208.73.210.29 blocked by M. Anti-Malware, cannot open some sites in any browser

This topic is locked
79 replies to this topic

#21 Maniac (Forum Deity, Experts, 21,392 posts, Male, Bulgaria, EU)
Posted 17 April 2012 - 11:14 AM

Use "Toggle editing mode" (button above the text box) before you start writing.

I will send you more information about AV when we complete here.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#22 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 17 April 2012 - 11:33 AM

I hope this will help:
I just got a warning from NOD32:
Threat found
Alert
Object:
D:\System Volume Information\_restore... (it is probably the last System Restore Point XP made).
Threat:
probably a variant of Win32/Agent.LWMQUCE trojan
Comment:
Event occurred on a file modified by the application C:\Windows\system32\svchost.exe.

So, maybe it could be that one?

#23 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 17 April 2012 - 11:34 AM

OK, I'll go and download that tool.
Thanks.

#24 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 17 April 2012 - 11:37 AM

After that warning I got another one.
This one is about the Win32/Agent.DLCXJGL trojan, again at svchost.exe.

#25 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 17 April 2012 - 11:41 AM

FSS

Farbar Service Scanner Version: 16-04-2012
Ran by User (administrator) on 17-04-2012 at 18:39:56
Running from "C:\Documents and Settings\User\Desktop"
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2007-01-15 04:31] - [2007-01-15 04:31] - 0112128 ____N (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE

C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-04 14:00] - [2008-08-14 11:48] - 0138368 ____N (Microsoft Corporation) 6A0397376853E604DE8E1E7A87FC08AC

C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-04 14:00] - [2004-08-04 14:00] - 0162816 ____N (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2007-01-15 07:32] - [2008-06-20 12:44] - 0360960 ____N (Microsoft Corporation) 744E57C99232201AE98C49168B918F48

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 14:00] - [2004-08-04 14:00] - 0074752 ____N (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 14:00] - [2008-02-20 20:49] - 0045568 ____N (Microsoft Corporation) 6333C7E182E5B6247500188D28214DEF

C:\WINDOWS\system32\ipnathlp.dll
[2004-08-04 14:00] - [2004-08-04 14:00] - 0331264 ____N (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

C:\WINDOWS\system32\netman.dll
[2007-01-15 04:32] - [2007-01-15 04:32] - 0197632 ____N (Microsoft Corporation) 3516D8A18B36784B1005B950B84232E1

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2007-10-04 05:10] - [2004-08-04 14:00] - 0144896 ____N (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\srsvc.dll
[2007-10-04 05:12] - [2004-08-04 14:00] - 0170496 ____N (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

C:\WINDOWS\system32\Drivers\sr.sys
[2007-10-04 05:12] - [2004-08-04 14:00] - 0073472 ____N (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

C:\WINDOWS\system32\wscsvc.dll
[2007-01-15 04:33] - [2007-01-15 04:33] - 0080896 ____N (Microsoft Corporation) 478995B4555958E52388496618D9C678

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2007-10-04 05:10] - [2004-08-04 14:00] - 0144896 ____N (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\wuauserv.dll
[2007-10-04 05:12] - [2007-01-15 04:33] - 0018392 ____N (Microsoft Corporation) B72508649DAD03BCB5D708EDB1E3E57E

C:\WINDOWS\system32\qmgr.dll
[2007-10-04 05:12] - [2004-08-04 14:00] - 0382464 ____N (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA

C:\WINDOWS\system32\es.dll
[2007-01-15 04:31] - [2008-07-07 22:06] - 0253952 ____N (Microsoft Corporation) A4AB3DCA4A383F0DF4988ABDEB84F9A4

C:\WINDOWS\system32\cryptsvc.dll
[2007-01-15 04:31] - [2007-01-15 04:31] - 0062464 ____N (Microsoft Corporation) 87F3E2D2A3231F820F9248DB90090F42

C:\WINDOWS\system32\svchost.exe
[2004-08-04 14:00] - [2004-08-04 14:00] - 0014336 ____N (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2007-01-15 04:32] - [2009-02-09 12:01] - 0401408 ____N (Microsoft Corporation) 24B5D53B9ACCC1E2EDCF0A878D6659D4

C:\WINDOWS\system32\services.exe
[2004-08-04 14:00] - [2009-02-06 12:22] - 0110592 ____N (Microsoft Corporation) 4712531AB7A01B7EE059853CA17D39BD


Extra List:
=======
AegisP(12) Epfwndis(14) epfwtdi(15) Gpc(6) IPSec(4) irda(8) NetBT(5) PSched(7) Tcpip(3) VPCNetS2(13)
0x0F000000040000000100000002000000030000000F00000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E000000
IpSec Tag value is correct.

**** End of log ****
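The FSS log above has a regular shape: each "... Disabled Policy" section lists a registry key on one line and its value on the next, and the "File Check" section gives, for every network- and security-related system file it checks, a path line followed by one line with creation date, modification date, size, attributes, publisher and MD5. The Python below is an added example, not part of the original thread and not Farbar's own code: it parses that layout and reports the findings a helper would look at first, namely policies that disable a protection (here the DomainProfile EnableFirewall=0 the log reports), files whose MD5 does not match a known-good baseline, files the baseline does not know, and files listed twice with different hashes. The embedded SAMPLE_LOG is a trimmed copy of the log posted above; BASELINE_MD5 is a hypothetical allowlist constructed for the demo, and its tcpip.sys entry is deliberately wrong so that the mismatch path runs (it says nothing about the poster's real file).

```python
import re
from dataclasses import dataclass

# Line shapes FSS uses in "File Check" and "... Disabled Policy" sections.
FILE_RE = re.compile(
    r"^\[(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"\[(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<type>\w+):(?P<value>\S+)$')
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+):$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str


@dataclass
class PolicyEntry:
    section: str
    key: str
    name: str
    value: str


def parse_fss(text):
    """Return (files, policies) from an FSS.txt body."""
    files, policies = [], []
    section = key = pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "*"}:      # blank, ===== or ***** rulers
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key, pending_path = m.group("name").strip(), None, None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            policies.append(PolicyEntry(section, key, m.group("name"), m.group("value")))
            continue
        m = FILE_RE.match(line)
        if m and pending_path:
            files.append(FileEntry(pending_path, m.group("created"), m.group("modified"),
                                   int(m.group("size")), m.group("attrs"),
                                   m.group("company"), m.group("md5").upper()))
            pending_path = None
            continue
        if section == "File Check" and PATH_RE.match(line):
            pending_path = line                       # hash line follows
    return files, policies


def audit(files, policies, baseline):
    """Findings as strings; the prefix (POLICY/MISMATCH/UNKNOWN/CONFLICT/PUBLISHER) is the type."""
    findings = []
    for p in policies:
        # FSS only prints a key under a "Disabled Policy" heading when it is set.
        if "Disabled Policy" in p.section:
            findings.append(f"POLICY {p.section}: {p.key}\\{p.name}={p.value}")
    seen = {}
    for f in files:
        k = f.path.lower()
        if k in seen:                                 # FSS lists some files twice
            if seen[k] != f.md5:
                findings.append(f"CONFLICT {f.path}: listed twice with different hashes")
            continue
        seen[k] = f.md5
        expected = baseline.get(k)
        if expected is None:
            findings.append(f"UNKNOWN {f.path}: no baseline hash ({f.md5})")
        elif expected.upper() != f.md5:
            findings.append(f"MISMATCH {f.path}: {f.md5} != baseline {expected.upper()}")
        if f.company != "Microsoft Corporation":
            findings.append(f"PUBLISHER {f.path}: {f.company!r}")
    return findings


# Constructed sample: a trimmed copy of the FSS log posted in this thread.
SAMPLE_LOG = r"""
Farbar Service Scanner Version: 16-04-2012
Ran by User (administrator) on 17-04-2012 at 18:39:56
Microsoft Windows XP Professional Service Pack 2 (X86)
****************************************************************

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0

System Restore Disabled Policy:
========================

File Check:
========
C:\WINDOWS\system32\Drivers\tcpip.sys
[2007-01-15 07:32] - [2008-06-20 12:44] - 0360960 ____N (Microsoft Corporation) 744E57C99232201AE98C49168B918F48

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2007-10-04 05:10] - [2004-08-04 14:00] - 0144896 ____N (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

C:\WINDOWS\system32\svchost.exe
[2004-08-04 14:00] - [2004-08-04 14:00] - 0014336 ____N (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\wbem\WMIsvc.dll
[2007-10-04 05:10] - [2004-08-04 14:00] - 0144896 ____N (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

**** End of log ****
"""

# Hypothetical allowlist built for this demo; the tcpip.sys hash is deliberately wrong.
BASELINE_MD5 = {
    r"c:\windows\system32\svchost.exe": "8F078AE4ED187AAABC0A305146DE6716",
    r"c:\windows\system32\drivers\tcpip.sys": "00000000000000000000000000000000",
}

if __name__ == "__main__":
    fs, ps = parse_fss(SAMPLE_LOG)
    for line in audit(fs, ps, BASELINE_MD5):
        print(line)
```

Two caveats when reading the policy finding: the key in the log sits under DomainProfile, which Windows XP's firewall applies only when the machine is joined to and connected to a domain, so a home PC on the StandardProfile is not necessarily unprotected by that value alone; and an MD5 match against a baseline only tells you the on-disk file is the expected one, not that the running process is clean, which is why the thread moves on to a full scanner rather than stopping at this log.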


#26 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 17 April 2012 - 11:42 AM

Sorry, again.

#27 Maniac (Forum Deity, Experts, 21,392 posts, Male, Bulgaria, EU)
Posted 17 April 2012 - 03:31 PM

It seems NOD32 "knows" about the problem. Please follow the instructions here:
http://kb.eset.com/e...d=1334694578811

Finally, post the log file.

#28 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 18 April 2012 - 05:37 AM

Hi :)
ESET finished the scan and cleaning, and there are 3 threats which couldn't be cleaned automatically:
D:\NEW DOWNLOADS 5\Portable Flash4D v5.1 Pro Edition.rar - probably a variant of Win32/Agent.LWMQUCE trojan - No action
D:\System Volume Information\_restore{42BC42E3-B2DE-461B-93D2-D12BCB23D028}\RP1911\A0401895.exe - a variant of Win32/Induc.A virus - No action
D:\System Volume Information\_restore{42BC42E3-B2DE-461B-93D2-D12BCB23D028}\RP1911\A0401896.exe - a variant of Win32/Induc.A virus - No action
Should I try to delete those in "Action"?

#29 Maniac (Forum Deity, Experts, 21,392 posts, Male, Bulgaria, EU)
Posted 18 April 2012 - 08:10 AM

Yes, please use the Delete option for them.

#30 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 19 April 2012 - 06:36 AM

Hi :)
Sorry for the pause, I have a problem with the internet (ISP, not related to viruses).
I will try to post the log now (I am using a neighbour's PC connected to slow dial-up)...
Sorry for the delay, again...

#31 Maniac (Forum Deity, Experts, 21,392 posts, Male, Bulgaria, EU)
Posted 19 April 2012 - 06:46 AM

It is okay. Thanks for letting me know!

#32 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 19 April 2012 - 07:02 AM

It seems the log is too big for dial-up...
At least I have some news: from the moment NOD32 cleaned that Win32/Agent.LWMQUCE trojan I haven't got any more of those warnings from Anti-Malware about blocking the connection to that IP.
I think it's great news :)
I will check connectivity to those sites after I get my internet connection back and I will come here to let you know, and to proceed with cleaning and tweaking, if needed.
Thank you so much, again :)
DejanS

#33 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 19 April 2012 - 07:02 AM

P.S. The end of the log is here (if it helps):

D:\NEW DOWNLOADS 5\Portable Flash4D v5.1 Pro Edition.rar » RAR » Portable Flash4D v5.1 Pro Edition\Flash4D v5 - Flash Intro Builder.exe » THINAPP » Patch.exe - probably a variant of Win32/Agent.LWMQUCE trojan - was a part of the deleted object
D:\System Volume Information\_restore{42BC42E3-B2DE-461B-93D2-D12BCB23D028}\RP1911\A0401895.exe - error opening [4]
D:\System Volume Information\_restore{42BC42E3-B2DE-461B-93D2-D12BCB23D028}\RP1911\A0401896.exe - error opening [4]
Number of scanned objects: 2202748
Number of threats found: 5
Number of cleaned objects: 1
Time of completion: 3:14:01 PM Total scanning time: 57189 sec (15:53:09)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.

#34 Maniac (Forum Deity, Experts, 21,392 posts, Male, Bulgaria, EU)
Posted 19 April 2012 - 10:10 AM

Good! :)

Monitor your system and come back tomorrow to tell me how the situation is now.

#35 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 20 April 2012 - 10:02 PM

Hi
Here is the report...
I was so happy to inform you that we got rid of that IP location warning/malware... It didn't appear at all (I didn't have access to the internet) and when I got internet today it was all OK. I could get to all those sites, no warnings from Anti-Malware... A bad surprise came 2 hours ago. First I couldn't open the Facebook home page, then isohunt... Then I couldn't post here from that PC... I restarted the PC and I saw that warning (Anti-Malware's) again... About that IP...
I don't understand. It started to work fine after cleaning with NOD32. It worked flawlessly until now; pages on the internet opened so fast...
I will try to post ESET's log here.
So, here we go again...

#36 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 20 April 2012 - 10:21 PM

I tried a few times to paste ESET's log here... I even separated it into 6 smaller parts and then tried... it's still too big (4.5 MB txt file in total).
Can I attach it here as a rar or zip file? It's just 170 KB that way... Or any other idea?
Do you think it would be wise to scan the PC again with NOD32, just in safe mode?

#37 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 21 April 2012 - 01:32 AM

I don't know, but maybe this will mean something:
on the infected PC I cannot measure upload speed at the Speedtest.net site anymore.
It was possible to do before the infection, I did it many times.
Surfing goes more or less OK.
The other PC on the same cable can measure upload speed and there are no problems like on the infected machine.
On the infected PC, download speed and pings are OK.
The strange thing is that I cannot post replies to this forum from the infected PC. I do it from the other PC.
Is it possible that the 'virus' blocks outgoing traffic for some sites?

#38 Maniac (Forum Deity, Experts, 21,392 posts, Male, Bulgaria, EU)
Posted 21 April 2012 - 05:22 AM

Please run NOD32, make sure it is up to date and perform a smart scan. Next, go to the log file and right-click on it; there will be a filter or something similar which will show the information you want. Select to show information only for malware and then post it here.

#39 DejanS (Regular Member, Honorary Members, 54 posts)
Posted 22 April 2012 - 05:23 AM

Sorry for the pause, please...
NOD32 just finished the scan. No infected files or threats.
It seems in the previous scan NOD32 cleaned what that AV can clean now.
Of course, I updated it before the scan.
Situation now: I cannot send emails, my upload is not measurable, I cannot go to some sites (isohunt, Facebook, etc.).
It seems it is not related to the ISP: the other PC attached to the same router/access point works fine.
After the first cleaning, the infected PC worked just fine.
Any ideas?

#40 Maniac (Forum Deity, Experts, 21,392 posts, Male, Bulgaria, EU)
Posted 22 April 2012 - 08:46 AM

Delete your ComboFix copy and then again:

Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
