people's IP?"

 

NEVER take revenge, and yes, they are innocent IP addresses!

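An added example to go with the reply above (it is not part of any post in this thread): a small Python script that pulls the DhcpNameServer addresses out of RogueKiller PUM.Dns lines like the ones quoted earlier and sorts them into private (RFC 1918, the LAN side of a NAT router) versus public. That split is the first check to make before treating any IP in such a report as hostile. The sample lines are copied from the report posted above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: lines copied from the RogueKiller report posted
# in this thread (backslashes are literal, hence the raw string).
SAMPLE_LOG = r"""
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F19E28F5-00FD-42EC-BE4B-63F56AB56A3F} | DhcpNameServer : 192.168.1.254 75.153.176.1 [uNITED STATES (US)]  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The value field sits between "NameServer :" and the geolocation tag "[...]".
NS_VALUE_RE = re.compile(r"NameServer\s*:\s*([^\[]+)")


def extract_name_servers(log_text):
    """Return the distinct resolver IPs, in order of appearance, from PUM.Dns lines."""
    servers = []
    for line in log_text.splitlines():
        if not line.startswith("[PUM.Dns]"):
            continue  # only the DNS-setting lines carry resolver addresses
        match = NS_VALUE_RE.search(line)
        if match is None:
            continue
        for ip in IPV4_RE.findall(match.group(1)):
            if ip not in servers:
                servers.append(ip)
    return servers


def classify(ip_text):
    """Label an address the way a triager reads it: special, private (LAN side) or public."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "special-purpose"
    if ip.is_private:
        # RFC 1918 space (10/8, 172.16/12, 192.168/16): on a home network this
        # is almost always the router acting as DHCP server and DNS forwarder.
        return "private"
    return "public"


def triage(log_text):
    """Map every resolver IP found in the report to its classification."""
    return {ip: classify(ip) for ip in extract_name_servers(log_text)}


if __name__ == "__main__":
    for ip, label in triage(SAMPLE_LOG).items():
        print(f"{ip:<16} {label}")
```

The label only says where an address lives, not whether it is trustworthy: a private resolver is the router, and a public one is expected to be the ISP's (here, the Telus server the reply identifies) or a well-known DNS service. Only a public resolver that is none of those would merit a follow-up, and RogueKiller's PUM tag on these entries flags a setting, not an infection.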

You PRESUME you were hacked. Just like you presumed a Private IP Address such as 192.168.1.254 was bad.

 

So they know your IP address. Big deal!

 

Chances are the WAN address provided by your ISP is a Dynamic assignment and will change.

 

Who is your ISP?

What kind of Internet access are you provided?

What is the Make and Model(s) of your Router or Router+Modem, etc.?
