system
August 4, 2007, 10:04am
1
Hi, I need some help regarding the matter below.
Last night, I got multiple pop up warnings from avast saying that DCOM exploits from 202.73.226.218:135 were blocked by avast’s network shield. Then suddenly my internet connection’s upload speed dropped drastically with increased ping delays.
All my ports are stealthed and I disabled DCOM service according to http://support.microsoft.com/kb/825750/en-us Here’s my hijackthis log:
Logfile of HijackThis v1.99.1
Running processes:
O1 - Hosts: 116.0.0.116 bf2web.gamespy.com @btrez.dll ,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)@btrez.dll ,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
I’m having suspicions to the “mmdmm.exe” service, but since I didn’t find any info about it in google, I’m not sure whether I should remove it.
I can’t upgrade to SP2 cause of financial reasons… and yes I know my Java is outdated, I’m planning to update it in the future.
Thanks in advance.
Hi hamzahhaz,
Have you run a scan with AVG Anti-Spyware recently?
If not, do so now.
Is Windows’ firewall activated? If not, activate it here:
http://www.geocities.com/dontsurfinthenude/firetut.htm
These entries from the log are very suspicious:
O4 - HKLM..\Run: [mmsass] mmdmm.exe
Can you find the file mmdmm.exe on your computer? (You may need to enable ‘View hidden files and folderds’ and uncheck ‘Hide system files’.
Windows XP
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.</blockquote>
http://xtra.co.nz/help/0,,4155-1916458,00.html
If you can find the file, upload it to VirusTotal and copy and post the report here.
http://www.virustotal.com/
All my ports are stealthed
Sorry, just noticed that.
How? Hardware firewall?
Messages like:
Which firewall do you use?
Network Shield of avast protects you from internet worms that spread themselves via various security holes in your system. Typicaly these kind of viruses don’t infect files but instead they attack running processes on your PC (either Windows components or some server programs like SQL Server, IIS etc.). These kind of attacks are not easily catched by ordinary antivirus during file or mail scanning. It is not a duplicate work with Standard Shield.
Basically, it covers all Internet worms. Such as Win32.CodeRed, Win32.SQLSlammer, Win32.Blaster, in32.Welchia (Nachi) and Win32.Sasser.
system
August 4, 2007, 11:57am
5
All my ports are stealthed
Sorry, please ignore this. My ports used to be stealthed before I uninstalled Kerio Personal Firewall (which slowed my P2P applications down).
I’ve updated Avast, Spybot, and AVG-AS to the latest version & definition file then ran full scans but found nothing.
I couldn’t find “mmdmm.exe” anywhere on my hard drive with show hidden & system files enabled in the search panel and folder options.
I update my OS regularly with updates from http://windowsupdate.62nds.com/ (only taking the critical security patches), and I disabled the DCOM service, stealthed port 135 with DCOMBOBULATOR or something (http://www.grc.com/freeware/dcom.htm ) after the first attack.
I’m not using any software or hardware firewall right now.
system
August 4, 2007, 12:23pm
6
Logfile of HijackThis v1.99.1
O1 - Hosts: 116.0.0.116 bf2web.gamespy.com @btrez.dll ,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)@btrez.dll ,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm (file missing)
Help! That is the latest log and the O18 entries seem to be increasing rapidly.
As FwF has mentioned these entries are trouble:SP1 should be SP2 plus a truckload of other patches and hotfixes after SP2Hosts: 116.0.0.116 bf2web.gamespy.com O4 - HKLM..\Run: [mmsass] mmdmm.exeO4 - HKLM..\RunServices: [mmsass] mmdmm.exe
a google search of mmdmm.exe will offer some removal help
It is a very bad idea to using the InterNet without a Firewall you are asking for trouble.Sun Java Runtime Environment 6 Update 2 Sun Microsystems, Inc.
I would also have a good look at Utorrent form memory there were some security issues about it recently.Download Trend Micro HijackThis v2.0.2 Here
You can have a look at the results of your HijackThis Log Files here HijackThis Security Log File Results
I couldn't find "mmdmm.exe" anywhere on my hard drive with show hidden & system files enabled in the search panel and folder options.
Should I just remove both entries of "mmdmm.exe" with Hijackthis? I don't remember having it as a default startup process and I haven't installed any new software last month.
My advice would be to fix the entries with HijackThis, reboot and try and find the file C:\WINDOWS\System32\mmdmm.exe.
Send it to VirusTotal and to virus@avast.com if it’s malware.
Run HijackThis again and check that the entries haven’t come back.
system
August 5, 2007, 12:38am
9
Hosts: 116.0.0.116 bf2web.gamespy.com
I added this entry manually to hosts for BattleField2 private server ranking purposes. Is it unsafe?
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
I’ve removed both entries, restarted my computer but I still can’t find the file anywhere using the search function.
a google search of mmdmm.exe will offer some removal help
Which one? I google searched “mmdmm.exe” but I couldn’t find anything to help me. Could the removal help be in non-English entries?
system
August 5, 2007, 1:15am
10
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
O1 - Hosts: 116.0.0.116 bf2web.gamespy.com
–
This is the latest log. I installed Comodo Personal Firewall Pro, found the mmdmm.exe, deleted it but the problem is still there (my connection is still slowed down).
