Unexplained Network activity.

#1
IO-error

IO-error

    Member

  • Member
  • PipPipPip
  • 276 posts
Hi fellow geeks.

My computer has been showing some strange network activity and I ran Microsoft Network Monitor to see what it was.
Turns out my computer connects to a lot of IP-addresses endlessly.
I'm sure I'm infected, but nothing I found on this forum actually helped me.

I'm willing to go through steps, but as of now, nothing has found which executable or source this infection has.
All I can get is the following information, no matter what I do.

Note, all of them have different starting port, but the same destination port.



I traced some of them and I noticed they come from all over the world, Haiti, Japan, Bulgaria, etcetera.
Whois lookup resulted in the same outcome.


I also posted about this several months ago, but it was resolved temporarily after I reinstalled my OS.
It was then suggested that it might be programs trying to update, which is obviously bogus.

I tried several deep scanners, but nothing can decipher the packages that were sent.
Thanks in advance, I hope somebody has some hints and tips on this super-hidden infection.

Edited by IO-error, 04 May 2011 - 10:27 PM.

  • 0



#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.

Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Close all programs including the browser you use to read this then:

Start, (All) Programs, Accessories, Command Prompt (Vista or Win 7 => right click on Command Prompt and Run As Administrator)


netstat -rn > \junk.txt

notepad \junk.txt


Copy and paste the text from notepad.

Ron
  • 0

#3
IO-error

IO-error

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 276 posts
I'm terribly annoyed by the fact the network activity has now disappeared just as soon as it came.
Maybe it silently uninstalled itself, like you can do with those Remote Administration Tools (RAT).

I'm sure it was such an attack, as I have quite some experience with it myself and am familiar with how the traffic looks in Task Manager (when the upload and download graphs are individually enabled and the total network load graph disabled).

I enclosed the documents you requested anyhow, because I feel unsure whether I'm clean or not.
There's a service installed, also enclosed as a jpg. The bottom part of the service properties is left out, because it holds no useful info.
The service is disabled and the file isn't there.

There was, however, a file called "GkSui18.EXE". I've sent it to virustotal.com and they say it's clean.
It really is NOT clean and it's the culprit. I removed it now, together with two files with the extension .rat. :)

I zipped up the files you requested and the things I found, I'll PM you the password of the zip. The reason there's a password on it is simple, I like my privacy and power to control who knows what about me.
Unfortunately, that power has been compromised by individuals who believe they have the right to install junk on my property and listen/view my webcam and control my files.

I also found two weird files in windows\system32 which I can't upload anywhere, it'll crash the browser. They also can't be packed, renamed or removed. No shortcuts can find them either.
7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

***EDIT***
I should mention that I checked the CPU-usage graphs extensively and found no unexplained resources being lost to hidden programs.
I tested this with 4 distributed computing programs to fully utilize the CPU. (got a quadcore)
When I was infected the previous time, the pc also couldn't keep the CPU stable, meaning it was spending those lost cycles on hidden programs.

When I turn the DC programs off, the CPU shows no usage. But it can't keep the load effectively at 100%, which it could do without a problem before the infection started.

Attached Files

  • Attached File  OTL.zip   248.46KB   140 downloads

Edited by IO-error, 05 May 2011 - 09:52 AM.

  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
GkSui18.EXE is a standard windows file from Microsoft. I've seen it used to uninstall some odd programs usually associated with Distributed Computing:
http://[email protected]

7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

are also standard windows files. I see them all the time and they don't hurt anything. The .rat files were something important. It may have something to do with your windows license since you are now getting:
Error - 1-5-2011 19:36:47 | Computer Name = System | Source = Winlogon | ID = 4103
Description = Het activeren van de licentie van Windows is mislukt. Fout 0x80070005. You will need to get this fixed. A System Restore might do it, otherwise you will need to try and reactivate your software, which may require a phone call to Microsoft.

Another harmless use of the .rat extension: http://file-extensio...e-Extension-rat

No idea what your missing service does. I'd make sure it has Startup Type: Disabled just in case the exe file is just hiding somewhere.

What I think you are seeing is a distributed computing program doing its thing and talking to a bunch of other computers. Near as I can tell this is supposed to use your idle cpu cycles to do its thing so I'm not surprised that it runs and hides when you start to use the PC. For someone as paranoid as you are I don't understand why you are allowing Muon Cockpit, µTorrent, and Unreal Tournament 2004.

Install the free Online Armor firewall. It will prevent a lot of attacks and will alert you if something tries to go out. http://www.online-armor.com/


I think there is also something that is not happy with SuperAntiSpyware:
Error - 1-5-2011 19:13:33 | Computer Name = System | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = De service Cryptografische services is mislukt tijdens het verwerken
van aanroep OnIdentity() op het object System Writer. Details: AddLegacyDriverFiles:
Unable to back up image of binary SASDIFSV. System Error: Het systeem kan het opgegeven
bestand niet vinden. .

