M.A.M: IP-BLOCK (outgoing) in Firefox - Need advice

[Terrax]

Hi.

One of our home laptops was unfortunately recently infected with malware; seemingly something called "AV Security Suite 2012", a program posing to be a antivirus program trying to trick the attacked party to make a purchase of the software to get rid of a collection of viruses and malware.

Exerpt from the Malwarebytes Anti-Malware initial scan log (I have the norwegian version, so I have tried to translate the norwegian bits):

- - - - - - - - - - - start - - -

Registry values discovered: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|AV Security Essentials (Rogue.AVSecurityEssentials) -> Data: "C:\ProgramData\5be20a\AV5be_8050.exe" /s /d -> No measures taken.

Registry values discovered: 1

HKCR\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=8050&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> No measures taken.

- - - - - - - - - - - - end - - -

AV Security Suite was removed using "Malwarebytes Anti-Malware". My anti-virus solution is "Microsoft Security Essentials". I also downloaded the latest versions of "Spybot - Search & Destroy" and "Ad-Aware". I ran scans using all these applications (one at a time) and removed any issues that were discovered. I re-ran all the scans and no viruses / malware / problems were discovered, so the PC seemed clean.

However, when using Firefox (primary browser) I now get the following pop-up from M.A.M (again, translated from norwegian, so I might not use the exact same words as in the english version):

- - - - - - - - - - - - - - - - - - start - - -

[Malwarebytes Anti-Malware]

Successfully blocked access to a potentially damaging web site: 109.163.226.208

Type: outgoing

Port: 51316, Process: firefox.exe

- - - - - - - - - - - - - - - - - - end - - -

This is todays M.A.M. protection log:

- - - - - - - - - - - - - - - - - - start - - -

2012/02/07 00:07:24 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 51047, Process: firefox.exe)

2012/02/07 00:20:15 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 51391, Process: firefox.exe)

2012/02/07 00:20:15 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 51393, Process: firefox.exe)

2012/02/07 00:32:01 +0100 SIW-BÆRBAR Siw MESSAGE Starting protection

2012/02/07 00:32:03 +0100 SIW-BÆRBAR Siw MESSAGE Protection started successfully

2012/02/07 00:32:06 +0100 SIW-BÆRBAR Siw MESSAGE Starting IP protection

2012/02/07 00:32:07 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection started successfully

2012/02/07 00:32:14 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49427, Process: firefox.exe)

2012/02/07 00:32:14 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49431, Process: firefox.exe)

2012/02/07 18:26:32 +0100 SIW-BÆRBAR Siw MESSAGE Starting protection

2012/02/07 18:26:34 +0100 SIW-BÆRBAR Siw MESSAGE Protection started successfully

2012/02/07 18:26:37 +0100 SIW-BÆRBAR Siw MESSAGE Starting IP protection

2012/02/07 18:26:38 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection started successfully

2012/02/07 18:31:59 +0100 SIW-BÆRBAR Siw MESSAGE Executing scheduled update: Daily

2012/02/07 18:32:05 +0100 SIW-BÆRBAR Siw MESSAGE Scheduled update executed successfully: database updated from version v2012.02.06.05 to version v2012.02.07.04

2012/02/07 18:32:05 +0100 SIW-BÆRBAR Siw MESSAGE Starting database refresh

2012/02/07 18:32:05 +0100 SIW-BÆRBAR Siw MESSAGE Stopping IP protection

2012/02/07 18:32:56 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection stopped

2012/02/07 18:32:57 +0100 SIW-BÆRBAR Siw MESSAGE Database refreshed successfully

2012/02/07 18:32:57 +0100 SIW-BÆRBAR Siw MESSAGE Starting IP protection

2012/02/07 18:32:58 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection started successfully

2012/02/07 20:38:43 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49758, Process: firefox.exe)

2012/02/07 20:38:43 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49762, Process: firefox.exe)

