jimsturtz

208.87.149.250 being blocked

35 posts in this topic

Hello and :welcome:

Let's first do a rootkit scan as well.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Sorry to be so long replying, but I thought I would get an email on your post. Anyway, I tried downloading via the .scr & .pif; the .scr takes me to an 'about blank' page in Chrome, the .pif takes me to a Spanish-language website, and when I try the download I get an 'about blank' page. Have another link? Thanks. Jim


In your browser right click the DDS.scr link and select "save link/target as". Save the file to your desktop and launch it by double clicking. Let me know if it works this way.

You can select Notification options by clicking the drop-down menu next to your username (top right corner of the forum page) and selecting My Settings. In the right panel, select Notification Options and select the options of your choice.


Let's also do a rootkit scan here.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


TDSSKiller.2.7.13.0_20.02.2012_09.39.35_log.txt

File attached. I didn't delete it (cure) as I wasn't sure what it is yet; figured I'd let you look at the info. When I browse the file I see that it appears to be a VeriSign/Thawte certificate (VeriSign, Inc.1402U+VeriSign Time Stamping Services Signer - G20Ÿ0). Should I kill it? Thanks. Jim


No need to delete that. :)

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Can you please have a look at the Scheduled Tasks part of the log and let me know if these are tasks you added yourself (or another user of the computer)?


Jobs I created

2012-02-20 c:\windows\Tasks\TonyLocalBackup.job

2012-02-20 c:\windows\Tasks\nfromDaily.job

2012-02-20 c:\windows\Tasks\logstojimz.job

2012-02-20 c:\windows\Tasks\jennifer.job

2012-02-20 c:\windows\Tasks\errsiowa.job

2012-02-20 c:\windows\Tasks\defrgz.job

2012-02-20 c:\windows\Tasks\closem.job

2012-02-20 c:\windows\Tasks\caresourceemail.job

2012-02-20 c:\windows\Tasks\blogstojimz.job

2012-02-20 c:\windows\Tasks\BKH2Z.job

2012-02-20 c:\windows\Tasks\_Who.Booked.job

2012-02-20 c:\windows\Tasks\__daverep.job

2012-02-19 c:\windows\Tasks\tfromallSunday.job

2012-02-19 c:\windows\Tasks\nfromallSunday.job

2011-12-23 c:\windows\Tasks\defrge.job

2011-12-23 c:\windows\Tasks\defrgd.job

2011-12-04 c:\windows\Tasks\defrgu.job

2011-12-04 c:\windows\Tasks\defrgn.job

2011-09-25 c:\windows\Tasks\_movwelletc.job

2011-07-25 c:\windows\Tasks\defrgc.job

2011-04-29 c:\windows\Tasks\COPYIT.job

Jobs created by that software, OK w/ me if OK w/ you

2012-02-20 c:\windows\Tasks\MP Scheduled Scan.job

2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

2011-11-12 c:\windows\Tasks\prismShakeIcon.job

Thanks. Jim


Thank you for the clarification! :)

How are things running at this point?


Well, the original issue is still there. I have an .htm page with a lot of my frequent links on it. Recently, whenever I open it I get a message saying Malwarebytes is blocking access to 208.87.149.250 (type: outgoing). I've scanned through the page of links and can't find that IP anywhere, so I'm at a loss on what it is doing. Within the last couple of days I've noticed that when I open a link on my desktop, IE puts up a note about 'connecting' but then nothing ever happens. If I right-click the link, grab the properties and paste that into the address bar, then I get the page. It actually happened with the link for this thread. Not sure if it's ALL IE calls or just some, but it can be consistent, like the link for this. Thanks. Jim


Is that the only IP that gets blocked or are there others too?


Have you anything on the .htm page containing firstlook.com?



Hi Elise,

Nope. I used FrontPage to do a 'find' for '208.' or 'firstlook'.

That's the reason I started checking the web, trying to find out how something is 'looking out at that site' (so that MB blocks it), and I can't find what is causing it.

I can zip and send the file if you like.

Jim

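Added example, not from the thread: a text search of the .htm for the address finds nothing because the page only references hostnames, and it is DNS that maps one of them to the blocked IP. This script pulls every hostname out of a links page and reports those that resolve to the blocked address. The sample page and the offline resolver mapping are constructed placeholders; resolve_live is the real lookup.

```python
import re
import socket
from typing import Callable, Dict, List

# Constructed sample of a "frequent links" page; every hostname here is a placeholder.
SAMPLE_HTM = """<html><body>
<a href="http://news.example.com/">news</a>
<a href="https://mail.example.net/inbox">mail</a>
<img src="http://cdn.example.org/logo.gif">
<iframe src="http://tracker.example-ads.com/pixel"></iframe>
<a href="http://news.example.com/weather">weather</a>
</body></html>"""

# Host part of any http/https URL sitting in an href= or src= attribute.
HOST_RE = re.compile(r"(?:href|src)\s*=\s*[\"']?https?://([^/\"'\s:?#]+)", re.I)

def extract_hosts(html: str) -> List[str]:
    """Distinct hostnames referenced by the page, in order of first appearance."""
    hosts: List[str] = []
    for host in HOST_RE.findall(html):
        host = host.lower()
        if host not in hosts:
            hosts.append(host)
    return hosts

def resolve_live(host: str) -> List[str]:
    """Real DNS lookup: all A records for host, or [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []

def hosts_resolving_to(html: str, blocked_ip: str,
                       resolver: Callable[[str], List[str]] = resolve_live) -> Dict[str, List[str]]:
    """Each hostname on the page that resolves to blocked_ip, with all of its addresses.
    The IP itself never has to appear in the HTML, which is why a text search misses it."""
    hits: Dict[str, List[str]] = {}
    for host in extract_hosts(html):
        addrs = resolver(host)
        if blocked_ip in addrs:
            hits[host] = addrs
    return hits

if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; pass resolve_live for a real check.
    FAKE_DNS = {"tracker.example-ads.com": ["208.87.149.250"], "news.example.com": ["192.0.2.10"]}
    print("literal IP in page:", "208.87.149.250" in SAMPLE_HTM)
    print(hosts_resolving_to(SAMPLE_HTM, "208.87.149.250", lambda h: FAKE_DNS.get(h, [])))
```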

Could you post me the part of MBAM's protection log showing the block (it can be found in MBAM > Logs tab)?


2012/02/24 08:33:19 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 08:33:20 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 08:33:23 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 08:33:23 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 08:33:29 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 08:33:29 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:51:41 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:51:41 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:51:44 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:51:44 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:51:50 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:51:50 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:52:00 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:52:03 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:52:10 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:54:19 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:54:19 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:54:22 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:54:22 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:54:28 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:54:28 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:54:40 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:54:43 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:54:49 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 11:24:14 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 11:24:14 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 11:24:17 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 11:24:17 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 11:24:23 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 11:24:23 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 14:02:02 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 14:02:02 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 14:02:05 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 14:02:05 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 14:02:11 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 14:02:11 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)

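Added example, not from the thread or from Malwarebytes: a small parser for lines in the format of the protection log quoted above. It groups the blocks per IP into bursts (consecutive blocks less than a minute apart, the signature of one page load referencing the host) and counts how many were outgoing, which answers both "is that the only IP?" and "does the machine initiate these?". The sample lines are constructed, reusing the computer and user names from the log above as placeholders.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample in the MBAM protection-log format; names are placeholders.
SAMPLE_LOG = """\
2012/02/24 08:33:19 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 08:33:20 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 08:33:23 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 08:33:29 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:51:41 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:51:44 -0500 JIMHOME rjs IP-BLOCK 208.87.149.250 (Type: outgoing)
2012/02/24 09:51:50 -0500 JIMHOME rjs IP-BLOCK 198.51.100.7 (Type: incoming)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) \S+ \S+ "
    r"IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>\w+)\)$")

def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """One (timestamp, ip, direction) per IP-BLOCK line; non-matching lines are skipped."""
    events: List[Tuple[datetime, str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S %z"), m["ip"], m["dir"]))
    return events

def bursts(events: List[Tuple[datetime, str, str]], gap: timedelta = timedelta(seconds=60)) -> Dict[str, List[dict]]:
    """Per IP, runs of blocks where each block follows the previous one within gap.
    A page load that references the blocked host shows up as one such burst."""
    runs: Dict[str, List[dict]] = {}
    for ts, ip, _ in sorted(events):
        per_ip = runs.setdefault(ip, [])
        if per_ip and ts - per_ip[-1]["last"] <= gap:
            per_ip[-1]["last"], per_ip[-1]["count"] = ts, per_ip[-1]["count"] + 1
        else:
            per_ip.append({"start": ts, "last": ts, "count": 1})
    return runs

def summarize(text: str, gap: timedelta = timedelta(seconds=60)) -> Dict[str, Dict[str, int]]:
    """Per IP: total blocks, number of bursts, and how many were outgoing (connections
    the machine itself initiated, which is what the thread is trying to trace)."""
    events = parse_log(text)
    return {ip: {"blocks": sum(r["count"] for r in run),
                 "bursts": len(run),
                 "outgoing": sum(1 for _, i, d in events if i == ip and d == "outgoing")}
            for ip, run in bursts(events, gap).items()}
```

Call summarize() on the text of the real protection log (or on SAMPLE_LOG to try it); a burst whose start time matches when the links page was opened ties the blocks to that page.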

Hi again,

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please click Start > Control Panel > Windows Firewall. Make sure the firewall is turned on.

With the firewall turned on, do you still get the blocks?

Please click Start > Control Panel > Windows Firewall. Make sure the firewall is turned on.

With the firewall turned on, do you still get the blocks?

That's not what I asked you. :)


Sorry, I wasn't seeing page 2 :)

Firewall is on, just checked to make sure. My net guy would have a fit if I left it off.

Tx. Jim

This topic is now closed to further replies.
