Constant attempts to access malware IPs
#91
Posted 08 July 2010 - 12:53 PM
#92
Posted 08 July 2010 - 01:57 PM
OK, well there goes that hope. From what we know now it very probably is a program, and one that is disabled in safe mode, but not in clean boot mode.
Can you please upload this file to virustotal:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Please click this link-->Jotti
When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.
C:\windows\br.dll
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
Please also go through your uninstall list and remove programs you no longer need. I see several installs of Netscape, for example, whose development was stopped some time in 2007.
regards myrti
Edited by myrti, 08 July 2010 - 01:59 PM.
#93
Posted 08 July 2010 - 03:54 PM
#94
Posted 08 July 2010 - 09:36 PM
Very sneaky!
#95
Posted 09 July 2010 - 01:22 PM
Coming back to an earlier idea: you said you had tried Process Monitor. Do you remember if iExplore.exe did not show up at all, or if it only showed up as a started process?
Could you please post the "additional information" from the br.dll upload? It should have the MD5, which gives us a possibility to identify the file.
regards myrti
#96
Posted 09 July 2010 - 03:55 PM
I've been out all day fixing OTHER people's virus problems. Just good old fashioned rootkits, host hijacks, and registry corruptions.
Back to my little nightmare...
Here's the br.dll info:
File size: 1846 bytes
Filetype: Windows Registry text (Win95 or above)
MD5: 2636c65ff73a1573445f0a6e36d5e3e1
SHA1: 75d3e0c75a5452a64ec97bf1c344f63d8322158a
None of it matches known malware versions of br.dll.
Regarding Process Monitor - iexplore.exe does appear, frequently. Unfortunately, I can't figure out how to trace the requesting dll that's calling it.
#97
Posted 09 July 2010 - 04:44 PM
Download Bootkit Remover to your desktop.
Note: This is a rar file; if you do not have a program to open it, then download and install Peazip.
- Extract Remover.exe to your desktop
- Double click Remover.exe to run it
- It will show a Black screen with some data on it
- Right click on the screen and select > Select All
- Press Control + C <--- This will copy the contents of the screen to your clipboard.
- Go to Start > Run > Notepad.exe (followed by enter) and press Control + V to paste the contents of your clipboard into the notepad window.
- Post the resultant log here please.
Please also download Process Monitor again, restore iexplore to its original name and run a scan until mbam blocks an outgoing connection:
Please download ProcessMonitor and save it to your desktop.
Next please unzip it and run it by double-clicking; when asked, please accept their license agreement.
Once the program is opened, please click on Filter and then on Filter... again. A window will open. In that window, from the dropdown menus choose:
First Operation, then is not, then type CreateFile and finally choose Exclude. When done, please click Add.
Repeat the same for the following Entries:
- Event Class is Process then Exclude. When done, please click Add.
- Event Class is Registry then Exclude. When done, please click Add.
- Event Class is Profiling then Exclude. When done, please click Add.
Go to Edit and click on Clear Display.
The program should now be logging every created file on your system.
Now go to my pictures and delete the recently changed folder.
Once the pictures have reappeared please select File->Save. For Events to save check Events displayed using current filter. For Format please select Comma-Separated Values (CSV).
Select a path of your choice and hit OK
Please zip the file and attach it to your next reply.
regards myrti
Edited by myrti, 09 July 2010 - 04:50 PM.
#98
Posted 10 July 2010 - 08:56 AM
Here's the log from Remover, as well as the additional info about the drive it didn't recognize the boot info from.
Not sure I understand your instructions:
Now go to my pictures and delete the recently changed folder.
Once the pictures have reappeared please select File->Save. For Events to save check Events displayed using current filter. For Format please select Comma-Separated Values (CSV).
My pictures? Recently changed folder? Am I missing something?
Anyway, here are the logs:
Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\D: -> \\.\PhysicalDrive1
MD5: 5d9594a33e2f887568d746c37788d009
\\.\E: -> \\.\PhysicalDrive0
\\.\F: -> \\.\PhysicalDrive0
\\.\G: -> \\.\PhysicalDrive0
\\.\H: -> \\.\PhysicalDrive0
\\.\I: -> \\.\PhysicalDrive0
\\.\J: -> \\.\PhysicalDrive1
\\.\K: -> \\.\PhysicalDrive1
\\.\L: -> \\.\PhysicalDrive1
\\.\M: -> \\.\PhysicalDrive1
\\.\N: -> \\.\PhysicalDrive1
\\.\Q: -> \\.\PhysicalDrive2
MD5: 6def5ffcbcdbdb4082f1015625e597bd
\\.\W: -> \\.\PhysicalDrive3
MD5: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
74 GB \\.\PhysicalDrive1 Unknown boot code
465 GB \\.\PhysicalDrive2 OK (DOS/Win32 Boot code found)
149 GB \\.\PhysicalDrive3 OK (DOS/Win32 Boot code found)
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Press any key to quit...
Drive 1:
00000010: bf 1b 06 50 57 b9 e5 01 f3 a4 cb bd be 07 b1 04 | ...PW...........
00000020: 38 6e 00 7c 09 75 13 83 c5 10 e2 f4 cd 18 8b f5 | 8n.|.u..........
00000030: 83 c6 10 49 74 19 38 2c 74 f6 a0 b5 07 b4 07 8b | ...It.8,t.......
00000040: f0 ac 3c 00 74 fc bb 07 00 b4 0e cd 10 eb f2 88 | ..<.t...........
00000050: 4e 10 e8 46 00 73 2a fe 46 10 80 7e 04 0b 74 0b | N..F.s*.F..~..t.
00000060: 80 7e 04 0c 74 05 a0 b6 07 75 d2 80 46 02 06 83 | .~..t....u..F...
00000070: 46 08 06 83 56 0a 00 e8 21 00 73 05 a0 b6 07 eb | F...V...!.s.....
00000080: bc 81 3e fe 7d 55 aa 74 0b 80 7e 10 00 74 c8 a0 | ..>.}U.t..~..t..
00000090: b7 07 eb a9 8b fc 1e 57 8b f5 cb bf 05 00 8a 56 | .......W.......V
000000a0: 00 60 bb aa 55 b4 41 cd 13 72 0b 81 fb 55 aa 75 | .`..U.A..r...U.u
000000b0: 05 f6 c1 01 75 49 61 8a 56 00 b4 08 cd 13 72 23 | ....uIa.V.....r#
000000c0: 8a c1 24 3f 98 8a de 8a fc 43 f7 e3 8b d1 86 d6 | ..$?.....C......
000000d0: b1 06 d2 ee 42 f7 e2 39 56 0a 77 4e 72 05 39 46 | ....B..9V.wNr.9F
000000e0: 08 73 47 b8 01 02 bb 00 7c 8b 4e 02 8b 56 00 cd | .sG.....|.N..V..
000000f0: 13 73 38 4f 74 35 32 e4 8a 56 00 cd 13 eb e4 61 | .s8Ot52..V.....a
00000100: 60 6a 00 6a 00 ff 76 0a ff 76 08 6a 00 68 00 7c | `j.j..v..v.j.h.|
00000110: 6a 01 6a 10 b4 42 8b f4 cd 13 61 61 73 0d 4f 74 | j.j..B....aas.Ot
00000120: 0a 32 e4 8a 56 00 cd 13 eb d6 f9 c3 49 6e 76 61 | .2..V.......Inva
00000130: 6c 69 64 20 70 61 72 74 69 74 69 6f 6e 20 74 61 | lid partition ta
00000140: 62 6c 65 00 45 72 72 6f 72 20 6c 6f 61 64 69 6e | ble.Error loadin
00000150: 67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 | g operating syst
00000160: 65 6d 00 4d 69 73 73 69 6e 67 20 6f 70 65 72 61 | em.Missing opera
00000170: 74 69 6e 67 20 73 79 73 74 65 6d 00 00 00 00 00 | ting system.....
00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001b0: 00 00 00 00 00 2c 44 63 85 bd 85 bd 00 00 80 01 | .....,Dc........
000001c0: 01 00 0c fe ff ff 3f 00 00 00 f6 33 95 01 00 fe | ......?....3....
000001d0: ff ff 0f fe ff ff 35 34 95 01 8c b0 bb 07 00 00 | ......54........
000001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa | ..............U.
512 bytes written to drive1.txt
Press any key to quit...
Please let me know about that instruction regarding the My Pictures folder. Thanks!
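Decoding the Bootkit Remover dump above, as an added example that is not part of the thread or of the eSage tool: it rebuilds the sector from the "offset: bytes" lines, decodes the partition table and the 0x55AA boot signature, and checks for the stock MBR error strings visible in the ASCII column. The embedded lines are copied from the PhysicalDrive1 dump posted above (tail only); the tool's "Unknown boot code" verdict concerns the bootstrap code itself, which this script does not classify.

```python
import re
import struct

# Constructed from the Bootkit Remover dump posted above (PhysicalDrive1):
# only the lines carrying the error strings and the partition table are kept.
DUMP = """\
00000120: 0a 32 e4 8a 56 00 cd 13 eb d6 f9 c3 49 6e 76 61 | .2..V.......Inva
00000130: 6c 69 64 20 70 61 72 74 69 74 69 6f 6e 20 74 61 | lid partition ta
00000140: 62 6c 65 00 45 72 72 6f 72 20 6c 6f 61 64 69 6e | ble.Error loadin
00000150: 67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 | g operating syst
00000160: 65 6d 00 4d 69 73 73 69 6e 67 20 6f 70 65 72 61 | em.Missing opera
00000170: 74 69 6e 67 20 73 79 73 74 65 6d 00 00 00 00 00 | ting system.....
000001b0: 00 00 00 00 00 2c 44 63 85 bd 85 bd 00 00 80 01 | .....,Dc........
000001c0: 01 00 0c fe ff ff 3f 00 00 00 f6 33 95 01 00 fe | ......?....3....
000001d0: ff ff 0f fe ff ff 35 34 95 01 8c b0 bb 07 00 00 | ......54........
000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa | ..............U.
"""
LINE_RE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16}) \|")
STOCK_MESSAGES = (b"Invalid partition table", b"Error loading operating system",
                  b"Missing operating system")

def parse_dump(text):
    # Rebuild a 512-byte sector; lines missing from the dump stay zero.
    sector = bytearray(512)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            off = int(m.group(1), 16)
            data = bytes.fromhex(m.group(2).replace(" ", ""))
            sector[off:off + len(data)] = data
    return bytes(sector)

def parse_mbr(sector):
    # Four 16-byte partition entries at 0x1be; boot signature 0x55AA at 0x1fe.
    parts = []
    for i in range(4):
        start = 0x1be + 16 * i
        e = sector[start:start + 16]
        lba, count = struct.unpack("<II", e[8:16])
        if e[4]:  # partition type 0 marks an unused slot
            parts.append({"index": i, "bootable": e[0] == 0x80, "type": e[4],
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[0x1fe:] == b"\x55\xaa",
            "disk_signature": struct.unpack("<I", sector[0x1b8:0x1bc])[0],
            "stock_messages": all(s in sector for s in STOCK_MESSAGES),
            "partitions": parts}

if __name__ == "__main__":
    print(parse_mbr(parse_dump(DUMP)))
```

On the posted dump this yields two contiguous partitions (type 0x0c FAT32 LBA, bootable, and type 0x0f extended LBA) totalling roughly 74 GiB, which matches the drive size the tool reported.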
#99
Posted 10 July 2010 - 10:26 AM
Not sure how those instructions crept in there. Please ignore that. Just keep the logging up until mbam blocks an outgoing iexplore connection.
The bootkit scanner found nothing wrong with your booted mbr; however, something seems wrong with the second hard drive containing your partition D:\.
Do you have an alternative OS installed on that drive?
regards myrti
#100
Posted 10 July 2010 - 11:10 AM
I can't attach the log, because it's bigger than 100k. It shows that Iexplore.exe started and did various things. When I checked my running processes, it was not listed, so it must have done whatever nefarious thing it wanted to and then exited. I started Process Blocker again so that it can't start.
You can download the log from this link:
logfile
Please let me know what you find, and thanks for the continuing help!
#101
Posted 10 July 2010 - 12:08 PM
If you haven't rebooted yet, please do the following:
Please download Process Explorer: http://technet.micro...s/bb896653.aspx
Extract it to your desktop and launch it by double-clicking. It is a more advanced task manager of sorts. It should show you which files are executed by svchost.exe; from the log this should include iexplore.exe. Hovering over the svchost.exe should give you more information as well.
Please provide the information shown when hovering over it, especially for the process with PID 5824. (Let me know if that PID is not assigned or does not belong to a svchost.exe.)
regards myrti
#102
Posted 11 July 2010 - 01:43 PM
I set Comodo to block iexplore, stopped Process Blocker, and am waiting for Iexplore to start again. This time, I'll look for the svchost, and hopefully it will have the same PID.
I'm attaching the logs in a zip file.
#103
Posted 11 July 2010 - 04:30 PM
No, they won't have the same PID. You will probably need to check with Process Monitor again.
From the log you gave me it appears:
"12:55:07.3691736","svchost.exe","5824","QueryNameInformationFile","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS","Name: \Program Files\Internet Explorer\iexplore.exe"
"12:55:07.3694153","svchost.exe","5824","CloseFile","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS",""
"12:55:07.3694306","svchost.exe","5824","IRP_MJ_CLOSE","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS",""
"12:55:07.3696393","cmdagent.exe","1668","CreateFile","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"12:55:07.3704082","cmdagent.exe","1668","CloseFile","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS",""
"12:55:07.3704197","cmdagent.exe","1668","IRP_MJ_CLOSE","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS",""
"12:55:07.3808108","IEXPLORE.EXE","4676","QueryNameInformationFile","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS","Name: \Program Files\Internet Explorer\iexplore.exe"
It appears as if it might be svchost.exe opening iexplore (and then being checked by comodo before starting the process). You will see that iexplore and svchost have different PIDs too, so you will need to check for the one from svchost.
PIDs change with every reboot, so you need to run a new scan with process monitor, I'm afraid.
regards myrti
#104
Posted 11 July 2010 - 11:12 PM
Tricky, indeed. When it couldn't connect, I did notice that the source port was different every time. I looked at the Comodo log and saw that. I'm going to keep it going and see if I can find the source.
Any ideas on how I can filter Process Monitor so that it will only capture both the iexplore process and the svchost that initiates it? That way, I can find the PID for it.
Bet you haven't run into something like this for a while. I stopped my GTG studies since this started, because I figured if I could get this sorted out, everything else would be a breeze!
#105
Posted 12 July 2010 - 06:05 AM
Think I should clear my hosts file to see where it's actually trying to go?