2012/02/07 20:47:57 +0100 SIW-BÆRBAR Siw IP-BLOCK 93.190.140.59 (Type: outgoing, Port: 50169, Process: firefox.exe)

2012/02/07 20:48:05 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 50179, Process: firefox.exe)

2012/02/07 21:05:09 +0100 SIW-BÆRBAR Siw MESSAGE Starting protection

2012/02/07 21:05:11 +0100 SIW-BÆRBAR Siw MESSAGE Protection started successfully

2012/02/07 21:05:14 +0100 SIW-BÆRBAR Siw MESSAGE Starting IP protection

2012/02/07 21:05:15 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection started successfully

2012/02/07 21:06:51 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49259, Process: firefox.exe)

2012/02/07 21:11:56 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49877, Process: firefox.exe)

2012/02/07 22:11:15 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 50548, Process: firefox.exe)

2012/02/07 22:23:06 +0100 SIW-BÆRBAR Siw MESSAGE Starting protection

2012/02/07 22:23:09 +0100 SIW-BÆRBAR Siw MESSAGE Protection started successfully

2012/02/07 22:23:12 +0100 SIW-BÆRBAR Siw MESSAGE Starting IP protection

2012/02/07 22:23:13 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection started successfully

2012/02/07 22:26:01 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49251, Process: firefox.exe)

2012/02/07 22:26:01 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49254, Process: firefox.exe)

2012/02/07 22:26:01 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49264, Process: firefox.exe)

2012/02/07 22:53:32 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49953, Process: firefox.exe)

2012/02/07 22:55:01 +0100 SIW-BÆRBAR Siw IP-BLOCK 74.118.192.152 (Type: outgoing, Port: 50197, Process: firefox.exe)

2012/02/07 22:55:17 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 50220, Process: firefox.exe)

2012/02/07 23:15:02 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 51316, Process: firefox.exe)

2012/02/07 23:35:11 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 51664, Process: firefox.exe)

- - - - - - - - - - - - - - - - - - end - - -

I have tried googling the 109.163.226.208 address which mainly appears in the MAM protection log, but I'm not getting any wiser from it.. Do you have any advise for me in this matter? As far as I can tell, this popup only appears (from time to time) in Firefox, not when using Internet Explorer.

Have included "DDS.txt" and "Attach.txt" as per the instructions in the forum sticky:

DDS.txt

Attach.txt

[Elise]

Hello and

I see some bad hosts file entries which may be the cause of the problem. However, first of all, please uninstall AdAware; this is no longer an antispyware program, but has also antivirus components, which means it will interfere with Microsoft Security Essentials and possibly cause conflicts.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

• 
  

Bleepingcomputer
ForoSpyware

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Combofix.exe and follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

[Terrax]

Hi and thank you for your response

Firstly, I removed Ad-Aware as instructed. I then downloaded Combofix and disabled real-time protection in MS Security Essentials and disabled Malwarebytes Anti-Malware. When trying to follow the Spybot Teatimer disabling instructions, I couldn't complete all the steps (see highlighted red text below). The guide states:

- - - - - start quote - - - - -

SPYBOT TEATIMER

• Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  
• On the left hand side, click on Tools, then click on the Resident Icon in the list.
  
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  
• Click on the "System Startup" icon in the List
  
• Uncheck the "TeaTimer" box and "OK" any prompts.
  
• If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  
• Exit Spybot S&D when done and reboot your computer.
  (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.
  

- - - - - end quote - - - - -

I unchecked "Resident TeaTimer" under "Resident", but under "System startup" I did not see any entry called "TeaTimer", so I just exited Spybot after this step. Regarding Windows Defender, which I have preinstalled with Windows 7, I was told that it was disabled when I tried to launch it, so I just skipped the disabling of this software.

I then ran Combofix (the recovery console was already installed with Win 7) and it eventually rebooted the PC. I logged in again, and got a Combofix window telling me to not launch any software until Combofix had finished running.

