Address blocked worknssrv.cn/dd/mod_ddos

Discussion in 'ESET Smart Security' started by Rickzkm, Dec 6, 2008.

Thread Status:
Not open for further replies.
  1. Rickzkm

    Rickzkm Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    9
    Hi,

    I have an Eset security alert popping up every second or so with this message:
    Address blocked worknssrv.cn/dd/mod_ddos

    I am concerned, but an Eset full PC scan revealed my computer is clean.

    Could someone help, please?
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Something is trying to dial home; as to what, it is a mystery. I think the best thing is to download ESET SysInspector, produce a log and email it to support("at")eset.com with this thread's URL in the subject.
     
  3. Rickzkm

    Rickzkm Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    9
    Thank you. Good job that Eset stopped it!

    Just yesterday I was searching for "worknssrv.cn/dd/mod_ddos", but today Google shows more forums where people ask about this.

    By the way, I have noticed it's the schvost.exe process, which I understand is a system process.

    Oh, and today I have periods with alerts, but now it seems to be quiet. I have never seen anything like this.
     
  4. Derek_M

    Derek_M Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    7
    I am also getting this message that continually flashes up. I have done a full system scan with ESET SysInspector and it came up with nothing, and also a full in-depth scan as suggested by Eset Support, and again nothing.
    Does anyone have any suggestions what to try next, as this is becoming a real pain.
     
  5. Rickzkm

    Rickzkm Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    9
    It seems like the computer is infected and the infected file is:
    c:\windows\system32\admparset.exe

    ESET support advised me to zip this file and send it to them, but the moment I created the zip file, ESET deleted the infected file.
    Maybe try doing the same thing, but I would definitely contact ESET support.
     
  6. Derek_M

    Derek_M Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    7
    Thanks for your reply; unfortunately I don't seem to have that file when I did a search for it, so the search for a fix continues :(
     
  7. Rickzkm

    Rickzkm Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    9
    It is a hidden file, so you need to make sure when viewing that location you can see hidden files (I personally don't use Explorer to browse the PC).
    I'm sure you can google how to enable viewing hidden files.
     
  8. Rickzkm

    Rickzkm Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    9
    I have just finished an online session of remote assistance with ESET technical support, and if you get this kind of message popping up, you are infected by a trojan.
    When this happened to me, there was no signature for this in the Eset database, but three days later Eset actually detected this trojan and quarantined the infected file.
    In conclusion, this matter should be resolved if you have the latest signature database from Eset; otherwise you should contact support and ask for help.

    My PC is clean now.
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Can you please explain in more detail what happened? Firstly you say it wasn't detected, then it was? It's quite confusing. If it was detected it should have been cleaned; if not, then send the file to samples("at")eset.com in a zip file with the password "infected". You can also disable nod32 and restore files from quarantine if it was a random heuristic detection.
     
  10. Rickzkm

    Rickzkm Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    9
    The PC was infected all along, but Eset did not have this file and behavior in its database of threats, so I did not detect it.
    Three days later, a signature was added to the Eset database and only then was the infected file detected and quarantined.
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    What was the name of the infection in your quarantine? Also, are you fine now?
     
  12. Rickzkm

    Rickzkm Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    9
    admparset.exe was infected with the Win32/IRCBot trojan.

    Yep, clean now.
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Is yours detected now? If it's not try locating the file and submitting it to ESET as directed in my previous post.
     
  14. Derek_M

    Derek_M Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    7
    I have not detected the file yet, every search I have done comes up blank and so does the Eset scan.
     
  15. Rickzkm

    Rickzkm Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    9
    Maybe you could try locating that file manually at the location specified in the post above; don't forget to enable hidden files view.

    By the way, if your scan revealed no infection, are you still getting the popup messages?
     
  16. Derek_M

    Derek_M Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    7
    I have done all that, but the file mentioned above is not there. Yes, I am still getting the popups; it lasts for about 1 hour then stops.
     
  17. Rickzkm

    Rickzkm Registered Member

    Joined:
    Dec 6, 2008
    Posts:
    9
    Seems like you might have a different version of the trojan. Definitely contact Eset for support.
     
  18. Derek_M

    Derek_M Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    7
    How did you find the infected file?
     
  19. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I'm curious - it was good that ESS blocked the address, but how did it do it?
     
  20. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I would think it would be in your startup processes? Anyway, download ESET SysInspector, create a log, and send it to support("at")eset.com with this thread's URL as the subject.

    Not sure I understand the question; it's probably a known abused IP. Well, it seems different trojans all use the same one.
     
  21. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Ok - so I guess there's a blocklist built into ESS.
     
  22. CivilTaz

    CivilTaz Registered Member

    Joined:
    Nov 19, 2008
    Posts:
    146
    Yes, there is.
     
  23. Derek_M

    Derek_M Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    7
    I have tried that as well, but SysInspector is not finding anything. It's looking like a reformat of my hard drive :'(
     
  24. Derek_M

    Derek_M Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    7
    Finally got them. After browsing for more info on malware I found out about Malwarebytes Anti-Malware. I installed and ran the program and it came up with the log below. So far the problem has not reappeared. :D

    Malwarebytes' Anti-Malware 1.31
    Database version: 1492
    Windows 5.1.2600 Service Pack 3

    12/12/2008 11:11:54
    mbam-log-2008-12-12 (11-11-54).txt

    Scan type: Quick Scan
    Objects scanned: 44323
    Time elapsed: 2 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cs.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rc.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ps1.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cmds.txt (Malware.Trace) -> Quarantined and deleted successfully.
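The log above names persistence artifacts worth checking on any machine showing the same ESET alert: an Image File Execution Options entry for explorer.exe (a Debugger value under that key makes Windows launch the named program whenever explorer.exe is started), a svchost.exe running from outside System32, and four trace files in System32. The PowerShell check below is an added example, not code from this thread, ESET or Malwarebytes; it assumes a Windows host with PowerShell 2.0 or later, run as administrator so process paths are readable, and reports findings for review rather than deleting anything.

```powershell
# Added example (not from the thread): report the artifacts the MBAM log above lists.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings = @()

# 1. Any IFEO subkey with a Debugger value. Developers set these legitimately for
#    debugging, so each hit needs a human look; a Debugger on explorer.exe is a red flag.
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += New-Object PSObject -Property @{
            Type = 'IFEO Debugger'; Item = $_.PSChildName; Detail = $dbg }
    }
}

# 2. The genuine svchost.exe lives only in %SystemRoot%\System32; the log found a copy
#    under "C:\Program Files\Microsoft Common". Flag any running instance elsewhere.
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path
    if ($p -and -not $p.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += New-Object PSObject -Property @{
            Type = 'svchost outside System32'; Item = $_.Id; Detail = $p }
    }
}

# 3. The trace files named in the log (file names taken from the log, nothing else assumed).
foreach ($name in 'cs.dat', 'rc.dat', 'ps1.dat', 'cmds.txt') {
    $full = Join-Path $sys32 $name
    if (Test-Path -Path $full) {
        $findings += New-Object PSObject -Property @{
            Type = 'Trace file'; Item = $name; Detail = $full }
    }
}

if ($findings.Count -gt 0) {
    $findings | Select-Object Type, Item, Detail | Format-Table -AutoSize
} else {
    'No IFEO Debugger values, rogue svchost.exe or known trace files found.'
}
```

A 32-bit PowerShell on a 64-bit Windows cannot read the Path of 64-bit processes, so run the 64-bit console to avoid blank paths in check 2.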
     
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    That's good! Now that you're clean, disable MB, restore the files to a location you're not going to execute them from, preferably all in one folder. Zip up that folder with all the files with the password "infected" and send it to samples("at")eset.com with this thread's URL in the subject. Hopefully in a few days Eset will pick up the folder and delete the entire thing.
     