Jump to content

Persistent IP Blocks: 94.75.228.175


Recommended Posts

I would greatly appreciate help with stopping persistent malware IP accesses, that are evidenced by MBAM IP block messages. The blocked IP address is usually 94.75.228.175 but others sometimes occur.

The affected computer is a Dell XPS 700 running WinXP SP3. The IP blocks always occur when browsing, however only with a search results page showing (Google, Bing, Yahoo, etc). This is the trigger that starts the blocks - I do not have to visit any site other than Google for the blocking to start

Key point: I have been told this situation is "normal" however the problem occurs only on this one computer. I have worked with five other computers (similarly configured) in the past two years and none of them have this problem.

I have never knowingly installed any P2P software, don't have IM enabled, have never run Skype. I am using a Draytek router in full stealth mode, therefore I believe the malicious IP accesses are being triggered by something running on this computer.

Actions:

I have run Defogger and disabled CD-ROM emulation software

I have attached a Zip file containing the following logs: Atach.txt, DDS.txt, mbam-info.txt

I am currently running GMER but it is taking a long time - I will post the log as follow up. I am very happy to provide other logs as necessary'

Thanks very much!

Perkins_Logs1.zip

Link to post
Share on other sites

Thank you, I really appreciate your help! Re: "Disable your security programs" .. I should have asked what security programs you mean. The only non-Windows program in the security genre I have running is MBAM - I left this running. Please tell me if I should disable anything else and I will scan again. Herewith the contents of the Rootkit Unhooker log:

--

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xDDFD7000 C:\WINDOWS\System32\nv4_disp.dll 3977216 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 84.40 )

0xF5319000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3653632 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 84.40 )

0xE0BA3000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0xE0BA3000 PnpManager 2150400 bytes

0xE0BA3000 RAW 2150400 bytes

0xE0BA3000 WMIxWDM 2150400 bytes

0xDDE00000 Win32k 1855488 bytes

0xDDE00000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF46A5000 C:\WINDOWS\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)

0xF5197000 C:\WINDOWS\system32\DRIVERS\VMHybrid.sys 1060864 bytes (Compro Technology, Inc., VMHybrid)

0xF5064000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)

0xF4FBD000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 684032 bytes (Conexant Systems, Inc., HSF_CNXT driver)

0xF5CBC000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xED349000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)

0xEE403000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xF4EB7000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xEE574000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xEC97F000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xDE3A2000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xEC1F2000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xF5163000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 212992 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)

0xF4F15000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xF5E5B000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xECA37000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xF5C8F000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xEB4DC000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xEE473000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xF4F95000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xEE54C000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF5E05000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xEE526000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xF52E1000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 147456 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)

0xEB507000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xF4681000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF52BD000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF529A000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xEE504000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xE0B82000 ACPI_HAL 134400 bytes

0xE0B82000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF5D88000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF5E2B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xF5C75000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF5DA8000 nvatabus.sys 102400 bytes (NVIDIA Corporation, NVIDIA

Link to post
Share on other sites

Hi,

Are the IP blocks by MBAM the only symptom you are having? I don't see anything alarming in your logs. Let's run this scan to be sure though:

icon11.gifYour Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

  • Go to this page.
  • Scroll down to where it says "Java Platform, Standard Edition."
  • Click the "Download JRE" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and AppletsTrace and Log Files

    [*]Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    [*]Click OK to leave the Temporary Files Window

    [*]Click OK to leave the Java Control Panel.

icon11.gif Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

    [*]Click on My Computer under the green Scan bar to the left to start the scan.

    [*]Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    [*]Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

    [*]Click View report... at the bottom.

    [*] Click the Save report... button.

    [*] Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

Please include the following in your next post:

  • Kaspersky log

Link to post
Share on other sites

Thanks! I really appreciate your time and help - very generous! Yes, the IP blocks by MBAM are the only symptom I have discovered. This symptom has persisted for about 4 months. Before that everything was normal. The following may be pointers to something untoward:

1) After running GMER it came up with an error at the end: "Windows was unable to save all the data for the file: \WINDOWS\system32\config\SysEvent.Evt. The data has been lost...." Then immediately the keyboard and mouse became unresponsive. Nothing worked, Ctrl-Alt-Del did not work. I had to shut the system down manually. But the system seemed to restart normally and did not come up with "Use last good configuration, etc..." This has not happened before.

2) In April this year MBAM found and quarantined 10 items:

- Trojan.Downloader (4 instances)

- Trojan.FraudPack.Gen (2 instances)

- Rogue.AKMAntivirus

- Malware.Packer.Gen

- Trojan.Agent.Gen

- Rootkit.Dropper

I did not notice anything untoward immediately but I think this is the time the IP blocks started.

Actions:

I updated Java as described

I ran the Kaspersky scan as described and have appended the report:

--

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, August 14, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, August 14, 2010 03:16:25

Records in database: 4132424

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

Scan statistics:

Objects scanned: 128509

Threats found: 4

Infected objects found: 2

Suspicious objects found: 5

Scan duration: 02:00:35

File name / Threat / Threats count

C:\Data Files\Astro&Personal\Archive.fol\In Box 00.mbx Infected: Email-Worm.VBS.KakWorm 1

C:\Data Files\Astro&Personal\eBAY.fol\General.mbx Infected: Trojan-Spy.HTML.Bayfraud.s 1

C:\Data Files\Astro&Personal\In.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Data Files\Astro&Personal\In.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2

C:\Data Files\Astro&Personal\Old_Astrocrs.zip Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Data Files\Astro&Personal\Out.mbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

Selected area has been scanned.

