99 replies to this topic

[captarheel]

MBAM is showing a popup box every 5-10 minutes saying it has blocked outgoing access to a malicious site with address 208.73.210.29.

Sometimes the popup box shows the service, and it most frequently lists svchost.exe

Per the MBAM instructions I have run DDS. The results are attached. Please let me know if it would be helpful for me to copy and paste.



I would be grateful for any help possible.

Attached Files

•  DDS.txt   22.36K   12 downloads
•  Attach.txt   14.82K   8 downloads

[MrCharlie]

Welcome to the forum, this infection has proven to sometimes be very difficult to fix.

Please go to your control panel > Java > Update Tab > Update Now.

Java™ 6 Update 29 <---should be 32

---------------------------------------

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system (don't run any other options, there not all bad!)
Post back the report.

MrC

[captarheel]

thank you so much for the help. Sorry for the delay. I have been trying to find the "Update Tab" and cannot locate it.

[captarheel]

I hope it wasn't a mistake to go ahead and run the RogueKiller scan, but i did. Here are the results:

RogueKiller V7.3.3 [04/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Craig Parker [Admin rights]
Mode: Scan -- Date: 04/28/2012 14:25:51

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

[MrCharlie]

We'll deal with Java later.......

Please make sure system restore is running and create a new restore point before continuing.

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.



-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.



------------------------

Click the Start Scan button.



-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.



----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.





--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:


If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

[captarheel]

Sorry for the flood of information. I learned how to get the update tab in the Java Control Panel. You were correct -- I am on version 29. Would you like me to update?

[MrCharlie]

Yes, the latest version is 32.

MrC

[captarheel]

I ran the TDSS Killer. I got three of the unsigned or locked file warnings, but nothing more serious.

Here is the report:

[MrCharlie]

OK, that scan was clean.....

Please download and run ComboFix.
The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
If you get the message Illegal operation attempted on registry key that has been marked for deletion. after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.
MrC

[captarheel]

I also updated Jave to update 32

[MrCharlie]

OK, did you see my post above yours to run ComboFix?? MrC

[captarheel]

I ran ComboFix from the desktop and I did indeed get the Illegal operation attempted on registry key that has been marked for deletion.

I rebooted and here is the ComboFix log

[captarheel]

Sorry for the slowness -- I am incredibly grateful for your help. Combo Fix took a long time.

[captarheel]

By the way, I am still getting the MBAM pop up boxes about blocking access to the same malicious site.

[MrCharlie]

captarheel, on 28 April 2012 - 03:24 PM, said:

By the way, I am still getting the MBAM pop up boxes about blocking access to the same malicious site.

Do you remember what said at the start....

this infection has proven to sometimes be very difficult to fix.

MrC

[captarheel]

oh -- not complaining at all -- just thought you might want that information!

[captarheel]

Mr. C:

I need to step away for a few hours. I sincerely apologize, but I have a commitment that I cannot miss.

I did not want you to be waiting on a response from me. When I get back, I will log back on and check for further instructions.

Again, I thank you very, very much for your assistance.

[MrCharlie]

OK, MrC

[captarheel]

Thank you. Just let me know what I should do next.

[MrCharlie]

What browser does this happen in??

-----------------------------------

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.
Double click on the icon on your desktop.
Click the Scan All Users checkbox.
Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

MrC