Malwarebytes

being attacked by 208.73.210.29; MBAB blocking outbound access every 5-10 minutes

- - - - - malicious site

99 replies to this topic

#41
MrCharlie

    Forum Deity

  • Experts
  • 17,383 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
When you uninstalled Chrome and FF, did you still get the warnings??

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#42
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Yes -- they are still popping up.

#43
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Actually, I noticed that the last pop up was for a different IP address. Unfortunately, I didn't get it before it disappeared. It started with 173.something.

And, I haven't seen another popup in nearly an hour.

#44
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
I found the blocked site IP address in MBAM's log:

173.192.183.196

#45
MrCharlie

    Forum Deity

  • Experts
  • 17,383 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
[image not captured]

Here's where that's from.

Delete your copy of ComboFix, download and run a fresh copy, then post the log.

MrC


#46
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Will do right now. Do I need to turn off all the antivirus stuff again?

#47
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Turned off all antivirus and firewall. Re-ran CF. It rebooted, and then I had to reboot again as I was getting the "illegal ... marked for deletion" error.

Here is the new CF log:

#48
MrCharlie

    Forum Deity

  • Experts
  • 17,383 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
OK, that looks OK.

I'm running out of ideas. Let me do some more research; I'll get back to you ASAP. MrC


#49
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Thanks. I will check throughout the day.

I really do appreciate your time and assistance.

#50
MrCharlie

    Forum Deity

  • Experts
  • 17,383 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
While I'm looking, please do this:

Download and run McAfee Labs Stinger:

http://www.mcafee.co...se-stinger.aspx

-------------------------------

Then...

Please Update and run a Full Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

MrC


#51
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Under way right now. Will post the log when it finishes.

#52
MrCharlie

    Forum Deity

  • Experts
  • 17,383 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
OK, take your time. Let me know. MrC


#53
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Nothing detected. Here is the report:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.30.06

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421


Protection: Enabled

4/30/2012 11:45:25 AM
mbam-log-2012-04-30 (11-45-25).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 300865
Time elapsed: 43 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#54
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
I have not seen the pop up box since about 6:09 this morning.

#55
MrCharlie

    Forum Deity

  • Experts
  • 17,383 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Did the Stinger find anything?? MrC


#56
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Stinger did not give me a report, at least not one that popped up. Is there somewhere I should look on the system?

#57
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Re-ran Stinger. Here is the report:

#58
MrCharlie

    Forum Deity

  • Experts
  • 17,383 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Neither program found anything; you're still getting the pop-ups, right?

MrC


#59
MrCharlie

    Forum Deity

  • Experts
  • 17,383 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
This is a long shot, but let's do it.

Please download SystemLook from the link below and save it to your Desktop.
http://jpshortstuff....temLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    208.73.210.29
    13376694984709702142491016734454
    :regfind
    208.73.210.29
    13376694984709702142491016734454
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


#60
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
As I wrote a little earlier today, I haven't seen the popups for several hours. The last indication in the MBAM log of a blocked IP address is from 6:09 AM:

2012/04/30 05:46:05 -0500 MESSAGE IP Protection stopped
2012/04/30 05:46:07 -0500 MESSAGE Database refreshed successfully
2012/04/30 05:46:07 -0500 MESSAGE Starting IP protection
2012/04/30 05:46:09 -0500 MESSAGE IP Protection started successfully
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51064, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51071, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51087, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51094, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51098, Process: mcsvhost.exe)
2012/04/30 06:09:47 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51109, Process: mcsvhost.exe)
2012/04/30 08:26:02 -0500 MESSAGE Starting protection
2012/04/30 08:26:05 -0500 MESSAGE Protection started successfully
2012/04/30 08:26:09 -0500 MESSAGE Starting IP protection
2012/04/30 08:26:10 -0500 MESSAGE IP Protection started successfully
2012/04/30 08:36:40 -0500 MESSAGE Stopping IP protection
2012/04/30 08:38:37 -0500 MESSAGE IP Protection stopped
2012/04/30 08:53:25 -0500 MESSAGE Starting protection
2012/04/30 08:53:28 -0500 MESSAGE Protection started successfully
2012/04/30 11:44:53 -0500 MESSAGE Starting database refresh
2012/04/30 11:44:55 -0500 MESSAGE Database refreshed successfully
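As an added example (editor's code, not posted by anyone in this thread), a small Python parser for the MBAM 1.x protection-log format quoted above: it keeps only IP-BLOCK lines, groups outgoing blocks by process and destination, and flags clusters of retries like the six above so they are not mistaken for a single click. The sample lines are copied from the post; the "looks automated" thresholds are my own assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: MESSAGE and IP-BLOCK lines in the MBAM protection-log format quoted in this thread.
SAMPLE_LOG = """\
2012/04/30 05:46:09 -0500 MESSAGE IP Protection started successfully
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51064, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51071, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51087, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51094, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51098, Process: mcsvhost.exe)
2012/04/30 06:09:47 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51109, Process: mcsvhost.exe)
2012/04/30 08:26:02 -0500 MESSAGE Starting protection
"""

BLOCK_RE = re.compile(  # one IP-BLOCK line: timestamp, zone, destination, parenthesised details
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} IP-BLOCK "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)

def parse_ip_blocks(text):
    """Return one dict per IP-BLOCK line; MESSAGE and unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y/%m/%d %H:%M:%S")
            e["port"] = int(e["port"])  # ephemeral source port chosen by the client
            events.append(e)
    return events

def summarize_outgoing(events):
    """Group outgoing blocks by (process, destination): count, source ports, and time span."""
    groups = defaultdict(list)
    for e in events:
        if e["direction"] == "outgoing":
            groups[(e["process"], e["ip"])].append(e)
    summary = {}
    for key, evs in groups.items():
        times = sorted(e["ts"] for e in evs)
        summary[key] = {"count": len(evs), "ports": sorted(e["port"] for e in evs),
                        "span_seconds": int((times[-1] - times[0]).total_seconds())}
    return summary

def looks_automated(entry, min_count=3, max_window=120):
    """Assumed heuristic: several blocks to one host from one process inside a short window."""
    return entry["count"] >= min_count and entry["span_seconds"] <= max_window
```

The grouping by process is what matters for triage: the responder sees which binary keeps reaching for the blocked host, and a burst on fresh source ports within seconds is retrying software rather than a user clicking a link.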




