
Being attacked by 208.73.210.29; MBAM blocking outbound access every 5-10 minutes



Nothing detected. Here is the report:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.30.06

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

Protection: Enabled

4/30/2012 11:45:25 AM

mbam-log-2012-04-30 (11-45-25).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 300865

Time elapsed: 43 minute(s), 57 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


This is a long shot, but let's do it....

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    208.73.210.29
    13376694984709702142491016734454
    :regfind
    208.73.210.29
    13376694984709702142491016734454


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


As I wrote a little earlier today, I haven't seen the popups for several hours. The last indication in the MBAM log of a blocked IP address is from 6:09 AM:

2012/04/30 05:46:05 -0500 MESSAGE IP Protection stopped

2012/04/30 05:46:07 -0500 MESSAGE Database refreshed successfully

2012/04/30 05:46:07 -0500 MESSAGE Starting IP protection

2012/04/30 05:46:09 -0500 MESSAGE IP Protection started successfully

2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51064, Process: mcsvhost.exe)

2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51071, Process: mcsvhost.exe)

2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51087, Process: mcsvhost.exe)

2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51094, Process: mcsvhost.exe)

2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51098, Process: mcsvhost.exe)

2012/04/30 06:09:47 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51109, Process: mcsvhost.exe)

2012/04/30 08:26:02 -0500 MESSAGE Starting protection

2012/04/30 08:26:05 -0500 MESSAGE Protection started successfully

2012/04/30 08:26:09 -0500 MESSAGE Starting IP protection

2012/04/30 08:26:10 -0500 MESSAGE IP Protection started successfully

2012/04/30 08:36:40 -0500 MESSAGE Stopping IP protection

2012/04/30 08:38:37 -0500 MESSAGE IP Protection stopped

2012/04/30 08:53:25 -0500 MESSAGE Starting protection

2012/04/30 08:53:28 -0500 MESSAGE Protection started successfully

2012/04/30 11:44:53 -0500 MESSAGE Starting database refresh

2012/04/30 11:44:55 -0500 MESSAGE Database refreshed successfully


Here is the log output from the SystemLook scan:

SystemLook 30.07.11 by jpshortstuff

Log created at 15:50 on 30/04/2012 by

Administrator - Elevation successful

========== filefind ==========

Searching for "208.73.210.29"

No files found.

Searching for "13376694984709702142491016734454"

No files found.

========== regfind ==========

Searching for "208.73.210.29"

No data found.

Searching for "13376694984709702142491016734454"

No data found.


Here you go:

SystemLook 30.07.11 by jpshortstuff

Log created at 16:55 on 30/04/2012 by

Administrator - Elevation successful

========== filefind ==========

Searching for "mcsvhost.exe"

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe --a---- 249936 bytes [18:49 29/07/2011] [23:28 27/01/2011] ACB01BF1A905356AB7F978C7FE852209

-= EOF =-


Thanks.

So do you think we have gotten as far as we are going to get?

I haven't seen any popup windows at all since 6:09 this am.

Doesn't seem like we ever found something specific. Or did you see something along the way that we finally nailed?

I am grateful for your assistance and patience -- thank you so much!


Well here's what we did:

  1. ComboFix cleaned out a lot of malware.
  2. I used OTL and cleaned out some folders from an old infection (from Nov. 11, 2011).
  3. We cleared out all the temp files, reinstalled Chrome and FF.
  4. Reset Internet Explorer.

So let me know how it is tomorrow, MrC


Thank you

This morning I am getting a pop-up box from MBAM blocking access to 173.192.183.196 (one time so far) and to .195 (also one time so far). I think you said that is from McAfee. Should I allow those sites?

I have not seen the 208.73.210.29 since Sunday night at 20:32.

What sort of malware did I have? Was it the kind that logs keystrokes, or something else? Are you able to tell?


This morning I am getting a pop-up box from MBAM blocking access to 173.192.183.196 (one time so far) and to .195 (also one time so far). I think you said that is from McAfee. Should I allow those sites?

I have not seen the 208.73.210.29 since Sunday night at 20:32.

What sort of malware did I have? Was it the kind that logs keystrokes, or something else? Are you able to tell?

No, it wasn't a key-logger.

No, don't allow it until we know what it is.

Do they list any process with them?

What browser are you using when this pops up?

Does the pop-up come up when you're visiting a certain website or when you're just sitting there with an open browser?

Can you manually update McAfee...... for the database and program update?

See if it uses those IP addresses to do so.

---------------------------------------

Download CKScanner & save it to your Desktop

http://downloads.mal...m/CKScanner.exe

Double-click CKScanner.exe, then click Search For Files.

When the cursor hourglass disappears, click Save List To File.

A message box will verify that the file saved.

Double-click the CKFiles.txt icon on your desktop, then copy/paste the contents in your next reply.

MrC


When I turned off McAfee automatic updates and manually updated, I could see the update progress but got no pop-up box from MBAM. I do not know how to see what address McAfee uses when it updates.

The pop up box does not seem to be particular to any given website. Over the past few days, the only websites I have been to are extremely limited -- and only news or very large commerce sites.

I have been running FF. Interestingly (perhaps), I have not seen the 208 address since Sunday night, but I did see the 173...195 address yesterday morning at 6:09 and again this morning, also at 6:09. I saw the 173...196 address at 5:59 this morning, but not at all yesterday.

For all attempts, the service listed was mcsvhost.exe.

According to the MBAM log, in each of the three instances - yesterday morning at 6:09, this morning at 5:59 and this morning at 6:09 - there were 6 blocks each time.

One more comment -- when I look at the Task Manager (show processes from all users), the svchost.exe under the System name (not my individual user) is using (comparatively) a lot of RAM, usually well over 160,000 K. I have no idea if that is meaningful or not, but it was that utilization that really started getting me suspicious.

Here is the log from CKScanner:

CKScanner - Additional Security Risks - These are not necessarily bad

scanner sequence 3.MN.11.TTAPTW

----- EOF -----

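Added example, not code from the thread or from Malwarebytes: a small Python parser for the MBAM protection-log lines quoted earlier in this thread. It groups IP-BLOCK events by address and process and collapses them into bursts, so the once-a-day-at-06:09 pattern from mcsvhost.exe described in the post above can be told apart from the every-5-to-10-minutes pattern in the thread title. The sample lines are constructed, and `placeholder.exe` stands in for a process name the thread never shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the MBAM protection-log format quoted in this thread
# (the process for 208.73.210.29 is a placeholder; the thread never shows it).
SAMPLE_LOG = """\
2012/04/30 05:46:09 -0500 MESSAGE IP Protection started successfully
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51064, Process: mcsvhost.exe)
2012/04/30 06:09:47 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51109, Process: mcsvhost.exe)
2012/05/01 06:09:40 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 52088, Process: mcsvhost.exe)
2012/04/29 20:32:11 -0500 IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49311, Process: placeholder.exe)
2012/04/29 20:39:05 -0500 IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 49340, Process: placeholder.exe)
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} IP-BLOCK (?P<ip>[\d.]+) "
    r"\(Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$")

def parse_blocks(text):
    """Return one dict per IP-BLOCK line; MESSAGE lines are skipped."""
    blocks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
            d["port"] = int(d["port"])
            blocks.append(d)
    return blocks

def summarize(blocks, burst_window=60):
    """Group blocks by (ip, process); blocks within burst_window seconds form one
    burst. Bursts recurring at the same wall-clock minute suggest a scheduled
    task (an updater); bursts every few minutes all day look like beaconing."""
    groups = defaultdict(list)
    for b in blocks:
        groups[(b["ip"], b["proc"].lower())].append(b["ts"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        bursts = [[times[0]]]
        for t in times[1:]:
            if (t - bursts[-1][-1]).total_seconds() <= burst_window:
                bursts[-1].append(t)
            else:
                bursts.append([t])
        summary[key] = {"events": len(times), "bursts": len(bursts),
                        "minutes": sorted({b[0].strftime("%H:%M") for b in bursts})}
    return summary
```

Run it over the text of a real mbam-log or protection-log file in place of SAMPLE_LOG; one burst per day at a fixed minute from a known updater binary is consistent with scheduled update traffic, while many bursts per hour are worth investigating.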

This topic is now closed to further replies.