Help required: MBAM blocked IPs and browser infections


  • Please log in to reply
4 replies to this topic

#1 jonamafun

Posted 02 December 2010 - 06:51 AM

I think my PC may be infected with something that is hijacking my browsers.

I am running Windows 7 64-bit, Microsoft Security Essentials, and Malwarebytes's Anti-Malware. I upgraded MBAM to 1.50 just before posting this issue.

Periodically, MBAM will block IPs per the log below emanating from both svchost.exe and firefox.exe. Furthermore, new browser windows will open trying to open certain websites. These websites are almost always blocked by MBAM.

Finally, sometimes I try to open my browsers (IE8 and Firefox) but nothing happens. I check Task Manager and the process is running, but the memory used will only be 1-2mb. Clicking several times to start the app sometimes gets it going, and I manually have to kill each of the redundant processes.

What have I done so far? A few weeks ago, I installed MBAM 1.47 and ran a quick scan and this was the result:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5104

Windows 6.1.7600
Internet Explorer 9.0.7930.16406

13/11/2010 3:53:08 PM
mbam-log-2010-11-13 (15-53-08).txt

Scan type: Quick scan
Objects scanned: 139175
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\programdata\application data\sp.DLL (TrojanProxy.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spservice (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{96afbe69-c3b0-4b00-8578-d933d2896ee2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96afbe69-c3b0-4b00-8578-d933d2896ee2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\cleanswepx.exe (Trojan.SpyEye) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Application Data\sp.DLL (TrojanProxy.Agent) -> Delete on reboot.
C:\cleanswepx.exe\config.bin (Trojan.SpyEye) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\dkfjasdfshd.bat (Malware.Trace) -> Quarantined and deleted successfully.



Today I installed MBAM 1.50 and here's the MBAM log after running a quick scan:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5232

Windows 6.1.7600
Internet Explorer 9.0.7930.16406

2/12/2010 10:26:36 PM
mbam-log-2010-12-02 (22-26-36).txt

Scan type: Quick scan
Objects scanned: 152181
Time elapsed: 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Finally, here's the MBAM log of websites blocked today:

22:23:56 pegus MESSAGE Protection started successfully
22:23:59 pegus MESSAGE IP Protection started successfully
22:25:07 pegus MESSAGE IP Protection stopped
22:25:09 pegus MESSAGE Database updated successfully
22:25:09 pegus MESSAGE IP Protection started successfully
22:26:53 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 49188, Process: svchost.exe)
22:28:05 pegus IP-BLOCK 209.222.8.217 (Type: outgoing, Port: 49239, Process: firefox.exe)
22:29:09 pegus IP-BLOCK 194.60.205.232 (Type: outgoing, Port: 49270, Process: firefox.exe)
22:29:09 pegus IP-BLOCK 194.60.205.233 (Type: outgoing, Port: 49271, Process: firefox.exe)
22:29:09 pegus IP-BLOCK 194.60.205.234 (Type: outgoing, Port: 49272, Process: firefox.exe)
22:29:17 pegus IP-BLOCK 194.60.205.232 (Type: outgoing, Port: 49274, Process: firefox.exe)
22:29:17 pegus IP-BLOCK 194.60.205.233 (Type: outgoing, Port: 49275, Process: firefox.exe)
22:29:17 pegus IP-BLOCK 194.60.205.234 (Type: outgoing, Port: 49276, Process: firefox.exe)
22:36:53 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 49375, Process: svchost.exe)
22:40:53 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 49417, Process: firefox.exe)
22:46:53 pegus IP-BLOCK 193.27.232.75 (Type: outgoing, Port: 49455, Process: svchost.exe)
22:50:54 pegus IP-BLOCK 193.27.232.75 (Type: outgoing, Port: 49467, Process: firefox.exe)



Many thanks in advance!


#2 quietman7

Posted 02 December 2010 - 08:22 AM

IP Protection (malicious website blocking) is part of the Protection Module and works after it is enabled. When attempting to go to a malicious website, Malwarebytes will block the attempt and provide an alert. These events are stored in the "protection-log".

Information that explains this feature can be found in the Malwarebytes Anti-Malware IP Protection FAQs.

What does IP Protection do?
IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges...

What does this notification mean?
This notification means quite simply that an IP address has been blocked. It does NOT necessarily mean you are infected; it simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address...

Other FAQs about IP Protection
How does it do this?
How does it inform you?
I got an alert and I wasn't even surfing, how's that happen?
I received a notification on a safe site, why?
How do I disable this?
I got an alert for an IP or website I think is safe, how can I report it?
Does the IP Protection replace my firewall?
Where do I find the IP Protection logs?
How can I add an IP so it won't be detected and can access a site I need to?


If you are using peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent, BitLord, BearShare, Azureus/Vuze, etc) or an (IM) client, be aware they can trigger alerts. Why? Because these kinds of programs are a security risk which can make your system susceptible to a smörgåsbord of malware infections and remote attacks for several reasons to include pop-up ads and malicious Flash ads that can lead to rogue sites where the IP address has been blocked. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Even your Browser is susceptible to ads so just surfing the net or going to unsafe sites may trigger alerts in order to protect you. Please read How Malware Spreads - How did I get infected.

The best way to eliminate these risks is to avoid using IM and P2P applications.
Since your browser is opening on its own and many of those IPs are going to Russia, I recommend further investigation.

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
If you previously used Norman, delete that version and download it again as the tool is frequently updated!
  • Be sure to read all the information Norman provides on that same page.
  • Double-click on Norman_Malware_Cleaner.exe to start. Vista/Windows 7 users right-click and select Run As Administrator.
    The tool is very slow to load as it uses a special driver. This is normal so please be patient.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot to ensure that all infections are removed.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.
-- Note: If you need to scan a USB flash drive or other removable drives not listed, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.

Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
#3 jonamafun

Posted 03 December 2010 - 09:55 AM

Hi quietman7 - many thanks for taking the time to assist. I did the steps that you requested. Here's the Norman log:

Norman Malware Cleaner
Version 1.8.3
Copyright © 1990 - 2010, Norman ASA. Built 2010/12/02 11:24:20

Norman Scanner Engine Version: 6.06.07
Nvcbin.def Version: 6.06.00, Date: 2010/12/02 11:24:20, Variants: 8241337

Scan started: 2010/12/03 01:22:32

Running pre-scan cleanup routine:
Operating System: Microsoft Windows 7 6.1.7600
Logged on user: atlas\pegus

Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000

Scanning kernel...

Kernel scan complete



Scanning running processes and process memory...

Number of processes/threads found: 2643
Number of processes/threads scanned: 2643
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 59s


Scanning file system...

Scanning: prescan

Scanning: C:\*.*

C:\32788R22FWJFW\catchme.cfxxe (Infected with W32/Smalltroj.ZLDK)
Deleted file

C:\System Volume Information\{38088~1 (Error opening file: Access denied)

C:\System Volume Information\{68EF5~1 (Error opening file: Access denied)

C:\System Volume Information\{8F67C~1 (Error opening file: Access denied)

C:\System Volume Information\{E3C43~1 (Error opening file: Access denied)

Scanning: D:\*.*

D:\Download\Old\avidemux_2.5.3_win32.exe/noname.nsis/file1 (Error whilst scanning file: I/O Error (0x00220000))

D:\Download\Old\FinePrint.PdfFactory.Pro.v3.49.Incl.Keymaker-ZWT.rar/FinePrint.PdfFactory.Pro.v3.49.Incl.Keymaker-ZWT\zfpfp349.zip/zwt.rar/keygen.exe (Infected with W32/DLoader.AHAFF)
Deleted file

D:\Download\Old\MediaMonkey%20Gold%20v3.1.0.1256%20Multilingual%20Incl%20Keymaker-CORE.rar/MediaMonkey Gold v3.1.0.1256 Multilingual Incl Keymaker-CORE\keygen.exe (Infected with W32/Suspicious_Gen2.BZJEM)
Deleted file

D:\Download\Old\NWPLz0.rar/Nullsoft.Winamp.Pro.v5.56.Incl.Keygen-Lz0\Lz0\KeyGen.exe (Infected with Suspicious_F.gen)
Deleted file

D:\Download\Old\NWPLz0.rar/Nullsoft.Winamp.Pro.v5.56.Incl.Keygen-Lz0\nfoviewer.exe (Infected with Suspicious_Gen.SJL)
Deleted file

D:\Download\Old\Replay_Media.rar/Replay Media\RMC301\Replay Media Catcher 3.0.1\RCATSetup.exe (Infected with Suspicious_Gen2.RYMV)
Deleted file

D:\Download\Old\ST404WINAMP.rar/Stereo.Tool.v4.04.Plugin.for.Winamp.WinAll.Incl.Keygen-CRD\cna1007a.zip/cna1007a.rar/crd.exe (Infected with Suspicious_Gen.BG)
Deleted file

D:\Download\Old\ST404WINAMP.rar/Stereo.Tool.v4.04.Plugin.for.Winamp.WinAll.Incl.Keygen-CRD\cna1007a.zip/cna1007a.rar/Keygen.zip/Keygen/kg.exe (Infected with W32/Malware.GDPZ)
Deleted file

D:\Download\Old\ST404WINAMP.rar/Stereo.Tool.v4.04.Plugin.for.Winamp.WinAll.Incl.Keygen-CRD\cna1007a.zip/cna1007a.rar/Keygen.zip (Empty archive after cleaning)
Deleted file

D:\Download\Old\Winamp.Pro.v5.571.Multilingual.Incl.Keymaker-CORE.rar/Winamp.Pro.v5.571.Multilingual.Incl.Keymaker-CORE\cr-w5571.zip/keygen.exe (Infected with W32/Agent.ANOG)
Deleted file

D:\Download\Old\SignSISTool\55_Application.rar/55_Application\Handy Alarm\keygen.exe (Infected with W32/Suspicious_Gen3.JUKZ)
Deleted file

D:\Download\Old\SignSISTool\55_Application.rar/55_Application\Handy Zip\keygen.exe (Infected with W32/Suspicious_Gen3.JUKZ)
Deleted file

D:\Download\Old\SignSISTool\55_Application.rar/55_Application\Handy Profiles\keygen.exe (Infected with W32/Suspicious_Gen3.JUKZ)
Deleted file

D:\Download\Old\SignSISTool\55_Application.rar/55_Application\MP3 Dictaphone v2.50\keygen.exe (Infected with W32/Suspicious_Gen.QXM)
Deleted file

D:\Download\Old\SignSISTool\55_Application\55_Application\Handy Alarm\keygen.exe (Infected with W32/Suspicious_Gen3.JUKZ)
Deleted file

D:\Download\Old\SignSISTool\55_Application\55_Application\Handy Profiles\keygen.exe (Infected with W32/Suspicious_Gen3.JUKZ)
Deleted file

D:\Download\Old\SignSISTool\55_Application\55_Application\Handy Zip\keygen.exe (Infected with W32/Suspicious_Gen3.JUKZ)
Deleted file

D:\Download\Old\SignSISTool\55_Application\55_Application\MP3 Dictaphone v2.50\keygen.exe (Infected with W32/Suspicious_Gen.QXM)
Deleted file

D:\Download\usenet\Folders\Xilisoft Video Converter Ultimate\Xilisoft.Video.Converter.Ultimate.6.0.3.build.0416_CRK-FFF.zip/video.converter.ultimate.6-patch.exe (Infected with W32/Suspicious_Gen.NHP.dropper)
Deleted file

Scanning: E:\*.*

Scanning: F:\*.*

F:\System Volume Information\{0DF72~1 (Error opening file: Access denied)

F:\System Volume Information\{1F5A0~1 (Error opening file: Access denied)

F:\System Volume Information\{1F5A0~2 (Error opening file: Access denied)

F:\System Volume Information\{35DDF~1 (Error opening file: Access denied)

F:\System Volume Information\{35DDF~2 (Error opening file: Access denied)

F:\System Volume Information\{38088~1 (Error opening file: Access denied)

F:\System Volume Information\{4EBCA~1 (Error opening file: Access denied)

F:\System Volume Information\{5CCB8~1 (Error opening file: Access denied)

F:\System Volume Information\{9D6DC~1 (Error opening file: Access denied)

F:\System Volume Information\{9D6DC~2 (Error opening file: Access denied)

F:\System Volume Information\{9D6DC~3 (Error opening file: Access denied)

F:\System Volume Information\{9D6DC~4 (Error opening file: Access denied)

Scanning: G:\*.*

Scanning: I:\*.*

Scanning: postscan


Running post-scan cleanup routine:

Number of files found: 816430
Number of archives unpacked: 6895
Number of files scanned: 816356
Number of files not scanned: 74
Number of files skipped due to exclude list: 0
Number of infected files found: 19
Number of infected files repaired/deleted: 19
Number of infections removed: 19
Total scanning time: 2h 23m 46s



And here's the Eset log:

D:\Download\Old\FFSetup1_80.zip a variant of Win32/Adware.ADON application deleted - quarantined
D:\Download\Old\FoxIt.Reader.Pro.v3.0.1817-DOA.rar a variant of Win32/Keygen.AL application deleted - quarantined
D:\Download\Old\Replay_Media.rar probably a variant of Win32/Agent.JZSZCHX trojan deleted - quarantined
D:\Download\Old\youtube_flv_downloader_install.exe probably a variant of Win32/Agent.BDXASRA trojan deleted - quarantined
D:\Download\Old\FoxIt.Reader.Pro.v3.0.1817-DOA\FoxIt.Reader.Pro.v3.0.1817-DOA\Puran.Defrag.v6.1.WinXP2k3Vista.Incl.Keygen-CRD.rar a variant of Win32/Keygen.AL application deleted - quarantined
D:\Download\Old\Replay Media\RMC301\Replay Media Catcher 3.0.1\MediaCatcher.exe probably a variant of Win32/Agent.JZSZCHX trojan cleaned by deleting - quarantined
D:\Download\torrents\Diskeeper Pro Premier 2009-[h33t]-{xFire}-\Diskeeper Pro Premier 2009-[h33t]-{xFire}-.rar a variant of Win32/Keygen.AF application deleted - quarantined
D:\Download\torrents\Diskeeper Pro Premier 2009-[h33t]-{xFire}-\Keygen.exe a variant of Win32/Keygen.AF application cleaned by deleting - quarantined
D:\Download\usenet\IRONMAN.iso probably a variant of Win32/Adware.Agent.NOWTBDL application deleted - quarantined


After running these scans, IE9 still refuses to load properly. When I click the icon, it looks like it's loading but then does nothing. In Task Manager, the process is running with about 1.3-1.5mb memory used.

Lastly, here's the MBAM logs of blocked IPs since running the scans:

10:45:09 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 62000, Process: firefox.exe)
12:42:40 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 63388, Process: svchost.exe)
12:52:40 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 63507, Process: svchost.exe)
13:02:41 pegus IP-BLOCK 193.27.232.75 (Type: outgoing, Port: 63620, Process: svchost.exe)
13:12:41 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 63742, Process: svchost.exe)
15:33:41 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 65359, Process: svchost.exe)
15:43:41 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 65481, Process: svchost.exe)
15:53:41 pegus IP-BLOCK 193.27.232.75 (Type: outgoing, Port: 49229, Process: svchost.exe)
16:03:41 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 49351, Process: svchost.exe)
18:24:49 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 50984, Process: svchost.exe)
18:34:49 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 51099, Process: svchost.exe)
18:44:49 pegus IP-BLOCK 193.27.232.75 (Type: outgoing, Port: 51216, Process: svchost.exe)
18:54:50 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 51340, Process: svchost.exe)
21:16:05 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 52991, Process: svchost.exe)
21:26:05 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 53119, Process: svchost.exe)
21:36:06 pegus IP-BLOCK 193.27.232.75 (Type: outgoing, Port: 53236, Process: svchost.exe)
21:46:06 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 53359, Process: svchost.exe)
00:07:22 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55067, Process: svchost.exe)
00:17:22 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 55192, Process: svchost.exe)
00:27:22 pegus IP-BLOCK 193.27.232.75 (Type: outgoing, Port: 55312, Process: svchost.exe)
00:37:22 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 55435, Process: svchost.exe)
01:52:12 pegus MESSAGE Protection started successfully
01:52:16 pegus MESSAGE IP Protection started successfully
01:53:11 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 49221, Process: svchost.exe)
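Added example, not code from this thread or from Malwarebytes: a Python parser for the MBAM 1.50 protection-log lines quoted above that groups IP-BLOCK entries by process and flags a process whose blocks recur at a fixed interval (the 10-minute svchost.exe pattern in the log above) as a likely background beacon, as opposed to a one-off block from a browser, which quietman7 notes is not by itself evidence of infection. The sample lines are constructed from the log format in this thread; the 30-second tolerance and the three-repeat threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of the MBAM 1.50 protection log quoted
# in this thread (IPs and process names taken from the thread, times chosen here).
SAMPLE_LOG = """\
12:42:40 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 63388, Process: svchost.exe)
12:52:40 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 63507, Process: svchost.exe)
13:02:41 pegus IP-BLOCK 193.27.232.75 (Type: outgoing, Port: 63620, Process: svchost.exe)
13:12:41 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 63742, Process: svchost.exe)
13:20:05 pegus IP-BLOCK 209.222.8.217 (Type: outgoing, Port: 49239, Process: firefox.exe)
15:33:41 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 65359, Process: svchost.exe)
15:43:41 pegus IP-BLOCK 193.27.232.72 (Type: outgoing, Port: 65481, Process: svchost.exe)
23:58:00 pegus MESSAGE IP Protection started successfully
00:07:22 pegus IP-BLOCK 91.212.226.6 (Type: outgoing, Port: 55067, Process: svchost.exe)
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<kind>IP-BLOCK|MESSAGE) (?P<rest>.*)$"
)
# 1.50 appends connection details; older entries (1.4x) carry only the bare IP.
DETAIL_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: \(Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\))?$"
)


def parse_log(text):
    """Parse log lines into dicts with a running timestamp.

    The log carries only HH:MM:SS, so a time earlier than the previous
    line is treated as a midnight rollover and pushed into the next day.
    """
    events = []
    day = datetime(2000, 1, 1)  # arbitrary epoch; only differences matter
    prev = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        t = datetime.strptime(m["time"], "%H:%M:%S").time()
        stamp = datetime.combine(day.date(), t)
        if prev is not None and stamp < prev:
            day += timedelta(days=1)
            stamp = datetime.combine(day.date(), t)
        prev = stamp
        ev = {"ts": stamp, "user": m["user"], "kind": m["kind"], "ip": None,
              "dir": None, "port": None, "proc": None, "text": m["rest"]}
        if m["kind"] == "IP-BLOCK":
            d = DETAIL_RE.match(m["rest"])
            if d:
                ev.update(ip=d["ip"], dir=d["dir"],
                          port=int(d["port"]) if d["port"] else None,
                          proc=d["proc"])
        events.append(ev)
    return events


def beacon_summary(events, tolerance=30, min_repeats=3):
    """Per process, find the dominant gap between consecutive blocks.

    A process blocked at roughly the same interval at least min_repeats
    times is flagged as periodic: the beacon-like pattern worth chasing.
    """
    by_proc = defaultdict(list)
    for ev in events:
        if ev["kind"] == "IP-BLOCK" and ev["proc"]:
            by_proc[ev["proc"]].append(ev)
    summary = {}
    for proc, evs in by_proc.items():
        gaps = [int((b["ts"] - a["ts"]).total_seconds())
                for a, b in zip(evs, evs[1:])]
        # bucket gaps to the nearest `tolerance` seconds to find the dominant one
        buckets = Counter(round(g / tolerance) * tolerance for g in gaps)
        dominant = buckets.most_common(1)[0][0] if buckets else None
        repeats = sum(1 for g in gaps
                      if dominant is not None and abs(g - dominant) <= tolerance)
        summary[proc] = {
            "blocks": len(evs),
            "destinations": sorted({e["ip"] for e in evs}),
            "dominant_gap_s": dominant,
            "repeats": repeats,
            "periodic": repeats >= min_repeats,
        }
    return summary


if __name__ == "__main__":
    for proc, info in beacon_summary(parse_log(SAMPLE_LOG)).items():
        verdict = "periodic, investigate" if info["periodic"] else "one-off"
        print(f"{proc}: {info['blocks']} blocks to {info['destinations']} "
              f"every ~{info['dominant_gap_s']}s x{info['repeats']} -> {verdict}")
```

On the sample, svchost.exe comes out as periodic (four gaps of about 600 s) while the single firefox.exe block does not; the same script runs unchanged on a real protection-log file read into a string.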



#4 jonamafun

Posted 03 December 2010 - 10:01 AM

Another Firefox tab just opened itself again!

#5 quietman7

Posted 03 December 2010 - 10:21 AM

IMPORTANT NOTE: Your scan log results indicate you are using keygens/crack tools.

The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Using these types of programs or the websites you visited to get them is almost a guaranteed way to get yourself infected!!

Before continuing, I need you to remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect cracks and keygens so we need to ensure they have been removed.

When you have removed them, please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.