
Outgoing IP blocked by Malwarebytes Anti-Malware


This topic is locked
10 replies to this topic

#1 Sadface576


Posted 15 May 2012 - 03:54 AM

Hello, I am new here. Several days ago I noticed I was being blocked from certain pages because it was suspected that I had malware, and it turned out to be true. So I downloaded Malwarebytes Anti-Malware, restarted in safe mode, and ran all the possible scans. It found and deleted about 5 infections, 2 of them with the name Packer Kruncky and the others being PUP. Anyway, I quarantined them and then deleted them.

After a day or two I saw outgoing IPs being blocked by Malwarebytes when I was playing TF2, searching for servers and also when I was playing, but only when TF2 was open.

This morning Malwarebytes did not block any outgoing IP addresses whatsoever, no matter how hard I tried to replicate the results of last night. What exactly does this indicate?

I have a log with all the blocked IPs, if you need it.

Anyway, I see it always blocks the same IPs, over and over. I am really scared that someone is trying to hijack my Steam account, so I need some help ASAP.

Also, should I change all my passwords and stop connecting this laptop to the internet until this problem is solved?

Edited by Sadface576, 15 May 2012 - 12:05 PM.




#2 nasdaq


Posted 17 May 2012 - 08:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Please just paste the contents of the DDS.txt log in your next post.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#3 Sadface576


Posted 17 May 2012 - 01:18 PM

Here's some logs:

DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Admin at 21:13:16 on 2012-05-17
Microsoft Windows XP Professional 5.1.2600.3.1250.40.1033.18.3067.2374 [GMT 3:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\IObit\Game Booster 3\gbtray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ro/
mStart Page = about:blank
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 193.231.100.130 193.231.100.134
TCP: Interfaces\{67BF6AE8-4400-4E52-B0A5-B4AE40DD468F} : DhcpNameServer = 193.231.100.130 193.231.100.134
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mm\application data\mozilla\firefox\profiles\85svomcv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\mm\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader\browser\nppdf32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-13 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-13 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-13 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-13 44768]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-2-28 1373576]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-13 654408]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2012-4-1 99856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-13 22344]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-8-9 51160]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-8-9 43736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-3-28 1684736]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2010-4-11 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2010-4-11 12672]
S3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\drivers\steth.sys [2010-4-11 40320]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\iobit\game booster 3\driver\WinRing0.sys [2012-5-8 14416]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
=============== Created Last 30 ================
.
2012-05-14 15:17:35 -------- d-sha-r- C:\cmdcons
2012-05-13 12:59:01 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-13 12:59:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-13 12:51:08 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-05-13 12:51:08 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-13 12:45:58 -------- d-----w- c:\program files\LogMeIn Hamachi
2012-05-13 08:44:33 -------- d-----w- c:\documents and settings\mm\application data\Malwarebytes
2012-05-13 08:44:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-08 17:46:02 -------- d-----w- c:\documents and settings\mm\application data\LS
2012-05-05 04:52:31 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-29 10:59:45 -------- d-----w- c:\program files\Terraria
2012-04-28 14:01:22 -------- d-----w- c:\program files\Mount&Blade Warband
2012-04-18 21:04:07 -------- dc----w- c:\program files\common files\Java(2)
.
==================== Find3M ====================
.
2012-05-17 17:25:11 2874 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-05-05 11:03:45 99856 ----a-w- c:\windows\system32\drivers\AtihdXP3.sys
2012-05-05 04:52:18 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 20:19:07 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 20:19:07 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
============= FINISH: 21:15:17.82 ===============


Security Check:
Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player 11.2.202.235
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (12.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````

#4 nasdaq


Posted 17 May 2012 - 03:53 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

#5 Sadface576


Posted 18 May 2012 - 01:51 AM

Your post has "default procedures" written all over it. If you read my first post, you would have already known that I already have Malwarebytes and have already run a couple of scans and removed a number of threats, although not all, as it seems.

Here's the log of a quick scan in safe mode that I ran just to be sure that the virus cannot fight back:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.17.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
:: M [administrator]

Protection: Disabled

5/17/2012 9:05:27 PM
mbam-log-2012-05-17 (21-05-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244134
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I also have logs from a number of full scans, also in safe mode, but I'll wait for you to ask for them.


Combofix log:

ComboFix 12-05-14.02 - Admin 05/14/2012 18:18:43.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1250.40.1033.18.3067.2661 [GMT 3:00]
Running from: c:\documents and settings\All Users\Documents\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\MM\Application Data\PriceGong
c:\documents and settings\MM\Application Data\PriceGong\Data\1.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\a.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\b.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\c.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\d.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\e.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\f.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\g.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\h.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\i.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\J.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\k.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\l.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\m.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\n.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\o.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\p.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\q.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\r.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\s.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\t.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\u.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\v.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\w.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\x.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\y.xml
c:\documents and settings\MM\Application Data\PriceGong\Data\z.xml
c:\windows\system32\Desktop_.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-04-14 to 2012-05-14 )))))))))))))))))))))))))))))))
.
.
2012-05-13 12:59 . 2012-05-13 12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-13 12:59 . 2012-04-04 12:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-13 12:51 . 2012-05-13 12:51 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-18 21:04 . 2012-04-19 08:34 -------- dc----w- c:\program files\Common Files\Java(2)
2012-04-17 16:54 . 2012-04-17 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hi-Rez Studios
2012-04-17 16:54 . 2012-04-19 10:14 -------- d-----w- c:\program files\Hi-Rez Studios
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-14 15:15 . 2011-02-05 07:06 2874 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-05-05 11:03 . 2012-04-01 06:00 99856 ----a-w- c:\windows\system32\drivers\AtihdXP3.sys
2012-05-05 04:52 . 2011-08-31 10:08 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 20:19 . 2012-04-03 15:03 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 20:19 . 2011-08-20 07:47 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-06 23:15 . 2011-05-13 13:17 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:15 . 2011-05-13 13:17 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-06 23:03 . 2011-05-13 13:17 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:03 . 2011-05-13 13:18 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-06 23:02 . 2011-05-13 13:18 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-06 23:01 . 2011-05-13 13:17 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-06 23:01 . 2011-05-13 13:17 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-06 23:01 . 2011-05-13 13:17 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-06 23:01 . 2011-05-13 13:18 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 22:58 . 2011-05-13 13:17 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-04-21 01:19 . 2012-05-13 15:15 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-02-28 1987976]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 08:07 843712 -c--a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 20:51 37296 -c--a-w- c:\program files\Adobe\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-02-18 12:49 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ---ha-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2011-05-02 09:25 724536 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-08-04 12:01 18702336 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"YahooAUService"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ServiceLayer"=3 (0x3)
"npggsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"d:\\Pirate's Chest\\Assassins Creed 2 Final Crack\\offlineserver-v0.44\\server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Terraria\\TerrariaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"d:\\Pirate's Chest\\Borderlands(DIRECT PLAY with all 4 DLC's)\\Borderlands(DIRECT PLAY with all 4 DLC's)\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\EA Games\\Kingdoms of Amalur Reckoning\\Reckoning.exe"=
"d:\\Steam\\Steam.exe"=
"d:\\Steam\\steamapps\\andri474\\team fortress 2\\hl2.exe"=
"d:\\Steam\\steamapps\\common\\amd driver updater, xp, 32 bit\\Setup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [02.02.2010 22:02 717296]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [28.02.2012 18:38 1373576]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [09.08.2009 22:35 51160]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [09.08.2009 22:35 43736]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [13.05.2011 16:17 612184]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [13.05.2011 16:18 337880]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13.05.2011 16:18 20696]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18.03.2010 13:16 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [13.05.2012 15:59 654408]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03.04.2012 18:03 257696]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [28.03.2012 07:58 1684736]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [01.04.2012 09:00 99856]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13.05.2012 15:59 22344]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [11.04.2010 16:25 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [11.04.2010 16:25 12672]
S3 STETH;SpeedTouch Ethernet Adapter NT Driver;c:\windows\system32\drivers\steth.sys [11.04.2010 16:25 40320]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\IObit\Game Booster 3\Driver\WinRing0.sys [08.05.2012 10:44 14416]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18.03.2010 13:16 753504]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 20:19]
.
2012-05-14 c:\windows\Tasks\Game_Booster_AutoUpdate.job
- c:\program files\IObit\Game Booster 3\AutoUpdate.exe [2012-04-11 14:57]
.
2012-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1897051121-725345543-1003Core.job
- c:\documents and settings\MM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-19 08:44]
.
2012-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1897051121-725345543-1003UA.job
- c:\documents and settings\MM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-19 08:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ro/
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\MM\Application Data\Mozilla\Firefox\Profiles\85svomcv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-ccleaner - c:\program files\CCleaner\CCleaner.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\UIU32m.exe
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\unyt_wrap.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-14 18:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-1897051121-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
[HKEY_USERS\S-1-5-21-1409082233-1897051121-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:47,a8,c2,c0,19,1e,5a,2f,18,5c,cf,94,b7,bc,b1,f3,74,96,dc,c9,77,f3,41,
c1,55,a6,00,a2,3d,ce,6e,7e,f1,ff,63,0c,3c,11,e6,7c,28,d4,65,fc,72,b2,66,c6,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
[HKEY_USERS\S-1-5-21-1409082233-1897051121-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:22,e9,bc,25,90,9f,cd,d9,ca,b2,84,90,0d,c4,33,af,57,94,73,ca,13,
d9,b6,f0,3f,50,7f,0f,1b,54,9c,18,55,88,a1,89,94,dc,cd,cc,1c,3c,c4,b9,5e,3f,\
"rkeysecu"=hex:65,b5,c0,e0,2c,f1,96,01,22,46,2f,a4,2a,9b,2d,f7
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-05-14 18:26:28
ComboFix-quarantined-files.txt 2012-05-14 15:26
.
Pre-Run: 48,299,868,160 bytes free
Post-Run: 57,188,306,944 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut
.
- - End Of File - - 02F1A89CB9A2439C91F2E20ECDCBE36D

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 PM

Posted 18 May 2012 - 08:37 AM

The ComboFix is clean.

Your post has "default procedures" written all over it. If you read my first post, you would have already known that I already have Malwarebytes and already ran a couple of scans and removed a number of threats, although not all, as it seems.

Sarcasm will get you nowhere. All you had to do is post your log.


Internet Explorer 6 Out of date!

For your added security you should update to IE 7. When it is installed and all is well, I suggest you get IE8.
The old versions of IE that are installed, even if you do not use them on a regular basis, are vulnerable to infection.
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.
===

This morning Malwarebytes did not block any outgoing IP addresses whatsoever, no matter how hard I tried to replicate the results of last night. What exactly does this indicate?


Please let me know the IP address. Will check it out.
Is this still occurring or has it stopped?

===

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

As for your password you decide if you want to change them.

Please let me know what problem persists.

#7 Sadface576

Sadface576
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:Middle of Nowhere
  • Local time:08:46 PM

Posted 18 May 2012 - 01:46 PM

Sorry about the, uh, sarcasm. I know you aren't paid staff so I should cut you some slack. Thanks for helping me out and all that.

ESET Online Scanner log:
None. There is no List of found threats log. Nothing to click but Uninstall. Why is that?
Also there were no threats found. I have no choice but to click finish and go to sleep.

I have some blocked IPs. For you:

Day 1:
2012/05/14 09:08:17 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 09:08:20 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/14 09:08:22 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/14 09:09:13 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/14 09:09:13 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
Sometime later....
2012/05/14 19:24:58 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 19:24:59 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 19:25:05 +0300 M Andrei IP-BLOCK 213.251.176.113 (Type: outgoing)
2012/05/14 19:25:08 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 19:25:08 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 19:25:09 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 19:25:11 +0300 M Andrei IP-BLOCK 46.249.51.229 (Type: outgoing)
2012/05/14 19:25:12 +0300 M Andrei IP-BLOCK 89.28.100.197 (Type: outgoing)
2012/05/14 19:25:13 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/14 19:25:13 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/14 19:25:13 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/14 19:25:13 +0300 M Andrei IP-BLOCK 83.222.109.45 (Type: outgoing)
2012/05/14 19:25:13 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/14 19:25:14 +0300 M Andrei IP-BLOCK 83.222.109.45 (Type: outgoing)
2012/05/14 19:25:14 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/14 19:25:14 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/14 19:25:15 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/14 19:25:15 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/14 19:25:18 +0300 M Andrei IP-BLOCK 222.73.230.106 (Type: outgoing)
2012/05/14 19:27:22 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 19:27:22 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 19:27:29 +0300 M Andrei IP-BLOCK 213.251.176.113 (Type: outgoing)
2012/05/14 19:27:32 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 19:27:32 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 19:27:32 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 19:27:35 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/14 19:27:35 +0300 M Andrei IP-BLOCK 46.249.51.229 (Type: outgoing)
2012/05/14 19:27:36 +0300 M Andrei IP-BLOCK 89.28.100.197 (Type: outgoing)
2012/05/14 19:27:37 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/14 19:27:37 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/14 19:27:37 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/14 19:27:38 +0300 M Andrei IP-BLOCK 83.222.109.45 (Type: outgoing)
2012/05/14 19:27:38 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/14 19:27:38 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/14 19:27:38 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/14 19:27:39 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/14 19:27:39 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/14 19:27:42 +0300 M Andrei IP-BLOCK 222.73.230.106 (Type: outgoing)
2012/05/14 19:52:42 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 19:52:42 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 19:52:42 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 19:52:49 +0300 M Andrei IP-BLOCK 213.251.176.113 (Type: outgoing)
2012/05/14 19:52:52 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 19:52:52 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 19:52:53 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 19:52:55 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/14 19:52:55 +0300 M Andrei IP-BLOCK 46.249.51.229 (Type: outgoing)
2012/05/14 19:52:57 +0300 M Andrei IP-BLOCK 89.28.100.197 (Type: outgoing)
2012/05/14 19:52:57 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/14 19:52:57 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/14 19:52:57 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/14 19:52:58 +0300 M Andrei IP-BLOCK 83.222.109.45 (Type: outgoing)
2012/05/14 19:52:58 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/14 19:52:58 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/14 19:52:59 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/14 19:52:59 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/14 21:21:50 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 21:21:50 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 21:21:50 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)

Day 2:
2012/05/15 19:54:01 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 19:54:01 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 19:54:01 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 19:54:10 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 19:54:10 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 19:54:10 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 19:54:10 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 19:54:10 +0300 M Andrei IP-BLOCK 95.154.250.150 (Type: outgoing)
2012/05/15 19:54:14 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/15 19:54:14 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/15 19:54:14 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/15 19:54:15 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/15 19:54:15 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/15 19:54:15 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/15 19:54:15 +0300 M Andrei IP-BLOCK 83.222.109.45 (Type: outgoing)
2012/05/15 19:54:16 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/15 19:54:31 +0300 M Andrei IP-BLOCK 74.118.193.18 (Type: outgoing)
2012/05/15 20:00:14 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 20:00:14 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 20:00:14 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 20:00:23 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 20:00:23 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 20:00:23 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 20:00:23 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 20:00:23 +0300 M Andrei IP-BLOCK 95.154.250.150 (Type: outgoing)
2012/05/15 20:00:26 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/15 20:00:27 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/15 20:00:27 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/15 20:00:27 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/15 20:00:27 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/15 20:00:28 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/15 20:00:28 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/15 20:00:28 +0300 M Andrei IP-BLOCK 83.222.109.45 (Type: outgoing)
2012/05/15 20:00:29 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/15 20:00:29 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/15 20:00:46 +0300 M Andrei IP-BLOCK 74.118.193.18 (Type: outgoing)
2012/05/15 20:02:54 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 20:02:54 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 20:02:55 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 20:03:04 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 20:03:04 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 20:03:04 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)

Day 3:
2012/05/16 20:46:47 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/16 20:46:48 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/16 20:46:58 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/16 20:46:58 +0300 M Andrei IP-BLOCK 95.154.250.150 (Type: outgoing)
2012/05/16 20:46:58 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/16 20:46:58 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/16 20:46:59 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/16 20:47:01 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/16 20:47:01 +0300 M Andrei IP-BLOCK 93.190.140.205 (Type: outgoing)
2012/05/16 20:47:01 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/16 20:47:03 +0300 M Andrei IP-BLOCK 89.28.100.197 (Type: outgoing)
2012/05/16 20:47:03 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/16 20:47:03 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/16 20:47:03 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/16 20:47:04 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/16 20:47:04 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/16 20:47:04 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/16 20:47:04 +0300 M Andrei IP-BLOCK 83.222.109.45 (Type: outgoing)
2012/05/16 20:47:05 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/16 20:47:05 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/16 20:47:06 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)

Day 4, WHILE SURFING THE WEB, this time I was not playing any video games:
2012/05/17 20:53:53 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:53:56 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:02 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:14 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:16 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:17 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:19 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:23 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:25 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:37 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:40 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:46 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
Later that day....
2012/05/17 21:35:26 +0300 M Andrei IP-BLOCK 89.28.100.197 (Type: outgoing)
2012/05/17 21:35:26 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/17 21:35:26 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/17 21:35:29 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/17 21:35:29 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/17 21:35:29 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/17 21:35:30 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/17 21:35:40 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/17 21:35:42 +0300 M Andrei IP-BLOCK 213.246.38.82 (Type: outgoing)
2012/05/17 21:35:42 +0300 M Andrei IP-BLOCK 213.251.176.113 (Type: outgoing)
2012/05/17 21:35:45 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/17 21:35:45 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/17 21:35:45 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/17 21:35:45 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/17 21:35:45 +0300 M Andrei IP-BLOCK 109.236.86.140 (Type: outgoing)
2012/05/17 21:35:49 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/17 21:35:49 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)

Day 5(today):
2012/05/18 11:10:37 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/18 11:10:39 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/18 11:10:47 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/18 11:10:47 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/18 11:10:49 +0300 M Andrei IP-BLOCK 93.190.140.205 (Type: outgoing)
2012/05/18 11:10:51 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/18 13:35:43 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/18 13:35:45 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/18 13:35:45 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/18 13:35:45 +0300 M Andrei IP-BLOCK 83.222.109.45 (Type: outgoing)
2012/05/18 13:35:46 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/18 13:35:46 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/18 13:35:46 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/18 13:35:46 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/18 13:35:49 +0300 M Andrei IP-BLOCK 222.73.230.106 (Type: outgoing)
2012/05/18 13:35:56 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/18 13:35:56 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/18 13:48:04 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/18 13:48:04 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/18 13:48:06 +0300 M Andrei IP-BLOCK 217.199.218.178 (Type: outgoing)
2012/05/18 13:48:06 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
2012/05/18 13:48:07 +0300 M Andrei IP-BLOCK 83.222.109.43 (Type: outgoing)
2012/05/18 13:48:10 +0300 M Andrei IP-BLOCK 222.73.230.106 (Type: outgoing)
2012/05/18 13:48:17 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/18 13:48:17 +0300 M Andrei IP-BLOCK 95.154.250.150 (Type: outgoing)
2012/05/18 13:48:17 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/18 13:48:18 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/18 13:48:23 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/18 16:17:27 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/18 16:17:28 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/18 16:17:28 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)

They seem to repeat themselves, to some degree. Is this Malwarebytes interfering with Steam? Because 90% of the time it blocks IPs while I play TF2.

There was once when Malwarebytes blocked a single IP address, again and again, while I was viewing a web page and not playing video games. Steam was still open. And it still scared me. The log is in Day 4.
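
An added example (my code, not from the thread, Malwarebytes or Steam) that parses IP-BLOCK lines in the format posted above and answers the two triage questions raised in this post: which destinations recur across days, and whether each cluster of blocks is a fan-out to several hosts within seconds (what a server-browser refresh looks like) or one host hit repeatedly. Naming the two tokens before IP-BLOCK "host" and "user", the 60-second burst gap, and the fan-out/repeat labels are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One protection-log line in the format posted in this thread:
#   2012/05/14 09:08:17 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
# Naming the two tokens before IP-BLOCK "host" and "user" is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>(?:\d{1,3}\.){3}\d{1,3}) "
    r"\(Type: (?P<direction>\w+)\)$"
)

# Sample input: lines copied from the log posted above, plus one of the
# poster's interstitial comments to show that non-log lines are skipped.
SAMPLE_LOG = """\
2012/05/14 09:08:17 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/14 09:08:20 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/14 09:09:13 +0300 M Andrei IP-BLOCK 217.199.218.183 (Type: outgoing)
Sometime later....
2012/05/14 19:24:58 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/14 19:25:08 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 19:54:01 +0300 M Andrei IP-BLOCK 88.86.119.233 (Type: outgoing)
2012/05/15 19:54:10 +0300 M Andrei IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/05/15 19:54:14 +0300 M Andrei IP-BLOCK 91.211.116.14 (Type: outgoing)
2012/05/17 20:53:53 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:53:56 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
2012/05/17 20:54:02 +0300 M Andrei IP-BLOCK 89.28.48.132 (Type: outgoing)
"""

def parse_line(line):
    """Return a dict for one IP-BLOCK line, or None for any other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S %z")
    return ev

def parse_log(text):
    """Parse every IP-BLOCK line in a pasted log, oldest first."""
    events = [ev for ev in map(parse_line, text.splitlines()) if ev]
    return sorted(events, key=lambda e: e["ts"])

def summarize(events):
    """Per destination: how many blocks, and on which calendar days (ISO)."""
    acc = defaultdict(lambda: {"count": 0, "days": set()})
    for e in events:
        acc[e["ip"]]["count"] += 1
        acc[e["ip"]]["days"].add(e["ts"].date().isoformat())
    return {ip: {"count": s["count"], "days": sorted(s["days"])} for ip, s in acc.items()}

def bursts(events, gap_seconds=60):
    """Split chronologically sorted events into groups separated by > gap_seconds."""
    groups, gap = [], timedelta(seconds=gap_seconds)
    for e in events:
        if groups and e["ts"] - groups[-1][-1]["ts"] <= gap:
            groups[-1].append(e)
        else:
            groups.append([e])
    return groups

def describe_burst(burst):
    """Heuristic label (assumption of this example): 'fan-out' = 3+ distinct hosts
    within the gap, as a server-browser refresh produces; 'repeat' = one host only."""
    ips = sorted({e["ip"] for e in burst})
    kind = "fan-out" if len(ips) >= 3 else "repeat" if len(ips) == 1 else "mixed"
    return {"kind": kind, "start": burst[0]["ts"], "end": burst[-1]["ts"], "ips": ips}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in sorted(summarize(evs).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:<16} blocked {s['count']}x on {', '.join(s['days'])}")
    for b in bursts(evs):
        print(describe_burst(b))
```

Paste the full Day 1 to Day 5 log into SAMPLE_LOG to see the same small set of destinations recur in fan-out bursts whenever the server list refreshes, while the Day 4 89.28.48.132 sequence shows up as a single-host repeat.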

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 PM

Posted 19 May 2012 - 07:14 AM

ESET Online Scanner log:
None. There is no List of found threats log. Nothing to click but Uninstall. Why is that?
Also there were no threats found. I have no choice but to click finish and go to sleep.


Nothing bad was found. It would have been removed automatically.

===

95.154.250.105 belongs to Game: Team Fortress 2 Browse: Team Fortress 2 Servers
Address: 95.154.250.105 Port: 27022 Status: Alive
http://www.gametracker.com/server_info/95.154.250.105:27022/
===

I searched Google for the other IP addresses and all are associated with TF.


For your information read this topic.
http://forums.malwarebytes.org/index.php?showtopic=109053

Your logs are clean.

If you need more information on the IPs you may want to contact TF. These games normally have a forum.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

#9 Sadface576

Sadface576
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:Middle of Nowhere
  • Local time:08:46 PM

Posted 19 May 2012 - 11:53 AM

Combofix is removed and all is well. So I'm clean then? Finally some good news.

Also, should I get rid of Malwarebytes now? I don't have money to pay for full protection because of the horrendous exchange rates, and it's using up a lot of system resources, even if I disable it. And I do feel pretty safe with just Avast and my limited access account. Can you tell me how much malware and other viruses can affect me while being on a limited access account?

And thanks for all your help!

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 PM

Posted 19 May 2012 - 01:26 PM

Also should I get rid of Malwarebytes now?

Your call. You can download a fresh free copy if you feel you need to run it.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,502 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:46 PM

Posted 25 May 2012 - 10:30 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.


