Malwarebytes

being attacked by 208.73.210.29; MBAB blocking outbound access every 5-10 minutes

Tags: malicious site

99 replies to this topic

#61
MrCharlie

    Forum Deity

  • Experts
  • 17,321 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
That's related to McAfee SecurityCenter.

Here's the IP info on the address:

[image: IP info for 208.73.210.29]

MrC

Malware Removal Expert


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.


#62
captarheel

    Regular Member

  • Honorary Members
  • 92 posts
Here is the log output from the SysLook scan:

SystemLook 30.07.11 by jpshortstuff
Log created at 15:50 on 30/04/2012 by
Administrator - Elevation successful

========== filefind ==========

Searching for "208.73.210.29"
No files found.

Searching for "13376694984709702142491016734454"
No files found.

========== regfind ==========

Searching for "208.73.210.29"
No data found.

Searching for "13376694984709702142491016734454"
No data found.

#63
MrCharlie

Run Systemlook again but use this code:

:filefind
mcsvhost.exe

post back the report, MrC


#64
captarheel

here you go:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:55 on 30/04/2012 by
Administrator - Elevation successful

========== filefind ==========

Searching for "mcsvhost.exe"
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe --a---- 249936 bytes [18:49 29/07/2011] [23:28 27/01/2011] ACB01BF1A905356AB7F978C7FE852209

-= EOF =-

#65
MrCharlie

That's OK and in the right place.

Let's reset Internet Explorer back to defaults:
http://windows.micro...rnet-Explorer-9

Let me know.....MrC

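Before accepting "that's OK and in the right place" as a verdict, a responder would want to check more than the path: the MD5 reported by SystemLook only proves the file on disk is the one the tool saw, while a valid Authenticode chain to the expected publisher is what separates a vendor binary from a lookalike that reuses its name. The script below is an added example and not part of the thread or of any tool used in it. It assumes Windows PowerShell 3.0 or later; the path and MD5 it is called with are copied from the SystemLook output above, and the expected publisher string is my assumption about what the signer's subject should contain.

```powershell
# Added example, not from the thread: verify a binary that a search tool such as
# SystemLook has located. Assumes Windows PowerShell 3.0+. The path and MD5 used at
# the bottom are copied from the SystemLook output posted in the thread; the expected
# publisher substring is an assumption.

function Get-Md5Hex {
    param([string]$Path)
    # MD5 via .NET so this also works where Get-FileHash (PowerShell 4.0+) is absent.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $md5.ComputeHash($stream) } finally { $stream.Close(); $md5.Clear() }
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Test-LocatedBinary {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedMd5,                 # hash reported by the search tool, if any
        [string]$ExpectedPublisher = 'McAfee' # assumption: substring of the signer subject
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item   = Get-Item -LiteralPath $Path
    $md5    = Get-Md5Hex -Path $item.FullName
    $sig    = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # The MD5 only proves the file on disk is the one the tool reported. A Valid
    # Authenticode chain to the publisher you expect is the check that actually
    # distinguishes a vendor binary from a lookalike using the vendor's file name.
    [pscustomobject]@{
        Path            = $item.FullName
        Exists          = $true
        SizeBytes       = $item.Length
        ModifiedUtc     = $item.LastWriteTimeUtc
        Md5             = $md5
        Md5Matches      = if ($ExpectedMd5) { $md5 -eq $ExpectedMd5.ToUpperInvariant() } else { $null }
        SignatureStatus = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $signer
        PublisherOk     = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedPublisher*")
    }
}

$found = Test-LocatedBinary -Path 'C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe' `
                            -ExpectedMd5 'ACB01BF1A905356AB7F978C7FE852209'
$found | Format-List

# Same-named copies anywhere else on the system drive: a lookalike in a user-writable
# directory is exactly what "in the right place" is meant to rule out.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'McSvHost.exe' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.FullName -ne $found.Path } |
    Select-Object FullName, Length, LastWriteTimeUtc
```

A `SignatureStatus` of `Valid` with a McAfee signer and a matching MD5 is the result that justifies leaving the file alone; `NotSigned` or `HashMismatch` on a file in a vendor directory, or a second `McSvHost.exe` under a user profile, is the result that would change the direction of the cleanup.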

#66
captarheel

done. No errors or exceptions noted.

#67
MrCharlie

Well, use it and let me know...MrC


#68
captarheel

Thanks.

So do you think we have gotten as far as we are going to get?

I haven't seen any popup windows at all since 6:09 this am.

Doesn't seem like we ever found something specific. Or did you see something along the way that we finally nailed?

I am grateful for your assistance and patience -- thank you so much!

#69
MrCharlie

Not really; every one of these infections is different. I'll look over everything again.

MrC


#70
captarheel

thanks. If you find anything, please let me know!

#71
MrCharlie

Well, here's what we did:
  • ComboFix cleaned out a lot of malware.
  • I used OTL and cleaned out some folders from an old infection (from Nov. 11, 2011).
  • We cleared out all the temp files, reinstalled Chrome and FF.
  • Reset Internet Explorer.

So let me know how it is tomorrow, MrC


#72
captarheel

Thank you

This morning I am getting a pop-up box from MBAM blocking access to 173.192.183.196 (one time so far) and to .195 (also one time so far). I think you said that is from McAfee. Should I allow those sites?

I have not seen the 208.73.210.29 since Sunday night at 20:32.

What sort of malware did I have? Was it the kind that logs keystrokes, or something else? Are you able to tell?

#73
MrCharlie


captarheel, on 01 May 2012 - 06:15 AM, said:

This morning I am getting a pop-up box from MBAM blocking access to 173.192.183.196 (one time so far) and to .195 (also one time so far). I think you said that is from McAfee. Should I allow those sites?

I have not seen the 208.73.210.29 since Sunday night at 20:32.

What sort of malware did I have? Was it the kind that logs keystrokes, or something else? Are you able to tell?

No, it wasn't a keylogger.


No, don't allow it until we know what it is.
Do they list any process with them?

What browser are you using when this pops up?

Does the pop-up come up when you're visiting a certain website, or when you're just sitting there with an open browser?

Can you manually update McAfee......for database and program updates?
See if it uses those IP addresses to do so.

---------------------------------------


Download CKScanner & save it to your Desktop
http://downloads.mal...m/CKScanner.exe
Double-click CKScanner.exe, then click Search For Files
When the cursor hourglass disappears, click Save List To File
A message box will verify the file saved
Double-click the CKFiles.txt icon on your desktop, then copy/paste the contents in your next reply

MrC


#74
captarheel

When I turned off McAfee automatic updates and manually updated, I could see the update progress but got no pop-up box from MBAM. I do not know how to see what address McAfee uses when it updates.

The pop-up box does not seem to be particular to any given website. Over the past few days, the only websites I have been to are extremely limited -- and only news or very large commerce sites.

I have been running FF. Interestingly (perhaps), I have not seen the 208 address since Sunday night, but I did see the 173 .. 195 address yesterday morning at 6:09 and again this morning also at 6:09. I saw the 173 ... 196 address at 5:59 this morning, but not at all yesterday.

For all attempts the service listed was mcsvhost.exe

According to the MBAM log, in each of the three instances - yesterday morning at 6:09, this morning at 5:59 and this morning at 6:09, there were 6 blocks each time.

One more comment -- when I look at the Task Manager, show processes from all users, the svchost.exe under System name (not my individual user) is using (comparatively) a lot of ram usually well over 160,000k. I have no idea if that is meaningful or not, but it was that utilization that really started getting me suspicious.

Here is the log from CKScanner:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.TTAPTW
----- EOF -----
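The two open questions at this point of the thread, which process actually owns the connections MBAM is blocking and what is inside the svchost.exe instance that holds 160 MB, are both answerable from the box itself. The script below is an added example, not something from the thread or from Malwarebytes or McAfee. It parses `netstat -ano` (present on Windows XP and 7) rather than `Get-NetTCPConnection`, which only exists from Windows 8 / Server 2012, and uses `Win32_Service` to map a PID back to the services it hosts, since `svchost.exe` and McAfee's `McSvHost.exe` are both generic service hosts whose image name alone says nothing. It assumes Windows PowerShell 3.0 or later; the sample netstat table in it is constructed, and only the addresses come from the thread.

```powershell
# Added example, not from the thread: tie an outbound destination to the process that
# owns the socket, then list the services hosted inside that process. Assumes Windows
# PowerShell 3.0+. The $sample table is constructed for illustration; only the
# addresses are the ones discussed in the thread.

function ConvertFrom-Netstat {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Row layout: Proto  Local Address  Foreign Address  [State]  PID  (UDP rows have no State)
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notin 'TCP', 'UDP') { continue }
        $remote = $f[2]
        [pscustomobject]@{
            Proto     = $f[0]
            Local     = $f[1]
            Remote    = $remote
            RemoteIp  = $remote.Substring(0, $remote.LastIndexOf(':'))  # strip :port, IPv6-safe
            State     = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
            ProcessId = [int]$f[-1]
        }
    }
}

function Get-HostedServices {
    param([int]$ProcessId)
    # Win32_Service records the PID of the process each service is running in.
    Get-WmiObject Win32_Service -Filter "ProcessId=$ProcessId" |
        Select-Object -ExpandProperty Name
}

function Get-ConnectionsTo {
    param([string[]]$RemoteIps, [string[]]$NetstatLines)
    ConvertFrom-Netstat -Lines $NetstatLines |
        Where-Object { $RemoteIps -contains $_.RemoteIp } |
        ForEach-Object {
            $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote    = $_.Remote
                State     = $_.State
                ProcessId = $_.ProcessId
                Image     = if ($proc -and $proc.Path) { $proc.Path } elseif ($proc) { $proc.Name } else { '<not running>' }
                Services  = (@(Get-HostedServices -ProcessId $_.ProcessId) -join ', ')
            }
        }
}

function Get-ServiceHostMap {
    param([string]$ImageName = 'svchost')
    # Which services live in each host instance, with its working set: answers the
    # "one svchost.exe is using 160 MB" question without guessing.
    Get-Process -Name $ImageName -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            ProcessId    = $_.Id
            WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
            Services     = (@(Get-HostedServices -ProcessId $_.Id) -join ', ')
        }
    } | Sort-Object WorkingSetMB -Descending
}

# Constructed sample of netstat -ano output (not captured from the poster's machine).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49312     173.192.183.196:80     SYN_SENT        1480
  TCP    192.168.1.10:49313     173.192.183.195:443    ESTABLISHED     1480
  TCP    192.168.1.10:49320     208.73.210.29:80       TIME_WAIT       0
  TCP    [::1]:49330            [::1]:445              ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    900
'@ -split "`r?`n"

$targets = '208.73.210.29', '173.192.183.195', '173.192.183.196'

# Offline: parse the sample only (no PID lookups, since those PIDs are not live here).
ConvertFrom-Netstat -Lines $sample | Where-Object { $targets -contains $_.RemoteIp } | Format-Table -AutoSize

# Live: resolve image paths and hosted services for whatever is talking to those addresses now.
Get-ConnectionsTo -RemoteIps $targets -NetstatLines (netstat -ano) | Format-Table -AutoSize
Get-ServiceHostMap | Format-Table -AutoSize
```

Two practical notes. Because MBAM blocks the connection, a blocked socket may only ever be visible in `SYN_SENT` for a moment, so the live query is best run in a loop around the time the pop-ups appear. And the pattern reported above, the same destinations at 05:59 and 06:09 two mornings in a row, is what a timer looks like; `schtasks /query /fo LIST /v` lists every scheduled task with its Last Run Time, which can be compared directly against the MBAM block timestamps to see whether a scheduled job (a vendor update task is one obvious candidate) is the trigger.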

#75
MrCharlie

OK, let me think about this, MrC


#76
MrCharlie

Download and unzip silentrunners to a folder:

http://www.silentrun...t%20Runners.zip

Right-click on Silent Runners.vbs and choose Run as Administrator; if that's not available, just double-click on it to run.

When asked about the supplementary scan....leave the default setting (we don't want to run it)

Post back the report.

-----------------------------------

Don't do it yet, but I would like to try MVPS HOSTS


Let's try this.....Install MVPS HOSTS >> both of those sites are listed:


Softlayer Technologies

Oversee.net

http://winhelp2002.m...g/hostswin7.htm <---W7

http://winhelp2002.mvps.org/hosts.htm <--home page


MrC


#77
captarheel

I ran SilentRunner and have attached the results.

I did not fully understand the second part of your last post. Is there something more you would like me to install/run relating to MVPS Host?

#78
MrCharlie


Quote

I did not fully understand the second part of your last post. Is there something more you would like me to install/run relating to MVPS Host?

No, don't do anything with it. I'm still looking over the log and thinking about what to do next....MrC


#79
captarheel

Well . . . I screwed up, then. I re-read your post and thought at the end your instructions were to run the MVPS change. I just did that before I saw your post.

Is there a way to undo that?

#80
MrCharlie

That's OK...there's no harm done, and yes, we can restore the original hosts file.

Let me know if you still get the pop-up warnings.

The log from SilentRunner was OK......MrC

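Swapping in a blocklist hosts file such as MVPS HOSTS, and undoing it afterwards as discussed in the last two posts, is cleaner when the original is snapshotted first and the installed file can be inspected for what it actually contains. The script below is an added example and not from the thread or from the MVPS project; it assumes an elevated Windows PowerShell 3.0+ session and keeps its backup beside the original (my choice of location). One caveat worth stating plainly: the hosts file maps names to addresses, so it only affects connections a program makes by name. A process that connects straight to an address such as 208.73.210.29 is not touched by it, which is why a hosts entry and an IP-based blocker like MBAM's are answering different questions.

```powershell
# Added example, not from the thread: snapshot the hosts file before installing a
# blocklist such as MVPS HOSTS, inspect what the installed file contains, and restore
# the original. Assumes an elevated Windows PowerShell 3.0+ session; the backup path
# is an assumption of this example.

$HostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BackupPath = "$HostsPath.bak"   # assumption: backup kept beside the original

function Backup-Hosts {
    # Never overwrite an existing backup: the first copy is the pre-change original.
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        Copy-Item -LiteralPath $HostsPath -Destination $BackupPath
    }
    Get-Item -LiteralPath $BackupPath | Select-Object FullName, Length, LastWriteTimeUtc
}

function Restore-Hosts {
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup at $BackupPath" }
    Copy-Item -LiteralPath $BackupPath -Destination $HostsPath -Force
    # Flush the resolver cache so the restored mappings take effect immediately.
    ipconfig /flushdns | Out-Null
}

function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    Get-Content -LiteralPath $Path |
        ForEach-Object { ($_ -replace '#.*$', '').Trim() } |   # drop comments and blanks
        Where-Object { $_ -match '^\S+\s+\S' } |               # need address + at least one name
        ForEach-Object {
            $parts = $_ -split '\s+'
            foreach ($name in $parts[1..($parts.Count - 1)]) {
                [pscustomobject]@{ Address = $parts[0]; Name = $name }
            }
        }
}

function Find-HostsEntry {
    # Blocklists such as MVPS list host names and sink them to 0.0.0.0, so search by
    # name pattern; searching for a remote IP finds nothing by design.
    param([string]$Pattern, [string]$Path = $HostsPath)
    Get-HostsEntries -Path $Path | Where-Object { $_.Name -like $Pattern -or $_.Address -eq $Pattern }
}

Backup-Hosts
$entries = @(Get-HostsEntries)
"{0} entries; {1} sinkholed to 0.0.0.0 or 127.0.0.1" -f $entries.Count,
    @($entries | Where-Object { $_.Address -in '0.0.0.0', '127.0.0.1' }).Count
# The thread says both providers' sites are listed; check the installed file rather than assume.
Find-HostsEntry -Pattern '*oversee*'
Find-HostsEntry -Pattern '*softlayer*'
# Restore-Hosts   # run this when you want the stock hosts file back
```

A stock Windows hosts file has only comment lines and at most the loopback entries, so an entry count in the tens of thousands is what a successfully installed MVPS file looks like, and a count near zero after `Restore-Hosts` confirms the rollback.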




