captarheel

being attacked by 208.73.210.29; MBAB blocking outbound access every 5-10 minutes

100 posts in this topic

MBAM is showing a popup box every 5-10 minutes saying it has blocked outgoing access to a malicious site with address 208.73.210.29.

Sometimes the popup box shows the service, and it most frequently lists svchost.exe

Per the MBAM instructions I have run DDS. The results are attached. Please let me know if it would be helpful for me to copy and paste.

I would be grateful for any help possible.

DDS.txt

Attach.txt

Share this post


Link to post
Share on other sites

Welcome to the forum, this infection has proven to sometimes be very difficult to fix.

Please go to your control panel > Java > Update Tab > Update Now.

Java 6 Update 29 <---should be 32

---------------------------------------

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, there not all bad!)

Post back the report.

MrC

Share this post


Link to post
Share on other sites

thank you so much for the help. Sorry for the delay. I have been trying to find the "Update Tab" and cannot locate it.

Share this post


Link to post
Share on other sites

I hope it wasn't a mistake to go ahead and run the RogueKiller scan, but i did. Here are the results:

RogueKiller V7.3.3 [04/22/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User: Craig Parker [Admin rights]

Mode: Scan -- Date: 04/28/2012 14:25:51

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

Share this post


Link to post
Share on other sites

We'll deal with Java later.......

Please make sure system restore is running and create a new restore point before continuing.

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

Share this post


Link to post
Share on other sites

Sorry for the flood of information. I learned how to get the update tab in the Java Control Panel. You were correct -- I am on version 29. Would you like me to update?

Share this post


Link to post
Share on other sites

Yes, the latest version is 32.

MrC

Share this post


Link to post
Share on other sites

I ran the TDSS Killer. I got three of the unsigned or locked file warnings, but nothing more serious.

Here is the report:

Share this post


Link to post
Share on other sites

OK, that scan was clean.....

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:

If you get the message Illegal operation attempted on registry key that has been marked for deletion. after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Share this post


Link to post
Share on other sites

OK, did you see my post above yours to run ComboFix?? MrC

Share this post


Link to post
Share on other sites

I ran ComboFix from the desktop and I did indeed get the Illegal operation attempted on registry key that has been marked for deletion.

I rebooted and here is the ComboFix log

Share this post


Link to post
Share on other sites

Sorry for the slowness -- I am incredibly grateful for your help. Combo Fix took a long time.

Share this post


Link to post
Share on other sites

By the way, I am still getting the MBAM pop up boxes about blocking access to the same malicious site.

Share this post


Link to post
Share on other sites

By the way, I am still getting the MBAM pop up boxes about blocking access to the same malicious site.

Do you remember what said at the start....

this infection has proven to sometimes be very difficult to fix.

MrC

Share this post


Link to post
Share on other sites

oh -- not complaining at all -- just thought you might want that information!

Share this post


Link to post
Share on other sites

Mr. C:

I need to step away for a few hours. I sincerely apologize, but I have a commitment that I cannot miss.

I did not want you to be waiting on a response from me. When I get back, I will log back on and check for further instructions.

Again, I thank you very, very much for your assistance.

Share this post


Link to post
Share on other sites

What browser does this happen in??

-----------------------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC

Share this post


Link to post
Share on other sites

Good morning.

I have been using Firefox.

I started OTL from my desktop and clicked the Scan All Users box. The scan was humming along and then just seemed to crash when it got to 'scanning Chrome settings'.

I got an error message that did not stay on screen long but sadi something like "File List out of bounds"

Now the scan seems to just be stuck.

Share this post


Link to post
Share on other sites

I stopped OTL and re-ran. The same message appeared:

LIst index out of bounds 433

Share this post


Link to post
Share on other sites

OK, OTL doesn't like your system, here's what seems to fix the ip blocking problem.

Uninstall Firefox and any related file/folders and reinstall.

Let me know, MrC

Share this post


Link to post
Share on other sites

I have removed both Firefox and Chrome from the Control Panel - Remove a Program, and run OTL from the desktop, but still get the same Linst Index Out of Bounds - 433 message when it gets to 'scanning Chrome settings'

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.