XP Malware. Possible rootkit... strange .com files and other suspicious activity


16 replies to this topic

#1 effingmalware
  • Members
  • 33 posts

Posted 25 August 2013 - 01:08 PM

Hi.  I have been messing around with Windows XP again on one of my slower comps, having downgraded it from Win7.  I have reformatted several times and I believe I need to flash my BIOS, as it seems likely I may have a brutal firmware virus because strange symptoms always return.  I'm not entirely sure how to do this, and the ASUS website seems to have its own flash utilities for my model, but they don't seem to think I have the correct model on their flash utilities....
 
Woah... as I am writing this I happened to have Malwarebytes open (I don't keep it open) and it just said ''successfully blocked connection to 'incoming' suspicious site''.  Geez... I guess I am infected?  Maybe I should leave it up permanently. heh.
 
Anyway, the PRIMARY symptom I notice is that occasionally I get these hard-drive-sounding shut down/restarts.  Maybe it's a CPU fan shut down/re-activate, I'm not sure.  What happens is the PC fan will entirely stop for several seconds, then I will hear a winding whine type noise and it will reactivate.  During this point the OS temporarily freezes (even the touchpad), and it sometimes happens repeatedly over and over and over and then will not happen for hours.  Does this sound like suspicious activity?  I have run many many scanners and anti-rootkit scanners and adware/malware scanners.   One thing to note is when I run MBAR, it halts at desktop.ini and seems to get stuck there.
 
Some things I've run: MBAM, JRT, aswMBR, Sophos, Farbar, Security Check, TDSSKiller, and several others I have been adding to my arsenal.
 
JRT found some IE-type things which it deleted.  Nothing else really reports anything.  Is there a scanner which will scan the chipset/BIOS/hardware?  I guess this can't exist, but I have read that a virus can attach itself to the firmware of even a video card or hard drive (in addition to BIOS).
 
Thanks for help getting me started... wow, MBAM just said it successfully blocked access to a suspicious site (AGAIN).  I haven't been doing anything else while writing this and it is the only web page up.  I guess I will leave it up permanently, heh.  Thanks again...

Edit: Moved topic from Windows XP to the more appropriate forum. ~ Animal


#2 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,041 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 25 August 2013 - 01:19 PM

What is the full message of MBAM blocking?

Some of this sounds more like hardware problems, but I'm not an expert on that field. Have you tried a hard drive and RAM check yet?

 

By the way, it's unlikely to be a piece of firmware malware. See this post that Elise (a malware analysis and removal expert) made on them: http://securitysnapshots.blogspot.co.uk/

Of course it's possible, but hardware issues are far more likely in my opinion. There is a forum for checking out malware though, so you could post there (or ask for this topic to be moved via the report button).

 

Edit: Okay, it got moved to the section for checking out malware. Ignore the last sentence then, but it may be still a good idea to run a hard drive test.

 

xXToffeeXx~


Edited by xXToffeeXx, 25 August 2013 - 01:31 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 effingmalware
  • Topic Starter
  • Members
  • 33 posts

Posted 25 August 2013 - 01:49 PM

Hi.  It says 'MBAM successfully blocked access to a potentially malicious website' ('outgoing' or 'incoming') and it lists the IP. They are always different.  The last time it did it, I noticed Firefox was trying to load an ad.doubleclick thing.  Maybe that is related?  It seems to happen when Firefox is open, which is the browser I use for cookies.  (I also use Dragon and Chrome, but I have them set to not allow any cookies or set any data or Java things, etc.)

 

Anyway, I believe it IS malware because of strange symptoms.  I also just found a creepy-looking file in my SuperAntiSpyware directory.  It had a long name and was running in Task Manager.  Its name was something like b4452-5bfth250-324gfd-23bgrf43-fgg543.com and it said it was an MS-DOS executable.  I deleted it (maybe that was a bad idea, I don't know; I know normal deletion doesn't do the trick for viruses...).  Doesn't that seem suspicious? I have never seen this file running before, and after deleting it SAS was still able to scan, so it didn't seem to affect anything :/

 

As for the fan, I know that it could also be dust-clogged, causing it to restart constantly, and I believe my HD said it has like 4% fragmentation.  Would that be enough to cause it to constantly make shut down/restart noises?  I would like to check that too, but I have had these problems for years and years and they always come back.  It is also constantly reading even when nothing is going on.

 

My last format I tried to run a locked-down Comodo firewall set permanently to HIPS and figure out a ruleset and block everything not absolutely necessary for running my applications, but I screwed it up messing with its autoruns and disabled some critical OS things and was unable to use System Restore (which also seemed kind of FISHY if you ask me, but I'm not sure if it was just my fault).  The Start menu disappeared and I had to run Windows key+R to start any programs.  Still found no viruses at that point.


Edited by effingmalware, 25 August 2013 - 01:56 PM.


#4 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,041 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 25 August 2013 - 02:08 PM

I'm certainly not saying that you could not be infected; just that a firmware rootkit is very unlikely, and your hard drive problems are more likely to be caused by it failing.

 

I'm more interested in the process, if you can find that out (open Malwarebytes, click on Logs, look for today's date and then it should list the IP block, the IP, incoming or outgoing, and process) and post that. I don't think ad.doubleclick would be causing the problems (it's part of Google advertising, I believe), but maybe it is something to look into.

 

Normally if you are behind a router then you shouldn't need a third-party firewall, and as you can see they can be hard to manage if you don't completely know what blocking a program/process can do. Was there an error code/message when attempting to use System Restore, just out of interest? Also, did you completely wipe the hard drive before reinstalling Windows?

 

xXToffeeXx~




#5 effingmalware
  • Topic Starter
  • Members
  • 33 posts

Posted 25 August 2013 - 05:14 PM

The MBAM log shows this:

 

2013/08/25 10:43:11 -0700    COMPUTER-3815    Owner    MESSAGE    Starting protection
2013/08/25 10:43:11 -0700    COMPUTER-3815    Owner    MESSAGE    Protection started successfully
2013/08/25 10:43:11 -0700    COMPUTER-3815    Owner    MESSAGE    Starting IP protection
2013/08/25 10:43:19 -0700    COMPUTER-3815    Owner    MESSAGE    Executing scheduled update:  Daily
2013/08/25 10:45:33 -0700    COMPUTER-3815    Owner    MESSAGE    Scheduled update executed successfully:  database updated from version v2013.04.04.07 to version v2013.08.25.05
2013/08/25 10:53:44 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection started successfully
2013/08/25 10:53:44 -0700    COMPUTER-3815    Owner    MESSAGE    Starting database refresh
2013/08/25 10:53:44 -0700    COMPUTER-3815    Owner    MESSAGE    Stopping IP protection
2013/08/25 10:53:48 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection stopped successfully
2013/08/25 10:54:07 -0700    COMPUTER-3815    Owner    MESSAGE    Database refreshed successfully
2013/08/25 10:54:07 -0700    COMPUTER-3815    Owner    MESSAGE    Starting IP protection
2013/08/25 10:55:14 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection started successfully
2013/08/25 10:55:14 -0700    COMPUTER-3815    Owner    MESSAGE    Stopping IP protection
2013/08/25 10:55:15 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection stopped successfully
2013/08/25 10:55:15 -0700    COMPUTER-3815    Owner    MESSAGE    Starting IP protection
2013/08/25 10:56:16 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection started successfully
2013/08/25 10:56:49 -0700    COMPUTER-3815    Owner    IP-BLOCK    188.64.170.220 (Type: incoming)
2013/08/25 11:07:01 -0700    COMPUTER-3815    Owner    IP-BLOCK    188.130.177.7 (Type: incoming)
2013/08/25 11:08:55 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.101.136 (Type: outgoing)
2013/08/25 11:10:43 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.84.110 (Type: outgoing)
2013/08/25 11:12:20 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:12:35 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:13:05 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:22:13 -0700    COMPUTER-3815    Owner    IP-BLOCK    188.130.177.7 (Type: incoming)
2013/08/25 11:42:08 -0700    COMPUTER-3815    Owner    IP-BLOCK    91.188.48.225 (Type: outgoing)
2013/08/25 11:46:30 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:46:45 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:47:15 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 12:04:24 -0700    COMPUTER-3815    Owner    IP-BLOCK    98.142.251.232 (Type: incoming)
2013/08/25 12:04:32 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.124.97 (Type: incoming)
2013/08/25 12:11:12 -0700    COMPUTER-3815    Owner    MESSAGE    Starting protection
2013/08/25 12:11:12 -0700    COMPUTER-3815    Owner    MESSAGE    Protection started successfully
2013/08/25 12:11:12 -0700    COMPUTER-3815    Owner    MESSAGE    Starting IP protection
2013/08/25 12:11:30 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection started successfully
 

 



#6 effingmalware
  • Topic Starter
  • Members
  • 33 posts

Posted 25 August 2013 - 05:21 PM

So you don't think that bizarre filename in the SAS dir is of any concern?  I am pretty sure I've never seen it before...

 

I have a few system restore points I've made... should I delete them?  What else should I scan with?  I can post logs of whatever, I have most of the scanners I believe... but maybe I'm missing one that would find whatever-it-is...?  (lol)

 

Thanks for the help again.  I truly want to flash my BIOS at least, but the BIOS flashing utilities offered for my mobo/laptop don't seem to recognize my laptop as mine.  I'm also kinda fearful to do it on my own manually, as I do not want to crap out my comp.


Edited by effingmalware, 25 August 2013 - 05:22 PM.


#7 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,931 posts
  • Gender:Female
  • Location:Romania

Posted 26 August 2013 - 04:12 AM

The most common of the IP blocks belongs to Voxility; are you using, or have you used, that service?

 

Besides that I see a few IP blocks that definitely are suspicious. Are you using any peer-to-peer or file sharing application?

 

 

> What happens is the PC fan will entirely stop for several seconds, then I will hear a winding whine type noise and it will reactivate.

 

 

That is hardware, and I'd say based on your description the HD, not the fan, although it's hard to say. You could try to upgrade the BIOS firmware; if an update is available, you can find it on the manufacturer's site for your motherboard.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 MzLindyOne
  • Members
  • 83 posts
  • Gender:Female

Posted 26 August 2013 - 05:00 AM

> So you don't think that bizarre filename in the SAS dir is of any concern?  I am pretty sure I've never seen it before...

 

 

If it reappears as a different name each time you run SAS, it's part of the program's functionality.  Leave it be.



#9 effingmalware
  • Topic Starter
  • Members
  • 33 posts

Posted 26 August 2013 - 06:09 PM

Well, the IP blocks seem to have stopped... and I will admit I occasionally do have file sharing applications open, but the IP blocks would happen whether that kind of software was open or not.  I haven't seen one for a while; however, I did do a reboot.  It makes me wonder if maybe whatever it is found a way to get around the MBAM blocks.  Maybe I seem paranoid, but I don't know, I feel infected.  Should I run ComboFix?  I'm always hesitant to run it because of that screen it leaves at the bootup after running.  I realize that is so you can be safe and have a way to recover, but I don't like it there and resist running it because of this lol.  I also know that it isn't always wise to run such an intense fix program without being sure what it's doing.

 

Thanks for any more suggestions. I am currently running Defraggler on my HD, which it reads as being 11% fragmented.  Could this maybe fix the fan/HD wind-up noises?   The wind-up fan sound hasn't happened for a while, but I did hear it several times repeatedly earlier.  When it happens it starts to go constantly on/off on/off, and it doesn't seem to be related to whether I am doing any CPU-intense applications or not.



#10 effingmalware
  • Topic Starter
  • Members
  • 33 posts

Posted 26 August 2013 - 06:12 PM

I now realize the strange file is probably just a part of SAS's normal operation, thanks for clarifying that.

 

I did notice that I installed a toolbar by accident after installing a shareware CD burner.  I had some trouble removing it even after running JRT, but AdwCleaner seems to have nuked it, which is good (it was entrusted11).  I guess my comp might be clean... but it seems strange the MBAM alerts have stopped when I didn't fix anything.  Oh well, I guess.

 

One other question I had at least was about TFC.  I tried to run it and it seemed to begin to work the first time and prompted me for a reboot.  I clicked to reboot, but it just froze there and wouldn't shut down, so I did a manual reset through Task Manager.  Upon rebooting nothing happened, so I tried to run it again, but now it just freezes after killing all the background processes.  Any ideas on this?  I realize it might not be a fully bug-free cleaner, but I would have liked to have something to wipe all my temp bs.  Thanks for responses, learning more every day.  Cheers


Edited by effingmalware, 26 August 2013 - 09:24 PM.


#11 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,931 posts
  • Gender:Female
  • Location:Romania

Posted 27 August 2013 - 02:09 AM

No idea what the matter is with TFC; have you tried running it from Safe Mode? It is possible it's being blocked by MBAM/SAS.

 

You could also just run Windows' inbuilt cleanmanager; that will not get every last file, but does a decent cleanup as well (the difference usually is a few MBs, not GBs :)).


regards, Elise




#12 effingmalware
  • Topic Starter
  • Members
  • 33 posts

Posted 27 August 2013 - 05:30 AM

Thanks, I will try that, yeah.  It's not a question of space for me, it's a matter of principle.  If I can get random craps in my system out, I feel better.  That brings me to a wish I have... why isn't there a program called, like, ''killprocess'' or something?   What I mean is, say you want to just eradicate any/all running services except the vital ones... why can't we have this?  It would be a great feature to install new programs/drivers/etc., or to run a movie without any other background interruption, etc.  I would LOVE this.  I want a program that could kill all/any background processes.  Meaning all auto-updates, all auto-whatever.  My goal in using my computer is to eradicate ALL background bs.  I don't want any of it running ever.  I just wish there was an option to do this.  I constantly scroll through my Task Manager and services.msc and Autoruns to see if there's anything new I can *disable* without my system ruining itself.

 

I rarely have the patience to get into Safe Mode lol.  I know I should do more of these scans there... will give it a try soon.  Anyway, I guess for now there's nothing to say.  The wind-ups haven't happened for hours.  I did, however, finally dare to log in to Facebook today.... so now I am sure I am screwed with malware and any hackers that may be stalking me. lol.  It's just a repeat cycle of cleaning/formatting/repeating for life, I guess.  Thanks for the help and ideas... but if you know of any ''killallprocess'' type freewares?  I would love to find something like that.  Cheers



#13 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,931 posts
  • Gender:Female
  • Location:Romania

Posted 27 August 2013 - 09:52 AM

> What I mean is, say you want to just eradicate any/all running services except the vital ones... why can't we have this?

Because doing something like that would severely affect system performance. Service/driver components are loaded in normal mode; you can't just stop them and expect Windows to run normally afterwards.

 

There are two things you can do to accomplish this: a clean boot (this is mainly used for troubleshooting) or creating a hardware profile (this is a more permanent solution).


regards, Elise




#14 effingmalware
  • Topic Starter
  • Members
  • 33 posts

Posted 27 August 2013 - 11:58 PM

OK, actually... I AM still getting these IP outgoing/incoming blocks from MBAM.  Still always different IPs.  I suppose I can post the newer updated log.  What can I do?

 

MBAM log:

 

2013/08/27 03:48:46 -0700    COMPUTER-3815    Owner    MESSAGE    Executing scheduled update:  Daily
2013/08/27 03:50:46 -0700    COMPUTER-3815    Owner    MESSAGE    Scheduled update executed successfully:  database updated from version v2013.08.26.01 to version v2013.08.27.03
2013/08/27 03:50:46 -0700    COMPUTER-3815    Owner    MESSAGE    Starting database refresh
2013/08/27 03:50:46 -0700    COMPUTER-3815    Owner    MESSAGE    Stopping IP protection
2013/08/27 03:50:46 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection stopped successfully
2013/08/27 03:51:11 -0700    COMPUTER-3815    Owner    MESSAGE    Database refreshed successfully
2013/08/27 03:51:11 -0700    COMPUTER-3815    Owner    MESSAGE    Starting IP protection
2013/08/27 03:52:31 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection started successfully
2013/08/27 03:54:21 -0700    COMPUTER-3815    Owner    IP-BLOCK    222.186.19.12 (Type: incoming)
2013/08/27 03:55:27 -0700    COMPUTER-3815    Owner    IP-BLOCK    222.186.19.12 (Type: incoming)
2013/08/27 04:04:57 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.17.74 (Type: incoming)
2013/08/27 04:19:56 -0700    COMPUTER-3815    Owner    IP-BLOCK    58.240.158.245 (Type: outgoing)
2013/08/27 04:26:14 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.17.74 (Type: incoming)
2013/08/27 04:41:54 -0700    COMPUTER-3815    Owner    IP-BLOCK    213.55.114.183 (Type: incoming)
2013/08/27 04:42:16 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.113.111 (Type: incoming)
2013/08/27 04:48:54 -0700    COMPUTER-3815    Owner    IP-BLOCK    121.10.90.200 (Type: outgoing)
2013/08/27 05:04:55 -0700    COMPUTER-3815    Owner    IP-BLOCK    219.146.123.130 (Type: outgoing)
2013/08/27 05:05:04 -0700    COMPUTER-3815    Owner    IP-BLOCK    31.133.39.232 (Type: outgoing)
2013/08/27 05:06:19 -0700    COMPUTER-3815    Owner    IP-BLOCK    218.8.123.239 (Type: outgoing)
2013/08/27 05:06:37 -0700    COMPUTER-3815    Owner    IP-BLOCK    58.241.54.209 (Type: outgoing)
2013/08/27 05:20:15 -0700    COMPUTER-3815    Owner    IP-BLOCK    31.133.53.221 (Type: outgoing)
2013/08/27 05:20:44 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.108.24 (Type: incoming)
2013/08/27 05:24:19 -0700    COMPUTER-3815    Owner    IP-BLOCK    194.165.0.6 (Type: incoming)
2013/08/27 05:35:10 -0700    COMPUTER-3815    Owner    IP-BLOCK    218.8.122.186 (Type: outgoing)
2013/08/27 05:36:38 -0700    COMPUTER-3815    Owner    IP-BLOCK    98.142.251.47 (Type: outgoing)
2013/08/27 06:06:51 -0700    COMPUTER-3815    Owner    IP-BLOCK    77.78.210.41 (Type: outgoing)
2013/08/27 06:11:14 -0700    COMPUTER-3815    Owner    IP-BLOCK    218.9.97.203 (Type: incoming)
2013/08/27 06:15:01 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.17.74 (Type: incoming)
2013/08/27 06:16:58 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.93.175 (Type: incoming)
2013/08/27 06:19:04 -0700    COMPUTER-3815    Owner    IP-BLOCK    78.26.187.252 (Type: outgoing)
2013/08/27 06:19:11 -0700    COMPUTER-3815    Owner    IP-BLOCK    194.165.0.3 (Type: outgoing)
2013/08/27 06:34:51 -0700    COMPUTER-3815    Owner    IP-BLOCK    194.165.0.3 (Type: outgoing)
2013/08/27 06:36:00 -0700    COMPUTER-3815    Owner    IP-BLOCK    212.36.9.163 (Type: outgoing)
2013/08/27 06:39:56 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.17.74 (Type: incoming)
2013/08/27 07:08:10 -0700    COMPUTER-3815    Owner    MESSAGE    Starting protection
2013/08/27 07:08:10 -0700    COMPUTER-3815    Owner    MESSAGE    Protection started successfully
2013/08/27 07:08:10 -0700    COMPUTER-3815    Owner    MESSAGE    Starting IP protection
2013/08/27 07:08:39 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection started successfully
2013/08/27 08:47:28 -0700    COMPUTER-3815    Owner    MESSAGE    Starting protection
2013/08/27 08:47:28 -0700    COMPUTER-3815    Owner    MESSAGE    Protection started successfully
2013/08/27 08:47:28 -0700    COMPUTER-3815    Owner    MESSAGE    Starting IP protection
2013/08/27 08:47:55 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection started successfully
 

 

 

What could be going on? I am not using that program you mentioned, nor any other file sharing etc. types... I looked a few of them up; they seem to be all over the place: Moldova, Ethiopia, China, etc.  What is this junk? Any ideas?


Edited by effingmalware, 28 August 2013 - 12:03 AM.
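The two Malwarebytes protection logs pasted in this thread (posts #5 and #14) are what Elise and xXToffeeXx are reading by eye: which address is blocked most often, whether the block is incoming or outgoing, and whether the same address repeats. Below is an added example, not part of this thread and not Malwarebytes' own code, that does the same tallying over log text in the format shown above: it parses each line, counts blocks per remote IP and per direction, and flags an address that is blocked "outgoing" several times within a short window. The sample lines are a subset of the first log in this thread; the field layout (date, time, UTC offset, host, user, record kind, message) is assumed from those lines only, and the 120-second window and three-hit threshold are arbitrary tuning values I chose.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample input: a subset of the lines effingmalware pasted from the MBAM
# protection log (post #5 in this thread). The field layout assumed by the
# parser below is inferred from these lines only.
SAMPLE_LOG = """\
2013/08/25 10:43:11 -0700    COMPUTER-3815    Owner    MESSAGE    Starting protection
2013/08/25 10:56:16 -0700    COMPUTER-3815    Owner    MESSAGE    IP Protection started successfully
2013/08/25 10:56:49 -0700    COMPUTER-3815    Owner    IP-BLOCK    188.64.170.220 (Type: incoming)
2013/08/25 11:07:01 -0700    COMPUTER-3815    Owner    IP-BLOCK    188.130.177.7 (Type: incoming)
2013/08/25 11:08:55 -0700    COMPUTER-3815    Owner    IP-BLOCK    89.28.101.136 (Type: outgoing)
2013/08/25 11:12:20 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:12:35 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:13:05 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:22:13 -0700    COMPUTER-3815    Owner    IP-BLOCK    188.130.177.7 (Type: incoming)
2013/08/25 11:46:30 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:46:45 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 11:47:15 -0700    COMPUTER-3815    Owner    IP-BLOCK    109.163.231.236 (Type: outgoing)
2013/08/25 12:04:24 -0700    COMPUTER-3815    Owner    IP-BLOCK    98.142.251.232 (Type: incoming)
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<kind>MESSAGE|IP-BLOCK)\s+(?P<msg>.*)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>incoming|outgoing)\)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts. Lines that do not match the
    assumed layout are skipped rather than guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(
            f"{ev['date']} {ev['time']} {ev['tz']}", "%Y/%m/%d %H:%M:%S %z"
        )
        if ev["kind"] == "IP-BLOCK":
            b = BLOCK_RE.match(ev["msg"])
            if b:
                ev["ip"] = b["ip"]
                ev["direction"] = b["direction"]
        events.append(ev)
    return events


def summarize_blocks(events):
    """Count IP-BLOCK records per remote address and per direction."""
    blocks = [ev for ev in events if ev["kind"] == "IP-BLOCK" and "ip" in ev]
    return {
        "total_blocks": len(blocks),
        "by_ip": Counter(ev["ip"] for ev in blocks),
        "by_direction": Counter(ev["direction"] for ev in blocks),
    }


def outgoing_bursts(events, window_seconds=120, min_count=3):
    """Find remote addresses blocked 'outgoing' at least min_count times within
    window_seconds. An outgoing block means a process on this host initiated
    the connection, so a tight repeat is worth tracing to that process;
    incoming blocks on an unfiltered host are mostly background noise.
    The window and threshold are assumed tuning values, not MBAM settings."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev.get("direction") == "outgoing":
            per_ip[ev["ip"]].append(ev["ts"])
    bursts = []
    for ip, times in per_ip.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= min_count:
                bursts.append((ip, times[i], times[j], j - i + 1))
                i = j + 1
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    summary = summarize_blocks(evs)
    print(f"{summary['total_blocks']} blocks: {dict(summary['by_direction'])}")
    for ip, n in summary["by_ip"].most_common():
        print(f"  {ip:16} {n}")
    for ip, start, end, n in outgoing_bursts(evs):
        print(f"burst: {ip} blocked outgoing {n}x between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

To use it on a real log, replace SAMPLE_LOG with the contents of the saved protection log. A flagged outgoing burst is a pointer to the next question xXToffeeXx asked, which process owns the connection, not a verdict on its own; the incoming hits, as the thread notes, mostly reflect an unfiltered host being touched from the internet.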


#15 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,931 posts
  • Gender:Female
  • Location:Romania

Posted 28 August 2013 - 02:03 AM

 

> Are you using any peer-to-peer or file sharing application?

 

 

Please answer this question. :)


regards, Elise

