Something Going On!

Discussion in 'Malware Help (A Specialist Will Reply)' started by stevegun, Dec 28, 2005.

  1. stevegun

    stevegun Private E-2

    I am convinced that despite running all the relevant scanners and removers, there is something trying to communicate with the internet, as I am constantly being asked (through Zone Alarm) for access to the internet by a variety of programmes including Word/Excel/PowerPoint, and also CCleaner, which asked for access to a specific site IP address.

    I have attached a HT log.

    Any suggestions?

    Many thanks.

    Steve.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  3. stevegun

    stevegun Private E-2

    I have carried out all 7 points you highlighted; the only point of note was the "Bitdefender" scan, where a virus was found in the MWAV scanner, which I have deleted.

    I attach HT and Bitdefender logs for your information.

    Many thanks.

    Steve.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was more than likely a false positive. It probably detected some virus description info in the mwav.exe file.

    Where is the PandaActiveScan log?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O16 - DPF: ppctlcab -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -

    After clicking Fix, exit HJT.

    There are no malware items present in your HJT log. Your comment about programs looking for access to the internet is just normal behavior. Just either allow or deny (as appropriate) and tell your firewall to always take the same action.
     
  6. stevegun

    stevegun Private E-2

    I have carried out the above using HijackThis as you suggest, and note the points you mention about requests from Zone Alarm for access to the internet, although sometimes it is difficult to know whether to say yes or no as I am unaware which are legitimate requests, with some destinations (through Zone Alarm) such as "loopback"!

    I understood from various sources that requests from programmes such as Word/Excel to access the internet could be examples of zombie activity by malware, as programmes such as Word/Excel should never require access to the internet, especially when they are not even running!

    Any comments on the above would be appreciated.

    Many thanks for your help.

    Steve.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it is true that some users will not know whether to allow or deny access to the internet. When in doubt, always deny and tell it to always do the same, to keep the prompt from coming back. You can always just open ZA and change the deny to allow.

    Loopback is just a local IP address for your PC which is 127.0.0.1

    Normally programs like Word/Excel etc. do not require access to the internet, except possibly to check for updates or if you were doing printing over the net. So you can just deny them. If you were getting requests for them while they were not running, that is unusual and perhaps something else is at play. Are you getting requests when they are not running? Are you sure that some application like Office is not running and looking for updates?

    If you had CCleaner set to automatically check for updates, it will obviously need internet access to do that. The same goes for any other program trying to autoupdate.
     
  8. stevegun

    stevegun Private E-2

    Hi,

    Thanks, I have had Word/Excel/PowerPoint ask through ZA for access to the internet before (they are now blocked in ZA) and none were running!

    I had a particularly weird thing the other day when CCleaner asked to access the internet and the IP address was my online bank!! Any ideas on this? Could there be something taking control of programs for malicious intent, and if so, how do I find and remove them? Or was it just a one-off quirk?

    There also seems to be a lot of attempted communication (through ZA but blocked) with a source called "cache1.ntli.net". Is this a legitimate source or something more malicious?

    Many thanks.

    Steve.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it was CCleaner trying to contact your bank? Do you have it in a log?
    CCleaner will only try to look for updates for its own software. I'm now wondering if anything else is hiding. I'm going to give you something else to run further down.

    What direction was the "cache1.ntli.net" communication? You said a source of that URL so I assume it was incoming. Is that correct? If so, you got on someones list at some point before being properly protected. How do you connect to the internet (dial-up, DSL, cable)? And do you use a router?


    Run the below and attach the log:

    Running Ewido Security Suite
     
  10. stevegun

    stevegun Private E-2

    Hi,

    I have done what you suggested - logs attached.

    Yes, the entry for CCleaner was in ZA as outgoing and the destination was the generic IP address of my bank.

    The "cache1.ntli.net" entries in ZA are all incoming (from source 194.168.8.100:53) but blocked by ZA, although interestingly there is an entry for tonite involving Ewido as outgoing with the destination of "cache1.ntli.net" which was allowed. Most entries on ZA relate to "cache1.ntli.net" (lots) or "loopback".

    I am on Broadband, although only for the last month or so, was on dial-up prior to that.

    I connect straight to Broadband and don't have a router, although I understand from others that using one would reduce the incidence of being infected. If that is so, do you have any instructions or guidance on what I need?

    Many thanks.

    Steve.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When and why did you enable Spybot's Teatimer? Disable it and then use HJT to fix the below lines that I asked you to fix earlier in message # 5. They are still here.
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O16 - DPF: ppctlcab -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -

    Then reboot and post a new HJT log.

    Yes a router is a very good idea. You should get one.
     
  12. stevegun

    stevegun Private E-2

    Hi,

    Unsure when I enabled Spybot's Teatimer; I have disabled it and will leave it off. My apologies.

    Have done what you asked and new HJT log attached.

    Many thanks.

    Steve.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's better! Are you still having any problems?

    I have a feeling that "cache1.ntli.net" may be related to your ISP. Are the messages being sent ICMP traffic? That's called a ping. Sometimes your ISP will ping you to see if your connection is active. The actual URL may be more than just "cache1.ntli.net".
     
  14. stevegun

    stevegun Private E-2

    Hi,

    Unsure how to find out where "cache1.ntli.net" originates; any ideas how I might find out? A sample copied from the ZA alert is:
    Description Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (194.168.8.100:DNS).
    Rating Medium
    Date / Time 2006/01/01 15:25:14-0:00 GMT
    Type Program Access
    Program svchost.exe
    Source IP 194.168.8.100:53
    Destination IP
    Direction Incoming (accept)
    Action Taken Blocked
    Count 1
    Source DNS cache2.ntli.net
    Destination DNS

    - although that was just one, these are quite frequent!

    With regards to the router, I am looking at getting a Netgear DG834G, 54 Mbps, ADSL, Firewall Router. Not sure if you are familiar with this model in the US; if you are, I would appreciate any comments you might have as to its suitability as a router/firewall?

    Many thanks.

    Steve.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Similar to what I suspected, it is your ISP's Domain Name Server.

    194.168.8.100 is probably the IP address of your PC and the port (53) is for a DNS.

    See: http://www.linklogger.com/TCP53.htm
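    The alert pasted in post #14 and the verdict in post #15 amount to a small triage rule: an incoming packet from source port 53 of the resolver your PC is configured to use (what `ipconfig /all` lists under DNS Servers) is a DNS reply, loopback entries never leave the machine, and an outbound request from a program with no routine network need is the one worth a closer look. The script below is an added example written for this page, not the poster's or ZoneAlarm's code. It parses alert records of the shape shown in post #14 and classifies them offline. The resolver list, the "no network need" program list, and all sample records except the first (which mirrors the post) are constructed assumptions.

```python
"""Offline triage of ZoneAlarm-style alert records (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASSUMPTION: resolvers this PC is configured to use, as `ipconfig /all`
# would list them. 194.168.8.100 is the address seen in the thread; the
# second entry is made up to show a list.
CONFIGURED_RESOLVERS = {"194.168.8.100", "194.168.4.100"}

# ASSUMPTION: programs with no routine reason to open network connections.
NO_NETWORK_NEED = {"winword.exe", "excel.exe", "powerpnt.exe"}

# One "Label  value" pair per line; labels taken from the pasted alert.
_FIELD = re.compile(
    r"^(Program|Source IP|Destination IP|Direction|Action Taken|Source DNS)\s+(.*)$"
)


@dataclass
class Alert:
    program: str
    direction: str          # e.g. "Incoming (accept)"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    action: str
    source_dns: str


def _endpoint(text: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port' into (ip, port); port is None when absent."""
    host, sep, port = text.strip().rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return text.strip(), None


def parse_alert(block: str) -> Alert:
    """Parse one pasted alert; missing fields become empty strings."""
    fields = {}
    for raw in block.strip().splitlines():
        m = _FIELD.match(raw.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    src_ip, src_port = _endpoint(fields.get("Source IP", ""))
    dst_ip, dst_port = _endpoint(fields.get("Destination IP", ""))
    return Alert(fields.get("Program", ""), fields.get("Direction", ""),
                 src_ip, src_port, dst_ip, dst_port,
                 fields.get("Action Taken", ""), fields.get("Source DNS", ""))


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:          # empty or malformed address
        return False


def classify(a: Alert) -> str:
    """Return 'category: explanation' for one alert."""
    incoming = a.direction.lower().startswith("incoming")
    if _is_loopback(a.src_ip) or _is_loopback(a.dst_ip):
        return "loopback: stays on 127.0.0.1 and never reaches the internet"
    if incoming and a.src_port == 53:
        if a.src_ip in CONFIGURED_RESOLVERS:
            return "dns-reply: answer from your configured resolver; benign noise"
        return "dns-unexpected: port-53 reply from a resolver you did not configure"
    if not incoming and a.program.lower() in NO_NETWORK_NEED:
        return f"review: outbound from {a.program} to {a.dst_ip}; was it running?"
    return "unclassified: decide per program and destination"


def triage(blocks: List[str]) -> List[Tuple[str, str]]:
    """Classify several pasted alerts; returns (program, verdict) pairs."""
    return [(parse_alert(b).program, classify(parse_alert(b))) for b in blocks]


# Sample records. The first mirrors post #14; the others are constructed.
SAMPLE_DNS_REPLY = """
Type Program Access
Program svchost.exe
Source IP 194.168.8.100:53
Destination IP
Direction Incoming (accept)
Action Taken Blocked
Source DNS cache2.ntli.net
"""
SAMPLE_LOOPBACK = """
Program someapp.exe
Source IP 127.0.0.1:1036
Destination IP 127.0.0.1:1035
Direction Outgoing (connect)
Action Taken Allowed
"""
SAMPLE_OFFICE_OUT = """
Program winword.exe
Source IP 192.168.1.10:2345
Destination IP 203.0.113.7:80
Direction Outgoing (connect)
Action Taken Blocked
"""
```

    Run `triage([SAMPLE_DNS_REPLY, SAMPLE_LOOPBACK, SAMPLE_OFFICE_OUT])` to see the three verdicts; the only alert it flags for follow-up is the outbound one from a program that should not be talking to the network, which matches the advice in post #7 to deny such requests and then confirm whether the program was actually running.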
     
  16. stevegun

    stevegun Private E-2

    OK, thanks, that's a relief!

    Hopefully once I have the router in place I will see less of the nasties in the first place, although I will continue to regularly use and update the utilities I have.

    Many thanks for all your help!

    Steve.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  18. stevegun

    stevegun Private E-2

    I will - many thanks.

    Steve.
     
