
Peerblock alerting me to several ap2p and botnets..


3 replies to this topic

#1 evilfix

Posted 18 February 2015 - 06:31 PM

Hello all

 

I followed the guide from a previous thread.

 

MiniToolBox by Farbar  Version: 30-11-2014
Ran by User (administrator) on 18-02-2015 at 17:23:19
Running from "C:\Documents and Settings\User\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


127.0.0.1       localhost
127.0.0.1     mpa.one.microsoft.com

========================= IP Configuration: ================================

3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX) = Local Area Connection (Disconnected)
VIA Compatable Fast Ethernet Adapter = Local Area Connection 2 (Connected)


# ----------------------------------
# Interface IP Configuration         
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 2"

set address name="Local Area Connection 2" source=static addr=192.168.1.100 mask=255.255.255.0
set address name="Local Area Connection 2" gateway=192.168.1.1 gwmetric=0
set dns name="Local Area Connection 2" source=static addr=192.168.1.1 register=PRIMARY
set wins name="Local Area Connection 2" source=static addr=none


popd
# End of interface IP configuration




Windows IP Configuration



        Host Name . . . . . . . . . . . . : computer_1

        Primary Dns Suffix  . . . . . . . :

        Node Type . . . . . . . . . . . . : Unknown

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection 2:



        Connection-specific DNS Suffix  . :

        Description . . . . . . . . . . . : VIA Compatable Fast Ethernet Adapter

        Physical Address. . . . . . . . . : 00-0C-76-5C-B0-DF

        Dhcp Enabled. . . . . . . . . . . : No

        IP Address. . . . . . . . . . . . : 192.168.1.100

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.1.1

        DNS Servers . . . . . . . . . . . : 192.168.1.1

Server:  DD-WRT
Address:  192.168.1.1

Name:    google.com
Addresses:  173.194.64.113, 173.194.64.139, 173.194.64.102, 173.194.64.100
      173.194.64.101, 173.194.64.138



Pinging google.com [173.194.64.138] with 32 bytes of data:



Reply from 173.194.64.138: bytes=32 time=34ms TTL=46

Reply from 173.194.64.138: bytes=32 time=34ms TTL=46



Ping statistics for 173.194.64.138:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 34ms, Maximum = 34ms, Average = 34ms

Server:  DD-WRT
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  206.190.36.45, 98.138.253.109, 98.139.183.24



Pinging yahoo.com [98.139.183.24] with 32 bytes of data:



Reply from 98.139.183.24: bytes=32 time=61ms TTL=48

Reply from 98.139.183.24: bytes=32 time=52ms TTL=48



Ping statistics for 98.139.183.24:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 52ms, Maximum = 61ms, Average = 56ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=64

Reply from 127.0.0.1: bytes=32 time<1ms TTL=64



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 76 5c b0 df ...... VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      169.254.0.0      255.255.0.0    192.168.1.100   192.168.1.100      20
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
    192.168.1.100  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255    192.168.1.100   192.168.1.100      20
        224.0.0.0        240.0.0.0    192.168.1.100   192.168.1.100      20
  255.255.255.255  255.255.255.255    192.168.1.100   192.168.1.100      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/16/2015 05:18:12 PM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 1596: fatal: Read from socket failed: Connection reset by peer [preauth]

Error: (02/11/2015 07:56:21 AM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 2656: fatal: Read from socket failed: Connection reset by peer [preauth]

Error: (02/11/2015 07:55:46 AM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 1304: fatal: Read from socket failed: Connection reset by peer [preauth]

Error: (02/11/2015 07:55:27 AM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 3768: fatal: Read from socket failed: Connection reset by peer [preauth]

Error: (02/11/2015 07:54:16 AM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 3920: fatal: Read from socket failed: Connection reset by peer [preauth]

Error: (02/11/2015 07:54:09 AM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 3544: fatal: Read from socket failed: Connection reset by peer [preauth]

Error: (02/11/2015 07:54:00 AM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 3136: fatal: Read from socket failed: Connection reset by peer [preauth]

Error: (02/11/2015 07:53:27 AM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 3032: fatal: Read from socket failed: Connection reset by peer [preauth]

Error: (02/11/2015 07:53:09 AM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 2504: fatal: Read from socket failed: Connection reset by peer [preauth]

Error: (02/11/2015 07:52:58 AM) (Source: sshd) (User: NT AUTHORITY)
Description: sshd: PID 3980: fatal: Read from socket failed: Connection reset by peer [preauth]

 

The above sshd status probably has to do with me disabling the SSH server within Cygwin.

