  1. #1
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Virus infection: My IP address is in the black hole range

    I have an HP pc here which will not connect to the internet. It had something called Awola on it that showed me a win32.blackhole.aa virus, along with a couple of other virii. I have learned that Awola is malware, and it seems to be removed now. Using another pc to download, I ran hijackthis! and removed 13 entries. Now I am able to install firefox and ad-aware without the pc saying the install files are corrupt. However, I am still unable to connect to the net, so ad-aware cannot update (will web update next using my other pc) and spybot cannot install. Obviously I can't get to Trend Micro Housecall.

    What I find interesting is in my network connections, I see my ip is "manually configured" and my ip address is reported by whois? to be in the range of the black hole servers. My IP is reported as 172.18.38.5, with the default gateway being the same except the last number is 1 instead of 5.

    Any suggestions? Thanks in advance.

  2. #2
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Virus infection: My IP address is in the black hole range

    Sounds like you have some other infections there. Can you rename HijackThis, then run it and post a logfile here? Also, can you download SmitfraudFix (scan, clean and post log here), VundoFix (scan and clean) and ComboFix (scan and post log here)?

    Before doing that, run ATF-Cleaner (clean all options) and turn System Restore off and then on again.

    Links can be found here:
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    http://www.atribune.org/content/section/4/30/
    http://www.techsupportforum.com/sect...s/ComboFix.exe

  3. #3
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    Yes, I will do everything you said....tomorrow...lol. Thanks so much Mjolnir, you've been at this a while haven't you? I'm so looking forward to fixing this without wiping the hard drive.
    Out of curiosity, why rename hijackthis? I don't understand that part. Forgive me for being ignorant; I don't keep up with all the pc security topics out there.

  4. #4
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Virus infection: My IP address is in the black hole range

    Some malicious software hides itself from various scanners, including HijackThis. One way to help get around this is to rename HijackThis. Sneaky, eh?

  5. #5
    Joined
    Nov 2004
    Posts
    5,171

    Re: Virus infection: My IP address is in the black hole range

    how do you rename hijack this?
    Max Planck: "A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die."
    Arthur Schopenhauer: "Every truth passes through three stages before it is recognized. First, it is ridiculed. Second, it is opposed. Third, it is regarded as self-evident."
    Martin Niemöller: "When the Nazis came for the communists, I remained silent; I was not a communist. When they locked up the social democrats, I remained silent; I was not a social democrat. When they came for the trade unionists, I did not speak out; I was not a trade unionist. When they came for the Jews, I remained silent; I wasn't a Jew. When they came for me, there was no one left to speak out."

  6. #6
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    Wow ATF Cleaner freed up a gig! I can see your experience has become wisdom! Awesome stuff man, and I'm only through step 1 so far...

    Right-click, rename

    Hey, but my firewall blocks the SmitFraudFix download and says it's a spy site...I guess now I have to go into my firewall and find it and allow it.
    Last edited by nickdank; 02-22-2008 at 03:28 AM.

  7. #7
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    Vundofix found nothing, and Combofix...does it need to be run command-line from dos before windows? I get an error.

    Also....should I be concerned about having this HP connected to my router, with my other PCs? Are they at risk of being infected too?
    Last edited by nickdank; 02-22-2008 at 03:26 AM.

  8. #8
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Re: Virus infection: My IP address is in the black hole range

    Quote Originally Posted by nickdank:
    What I find interesting is in my network connections, I see my ip is "manually configured" and my ip address is reported by whois? to be in the range of the black hole servers. My IP is reported as 172.18.38.5, with the default gateway being the same except the last number is 1 instead of 5.
    This is perfectly normal for any PC connected to a router. The router will have a public IP address assigned on its WAN interface and will use private IP address space on its internal LAN interface. Common IP address space reserved for private use includes the following ranges:

    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

    These are addresses that are not publicly addressable and are reserved for private use (ie, behind domestic NAT routers). Most domestic routers either use the 192.168 range (eg, netgear) or 10.0 range (eg, linksys), but many sysadmins prefer to manually configure in the 172 range for the very reason that it's less commonly used.

  9. #9
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    OK, thanks Ned. I read through that on the IANA site, but I'm used to seeing my IPs always at 192.168.x.x as assigned through DHCP. And this lady, the owner of this PC...I can't imagine her setting up an address manually. She doesn't know much of anything technical about PCs. So with the name of the virus, I thought it might have something to do with that. No word yet on ZoneAlarm blocking that SmitFraudFix site? I didn't see anything new in HJT after renaming it and running it again.

  10. #10
    Joined
    Nov 2004
    Posts
    5,171

    Re: Virus infection: My IP address is in the black hole range

    do you mean rename as in how you'd normally just rename a file?

  11. #11
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Virus infection: My IP address is in the black hole range

    Yes, normal file rename procedure. Highlighting the file and hitting F2 also works.

    Quote Originally Posted by nickdank:
    No word yet on ZoneAlarm blocking that SmitFraudFix site? I didn't see anything new in HJT after renaming it and running it again.
    Highly unlikely. One way to tell would be to shut down ZoneAlarm. By the sounds of your infection, it's more likely to be a bogus HOSTS file designed to block legitimate sites.

    Replace the existing HOSTS file with the one from this site

    C:\WINDOWS\system32\drivers\etc\HOSTS

    When you've done that, open ZoneAlarm, go to Firewall, click the Advanced button and then choose the option to Lock hosts file. Should make it a little bit more difficult for nasty programs to swap the HOSTS file with their own.

    What error do you get with combofix? Please either post a picture of the error or be descriptive. You probably should be trying to run all of these tools in Safe Mode (when starting the PC, press F8 just before the Windows loading bar appears).

    Also I would still like to see the full HijackThis log. Sometimes it can provide clues as to what you've been infected with.

    Also, download AVG Anti-Rootkit Free and run that.

    Probably best if you disconnect the infected PC from the network until you get it cleaned. Use a clean PC to download the tools and then copy them to the infected PC using a USB thumbdrive or perhaps a CD.
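    The bogus-HOSTS-file check described above, as an added example that is not part of this thread or of any tool named in it. The sample HOSTS text and the watch-list of vendor domains are constructed for the example; the lookup mirrors what you would do by eye on C:\WINDOWS\system32\drivers\etc\HOSTS.

```python
"""Flag suspicious entries in a Windows HOSTS file.

Malware sometimes swaps C:\\WINDOWS\\system32\\drivers\\etc\\HOSTS for one that
maps security-vendor domains to a bogus address, so update and download
sites stop resolving. This parses HOSTS-format text and reports entries
that override a watch-listed domain, or that black-hole any other name.
"""
import ipaddress

# Constructed sample (not a capture from the infected PC in the thread):
# one clean localhost line plus hijacked and legitimate overrides.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       housecall.trendmicro.com
172.18.38.1     www.lavasoft.com      # sent to the LAN gateway instead
0.0.0.0         update.microsoft.com
192.168.1.20    intranet.example      # legitimate local override
"""

# Assumed watch-list built from vendors named in the thread; extend as needed.
WATCHLIST_SUFFIXES = ("trendmicro.com", "lavasoft.com", "microsoft.com",
                      "safer-networking.org")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        for name in parts[1:]:
            yield parts[0], name.lower()

def suspicious_entries(text, watchlist=WATCHLIST_SUFFIXES):
    """Return [(ip, hostname, reason)] for entries worth a closer look."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if any(name == s or name.endswith("." + s) for s in watchlist):
            findings.append((ip, name, "watch-listed domain overridden"))
        elif addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "name black-holed to loopback/0.0.0.0"))
    return findings
```

    A loopback mapping for a name that is not on the watch-list is only a lead, since ad-blocking HOSTS files do exactly that on purpose.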

  12. #12
    Joined
    Nov 2001
    Location
    I've moved.....I'm over here now.
    Age
    61
    Posts
    7,290

    Re: Virus infection: My IP address is in the black hole range

    Quote Originally Posted by nickdank:
    OK, thanks Ned. I read through that on the iana site, but I'm used to seeing my ip's always at 192.168.x.x as assigned through dhcp. And this lady, the owner of this pc...I can't imagine her setting up an address manually. She doesn't know much of anything technical about pc's. So with the name of the virus, I thought it might have something to do with that. No word yet on ZoneAlarm blocking that SmitFraudFix site? I didn't see anything new in HJT after renaming it and running it again.
    As an example, many older 2Wire DSL modem/routers use the 172.x.x.x IP range as default.

  13. #13
    Joined
    Oct 2003
    Location
    Dallas, TX
    Posts
    390

    Re: Virus infection: My IP address is in the black hole range

    Here's the HJT log, I'll come back later with the rest of the info.
    Remember, I still can't connect to the net with the HP. My PC has ZoneAlarm on it, and is uninfected as far as I know. It is my PC that blocks the SmitFraudFix site.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:39:45 AM, on 2/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\DOCUME~1\Home\MYDOCU~1\STEM32~1\winword.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Documents and Settings\Home\Desktop\RenameMe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Iaea] "C:\DOCUME~1\Home\MYDOCU~1\STEM32~1\winword.exe" -vt yazb
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1151708376562
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151941461734
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: iPod Service (iPodService) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 5330 bytes
    Last edited by nickdank; 02-24-2008 at 03:36 PM.

  14. #14
    Joined
    Nov 2001
    Location
    I've moved.....I'm over here now.
    Age
    61
    Posts
    7,290

    Re: Virus infection: My IP address is in the black hole range

    This bad boy doesn't belong here:

    O4 - HKCU\..\Run: [Iaea] "C:\DOCUME~1\Home\MYDOCU~1\STEM32~1\winword.exe" -vt yazb

  15. #15
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Virus infection: My IP address is in the black hole range

    Quote Originally Posted by nickdank:
    O4 - HKCU\..\Run: [Iaea] "C:\DOCUME~1\Home\MYDOCU~1\STEM32~1\winword.exe" -vt yazb
    Looks like a Vundo infection. Fix that entry with HijackThis, then restart the PC back into Safe mode and then remove that STEM32~1 folder (only the first 6 characters are likely to be the same when you view it in Windows Explorer). Have you run Vundofix yet? Also AVG Antivirus Free apparently catches that one.

    Here's a page with comprehensive removal instructions for removing some strains of Vundo, including the variant that your PC is infected with:
    http://www.exterminate-it.com/malped...ndo-virtumondo

    What was the error you got with combofix? Try running it again after fixing that Vundo entry. If it still doesn't work, please post the error here.

    As for your PC not getting onto the Smitfraudfix page, can you get through if you disable ZoneAlarm?
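    A small triage script for the O4 lines of a HijackThis log, added here as an example and not part of the thread. The sample lines are constructed after the format of the log posted above (the third one is the entry flagged in the last two replies), and the list of impersonated executable names is an assumption.

```python
"""Triage the O4 (autorun) lines of a HijackThis log.

The flagged entry runs a winword.exe from a short-named folder under My
Documents; real Word lives under Program Files. A familiar executable name
launched from the user profile via an 8.3 path is the shape to look for.
"""
import re

# Constructed sample in the posted log's format; the third line is the
# entry quoted in the thread, the others are benign shapes from the same log.
SAMPLE_O4 = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Iaea] "C:\\DOCUME~1\\Home\\MYDOCU~1\\STEM32~1\\winword.exe" -vt yazb
O4 - HKLM\\..\\Run: [LTMSG] LTMSG.exe 7
"""
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROFILE_DIRS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\")
# Assumed short list of product binaries whose names malware likes to borrow.
IMPERSONATED = {"winword.exe", "excel.exe", "iexplore.exe", "svchost.exe"}

def split_command(cmd):
    """Return (path, args) from an O4 command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def triage_o4(log_text):
    """Return [(name, path, reasons)] for autorun entries with red flags."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path, _args = split_command(m.group("cmd"))
        low = path.lower()
        exe = low.rsplit("\\", 1)[-1]
        reasons = []
        if any(d in low for d in PROFILE_DIRS):
            reasons.append("runs from a user profile folder")
        if "~" in low and "\\progra~1\\" not in low:
            reasons.append("8.3 short path outside Program Files")
        if exe in IMPERSONATED and not low.startswith(("c:\\program files", "c:\\windows")):
            reasons.append("well-known executable name in an unusual location")
        if reasons:
            hits.append((m.group("name"), path, reasons))
    return hits
```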
