malicious website blocked 95.215.1.57


Two machines here had mbytes block access to 95.215.1.57 this morning. One, a laptop, (MHM5) had access blocked only once. Scans by mbytes (w/rootkit option) as well as RogueKiller, AdwCleaner, MSRT and ComboFix (scan only, no fix) found no infections (logs available).

 

The other, a desktop (AMP), has been trying to connect to that IP address every few seconds all day (internet access was removed as soon as it became apparent that there was more than just a simple block occurring).

 

I've repeatedly tried to copy/paste or cut/paste the results of the FRST scan of that desktop here without success so have attached the file instead.

 

Thanks! ~Margaret

Hello Margaret and welcome to Malwarebytes forum.

I need for you to attach the FRST logs. Kindly do not copy / paste. Just attach.

I need the FRST.txt + Addition.txt.

In order to attach files you click on the button on the bottom right of your reply called "More Reply Options".

After that you will be taken to a new screen and you can attach files by clicking on the button "Choose Files" at the bottom.

NOTE: IP Blocks happen for a reason.

The Malwarebytes Anti-Malware Website Blocking feature will advise users when a known malicious IP is attempted to be reached (outgoing) or is trying to access your PC (incoming).

Incoming threats can be ignored, our software is blocking the attack and there is nothing more that can be done.

No action is required unless you're also experiencing malware symptoms or there are multiple IPs (e.g. 123.23.34 and 4.44.56).

A browser is not required to be running; just an active Internet connection with processes running, such as instant messenger clients, Skype or P2P software, can trigger these alerts.

These are also triggered by banner ads running on websites, which is the most common form of alert.

Windows Vista and Windows 7 & 8 will show the process, but Windows XP does not have the structure in place for this to be displayed by our software.

Please see/review this reference on MBAM's IP blocks:

https://helpdesk.malwarebytes.org/hc/en-us/articles/202325608

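The useful datum in an outgoing IP-block alert is which local process is opening the connection; MBAM shows it on Vista/7/8 but not on XP, and a single alert cannot distinguish a banner ad from a process that retries every few seconds, as the desktop in this thread was doing. The script below is an added example, not Malwarebytes, FRST or ComboFix code: it correlates `netstat -ano` output (which also reports PIDs on XP) with `tasklist /fo csv /nh` output to find the process behind a blocked address, and flags a PID as persistent only when it appears across repeated snapshots. The netstat and tasklist text, the local addresses and the process name `updsvc.exe` are constructed sample data; only the blocked IP 95.215.1.57 comes from the thread.

```python
"""Find which local process keeps connecting to a blocked IP.

Inputs are plain text captured on the affected Windows machine with
    netstat -ano          (one capture per snapshot, a few seconds apart)
    tasklist /fo csv /nh  (PID -> image name)
All sample data below is constructed for this example.
"""
import csv
import io
import re
from collections import Counter

BLOCKED_IP = "95.215.1.57"   # the address MBAM kept blocking in the thread

# Constructed `netstat -ano` snapshot: one unrelated browser connection plus
# a process (PID 3412) repeatedly half-open (SYN_SENT) to the blocked IP.
NETSTAT_SNAPSHOT_1 = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       792
  TCP    192.168.1.20:49711     95.215.1.57:80         SYN_SENT        3412
  TCP    192.168.1.20:49712     95.215.1.57:80         SYN_SENT        3412
  TCP    192.168.1.20:49698     172.217.16.14:443      ESTABLISHED     2208
  TCP    192.168.1.20:49713     95.215.1.57:443        SYN_SENT        3412
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# Constructed second snapshot a few seconds later: new ephemeral ports, same PID.
NETSTAT_SNAPSHOT_2 = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       792
  TCP    192.168.1.20:49720     95.215.1.57:80         SYN_SENT        3412
  TCP    192.168.1.20:49721     95.215.1.57:80         SYN_SENT        3412
"""

# Constructed `tasklist /fo csv /nh` output; updsvc.exe is a hypothetical name.
TASKLIST_SAMPLE = """\
"svchost.exe","792","Services","0","9,456 K"
"firefox.exe","2208","Console","1","312,100 K"
"updsvc.exe","3412","Console","1","4,212 K"
"svchost.exe","1104","Services","0","12,004 K"
"""

# Proto, local, remote, optional state (UDP rows have none), PID.
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output (memory column is quoted, so csv handles the comma)."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def remote_ip(addr):
    """Strip the port from 'ip:port'; IPv6 appears as '[addr]:port'."""
    return addr.rsplit(":", 1)[0].strip("[]")


def processes_talking_to(blocked_ip, netstat_text, tasklist_text):
    """{pid: {"image", "attempts", "ports", "states"}} for sockets whose peer is blocked_ip."""
    names = parse_tasklist(tasklist_text)
    hits = {}
    for _proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if remote_ip(remote) != blocked_ip:
            continue
        entry = hits.setdefault(pid, {"image": names.get(pid, "<unknown>"),
                                      "attempts": 0, "ports": set(), "states": Counter()})
        entry["attempts"] += 1
        entry["ports"].add(int(remote.rsplit(":", 1)[1]))
        entry["states"][state] += 1
    for entry in hits.values():            # make the result plain and orderable
        entry["ports"] = sorted(entry["ports"])
        entry["states"] = dict(entry["states"])
    return hits


def persistent_talkers(blocked_ip, snapshots, tasklist_text, min_fraction=0.5):
    """{pid: (image, snapshots_seen)} for PIDs present in >= min_fraction of snapshots.

    A banner ad shows up in one snapshot and disappears; a beaconing process
    is back in the next one with fresh ephemeral ports."""
    seen = Counter()
    for snap in snapshots:
        for pid in processes_talking_to(blocked_ip, snap, tasklist_text):
            seen[pid] += 1
    names = parse_tasklist(tasklist_text)
    return {pid: (names.get(pid, "<unknown>"), n)
            for pid, n in seen.items() if n / len(snapshots) >= min_fraction}


if __name__ == "__main__":
    snaps = [NETSTAT_SNAPSHOT_1, NETSTAT_SNAPSHOT_2]
    for pid, info in processes_talking_to(BLOCKED_IP, snaps[0], TASKLIST_SAMPLE).items():
        print(f"PID {pid} {info['image']}: {info['attempts']} sockets to {BLOCKED_IP}, ports {info['ports']}")
    print("persistent:", persistent_talkers(BLOCKED_IP, snaps, TASKLIST_SAMPLE))
```

Run it against real captures by replacing the sample strings with the saved output of the two commands; the PID it names is the one whose image path and autostart entry you then look for in the FRST log. A process that only appears in one of several snapshots is the banner-ad case the helper describes and needs no action.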

Maurice,

 

Neither computer generated an additions.txt file, just the FRST ones. AMP5_frst.txt and MHM4_frst.txt are attached. Should I run FRST again on each machine?

 

 I also have scan logs from other removal programs available for MHM4 if you would like to see them and hijackthis.logs for both.

 

The other thing I did not mention was the AMP5 computer block dialog indicated it was trying to go to fff5ee.com.

 

MHM4_FRST.txt

AMP5_FRST.txt


This is only for the computer you ID'd as MHM4. Only that one.

We can work on that one PC all the way until it is cleared up, so please wait for my all clear and until then keep off the other computer.

 

FOR MHM4 only:

 

Save the attached file Fixlist.txt to the same location where you have FRST.exe; that's important for the Fix to work.

It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite an existing one please allow)

Run FRST again but this time press the "Fix" button just once and wait.

When finished, it will make a log (fixlog.txt) next to FRST.
Please attach the Fixlog.txt  into a reply.

 

NEXT

 

Start the Anti-Malware program.
On the Dashboard, click the **Scan Now >>** button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click **Apply Actions** to allow MBAM to clean what was detected.
In some cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.



Click on the **History tab** > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click **'Copy to Clipboard'**
Paste the contents of the clipboard into your reply.
then in the body of the reply box, do a Paste by pressing CTRL+V keys on the keyboard,

or if it is easier, attach the actual scan log file.

 

Fixlist.txt


Hello,

 

Good run of fix with FRST.  Excellent result from MBAM.

 

You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for member Remargable only. If you are a casual viewer, do NOT try this on your system!
If you are not, and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on the following steps.

Close any of your open programs while you run these tools.

On almost all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere.  How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan and how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall power (AC power) or a UPS system.


Important:  Have no other programs running.  Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.

    When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.  
 

A file will be created at => C:\Combofix.txt.  

Notes:
[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer; this should resolve the problem. You may have to reboot the PC a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart, then I need for you to Restart the system fresh.

Reply & Copy & Paste the contents of the C:\Combofix.txt log
and tell me: how is the system now?

Re-enable your antivirus program.

Maurice,

 

I right-clicked and selected disable on the SEP tray icon, but Combofix still detects the computer as running a real-time antivirus/antimalware scanner.

 

I tried to stop Combofix so I could simply uninstall SEP altogether, but when I clicked the close button on the Combofix dialog it didn't stop, it instead moved on and now is warning that "antivirus/antimalware is still active but Combofix shall continue to run, Kindly note that this at your own risk."

 

What's my next step?

 

Thanks!


Very good. We can wrap up the case for MHM4.

The following procedures will implement some cleanup procedures to remove the tools I had you use.

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

For the computer marked as AMP5

Save the attached file Fixlist.txt to the same location where you have FRST.exe; that's important for the Fix to work.

It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite an existing one please allow)

Run FRST again but this time press the "Fix" button just once and wait.

When finished, it will make a log (fixlog.txt) next to FRST.
Please attach the Fixlog.txt  into a reply.

 

NEXT for AMP5

Start the Anti-Malware program.
On the Dashboard, click the **Scan Now >>** button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click **Apply Actions** to allow MBAM to clean what was detected.
In some cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.



Click on the **History tab** > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click **'Copy to Clipboard'**
Paste the contents of the clipboard into your reply.
then in the body of the reply box, do a Paste by pressing CTRL+V keys on the keyboard.

 

 

Fixlist.txt


Maurice~

 

I'm so very grateful for the time you've invested in helping me. As there was great concern about infection transmission and its impact on other computers here, I decided this morning to purchase a business license for AMP5 and submit a business support ticket. David P. has responded and I have sent him the fixlist.txt file you've provided. A lesson was learned by our firm... and our consultant is reviewing the business product offerings with a sales rep at this time.

 

Best regards to you and to all the Moderators, Deities, etc. who are so willing to help out others like myself for nothing in return. I truly appreciate it.

 

~Margaret