System errors:
=============
Error: (02/18/2015 03:35:27 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%3

Error: (02/18/2015 00:24:18 AM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (02/18/2015 00:03:30 AM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (02/18/2015 00:02:56 AM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%3

Error: (02/17/2015 11:52:20 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (02/17/2015 11:51:48 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%3

Error: (02/17/2015 11:14:36 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (02/17/2015 10:59:35 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%3

Error: (02/17/2015 05:34:36 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%3

Error: (02/16/2015 09:18:56 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%3


Microsoft Office Sessions:
=========================
Error: (01/21/2015 01:51:32 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 3689 seconds with 1140 seconds of active time.  This session ended with a crash.


========================= Memory info: ===================================

Percentage of memory in use: 21%
Total physical RAM: 2303.48 MB
Available physical RAM: 1798.22 MB
Total Pagefile: 2920.51 MB
Available Pagefile: 2224.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.82 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:152.66 GB) (Free:126.5 GB) NTFS
5 Drive h: (My Passport) (Fixed) (Total:465.73 GB) (Free:408.17 GB) NTFS

========================= Users: ========================================

User accounts for \\COMPUTER_1

Administrator            ASPNET                   Guest                    
HelpAssistant            sshd                     SUPPORT_388945a0         
User                     


**** End of log ****
 

TDSSKiller says no threats found.

 

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-02-18 16:24:29
-----------------------------
16:24:29.937    OS Version: Windows 5.1.2600 Service Pack 3
16:24:29.937    Number of processors: 1 586 0x801
16:24:29.937    ComputerName: COMPUTER_1  UserName: User
16:24:32.750    Initialize success
16:24:32.984    VM: initialized successfully
16:24:32.984    VM: Amd CPU virtualization not supported
16:32:34.875    AVAST engine defs: 15021802
16:34:56.359    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:34:56.359    Disk 0 Vendor: Maxtor_4G160J8 DAK019K0 Size: 156334MB BusType: 3
16:34:56.359    Disk 1  \Device\Harddisk1\DR2 -> \Device\0000006b
16:34:56.359    Disk 1 Vendor:   Size: 156334MB BusType: 0
16:34:56.578    Disk 0 MBR read successfully
16:34:56.593    Disk 0 MBR scan
16:34:56.687    Disk 0 Windows XP default MBR code
16:34:56.703    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       156319 MB offset 63
16:34:56.703    Disk 0 default boot code
16:34:56.718    Disk 0 scanning sectors +320143320
16:34:56.984    Disk 0 scanning C:\WINDOWS\system32\drivers
16:35:36.171    Service scanning
16:36:27.859    Modules scanning
16:36:27.859    Disk 0 trace - called modules:
16:36:27.875    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys
16:36:27.875    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d25ab8]
16:36:27.875    3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\0000005f[0x89d43f18]
16:36:27.875    5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89d28940]
16:36:30.656    AVAST engine scan C:\WINDOWS
16:36:40.687    AVAST engine scan C:\WINDOWS\system32
16:51:22.625    AVAST engine scan C:\WINDOWS\system32\drivers
16:51:59.968    AVAST engine scan C:\Documents and Settings\User
17:11:33.171    AVAST engine scan C:\Documents and Settings\All Users
17:12:08.656    Disk 0 statistics 2112525/0/0 @ 0.72 MB/s
17:12:08.656    Scan finished successfully
17:21:07.593    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
17:21:07.593    The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"


17:25:33.875    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
17:25:33.875    The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"

 

On top of all of the above I have also run Vipre Rescue, CCE and ClamWin Portable, all to no avail.

 

 

Any assistance would be appreciated!

 




#2 boopme

  • Global Moderator

Posted 19 February 2015 - 12:12 PM

Hello evilfix, I feel this should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#3 evilfix


Posted 19 February 2015 - 04:41 PM

Working on this now. Look for it in 10 mins or so.

 

Thanks!!

 

Link to the deeper scan:

http://www.bleepingcomputer.com/forums/t/567633/peerblock-alerts-me-to-all-kinds-of-ap2p-and-botnet-ranges-coming-from-my-source/


Edited by evilfix, 19 February 2015 - 04:52 PM.


#4 boopme

  • Global Moderator

Posted 19 February 2015 - 08:47 PM

Very good!!

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.
From this point on, the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 3 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.