Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malwarebytes keeps blocking access to a malicious IP... Am I infected?


  • This topic is locked This topic is locked
8 replies to this topic

#1 mgkidw0

mgkidw0

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:31 AM

Posted 02 October 2009 - 05:45 PM

I am running Windows XP. I have intalled several new programs over the past couple of weeks. I have Malwarebytes' Anti-Malware and have the IP protection enabled. I also have Avira AntiVir Personal - Free Antivirus and keep them updated.

I have been having an issue with my computer being very slow and freezing up over the past couple of weeks. Everytime I attempt to open a new site or start IE, it prompts and states it has blocked access to a malicious IP = 95.211.1.176 (it is 80% of the time this IP, but sometimes it is another one; can't remember it though). Also, when I run IE, Avira will alert me stating it has detected a "pattern of the HTML/Infected.WebPage.Gen.HTML script virus" and I will quarantine this. This has alerted me on sites such as Google, eBay, eBates and others. I am unsure what is going on. I have gone into my Windows\Temp folder and have found "Perflib_Perfdata_34c" which is unable to delete due to it "being used by another program." Also, Malwarebytes' has found several items that it has quarantined, and I would list them right now, but I am running a full scan and can't access the quarantine files. I don't really see anything different in the task manager, but I am not sure.

Avira and Malwarebytes' don't find anything during scans. I also have TuneUp Utilities 2009 and try to keep my computer "cleaned up" through the workings of that program as well.

I am unsure this has anythig to do with the problems I have mentioned above, but my keyboard is now skipping many letters. I have to watch what I type and it does not type about every 8th letter or so. This has never done this before and it started doing this only when my computer stared slowing down. I just thought it might have something to do with it.

Any help or advice would be greatly appreciated. Thank you, in advance, for your time, attention and reply to my issues.

Sincerely,
mgkidw0

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:03:31 AM

Posted 03 October 2009 - 08:09 PM

Update mbam and run a FULL scan
Please post the results
-------------------------------


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
    First
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

------------------------------

follow up with a Dr Web Cureit scan


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 mgkidw0

mgkidw0
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:31 AM

Posted 04 October 2009 - 08:54 PM

I am working on performing these tasks. It has already taken 3.5 hour and still running to perform the SUPERAntiSPyware scan; I am running the first scan righ now and I have to do it again for the "administrator's" account; I was unaware there were two accounts on my computer until I had to choose when putting it into safe mode.

Also, just a little hint what Malwarebytes' found was Trojan.Tracur. I will be posting all the logs of the scans as soon as they get done scanning.

#4 mgkidw0

mgkidw0
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:31 AM

Posted 05 October 2009 - 12:11 PM

Malwarebytes log

Malwarebytes' Anti-Malware 1.41
Database version: 2907
Windows 5.1.2600 Service Pack 3

10/4/2009 6:04:50 PM
mbam-log-2009-10-04 (18-04-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198883
Time elapsed: 1 hour(s), 0 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dot3cfg32.dll (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\c0180230684 (Trojan.Tracur) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\dot3cfg32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\dot3cfg32.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dot3cfg32.dll (Trojan.Tracur) -> Delete on reboot.

________________________________________________________________

SUPER AntiSpyware Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/04/2009 at 10:11 PM

Application Version : 4.29.1002

Core Rules Database Version : 4144
Trace Rules Database Version: 2075

Scan type : Complete Scan
Total Scan Time : 03:57:38

Memory items scanned : 225
Memory threats detected : 0
Registry items scanned : 5695
Registry threats detected : 0
File items scanned : 99477
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Missy\Cookies\missy@doubleclick[1].txt

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID

______________________________________________________________________________________________________________

Dr.Web CureIt Log

CouponPrinter.exe\data012;C:\Documents and Settings\Missy\Desktop\CouponPrinter.exe;Adware.Coupons.34;;
CouponPrinter.exe\data013;C:\Documents and Settings\Missy\Desktop\CouponPrinter.exe;Adware.Coupons.34;;
CouponPrinter.exe\data015;C:\Documents and Settings\Missy\Desktop\CouponPrinter.exe;Adware.Coupons.34;;
CouponPrinter.exe\data016;C:\Documents and Settings\Missy\Desktop\CouponPrinter.exe;Adware.Coupons.34;;
CouponPrinter.exe;C:\Documents and Settings\Missy\Desktop;Container contains infected objects;Moved.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Moved.;

#5 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:03:31 AM

Posted 05 October 2009 - 08:24 PM

Update mbam and run a FULL scan
Please post the results
---------------------------------------



We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 mgkidw0

mgkidw0
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:31 AM

Posted 05 October 2009 - 11:17 PM

Thanks for your help. It is greatly appreciated. It looks as though my computer is even more infected than I thought.

Here are those reports you requested:

Malwarebytes' Anti-Malware 1.41
Database version: 2912
Windows 5.1.2600 Service Pack 3

10/6/2009 12:00:42 AM
mbam-log-2009-10-06 (00-00-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198679
Time elapsed: 49 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\MSN Gaming Zone\Windows\bckg.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufat.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\bckg.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\voicesub.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\ufat.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\ServicePackFiles\i386\lang\voicesub.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\ime\IMJP8_1\APPLETS\voicesub.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtServicePackUninstall$\voicesub.dll (Spyware.Zbot) -> Quarantined and deleted successfully.


________________________________________________________________________________


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 00:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF53C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BAA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8842000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf8c81b1e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf8c81b14

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf8c81b23

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf8c81b2d

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf8c81b32

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf8c81b00

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf8c81b05

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf8c81b3c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf8c81b37

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf8c81b28

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf8c81b0f

==EOF==

___________________________________________________________________________

Once again, thanks so much for everything you have already done and any other help you can give me.

#7 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:03:31 AM

Posted 06 October 2009 - 04:29 PM

Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Posted Image > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users, users can refer to these instructions to Run a Batch File as an Administrator.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#8 mgkidw0

mgkidw0
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:31 AM

Posted 06 October 2009 - 08:34 PM

Here is the log of peek.bat. Thanks again for all your help. You guys (and girls?) on here are life (computer) savers.

______________________________________________________________________

Volume in drive C has no label.
Volume Serial Number is C018-0230

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 22,990,897,152 bytes free

#9 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:03:31 AM

Posted 07 October 2009 - 05:11 PM

Now that you were successful in creating those two logs you need to post them in our HJT forum:
First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck

Edited by garmanma, 07 October 2009 - 05:17 PM.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users