dos attacks on router


21 replies to this topic

#1 needsalittlehelp

needsalittlehelp

  • Members
  • 64 posts

Posted 29 November 2009 - 11:11 PM

I am using a belkin router. In my firewall log report I keep getting the following listings:

Firewall log:
Sun Nov 29 20:04:19 2009 1 Blocked by DoS protection 98.226.54.49
Sun Nov 29 20:04:22 2009 1 Blocked by DoS protection 62.80.229.26
Sun Nov 29 20:04:22 2009 1 Blocked by DoS protection 41.130.177.163
Sun Nov 29 20:04:25 2009 1 Blocked by DoS protection 83.251.242.106
Sun Nov 29 20:04:25 2009 1 Blocked by DoS protection 41.130.177.163
Sun Nov 29 20:04:27 2009 1 Blocked by DoS protection 78.105.248.103
Sun Nov 29 20:04:28 2009 1 Blocked by DoS protection 62.80.229.26
Sun Nov 29 20:04:28 2009 1 Blocked by DoS protection 205.217.238.235
Sun Nov 29 20:04:31 2009 1 Blocked by DoS protection 205.217.238.235
Sun Nov 29 20:04:31 2009 1 Blocked by DoS protection 41.130.177.163
Sun Nov 29 20:04:32 2009 1 Blocked by DoS protection 99.232.57.144
Sun Nov 29 20:04:32 2009 1 Blocked by DoS protection 189.122.162.7
Sun Nov 29 20:04:32 2009 1 Blocked by DoS protection 66.17.155.17
Sun Nov 29 20:04:32 2009 1 Blocked by DoS protection 173.16.83.61
Sun Nov 29 20:04:35 2009 1 Blocked by DoS protection 99.232.57.144
Sun Nov 29 20:04:36 2009 1 Blocked by DoS protection 87.156.240.6
Sun Nov 29 20:04:37 2009 1 Blocked by DoS protection 205.217.238.235

As you can see all these happened in less than 30 seconds.

My questions are:

Why am I getting them--

How much do they affect my network bandwidth--

How do I stop them from happening

I've already restarted the router and power cycled the router.


EDIT: Moved to a more appropriate forum.

Edited by garmanma, 01 December 2009 - 01:03 PM.
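The firewall log above is the data a defender would triage before deciding anything: how many blocks per source, how fast they arrive, and whether a source address is a remote host at all. The script below is an added example written for this thread; it is not code from the thread, from BleepingComputer or from Belkin. It parses lines in the router's "Blocked by DoS protection" format together with Windows tracert output (the sample lines are constructed from the addresses and timings posted in this thread, including the 10.4.88.1 entries and the traceroute from a later post), counts blocked events per source inside a sliding window, and labels each source as public, RFC 1918 private, or an upstream hop that the traceroute shows to be the next router after the user's own. The window length, the label names and the function names are this example's own choices.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the Belkin "Firewall log" format seen in this thread.
# The addresses and timestamps are copied from the thread's own two logs.
SAMPLE_FIREWALL_LOG = """\
Firewall log:
Sun Nov 29 20:04:19 2009 1 Blocked by DoS protection 98.226.54.49
Sun Nov 29 20:04:22 2009 1 Blocked by DoS protection 62.80.229.26
Sun Nov 29 20:04:22 2009 1 Blocked by DoS protection 41.130.177.163
Sun Nov 29 20:04:25 2009 1 Blocked by DoS protection 41.130.177.163
Sun Nov 29 20:04:31 2009 1 Blocked by DoS protection 41.130.177.163
Sun Jan 3 07:56:02 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:05 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:06 2010 1 Blocked by DoS protection 10.4.88.1
"""

# Constructed sample of the Windows tracert output posted later in the thread (first three hops).
SAMPLE_TRACERT = """\
Tracing route to google.com [66.102.7.103]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.2.1
2 26 ms 14 ms 7 ms 10.4.88.1
3 15 ms 9 ms 7 ms ip98-190-162-118.ri.ri.cox.net [98.190.162.118]
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+\d+\s+"
    r"Blocked by DoS protection\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_firewall_log(text):
    """Return [(datetime, source_ip)] for every 'Blocked by DoS protection' line.

    Header lines ('Firewall log:') and blanks do not match and are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("ip")))
    return events


def parse_tracert(text):
    """Map each hop's IPv4 address to its hop number from Windows tracert output."""
    hops = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # 'Tracing route ...', 'over a maximum ...', blank lines
        addrs = IPV4.findall(line)
        if addrs:
            hops[addrs[-1]] = int(parts[0])  # the last address on a hop line is the hop itself
    return hops


def max_burst(events, window_seconds=30):
    """Largest number of blocked events that fall inside any window of window_seconds."""
    stamps = sorted(ts for ts, _ in events)
    best = start = 0
    for end, ts in enumerate(stamps):
        while (ts - stamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(events, hops):
    """Per-source summary: how many blocks, over what span, and where the source sits."""
    by_ip = {}
    for ts, ip in events:
        by_ip.setdefault(ip, []).append(ts)
    report = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        hop = hops.get(ip)
        if hop is not None:
            origin = "upstream-hop"  # on this network's own path out (e.g. hop 2 = ISP gateway)
        elif ipaddress.ip_address(ip).is_private:
            origin = "private"       # RFC 1918 address that the public Internet cannot route to
        else:
            origin = "public"
        report[ip] = {
            "count": len(stamps),
            "span_seconds": (stamps[-1] - stamps[0]).total_seconds(),
            "origin": origin,
            "hop": hop,
        }
    return report


if __name__ == "__main__":
    ev = parse_firewall_log(SAMPLE_FIREWALL_LOG)
    hops = parse_tracert(SAMPLE_TRACERT)
    print("max blocked events in any 30 s window:", max_burst(ev))
    for ip, info in sorted(summarize(ev, hops).items(), key=lambda kv: -kv[1]["count"]):
        extra = f" (hop {info['hop']})" if info["hop"] else ""
        print(f"{ip:16} {info['count']:3} blocks over {info['span_seconds']:4.0f}s  {info['origin']}{extra}")
```

Run against the thread's two logs, the first log produces many distinct public sources in under 30 seconds, while the second collapses to a single source that the traceroute identifies as hop 2, i.e. the first router on the ISP side; separating those two cases is the point of the `origin` label, since a private address that is also an upstream hop cannot be a remote attacker and should be investigated with the ISP or the router's DoS-protection settings rather than as an external source.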



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 December 2009 - 02:56 PM

Hello. First I will move this to the Am I Infected forum. We need to be sure it's not malware and reset the router.
Is this an old router? And are you fully updated, e.g. Vista SP2?

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe. Now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear...
Become a BleepingComputer fan: Facebook

#3 Eric ~ Computer Guy

Eric ~ Computer Guy

  • Members
  • 125 posts
  • Gender:Male
  • Location:Dallas, TX

Posted 01 December 2009 - 06:43 PM

You are experiencing a barrage of DoS (Denial of Service) attacks. You probably have a virus on your system that is currently trying to call in other variants or exploit weaknesses, and these are coming from a plethora of different IP addresses. The good news: your router is blocking them, for now. The bad news: the fault is more than likely not with your router, and if you don't clean the infection and stop the attacks, your router could actually fail to stop them, and possibly fail altogether...hence the name Denial of Service.

The only reason someone would be so aggressively trying to attack your network (assuming you aren't infected) would be because you either host a website or a corporate network, and are probably holding important information (credit card numbers, SSNs, or other sensitive data) behind your router.

If the above isn't true, then it is probably a local infection on one or more of the computers on your network, so if you have more than one, they will all need to be thoroughly cleaned. As you are cleaning your PCs, you need to pull the others off of the network while you isolate and clean one. Then you need to take the one you have cleaned back off, and put the next PC in line back on. Repeat this process until all PCs are cleaned, and do not put any 2 of them back on the network together until you are sure they are all cleaned; otherwise, the virus could replicate across the network and reinfect a PC you just finished cleaning.

Edited by Eric ~ Computer Guy, 01 December 2009 - 06:56 PM.


#4 needsalittlehelp

needsalittlehelp
  • Topic Starter

  • Members
  • 64 posts

Posted 03 January 2010 - 11:24 AM

Hello, here is a recent report from my router's security log.
Firewall log:
Sun Jan 3 07:56:02 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:05 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:06 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:14 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:21 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:30 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:31 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:31 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:36 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:36 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:39 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:45 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:45 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:50 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:50 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:56:58 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:02 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:16 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:18 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:40 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:42 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:42 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:42 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:58 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:58 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:58 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:57:59 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:58:06 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:58:07 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:58:17 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:58:18 2010 1 Blocked by DoS protection 10.4.88.1
Sun Jan 3 07:58:22 2010 1 Blocked by DoS protection 10.4.88.1

Since this is an unroutable address, I tried figuring out why I was getting a ping from this address.

I then did a couple of tracerts, and the second hop is always 10.4.88.1 (the first is my router). Here is an example:


Tracing route to google.com [66.102.7.103]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.2.1
2 26 ms 14 ms 7 ms 10.4.88.1
3 15 ms 9 ms 7 ms ip98-190-162-118.ri.ri.cox.net [98.190.162.118]

4 11 ms 13 ms 10 ms ip68-9-7-237.ri.ri.cox.net [68.9.7.237]
5 10 ms 11 ms 15 ms provdsrj02-ge600.0.rd.ri.cox.net [68.9.14.109]
6 16 ms 19 ms 15 ms nyrkbbrj02-ae0.0.r2.ny.cox.net [68.1.0.253]
7 17 ms 17 ms 17 ms 209.85.255.68
8 43 ms 73 ms 48 ms 209.85.251.9
9 87 ms 98 ms 89 ms 216.239.43.124
10 88 ms 87 ms 88 ms 72.14.239.246
11 93 ms 92 ms 93 ms lax04s01-in-f103.1e100.net [66.102.7.103]

Trace complete.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 January 2010 - 01:43 PM

The MBAM and Smit logs would be handy also.

#6 needsalittlehelp

needsalittlehelp
  • Topic Starter

  • Members
  • 64 posts

Posted 04 January 2010 - 11:04 PM

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.43
Database version: 3495
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/4/2010 11:03:00 PM
mbam-log-2010-01-04 (23-03-00).txt

Scan type: Quick Scan
Objects scanned: 128882
Time elapsed: 11 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\W32xgl2 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\W32xgl2 (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I am working on the other one now.

#7 needsalittlehelp

needsalittlehelp
  • Topic Starter

  • Members
  • 64 posts

Posted 04 January 2010 - 11:10 PM

Here is the Smit log:

SmitFraudFix v2.424

Scan done at 23:07:03.78, Mon 01/04/2010
Run from C:\Documents and Settings\KEN\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\KEN\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\KEN


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KEN\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\KEN\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KEN\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Rhine II Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B9CEFD90-6102-4F3A-9E04-9A8FDB685D56}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B9CEFD90-6102-4F3A-9E04-9A8FDB685D56}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B9CEFD90-6102-4F3A-9E04-9A8FDB685D56}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Thanks,
Ken

Edited by needsalittlehelp, 04 January 2010 - 11:11 PM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 January 2010 - 12:05 AM

Hello, you had a couple of backdoor bots.
Rootkits, backdoor Trojans, botnets, and IRC bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide not to follow that advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, you will need to create and post a DDS/HijackThis log for further investigation. Let me know how you wish to proceed.

#9 needsalittlehelp

needsalittlehelp
  • Topic Starter

  • Members
  • 64 posts

Posted 05 January 2010 - 03:39 PM

I understand both options. In the near future I will reformat and reload the os but until then I would like to try to clean it. There is a lot of info /pics /songs/ videos that need to be backed up. I will probably have to invest in an external drive and move all of it to that.

So for now I would like to clean the computer.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 January 2010 - 04:17 PM

Ok, we get to it. These two scans will be long and are run in Safe mode preferably. If you cannot access Safe Mode run in normal but let me know.

First run this to set up tool.

RKill....

Please download Rkill by Grinler and save it to your desktop.
Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.


Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Now Drweb-cureit
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Please ask any needed questions, post logs and let us know how the PC is running now.

#11 needsalittlehelp

needsalittlehelp
  • Topic Starter

  • Members
  • 64 posts

Posted 05 January 2010 - 07:45 PM

I am ready to perform the SAS scan. In the directions you said to check the C drive. I just want to make sure that you want only the C drive selected... I have 3 fixed drives on this computer. I will start the scan with only C selected for now.

I have another computer that I will use to look for your response and change to all drives if necessary.

Thanks,
Ken

Edited by needsalittlehelp, 05 January 2010 - 07:46 PM.


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 January 2010 - 10:23 PM

Ok, you will most likely need to scan each drive.

#13 needsalittlehelp

needsalittlehelp
  • Topic Starter

  • Members
  • 64 posts

Posted 07 January 2010 - 02:54 AM

Here is the Dr.Web report:

Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
Combo-Fix.exe/data003\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\KEN\Desktop\Combo-Fix.exe/data003;Program.PsExec.171;;
data003;C:\Documents and Settings\KEN\Desktop;Archive contains infected objects;;
Combo-Fix.exe;C:\Documents and Settings\KEN\Desktop;Container contains infected objects;Moved.;
ComboFix.exe/data003\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\KEN\Desktop\ComboFix.exe/data003;Program.PsExec.171;;
data003;C:\Documents and Settings\KEN\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\KEN\Desktop;Container contains infected objects;Moved.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\KEN\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\KEN\Desktop\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Documents and Settings\KEN\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\KEN\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\KEN\Desktop\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
TrueImage11.8101_s_en.exe\setup.exe;C:\Documents and Settings\KEN\My Documents\Downloads\Acronis True Image Home Version11.0.8101(Keygen)\TrueImage11.8101_s_en.exe;Trojan.DownLoad.22372;;
TrueImage11.8101_s_en.exe;C:\Documents and Settings\KEN\My Documents\Downloads\Acronis True Image Home Version11.0.8101(Keygen);Archive contains infected objects;Moved.;
process.exe;C:\HaxFix;Tool.Prockill;Incurable.Moved.;
psexec.cfexe;C:\newgame;Program.PsExec.171;Incurable.Moved.;
A0057429.exe;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984;Tool.Prockill;Incurable.Moved.;
A0057430.exe/data003\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984\A0057430.exe/data003;Program.PsExec.171;;
data003;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984;Archive contains infected objects;;
A0057430.exe;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984;Container contains infected objects;Moved.;
A0057431.exe/data003\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984\A0057431.exe/data003;Program.PsExec.171;;
data003;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984;Archive contains infected objects;;
A0057431.exe;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984;Container contains infected objects;Moved.;
A0057432.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984\A0057432.exe;Tool.Prockill;;
A0057432.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984\A0057432.exe;Tool.ShutDown.14;;
A0057432.exe;C:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984;Archive contains infected objects;Moved.;
newgame.exe/data003\327882R2FWJFW\psexec.cfexe;J:\New Folder\newgame.exe/data003;Program.PsExec.171;;
data003;J:\New Folder;Archive contains infected objects;;
newgame.exe;J:\New Folder;Container contains infected objects;Moved.;
A0057433.exe/data003\327882R2FWJFW\psexec.cfexe;J:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984\A0057433.exe/data003;Program.PsExec.171;;
data003;J:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984;Archive contains infected objects;;
A0057433.exe;J:\System Volume Information\_restore{9B982FB4-87BF-47E5-BE21-FA22980B12DA}\RP984;Container contains infected objects;Moved.;

And the SAS report:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/06/2010 at 00:16 AM

Application Version : 4.26.1000

Core Rules Database Version : 4449
Trace Rules Database Version: 2271

Scan type : Complete Scan
Total Scan Time : 04:38:04

Memory items scanned : 221
Memory threats detected : 0
Registry items scanned : 4462
Registry threats detected : 0
File items scanned : 69729
File threats detected : 1

Unclassified.Unknown Origin
C:\DOCUMENTS AND SETTINGS\KEN\MY DOCUMENTS\DOWNLOADS\VOICE RECOGNITION AND SPEECH FOR WINDOWS JANUARY 2007\VOICE RECOGNITION\GAME COMMANDER 2.0.014\KEYGEN.NFO
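The Dr.Web report above is a semicolon-separated list of object;path;detection;action rows. As an added example (not from this thread, Dr.Web, or any of the tools named), the Python below parses that layout and separates rows where Dr.Web flags admin-tool riskware bundled inside known cleanup utilities (ComboFix, SmitfraudFix, HaxFix) from rows that deserve a closer look, such as the same tool turning up outside those utilities or the trojan inside the keygen download; the TOOL_PREFIXES and CLEANUP_TOOLS lists and the sample rows are constructed assumptions.

```python
from collections import Counter

# Detection families Dr.Web classes as admin tools/riskware rather than malware (assumption).
TOOL_PREFIXES = ("Tool.", "Program.PsExec")
# Cleanup utilities assumed to legitimately bundle such tools.
CLEANUP_TOOLS = ("combo-fix.exe", "combofix.exe", "smitfraudfix", "haxfix")

# Constructed sample rows in the report's layout: object;path;detection;action;
SAMPLE_REPORT = r"""
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
ComboFix.exe/data003\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\KEN\Desktop\ComboFix.exe/data003;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\KEN\Desktop;Container contains infected objects;Moved.;
TrueImage11.8101_s_en.exe\setup.exe;C:\Documents and Settings\KEN\My Documents\Downloads\Acronis True Image Home Version11.0.8101(Keygen)\TrueImage11.8101_s_en.exe;Trojan.DownLoad.22372;;
psexec.cfexe;C:\newgame;Program.PsExec.171;Incurable.Moved.;
"""

def parse_report(text):
    """Split each report line into its four semicolon-separated fields."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(";")
        if len(parts) < 4:
            continue  # not a detection row
        rows.append({"object": parts[0], "path": parts[1], "detection": parts[2], "action": parts[3]})
    return rows

def classify(row):
    """Bucket one row: container summary, expected tool, needs review, or malware."""
    det = row["detection"]
    location = (row["path"] + "\\" + row["object"]).lower()
    if det.startswith(("Archive contains", "Container contains")):
        return "container"          # summary row; the real hit is listed on its own row
    if det.startswith(TOOL_PREFIXES):
        if any(tool in location for tool in CLEANUP_TOOLS):
            return "expected-tool"  # riskware component inside a known cleanup utility
        return "review"             # same tool class, but outside any known utility
    return "malware"

def triage(text):
    """Return (bucket counts, rows that deserve a human look)."""
    counts = Counter()
    findings = []
    for row in parse_report(text):
        bucket = classify(row)
        counts[bucket] += 1
        if bucket in ("malware", "review"):
            findings.append((bucket, row["detection"], row["path"] + "\\" + row["object"]))
    return counts, findings
```

Running triage(SAMPLE_REPORT) leaves three rows to look at: the Process.exe copy in system32, the psexec.cfexe copy in C:\newgame, and the Trojan.DownLoad hit in the keygen archive.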

#14 boopme (To Insanity and Beyond; Global Moderator, 72,740 posts, Gender: Male, Location: NJ USA)

Posted 07 January 2010 - 12:00 PM

Ok, looking good. Do one more and tell me how it's running.
First remove ComboFix and some others.

Remove ComboFix:
Please download OTCleanIt and save it to your desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.


I'd like us to scan your machine with ESET OnlineScan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double-click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

#15 needsalittlehelp (Topic Starter, Members, 64 posts)

Posted 07 January 2010 - 08:35 PM

I have 2 questions:

1. Safe mode or not for the scan?

2. When starting the scanner it warns that "another anti-virus software was detected. This may affect the performance and quality of the scan".

I have AVG anti-virus on my PC; should I leave it enabled, or disable/uninstall it?

Also, just to let you know -- the original problem is still happening. When this computer is on I get the DoS hits from many different IP addresses. When it is off, I only get it from the single number.

Thanks,
Ken