Error - 1-5-2011 19:13:33 | Computer Name = System | Source = Microsoft-Windows-CAPI2 | ID = 513
Description = De service Cryptografische services is mislukt tijdens het verwerken
van aanroep OnIdentity() op het object System Writer. Details: AddLegacyDriverFiles:
Unable to back up image of binary SASKUTIL. System Error: Het systeem kan het opgegeven
bestand niet vinden. .

Then it looks like some game you have is not happy:

ShippingPC-SanctumGame.exe


Looks like you have done something to the Function Discovery
Provider Host-service which means the HomeGroup Provider-service can't run. If you don't want the HomeGroup Provider-service to run then change its StartupType to Disabled.

Error - 4-5-2011 19:11:03 | Computer Name = System | Source = Service Control Manager | ID = 7001
Description = De HomeGroup Provider-service is afhankelijk van de Function Discovery
Provider Host-service, die vanwege de volgende fout niet kan worden gestart: %%1058

IF you still think you are infected then:

Use IE or Firefox and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.


Also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

Malwarebytes' Anti-Malware
If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy.

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Rightclick on Malwarebytes' Anti-Malware and select Run As Administrator to start and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here if it finds anything.

No more attachments. It's too hard to work with them and there is nothing in your logs that's sensitive.

Ron
  • 0

#5
IO-error

IO-error

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 276 posts
If those files are standard windows files, then why do they keep getting changed every 2-3 seconds, at the same time as the data transfers?
It's too suspicious.

What I think you are seeing is a distributed computing program doing its thing and talking to a bunch of other computers. Near as I can tell this is supposed to use your idle cpu cycles to do its thing so I'm not surprised that it runs and hides when you start to use the PC.


Believe me, I know more about it than that...
I start the programs myself and see their usage in the process list.
It used to do its work at full 100% CPU-usage without a hiccup.

The hiccups are caused by the hidden program, not the distributed computing project itself, as it has worked flawlessly on many clients 24/7 for years (at 99-100% cpu-usage).
The program itself does not communicate with other clients. It's Muon1.exe from the Large Hadron Collider-project from CERN. http://stephenbrooks.org/muon1/
The only time it'll connect to the internet is when it needs new lattices and send results and it'll get the URL from the config.txt.


Looks like you have done something to the Function Discovery
Provider Host-service which means the HomeGroup Provider-service can't run. If you don't want the HomeGroup Provider-service to run then change its StartupType to Disabled.

I forgot to disable that homegroup listener and a few others after I did the system restore, thanks for spotting that.

Yeah, I must be paranoid if I download with µTorrent, play Sanctum, check my results with Muon Cockpit and play UT2004.
For somebody as paranoid as I am, it sure is suspicious behavior that the random spikes and hiccups stop when I scan it with a popular scanner and don't come back for exactly 7 minutes and 27 seconds each time. :unsure:

The website that let me scan did the same thing as all other scanners.
Find nothing and disable the virus and with that, the CPU-usage and network traffic, for 7 minutes and 27 seconds.
I'm gonna write a script for that, lol.

Thanks for the help so far, it's really heading the right way.
Really, I appreciate your help and I downloaded the other programs, the logs are coming soon.
I'll stop with the attachments, btw :).


***EDIT***
As stated before, the Bitdefender found nothing.

Neither did MBAM:
Scantype: Quick Scan
Objects scanned: 135382
Elapsed Time: 2 minutes, 9 seconds

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0


I have a valid reason for being paranoid. I've made such programs myself, so I know how hidden they are.
It's just a new development that their packages can't be deciphered.

Edited by IO-error, 05 May 2011 - 12:37 PM.

  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
utorrent is a P2P program which means you are getting files from other people's pcs and letting them get files from you. There is no guarantee that their PC is not infected nor that the file itself is what it is supposed to be. P2P programs are the major sources of infections.

Any kind of distributed computing program where you do not control all of the computers is a security danger.

You are aware that you have Logmein on this PC are you not?

"Yeah, I must be paranoid if I allow download with µTorrent, play Sanctum, check my results with Muon Cockpit and play UT2004."

You misunderstand. A true paranoid would be more security conscious than to take those risks.


Have you tried GMER?

Download GMER from http://www.gmer.net/download.php Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingcomputer.com/forums/topic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Download aswMBR.exe ( 511KB ) to your desktop.

Also aswMBR:

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply

Unless SuperAntiSpyware has added anti-virus I do not see one on your PC.

Install the free Avast! Their boot-time scan is one of the best in the business:

http://www.avast.com...ivirus-download

Download, Save, and right click and Run As Administrator.

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows.

Ron
  • 0

#7
IO-error

IO-error

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 276 posts
Thank you for your help in your free time.
I should have said, in my first post, that I'm not the average computer user; I have done proper schooling and have worked in a computer store for a year.
It might have shaped a different opinion about me.

I am cautious what programs I run and use virustotal and various others, frequently, if not daily.
Most games that I download have been verified by hundreds others and I keep track of what my network traffic does after I install something.
If something shows up, I simply re-install Win7 and let my post-install script do the settings and such.

