
being attacked by 208.73.210.29; MBAB blocking outbound access every 5-10 minutes

malicious site

This topic is locked
99 replies to this topic

#1 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 11:29 AM

MBAM is showing a popup box every 5-10 minutes saying it has blocked outgoing access to a malicious site with address 208.73.210.29.

Sometimes the popup box shows the service, and it most frequently lists svchost.exe

Per the MBAM instructions I have run DDS. The results are attached. Please let me know if it would be helpful for me to copy and paste.



I would be grateful for any help possible.

Attached Files
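The symptom in this post is an outbound connection to 208.73.210.29 owned by svchost.exe. Because svchost.exe hosts many service groups, the PID alone does not tell you which service is reaching out. The script below is an added example, not part of the original thread or of any Malwarebytes tooling: it joins `netstat -ano` (connection to PID) with `tasklist /svc /fo csv` (PID to hosted services) on Windows 7 / PowerShell 2.0 so the connection can be traced to a service group. The netstat and tasklist text embedded in it is constructed sample output with made-up PIDs, ports and service names so that the script runs offline; the commented line at the end shows the live invocation.

```powershell
# Added example, not from the original thread: on Windows 7, attribute an outbound
# connection to a suspect IP to the owning PID and, for svchost.exe, to the services
# that PID hosts. Live data comes from `netstat -ano` and `tasklist /svc /fo csv`;
# the two here-strings below are CONSTRUCTED sample output so the script runs offline.
# PIDs, ports and service names in the samples are made up for illustration.

$SuspectIp = '208.73.210.29'   # the address MBAM reported blocking in the thread

# Constructed sample of `netstat -ano` output (hypothetical hosts and PIDs)
$NetstatSample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49721     208.73.210.29:80       SYN_SENT        1044
  TCP    192.168.1.10:49722     74.125.224.72:443      ESTABLISHED     3120
  UDP    0.0.0.0:5355           *:*                                    1044
'@

# Constructed sample of `tasklist /svc /fo csv` output (hypothetical)
$TasklistSample = @'
"Image Name","PID","Services"
"svchost.exe","1044","Dnscache,Browser"
"firefox.exe","3120","N/A"
'@

function Get-ConnectionsToIp {
    # Parse netstat -ano rows (Proto LocalAddr ForeignAddr [State] PID) and keep
    # only those whose foreign address is the suspect IP, on any port.
    param([string[]]$NetstatLines, [string]$Ip)
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }
        if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { continue }
        if ($f[2] -notlike ($Ip + ':*')) { continue }
        $state = ''
        if ($f[0] -eq 'TCP') { $state = $f[3] }   # UDP rows have no State column
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Foreign = $f[2]; State = $state; OwnerPid = [int]$f[-1]
        }
    }
}

function Get-ProcessServiceMap {
    # Build PID -> (image name, hosted services) from tasklist /svc /fo csv output.
    param([string[]]$TasklistCsvLines)
    $map = @{}
    foreach ($r in ($TasklistCsvLines | ConvertFrom-Csv)) {
        $map[[int]$r.PID] = @{ Image = $r.'Image Name'; Services = $r.Services }
    }
    $map
}

function Find-SuspectProcess {
    # Join the two views: every connection to $Ip, annotated with the owning image
    # and, for svchost.exe, the service group it is hosting.
    param([string[]]$NetstatLines, [string[]]$TasklistCsvLines, [string]$Ip)
    $procs = Get-ProcessServiceMap -TasklistCsvLines $TasklistCsvLines
    foreach ($c in (Get-ConnectionsToIp -NetstatLines $NetstatLines -Ip $Ip)) {
        $image = '?'; $services = '?'
        if ($procs.ContainsKey($c.OwnerPid)) {
            $image    = $procs[$c.OwnerPid].Image
            $services = $procs[$c.OwnerPid].Services
        }
        New-Object PSObject -Property @{
            Proto = $c.Proto; Foreign = $c.Foreign; State = $c.State
            OwnerPid = $c.OwnerPid; Image = $image; Services = $services
        }
    }
}

# Offline run against the constructed samples:
Find-SuspectProcess -NetstatLines ($NetstatSample -split "`r?`n") `
                    -TasklistCsvLines ($TasklistSample -split "`r?`n") `
                    -Ip $SuspectIp | Format-Table Proto, Foreign, State, OwnerPid, Image, Services -AutoSize

# Live run on the affected machine, from an elevated PowerShell prompt:
# Find-SuspectProcess -NetstatLines (netstat -ano) -TasklistCsvLines (tasklist /svc /fo csv) -Ip $SuspectIp |
#     Format-Table Proto, Foreign, State, OwnerPid, Image, Services -AutoSize
```

Two caveats when using this live. The attempts in the thread occur every 5 to 10 minutes and MBAM drops them, so a single snapshot may show nothing or only a SYN_SENT row; run the live command in a loop (or right after a popup) to catch it. And knowing the service group is only the first step: a malicious DLL loaded into a legitimate group (for example via a hijacked service DLL path) will still show under the legitimate service name, so the PID's loaded modules and the registered ServiceDll values for that group are what to inspect next.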



#2 MrCharlie
Forum Deity (Experts, 28,127 posts, Male, So. Plainfield, New Jersey, USA)

Posted 28 April 2012 - 11:58 AM

Welcome to the forum, this infection has proven to sometimes be very difficult to fix.

Please go to your control panel > Java > Update Tab > Update Now.

Java™ 6 Update 29 <---should be 32

---------------------------------------

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)
Post back the report.

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#3 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 02:23 PM

thank you so much for the help. Sorry for the delay. I have been trying to find the "Update Tab" and cannot locate it.

#4 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 02:27 PM

I hope it wasn't a mistake to go ahead and run the RogueKiller scan, but i did. Here are the results:

RogueKiller V7.3.3 [04/22/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Craig Parker [Admin rights]
Mode: Scan -- Date: 04/28/2012 14:25:51

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

#5 MrCharlie
Forum Deity (Experts, 28,127 posts, Male, So. Plainfield, New Jersey, USA)

Posted 28 April 2012 - 02:31 PM

We'll deal with Java later.......

Please make sure system restore is running and create a new restore point before continuing.

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download TDSSKiller to your desktop and run it as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.



-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:


If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

#6 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 02:31 PM

Sorry for the flood of information. I learned how to get the update tab in the Java Control Panel. You were correct -- I am on version 29. Would you like me to update?

#7 MrCharlie
Forum Deity (Experts, 28,127 posts, Male, So. Plainfield, New Jersey, USA)

Posted 28 April 2012 - 02:38 PM

Yes, the latest version is 32.

MrC

#8 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 02:46 PM

I ran the TDSS Killer. I got three of the unsigned or locked file warnings, but nothing more serious.

Here is the report:

#9 MrCharlie
Forum Deity (Experts, 28,127 posts, Male, So. Plainfield, New Jersey, USA)

Posted 28 April 2012 - 02:53 PM

OK, that scan was clean.....

Please download and run ComboFix.
The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
If you get the message Illegal operation attempted on registry key that has been marked for deletion. after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.
MrC

#10 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 02:54 PM

I also updated Java to Update 32.

#11 MrCharlie
Forum Deity (Experts, 28,127 posts, Male, So. Plainfield, New Jersey, USA)

Posted 28 April 2012 - 03:01 PM

OK, did you see my post above yours to run ComboFix?? MrC


#12 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 03:21 PM

I ran ComboFix from the desktop and I did indeed get the Illegal operation attempted on registry key that has been marked for deletion.

I rebooted and here is the ComboFix log

#13 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 03:22 PM

Sorry for the slowness -- I am incredibly grateful for your help. Combo Fix took a long time.

#14 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 03:24 PM

By the way, I am still getting the MBAM pop up boxes about blocking access to the same malicious site.

#15 MrCharlie
Forum Deity (Experts, 28,127 posts, Male, So. Plainfield, New Jersey, USA)

Posted 28 April 2012 - 03:28 PM



captarheel wrote:
    By the way, I am still getting the MBAM pop up boxes about blocking access to the same malicious site.

Do you remember what I said at the start....

    this infection has proven to sometimes be very difficult to fix.

MrC

#16 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 03:32 PM

oh -- not complaining at all -- just thought you might want that information!

#17 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 03:51 PM

Mr. C:

I need to step away for a few hours. I sincerely apologize, but I have a commitment that I cannot miss.

I did not want you to be waiting on a response from me. When I get back, I will log back on and check for further instructions.

Again, I thank you very, very much for your assistance.

#18 MrCharlie
Forum Deity (Experts, 28,127 posts, Male, So. Plainfield, New Jersey, USA)

Posted 28 April 2012 - 03:52 PM

OK, MrC


#19 captarheel
Regular Member (Honorary Members, 92 posts)

Posted 28 April 2012 - 06:10 PM

Thank you. Just let me know what I should do next.

#20 MrCharlie
Forum Deity (Experts, 28,127 posts, Male, So. Plainfield, New Jersey, USA)

Posted 28 April 2012 - 09:40 PM

What browser does this happen in??

-----------------------------------

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.
Double click on the icon on your desktop.
Click the Scan All Users checkbox.
Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

MrC



