Malware contacting IP addresses outside my network


  • This topic is locked
2 replies to this topic

#1 jim7jim

  • Members
  • 2 posts

Posted 06 May 2011 - 11:50 AM

I first noticed a problem when Trend Micro Officescan v10 popped up blocking access to websites and I didn't even have a browser open. I checked network connections and noticed my pc was trying to contact several IP addresses outside my network even when a browser wasn't open. Searches for the IP addresses yielded computers in Russia and other foreign countries. And while Trend Micro was blocking access to some of them, it did not look like it was blocking all of them. I ran Spybot S&D and Malware Bytes scans but they didn't fix the issue. Looking for some help. TIA.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by dougm at 10:33:01.09 on Fri 05/06/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.646 [GMT -4:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {2865E415-A26A-48ED-8304-AF9E3AADDE8C}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Auto Close Idle Client\ACIClient.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Shoreline Communications\ShoreWare Client\STCHost.exe
C:\Program Files\Shoreline Communications\ShoreWare Client\CSISCMGR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Documents and Settings\dougm\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ShoreTel Personal Call Manager] c:\program files\shoreline communications\shoreware client\StartCli.exe
mRun: [ACIClient] c:\program files\auto close idle client\ACIClient.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {3AC3D009-2E89-4F1E-9F51-04D4FBD50122} - hxxp://nts02/shorewaredirector/clientinstall/ShoretelClientInstall.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292877735734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292943014436
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\dougm\applic~1\mozilla\firefox\profiles\hwurt23o.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-5-4 64512]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2010-10-20 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2010-10-20 36432]
R3 PciSPorts;High-Speed PCI Serial Port;c:\windows\system32\drivers\PciSPorts.sys [2008-5-22 119808]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-7-15 689416]
S3 dev03edb;USB-I2C/IO Driver (dev03edb.sys);c:\windows\system32\drivers\dev03edb.sys [2011-2-22 20500]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2010-12-21 3567]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-8-29 14336]
S4 AutoCloseIdleUpdater;Auto Close Idle Updater;c:\program files\common files\ultimate net tools\auto close idle updater\ACIUpdater.exe [2010-12-21 450560]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-24 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-24 136176]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2146496]
.
=============== Created Last 30 ================
.
2011-05-05 23:50:59 -------- d-----w- c:\windows\pss
2011-05-04 13:20:29 -------- d-----w- c:\program files\CCleaner
2011-05-04 12:49:19 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-04 10:16:42 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-04 10:15:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-04 10:14:55 -------- d-----w- c:\program files\Lavasoft
2011-05-03 11:20:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-03 11:20:18 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-03 11:20:18 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-03 11:20:18 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-03 11:20:18 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-03 11:20:18 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-03 11:20:18 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-03 11:20:18 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-03 10:18:03 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-03 10:18:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-03 10:17:41 -------- d-----w- c:\program files\The Weather Channel Toolbar
2011-05-03 10:17:41 -------- d-----w- c:\program files\The Weather Channel FW
2011-05-03 10:17:41 -------- d-----w- c:\docume~1\dougm\locals~1\applic~1\The Weather Channel
2011-05-02 17:27:04 -------- d-----w- c:\docume~1\dougm\applic~1\Malwarebytes
2011-05-02 17:26:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
.
==================== Find3M ====================
.
2011-03-11 23:00:39 102400 ----a-w- c:\windows\RegBootClean.exe
.
============= FINISH: 10:34:12.48 ===============

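The DDS log above is the artifact a helper on this forum would read first. As an added example (not code from the thread, the poster, or the DDS tool), here is a small Python triage script for that log format: it splits the log into its `===== NAME =====` sections, cross-references started services and drivers and autorun entries against the `Created Last 30` section, and lists `Hosts:` overrides for review. The line layouts it parses are inferred from this one log, which is an assumption; the embedded input is a verbatim excerpt of the log posted above.

```python
"""Triage helper for DDS logs. Added example for this thread; not code from
BleepingComputer, the poster, or the DDS tool. Parsing rules are inferred
from the layout of the single log posted above (an assumption)."""
import re

# Excerpt of the DDS log posted in this thread (a subset of its lines, kept
# verbatim), embedded so the example runs offline.
SAMPLE_LOG = r"""DDS (Ver_11-03-05.01) - NTFSx86
Run by dougm at 10:33:01.09 on Fri 05/06/2011
.
============== Pseudo HJT Report ===============
.
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-5-4 64512]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2010-10-20 249424]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2010-12-21 3567]
.
=============== Created Last 30 ================
.
2011-05-04 12:49:19 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-04 10:15:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-04 10:14:55 -------- d-----w- c:\program files\Lavasoft
.
============= FINISH: 10:34:12.48 ===============
"""

# Section banner: "====== NAME ======"
HEADER = re.compile(r"^=+\s*(.+?)\s*=+\s*$")
# Service/driver line: "R0 Name;Description;path [yyyy-m-d size]"
DRIVER = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
                    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
# Created-file line: "yyyy-mm-dd hh:mm:ss size attrs path"
CREATED = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$")
# Autorun line: 'uRun: [Name] "path\prog.exe" args' (quotes optional)
AUTORUN = re.compile(r'^[um]Run:\s+\[(?P<name>[^\]]*)\]\s+"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
# Hosts override line: "Hosts: ip hostname"
HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")


def split_sections(text):
    """Map each banner name to its non-empty lines. Lines before the first
    banner go under 'HEADER'; DDS's lone '.' spacer lines are dropped."""
    sections, current = {"HEADER": []}, "HEADER"
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return findings worth a human look, in log order within each category:
    started drivers/services whose file is new, autoruns whose file is new,
    and Hosts overrides. Paths are compared case-insensitively."""
    s = split_sections(text)
    created = {}
    for line in s.get("Created Last 30", []):
        m = CREATED.match(line)
        if m:
            created[m.group("path").lower()] = m.group("date")
    findings = []
    for line in s.get("SERVICES / DRIVERS", []):
        m = DRIVER.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        # Rn = started (R0/R1 load at boot, before user-mode tools); Sn = stopped.
        if m.group("start").startswith("R") and path in created:
            findings.append({"kind": "driver", "name": m.group("name"), "path": path,
                             "why": f"started ({m.group('start')}), file created {created[path]}"})
    for line in s.get("Pseudo HJT Report", []):
        m = AUTORUN.match(line)
        if m and m.group("path").lower() in created:
            findings.append({"kind": "autorun", "name": m.group("name"),
                             "path": m.group("path").lower(),
                             "why": f"autorun binary created {created[m.group('path').lower()]}"})
        m = HOSTS.match(line)
        if m:
            findings.append({"kind": "hosts", "name": m.group("host"), "path": m.group("ip"),
                             "why": "Hosts override; confirm which tool or person added it"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['path']} ({f['why']})")
```

On the excerpt this flags the boot-start driver `Lbd` (its file appears in `Created Last 30` on 2011-05-04, the same minute the `Lavasoft` folder was created) and the single Hosts override; both are items to confirm against what was deliberately installed, not verdicts. Run it against a full log with `triage(open("dds.txt").read())`.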

#2 jim7jim

  • Topic Starter
  • Members
  • 2 posts

Posted 06 May 2011 - 04:06 PM

I believe I have fixed this by running tdsskiller from Kaspersky. I tried this after reading a post on this forum. :thumbsup:

Thanks to all who participate here and help out others! This forum is a great resource for computer users!

#3 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,573 posts

Posted 06 May 2011 - 05:18 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