--

PP: All of those mailboxes can actually be deleted because they are primarily used on another system.

--

Link to post
Share on other sites

Hi Phillip,

That was helpful information. If you have something lingering in there from April it would possibly be outside of the scope of my initial diagnostic tools. Please run this:

icon11.gif Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • ComboFix log

Link to post
Share on other sites

Thanks very much! Could not get Combofix to run. Followed instructions, ran it from desktop etc. The first time I tried there was a small window with a progress bar. Then a DOS window appeared saying there was a new version of Combofix - did I want to download? I accepted. It downloaded then said "Combofix shall restart.." There was another small progress window but then nothing. I waited several minutes. I checked running processes - could not see it. System Idle Process was dominant. The disk activity light showed the system was idling. I ran HJT - could not see it there either. I tried a second time - more or less the same result. The third and fourth times there was no advice about a new version being available - just the small progress bar and then nothing. I downloaded a fresh version each time. Combofix seems to 'self-extinguish' for me.

Before this I stopped MBAM protection and exited via the GUI. But I noticed the mbamservice.exe process was still running. I did not want to go as far as forcibly terminating it. Could this truly stop Combofix from working?

Combofix never got as far as checking for the Recovery Console but I installed it manually from the Windows media and it worked fine. I browsed around under the DOS prompt and everything seemed as it should. Back under Windows it seems the same - nothing untoward except for the persistent IP blocks when browsing. I just re-checked three other XP Pro systems in this house and nothing else has this problem.

--

Link to post
Share on other sites

Update: Combofix did run - eventually! Went back to computer after a couple of hours, rebooted (again) and Combofix decided to work. Sorry about this - haven't a clue what went wrong before. Combofix made a deletion, rebooted system, and made a log file. I have attached the zip file to avoid clogging up the text area. The IP block is still present however..

ComboFix_Log.zip

Link to post
Share on other sites

Sorry, yet another update, but this may be significant: The date when MBAM quarantined the 10 malware items was not April (I was going by memory). The date was actually May 17 and 18. I noticed in the "Find3M Report" of the Combofix log there are four entries with precisely these dates and they look suspicious IMHO:

2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-17 21:19 . 2010-05-17 21:19 55808 --sha-r- c:\windows\system32\Dell2.dll

--

Link to post
Share on other sites

Hello,

Those are normally legitimate. Let's check to be certain though:

icon11.gif Go to My Computer-> Tools-> Folder Options-> View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

Please go to one of the below sites to scan the following files:

virscan.org

Virus Total

Click on Browse, and upload the following files, one at a time, for analysis:

c:\windows\system32\dnssdX.dll

c:\windows\system32\Dell2.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

icon11.gif Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your deskop. Please post the contents of that file.

Please include the following in your next post:

  • MBRCheck log
  • File analysis results

Link to post
Share on other sites

Many thanks! MBRCheck was scary - it seemed to run OK at first but then completely hung the system - could not end the process. Could not restart the system. Had to manually power down. The system restarted OK... whew! But it produced a log file before hanging - attached herewith as zip file (let me know if you'd prefer it in the text area).

VirSCAN.org:

c:\windows\system32\dnssdX.dll produced nothing at all from any scanner. I have not uploaded the log (but can if you want)

c:\windows\system32\Dell2.dll -- much more interesting. Would not upload to VirSCAN - said the file was not found. I tried to copy the file to another location - said access was denied. I tried to copy it under DOS (Recovery Console) - said access was denied. The DOS file attributes are -arhs--- This file has no description and no digital signature.

The other three files I thought suspicious all have descriptions and digital signatures (Apple Inc, part of Bonjour service).. not sure why they were created at exactly the same time as the Malware event.

Thanks!

MBRCheck_08.15.10_14.23.52.zip

Link to post
Share on other sites

icon11.gif Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

File::
c:\windows\system32\Dell2.dll

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Next, navigate to this file and submit it for analysis:

C:\Qoobox\Quarantine\C\windows\system32\Dell2.dll.vir

Please include the following in your next post:

  • ComboFix log
  • File analysis results

Link to post
Share on other sites

Thanks so much for the kind words. My AV called it a generic trojan dropper. This will submit it to the developer of ComboFix so he can add it:

icon11.gif Please visit this site

  • In the Link to topic where this file was requested: field, enter the following:
    http://forums.malwarebytes.org/index.php?showtopic=60240
  • In the Browse to the file you want to submit: field, click on browse and navigate to the following file:
    C:\Qoobox\Quarantine\C\windows\system32\Dell2.dll.vir
  • In the comments field enter the following:
    Undetected malware
  • Press the send file button.

Now I have some very important housekeeping and cleanup work for you to take care of:

icon11.gif Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version.

icon11.gif Go HERE to scan for any other out of date and/or vulnerable applications on your computer and follow the instructions given for updating them.

report.gif Several infections were identified by Kaspersky in your email. Unfortunately Kaspersky is unable to identify which particular email is infected, so delete any emails from anyone you don't know or any that have attachments, such as jokes, videos etc. (don't open them to check).

icon11.gif Install an anti-virus program. I don't see any anti-virus software running on your computer. Choose one, (but no more) reputable AV program. If you need help chosing one, this site has good information. Avast, AVG, Avira and Microsoft all offer free AV products.

icon11.gif Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
    Combofix /Uninstall

Combofix_uninstall_image.jpg

icon11.gif Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER
  • Rootkit Unhooker
  • MBRCheck

icon11.gif Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Please visit our General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.