
Mbam shows clean, but blocking outgoing IPs.



I got a virus last week and was getting help over at the TechSpot forums for it. Malwarebytes was one of the programs they recommended to help remove the critter I was infected with, and I was apparently clean. However, in spite of all the scans (Malwarebytes, Avast, BitDefender and ESET online scanners, and McAfee before I got rid of it in favor of Comodo and Avast) now showing clean, MBAM is blocking several outgoing connections to a handful of IP addresses. I understand that in Vista or higher I'd be able to tell which program was initiating the connections... almost (but not quite) enough to make me wish I was running Vista. As it is, here are my DDS logs.

My Malwarebytes trial is expired, and I do wish to purchase the full version, but I'm afraid to do anything that might risk my credit card info. I've been very careful to not do anything online that might expose any of my financial stuff since I got the virus, and want to be sure I'm clean before I do so. As you can imagine, this is a pain in, well, some region probably better left unmentioned, since I normally do bank and buy things online!




Hello and :welcome:

Could you please post me the link to your techspot topic so I can see what has been done there?



Going over your logs I noticed that you have Azureus installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall Azureus, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

In addition, p2p programs like Azureus can cause outgoing IP blocks.


To be honest, I only use Azureus rarely. I keep it because I occasionally download unlicensed subbed anime torrents from sources I know to be reliable. I haven't actually used it in at least 6 months.

Here's the thread http://www.techspot.com/vb/topic177082.html ...I got frantically busy for a few days, and didn't even have time to log onto my machine, let alone do anything else, so the thread got closed. I thought that I should go directly to the source so to speak, since Malwarebytes was the only thing alerting me.


Randomly, for the most part...Every two to five minutes for about an hour, then silence for a couple of hours. There seems to be a flurry of them in the early morning hours, or on startup...anytime I restart or power cycle the modem, it cycles to a different address, usually one of nine or ten IPs. It seems to do them in bursts, every couple of minutes, then none for a few hours. I thought for a while that I'd gotten rid of it yesterday...there were actually none, for a whole night after running combofix (Which I ended up submitting to Comodo as a white hat tool...neither it nor Avast were happy about it.) I ended up shutting off Avast and Comodo to run it.

Is there any way to get Mbam to tell what program is doing the sending in XP? Even after the fact, in the log?

I had a thought that it might be a rogue firefox add-on, (I had a couple of third party addons that didn't update with the newest firefox release.) and uninstalled a couple of the ones that no longer had official mozilla pages...For a short while afterwards it seemed I was getting fewer alerts.

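As an added example (not from the original thread, and not Malwarebytes' own tooling), here is one way to answer the question above on XP: the MBAM protection log records only the remote IP, but `netstat -ano` (XP SP2 and later; `-o` adds the owning PID) shows which process holds each connection, and `tasklist /fo csv /nh` maps PIDs to image names. The script below correlates the three. The log lines, netstat output and tasklist output are constructed samples, and the MBAM log line layout is an assumption, so adjust the regex to whatever your version writes.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of an MBAM protection log (line layout ASSUMED; adjust IP_BLOCK_RE
# to match your version). Only the "IP-BLOCK <ip> (Type: outgoing)" part is used.
MBAM_LOG = """\
2012/03/05 06:12:41 -0500\tXPBOX\towner\tIP-BLOCK\t198.51.100.23\t(Type: outgoing)
2012/03/05 06:14:58 -0500\tXPBOX\towner\tIP-BLOCK\t203.0.113.77\t(Type: outgoing)
2012/03/05 06:15:02 -0500\tXPBOX\towner\tIP-BLOCK\t198.51.100.23\t(Type: outgoing)
2012/03/05 07:40:19 -0500\tXPBOX\towner\tIP-BLOCK\t192.0.2.9\t(Type: outgoing)
"""

# Constructed `netstat -ano` snapshot taken while the blocks were firing.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1042       198.51.100.23:80       SYN_SENT        1588
  TCP    192.168.1.5:1043       203.0.113.77:443       SYN_SENT        1588
  TCP    192.168.1.5:1050       93.184.216.34:80       ESTABLISHED     2200
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output from the same moment.
TASKLIST = """\
"System","4","Console","0","236 K"
"firefox.exe","2200","Console","0","98,212 K"
"svchost.exe","1588","Console","0","4,104 K"
"""

IP_BLOCK_RE = re.compile(r"IP-BLOCK\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(\w+)\)")


def parse_blocked_ips(log_text, direction="outgoing"):
    """Return the set of remote IPs MBAM reported blocking in the given direction."""
    ips = set()
    for line in log_text.splitlines():
        m = IP_BLOCK_RE.search(line)
        if m and m.group(2).lower() == direction:
            ips.add(m.group(1))
    return ips


def parse_netstat(netstat_text):
    """Map each remote IP in `netstat -ano` output to the set of PIDs talking to it."""
    remote_to_pids = defaultdict(set)
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner and header lines
        foreign = parts[2]
        pid = parts[-1]  # TCP rows carry a State column, UDP rows do not; PID is always last
        if not pid.isdigit():
            continue
        host, _, _port = foreign.rpartition(":")
        if host and host != "*":
            remote_to_pids[host].add(int(pid))
    return dict(remote_to_pids)


def parse_tasklist(tasklist_text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    names = {}
    for row in csv.reader(io.StringIO(tasklist_text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def attribute_blocks(log_text, netstat_text, tasklist_text):
    """For each blocked outgoing IP, list the processes that had a socket to it.

    An empty list means the IP was blocked but no live connection to it was in
    the netstat snapshot, i.e. the attempt had already been torn down.
    """
    remote_to_pids = parse_netstat(netstat_text)
    names = parse_tasklist(tasklist_text)
    result = {}
    for ip in sorted(parse_blocked_ips(log_text)):
        pids = remote_to_pids.get(ip, set())
        result[ip] = sorted("%s (pid %d)" % (names.get(pid, "?"), pid) for pid in pids)
    return result


if __name__ == "__main__":
    for ip, owners in attribute_blocks(MBAM_LOG, NETSTAT, TASKLIST).items():
        print(ip, "->", ", ".join(owners) or "no live connection in this snapshot")
```

Two caveats when running this against real output. A blocked attempt is short-lived (SYN_SENT for a second or so), so a single snapshot will usually miss it; run `netstat -ano 2` so it repeats every two seconds, or loop it, and feed each snapshot through `parse_netstat`. If the answer comes back as svchost.exe, that only narrows it to a service host; `tasklist /svc` lists which services live in that PID. On XP SP2 and later `netstat -b` will also print the executable name directly, at the cost of being slow and needing an administrator prompt.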

Today's logs show only one IP address being blocked... ironically, it's from when I went to find out what some of the ones in the log were. I probably ought to report the false positive... is ip-address.org, and probably doesn't need to be blocked.

I went and looked at the logs, and it appears that I may have been looking at an older log. Rechecked today, wanting to do an IP lookup of what was there, and there haven't been any other than the ones for ip-address.org since the last run of ComboFix! The reason they seemed random is that my machine is a bit slow... sometimes it takes a minute after the event for the bubble to show up, and I had been writing down the addresses as they showed up so I could look them up and figure out at least where whatever was being sent was going. I assumed the ones I was seeing were the same random ones I'd written down, but didn't pay attention since I'd just copy them from the MBAM log... (I already feel the long gray ears growing from assuming anything!) I blame my dunderheadedness on the cold meds. Everything seems to be running fine now.


I probably ought to report the false positive... is ip-address.org
I already did here: http://forums.malwarebytes.org/index.php?showtopic=106036 :)

It seems not to be a FP. :)

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7u3.
  • Look for "JDK 7u3 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double-clicking (run as Administrator for Windows Vista/Seven) the downloaded file.



I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double-click the esetsmartinstaller_enu.exe icon on your desktop.
    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats".
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  4. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  5. When the scan completes, click List Threats.
  6. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  7. Click the Back button.
  8. Click the Finish button.


  • 1 month later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

