Security Software Help with this error threat

CA50

For the past 15-20 days avast has been popping up this message. What is this message? Is my system compromised? :S

I can't understand this threat; does anyone care to explain it?

 
Maybe these sites are blocked by avast.

Try searching from the settings tab and unblocking these sites.

Hope this helps :)
 
^No mate, I haven't blocked any sites. I am using AIS 5.1.899 and I have checked the logs; these are the firewall logs. Here are all the logs:

28.03.2011 19:27:49 LSASS Exploit (E2K) attack, from 220.214.143.227:445
29.03.2011 16:41:09 LSASS Exploit (E2K) attack, from 61.170.164.27:445
30.03.2011 12:22:54 LSASS Exploit (E2K) attack, from 98.124.82.51:445
08.04.2011 18:11:50 DCOM Exploit attack, from 89.106.221.146:135
08.04.2011 22:22:18 LSASS Exploit (E2K) attack, from 186.44.182.138:445
08.04.2011 22:33:09 LSASS Exploit (E2K) attack, from 186.44.182.138:445
08.04.2011 22:51:26 LSASS Exploit (E2K) attack, from 186.44.182.138:445
09.04.2011 23:43:08 LSASS Exploit (E2K) attack, from 74.235.173.80:445
12.04.2011 23:07:45 LSASS Exploit (E2K) attack, from 95.26.252.129:445
17.04.2011 23:12:09 LSASS Exploit (E2K) attack, from 186.9.2.93:445
18.04.2011 15:26:07 LSASS Exploit (E2K) attack, from 95.27.86.76:445
19.04.2011 01:58:19 LSASS Exploit (E2K) attack, from 95.27.86.76:445
20.04.2011 13:50:34 LSASS Exploit (E2K) attack, from 65.0.115.194:445
23.04.2011 21:35:50 LSASS Exploit (E2K) attack, from 89.178.244.153:445
24.04.2011 00:14:40 LSASS Exploit (E2K) attack, from 93.120.75.218:445
24.04.2011 02:47:45 LSASS Exploit (E2K) attack, from 61.231.221.76:445
24.04.2011 09:26:40 LSASS Exploit (E2K) attack, from 74.235.175.6:445
24.04.2011 20:22:16 LSASS Exploit (E2K) attack, from 70.248.29.2:445
27.04.2011 09:43:34 LSASS Exploit (E2K) attack, from 113.252.81.203:445
27.04.2011 16:42:18 LSASS Exploit (E2K) attack, from 113.252.81.203:445
29.04.2011 02:07:48 DCOM Exploit attack, from 49.133.128.198:135
01.05.2011 14:03:01 DCOM Exploit attack, from 49.238.31.17:135



Edit: these are shown under the firewall section in the avast UI, but the actual log file name is nshield.log, so it's related to the network shield.
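As an added example (it is not from the thread and not avast's own code), here is a small Python triage script for nshield.log lines in the layout quoted above. It parses the entries, groups them by signature and probed service, lists the sources that came back more than once, and picks out sources that retried within a short window. The sample input is the 22 log lines from the post, embedded so the script runs offline; the burst threshold (three hits within one hour) is an assumption chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The target ports in the log map to the Windows listeners the avast
# signatures are named after.
PORT_SERVICE = {445: "SMB (microsoft-ds)", 135: "MS-RPC endpoint mapper (DCOM)"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<sig>.+?), from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

# Sample input: the nshield.log lines quoted in the post, embedded so the
# script runs offline.
SAMPLE_LOG = """\
28.03.2011 19:27:49 LSASS Exploit (E2K) attack, from 220.214.143.227:445
29.03.2011 16:41:09 LSASS Exploit (E2K) attack, from 61.170.164.27:445
30.03.2011 12:22:54 LSASS Exploit (E2K) attack, from 98.124.82.51:445
08.04.2011 18:11:50 DCOM Exploit attack, from 89.106.221.146:135
08.04.2011 22:22:18 LSASS Exploit (E2K) attack, from 186.44.182.138:445
08.04.2011 22:33:09 LSASS Exploit (E2K) attack, from 186.44.182.138:445
08.04.2011 22:51:26 LSASS Exploit (E2K) attack, from 186.44.182.138:445
09.04.2011 23:43:08 LSASS Exploit (E2K) attack, from 74.235.173.80:445
12.04.2011 23:07:45 LSASS Exploit (E2K) attack, from 95.26.252.129:445
17.04.2011 23:12:09 LSASS Exploit (E2K) attack, from 186.9.2.93:445
18.04.2011 15:26:07 LSASS Exploit (E2K) attack, from 95.27.86.76:445
19.04.2011 01:58:19 LSASS Exploit (E2K) attack, from 95.27.86.76:445
20.04.2011 13:50:34 LSASS Exploit (E2K) attack, from 65.0.115.194:445
23.04.2011 21:35:50 LSASS Exploit (E2K) attack, from 89.178.244.153:445
24.04.2011 00:14:40 LSASS Exploit (E2K) attack, from 93.120.75.218:445
24.04.2011 02:47:45 LSASS Exploit (E2K) attack, from 61.231.221.76:445
24.04.2011 09:26:40 LSASS Exploit (E2K) attack, from 74.235.175.6:445
24.04.2011 20:22:16 LSASS Exploit (E2K) attack, from 70.248.29.2:445
27.04.2011 09:43:34 LSASS Exploit (E2K) attack, from 113.252.81.203:445
27.04.2011 16:42:18 LSASS Exploit (E2K) attack, from 113.252.81.203:445
29.04.2011 02:07:48 DCOM Exploit attack, from 49.133.128.198:135
01.05.2011 14:03:01 DCOM Exploit attack, from 49.238.31.17:135
"""

def parse_nshield(text):
    """Turn nshield-style lines into dicts; lines in another layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
                           "sig": m["sig"], "ip": m["ip"], "port": int(m["port"])})
    return events

def per_signature(events):
    """Per signature: total hits, number of distinct source IPs, service probed."""
    acc = {}
    for e in events:
        s = acc.setdefault(e["sig"], {"hits": 0, "sources": set(), "ports": set()})
        s["hits"] += 1
        s["sources"].add(e["ip"])
        s["ports"].add(e["port"])
    return {sig: {"hits": s["hits"], "distinct_sources": len(s["sources"]),
                  "services": sorted(PORT_SERVICE.get(p, f"port {p}") for p in s["ports"])}
            for sig, s in acc.items()}

def repeat_sources(events, min_hits=2):
    """Source IPs seen at least min_hits times, most active first."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return sorted(((ip, n) for ip, n in counts.items() if n >= min_hits),
                  key=lambda t: (-t[1], t[0]))

def burst_sources(events, min_hits=3, window=timedelta(hours=1)):
    """Sources with min_hits or more events inside one window: a retrying scanner
    rather than a one-off probe, so the ones worth a second look. The default
    threshold is an assumption for illustration."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    bursts = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        if any(stamps[i + min_hits - 1] - stamps[i] <= window
               for i in range(len(stamps) - min_hits + 1)):
            bursts.append(ip)
    return sorted(bursts)

if __name__ == "__main__":
    ev = parse_nshield(SAMPLE_LOG)
    for sig, s in per_signature(ev).items():
        print(f"{sig}: {s['hits']} hits from {s['distinct_sources']} sources "
              f"on {', '.join(s['services'])}")
    print("repeat sources:", repeat_sources(ev))
    print("bursts (3+ hits within an hour):", burst_sources(ev))
```

Run on the post's log this gives 19 LSASS hits from 15 unrelated sources and 3 DCOM hits from 3 sources over five weeks, with a single source (186.44.182.138) retrying within half an hour. Many unrelated sources, each with one or two hits, is the shape of untargeted scanning for SMB (445) and the RPC endpoint mapper (135) rather than of something aimed at this machine; the defender's check is whether those ports are reachable from the link at all, and the network shield reporting the attempts is what makes them visible in the first place.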
 
Do a whois on the IPs from the log.
By the way, have you set your firewall security to maximum? Also, from the log it seems you have installed some codec which is used for streaming, which is trying to access the blocked ports, or in this case the blacklisted IP in the firewall. Check the usage pattern, in this case which applications are trying to access the internet.
My first guess is malware.
 
@ggt thanks mate, I did a search at www[.]whois[.]sc;
here are the results:
220.214.143.227:445 - Japan Sapporo Dion (kddi Corporation)
61.170.164.27:445 - China Shanghai Chinanet Shanghai Province Network
98.124.82.51:445 - United States Moncks Corner Home Telephone Company Inc
89.106.221.146:135 - Germany Sindelfingen Klinikverbund Suedwest Gmbh
186.44.182.138:445 - Trinidad And Tobago Telecommunication Services Of Trinidad And Tobago
186.44.182.138:445 - Trinidad And Tobago Telecommunication Services Of Trinidad And Tobago
186.44.182.138:445 - Trinidad And Tobago Telecommunication Services Of Trinidad And Tobago
74.235.173.80:445 - United States Charlotte Clt Adsl Cbb
95.26.252.129:445 - Russian Federation Dynamic Ip Pool For Broadband Customers
186.9.2.93:445 - Chile Santiago Entel Pcs Telecomunicaciones S.a
95.27.86.76:445 - Russian Federation Dynamic Ip Pool For Broadband Customers
95.27.86.76:445 - Russian Federation Dynamic Ip Pool For Broadband Customers
65.0.115.194:445 - United States Starkville Jan Adsl Cbb
89.178.244.153:445 - Russian Federation Moscow Broadband Customers In Moscow
93.120.75.218:445 - Romania Sc Webnet Telecom Srl
61.231.221.76:445 - Taiwan Taipei Chunghwa Telecom Data Communication Business Group
74.235.175.6:445 - United States Charlotte Clt Adsl Cbb
70.248.29.2:445 - United States Laredo Webb County
113.252.81.203:445 - Hong Kong Hong Kong Hutchison Global Communications
113.252.81.203:445 - Hong Kong Hong Kong Hutchison Global Communications
49.133.128.198:135 - Japan Nagoya Kddi Corporation
49.238.31.17:135 - Japan Oita Oita Cable Telecom Co. Ltda

About my firewall settings, avast has 3 settings: Home/Work/Public. I have selected Home (Low risk zone).
No idea about any codec for streaming purposes; I browse through Aircel GPRS and I don't stream videos.

Also, from the log it seems you have installed some codec which is used for streaming, which is trying to access the blocked ports, or in this case the blacklisted IP in the firewall. Check the usage pattern, in this case which applications are trying to access the internet.

How do I check for that??

About malware: I scanned my system a few days back with Malwarebytes' Anti-Malware, found two pieces of malware and deleted those; even today I have done a quick scan using Windows Defender, everything is OK, no threats. I will scan again using Spybot Search & Destroy.

Here is a log file from HijackThis; this might be handy for further analysis.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 04:25:31 PM, on 01 May 2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.7930.16406)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\FastStone Capture\FSCapture.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\System32\osk.exe
C:\Windows\system32\notepad.exe
U:\Hijack this\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [KeePass 2 PreLoad] "C:\Program Files\KeePass Password Safe 2\KeePass.exe" --preload
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\Lavalys\EVEREST Ultimate Edition\everest_start.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0555F8E-AEF6-4867-A436-5B9A2D89D443}: NameServer = 202.148.200.3 202.148.202.3
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Firewall - AVAST Software - C:\Program Files\Alwil Software\Avast5\afwServ.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd. - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
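As an added example (not from the thread and not Trend Micro's code), here is a Python script that reads the O23 service lines from a HijackThis log in the layout above and flags the entries a reviewer would verify first: services with no registered publisher ("Unknown owner"), services whose binary is a generic wrapper such as srvany.exe (which runs whatever program is named in the service's Parameters registry key, so the listed path says nothing about what actually runs), and binaries outside the usual Windows or Program Files roots. The sample input is the O23 section of the log above; the reason codes and the root-directory list are assumptions chosen for illustration. The flags are review prompts, not verdicts: a legitimate third-party service registered without a publisher string triggers the same flag.

```python
import re

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
NAME_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))?$")

# Binaries that are only a host for some other program (assumption: list for illustration).
WRAPPERS = {"srvany.exe"}
# Roots where service binaries normally live on this kind of install (assumption).
NORMAL_ROOTS = ("c:\\windows\\", "c:\\program files", "c:\\progra~1")

# Sample input: the O23 lines from the HijackThis log in the post.
SAMPLE_O23 = r"""
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Firewall - AVAST Software - C:\Program Files\Alwil Software\Avast5\afwServ.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd. - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
"""

def parse_o23(text):
    """Extract service name, owner and binary path from O23 lines; other lines are ignored."""
    services = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        n = NAME_RE.match(m["name"])
        services.append({
            # HijackThis prints "Display Name (ServiceName)"; key on the service name if shown.
            "key": n["short"] or n["display"],
            "owner": m["owner"],
            "path": m["path"],
        })
    return services

def flag_services(services):
    """Map service key -> list of reason codes for entries worth verifying by hand."""
    flagged = {}
    for s in services:
        reasons = []
        if s["owner"].lower() == "unknown owner":
            reasons.append("unknown-owner")
        if s["path"].rsplit("\\", 1)[-1].lower() in WRAPPERS:
            reasons.append("service-wrapper")
        if not s["path"].lower().startswith(NORMAL_ROOTS):
            reasons.append("unusual-path")
        if reasons:
            flagged[s["key"]] = reasons
    return flagged

if __name__ == "__main__":
    for key, reasons in flag_services(parse_o23(SAMPLE_O23)).items():
        print(f"{key}: {', '.join(reasons)}")
```

On the log above the two entries that come back flagged are KMService (no publisher, hosted by srvany.exe) and PnkBstrA (no publisher). KMService is the service the poster later reports having removed; for an srvany-hosted service the thing to inspect is the program named under its Parameters key, because the O23 line only shows the wrapper.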
 
I guess the last option would be to format your PC.
Here are some things I would like to suggest.
Reset all your permissions for the firewall in terms of the applications accessing the internet.
Set your firewall to a higher setting where each application will ask you for permission to access the internet.
Use the GPRS through their proxy, i.e. through WAP.
Else format your PC. :)
 
ggt said:
I guess the last option would be to format your PC.
Here are some things I would like to suggest.
Reset all your permissions for the firewall in terms of the applications accessing the internet.
Set your firewall to a higher setting where each application will ask you for permission to access the internet.
Use the GPRS through their proxy, i.e. through WAP.
Else format your PC. :)
Thanks mate, I don't want to reinstall Windows, that's the most boring part of my life :(
My current setting is like that: any application that wants to connect to the net must be authorized by me.
 
CA50 said:
Thanks mate, I don't want to reinstall Windows, that's the most boring part of my life :(

My current setting is like that: any application that wants to connect to the net must be authorized by me.
Why don't you use ESET Smart Security?
 
Try a reinstall of the virus client. Else try another client. Something is hyper-tripping it. Could be that the virus definition DB is corrupt. Happens at times.
 
^Mate, I am using avast Internet Security and I kind of like it, so I don't want to change it, and my virus DB gets updates almost twice a day.

What I want to know exactly is whether I am under some threat??
Also I scanned my PC and found two suspected files, kmservice; I removed those and also removed their firewall permission, and after that I haven't faced such reports from avast :)
 
KMService shows up as a malicious program. Usually associated with MS Office activation. I think you solved the issue yourself.

You seem fine.
 
It is nothing to be worried about. Those are ISP pings (or something like that). It is normal. Avast & Norton cry out loud on such issues.
 