Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

What the **** is this?


  • This topic is locked This topic is locked
6 replies to this topic

#1 Partikkeli

Partikkeli

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 19 December 2013 - 07:42 AM

Ok, so I'm having these weird outbound connection attempts on port 41, sourcing from various applications I happen to have running.

 

Wireshark reveals connections that are not shown in Comodo's connections list.

 

The applications were not running simultaneously at time of screenshot, but the 92.242.144.50 connections only appeared in Wireshark. NMapping 92.242.144.50 showed a linux box with two open ports one being http, both being identified as some sort of redirect service, but it didn't respond with webpage when connected on.

 

Could this be a rootkit? (Can't see a suspicious entry in LOCAL_MACHINE or CURRENT_USER run entries, or startmenu. Didn't check ActiveX listing.)

 

I temporally globally disallowed ip 92.242.144.50.

 

 

 

4smutd.jpg


Edited by Partikkeli, 19 December 2013 - 07:46 AM.


BC AdBot (Login to Remove)

 


#2 Partikkeli

Partikkeli
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 19 December 2013 - 09:22 AM

Comodo anti-virus reports

Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version\Version

By using GMER to view the entry, there seems to a binary value of

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version]
"Version"=hex:62,23,2d,86,9e,9f,96,d9,8b,0c,8a,ab,4d,88,24,29,c5,f0,5d,e0,72,1b,a7,5b,b2,d5,e8,6b,66,e6,3a,a4,a0,fb,45,26,d4,1b,17,66,6d,8d,68,6a,2a,2b,71,2b,3b,f5,d2,0f,48,f6,13,e6,e0,14,c2,dd,0f,e2,40,53,7e,2b,5d,8e,bc,9c,c5,02,d7,81,38,90,c0,a7,b9,c4,17,12,d7,dd,c5,66,b1,08,f9,97,35,94,50,13,ff,aa,c1,a0,42,b6,2e,5e,62,09,2d,f8,fa,7c,64,6a,76,a6,4a,96,e3,aa,5d,2f,e3,26,e8,2d,d0,9d,95,ea,ca,3f,90,c6,1b,dc,9f,6a,98,e1,2b,16,90,85,69,7b,c4,15,63,50,c3,d3,a8,db,11,d2,ce,74,f4,b3,f6,08,e2,f3,41,a4,26,0e,d1,b9,6d,02,75,12,c4,50,7a,b2,0a,47,2e,55,44,e5,eb,cf,22,9a,e3,f7,c4,2c,1a,60,aa,0d,32,cf,b3,47,86,4e,c1,c7,20,5d,b4,58,63,60,3f,ec,e8,6f,2b,6e,c6,2b,e8,f7,4f,d7,16,b8,3b,3e,79,96,b2,87,e0,c8,c4,ed,68,2f,41,53,b2,ed,67,d5,83,db,92,9e,f3,0b,2b,d2,f3,f7,da,41,bc,8a,b7,ec,86,46,20,a3,ff,0d

hidden inside the key...


Edited by Partikkeli, 19 December 2013 - 09:44 AM.


#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:02 AM

Posted 19 December 2013 - 11:08 AM

Hello, lets also run this

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 Partikkeli

Partikkeli
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 26 December 2013 - 12:26 PM

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-12-26 19:14:00
-----------------------------
19:14:00.857    OS Version: Windows x64 6.1.7601 Service Pack 1
19:14:00.857    Number of processors: 16 586 0x2C02
19:14:00.858    ComputerName: WHITE-RAINDROP  UserName: alias
19:14:03.176    Initialize success
19:15:55.129    AVAST engine defs: 13122600
19:16:06.279    Disk 0  \Device\Harddisk0\DR0 -> \Device\00000007
19:16:06.279    Disk 0 Vendor: (  Size: 2048MB BusType: 0
19:16:06.279    Disk 1 (boot) \Device\Harddisk1\DR0 -> \Device\Ide\IdeDeviceP0T1L0-4
19:16:06.279    Disk 1 Vendor: WDC_WD1001FALS-41Y6A0 05.03D06 Size: 953869MB BusType: 3
19:16:06.369    Disk 1 MBR read successfully
19:16:06.369    Disk 1 MBR scan
19:16:06.379    Disk 1 Windows 7 default MBR code
19:16:06.379    Disk 1 Partition 1 00     EE          GPT               200 MB offset 1
19:16:06.399    Disk 1 Partition 2 00     AF   HFS / HFS+            110626 MB offset 409640
19:16:06.439    Disk 1 Partition 3 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 226973696
19:16:06.459    Disk 1 Partition 4 00     07    HPFS/NTFS NTFS       842941 MB offset 227178496
19:16:06.469    Disk 1 scanning C:\Windows\system32\drivers
19:16:14.829    Service scanning
19:16:30.219    Modules scanning
19:16:30.229    Disk 1 trace - called modules:
19:16:30.239    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys 
19:16:30.249    1 nt!IofCallDriver -> \Device\Harddisk1\DR0[0xfffffa800d65e060]
19:16:30.249    3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> [0xfffffa800d246e40]
19:16:30.259    5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-4[0xfffffa800d260060]
19:16:32.079    AVAST engine scan C:\Windows
19:16:36.349    AVAST engine scan C:\Windows\system32
19:20:14.089    AVAST engine scan C:\Windows\system32\drivers
19:20:25.939    AVAST engine scan C:\Users\alias
19:28:45.270    AVAST engine scan C:\ProgramData
19:30:30.870    Scan finished successfully
19:32:48.670    Disk 1 MBR has been saved successfully to "F:\MBR.dat"
19:32:48.680    The log file has been saved successfully to "F:\26-12-2013_aswMBR.txt"

Nothing.... but based on the screenshot I posted earlier, I'm pretty sure something's going on... wtf is port 41 for anyway?

Also, it's NOT my external IP listed in wireshark.


Edited by Partikkeli, 26 December 2013 - 12:40 PM.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:02 AM

Posted 26 December 2013 - 12:46 PM

Ok among it's normal use as a data transfer it is a common route for malware..

There must be something deeper than we can see with these tools. Let's get a deeper look. Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Partikkeli

Partikkeli
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 26 December 2013 - 01:03 PM

Well that was probably useless...

 

http://www.bleepingcomputer.com/forums/t/518663/yeah-so-should-i-now-go-waste-myself-or-something/



#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:02 AM

Posted 26 December 2013 - 01:07 PM

Hopefully not....

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 5 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users