I would also have a good look at Utorrent form memory there were some security issues about it recently.
What security issue? If you mean the uTorrent and MPAA/RIAA issue, even if that’s true, I don’t think that would be a problem for me because I never downloaded warez/movies/ anything illegal (at least from the US & Europe) using utorrent.
This is the latest log. I installed Comodo Personal Firewall Pro, found the mmdmm.exe, deleted it but the problem is still there (my connection is still slowed down).
Are you sure you don’t mean you killed mmdmm.exe with Process Explorer?
Any suspicious processes asking for connection, or any suspicious network traffic in Comodo?
Some more things to try:
Look for and remove rootkits (hidden malware):
Panda Antirootkit Blacklight AVG Anti-Rootkit
Try some online scans. (Disable avast! while scanning.)
F-Secure BitDefender Panda Trend Micro Housecall
I saw this as an unusual HOSTS file entry however you have answered the query I had
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
I’ve removed both entries, restarted my computer but I still can’t find the file anywhere using the search function.
a google search of mmdmm.exe will offer some removal help
You may like to have a look here for some useful info on mmdmm.exe removal etchttp://spywarefiles.prevx.com/RRHHIH043313370/MMDMM.EXE.htm
Which one? I google searched "mmdmm.exe" but I couldn't find anything to help me. Could the removal help be in non-English entries?
Yes there are a few No-English entries ;) however the Prevx info in the link about will be of some help I hope
system
August 5, 2007, 11:47am
13
Are you sure you don't mean you killed mmdmm.exe with Process Explorer?
No, I found mmdmm.exe in /System32 and deleted it, and RERT.exe too according to tednelly’s link.
Any suspicious processes asking for connection, or any suspicious network traffic in Comodo?
There are some suspicious network traffic in Comodo… a lot of them. Generated in about every five seconds, even when I don’t run any applications that may use internet connection (with exception of Avast & Comodo in background).
Description: Outbound Policy Violation (Access Denied, ICMP = Port Unreachable)changes every time
Description: Inbound Policy Violation (Access Denied, IP = changes every time Port = 17635 (always the same port))changes every time
Description: Inbound Policy Violation (Access Denied, IP = changes every time , Port= 17635)changes every time
Sometimes explorer.exe (parent: winlogon.exe) tried to do TCP outbound connections to various IPs, I don’t know what to do so I denied it all.
When I test my bandwidth with speedtest.net , it appears that only my upload bandwidth is cut down by 90% (whew).
I’m trying the rootkits, I’ll post the results with my latest hijackthis log later.
system
August 5, 2007, 11:51am
14
I couldn’t find the Panda one in their site, do you mean the online scan?.
Blacklight Rootkit Eliminator found one hidden entry in system32:lzx32.sys. What should I do?
Do I need to worry about the O18 protocol hijack entries?
This is my latest log.
Running processes:
O1 - Hosts: 116.0.0.116 bf2web.gamespy.com
–
DavidR
August 5, 2007, 3:01pm
16
There is also, Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip , download the .zip file unpack to a folder you can find again and run PAVARK.exe.
Combofix will remove the lz rootkitHere Here
[*]Double click combofix.exe and follow the prompts.
Note: Do not mouseclick combofix’s window while its running. That may cause it to stall
The main symptom of the trojan Rustock.b rootkit infection (sometimes identifed as pe386, lzx32 or msguard), is heavy network-activity without any obvious reason. When analysing the computer, the traditional malware tools do not typically find anything. However, tools like Gmer, Combofix, Smitfraudfix and SDfix are able to detect the infection:
This seems to be the case here, so run the tool advised here:
Rustock.b (pe386, lzx32, msguard) Removal Instructions:
Download - rustbfix.exe …and save it to your desktop.
Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
http://www.geekstogo.com/forum/How-to-Remove-Rustock-b-pe386-lzx32-msguard-infections-t140682.html
Sorry about the dead link from Panda; the tool is also available from MajorGeeks (and other download sites):
http://www.majorgeeks.com/Panda_Anti-Rootkit_d5457.html
Run the tool mentioned above, then re-scan with avast!, AVG Anti-spyware, Spybot etc. (because once the rootkit is removed, other malware can be detected).
system
August 6, 2007, 2:02pm
19
Sorry for the replying delay, I had to go to work.
Woah. After I removed the lzx32.sys with rustbfix.exe then ran combofix.exe, the suspicious inbound connections decreased in amount. And there were no suspicious outbound connections anymore. My internet connection felt A LOT lighter than before.
And… uh… I closed my combofix log accidentally after I read it and now I can’t find it anywhere. Does anyone know where the log is located? I checked C:\Combofix but the log was not there. I’ll run combofix.exe again if necessary.
It will generate a new log, without that problems. But, anyway, it’s good to make sure you’re clean.
