captarheel

MBAM frequently blocking outbound access to malicious site 208.73.210.29

66 posts in this topic

Welcome to the forum again, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!)

Post back the report.

MrC


I don't see anything so far, let's run some scans.....

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download TDSSKiller to your desktop and run it as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

[screenshot: tdss_1.jpg]

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[screenshot: tdss_2.jpg]

------------------------

Click the Start Scan button.

[screenshot: tdss_3.jpg]

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

[screenshot: tdss_4.jpg]

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

[screenshot: tdss_5.jpg]

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Made System Restore point. Ran TDSSKiller. Only saw three items of medium risk. "Cure" was not an option, so I selected "skip" and continue. Report zipped and attached


That scan was clean......

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Ran ComboFix as administrator from desktop.

Log attached:


Okay. I reset IE again and deleted all personal data. I normally use Firefox, so don't know if resetting IE will do anything. I am still getting the MBAM blocking access message even after resetting IE.

I never changed the hosts file after you gave me the MVPS link. I liked how that blocked even the sponsored ads on Google.

Last time we uninstalled Firefox and reinstalled it and that didn't seem to make any difference. That's a huge pain since I lose all bookmarks (I don't have many that I have created this time), but still . . . .

Will follow your directions -- what's next?


Also, just starting yesterday, I am getting strange spam emails with addresses like the following: 7069823922@vtext.com


I don't think you have MVPS hosts installed anymore because RogueKiller shows the default host file:

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

Please do this.....

Download MiniToolBox:

http://download.blee...MiniToolBox.exe

Right click MiniToolBox and select " Run as administrator " to run it.

Check the following in the list:

List content of Hosts

Click Go

Please post the contents of the Result.txt in your next Reply.

MrC


I may have deleted the MVPS hosts by telling RogueKiller to reset the hosts file. My mistake. I did that yesterday. Here is the MiniToolBox report:

MiniToolBox by Farbar Version: 25-06-2012

Ran by Craig Parker (administrator) on 05-07-2012 at 15:24:06

Microsoft Windows 7 Home Premium (X64)

Boot Mode: Normal

***************************************************************************

========================= Hosts content: =================================

127.0.0.1 localhost

**** End of log ****

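The MiniToolBox output above only prints the hosts file; it does not say whether the file is the stock one or whether it contains a hijack. The following is an added example (not part of the thread and not a MiniToolBox or RogueKiller feature) of a PowerShell audit a responder would run from an elevated prompt to answer both questions. It classifies each active entry: names mapped to 127.0.0.1, 0.0.0.0 or ::1 are blocklist-style sinkholes (what the MVPS list installs), while names mapped to any other address are the classic hosts-file hijack and deserve a second look. The path, the sinkhole list and the "two entries or fewer means stock" heuristic are this example's own assumptions.

```powershell
# Added example, not from the thread: audit the Windows hosts file.
# Reports whether it is the stock (localhost-only) file, how many
# blocklist-style entries it carries, and flags any entry that maps a
# name to a non-loopback address (a hosts-file hijack).
# Run from an elevated PowerShell prompt; works on PowerShell 2.0 (Win7).

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Assumption: these are the only addresses a legitimate blocklist uses.
$sinkholes = @('127.0.0.1', '0.0.0.0', '::1')

$entries = @()
foreach ($line in Get-Content -Path $hostsPath) {
    # hosts uses '#' for comments; drop them and blank lines.
    $text = ($line -split '#')[0].Trim()
    if ($text -eq '') { continue }
    $fields = $text -split '\s+'
    if ($fields.Length -lt 2) { continue }   # malformed line: IP with no name
    $ip = $fields[0]
    foreach ($name in $fields[1..($fields.Length - 1)]) {
        $entries += New-Object PSObject -Property @{ IP = $ip; Name = $name }
    }
}

"Hosts file: $hostsPath"
"Active entries: $($entries.Count)"

# @() keeps .Count valid on PS 2.0 even when only one object matches.
$blocklist = @($entries | Where-Object { $sinkholes -contains $_.IP -and $_.Name -ne 'localhost' })
$hijacks   = @($entries | Where-Object { $sinkholes -notcontains $_.IP })

if ($entries.Count -le 2 -and $hijacks.Count -eq 0) {
    "Looks like the stock hosts file (localhost only); a blocklist such as MVPS is NOT installed."
} else {
    "Blocklist-style entries (names sinkholed to loopback/0.0.0.0): $($blocklist.Count)"
}

if ($hijacks.Count -gt 0) {
    "WARNING: entries pointing names at a non-loopback address (possible hijack):"
    $hijacks | Format-Table IP, Name -AutoSize
} else {
    "No hijack-style entries found."
}

# A hidden or very recently modified hosts file is itself a red flag,
# so show attributes and the last write time as well.
Get-Item $hostsPath -Force | Select-Object FullName, Attributes, LastWriteTime
```

On the report the user posted (a single `127.0.0.1 localhost` line) this prints the "stock hosts file" verdict, which matches MrC's reading of the RogueKiller output; after reinstalling the MVPS list the blocklist count should be in the thousands and the hijack list should still be empty.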

You should reinstall it.

Can you post the protection log from MB that shows the ip blocks. MrC

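The MBAM protection log MrC asks for is the right starting point because it names the process behind each block. The following is an added example, not part of the thread, of how a responder would cross-check that live on the same machine: watch for any socket to the blocked address and report the owning process, its image path and its command line. It parses `netstat -ano` because Windows 7 has no `Get-NetTCPConnection` cmdlet. The target address is the one from the thread title; the polling interval and the 120-second default are this example's own choices.

```powershell
# Added example, not from the thread: find which process keeps opening
# connections to the address MBAM is blocking. Outbound attempts are
# short-lived, so poll netstat every couple of seconds and report each
# new (PID, remote endpoint) pair once. Run from an elevated prompt.

param(
    [string]$TargetIp = '208.73.210.29',   # address from the MBAM block messages
    [int]$Seconds = 120                    # how long to watch (assumption)
)

$seen = @{}
$deadline = (Get-Date).AddSeconds($Seconds)
# Match "<ip>:<port>" as a whole token so 208.73.210.2 does not match 208.73.210.29.
$pattern = '\b' + [regex]::Escape($TargetIp) + ':\d+\b'

while ((Get-Date) -lt $deadline) {
    # netstat -ano TCP rows: Proto  Local Address  Foreign Address  State  PID
    $hits = netstat -ano | Select-String -Pattern $pattern
    foreach ($hit in $hits) {
        $fields = $hit.Line.Trim() -split '\s+'
        $procId = $fields[-1]
        $remote = $fields[2]
        $key = "$procId|$remote"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # WMI gives the image path and command line; Get-Process on Win7 does not expose the latter.
        $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
        if ($proc) {
            $name = $proc.Name; $path = $proc.ExecutablePath; $cmd = $proc.CommandLine
        } else {
            $name = '(already exited)'; $path = ''; $cmd = ''
        }

        New-Object PSObject -Property @{
            Time        = Get-Date -Format 'HH:mm:ss'
            PID         = $procId
            Remote      = $remote
            State       = $fields[3]
            Name        = $name
            Path        = $path
            CommandLine = $cmd
        } | Format-List
    }
    Start-Sleep -Seconds 2
}

if ($seen.Count -eq 0) { "No connections to $TargetIp observed in $Seconds seconds." }
```

If the reported process is a browser, the command line and the MBAM log timestamps together tell you whether a page, an extension or a scheduled task is driving the requests; if it is an unfamiliar executable, its path is the next thing to feed back into the scans above. Note that MBAM may block the attempt before a socket ever appears in netstat, so an empty result here does not contradict the MBAM log.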

Will reinstall after this post.

Here is the MB log from today:


I uninstalled FF and logged on using IE. Still getting MBAM blocking messages.


Read through this post and see if any of it works for you:

http://forums.malwar...ndpost&p=546749

--------------------------------

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Reading other post now. In the meantime, I ran OTL. I have attached the txt file. I could not find a file called "extra". Can you please tell me where to look?


I totally deleted Firefox and all personal information. I am now using IE. Still getting the IP block messages from MBAM. Same outbound address.

I read the other post, and saw the suggestion for some OTL fixes, but I was not able to fully copy the suggested fixes -- I couldn't figure out how to pick up the text outside the visible area of the text box and I couldn't get the scroll bar to work at the same time as trying to copy. As such, I have not run any of those suggested fixes.


Not much showing.

Can you take a look at these two folders, let me know if you recognize them:

C:\Users\Craig Parker\AppData\Roaming\5E6DB

C:\Users\Craig Parker\AppData\Roaming\8875E

---------------------------------

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    :Commands
    [EMPTYJAVA]
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC


I do not recognize those two folders. I opened them and they are both empty.

Ran the fix -- here's the log:

All processes killed

Error: Unable to interpret <:OTLO3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.O18:64bit: - Protocol\Handler\ms-help - No CLSID value found:Commands[EMPTYJAVA][emptytemp]> in the current context!

OTL by OldTimer - Version 3.2.42.2 log created on 07062012_071209

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


By the way -- don't know if it helps, but I am still getting the IP block message even after that last OTL fix.


It didn't work, here's the code to copy and paste in:

:OTL

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O18:64bit: - Protocol\Handler\ms-help - No CLSID value found

:Commands

[EMPTYJAVA]

[emptytemp]

MrC


Tried again. Here is the txt file result:

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.

File Protocol\Handler\ms-help - No CLSID value found not found.

File PTYJAVA] not found.

File ptytemp] not found.

OTL by OldTimer - Version 3.2.42.2 log created on 07062012_084043

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Let's clean out the temp files like this:

Download TFC to your desktop

Close any open windows.

Double click the TFC icon to run the program

TFC will close all open programs itself in order to run.

Click the Start button to begin the process.

Allow TFC to run uninterrupted.

The program should not take long to finish its job.

Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

MrC


Okay. I ran TFC. It said it cleaned out 32MB of files.

I am watching for more IP blocks. Will let you know what I see.

What about the two folders I did not recognize but which were empty?

This topic is now closed to further replies.