Need help with a mysterious infection on TCP 5152, 1036, 30606...

Need help with a mysterious infection on TCP 5152, 1043, 30606...

So my main PC is infected with a virus/trojan that's making me pull out my hair just to identify it. I'm using an older NOD32 v3 on that system and it has definitions dated from March 27 2009.

This malware is real annoying because it blocks all DNS translation so I can only ping IP numbers from the command prompt. Whenever I enable the network card netstat -n displays activity to and from IP 127.0.0.1 on TCP ports 5152 primarily, and ports 30606 and 1043. I can't download any definition updates due to this malware blocking web access and I need a way to download to a floppy or CD/DVD the latest definitions so that I can install it on the main PC. Safe Mode with network support also cannot browse webpages.

I need some major help on how to tackle this problem.

Forgot to add I'm using Windows 2000 SP4

 

Start here and make sure you follow the instructions before posting there.

http://www.dslreports.com/forum/cleanup

 

just discovered something interesting, when I uninstalled all the network clients, services, and protocols. Rebooted and reinstalled them I was able to ping internal IPs and my ISP's gateway addresses on the internet (not the dsl modem but a 207.*.*.* address). However once I rebooted after reinstalling those network components I could no longer ping those locations anymore and 127.0.0.1:5152 was listening to 0.0.0.0:0 when I used netstat -n -a

 

Try installing Sysinspector, and take a look at the processes associated with those high port numbers.

 

I don't think that's possible bradtech, that system is using NOD32 v3 and I looked through NOD32 v4 on another computer I have but it doesn't offer port activity stats. More importantly the infected PC does not have web access due to this infection blocking network traffic. I have no way to update it from v3 to v4 NOD32. Also I have 2GB of log data and false positive quarantine files (unrelated to this infection) that I must sort through before uninstalling the v3 NOD32 on that system. I never tested to see if uninstalling v3 and installing v4 will maintain the v3 log data.

I can't afford that risk right now but I still don't see how NOD32 v4 can monitor that port traffic, afterall I was using v3 with March 27 definitions when this infection got through.

I still have to follow the first suggestion about requesting help from dslreports but I was hoping to get an ESET agent to help guide me through this diagnosis since I'm using their anti-virus. A diagnosis is my biggest issue, if I knew what I had and maybe where it was located I could likely manually clean it myself as I usually do on PCs.

 

one more important detail I forgot to mention I already tried both ESET's and TrendMicro's online scanners to detect for infections. I did this way back when I first noticed the long list of activities on TCP port 5152 connecting with both internet IPs and other ports back into the same PC. Both scanning programs did not detect anything.

EDIT 1:09AM ET:
Also just discovered on the infected system I can ping its own IP address successfully using ping -l 1472 -f 192.168.2.10. Any larger block size and I get the "needs fragmenting" error message.

I'm still reading the overly lengthy set of rules on that dslreports help request link another user posted higher up, believe me I'm trying to follow it but it's so damn lengthy it's taken me all day to find spare time to read some of it and download (on a non-infected PC) the software tools that DSLR/BBR instructs me to do before posting.

 

Hello Ghetto_Child,

I'd like to help get this fixed. I have sent you a pm.

Thank you,
Richard

 

another discovery I just made thanks to SysInspector. The Java Quick Start program (jqs.exe) was performing activity on TCP 5152. Now that I've disabled the service in the Services control panel there's no more listening activity on 127.0.1:5152 to 0.0.0.0:0 anymore but my web browsers still don't get through and I still get the "cannot find hostname" when I try to ping a domain like yahoo.ca or dslreports.com etc

 

mabe try reinstalling TCP/IP or simple things you might not have tried yet like:

netsh int ip reset c:\resetlog.txt

netsh winsock reset

at the command prompt.

something got in and corrupted your settings perhaps?

I would try all of the above first.

to reinstall TCP/IP, right click a network adapter in my network places go to properties, click install protocol, then add and have disk and point it to your INF folder like c:\windows\INF and click ok.you should now see TCP/IP along with TCP/IP V6, just select the other, not V6 and let er rip, then reboot.

also uninstall your firewall from safe mode if you can and once it's back up reinstall, might want to uninstall the firewall first if it's messing with your ports, you allready said you have no virus .... ?

