

Mcafee reported Fakealert-cm


  • This topic is locked
22 replies to this topic

#1 Larbin

Larbin

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 30 June 2009 - 12:36 PM

Mcafee reported Fakealert-cm and that it was removed.
But it I had to manually remove references to msivx and manually deal with dns-changer.
System is still acting aberrant.
And other systems on the same home network are reporting in their 'Mcafee Inbound Events Log' the following six events from this pc every 20 minutes (this may not even be related to the above, but we did notice it at the same time):
TCP port 2191
TCP port 9100
spooler
HOSTS2 Name Server
HTTP protocol over TLS/SSL
World Wide Web HTTP

Hijackthis.log is attached.

Any help and guidance would be greatly appreciated.

Attached Files




#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:01:11 PM

Posted 04 July 2009 - 01:20 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:11 AM

Posted 13 July 2009 - 11:54 AM

Topic reopened at member's request.

@ Larbin,

Please post the current DDS logs and an updated description of your computer issues.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Larbin

Larbin
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 15 July 2009 - 09:22 AM

After occurrence, had to run Smitfraudfix
detected dns changer
ran ATF-cleaner
ran mbam but had to rename first
ran mcafeerootkitdetective
disabled registry msvix
manually deleted files on c drive of msvix
ran stinger1001546
ran spybot
ran superantispyware
mcafee was able to update and run

Attached are files as a result of dds.
In my first post explaining what's still occurring, I also posted HijackThis results.

thanks again for all your help,
larbin

Attached Files



#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:11 AM

Posted 16 July 2009 - 07:02 PM

Hello.

Could I see the previous Malwarebytes run? Then if you can, please update Malwarebytes again and do a quick-scan for me and post back with the log.

After that, please run GMER for me.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO..
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 Larbin

Larbin
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 17 July 2009 - 10:42 AM

Thanks!

Attached are the three log files you requested.

Regards,
larbin

Attached Files



#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:11 AM

Posted 17 July 2009 - 11:04 AM

Hello.

Could you describe to me the current problem and symptoms you still have? Things must have changed since you ran those tools you mentioned in the previous post?

Thanks.

The mbam and gmer logs look fine.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 Larbin

Larbin
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 17 July 2009 - 11:36 AM

Thanks for your swift review and analysis here!

I noticed that other systems on the same home network are reporting in their 'Mcafee Inbound Events Log' the following six events from this pc every 20 minutes:
TCP port 2191
TCP port 9100
spooler
HOSTS2 Name Server
HTTP protocol over TLS/SSL
World Wide Web HTTP

Also, prior to running all the tools, I did notice in the 'active sessions' log of my router ... that strange intl IPs had open and connected sessions through various ports on the pc at issue. I don't see that anymore. My guess is we eradicated whatever it was on my pc that was allowing access in on those ports?

Thanks again,
larbin

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:11 AM

Posted 17 July 2009 - 04:40 PM

Hello.

I'm not sure how McAfee exactly works but those ports/inbounds of "traffic" reported by McAfee are legitimate.

Please run an online scan for me.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterwards as well and post back with both of those logs.

Thanks. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:11 AM

Posted 20 July 2009 - 10:42 AM

How's everything coming along?
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 Larbin

Larbin
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 21 July 2009 - 10:57 PM

Thanks for the follow-up. Sorry for the delay.
Ran ATF-CLeanup. 160mb was freed.
Kaspersky online scan reports: "No malware has been detected. The scan area is clean. The selected area was scanned." Scan area 'My Computer' 'C:\'
DDS logs attached.


The thing about Mcafee is it's reporting attempted intrusions. And they all appear from the offending machine and no other machine. As follows:
"A computer at xxxx has attempted an unsolicited connection to TCP port 443 on your computer. The source IP is a 'non-routable' IP"
"A computer at xxxx has attempted an unsolicited connection to TCP port 81 on your computer. The source IP is a 'non-routable' IP"
"A computer at xxxx has attempted an unsolicited connection to TCP port 515 on your computer. The source IP is a 'non-routable' IP"
"A computer at xxxx has attempted an unsolicited connection to TCP port 9100 on your computer. The source IP is a 'non-routable' IP"
"A computer at xxxx has attempted an unsolicited connection to TCP port 2191 on your computer. The source IP is a 'non-routable' IP"
"A computer at xxxx has attempted an unsolicited connection to TCP port 80 on your computer. The source IP is a 'non-routable' IP"

It seems weird to me, since it's just this machine xxxx that is prodding the other machines.

Thanks again,
Larbin

Attached Files



#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:11 AM

Posted 22 July 2009 - 10:19 AM

Hello.

Please uninstall these older versions of java via add/remove.

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1


Do not uninstall Java™ 6 update 14 as that is the latest version.

--

The thing about Mcafee is it's reporting attempted intrusions. And they all appear from the offending machine and no other machine. As follows:

I'm not exactly sure what they are but do these messages appear randomly even when you are not doing anything?

Basically a computer or some sort of connection is trying to access one of your ports that your firewall is probably protecting. The IP address is non-routable.

Some more information on IP address: http://support.easystreet.com/easydsl/gene...iptutorial.html

I'm not too sure but you might want to start a topic in the Firewall forum: http://www.bleepingcomputer.com/forums/f/25/antivirus-firewall-and-privacy-products-and-protection-methods/

The logs look fine.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
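The inbound events quoted earlier in this thread (TCP ports 80, 81, 443, 515, 2191 and 9100, always from the same non-routable address, on a 20-minute cycle) are easier to reason about once they are parsed rather than read line by line. The script below is an added example for readers of this thread; it is not code from the thread, from McAfee or from any tool named here. It parses constructed log lines in the shape McAfee showed, checks the source against the RFC 1918 and link-local ranges (what "non-routable" means here), labels the ports with the names the thread itself gives, and measures how regular the bursts are. The timestamp prefix, the 192.168.1.23 source address (standing in for the thread's masked "xxxx") and the documentation-range 203.0.113.9 contrast entry are all constructed assumptions.

```python
"""Triage helper for McAfee 'Inbound Events' lines of the shape quoted in this thread.

Added example, not code from the thread, from McAfee or from any tool named here.
Assumptions: the timestamp prefix, the 192.168.1.23 source and the 203.0.113.9
(documentation-range) contrast entry are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# 80/81/443/515 carry the names McAfee showed in the thread; 9100 is the
# conventional raw-print (JetDirect) port; 2191 is named nowhere, so it stays bare.
PORT_LABELS = {
    80: "World Wide Web HTTP",
    81: "HOSTS2 Name Server",
    443: "HTTP protocol over TLS/SSL",
    515: "spooler (LPD)",
    9100: "raw printing (JetDirect)",
}

# "Non-routable" in McAfee's sense: RFC 1918 private space plus link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) A computer at (?P<ip>\S+) "
    r"has attempted an unsolicited connection to TCP port (?P<port>\d+) on your computer"
)


def constructed_sample():
    """Sample lines in the thread's message shape: three 20-minute bursts (constructed)."""
    lines = []
    for stamp in ("2009-07-21 22:00:01", "2009-07-21 22:20:02", "2009-07-21 22:40:01"):
        for port in (443, 81, 515, 9100, 2191, 80):
            lines.append(f"{stamp} A computer at 192.168.1.23 has attempted an unsolicited "
                         f"connection to TCP port {port} on your computer. "
                         f"The source IP is a 'non-routable' IP")
    # One contrast line from a documentation-range (not private) address.
    lines.append("2009-07-21 22:41:15 A computer at 203.0.113.9 has attempted an "
                 "unsolicited connection to TCP port 22 on your computer.")
    return "\n".join(lines)


def is_non_routable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)


def parse_events(text):
    """Turn each matching line into a dict; lines in another shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port = int(m["port"])
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "port": port,
            "label": PORT_LABELS.get(port, f"TCP port {port}"),
            "non_routable": is_non_routable(m["ip"]),
        })
    return events


def summarize(events):
    """Per source: ports touched, number of bursts, and the typical gap between bursts."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["ip"]].append(e)
    summary = {}
    for ip, evs in by_src.items():
        stamps = sorted({e["ts"] for e in evs})
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[ip] = {
            "non_routable": evs[0]["non_routable"],
            "ports": sorted({e["port"] for e in evs}),
            "bursts": len(stamps),
            "period_minutes": round(median(gaps) / 60, 1) if gaps else None,
        }
    return summary


def verdict(entry):
    """Plain-language reading of one summary entry."""
    if entry["non_routable"] and entry["bursts"] >= 3 and entry["period_minutes"]:
        return ("internal host probing the same ports on a fixed schedule: consistent with a "
                "scheduled service on that host rather than an outside intrusion; identify "
                "the process on the source host that opens these connections")
    if entry["non_routable"]:
        return "internal host, irregular: check what on that host is making the connections"
    return "source is outside the private ranges: treat as untrusted and confirm the firewall blocked it"


if __name__ == "__main__":
    for ip, entry in summarize(parse_events(constructed_sample())).items():
        print(ip, entry, "->", verdict(entry))
```

Run as-is it prints one summary line per source address; on a real export, replace `constructed_sample()` with the file contents (the timestamp prefix is an assumption and may need adjusting to the export's format). The RFC 1918 check is done explicitly rather than through `ipaddress`'s `is_private`, because that property also covers documentation and other reserved ranges, which would blur the private-versus-outside distinction the thread is about.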

#13 Larbin

Larbin
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 23 July 2009 - 07:16 PM

Thanks again for your help.

Yes. They appear every 20 minutes on the dot. All of them. Every time.
Weird. But it's like there's something automated there making these calls hoping to get through.

Any ideas?

Thanks,
Larbin

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:11 AM

Posted 24 July 2009 - 09:09 AM

Hello.

There was a rootkit-related infection on your machine, but it seems you have removed it already, judging from the scans we did. Here's some information regarding rootkits.

Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.
---

Let's run another rootkit scan tool to be sure.

Download and run RootRepeal CR

Please download RootRepeal to your desktop
Alternative Download Link 2
Alternative Download Link 3
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Unzip it to its own folder
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now click the Scan button in the Report Tab. Posted Image
  • A box will pop up, check the boxes beside ALL SIX
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button. Posted Image
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the log here in your reply.
With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 Larbin

Larbin
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:11 AM

Posted 24 July 2009 - 03:51 PM

Thanks for the update.

How did you come to the determination that I might need to format and start over?
(In that event, how do I salvage all my data files?)

Attached is the rootrepeal scan report.

Thanks again for your ongoing help.
Larbin

Attached Files





