Everything posted by mailman

  1. NOTE: I am speculating. Perhaps this is the incident that led to Google pulling your site from its AdSense program. Have you contacted Google to find out? ========== I suspect your hosting provider that owns IP 64.191.53.56 (ref.) wants to avoid legal/financial action Jelsoft Enterprises Ltd. (producers of vBulletin) might pursue against them for knowingly allowing pirated software to be hosted (and USED) on servers under their control. I suspect Jelsoft has the means to aggressively pursue legal/financial action if necessary. I also suspect Jelsoft WILL pursue legal/financial action if the matter cannot be resolved otherwise. http://www.vbulletin.com/forum/showthread....908#post1285908 On the other hand, I suspect the same hosting provider gets money from the vulnerability exploiters and malware pushers it apparently provides hosting services for in the same IP range. Therefore, it seems, the hosting provider would be less likely to pursue corrective action against the exploiters/malware pushers because the hosting provider's income would be negatively affected. I suspect comparatively few people have the ability/knowledge/patience/finances/etc. to aggressively pursue against the host for knowingly hosting malicious web sites. I also suspect many "legitimate" web site owners with IP addresses in the same IP range as malicious sites don't care whether or not their host also provides services to malicious domains (as long as the "legitimate" site owner gets "good value for money"). ========== Perhaps enough people who maintain "legitimate" web sites will complain to their hosting providers about their sites being hosted on the same IP address range (in some cases, even on the same IP address) as malicious sites that the hosts will begin to take appropriate actions. 
If the issue becomes a headache for the host personnel, (especially if enough legitimate web site owners move their sites to other hosts that have established positive, proactive reputations), then the "questionable" host personnel might begin to take the actions that Steven, and probably many other people, have been trying to get them to take. Then perhaps the online community, as a whole, will benefit. I suspect many (most?) of the people who use Malwarebytes' Anti-Malware WELCOME the "IP Protection" feature even though the feature is currently in its "first version" and can probably use some description/functionality tweaks (such as a less threatening alert message and the end-user's ability to easily "whitelist" certain IP addresses/ranges).
  2. Not only does www.pinnaclepoints.com resolve to 64.202.189.170, currently hpHosts indicates (clickable link) SEVERAL malicious host names also resolve to that identical IP. Also according to hpHosts,
  3. I looked more carefully through the hpHosts list of IPs in the same IP address block as www.gymjam.com and found a site with the IDENTICAL IP address as www.gymjam.com so you might be out of luck regarding removal of the 72.167.232.235 IP address from MBAM's IP Protection.

#   Hostname          IP              Added       Class
23  supercleanpc.com  72.167.232.235  16/06/2009  FSA

According to hpHosts, supercleanpc.com no longer resolves to 72.167.232.235 though so, who knows? I'm still trying to get my head around the hpHosts database and how IP addresses, pointers, hostnames, etc. all fit together. Still, I would suggest you post about the 72.167.232.235 IP address in the False Positives forum (perhaps with a link to this thread).
  4. According to hpHosts, However, also according to hpHosts, several IP addresses in the same IP address block (72.167.232.*) ARE classified as malicious. I suggest you post about the specific 72.167.232.235 IP in the False Positives forum. Perhaps MysteryFCM (the hpHosts DB administrator) will update MBAM to exclude that specific IP for www.gymjam.com from MBAM's IP Protection. Please follow the instructions in this link when creating your "New Topic" post. Good luck!
  5. I also am wondering. The hpHosts database says this about IP 88.214.226.32: I suggest you head over to the False Positives forum and follow the instructions in this link to report about that IP. For example, it would probably be helpful for them if you explain about your "seoquake.com legitimate add on to Firefox" (perhaps even with a link to the add on that apparently triggers the alert) so they can further verify its legitimacy and they can reproduce your annoying situation.
  6. Hi, scarrlette. I was told the other day by one of the forum's "Trusted Advisors" that there is a policy in place such that edits are not allowed until one has made several posts and established oneself as a Malwarebytes forum member. Apparently, in the past, the "edit" feature was abused.
  7. Thanks! First, I would probably drive there, do some of my own scans, and copy logs to USB thumb drive (already Panda vaccinated) for my research after I get back home. Besides, there's a restaurant with YUMMY PRIME RIB nearby. Then, if it turned out her computer was likely compromised, I would direct her to seek expert help. It's a toss-up between here and Windows BBS though. I feel a pretty strong loyalty to Windows BBS and Broni has been VERY busy doing a darn good malware clean-up job over there as well. (BTW, Broni also often recommends Malwarebytes' Anti-Malware to people who want "the best" anti-malware apps.) If the unfortunate occasion of malware infection arises, I might just flip a coin! Do you call HEADS or TAILS?
  8. Exile and Lonny, THANK YOU for describing (in Posts #60, #61, and #64) the specific discrepancies you observed and corrected in eldo's registry. I GREATLY appreciate your taking time to fill us in on the details! I have not yet studied the malware removal thread similarities between eldo's logs and prompt's logs (because your fix apparently worked for both of them). That's my next step in my layperson's attempt to grasp a better understanding (of what I have a hunch is a fairly new development since Lonny stated the fix is slated to be incorporated into a ComboFix update). Thanks again for all your efforts! BTW, I'm so impressed with the Malwarebytes' people and software reputation, I purchased TWO Malwarebytes' Anti-Malware licenses and will likely purchase another for a dear friend because it's a lifetime license and she doesn't like to manually fiddle with software. I can install it, activate resident protection and automatic updates, and forget about it (unless she calls me about alerts/bugs/FPs).
  9. Hi, TeMerc. LTNS. I already had the "free version" installed in my two computers. Last night I purchased my first MBAM license (and tonight I purchased my 2nd). Instead of downloading the "full version", I simply entered the ID code and key in my already-installed free version which unlocked the resident protection feature. When I checked the license.txt (ATTACHED to this message) in my MBAM program folder to try to determine if my 2nd license purchase was even necessary, I did not find ANY mention of the number of computers I may use a purchased license for. I suspect the "one license per computer" limit verbiage is omitted from the free version download/installation but might be included in the full version download/installation. (I have not checked.) SUGGESTION: Please consider including verbiage in the "free" version license.txt file that states "one paid license per computer" so other people who do not bother downloading the "full version" and simply unlock the paid features in the free version do not have to hunt and find this thread. If you need me to clarify, please holler and I will do my best. Thanks! license.txt
  10. NOTED: This fix apparently applies ONLY to Windows XP SP3. Using it for any other version/service pack of Windows could produce very disastrous consequences. I suppose it may even produce disastrous consequences for XP SP3 as well. Therefore, one should prepare for a worst-case scenario before applying the fix. (See my "standard disclaimer" at the end of this message.) ========================== OK, Lonny. I will keep that registry merge to myself. I checked a few days ago and discovered Dave hadn't posted there since May. (I hope he's okay.) In fact I WAS thinking of sending him a PM right about that time (because he CERTAINLY is a Windows wizard), but exile started posting your name (which I recognized) in this thread with an expression of optimism so I decided to login here and put my "fresh" ideas here instead (while attempting to solve eldo's problem which was EXTREMELY similar to prompt's, including the fact they were both recovering from malware infections). This apparently turned out VERY well for everyone involved. I am also very impressed with the patience of everyone involved. Thanks again for your help (and everyone else's), Lonny and exile. (Please pass my thanks on to them as well.) Exactly what values were incorrect? It'd be nice to see the Post #30 batch file output of eldo's registry keys (or prompt's keys over at the Windows BBS thread) for comparison after the fix was applied but I will certainly understand if they don't want to mess with something that "ain't broke" any more.
I compared exile's 1st and 2nd versions of the Services .reg fix in this thread and the only differences I saw were three strings at the beginning of the .reg file that, I surmise, remove the CryptSvc, seclogon, and Spooler keys from the registry before replacing them:

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]

I tried to make sense of the rest of the registry merge file and the only things I noticed about the merge file are ...
  • the ServiceSidType values are absent for the CryptSvc and spooler keys and they were present in eldo's (and prompt's) registry
  • the RequiredPrivileges values appear to be absent
  • the FailureActions values appear to be absent
  • the "hex(2): ..." strings make NO sense to me yet
  • the entire HKLM\SYSTEM\CurrentControlSet\Services\spooler\Security subkey appears to be absent
  • the entire HKLM\SYSTEM\CurrentControlSet\Services\spooler\Enum appears to be absent

I'm just trying to learn what I can from this experience and remove some of the "mystery" that still exists (for me anyway).

Q#1. For example, exactly what was responsible for the specific error code (Error 1290: 0x50a) that both eldo and prompt were seeing? I wonder whether it had something to do with the "RequiredPrivileges" subkey because the article I referenced states, The "RequiredPrivileges" key value seems it may be a "restriction" that the article I referenced is referring to.

Q#2. What about the print spooler might be involved in all this? To my "layperson" eyes, the print spooler registry key values would be inconsequential as far as Cryptographic Services goes.

I realized people may be very busy so I won't take it personally if my requests go unanswered. You have malware to eradicate! Thanks again! BTW, as a token of my appreciation, I will purchase a Malwarebytes Anti-malware license later tonight to encourage you to keep up your good work.
====================================== DISCLAIMER/CAUTION: Editing/cleaning/repairing your computer's registry is potentially dangerous. You might render your computer unstable or even unbootable. Before you edit/clean/repair your registry with any method, be sure you make a backup of your registry and you know how to access and use that backup in case you muck up your computer. If you decide to manually edit your registry, then be sure you are comfortable with editing the registry and I suggest you save a backup of at least the key you edit ahead of time in case you need/want to reverse your changes. Editing the registry can produce serious undesirable consequences if done incorrectly. In any case, you should know ahead of time how to restore your original registry settings and prepare to do so in case the need arises.

MVPS.org (Ramesh's Site): How to backup the Windows XP Registry?
Microsoft KB322756: How to back up and restore the registry in Windows
Symantec: Backing up the Windows registry

I also suggest you create a System Restore point before making any changes (regardless of what method you use). System Restore may be accessed as follows. Click Start > All Programs > Accessories > System Tools > System Restore
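The .reg merge review described in post 10 above (which keys the [-KEY] lines wipe, which value names survive under each key, and what the hex(2) strings actually hold), as an added example that is not code from the thread or from the FixServices fix. The sample .reg text inside it is constructed; only the CryptSvc deletion line mirrors what the post quotes, and the ImagePath/DependOnService values are illustrative.

```python
# Added example (not the FixServices file from the thread): read a .reg merge so
# its [-KEY] deletions, per-key value names and hex(2)/hex(7) strings can be reviewed.
import re

# Constructed sample; only the CryptSvc deletion line mirrors the one quoted in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Type"=dword:00000020
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
'''
# Value names the post found absent from the fix; after a [-KEY] wipe they stay gone.
REVIEW_VALUES = ("ServiceSidType", "RequiredPrivileges", "FailureActions")

def _decode(raw):
    """One .reg value literal -> (registry type, Python value)."""
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if not m:                      # plain "quoted" string
        return "REG_SZ", raw.strip('"')
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    text = data.decode("utf-16-le", "replace")
    if m.group(1) == "2":          # REG_EXPAND_SZ: UTF-16LE text ending in one NUL
        return "REG_EXPAND_SZ", text.rstrip("\x00")
    if m.group(1) == "7":          # REG_MULTI_SZ: NUL-separated strings, double NUL at end
        return "REG_MULTI_SZ", [s for s in text.split("\x00") if s]
    return "REG_BINARY", data

def parse_reg(text):
    """Return ([keys deleted via [-KEY]], {key: {value name: (type, value)}})."""
    deleted, keys, current = [], {}, None
    # Undo the backslash line-wrapping regedit applies to long hex data, then walk lines.
    for line in text.replace("\r\n", "\n").replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("[-") and line.endswith("]"):
            deleted.append(line[2:-1])
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            name, _, raw = line.partition("=")
            current[name.strip('"')] = _decode(raw)
    return deleted, keys

def missing_values(key_values):
    """Names from REVIEW_VALUES that the merged key would not contain."""
    return [n for n in REVIEW_VALUES if n not in key_values]
```

Running parse_reg on a real fix file before merging it shows at a glance that a key wiped by [-KEY] comes back with only the values the file lists, which is how ServiceSidType, RequiredPrivileges and FailureActions end up absent.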
  11. This is GREAT news! THANKS! Please pass my heartfelt thanks on to Lonny as well. I downloaded the FixServices_v2.zip so I can print and study it to figure out what you wizards did. May I post that file and/or its contents in our related Windows BBS thread? If I have your permission, then I will include my usual "use at your own risk" and "back up your registry" disclaimers and I will advise people (who may have a similar problem) to carefully review this thread at Malwarebytes before applying the fix.
  12. In case your current ideas do not pan out (and continuing with my original line of thought/research regarding eldo's specific CryptSvc "Error 1290: 0x50a" code), ... The Cryptographic Services service apparently depends on the Remote Procedure Call (RPC) service (at least in my XP Home SP3 machine). Therefore, perhaps eldo's RPC service SID type setting information differs from eldo's CryptSvc service SID type setting information.
  13. Oops, I was saying... My output has a line that is NOT in eldo's output: in the first section immediately below "Type REG_DWORD 0x20" and Eldo has another line that is not in my output: in the Parameters subkey. (I'm sorry. I would normally put this in an "edit" but I do not see such a feature with this BBS software.)
  14. In eldo's malware removal thread with AdvancedSetup, eldo mentioned, I Googled 1290: 0x50a and found a result stating, In Post #6 of THIS thread, eldo's Crypto registry key output includes the following lines. It seems to me that those particular lines contain "restricted service SID type" information that my Google search result refers to (though I am not an expert). I ran that batch file (from Post #5) in my Windows XP Home SP3 computer and found those lines do NOT exist in my computer and my computer functions normally (as far as I know). My output has a couple lines I wonder whether or not eldo could simply (and safely) remove those parts of eldo's Crypto registry key without causing undesired consequences (and perhaps enabling eldo's CryptSvc service to start running properly again). exile360 (and/or other experts), what are your thoughts about this?