******************************************************************
Windows XP
Reset the TCP/IP Stack
From a command prompt, type the following:


netsh int ip reset log.txt
Other Windows XP netsh commands include:

netsh diag connect mail
Will connect to the default incoming and outgoing mail server then drop the connection. Easier for customers than trying to telnet to the mail server ports

netsh diag ping dns
Will ping the default DNS servers progressively. (Saves having to re-type ping multiple times)

netsh diag connect iphost
Will make a connection to the host on the specified port, then disconnect. Example: To test http connectivity, type netsh diag connect iphost yahoo.com 80 will return

IPHost (yahoo.com)
IPHost = yahoo.com
Port = 80
Server appears to be running on port(s) [80]
netsh int ip show config
Shows the current IP address and additional config info

netsh int ip delete arpcache
Deletes the arp cache entries for all available adapters (including the dial up adapter) Works well with DSL if you are able to ping the loopback address, and your own IP but nothing else.

netsh diag gui
Launched the GUI Network Diagnostic Program

netsh diag show mail
Shows default mail servers

netsh diag show dns
Shows default DNS servers

Windows 2000
From a command prompt, type the following:


netsh <enter>
interface reset all
routing reset all
exit

****************************************************************

 

thanks definately gonna try these commands, I recall seeing netsh mentioned by other users for other issues but this is the first time I've been given an explanation and examples of what it does

 

if you're talking about the NOD32 the infected PC is using v3 but the PC I'm posting from is a clean PC using v4. If ESET could make a manual file download I'd have no problem downloading it to a usb flash drive and carrying it to the infected PC. Do you have any idea how/where to get a manual download for ESET NOD32 v3? I looked all over the website and all I can find is a listing of new virus additions to each definition release but no way to download the definition itself

 

just download malwarebytes 1.40, it will come with definitions from this month " august 2009 " and is small setup file, install it on that machine and scan, no need to update it yet.Or Just fix your internet on the other pc, those commands should work with changing back whatever any virus did.check your startup and " load " locations to stop any virus that may be running ever time you reboot.Also try getting an NTFS reader driver or download bart or one of the other boot repair cd's online and they will load an NTFS driver, unless you have FAT32 as your drives.Then download and put in a directory on your C drive, the NOD32 for DOS and just run that, they are updated once a week or more and should be current if you go get that now and put on flash drive.One of these solutions has to work for you.

 

I have windows 2000 so most of the netsh commands you list don't work. The windows 2000 list you posted I followed in that exact order with no change. I still can't ping my dsl modem from that PC. Packets are sent but 0 packets are ever received. From bootup till I give up and shutdown/restart the packets received counter for the adaptor always remains at 0.

 

I don't know why your so hung up on getting these definitions onto that computer, I sent you a PM.You don't even know if you go through all the trouble if anything will be detected, and there are other programs you can put on there that may even stand a better chance than eset at finding it, you never know.How about a rootkit that eset might not be able to detect yet, you could have one.try a rootkit tool and see what that brings as well, sophos anti rootkit or mcafee rootkit detective or root repeal.

I thought mabe they added more commands for netsh, but apparently not.but mabe since it's so easy to uninstall TCP/IP in win2k, mabe a virus allready did that for you, so try putting it back.

go to the registry and navigate to local machine current control set services and delete tcp/ip and both of the winsocks, if you can't do it from regular mode, do it from safe mode.then reboot and put this into a note pad and save to your desktop as a .reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NV Hostname"="put computer name here"
"Hostname"="put computer name here"

and double click and click yes to add that to the registry, then follow the steps to reinstall tcp/ip and reboot.
after you reboot uninstall your network card from device manager and reboot again, and let me know if that changes anything.

 

well here's where I'm at now, replacing all the em00_#.dat files has updated all definitions and other modules to the latest version but kept NOD32 at v3 so that's good. However NOD32 now keeps quarantining "PowerReg Scheduler.exe" originally in the Startup folder in the Start Menu. I don't know why it's an Epson printer driver not a virus. NOD32 says it's infected with W32/PowerReg application . Is this normal for NOD32 or is it because I imported all those em00_#.dat files?

I tried uninstalling TCP components for the 2nd time and can't remember why but was trying to reinstall the network device driver, unfortunately that driver is now lost from the system and was my latest one (I must have gotten it from windows update and not a driver file I downloaded). It was the Intel Pro LAN drivers I was using version 8.0.21.0 now I've had to revert down to 7.x.x.x with a huge reduction in advanced/performance options.

ProSet II froze during uninstall and re-running uninstall now refuses to remove it because the install log is missing (probably got deleted during the first uninstall attempt ).

 

Hello Ghetto_Child,
please read this thread about W32/PowerReg:
https://www.wilderssecurity.com/showthread.php?t=159874
Cheers

 

This is potentially unwanted or unsafe application - this is how ESET classifies programs - kind of adware but not exactly malicious .

The detection has nothing to do with the fact you imported the em00_??.dat files.

I strongly advise you try Combofix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

It can remove very severe infections as well as perform some changes (restore stuff damanged by malware) . I am not sure if it will run on Windows 2000 - I have never had the chance to try it on Windows 2000 OS. Hope it will

 

well I can correct you about those em00_??.dat files. You see my PowerReg Scheduler.exe program in my start menu startup folder has been there since installing the drivers for my epson printer years ago. I've had NOD32 since 2008 and up till this March 29 it never detected that program in my startup folder of the start menu. It only detected it right after replacing all the em00_##.dat files and then rebooting. Just to clarify your statement.

It will be a little while before I have more questions because at the moment I'm manually removing all found results of intel PROSet from the registry since the uninstall log file got damaged and is unusable.