
being attacked by 208.73.210.29; MBAB blocking outbound access every 5-10 minutes

malicious site

This topic is locked
99 replies to this topic

#61 MrCharlie
    Forum Deity
  • Experts
  • 28,140 posts
  • Gender: Male
  • Location: So. Plainfield, New Jersey, USA

Posted 30 April 2012 - 03:39 PM

That's related to McAfee SecurityCenter.

Here's the IP info on the address: [image not included]

MrC

Malware Removal Expert

I volunteer my free time to help you; if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#62 captarheel
    Regular Member
  • Honorary Members
  • 92 posts

Posted 30 April 2012 - 03:52 PM

Here is the log output from the SystemLook scan:

SystemLook 30.07.11 by jpshortstuff
Log created at 15:50 on 30/04/2012 by
Administrator - Elevation successful

========== filefind ==========

Searching for "208.73.210.29"
No files found.

Searching for "13376694984709702142491016734454"
No files found.

========== regfind ==========

Searching for "208.73.210.29"
No data found.

Searching for "13376694984709702142491016734454"
No data found.

#63 MrCharlie

Posted 30 April 2012 - 04:19 PM

Run SystemLook again but use this code:

:filefind
mcsvhost.exe

Post back the report, MrC


#64 captarheel

Posted 30 April 2012 - 04:55 PM

Here you go:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:55 on 30/04/2012 by
Administrator - Elevation successful

========== filefind ==========

Searching for "mcsvhost.exe"
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe --a---- 249936 bytes [18:49 29/07/2011] [23:28 27/01/2011] ACB01BF1A905356AB7F978C7FE852209

-= EOF =-
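The SystemLook output above gives a path, size, timestamps and an MD5 for the McSvHost.exe it found; a responder would normally go one step further and confirm the file is the signed McAfee binary rather than rely on its location alone. The PowerShell below is an added example, not code posted in the thread or part of SystemLook. It assumes the path and MD5 printed in the log above and needs PowerShell 4 or later for Get-FileHash (Get-AuthenticodeSignature has been available since PowerShell 1).

```powershell
# Added example (not from the thread): re-check the file SystemLook reported.
# Path and expected MD5 are taken from the SystemLook output above.
$path        = 'C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe'
$expectedMd5 = 'ACB01BF1A905356AB7F978C7FE852209'

if (-not (Test-Path -LiteralPath $path)) {
    throw "File not found: $path"
}

$item = Get-Item -LiteralPath $path
$md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash   # PowerShell 4+
$sig  = Get-AuthenticodeSignature -FilePath $path

# A matching hash says the file has not changed since the scan; a valid
# Authenticode signature from the vendor is the actual test of legitimacy.
[pscustomobject]@{
    Path          = $path
    SizeBytes     = $item.Length
    Modified      = $item.LastWriteTime
    Md5           = $md5
    Md5Matches    = ($md5 -eq $expectedMd5)      # -eq is case-insensitive
    SignerSubject = $sig.SignerCertificate.Subject
    SignatureOk   = ($sig.Status -eq 'Valid')
} | Format-List

# Also confirm that the process running under this name was started from this
# file and not from a same-named binary somewhere else on disk.
Get-Process -Name McSvHost -ErrorAction SilentlyContinue |
    Select-Object Id, Name, Path, @{ n = 'SamePath'; e = { $_.Path -eq $path } }
```

If Md5Matches is false but SignatureOk is true, the file has simply been updated since the scan; a file in this path with an invalid or missing signature is what would justify a closer look.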

#65 MrCharlie

Posted 30 April 2012 - 05:17 PM

That's OK and in the right place.

Let's reset Internet Explorer back to defaults:
http://windows.micro...rnet-Explorer-9

Let me know.....MrC


#66 captarheel

Posted 30 April 2012 - 05:28 PM

Done. No errors or exceptions noted.

#67 MrCharlie

Posted 30 April 2012 - 05:33 PM

Well, use it and let me know...MrC


#68 captarheel

Posted 30 April 2012 - 05:57 PM

Thanks.

So do you think we have gotten as far as we are going to get?

I haven't seen any pop-up windows at all since 6:09 this a.m.

Doesn't seem like we ever found something specific. Or did you see something along the way that we finally nailed?

I am grateful for your assistance and patience -- thank you so much!

#69 MrCharlie

Posted 30 April 2012 - 06:04 PM

Not really; every one of these infections is different. I'll look over everything again.

MrC


#70 captarheel

Posted 30 April 2012 - 07:35 PM

Thanks. If you find anything, please let me know!

#71 MrCharlie

Posted 30 April 2012 - 07:57 PM

Well, here's what we did:
  • ComboFix cleaned out a lot of malware.
  • I used OTL and cleaned out some folders from an old infection (from Nov. 11, 2011).
  • We cleared out all the temp files, reinstalled Chrome and FF.
  • Reset Internet Explorer.

So let me know how it is tomorrow, MrC


#72 captarheel

Posted 01 May 2012 - 06:15 AM

Thank you.

This morning I am getting a pop-up box from MBAM blocking access to 173.192.183.196 (one time so far) and to .195 (also one time so far). I think you said that is from McAfee. Should I allow those sites?

I have not seen the 208.73.210.29 since Sunday night at 20:32.

What sort of malware did I have? Was it the kind that logs keystrokes, or something else? Are you able to tell?

#73 MrCharlie

Posted 01 May 2012 - 07:11 AM

> This morning I am getting a pop-up box from MBAM blocking access to 173.192.183.196 (one time so far) and to .195 (also one time so far). I think you said that is from McAfee. Should I allow those sites?
>
> I have not seen the 208.73.210.29 since Sunday night at 20:32.
>
> What sort of malware did I have? Was it the kind that logs keystrokes, or something else? Are you able to tell?

No, it wasn't a key-logger.

No, don't allow it until we know what it is.
Do they list any process with them?

What browser are you using when this pops up?

Does the pop-up come up when you're visiting a certain website, or when you're just sitting there with an open browser?

Can you manually update McAfee......for database and program update?
See if it uses those IP addresses to do so.

---------------------------------------


Download CKScanner & save it to your Desktop
http://downloads.mal...m/CKScanner.exe
Double-click CKScanner.exe, then click Search For Files
When the cursor hourglass disappears, click Save List To File
A message box will verify the file saved
Double-click the CKFiles.txt icon on your desktop, then copy/paste the contents in your next reply

MrC


#74 captarheel

Posted 01 May 2012 - 08:35 AM

When I turned off McAfee automatic updates and manually updated, I could see the update progress but got no pop-up box from MBAM. I do not know how to see what address McAfee uses when it updates.

The pop-up box does not seem to be particular to any given website. Over the past few days, the only websites I have been to are extremely limited -- and only news or very large commerce sites.

I have been running FF. Interestingly (perhaps), I have not seen the 208 address since Sunday night, but I did see the 173...195 address yesterday morning at 6:09 and again this morning, also at 6:09. I saw the 173...196 address at 5:59 this morning, but not at all yesterday.

For all attempts, the service listed was mcsvhost.exe.

According to the MBAM log, in each of the three instances (yesterday morning at 6:09, this morning at 5:59 and this morning at 6:09) there were 6 blocks each time.

One more comment -- when I look at the Task Manager, "show processes from all users", the svchost.exe under the System name (not my individual user) is using (comparatively) a lot of RAM, usually well over 160,000K. I have no idea if that is meaningful or not, but it was that utilization that really started getting me suspicious.

Here is the log from CKScanner:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.TTAPTW
----- EOF -----
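The open question in the exchange above is which local process is actually reaching for the blocked 173.192.183.x addresses, and whether McAfee's updater is the one doing it. The PowerShell below is an added example, not code from the thread or from any of the tools it mentions; it assumes only the three addresses already named in the thread and uses netstat -ano, which is present on Windows 7 (Get-NetTCPConnection only arrived with Windows 8).

```powershell
# Added example (not from the thread): map live connections to the addresses
# MBAM keeps blocking back to the owning process. Addresses come from the thread.
$watch = @('208.73.210.29', '173.192.183.195', '173.192.183.196')

$rows = netstat -ano | ForEach-Object {
    # netstat -ano lines: Proto  Local Address  Foreign Address  [State]  PID
    # UDP lines have no State column, so that group is optional.
    if ($_ -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') {
        $foreignIp = $Matches[3] -replace ':\d+$', ''   # strip the port
        if ($watch -contains $foreignIp) {
            $proc = Get-Process -Id ([int]$Matches[5]) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Proto     = $Matches[1]
                Local     = $Matches[2]
                Remote    = $Matches[3]
                State     = $Matches[4]
                PID       = [int]$Matches[5]
                Process   = $proc.Name
                ImagePath = $proc.Path
            }
        }
    }
}

if ($rows) {
    $rows | Format-Table -AutoSize
} else {
    'No live connections to the watched addresses right now; ' +
    'rerun while the MBAM pop-up is on screen or right after a manual McAfee update.'
}
```

The connections are short-lived (the thread shows six blocks in a burst around 06:00), so the snippet is only useful while one is open: run it from an elevated prompt during a manual McAfee update to settle the updater question directly. If the owner turns out to be an svchost.exe instance, `tasklist /svc /fi "PID eq <pid>"` lists the services hosted in that instance, which also speaks to the memory-usage observation above, since a single svchost hosting many services is normal rather than suspicious on its own.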

#75 MrCharlie

Posted 01 May 2012 - 08:43 AM

OK, let me think about this, MrC


#76 MrCharlie

Posted 01 May 2012 - 09:35 AM

Download and unzip Silent Runners to a folder:

http://www.silentrun...t%20Runners.zip

Right-click on Silent Runners.vbs and choose Run as Administrator; if that's not available, just double-click on it to run.

When asked about the supplementary scan....leave the default setting (we don't want to run it).

Post back the report.

-----------------------------------

Don't do it yet, but I would like to try MVPS HOSTS.

Let's try this.....Install MVPS HOSTS >> both of those sites are listed:

Softlayer Technologies

Oversee.net

http://winhelp2002.m...g/hostswin7.htm <---W7

http://winhelp2002.mvps.org/hosts.htm <--home page

MrC


#77 captarheel

Posted 01 May 2012 - 11:40 AM

I ran Silent Runners and have attached the results.

I did not fully understand the second part of your last post. Is there something more you would like me to install/run relating to MVPS HOSTS?

#78 MrCharlie

Posted 01 May 2012 - 12:02 PM

> I did not fully understand the second part of your last post. Is there something more you would like me to install/run relating to MVPS HOSTS?

No, don't do anything with it; I'm still looking over the log and thinking about what to do next....MrC


#79 captarheel

Posted 01 May 2012 - 12:05 PM

Well . . . I screwed up, then. I re-read your post and thought at the end your instructions were to run the MVPS change. I just did that before I saw your post.

Is there a way to undo that?

#80 MrCharlie

Posted 01 May 2012 - 12:38 PM

That's OK...there's no harm done, and yes, we can restore the original hosts file.

Let me know if you still get the pop-up warnings.

The log from Silent Runners was OK......MrC

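The last exchange turns on the MVPS HOSTS install and on being able to put the original hosts file back. The PowerShell below is an added example, not code from the thread or from the MVPS project: it backs the hosts file up before a blocklist is installed, lists the entries a blocklist has added, and restores the backup. The backup location ($hosts.bak) is an assumption; pick whatever suits.

```powershell
# Added example (not from the thread): back up, inspect and restore the hosts file.
$hosts  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$backup = "$hosts.bak"   # assumed backup location

function Backup-HostsFile {
    # Take the copy before installing MVPS HOSTS or any other replacement.
    Copy-Item -LiteralPath $hosts -Destination $backup -Force
    "Saved copy to $backup"
}

function Restore-HostsFile {
    if (-not (Test-Path -LiteralPath $backup)) { throw "No backup at $backup" }
    Copy-Item -LiteralPath $backup -Destination $hosts -Force
    ipconfig /flushdns | Out-Null   # drop cached answers so the change takes effect
    "Restored hosts file from $backup"
}

function Get-HostsEntry {
    # Lists active (non-comment) entries, optionally filtered by a name fragment.
    # A stock Windows 7 hosts file has every line commented out, so it lists nothing.
    param([string]$Filter = '')
    Get-Content -LiteralPath $hosts |
        ForEach-Object { ($_ -replace '#.*$', '').Trim() } |   # drop comments
        Where-Object { $_ -ne '' } |
        ForEach-Object {
            $parts = -split $_                                  # split on whitespace
            [pscustomobject]@{ Address = $parts[0]; Name = $parts[1] }
        } |
        Where-Object { $_.Name -like "*$Filter*" }
}

# Typical use, from an elevated PowerShell (the hosts file is admin-protected):
#   Backup-HostsFile                    # before installing MVPS HOSTS
#   (Get-HostsEntry | Measure-Object).Count
#   Get-HostsEntry -Filter 'oversee'    # entries the blocklist added for that name
#   Restore-HostsFile                   # put the original back
```

One caveat worth knowing before expecting the blocklist to stop the pop-ups: a hosts file only intercepts lookups by name, so a connection made directly to an IP address (which is how MBAM reports these blocks) is unaffected by it, and the "Softlayer Technologies" and "Oversee.net" entries in the MVPS list cover hostnames served from those networks, not the address ranges themselves.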