Finally, I was presented with a log file. I saved this to my desktop. However, I now had severe problems launching anything at all; I tried launching Firefox, Internet Explorer and Windows Explorer. I unfortunately did not write down the exact message I got each time I tried to launch the different applications, but the message was identical on each of them; it said something along the lines of: "Could not launch software. The registry key is marked for deletion". Or something similar. I rebooted the PC and I could launch the applications again. I then re-enabled MS Security Essentials, Malwarebytes Anti-Malware and Spybot's TeaTimer.

Attached files:

C:\Combofix

ComboFix.txt

I don't know if this is needed, but here is also the file C:\Qoobox\ComboFix-quarantined-files.txt

ComboFix-quarantined-files.txt

Thanks for your assistance this far, looking forward to your reply.

-Terrax-

[Terrax]

Additional info:

I received an IP block using Firefox (highlighted in red) once before starting the combofix procedure which I described in my previous post.

See log from M.A.M. below:

- - - - - log start - - - - -

2012/02/08 17:45:45 +0100 SIW-BÆRBAR Siw MESSAGE Starting protection

2012/02/08 17:45:47 +0100 SIW-BÆRBAR Siw MESSAGE Executing scheduled update: Daily

2012/02/08 17:45:48 +0100 SIW-BÆRBAR Siw MESSAGE Protection started successfully

2012/02/08 17:45:51 +0100 SIW-BÆRBAR Siw MESSAGE Starting IP protection

2012/02/08 17:45:51 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection started successfully

2012/02/08 17:45:56 +0100 SIW-BÆRBAR Siw MESSAGE Scheduled update executed successfully: database updated from version v2012.02.07.04 to version v2012.02.08.03

2012/02/08 17:45:56 +0100 SIW-BÆRBAR Siw MESSAGE Starting database refresh

2012/02/08 17:45:56 +0100 SIW-BÆRBAR Siw MESSAGE Stopping IP protection

2012/02/08 17:46:39 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection stopped

2012/02/08 17:46:41 +0100 SIW-BÆRBAR Siw MESSAGE Database refreshed successfully

2012/02/08 17:46:41 +0100 SIW-BÆRBAR Siw MESSAGE Starting IP protection

2012/02/08 17:46:42 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection started successfully

2012/02/08 17:50:33 +0100 SIW-BÆRBAR Siw IP-BLOCK 109.163.226.208 (Type: outgoing, Port: 49358, Process: firefox.exe)

2012/02/08 18:31:03 +0100 SIW-BÆRBAR Siw MESSAGE Starting protection

2012/02/08 18:31:04 +0100 SIW-BÆRBAR Siw MESSAGE Protection started successfully

2012/02/08 18:31:07 +0100 SIW-BÆRBAR Siw MESSAGE Starting IP protection

2012/02/08 18:31:08 +0100 SIW-BÆRBAR Siw MESSAGE IP Protection started successfully

- - - - - log end - - - - -

I have used Firefox for a while now and so far I have not received any IP block messages. So I guess that's a good sign so far..

Though, I have had Firefox stop responding in one instance, but that might be unrelated.

- Terrax -

[Elise]

Hi Terrax, that is a fairly common error and indeed fixed with a reboot. How are things running at this point?

[Elise]

Looks like we crossposted.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

• Download the latest version of Java Runtime Environment (JRE) Version 7u2.
  
• Look for "JDK 7u2 (JDK or JRE).
  
• Click the "Download JRE" button at the right.
  
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
  
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
    

  [*]Save it to your desktop

  [*]Close any programs you may have running - especially your web browser.

  [*]Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).

  [*]Reboot your computer once all Java components are removed.

  [*]Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Please launch MBAM, update it and run a full scan. Post me the resulting log.

[Terrax]

I have unistalled 2 previous versions of JAVA (I think it was version 6 and a version 6 update) and installed JRE 7u2.

