Outgoing Processes repeatedly actively blocked by Malwarebytes



#1 brseavey


Posted 23 March 2015 - 09:30 AM

But running a Malwarebytes scan detects nothing. Running FSS, JRT, AdwCleaner haphazardly detects nothing and doesn't fix.

Running on a Dell Latitude E5530 with Windows 7.

I've seen similar complaints on bleeping, but the fixes came with a warning that they are computer-specific and not to use on a different computer.

Malwarebytes pops up a window that says "Malicious Website Blocked" and lists “Domain”, IP, Port, and Process.

I've tried to capture these before it disappears and present a chart below.

I see 2 generalizations:

  1. The IP is often *.184.194.* but there are exceptions.
  2. In almost all cases the process infected is SysWOW64\dllhost.exe. The exceptions are from:
     a) ccbidder.tvlmedia infected in dllhost3g.exe or dpnsvr.exe or …...
     b) [ ] (that is, no host named) msfeedsync.exe or NAPSTAT.exe or cmmon32.exe......
     c) feednextadnet.com

 

 

 

I am now rearranging the format of how it is reported, trying to find correlations.

Domain                  IP               Port    Process

c71585.com              31.184.194.6     58741   SysWOW64\dllhost.exe
“                       “                65337
“                       “                54273
“                       “                54321
“                       “                54377
“                       “                57611   SysWOW64\dllhost.exe
“                       “                58745

I got tired of typing ditto

e99677a.                31.184.192.92    54204   SysWOW64\dllhost.exe
                                         63436
                                         64863
                                         52984
                                         61863

ff1493.com              31.184.194.116   63586   SysWOW64\dllhost.exe
                                         53204
                                         49781
                                         53779

[ ]                     31.184.194.37    65412   SysWOW64\dllhost.exe
                                         51930
                                         59404
                                         52242
                                         59404
                                         52769
                                         51995

[ ]                     184.164.143.90           msfeedsync
                                                 NAPSTAT.exe
                                                 cmmon32.exe

ccbidder.tlvmedia.com   184.173.133.94           dllhost3g
                                                 dpnsvr.exe
                                                 dllhost.exe

feednextadnet.com


Edited by hamluis, 23 March 2015 - 10:11 AM.
Moved from Win 7 to Am I Infected - Hamluis.
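The correlation the poster did by hand (many blocks from one process to hosts in the same /24) can be automated. This is an added example, not code from the thread or from Malwarebytes; the event records are constructed from values quoted in the first post, and the "Malicious Website Blocked" fields are modelled as a simple dataclass rather than any real Malwarebytes log format.

```python
# Added example: group Malwarebytes "Malicious Website Blocked" events by
# (process, /24 network) and flag a process that is repeatedly blocked while
# reaching several different hosts in one network, the pattern the poster saw
# for SysWOW64\dllhost.exe and 31.184.194.x.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class BlockEvent:
    domain: str          # "" when the popup showed no domain ("[ ]" in the post)
    ip: str
    port: Optional[int]  # None when the port was not captured
    process: str

# Constructed sample drawn from the table in the first post.
SAMPLE_EVENTS = [
    BlockEvent("c71585.com", "31.184.194.6", 58741, r"SysWOW64\dllhost.exe"),
    BlockEvent("c71585.com", "31.184.194.6", 65337, r"SysWOW64\dllhost.exe"),
    BlockEvent("ff1493.com", "31.184.194.116", 63586, r"SysWOW64\dllhost.exe"),
    BlockEvent("ff1493.com", "31.184.194.116", 53204, r"SysWOW64\dllhost.exe"),
    BlockEvent("", "31.184.194.37", 65412, r"SysWOW64\dllhost.exe"),
    BlockEvent("", "31.184.194.37", 51930, r"SysWOW64\dllhost.exe"),
    BlockEvent("", "184.164.143.90", None, "msfeedsync.exe"),
    BlockEvent("ccbidder.tlvmedia.com", "184.173.133.94", None, "dpnsvr.exe"),
]

def summarize(events):
    """Return {(process, '/24 network'): {hits, ips, domains, ports}}."""
    groups = defaultdict(lambda: {"hits": 0, "ips": set(), "domains": set(), "ports": set()})
    for ev in events:
        net = ipaddress.ip_network(f"{ev.ip}/24", strict=False)  # collapse host to its /24
        g = groups[(ev.process.lower(), str(net))]
        g["hits"] += 1
        g["ips"].add(ev.ip)
        if ev.domain:
            g["domains"].add(ev.domain)
        if ev.port is not None:
            g["ports"].add(ev.port)
    return dict(groups)

def suspicious_groups(events, min_hits=3, min_ips=2):
    """(process, network, hits) for groups blocked repeatedly to several hosts."""
    return sorted((proc, net, g["hits"]) for (proc, net), g in summarize(events).items()
                  if g["hits"] >= min_hits and len(g["ips"]) >= min_ips)

if __name__ == "__main__":
    for proc, net, hits in suspicious_groups(SAMPLE_EVENTS):
        print(f"{proc} blocked {hits} times reaching {net}")
```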



#2 buddy215


Posted 23 March 2015 - 10:33 AM

Block the install of Third Party aka Ad/ Tracking cookies in all browsers you use. There are other locations such as Adobe Flash that allow those cookies.

Disable third-party cookies in IE, Firefox, and Google Chrome | How To - CNET

 

Once you have blocked the Ad cookies from installing you will need to delete the existing ones. Use CCleaner and check to be sure it is deleting ALL cookies in its settings.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Run a scan using Eset Online Scanner.

  • Run the ESET Online Scanner.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 buddy215


Posted 23 March 2015 - 10:51 AM

You may be infected with poweliks. Use the tool below to find and remove. It should take less than two minutes to install and run the tool.

 

Please download Powelikscleaner (by ESET) and save it to your Desktop.

  • Double-click ESETPoweliksCleaner.exe to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please let me know if poweliks is found and removed as shown in last image.


#4 brseavey


Posted 23 March 2015 - 07:18 PM

CCleaner followed by ESET did the trick.

ESETPowelikscleaners (which I tried first) found nothing.

Thank you to everyone who replied.



#5 buddy215


Posted 23 March 2015 - 08:34 PM

Okay....if the problem reoccurs....let me know....you're welcome.

