
Infected, computer keeps blocking outgoing connections



Please help :)

I have the Pro version of Malwarebytes and also an all-in-one virus scanner my ISP provides me with.

For some time I have noticed that there are way too many malicious-website outgoing blocks without me sending anything anywhere... I assume I'm infected.

Also added today's log so far of blocked connections.

Added more logs, as the one I posted earlier was only 1 IP.

attach.txt

dds.txt

protection-log-2012-04-10.txt

protection-log-2012-03-31.txt

protection-log-2012-04-02.txt

protection-log-2012-04-03.txt

protection-log-2012-04-04.txt

protection-log-2012-04-05.txt

protection-log-2012-04-06.txt

protection-log-2012-04-07.txt

protection-log-2012-04-08.txt

protection-log-2012-04-09.txt

protection-log-2012-04-11.txt


Welcome to the forum.

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Post the log.

-----------------------------

Then........

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options)

Post back the report.

MrC


Please create a backup of the registry using ERUNT as outlined in the link below:

http://www.geekstogo...ry-using-erunt/

Please make sure system restore is running and create a new restore point before continuing.

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

MrC


That scan was OK.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:

If you get the message Illegal operation attempted on registry key that has been marked for deletion. after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Please do this:

Download TFC to your desktop

Close any open windows.

Double click the TFC icon to run the program

TFC will close all open programs itself in order to run,

Click the Start button to begin the process.

Allow TFC to run uninterrupted.

The program should not take long to finish its job.

Once it's finished it should automatically reboot your machine;

if it doesn't, manually reboot to ensure a complete clean.

-----------------------------------

Then.......

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how it is, MrC


Hello there,

Tried to run TFC, but alas, even after something like 60 minutes the program is not responding if I click anything, and the computer locks up and I need to reboot. You wrote it was supposed to not take long, so should I let it run longer?

Also, quick scan said it was clean, attached log below.

Thanks a lot for your great work btw, thumbs up

-Kam

mbam-log-2012-04-18 (09-09-15).txt


System seems to be running better now; pop-ups have mostly stopped, except when I exit the game called Team Fortress 2 from Steam, when I receive pop-ups saying blocked websites. Here is today's log.

What I noticed is they are all in the same minutes (when I exited the game). I have read before that some content servers from Valve are hosted on the same server farm or cluster that some bad websites use... so maybe they are false positives, or I don't know.

protection-log-2012-04-18.txt


You can look up those ip addresses here:

http://www.ip-adress.com/ip_tracer/

I have my balloon pop-up turned off and just checked some of my logs, and just about every one of them shows blocked outgoing.

I don't see any malware on the system, but I would like you to run one more scan:

------------------------------------

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked

Click Scan

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=16dc017c87c0184fa4feac201c4fd9dc

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-04-20 07:24:35

# local_time=2012-04-20 03:24:35 (-0500, Eastern Daylight Time)

# country="Canada"

# lang=3084

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=195561

# found=1

# cleaned=0

# scan_time=4298

C:\Program Files\WideStep Software\Free Quick Keylogger\qutils.dll une variante de Win32/HandyKeylogger Application (impossible de nettoyer) 00000000000000000000000000000000 I


You know about this:

C:\Program Files\WideStep Software\Free Quick Keylogger\qutils.dll une variante de Win32/HandyKeylogger Application (impossible de nettoyer) 00000000000000000000000000000000 I

-----------------------------------

Download aswMBR to your desktop.

http://public.avast....erek/aswMBR.exe

Double click the aswMBR.exe to run it.

If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".

Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

MrC


The log is clean and I'm not seeing any malware on the system except for what ComboFix found.

When you get a notification does it say that a particular program or file is trying to connect or does it just say:

IP-BLOCK 95.154.250.105 (Type: outgoing)

I can reproduce these at any time, just go to some risky sites, and my computer is definitely not infected.

--------------------------------------------

Like I said before, I have my notification pop-up turned off.... if I check my logs I have many outgoing blocks.

Take a look at the links below:

http://forums.malwar...howtopic=109053

http://forums.malwar...howtopic=108627

http://forums.malwar...48

Let me know....MrC

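The two posts on the protection-log entries (Kam's note that the blocks all land in the same minutes as closing the game, and MrC's point that "IP-BLOCK ... (Type: outgoing)" lines show up on clean machines too) both come down to one triage question: do the blocks cluster in time, and which addresses recur? The script below is an added example, not code from this thread or from Malwarebytes; it assumes a line shape of "date time zone host user IP-BLOCK ip (Type: direction)" and uses constructed sample lines, with 95.154.250.105 taken from MrC's post and the other addresses made up from documentation ranges.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the shape of a 2012-era Malwarebytes protection
# log (assumed format: "date time tz host user IP-BLOCK ip (Type: direction)").
SAMPLE_LOG = """\
2012/04/18 17:41:02 -0400 DESKTOP kam IP-BLOCK 95.154.250.105 (Type: outgoing)
2012/04/18 17:41:05 -0400 DESKTOP kam IP-BLOCK 198.51.100.7 (Type: outgoing)
2012/04/18 17:41:09 -0400 DESKTOP kam IP-BLOCK 198.51.100.9 (Type: outgoing)
2012/04/18 19:02:44 -0400 DESKTOP kam IP-BLOCK 203.0.113.5 (Type: incoming)
2012/04/18 21:15:30 -0400 DESKTOP kam IP-BLOCK 95.154.250.105 (Type: outgoing)
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ \S+ \S+ "
    r"IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>\w+)\)$"
)

def parse_blocks(text):
    """Return (timestamp, ip, direction) tuples for every IP-BLOCK line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IP-BLOCK entry; ignore
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y/%m/%d %H:%M:%S")
        out.append((ts, m["ip"], m["dir"]))
    return out

def bursts_by_minute(blocks, direction="outgoing", threshold=2):
    """Group blocks by calendar minute; keep minutes with >= threshold hits."""
    per_min = defaultdict(list)
    for ts, ip, d in blocks:
        if d == direction:
            per_min[ts.strftime("%Y-%m-%d %H:%M")].append(ip)
    return {k: v for k, v in per_min.items() if len(v) >= threshold}

def ip_counts(blocks, direction="outgoing"):
    """How often each address was blocked in the given direction."""
    return Counter(ip for _, ip, d in blocks if d == direction)

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE_LOG)
    for minute, ips in sorted(bursts_by_minute(blocks).items()):
        print(minute, len(ips), "outgoing blocks:", ", ".join(ips))
    print(ip_counts(blocks).most_common())
```

A burst of several outgoing blocks inside one minute that lines up with a known user action (closing the game) points to a shared hosting range being flagged rather than beaconing malware, which would recur on its own schedule regardless of what the user is doing.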

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.