Ran MBAM, here's the log (mine's in norwegian, so I'll try to translate):

- - - - - start of log - - - - -

Malwarebytes Anti-Malware (Trial version) 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.08.04

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Siw :: SIW-BÆRBAR [administrator]

Protection: Activated

08.02.2012 19:52:56

mbam-log-2012-02-08 (19-52-56).txt

Scan type: Full scan

Activated scanner settings: Memory | Startup | Registry | File system | Heuristikk/Extra | Heuristikk/Shuriken | PUP | PUM

Deactivated scanner settings: P2P

Objects scanned: 309999

Time elapsed: 29 minute(s), 54 second(s)

Memory processes discovered: 0

(No harmful objects found)

Memory modules discovered: 0

(No harmful objects found)

Registry keys discovered: 0

(No harmful objects found)

Registry values discovered: 0

(No harmful objects found)

Registry files discovered: 0

(No harmful objects found)

Folders discovered: 0

(No harmful objects found)

Files discovered 0

(No harmful objects found)

(ready)

- - - - - end of log - - - - -

Seems like there aren't any problems in this log, if I read it correctly?

-Terrax-

[Elise]

No, all looks quite good! Lets do one last scan to doublecheck.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
   
2. Click the button.
   
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. 
      
   2. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
      
   3. Double click on the
      icon on your desktop.
      
      
   4. Check "YES, I accept the Terms of Use."
      
   5. Click the Start button.
      
   6. Accept any security warnings from your browser.
      
   7. Under scan settings, check "Scan Archives" and "Remove found threats"
      
   8. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
        
      • Scan for potentially unsafe applications
        
      • Enable Anti-Stealth technology

[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

[*]When the scan completes, click List Threats

[*]Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

[*]Click the Back button.

[*]Click the Finish button.

[Terrax]

I did as you requested in your last reply, but when ESET finished, I did not see any "List of threats" button, but then again, the results window listed 0 found threats..

I took a screenshot of the results window:

Also, I found a file called C:\Programfiler (x86)\ESET\ESET Online Scanner\log.txt ("Programfiler" = "Program Files"), with the following contents:

- - - - - start of log file - - - - -

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=89bc84089d4c6a458630958181c52891

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-02-08 08:42:29

# local_time=2012-02-08 09:42:29 (+0100, Vest-Europa (normaltid))

# country="Norway"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776574 100 94 10887315 80360422 0 0

# compatibility_mode=8192 67108863 100 0 3759 3759 0 0

# scanned=140453

# found=0

# cleaned=0

# scan_time=3177

- - - - - end of log file - - - - -

Seems clean..?

[Elise]

Thats normal when it doesn't find any threat.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean

Please do the following to remove the remaining programs from your PC:

• Delete the tools used during the disinfection:
  • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    

Please read these advices, in order to prevent reinfecting your PC:

1. Install and update the following programs regularly:
   • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
     A comprehensive tutorial and a list of possible firewalls can be found here.
     
   • an AntiVirus Software
     It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
     
   • an Anti-Spyware program
     Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
     SUPERAntiSpyware is another good scanner with high detection and removal rates.
     Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
     
   • Spyware Blaster
     A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
     

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

• Miekies' prevention suggestions
  
• So How did I get infected?
  
• Microsoft - 'Security at home'
  
• Calendar of Updates: See which updates have been released.
  
• How to backup your Data with Cobian Backup:because you never know, when your harddisk might fail :wink:
  
• Commonly Used Freeware Replacements: a nice list of freeware programs in all categories, that are regarded as useful by the users of this forum.
  
• osalt: Find (free) open source alternatives to known commercial software.

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

[Terrax]

I followed your advice from the last post; specifically, I downloaded, installed and configured Spyware Blaster on this PC.

By the way, is Spybot needed when I have Spyware blaster installed, or does Spybot do the same (or a better) job? Just curious..

Thank you very much, you've provided excellent help!

[Elise]

You are most welcome!

I will request this topic to be closed.