being attacked by 208.73.210.29; MBAB blocking outbound access every 5-10 minutes

malicious site


#41 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 29 April 2012 - 03:50 PM

When you uninstalled Chrome and FF, did you still get the warnings??

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#42 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 29 April 2012 - 08:33 PM

Yes -- they are still popping up

#43 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 29 April 2012 - 10:00 PM

Actually, I noticed that the last pop-up was for a different IP address. Unfortunately, I didn't get it before it disappeared. It started with 173.something.

And, I haven't seen another popup in nearly an hour.

#44 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 29 April 2012 - 10:02 PM

I found the blocked site IP address in MBAM's log:

173.192.183.196

#45 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 30 April 2012 - 07:48 AM

Posted Image

Here's where that's from.

Delete your copy of ComboFix, download and run a fresh copy.......post the log.

MrC


#46 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 30 April 2012 - 08:33 AM

Will do right now. Do I need to turn off all the anti-virus stuff again?

#47 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 30 April 2012 - 08:54 AM

Turned off all anti-virus and firewall. Re-ran CF. It rebooted, and then I had to reboot again as I was getting the "illegal ... marked for deletion" error.

Here is the new CF log:

#48 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 30 April 2012 - 09:01 AM

OK that looks OK.

I'm running out of ideas.....let me do some more research...I'll get back to you ASAP. MrC


#49 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 30 April 2012 - 09:04 AM

Thanks. I will check throughout the day.

I really do appreciate your time and assistance.

#50 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 30 April 2012 - 09:39 AM

While I'm looking...please do this:

Download and run McAfee Labs Stinger:

http://www.mcafee.co...se-stinger.aspx

-------------------------------

Then.....

Please Update and run a Full Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

MrC


#51 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 30 April 2012 - 11:46 AM

Under way right now. Will post the log when it finishes.

#52 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 30 April 2012 - 11:52 AM

OK, take your time...let me know, MrC


#53 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 30 April 2012 - 01:03 PM

Nothing detected. Here is the report:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.30.06

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421


Protection: Enabled

4/30/2012 11:45:25 AM
mbam-log-2012-04-30 (11-45-25).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 300865
Time elapsed: 43 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#54 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 30 April 2012 - 01:04 PM

I have not seen the pop-up box since about 6:09 this morning.

#55 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 30 April 2012 - 01:40 PM

Did the Stinger find anything?? MrC


#56 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 30 April 2012 - 03:00 PM

Stinger did not give me a report, at least not one that popped up. Is there somewhere I should look on the system?

#57 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 30 April 2012 - 03:06 PM

Re-ran Stinger. Here is the report:

#58 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 30 April 2012 - 03:11 PM

Neither program found anything; you're still getting the pop-ups, right?

MrC


#59 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,196 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 30 April 2012 - 03:16 PM

This is a long shot, but let's do it....

Please download SystemLook from the link below and save it to your Desktop.
http://jpshortstuff....temLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    208.73.210.29
    13376694984709702142491016734454
    :regfind
    208.73.210.29
    13376694984709702142491016734454
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


#60 captarheel

captarheel

    Regular Member

  • Honorary Members
  • PipPip
  • 92 posts

Posted 30 April 2012 - 03:17 PM

As I wrote a little earlier today, I haven't seen the popups for several hours. The last indication in the MBAM log of a blocked IP address is from 6:09 AM:

2012/04/30 05:46:05 -0500 MESSAGE IP Protection stopped
2012/04/30 05:46:07 -0500 MESSAGE Database refreshed successfully
2012/04/30 05:46:07 -0500 MESSAGE Starting IP protection
2012/04/30 05:46:09 -0500 MESSAGE IP Protection started successfully
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51064, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51071, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51087, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51094, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51098, Process: mcsvhost.exe)
2012/04/30 06:09:47 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51109, Process: mcsvhost.exe)
2012/04/30 08:26:02 -0500 MESSAGE Starting protection
2012/04/30 08:26:05 -0500 MESSAGE Protection started successfully
2012/04/30 08:26:09 -0500 MESSAGE Starting IP protection
2012/04/30 08:26:10 -0500 MESSAGE IP Protection started successfully
2012/04/30 08:36:40 -0500 MESSAGE Stopping IP protection
2012/04/30 08:38:37 -0500 MESSAGE IP Protection stopped
2012/04/30 08:53:25 -0500 MESSAGE Starting protection
2012/04/30 08:53:28 -0500 MESSAGE Protection started successfully
2012/04/30 11:44:53 -0500 MESSAGE Starting database refresh
2012/04/30 11:44:55 -0500 MESSAGE Database refreshed successfully
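The MBAM protection log above has a regular line format, and a quick way to triage it is to group the IP-BLOCK entries by process and destination and look at how tightly the attempts cluster (six blocks to one address from mcsvhost.exe within nine seconds, each on a new ephemeral port, is a process retrying a connection rather than a user browsing). The parser below is an added example, not code from the thread or from Malwarebytes; the sample lines are constructed from the format posted above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the MBAM protection-log format quoted in the thread.
SAMPLE_LOG = """\
2012/04/30 05:46:09 -0500 MESSAGE IP Protection started successfully
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51064, Process: mcsvhost.exe)
2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51071, Process: mcsvhost.exe)
2012/04/30 06:09:47 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51109, Process: mcsvhost.exe)
2012/04/30 08:26:02 -0500 MESSAGE Starting protection
"""

# One IP-BLOCK line: timestamp, UTC offset, verdict, address, then the parenthesised details.
IP_BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) IP-BLOCK "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)

@dataclass
class BlockEvent:
    ts: str
    ip: str
    direction: str
    port: int
    process: str

def parse_ip_blocks(text):
    """Return the IP-BLOCK events in an MBAM protection log; MESSAGE lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IP_BLOCK_RE.match(line.strip())
        if m:
            events.append(BlockEvent(m["ts"], m["ip"], m["direction"], int(m["port"]), m["process"]))
    return events

def summarize(events):
    """Group by (process, destination): block count, distinct source ports, first/last seen.
    Timestamps share one fixed format, so string min/max orders them correctly."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for ev in events:
        g = groups[(ev.process, ev.ip)]
        g["count"] += 1
        g["ports"].add(ev.port)
        g["first"] = ev.ts if g["first"] is None else min(g["first"], ev.ts)
        g["last"] = ev.ts if g["last"] is None else max(g["last"], ev.ts)
    return dict(groups)

if __name__ == "__main__":
    for (proc, ip), g in summarize(parse_ip_blocks(SAMPLE_LOG)).items():
        print(f"{proc} -> {ip}: {g['count']} blocks, {len(g['ports'])} ports, {g['first']} .. {g['last']}")
```

Point the script at the real mbam-log file to see which process owns the blocked connections; that process name, not the destination IP (which changed between 208.73.210.29 and 173.192.183.19x during this thread), is what identifies the software responsible.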
