Malwarebytes blocking incoming and outgoing


14 replies to this topic

#1 Noney

Posted 27 July 2011 - 01:28 PM

Hi
I'm running Windows XP Pro.

I picked up some malware last Friday, and have been trying to clean it since then.
I have updated and run MBAM, SAS and ESET, all of which fixed multiple things.
They now run and don't find anything, but I keep getting "Successfully blocked"
messages, mostly outgoing, and at least one incoming. Some of the IPs:
67.29.139.153
208.87.32.75
208.73.210.29
91.213.29.63
195.3.145.252
69.6.27.100

These occur even before opening Internet Explorer and while surfing.

I am also being redirected from Google search results...
Not every time, but maybe one out of ten.
I have also gotten pop-up "Congratulations, you have won a Walmart gift card" windows. The site was webprizegiveaways or something like that.

Edited by Noney, 27 July 2011 - 02:43 PM.



#2 Noney
Topic Starter

Posted 27 July 2011 - 03:27 PM

I followed the guide for the Google redirects and ran TDSSKiller.
It found something attached to my disk driver? and cured it.
\Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

System seems better now. No more redirects or Malwarebytes blocking
of potentially malicious websites.

Will run MBAM full scan again...
MBAM came back clean.
Symantec AV just caught Trojan.Zefarch.

Should I be concerned about password theft for like online banking and stuff?

Edited by Noney, 27 July 2011 - 04:29 PM.


#3 Broni
BC Advisor

Posted 27 July 2011 - 10:11 PM

Should I be concerned about password theft for like online banking and stuff?

Absolutely.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click here.


#4 Noney
Topic Starter

Posted 28 July 2011 - 08:46 AM

Thanks for your response.

I am now symptom free, and can run multiple scanners and tools without warnings.
(MBAM, SAS, ESET, Symantec AV, SpyBot S&D) (all updated)
Also updated Java, and think I have all OS software updated.

Should I feel confident enough to use this computer to access banking sites?

#5 quietman7
Global Moderator

Posted 28 July 2011 - 09:33 AM

Anytime you encounter a malware infection on your computer, especially if that computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for taxes, email, eBay, PayPal and any other online activities. You should consider them to be compromised and change passwords from a clean computer as a precaution, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

If using a router, you also need to reset it with a strong logon/password before connecting again. Consult these links to find out the default username and password for your router, and write down that information so it is available when doing the reset. These are general instructions for how to reset a router:
  • Unplug or turn off your DSL/cable modem.
  • Locate the router's reset button.
  • Press, and hold, the Reset button down for 30 seconds.
  • Wait for the Power, WLAN and Internet light to turn on (on the router).
  • Plug in or turn on your modem (if it is separate from the router).
  • Open your web browser to see if you have an Internet connection.
  • If you don't have an Internet connection you may need to restart your computer.
For more specific information on your particular model, check the owner's manual. If you do not have a manual, look for one on the vendor's web site which you can download and keep for future reference.

Edited by quietman7, 28 July 2011 - 09:34 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#6 Noney
Topic Starter

Posted 28 July 2011 - 12:17 PM

Thanks quietman7. Very good advice.

Question:
How do you determine if a computer is clean?

Surely if a rogue was trying to steal sensitive data, they would not
want their malware exhibiting obvious symptoms like redirecting pages?

At what point will I be able to trust a computer that has been infected?

#7 quietman7
Global Moderator

Posted 28 July 2011 - 12:32 PM

There are no guarantees or shortcuts when it comes to malware removal. Infections and severity of damage will vary. The longer malware remains on your system, the more time it has to download additional malicious files. Depending on the infection, especially when dealing with backdoor Trojans and rootkits, it may take several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous and security tools may not find all the remnants.

This is the pertinent section of your log which indicates a TDSS rootkit infected the Master Boot Record (MBR) on your computer and that it will be cured after reboot.

\Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

This particular malware alters the MBR of the system drive to ensure persistent execution of malicious code. Essentially, it overwrites the MBR of the hard disk with its own code and stores a copy of the original MBR at another sector, using rootkit techniques to hide itself. For more specific analysis and explanation of the infection and its history, please refer to:
We can only go by what the scan logs show (what was detected/removed) and your description of whatever signs or symptoms of infection you are experiencing.

If you want a more detailed look at your system, then more advanced tools are needed to investigate. Before that can be done you will need to follow the instructions in the Preparation Guide and post a DDS log for further investigation in the Virus, Trojan, Spyware, and Malware Removal Logs forum.
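The reply above describes what the TDL4 rootkit does to sector 0: it replaces the boot code, keeps the partition table so Windows still boots, and parks its own data (including the saved original MBR) in unpartitioned space at the end of the disk. The script below is an added example, not from the thread or from TDSSKiller, of how a responder can check a dumped MBR against a trusted copy region by region and flag those indicators. All disk images in it are constructed in-line (no real disk is read), the 16 MiB unpartitioned-tail threshold is an assumption, and a real check would dump sector 0 with a tool such as dd and pass the bytes to check_mbr().

```python
"""Added example (not from the thread): compare a dumped MBR with a trusted copy.

TDL4 overwrites the 446-byte boot code in sector 0 with its own loader and
leaves the partition table intact so Windows still boots; its hidden file
system and the saved original MBR live in unpartitioned space at the end of
the disk. The dumps below are constructed in-line; nothing touches a real
disk. To check a real drive, dump sector 0 (e.g. with dd) and pass it in.
"""
from __future__ import annotations

import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0-445: boot code
PART_TABLE_OFF = 446         # bytes 446-509: four 16-byte partition entries
SIGNATURE_OFF = 510          # bytes 510-511: 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"
TAIL_THRESHOLD = 32768       # assumption: > 16 MiB of unpartitioned tail is worth a look


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr: bytes, baseline: bytes, disk_sectors: int) -> list[str]:
    """Return findings for `mbr` against a trusted `baseline`; [] means clean."""
    if len(mbr) != MBR_SIZE:
        return [f"MBR dump is {len(mbr)} bytes, expected {MBR_SIZE}"]
    findings = []
    if mbr[SIGNATURE_OFF:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    # Region-by-region comparison: TDL4 changes the first region, not the second.
    if mbr[:BOOT_CODE_LEN] != baseline[:BOOT_CODE_LEN]:
        digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
        findings.append(f"boot code differs from baseline (sha256 {digest[:16]}...)")
    if mbr[PART_TABLE_OFF:SIGNATURE_OFF] != baseline[PART_TABLE_OFF:SIGNATURE_OFF]:
        findings.append("partition table differs from baseline")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] and p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']}: extends past end of disk")
    # Unpartitioned space after the last partition is where TDL4 keeps its data.
    used = [p["lba_start"] + p["sectors"] for p in parts if p["type"]]
    tail = disk_sectors - max(used, default=0)
    if tail > TAIL_THRESHOLD:
        findings.append(f"{tail} unpartitioned sectors at end of disk (hidden data?)")
    return findings


def build_mbr(boot_code: bytes, partitions: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a test MBR from boot code and (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed sample data: a 2,000,000-sector disk with one bootable NTFS partition.
DISK_SECTORS = 2_000_000
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 63, 1_999_000)])
INFECTED_MBR = build_mbr(b"fake TDL4 loader", [(0x80, 0x07, 63, 1_999_000)])
SHRUNK_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 63, 1_000_000)])

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR), ("shrunk", SHRUNK_MBR)):
        print(label, check_mbr(dump, CLEAN_MBR, DISK_SECTORS) or ["no findings"])
```

The baseline can be a dump taken from the same disk when it was known to be clean, or the MBR that TDSSKiller restored after the cure; a boot-code mismatch with an unchanged partition table is exactly the TDL4 pattern the reply describes.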

#8 Noney
Topic Starter

Posted 28 July 2011 - 12:41 PM

Thanks again.

I have another quick question concerning IE browser add-ons.

Is there a way to remove them? I see how to disable them, but I would like to selectively remove them.

#9 quietman7
Global Moderator

Posted 28 July 2011 - 12:49 PM

Many toolbars and Add-ons come bundled with other software and can be removed via Add/Remove Programs in Control Panel or Programs and Features in Vista/Windows 7 so check there first.

If you're using Firefox, please refer to:

#10 Noney
Topic Starter

Posted 28 July 2011 - 02:43 PM

Score one for msert.

This sucks I will never be able to trust this install again.

Just ran Microsoft Safety Scanner and it found:
Trojan:Win32/Wimpixo.F

MBAM, SAS and others did not find it.

#11 quietman7
Global Moderator

Posted 28 July 2011 - 02:47 PM

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. Just because one anti-virus detected threats that another missed does not mean it's more effective. The security community is in a constant state of change as new infections appear, and it takes time for them to be reported, samples collected, analyzed, and tested by anti-virus vendors. Security vendors use different scanning engines and different detection methods such as heuristic analysis or behavioral analysis, which can account for discrepancies in scanning outcomes. How often the anti-virus database is updated can also account for differences in threat detections.

Further, each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense, safe computing and safe surfing habits provides the most complete protection.

#12 Noney
Topic Starter

Posted 28 July 2011 - 02:57 PM

Agreed. Did not mean to imply otherwise. And really appreciate you and this forum and all the good tools fighting the good fight!

In my Control Panel (Add/Remove Programs) I have an entry for "Tango". If I click to try to remove the application, it tries to open a URL which MBAM blocks (yay MBAM); however, I cannot get rid of this entry. I seem to remember a PowerToy that would remove the entry. Is it still around? And is this a worthy exercise?

Update: TweakUI PowerToys no longer contains this feature. Why? idk
But I was able to eliminate the entry from the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


Thank you.

I have yet another question.

when running Security Check...
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
ESET Online Scanner v3
Symantec AntiVirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````End of Log````````````

Is this telling me that my Java is out of date? I just installed it, and the Java site says that it is current.

and

Is Running Windows Security Center recommended?

Edited by Noney, 28 July 2011 - 05:14 PM.


#13 quietman7
Global Moderator

Posted 28 July 2011 - 06:45 PM

But I was able to eliminate the entry from the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

I was about to post these instructions from Microsoft for doing that.


Is this telling me that my Java is out of date ?? I just installed it. and the Java Site says that it is current.

Java was just updated to SE 7 JRE. See here.


Is Running Windows Security Center recommended?

A disabled Windows Security Center does not necessarily mean malware.

Some anti-virus vendors (e.g. McAfee, ESET, Norton/Symantec) allow their programs to manage the Security Center by default so it has complete control in order to prevent conflicts and duplicate warnings. This management action is normally taken during installation and many users are unaware of this fact.

For example, NOD32 manages the Security Center by default and provides an orange alert icon when Windows updates are available. See these ESET Knowledgebase articles:
In order to take full control and management, the anti-virus makes changes to certain registry keys related to the Security Center. As a result of these registry key modifications, some security tools (e.g. Malwarebytes, Spybot, and others) will detect those changes and let you know the Security Center has been disabled.

Check your Symantec anti-virus settings or read the vendor's user guide for information about Security Center Management.
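The reply above touches two registry questions from this thread: the leftover Uninstall entry whose "remove" action only opened a web page, and the difference between a Security Center that an anti-virus product has taken over and one that is actually switched off. The script below is an added example, not from the thread or from any of the tools mentioned, of read-only checks for both. The Security Center value names (AntiVirusDisableNotify, FirewallDisableNotify, UpdatesDisableNotify, AntiVirusOverride, FirewallOverride) and the wscsvc service Start values are the XP-era ones and should be confirmed against your own build; the Uninstall entries and Security Center values in the sample data are constructed, and read_live() only runs on Windows.

```python
"""Added example (not from the thread): two read-only registry checks.

1. Uninstall entries whose UninstallString launches a URL rather than a local
   uninstaller, which is how the thread's "Tango" entry behaved.
2. Security Center state, separating "an AV vendor manages the notifications"
   (the *DisableNotify / *Override values set, wscsvc still starts) from
   "the service is actually disabled" (wscsvc Start=4 or key missing).

On Windows, read_live() pulls the data from the local registry via winreg;
elsewhere the constructed samples below are used. The value names are the
XP-era Security Center names; confirm them against your own build.
"""
from __future__ import annotations

import re
import sys

UNINSTALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
WSC_KEY = r"SOFTWARE\Microsoft\Security Center"
WSC_SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\wscsvc"
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")
OVERRIDE_VALUES = ("AntiVirusOverride", "FirewallOverride")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
SERVICE_DISABLED = 4   # Start value meaning "Disabled" (2 = Automatic, 3 = Manual)


def suspicious_uninstall_entries(entries: dict[str, str]) -> list[str]:
    """entries maps Uninstall subkey name -> UninstallString; return the names
    whose uninstall command contains a URL (a web page instead of an uninstaller)."""
    return [name for name, cmd in entries.items() if cmd and URL_RE.search(cmd)]


def assess_security_center(values: dict[str, int], service_start: int | None) -> tuple[str, list[str]]:
    """Return (verdict, notes); verdict is 'disabled', 'vendor-managed' or 'default'."""
    notes = []
    if service_start is None:
        notes.append("wscsvc service key missing")
    elif service_start == SERVICE_DISABLED:
        notes.append("wscsvc Start=4 (Disabled)")
    for name in NOTIFY_VALUES + OVERRIDE_VALUES:
        if values.get(name) == 1:
            notes.append(f"{name}=1")
    if service_start in (None, SERVICE_DISABLED):
        return "disabled", notes          # Security Center cannot run at all
    if notes:
        return "vendor-managed", notes    # running, but a product suppressed its alerts
    return "default", notes


def read_live() -> tuple[dict[str, str], dict[str, int], int | None]:
    """Windows only: read the same data from HKLM (never writes)."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    entries: dict[str, str] = {}
    with winreg.OpenKey(hklm, UNINSTALL_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, name) as sub:
                    entries[name] = winreg.QueryValueEx(sub, "UninstallString")[0]
            except OSError:          # no UninstallString on this entry
                pass
    values: dict[str, int] = {}
    try:
        with winreg.OpenKey(hklm, WSC_KEY) as key:
            for name in NOTIFY_VALUES + OVERRIDE_VALUES:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:
                    pass
    except OSError:                  # key absent on this build
        pass
    try:
        with winreg.OpenKey(hklm, WSC_SERVICE_KEY) as key:
            start = winreg.QueryValueEx(key, "Start")[0]
    except OSError:
        start = None
    return entries, values, start


# Constructed samples standing in for a live registry.
SAMPLE_UNINSTALL = {
    "CCleaner": r'"C:\Program Files\CCleaner\uninst.exe"',
    "Tango": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://example.invalid/uninstall',
}
SAMPLE_WSC_VALUES = {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 0}
SAMPLE_WSC_START = 2

if __name__ == "__main__":
    if sys.platform == "win32":
        entries, values, start = read_live()
    else:
        entries, values, start = SAMPLE_UNINSTALL, SAMPLE_WSC_VALUES, SAMPLE_WSC_START
    print("uninstall entries opening a URL:", suspicious_uninstall_entries(entries))
    print("Security Center:", assess_security_center(values, start))
```

A "vendor-managed" verdict with the anti-virus still running is the benign case the reply describes; "disabled" with no anti-virus product claiming the Security Center is the one worth investigating, and an Uninstall entry that only opens a URL is a candidate for deletion under the key quoted above.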

#14 Noney
Topic Starter

Posted 06 August 2011 - 11:19 AM

Thanks for all the help.

This post may be closed now

#15 quietman7
Global Moderator

Posted 06 August 2011 - 11:26 AM

You're welcome on behalf of the Bleeping Computer community.