timberwolf

Scamware popup - verify Comcast IP within 10 days


A couple days ago, I started getting this annoying "popup" in my IE browser. It looks more like an image than a popup and there is no way to close it. It will go away on its own sometimes, but will return. It shows up in Firefox and Chrome too. Firefox would block it like it was a popup at first, but doesn't anymore. It doesn't appear until I open a browser. I have a good knowledge of computers, but this one is putting me to the test. I have Norton Internet Security and MalwareBytes Anti-Malware. I talked to Comcast and it's not from them. The number goes to "MarketLink" and I got a recording to call back M-F from 8-5. I've tried Norton (and Power Eraser), Eset, BitDefender, Malwarebytes, MS Security Essentials, HiJackThis, SpyBot Search & Destroy, Kaspersky, and SuperAntiSpyware in regular & safe modes. Nothing catches it. If I run Safe Mode w/ Networking and open a browser, it will still show up. One interesting detail is that if I switch to a proxy server in my browser, the "popup" goes away immediately and doesn't return. Obviously, I can't run through a proxy all the time, so I need my normal IP to work normally again. I'll try to post a screenshot of the "popup". The image was taken at Comcast.net, but it stays with me no matter what site I go to. I'm running XP, service pack 3.

post-113535-0-17037700-1340097023.jpg


Please run the following scanner and attach back the logs.

Download DDS from one of the locations below and save to your Desktop

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool; on Vista or Win 7, right click and select Run as administrator.

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.


When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file in most cases.


I called Comcast and had them assign me a new IP#. The 'popup' doesn't show up anymore, but I'm sure it's still on the system, even though there are no signs of it. Here is the info. you requested. Thanks for your reply!

attach.txt

dds.txt


The computer is infected. You need to follow the directions below and have someone assist you in cleaning it.

This software is also highly suspect in probably helping you to get the box infected and you will need to uninstall it to have one of the helpers help you to clean your computer.

µTorrent

==== Event Viewer Messages From Past Week ========

.

6/18/2012 3:24:32 PM, error: Dhcp [1002] - The IP address lease 192.168.100.10 for the Network Card with network address 001676B8A6CC has been denied by the DHCP server 68.87.75.36 (The DHCP Server sent a DHCPNACK message).

6/18/2012 3:21:17 PM, error: Dhcp [1002] - The IP address lease 98.235.171.62 for the Network Card with network address 001676B8A6CC has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

6/18/2012 12:19:10 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.127.2148.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

6/18/2012 12:10:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 ccSet_NIS eeCtrl Fips intelppm MpFilter SRTSPX SymIRON

6/18/2012 1:47:40 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.127.2148.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

6/18/2012 1:47:40 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.127.2148.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

6/18/2012 1:47:40 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.127.2148.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

6/18/2012 1:35:41 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

6/18/2012 1:13:55 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.127.2148.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

6/18/2012 1:13:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

6/17/2012 12:27:40 AM, error: SRTSP [5] - Error loading Symantec real time Anti-Virus driver.

6/17/2012 12:27:40 AM, error: SRTSP [4] - Error loading virus definitions.

6/17/2012 10:50:01 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.127.2148.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

6/17/2012 10:41:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccSet_NIS eeCtrl Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SymIRON Tcpip

6/17/2012 10:41:41 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

6/17/2012 10:41:41 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/17/2012 10:41:41 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

6/17/2012 10:41:41 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

6/17/2012 10:40:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

6/16/2012 11:39:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip

6/16/2012 10:57:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

6/16/2012 10:52:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

6/16/2012 10:46:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

6/16/2012 10:46:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

6/16/2012 10:38:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter

.

==== End Of File ===========================

Here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems or infections you may have.

  • Please read and follow the directions here, skipping any steps you are unable to complete.
  • After posting your new post, make sure under options, you select Follow this topic and choose Instantly,
    so that you're alerted when someone has replied to your post.

NOTE: Please do not post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies.

If you reply to your own post helpers may think that you're already being helped and thus overlook your post.


    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
      Or
    • You may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer, you can contact the help desk from here or here.

OPTION 3

If you would like to use our Malwarebytes Premium Consumer Services partner, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our Malwarebytes Premium Services support site.

Please be patient, someone will assist you as soon as possible.

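The Event Viewer excerpt in the post above, triaged as an added example that is not part of the thread or of DDS: it parses the `date, level: Source [ID] - message` lines, puts them in time order, and separates entries carrying Win32 error 1084 (service cannot be started in Safe Mode), which is relevant because the original poster ran scanners in Safe Mode. The function names and the abridged sample lines are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Abridged copies of entries from the excerpt above ("..." marks text cut here).
SAMPLE = """\
6/18/2012 3:24:32 PM, error: Dhcp [1002] - The IP address lease 192.168.100.10 ... has been denied by the DHCP server 68.87.75.36 (The DHCP Server sent a DHCPNACK message).
6/18/2012 12:19:10 AM, error: Microsoft Antimalware [2001] - ... Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
6/18/2012 12:10:45 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 ccSet_NIS eeCtrl Fips intelppm MpFilter SRTSPX SymIRON
6/18/2012 1:47:40 AM, error: Microsoft Antimalware [2001] - ... Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates.
6/18/2012 1:35:41 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" ...
"""

ENTRY = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
                   r"(\w+): (.+?) \[(\d+)\] - (.*)$")
# Win32 error 1084 (ERROR_NOT_SAFEBOOT_SERVICE) appears as "%1084" in DCOM
# events and as HRESULT 0x8007043c (0x43c == 1084) in the antimalware events.
SAFE_MODE = re.compile(r"0x8007043c|%1084\b|cannot be started in Safe Mode", re.I)

def parse(text):
    """Return one dict per well-formed entry; separator lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            out.append({"when": when, "level": m.group(2), "source": m.group(3),
                        "id": int(m.group(4)), "msg": m.group(5)})
    return sorted(out, key=lambda e: e["when"])  # the excerpt is not in time order

def triage(entries):
    """Count events per (source, id) and split out Safe Mode side effects."""
    counts = Counter((e["source"], e["id"]) for e in entries)
    safe = [e for e in entries if SAFE_MODE.search(e["msg"])]
    rest = [e for e in entries if not SAFE_MODE.search(e["msg"])]
    return counts, safe, rest

if __name__ == "__main__":
    counts, safe, rest = triage(parse(SAMPLE))
    for (source, event_id), n in counts.most_common():
        print(f"{n:2d}  {source} [{event_id}]")
    print(f"{len(safe)} Safe Mode side effects, {len(rest)} left to review")
```

The entries left in the review list (DHCP NACKs, driver load failures, the 0x80240016 update error) still need a human reading; the split only removes events that a Safe Mode boot produces on its own.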

Thanks for all of the information! I knew it was still infected. What in that code proves it, or is it more than one thing? I guess I'll start a new post in the other forum you suggested.


There are a lot of indicators. Your helper will help you to get it cleaned up. Thanks


There are a lot of indicators. Your helper will help you to get it cleaned up. Thanks

I hope so! Thanks again.


OK, I guess it's a legit alert from MarketLink, who is in fact a vendor of Comcast. I called Comcast's security department after reading a more recent post on Comcast's forum by someone else with a similar problem. Turns out they are doing account audits and mine had the wrong modem MAC number listed. He said this is a new program they are using and not all techs are familiar with it yet, which is why I was originally told by 2 different techs that it wasn't from them. I asked how it got past my AV programs/Firewall and he said it's something that's pushed through from Comcast and sent directly to the modem. So, if anyone else is having similar issues, you'll have to call the number listed for MarketLink to resolve the issue. If in doubt, call Comcast's security department and have them verify it first. Don't just call 1-800-COMCAST, though, call the security dept. directly. 1-888-565-4329.