I keep track of CPU-stability and lost resources, such as CPU and RAM.
And I was looking really hard for a rootkit scanner, thanks a lot! I'm gonna test it out right now.
I'm getting more and more interested in how the hell my system got infected, that's why I'm not reinstalling yet.
If nothing turns up, then I guess it's another reinstall of Win7.

Any kind of distributed computing program where you do not control all of the computers is a security danger.

Nah, I understand why people are wary about distributed computing programs, but I know Muon1.exe can't behave like that, because it really doesn't connect to the internet unless you trigger it. And that's a million users talking there, not just me.

You are aware that you have Logmein on this PC are you not?

In short: Yes.
LogMeIn is built into hamachi². It's also generating a lot of traffic, 1 MB an hour, but I know the packages being sent and they showed up perfectly at <HAMACHI>.
The packages that were being sent to the IP-Addresses from the first post were not from hamachi, the ones showing up in <UNKNOWN> that DO come from hamachi are always in the 5.255.255.255 range.
There are only a few IP-addresses in my hamachi server, which is just a group of 4 friends.


"Yeah, I must be paranoid if I allow download with µTorrent, play Sanctum, check my results with Muon Cockpit and play UT2004."

You misunderstand. A true paranoid would be more security conscious than to take those risks.


I run all programs and games in a sandbox, called Sandboxie.
It's the best way to prevent being hijacked in this manner. That's why I find it extremely strange that I am infected.
Any game that refuses to play in a sandbox is a game I won't play, as I don't even trust them to put clean files on the discs.
Remember the companies and countries that placed rootkit installers, keyloggers and crap on the USB-sticks they gave as relation gifts?

http://msmvps.com/bl...uscert2010.aspx
http://www.guru3d.co...ted-usb-sticks/

I'm waiting for the first game-company who accidentally puts the stuxnet worm in a game that's aimed for nuclear powerplant co-workers in Iran. :)
(Joking of course ... I would never play games that are made for co-workers of nuclear powerplants in Iran.)

With a sandbox like Sandboxie, it's pretty much impossible for something to leak out of it and get into the Windows installation.
All paths the program can call will be redirected to inside the sandbox, as will all program calls and DLL calls; program creation, booting, termination and examination will be redirected to paths inside the sandbox. And seriously, Sandboxie should be a recommended program by Geekstogo and should be examined to see if it can help prevent the rapid spread of malware.

I tried quitting the sandbox (as it could be holding the malware in question), but that didn't help. That means either it has leaked out, or nothing I opened in the sandbox was infected.

I know the Avast you mentioned, but I only install it when I need it, and it didn't find anything, so I uninstalled it again. I do this weekly as I don't like the way the current anti-virus programs all cling onto your files and slow file transfers down in Win7 by quite a lot.


I'm really thankful for your help and I will write back with the results of GMER and aswMBR tomorrow, it's late over in the Netherlands.

***EDIT***
I forgot to mention that I did close down ALL programs and the services that go with them while that strange network traffic occurred.
And I just had a BSoD when the Avast was done installing.

Edited by IO-error, 05 May 2011 - 04:23 PM.

  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
You might be interested in TCPView:

http://technet.micro...ernals/bb897437 It should show you who you are talking to in a lot more detail than that monitor program you had.

Process Explorer might also be of use to you. Process Explorer can probably tell you what program is using the internet. If you right click on a process and select Properties then you usually can find a tab that says TCP/IP and shows who they connect to.

http://live.sysinter...com/procexp.exe

You might also do better if it really is a rootkit with a bootable CD scanner such as AVG's:
http://www.geekstogo...ystem-tutorial/

Ron
  • 0

#9
IO-error

IO-error

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 276 posts
Yep, TCPView is a very helpful program, thank you, it helped me get rid of the source rather fast.
Nothing else I tried worked as fast as this one.

Procexp works fine at first, but it keeps crashing after a week and I need to re-install windows before I can fix that, apparently.
It's already not working anymore, so I gotta wait for that.
I think it keeps conflicting with services it needs.

I'm certainly going to try that bootable CD, right now.
The other programs named yesterday are going to help me a lot as well with future problems.
I will need to be sure, before I re-install Windows 7 again, that my harddisk isn't infected with rootkit malware.
But I

Thanks, I won't forget you.
  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
What was the source by the way?

Some other programs you might find handy along with my usual instructions for users:

Get SIW

http://www.snapfiles.com/get/siw.html

Run it (Vista or Win 7 => Right click and Run As Administrator) and under Hardware look for Sensors. Click on Sensors and look in the right pane there should be some temperature readings. What are they? Watch a video or run a scan for a little bit then look again. Are the temps going up?

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe (Vista or Win 7 => Right click and Run As Administrator)
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.



Process Explorer is usually pretty stable and just came out with an update so you might try it again.

It could be stumbling over a disk error:

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, and restart.

Ron
  • 0
