Author Topic: I'm INFECTED !


rocketman3291

  • Guest
I'm INFECTED !
« on: February 29, 2008, 12:06:32 AM »
I have been running the home version for a couple of months now, and I gotta say, you guys kick buttocks!
This is by far, hands down, the best freebie deal I've seen and I'm very happy with it; however, FYI...

I ummm got infected with something or other and I have no clue how. I can always restore my backup, but I thought I'd see if I can't isolate, identify and remove this bugger.

I'm running XP SP2 with all the updates, have windows firewall turned on, and I'm sitting behind a router, plus a wireless proxy machine, and then another router on the other end before finally getting to the DSL modem.

I have a router with my PC on the LAN side, then out the WAN port to a switch/hub, then from that outside about 130 ft of Cat5 into the proxy server. The proxy server connects wirelessly to a DSL connection 2 blocks away via a Tranzeo Access Point and then through another router before the modem.

The Proxy Server is running Windows 98se with WinProxy 6.1 R1c

A few months ago, I did a fresh install of XP, immediately installed ALL updates, and then installed Avast Home Version, all in one shot. 

Well, this afternoon, I noticed the lights flashing away on my local router right after a fresh reboot, and got curious as to what was causing so much network traffic. I rebooted again, made sure I didn't have anything running that would use the network, and then examined the processes running. I didn't see anything unusual in there, but I terminated ANYTHING that could possibly be connecting. Still, I see lots and lots of traffic... I look in the network properties and see it's like 50 packets per second in and ~50 out.... OK, so now I went to the proxy, flushed all the logs, rebooted, reset all the routers/switches etc., and watched the live view of WinProxy's doings. I am seeing many URLs being requested by the IP of my machine... and my machine is just sitting there idling from a fresh boot, with skeleton processes running.

Here are a few lines from my proxy logs... the date is wrong on them because the clock is off on that old machine out there in the woods.

Code:
192.168.100.10, -, -, N, 2008-03-01, 16:17:42, 1, -, -, sb.google.com, 216.239.51.91, 80, 89, 0, 790, http, -, GET, http://sb.google.com/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12&version=goog-white-domain:1:29,goog-white-url:1:371,goog-black-url:1:18893,goog-black-enchash:1:45611, -, Unknown, 200
192.168.100.10, -, -, N, 2008-03-01, 16:35:57, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 1085, 251, 288, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwywwo0htx9c1qmuye8eo0w4&ad=&to=414&rpo,a4, -, Unknown, 503
192.168.100.10, -, -, N, 2008-03-01, 16:35:58, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 1447, 251, 283, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwywwo0htx9c1qmuye8eo0w4&ad=&to=454&rpo,b2, -, Unknown, 503
192.168.100.10, -, -, N, 2008-03-01, 16:36:01, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 3076, 251, 287, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?to=579&ad=&do=&sh=47744&pp=jwywsv0nc5lo0fla2cz80cks&bx=&pid=390322;10002411&rf=1&lpt=4, -, Unknown, 503
192.168.100.10, -, -, N, 2008-03-01, 16:36:05, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 4215, 251, 672, http, -, GET, http://www.arrowhead-lakes.com/siteedirp.htm?p=28&w&enc=1&vars=/37~twppkpi"urtkpiu"ecnkhqtpkc~jvvr<11yyy0iqqing0eqo1cenmAuc?N(ck?D{KUO9EdJTaRtQKp6riUg4uY\EN{Oiz4m3KdWC[FuutOHyKuTGCO[C{E6m\GHMCSyCViDWOE2vqN:aaaaayHi{[cCiOiluiGV[ZL{d5fq\YHmNYzjc4X|NoPxdeiDCfqDG4H{eo;5cIXj\E3u[Yvne{7ld44CCiJ\C8/VQDGucut36COC;SPCCCCC(pwo?5(s?jvvr<11yyy0cevkkkuqnwvkqpu0eqo(uki?CIkYsvz:Tu:T;XcWqij;iSxVwUkooHg;:S~2~2~5~~~69966~2~2~/3~ly{yxg35f99q3c|v8jw4:u2y~3426455;87~5;2544=32233429~2~4:~930770360374~32328~8~~cevkkkuqnwvkqpu0eqo~z<chu~~228~242, -, Unknown, 503
192.168.100.10, -, -, N, 2008-03-01, 16:36:19, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 12808, 27055, 671, http, -, GET, http://www.arrowhead-lakes.com/siteedirp.htm?p=28&w&enc=1&vars=/37~twppkpi"urtkpiu"ecnkhqtpkc~jvvr<11yyy0iqqing0eqo1cenmAuc?N(ck?DV[h{9EdJTaRtQKp6riUg4uY\EOaOuTIF2aJtDNRH{/[DyPfNGCK[CkE6m\GHMCS6CXEF/qZ4D4FLjqEC{EQ{CTPjepLxf4jn[YSvdIHt\ZOw[4;v{CGD4iGV[ZL{d5fq\YHmNYzjc4X|NoPxd[CECfmFt7O6GUzs{xZ3C2CCCCC(pwo?4(s?jvvr<11yyy0rtguvkigoqwpvckpjqogu0eqo1(uki?CIkYsv|PZCg7mSivgrNYnLQSan4tjaUFRy~2~2~4~~~69966~2~2~/3~ly{yxg35f99q3c|v8jw4:u2y~3426455;87~5;2544=32233429~2~4:~930770360374~32328~8~~yyy0rtguvkigoqwpvckpjqogu0eqo~z<chu~~228~242, -, Unknown, 200
192.168.100.10, -, -, N, 2008-03-01, 16:36:35, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 14806, 31244, 289, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwyx2q0dvqcs06nejxuy8swc&ad=&to=453&rpo,a9, -, Unknown, 200
192.168.100.10, -, -, N, 2008-03-01, 16:37:01, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 25953, 32126, 289, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwyx2q0dvqcs06nejxuy8swc&ad=&to=580&rpo,a11, -, Unknown, 200
192.168.100.10, -, -, N, 2008-03-01, 16:37:08, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 5802, 208, 526, http, -, GET, http://www.arrowhead-lakes.com/common/roar/redirp.htm?&u=/4~Ygkijv"Ocpcigogpv~jvvr<11ogvc09ugctej0eqo1enkem1enkem0curzAwtnkf?36374495(chhknkcvgkf?5;229(mg{yqtf?ygkijv-ocpcigogpv(u?rnu(w?jvvr'5c'4h'4hyyy0rciguggmgt0eqo(tcpm?4(tkf?4:5933(uf?24'4h4:'4h2:-37'5c52'5c43077:~2~2~6~~~69966~~~203~ly{z4s2fxseu28pglzw{:uye~3426456482~5;2544=32224633~7:2~7~8803870343088~~~yyy0cttqyjgcf/ncmgu0eqo, -, Unknown, 302
192.168.100.10, -, -, N, 2008-03-01, 16:37:23, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 15284, 208, 474, http, -, GET, http://www.arrowhead-lakes.com/common/roar/redirp.htm?&u=/34~Qpnkpg"Ugtxkegu~jvvr<11yyy0ugctejhggf0eqo1tf1Enm0lurAkf?62388:67(m?qpnkpg-ugtxkegu(t?322(c?96474(u?uhh(r?8924(ukf?4655;8(gz?3426456372:;4(upkf?433~2~2~32~~~69966~~~2024~ly{z4s2fxseu28pglzw{:uye~3426456458~5;2544=32224633~675~39~8803870343088~~~yyy0cttqyjgcf/ncmgu0eqo, -, Unknown, 302
192.168.100.10, -, -, N, 2008-03-01, 16:37:49, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 25968, 31599, 289, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwyx2q0dvqcs06nejxuy8swc&ad=&to=372&rpo,a12, -, Unknown, 200
192.168.100.10, -, -, N, 2008-03-01, 16:38:19, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 29242, 39028, 284, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwyx2q0dvqcs06nejxuy8swc&ad=&to=440&rpo,a10, -, Unknown, 200
192.168.100.10, -, -, N, 2008-03-01, 16:38:39, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 19000, 208, 537, http, -, GET, http://www.arrowhead-lakes.com/common/roar/redirp.htm?&u=/34~Ect"Ugewtkv{~jvvr<11yyy0ugctejhggf0eqo1tf1Enm0lurAc?9648:(nkf?377:6;:9(m?ect-ugewtkv{(kf?6282;797(ch?tgngxcf(nc?4'494J(npm4?tjjG'5H00qg{j/rmz/uE{kzmErg/7kFjg{'49Fzi0(r?8924(ukf?39766:(gz?3426456259653(upkf?454~2~2~;~~~69966~~~2025~ly{yyq2jvz;e3sow{g:gq2y6~3426456276~5;2544=32224633~35;9~39~8803870343088~~~yyy0cttqyjgcf/ncmgu0eqo, -, Unknown, 302
192.168.100.10, -, -, N, 2008-03-01, 16:38:52, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 12992, 27059, 583, http, -, GET, http://www.arrowhead-lakes.com/siteedirps.htm?p=36&w&enc=1&vars=/37~iqfcff{~1eqooqp1hcdwnqwufqockpu1Ahqtofcvc]fqockp_?cttqyjgcfoqwpvckpu0eqo(hqtofcvc]tgh_?3(hqtofcvc]uqwteg_?dcppgttgncvgf(hqtofcvc]jcuj_?937g38:e9f4:ddg36;84f95c7:76f;f2(hqtofcvc]tghwtn_?(hqtofcvc]chhq_?9:6(hqtofcvc]chhjcuj_?3426455;68(hqtofcvc]fguv_?if~2~2~4~~~69966~2~2~2~ly{ywr2|:5r63v;2z;zxiiq2~3426455;68~5;2544=2~2~58~930770360374~32322~7~~cttqyjgcfoqwpvckpu0eqo~~~~, -, Unknown, 200
192.168.100.10, -, -, N, 2008-03-01, 16:39:24, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 30803, 262, 284, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwyx6y0pxtto0ixcf7z44ko8&ad=&to=468&rpo,a13, -, Unknown, 500
192.168.100.10, -, -, N, 2008-03-01, 16:39:41, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 16578, 44494, 289, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwyx6y0pxtto0ixcf7z44ko8&ad=&to=545&rpo,a6, -, Unknown, 200
192.168.100.10, -, -, N, 2008-03-01, 16:40:01, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 19451, 0, 288, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwyx6y0pxtto0ixcf7z44ko8&ad=&to=425&rpo,b7, -, Unknown, 0

What Should I Do???
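An added example, not code from the thread, the forum or avast: a small parser for log lines in the WinProxy format shown above. It tallies requests per host for the client address, and decodes the obfuscated `vars`/`u` query parameters in the arrowhead-lakes.com requests, where every character has been shifted up by two code points (so `jvvr<11yyy0iqqing0eqo` reads `http://www.google.com` and `yyy0cttqyjgcf/ncmgu0eqo` reads `www.arrowhead-lakes.com`). The three sample lines are copied from the post and shortened; the request-count `threshold` in `busy_hosts` is an arbitrary assumption for this small sample, not a detection rule from the page.

```python
"""Parse WinProxy-style proxy log lines, summarise per-host requests for one
client, and decode the shift-by-two obfuscated query parameters.

Added example for the thread above; not WinProxy's or avast's code.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: three lines copied from the post and shortened.
# Note the URL in the second line contains a comma ("rpo,a4").
SAMPLE_LOG = """\
192.168.100.10, -, -, N, 2008-03-01, 16:17:42, 1, -, -, sb.google.com, 216.239.51.91, 80, 89, 0, 790, http, -, GET, http://sb.google.com/safebrowsing/update?client=navclient-auto-ffox&appver=2.0.0.12, -, Unknown, 200
192.168.100.10, -, -, N, 2008-03-01, 16:35:57, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 1085, 251, 288, http, -, GET, http://www.arrowhead-lakes.com/common/roar/results.htm?rf=1&lpt=4&sh=47744&pp&pid=390322;10002411&pp=jwywwo0htx9c1qmuye8eo0w4&ad=&to=414&rpo,a4, -, Unknown, 503
192.168.100.10, -, -, N, 2008-03-01, 16:37:08, 1, -, -, www.arrowhead-lakes.com, 216.15.148.36, 80, 5802, 208, 526, http, -, GET, http://www.arrowhead-lakes.com/common/roar/redirp.htm?&u=/4~Ygkijv"Ocpcigogpv~jvvr<11ogvc09ugctej0eqo1enkem1enkem0curz, -, Unknown, 302
"""


def parse_line(line):
    """Split one log line into a dict.

    Field 19 is the URL and may itself contain commas, so take the first 18
    fields from the left and the last three from the right instead of doing
    a plain split on ','.
    """
    head = line.rstrip("\n").split(", ", 18)
    if len(head) != 19:
        return None
    url, _, _, status = head[18].rsplit(", ", 3)
    return {
        "client": head[0],
        "date": head[4],
        "time": head[5],
        "host": head[9],
        "server_ip": head[10],
        "method": head[17],
        "url": url,
        "status": int(status) if status.isdigit() else None,
    }


def unshift(text, shift=2):
    """Undo the per-character shift in the 'vars'/'u' parameters: every
    character was moved up two code points, e.g. 'jvvr<11' -> 'http://'."""
    return "".join(chr(ord(c) - shift) for c in text)


def query_params(url):
    """Minimal query parser: split on '&' only (so 'pid=a;b' stays intact),
    keep the last value for repeated names, drop valueless names."""
    params = {}
    for part in urlsplit(url).query.split("&"):
        if "=" in part:
            name, value = part.split("=", 1)
            params[name] = value
    return params


def decode_obfuscated(url):
    """Decode the 'vars' or 'u' parameter and split it on its field
    separator ('~' shifted down becomes '|'); None if neither is present."""
    params = query_params(url)
    for name in ("vars", "u"):
        if name in params:
            return unshift(params[name]).split("|")
    return None


def summarise(log_text, client=None):
    """Per-host histogram of HTTP status codes for one client address."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (client and rec["client"] != client):
            continue
        per_host[rec["host"]][rec["status"]] += 1
    return {host: dict(c) for host, c in per_host.items()}


def busy_hosts(summary, threshold=2):
    """Hosts with at least `threshold` requests.  The threshold is an
    assumption for this small sample; on a real log use a rate per minute
    and compare it with a baseline taken on a known-clean boot."""
    return sorted(h for h, st in summary.items() if sum(st.values()) >= threshold)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG, client="192.168.100.10")
    for host, statuses in summary.items():
        print(host, statuses)
    print("busy:", busy_hosts(summary))
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        decoded = decode_obfuscated(rec["url"])
        if decoded:
            print(rec["time"], rec["host"], "->", decoded)
```

Pointing `summarise` at a full log and diffing the per-host counts against a capture from a clean boot is the scripted version of what the poster did by watching the router lights; decoding the `u` parameter shows the redirect hops ending at click-tracking URLs (`/click/click.aspx`), which is what the machine was fetching while "idling".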





rocketman3291

  • Guest
UPDATE - Issue Resolved
« Reply #1 on: February 29, 2008, 08:21:36 AM »
After I spent a little time UTFSE, I used the Secunia scanner and found that 2 programs were in need of updates: Adobe Reader and the JRE. Now that I think about it, I was on a web page a couple of days ago that had some Java code on it and it locked up the browser (Firefox). I suspect that's how it got in.

I ran Windows Advanced Care and immunized (although I'm curious as to just how this is done).
Used Trend Micro RootkitBuster and was clean.
Used HijackThis and removed two O16 listings.

My router lights (and WinProxy logs) are now as they should be (yeaaaaaaah).

Thank goodness I had your software installed; otherwise I KNOW for a FACT this would have been quite a messy ordeal.

YOU GUYS ROCK!


Gort

  • Guest
Re: I'm INFECTED !
« Reply #2 on: February 29, 2008, 03:06:10 PM »
Hi,

It might be a good idea to go to http://www.grc.com/intro.htm and use ShieldsUP!
and LeakTest to check the security of your ports and how "leak-proof"
your firewall is... the one that comes with Win XP isn't.

Good luck

CharleyO

  • Guest
Re: I'm INFECTED !
« Reply #3 on: February 29, 2008, 06:12:50 PM »
***

Welcome to the forums,  rocketman3291.    :)

You seem to have your problem corrected. If you have any other problems, please come back and post again.


***