My First Post - WILL


This topic is locked
6 replies to this topic

#1 WITHCO


Posted 17 February 2012 - 08:08 AM

Attached File: iEXPLORE2.log (15.97KB, 2 downloads)

I can't find what I wrote last night; I got so tired I fell asleep here at my PC. I wasn't even drunk either. I just wanted to get it done last night.

I know i didn't send my scan.

But GRINGO, I think this is worse than I thought. I am racing around closing inbounds on my firewall as fast as this virus is opening them. If it wants to, it can stop me by freezing open windows, especially if I am going to Malwarebytes, and I even have a couple of others, like Symantec's and MS emergency programs.

This thing came in as guest on some of my folder permissions with full permission status. A couple of days ago he came in as trusted installer.

I DON'T MEAN TO NOT APPRECIATE YOUR PREVIOUS FIX, I AM THANKFUL FOR THAT, BUT I WANTED TO MAKE YOU AWARE OF SOME OTHER THINGS.

HERE ARE A COUPLE OF QUOTES FROM THE EVENTS LOG THAT ARE THREATENING

IT GOT IN AND STARTED OPENING PACKAGES LIKE kb2633952, SUCCESSFULLY CHANGED TO THE INSTALLED STATE.


IN ANOTHER IT SAID THE FOLLOWING: Initiating changes for package KB2639417. Current state is Resolved. Target state is Installed. Client id: WindowsUpdateAgent.

>Initiating changes to turn on update WAS-NetFxEnvironment of package IIS-WebServer-Package. Client id: Windows Optional Component Manager.

>When I shut off the fax port it was using, the event security log was like this:

>>The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: 1144
Application Name: \device\harddiskvolume3\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: ff02::c
Source Port: 1900
Destination Address: ::1
Destination Port: 51225
Protocol: 17

Filter Information:
Filter Run-Time ID: 71171
Layer Name: Receive/Accept
Layer Run-Time ID: 46
>>The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 1000
Application Name: \device\harddiskvolume3\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 255.255.255.255
Source Port: 67
Destination Address: 0.0.0.0

>>The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 1000
Application Name: \device\harddiskvolume3\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17

Filter Information:
Filter Run-Time ID: 92179
Layer Name: Receive/Accept
Layer Run-Time ID: 44

THEN IT STARTED PERMITTING:

>>The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: 4
Application Name: System

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 0
Destination Address: 192.168.1.156
Destination Port: 0
Protocol: 2

Filter Information:
Filter Run-Time ID: 91157
Layer Name: Receive/Accept
Layer Run-Time ID: 44


then a bind

>>The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
Process ID: 4572
Application Name: \device\harddiskvolume3\program files (x86)\internet explorer\iexplore.exe

Network Information:
Source Address: 0.0.0.0
Source Port: 55463
Protocol: 6

Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36

>>The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
Process ID: 4328
Application Name: \device\harddiskvolume3\program files (x86)\microsoft office\office14\outlook.exe

Network Information:
Source Address: 0.0.0.0
Source Port: 49643
Protocol: 6

Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36


IT LOOKS LIKE IT'S TRYING TO GET FAR ENOUGH IN TO GET ON THE TAILS OF A PROGRAM SO IT CAN PENETRATE THE FIREWALL...

>>The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
Process ID: 4328
Application Name: \device\harddiskvolume3\program files (x86)\microsoft office\office14\outlook.exe

Network Information:
Source Address: 0.0.0.0
Source Port: 49643
Protocol: 6

Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36


>>The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

Application Information:
Process ID: 2424
Application Name: \device\harddiskvolume3\windows\system32\tcpsvcs.exe

Network Information:
Source Address: ::
Source Port: 17
Protocol: 6

Filter Information:
Filter Run-Time ID: 0
Layer Name: Listen
Layer Run-Time ID: 42

>>The Windows Filtering Platform has permitted a bind to a local port.

Application Information:
Process ID: 2568
Application Name: \device\harddiskvolume3\windows\system32\svchost.exe

Network Information:
Source Address: 0.0.0.0
Source Port: 49167
Protocol: 17

Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36

AND NOW THE FIREWALL

>>Windows Firewall did not apply the following rule:

Rule Information:
ID: FPS-RPCSS-In-TCP
Name: File and Printer Sharing (Spooler Service - RPC-EPMAP)

Error Information:
Reason: Remote Addresses resolved to an empty set.


>> Windows Firewall did not apply the following rule:

Rule Information:
ID: FPS-RPCSS-In-TCP
Name: File and Printer Sharing (Spooler Service - RPC-EPMAP)

Error Information:
Reason: Remote Addresses resolved to an empty set.

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 136
Application Name: \device\harddiskvolume3\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 255.255.255.255
Source Port: 67
Destination Address: 0.0.0.0
Destination Port: 68
Protocol: 0

Filter Information:
Filter Run-Time ID: 73970
Layer Name: Receive/Accept
Layer Run-Time ID: 44


>>Windows Firewall did not apply the following rule:

Rule Information:
ID: CoreNet-Teredo-In
Name: Core Networking - Teredo (UDP-In)

Error Information:
Reason: Local Port resolved to an empty set.


---------

AFTER THAT, JUST MORE OF THE SAME EXAMPLES WITH THE FIREWALL INVOLVED. SO I JUST WENT TO THE FIREWALL AND BLOCKED ALL INCOMING, JUST SO I COULD BE ONLINE WITHOUT THINKING THAT EVERY MINUTE THIS THING IS TEARING MY SYSTEM DOWN.

OK, here is the most up-to-date hijack file. If you want, you can just write for me to go try the fixes in your first reply and I will do so.

THANK YOU SO MUCH FOR THE TIME YOU PUT IN TO HELP - WILL



+WHEN THIS ALL STARTED I HAD THAT "SECURITY SEARCH" OR SOMETHING LIKE THAT AND I FIXED IT EXCEPT THE SECURITY SETTING WOULD BE TURNED OFF AFTER EVERY REBOOT.

+I am now running a full deep scan with Malwarebytes. None of these over the week have found anything except MAL found one called pup.keyless or keywire...can't recall.

I am also doing a full backup on files (can you load a program onto an external like "passport" and run it there?)

FYI: I GET A MESSAGE DURING THE HIJACK SCAN THAT SAYS "For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, hijack this may not be able to fix it." THEN it goes on to propose a manual way to get that info.

OK, THANKS

THANKS AGAIN
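The event log quotes in the post above are Windows Filtering Platform audit events, and most of what they show (DHCP broadcasts on ports 67/68, SSDP multicast on port 1900, IGMP to a multicast group, ephemeral-port binds by Internet Explorer and Outlook) is routine LAN traffic rather than an intrusion. As an added example that is not part of the thread, this Python script parses events in that text layout and labels the routine ones so a reader can focus on whatever is left over; the sample input is constructed, and a leading ">" quote marker is tolerated.

```python
from ipaddress import ip_address

# Constructed sample (not from the thread) in the layout of the WFP audit events
# quoted above, trimmed to the fields the triage uses.
SAMPLE = """\
The Windows Filtering Platform has permitted a connection.
Source Address: ff02::c
Source Port: 1900
Destination Port: 51225
Protocol: 17
The Windows Filtering Platform has blocked a packet.
Source Address: 0.0.0.0
Source Port: 68
Destination Port: 67
Protocol: 17
The Windows Filtering Platform has permitted a bind to a local port.
Source Address: 0.0.0.0
Source Port: 55463
Protocol: 6
"""
HEADER = "The Windows Filtering Platform has "

def parse_events(text):
    """One dict per event; the header line's verb phrase is stored under 'Action'."""
    events = []
    for line in text.splitlines():
        line = line.lstrip("> ")          # drop forum quote markers
        if line.startswith(HEADER):
            events.append({"Action": line[len(HEADER):].rstrip(".")})
        elif ": " in line and events:
            key, value = line.split(": ", 1)
            events[-1][key.strip()] = value.strip()
    return events

def classify(ev):
    """Label routine LAN chatter so attention goes to events it does not explain."""
    src = ev.get("Source Address", "0.0.0.0")
    sport, dport = int(ev.get("Source Port", 0)), int(ev.get("Destination Port", 0))
    proto = ev.get("Protocol")            # 17 = UDP, 6 = TCP, 2 = IGMP
    if ev["Action"].startswith("permitted a bind") and sport >= 49152:
        return "ephemeral client-port bind (normal for any outbound connection)"
    if proto == "17" and (sport in (67, 68) or dport in (67, 68)):
        return "DHCP broadcast (normal)"
    if proto == "17" and 1900 in (sport, dport):
        return "SSDP/UPnP discovery multicast (normal on a LAN)"
    if proto == "2" or ip_address(src).is_multicast:
        return "IGMP/multicast group traffic (normal)"
    return "review: not explained by routine LAN traffic"

for event in parse_events(SAMPLE):
    print(event["Action"], "->", classify(event))
```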


#2 WITHCO


Posted 18 February 2012 - 05:13 AM

Gringo,

I have attached my log as per your request.

I had no problems with the process, except I did have to perform a restart due to error "Illegal Op...Restart Computer" as mentioned in your instructions.

So far, maybe 10 min in, I have had no problems. However, I do still have my incoming connections blocked in order to give us time to perform tests without any other breaches of my firewall.

I cannot unblock and monitor at this moment; I will in a few hours. Would you like for me to open incoming connections back up when I do return and use the computer?

I'll be back online and will check in about 5 hrs.

Thanks, hope the report tells you something. I was reading about the viruses out there and I came across this one called CONFIKER (? not sure of spelling), but you probably know what I mean. Anyway, the symptoms for this were very similar to mine.

AGAIN THANKS,

CHAT SOON
WILLIAM

P.S. Two htm logs were produced so I just attached both, just in case. Hope that is ok.




#3 WITHCO


Posted 18 February 2012 - 11:37 PM

Bad news, this thing is not at all being picked up by any malware scan.

It has hijacked my security permissions and added several users, and it is almost like a game. I go after a user permission or delete it, and he creates 2 more.

And if you watch the processes you can pick him out.

It seems as though he has involved the MSL files.

He has at least 10 "iexplore.exe*32" open in my task manager.

I still have my firewall blocking any incoming. How do I fix this and fight this at the same time?

I hope it is OK, I attach clips of my task manager, maybe it would help.


THANKS

#4 WITHCO


Posted 18 February 2012 - 11:41 PM

GRINGO:


I forgot to finish about the virus. It does seem to go into, I guess, more-used folders; when I click on one, it is like the files are all gone.
It is upsetting, but it turned on parental controls in Services to hide files.

MANY THANKS

#5 WITHCO


Posted 18 February 2012 - 11:50 PM

GRINGO

AGAIN, I AM SORRY GRINGO, BUT HERE IS SOMETHING SIGNIFICANT: IT CREATED A FOLDER IN PROGRAMS AND WROTE THE LOG I AM SENDING YOU. He/it wrote a program for things to happen, you shall see.

Thanks
William



Edited by Orange Blossom, 19 February 2012 - 12:02 AM.
Merged 3 topics. ~ OB


#6 HelpBot


Posted 23 February 2012 - 08:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/442983 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#7 HelpBot


Posted 28 February 2012 - 08:15 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!
