Something is calling home


hape

When I do a Flash-Scan with MBAM something seems to get triggered. Shortly after, I get a message from MBAM that an IP gets blocked. An Antivir scan yesterday detected two suspicious files and quarantined them, but today the same thing has happened again. With Autoruns I could see a process named aujasnky.sys with the message that it can't find aujasnky.sys. I couldn't delete it, but it disappeared after a reboot. So here are my results, with my hope that you can help me:

07:40:20 hape MESSAGE Protection started successfully
07:40:25 hape MESSAGE IP Protection started successfully
14:20:01 hape MESSAGE Protection started successfully
14:20:06 hape MESSAGE IP Protection started successfully
19:05:27 hape MESSAGE Protection started successfully
19:05:32 hape MESSAGE IP Protection started successfully
20:21:23 hape MESSAGE IP Protection stopped
20:21:31 hape MESSAGE Database updated successfully
20:21:35 hape MESSAGE IP Protection started successfully
20:21:59 hape IP-BLOCK 221.192.199.46
20:22:14 hape IP-BLOCK 221.192.199.48
20:24:04 hape IP-BLOCK 89.28.118.111
20:26:14 hape IP-BLOCK 221.192.199.46
20:28:17 hape IP-BLOCK 222.76.218.84
20:28:18 hape IP-BLOCK 94.96.25.219
20:30:29 hape IP-BLOCK 221.192.199.46
20:30:40 hape IP-BLOCK 89.28.50.69
20:32:14 hape IP-BLOCK 61.164.108.130
20:56:44 hape MESSAGE Protection started successfully
20:56:48 hape MESSAGE IP Protection started successfully
21:47:16 (null) MESSAGE Protection started successfully
21:47:22 hape MESSAGE IP Protection started successfully
22:12:08 (null) MESSAGE Protection started successfully
22:12:14 hape MESSAGE IP Protection started successfully
22:29:19 hape MESSAGE Protection started successfully
22:29:24 hape MESSAGE IP Protection started successfully

DDS (Ver_10-03-17.01) - NTFSx86

Run by hape at 10:04:31,40 on 20.08.2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.2046.1533 [GMT 2:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

AV: Panda Cloud Antivirus *On-access scanning disabled* (Updated) {5AD27692-540A-464E-B625-78275FA38393}

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programme\Avira\AntiVir Desktop\sched.exe

C:\Programme\Avira\AntiVir Desktop\avguard.exe

C:\Programme\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Programme\Sandboxie\SbieSvc.exe

C:\Programme\IDT\6102008214149\STacSV.exe

C:\Programme\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Programme\IDT\WDM\sttray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Programme\Avira\AntiVir Desktop\avgnt.exe

C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programme\Sandboxie\SbieCtrl.exe

C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Programme\Autoruns\autoruns.exe

C:\Programme\Malwarebytes' Anti-Malware\mbam.exe

C:\Programme\Mozilla Firefox\firefox.exe

C:\Programme\Sandboxie\SandboxieRpcSs.exe

C:\Programme\Sandboxie\SandboxieDcomLaunch.exe

C:\Dokumente und Einstellungen\hape\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

BHO: AutorunsDisabled - No File

BHO: {02BAF305-241B-4901-9C77-6A4F0B4CFD93} - No File

BHO: {0AB41BA3-B4CE-43E8-99F0-22509E129B82} - No File

BHO: {42AD0538-54B4-487A-88DB-D62ECACEEFA4} - No File

BHO: {490BF944-292B-4129-A122-8A1C448C0F62} - No File

BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\programme\oxford\quickfind\plugins\IEHelp.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [sandboxieControl] "c:\programme\sandboxie\SbieCtrl.exe"

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [<NO NAME>]

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Malwarebytes' Anti-Malware] "c:\programme\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min

mRun: [Acrobat Assistant 8.0] "c:\programme\adobe\acrobat 8.0\acrobat\Acrotray.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\dokume~1\alluse~1.win\startm~1\progra~1\autost~1\adobeg~1.lnk - c:\programme\gemeinsame dateien\adobe\calibration\Adobe Gamma Loader.exe

IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe

Trusted Zone: gedichte-fuer-alle-faelle.de\www

TCP: {5B1E56BA-87ED-4E6A-A0AD-715C87FB4BA0} = 62.109.123.196 213.191.74.18

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\programme\qualcomm\eudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\hape\anwend~1\mozilla\firefox\profiles\vpr3iszs.default\

FF - plugin: c:\programme\vlc\videolan\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2010-8-19 11608]

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\avira\antivir desktop\sched.exe [2010-8-19 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2010-8-19 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-19 60936]

R2 MBAMService;MBAMService;c:\programme\malwarebytes' anti-malware\mbamservice.exe [2008-12-28 304464]

R3 AVMDSLPPPOE;AVM DSL PPPoE CAPI Treiber;c:\windows\system32\drivers\avmdsloe.sys [2005-6-3 45440]

R3 AVMNDSL;AVM DSL NDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmndsl.sys [2005-6-3 38992]

R3 FDLUBASE;AVM FRITZ!Card DSL SL USB (WinXP/2000);c:\windows\system32\drivers\fdlubase.sys [2005-6-3 704128]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-28 20952]

R3 SbieDrv;SbieDrv;c:\programme\sandboxie\SbieDrv.sys [2010-7-4 119016]

S4 NanoServiceMain;Panda Cloud Antivirus Service;c:\programme\panda security\panda cloud antivirus\PSANHost.exe [2010-4-30 136448]

S4 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]

S4 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-4-30 97032]

S4 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-5-4 129928]

S4 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111624]

S4 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-5-12 110920]

=============== Created Last 30 ================

2010-08-20 08:01:51 0 ----a-w- c:\dokumente und einstellungen\hape\defogger_reenable

2010-08-19 20:25:50 55611552 ----a-w- c:\windows\backup08.reg

2010-08-19 19:04:53 0 d-----w- c:\windows\system32\NtmsData

2010-08-19 19:02:43 0 d-----w- c:\dokume~1\hape\anwend~1\Avira

2010-08-19 18:59:22 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-08-19 18:59:21 0 d-----w- c:\programme\Avira

2010-08-02 06:48:17 0 d-----w- c:\windows\system32\GroupPolicy

2010-07-23 08:08:28 34 ----a-w- c:\windows\cdplayer.ini

2010-07-23 08:05:32 0 d-----w- c:\programme\Audiograbber

==================== Find3M ====================

2009-10-31 17:43:57 240640 ----a-w- c:\programme\verkleinerer17.exe

============= FINISH: 10:04:51,26 ===============

Last remark: I can't be sure that the gmer-log is complete. I can't save the file after a complete scan, but it seemed to me that the first entries which I sent are also the last. The list doesn't get any longer during the full scan.

Attach.zip

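The protection log above is the kind of thing a helper reads by eye, but the same triage can be scripted. The following is an added example (not code from the thread or from Malwarebytes): it parses the quoted `IP-BLOCK` / `MESSAGE` lines, groups blocks per address and computes the gap between repeated hits from the same address, so that an address that keeps coming back on a fixed cadence stands out from one-off noise. The sample input is a copy of a slice of the log posted above; the line format, the `min_hits` and `jitter_s` thresholds and the function names are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed copy of part of the MBAM protection log quoted in the first post.
SAMPLE_LOG = """\
20:21:35 hape MESSAGE IP Protection started successfully
20:21:59 hape IP-BLOCK 221.192.199.46
20:22:14 hape IP-BLOCK 221.192.199.48
20:24:04 hape IP-BLOCK 89.28.118.111
20:26:14 hape IP-BLOCK 221.192.199.46
20:28:17 hape IP-BLOCK 222.76.218.84
20:28:18 hape IP-BLOCK 94.96.25.219
20:30:29 hape IP-BLOCK 221.192.199.46
20:30:40 hape IP-BLOCK 89.28.50.69
20:32:14 hape IP-BLOCK 61.164.108.130
20:56:44 hape MESSAGE Protection started successfully
"""

# "HH:MM:SS <user> <MESSAGE|IP-BLOCK> <rest>"; the user field may also be "(null)".
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+"
    r"(?P<kind>MESSAGE|IP-BLOCK)\s+(?P<rest>.+)$"
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Only a time of day is logged; this is fine for gaps within one day.
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
    return rec


def summarize_blocks(text):
    """Group IP-BLOCK events by address: hit count, first/last time, gaps in seconds."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "IP-BLOCK":
            hits[rec["rest"].strip()].append(rec["time"])
    summary = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        summary[ip] = {
            "count": len(times),
            "first": times[0].strftime("%H:%M:%S"),
            "last": times[-1].strftime("%H:%M:%S"),
            "gaps_s": gaps,
        }
    return summary


def repeat_offenders(summary, min_hits=3, jitter_s=30):
    """Addresses blocked at least min_hits times, with a flag for a regular cadence.

    'regular' is True when every gap lies within jitter_s of the first gap, which
    is what an automated retry (scanner or beacon) tends to look like.
    """
    out = []
    for ip, s in summary.items():
        if s["count"] < min_hits:
            continue
        gaps = s["gaps_s"]
        regular = all(abs(g - gaps[0]) <= jitter_s for g in gaps)
        out.append((ip, s["count"], regular))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    summary = summarize_blocks(SAMPLE_LOG)
    for ip, s in summary.items():
        print(f"{ip:16} hits={s['count']} first={s['first']} last={s['last']} gaps={s['gaps_s']}")
    print("repeat offenders:", repeat_offenders(summary))
```

On the slice above, 221.192.199.46 is the only address blocked three times, and the two gaps between its hits are both 255 seconds, so it is reported with a regular cadence. Whether that cadence comes from an outside scanner retrying or from something local reaching out cannot be read from this log alone, because MBAM records the blocked address but not the direction; that is what the later firewall discussion in this thread settles.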

Hello ,

And ^_^ My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Do you still get the IP blocks now?

At the moment I do not get IP-Blocks, but I've just found 2 services via autoruns with no trustworthy names. I killed them and after a reboot everything was fine. I could do another Flash-Scan with MBAM to see what happens.


I'm sorry, MBAM didn't find anything, so there isn't any log to show. But no suspicious processes were started either, and I haven't got any new IP-Blocks. At the moment it's all quiet on the western front. So I guess there's nothing we can do till something happens again.

I've looked for some process watchers which give more information about running processes. So I'll download Process Monitor from Sysinternals. Perhaps it can show who starts those suspicious processes if that happens again. Thank you so far.


Hi, it looked like you had a hijacked BITS service (which is what Microsoft Update uses to download updates).

This may have caused the IP blocks. Please give it some time to see if they come back, and in the meantime run a full scan with MBAM to check for leftovers. Please post me the resulting log.


Ok, I did it again and here are the results. Sorry, it's in German, but I guess there are no difficulties in understanding the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4452

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

20.08.2010 18:31:27
mbam-log-2010-08-20 (18-31-27).txt

Art des Suchlaufs: Vollst


Hi, that looks good. ;) Any problems left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


Hello again,

no problems and I tried ESET. It found something and killed the files:

C:\Dokumente und Einstellungen\hape\Anwendungsdaten\Qualcomm\Eudora\dreigutelinks.fol\linkvorschlag.mbx JS/IEStart.G trojan contained infected files

E:\alter pc\C\Eudora\dreigutelinks.fol\linkvorschlag.mbx JS/IEStart.G trojan contained infected files

But I don't know. These were storages of e-mails without attachments. I'm happy that something was found, but I'm sceptical. We'll see what the next days will bring. Again a big thank you so far.


Okay, please give it a bit of time and let me know how things are.

According to ESET your Eudora linkvorschlag folder contains infected mails. I strongly recommend deleting any mail from an unknown sender / with unknown attachments / HTML content.


Good morning Elise,

my ghost is here again:

09:47:23 hape IP-BLOCK 221.192.199.46
10:04:01 hape IP-BLOCK 221.192.199.46
10:08:10 hape IP-BLOCK 221.192.199.46
10:12:17 hape IP-BLOCK 221.192.199.46

After closing the connection and reopening it nothing has happened anymore. A full scan of C: brought no results. I had no luck with the Process Monitor. At first it wasn't started, then I filtered too much to get useful information. I need to practice with the software. So I'll watch carefully. Any ideas besides that?


I don't think you will find anything with any scan or process monitor.

Those IPs attempt to connect to your computer and MBAM picks them up because you are missing a router/third party firewall. Windows XP's built-in firewall is not adequate.

INSTALL FIREWALL

--------------------------

Install and use a firewall with outbound protection

While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.

I therefore strongly recommend that you install one of the following free firewalls: Outpost Firewall Free, Sygate Personal Firewall Free or ZoneAlarm.

See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here

Note - If you connect to the internet using a router, you are already behind a hardware firewall.

Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

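The distinction the reply above draws is the whole diagnosis: an inbound attempt that a firewall drops is background noise, whereas an outbound connection from a local program to one of the blocked addresses is what "calling home" would actually look like. The following added example (my own code, not from the thread or any firewall vendor) makes that check mechanical. It reads firewall entries that carry a direction and, for outbound entries, a process name, counts dropped inbound attempts per remote address, and reports any outbound connection to an address MBAM had blocked. The log layout (`ACTION DIR PROTO src -> dst [process]`), the local address 192.168.0.5, the process names and all the entries are constructed for the demonstration and are not any product's real format; the blocked addresses are those quoted earlier in the thread.

```python
import re
from collections import defaultdict

# Addresses reported as IP-BLOCK in the MBAM protection logs quoted in this thread.
MBAM_BLOCKED = {"221.192.199.46", "221.192.199.48", "89.28.118.111"}

# Constructed firewall log in a generic layout (not any particular product's format).
# The local machine is assumed to be 192.168.0.5; the last entry is a made-up
# outbound connection included only to show what a genuine "call home" would look like.
SAMPLE_FW_LOG = """\
2010-08-23 09:47:23 BLOCK IN  TCP 221.192.199.46:3421 -> 192.168.0.5:8085
2010-08-23 09:47:24 BLOCK IN  TCP 221.192.199.46:3422 -> 192.168.0.5:8085
2010-08-23 09:48:02 ALLOW OUT TCP 192.168.0.5:1054 -> 62.109.123.196:53 svchost.exe
2010-08-23 09:51:40 BLOCK IN  TCP 89.28.118.111:50234 -> 192.168.0.5:445
2010-08-23 09:50:11 ALLOW OUT TCP 192.168.0.5:1060 -> 221.192.199.46:80 unknown.exe
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|BLOCK)\s+(?P<dir>IN|OUT)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+(?P<proc>\S+))?$"
)


def parse_fw_line(line):
    """Return the fields of one firewall entry, or None if the line is not one."""
    m = FW_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(fw_text, blocked_ips):
    """Separate dropped inbound attempts (noise) from outbound traffic to blocked IPs."""
    inbound_blocked = defaultdict(int)   # remote address -> dropped inbound attempts
    outbound_to_blocked = []             # (process, remote address, remote port)
    for line in fw_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None:
            continue
        if rec["dir"] == "IN" and rec["action"] == "BLOCK":
            # Something outside knocked and the firewall answered: expected on any
            # internet-facing host, regardless of whether the address is "known bad".
            inbound_blocked[rec["src"]] += 1
        elif rec["dir"] == "OUT" and rec["dst"] in blocked_ips:
            # A local process initiated contact with a blocked address: this is the
            # case that deserves investigation of that process.
            outbound_to_blocked.append((rec["proc"] or "?", rec["dst"], int(rec["dport"])))
    return {
        "inbound_blocked": dict(inbound_blocked),
        "outbound_to_blocked": outbound_to_blocked,
    }


def verdict(result):
    """One-word conclusion from a triage() result."""
    if result["outbound_to_blocked"]:
        return "calling-home"
    if result["inbound_blocked"]:
        return "inbound-noise"
    return "nothing"


if __name__ == "__main__":
    res = triage(SAMPLE_FW_LOG, MBAM_BLOCKED)
    print("dropped inbound per remote:", res["inbound_blocked"])
    print("outbound to blocked:", res["outbound_to_blocked"])
    print("verdict:", verdict(res))
```

Run against the entries without the constructed `unknown.exe` line, the verdict is `inbound-noise`, which matches what the original poster later reports from their own firewall log (inbound hits on port 8085, nothing outbound). With that line present, the verdict flips to `calling-home` and names the process, which is the point at which tools like Process Monitor become worth the effort.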

Hello Elise,

I don't get any alarms anymore, but the log of the firewall shows something. It blocked incoming calls from one of the suspicious IPs like 221.192.199.46, which try to intrude through port 8085, but there are no outgoing actions to these Chinese IPs. What do you think about this?


This is normal and exactly the reason why you need a firewall. Things like port scanning attacks and so on are normal. A firewall filters these things out so they cannot "reach" your computer.

It depends a bit on your location/ISP, but it's unfortunately normal that unprotected computers will encounter regular attempts to intrude.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean ;)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS and GMER (this is a random named file).

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


So all this was about port scanning which apparently came through the Windows firewall? I would like to throw a fireball at Microsoft ;)

I've read your instructions and thank you again for your help to put me on the safe way again. The internet is a strange place where strangers try to destroy and others try to help. The last I like better ;)

All the best,

Best wishes,

hape


Glad we could help. :P

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
