Constant malicious attack reports


Hi to everyone :)

I am new to this forum and I need your help.

Recently my Malwarebytes has been issuing constant notifications about my computer being attacked (every 30 seconds or so).

I did an IP search and it turns out that most of these attacks come from China.

I have Kaspersky Anti-Virus along with Malwarebytes Anti-Malware and Advanced SystemCare Pro.

I did full scans, flash scans, and memory scans on all of them and there are no infections reported.

I attached DDS and Attach files in the post.

I would greatly appreciate your help :)

Thanks!

Dom

DDS.txt

Attach.txt


Hello domenicolupo and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt

How is the PC running now?

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • TDSSKiller logfile
  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?


  • 2 weeks later...

Let's try this:

The Kaspersky Rescue Disk is a bootable CD based version of Kaspersky Antivirus.

The download is in ISO format.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Download the Kaspersky Rescue Disk:

http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/ .

  • Burn the Kaspersky Rescue Disk ISO image to CD.
  • Insert the Kaspersky Rescue Disk CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
  • Follow the instructions in the initial text screen to press Enter to start Kaspersky AntiVirus.
  • Select your language (or wait a few seconds for the default English to load).
  • Your screen may go blank for several minutes while the program loads.
  • After the Kaspersky Rescue Disk loads, the database will be updated (if you have network connectivity).
    • Click the Update tab to view the update progress.
    • When the update has completed, click the Scan tab.
  • Place a checkmark in all the available drives to scan the entire system.
  • Click the "Security level" option, and select options.
    • Make sure "All Files" is selected.
    • Under "Scan of compound files" ensure all options are selected and click the OK button.
  • Click the "On threat detection" option.
    • Select "Do not prompt", "Disinfect", and "Delete if disinfection fails".
  • Click the "Start scan" button.
  • When the scan has completed, click the Reports button.
    • Click the Save button, and select your System drive (normally your C: drive).
    • In the "File name" box, name the file krd-log and click the Save button.
    • Click Close to close the Reports window.
  • Click the Exit button to close the Rescue Disk program and confirm.
    • In the lower left of the screen, left-click the red K button, select Logout, and confirm.
  • The computer will shut down.
  • Restart the computer and reboot normally.
  • Please post the log (krd-log.txt) in your next reply.


Excellent news. Let's run an online scan to verify there isn't anything left ;):

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic


Well, I spoke too soon. After I sent the last post they started up again. I'm starting to think that there is no solution to this problem.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=87abe44cb2c4ca4fa638bb0e50a2b5f0

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-07-02 11:20:31

# local_time=2012-07-02 06:20:31 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1280 16777215 100 0 11655610 11655610 0 0

# compatibility_mode=5893 16776574 100 94 407065 92789704 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=1358698

# found=2

# cleaned=0

# scan_time=24976

C:\Users\Domenico\Desktop\PDF Knjige\General Buddhism - Dharma Mind, Worldly Mind.pdf.bc! a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I

C:\Users\Domenico\Downloads\SoftonicDownloader_for_bitcomet.exe Win32/SoftonicDownloader.D application (unable to clean) 00000000000000000000000000000000 I

2 infected files.txt


Here is the log with Remove found threats checked. When it was done, I checked Delete quarantined when I finished.

# version=7

# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=87abe44cb2c4ca4fa638bb0e50a2b5f0

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2012-07-04 10:59:43

# local_time=2012-07-04 05:59:43 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1280 16777215 100 0 11786398 11786398 0 0

# compatibility_mode=5893 16776573 100 94 537853 92920492 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=1357392

# found=2

# cleaned=2

# scan_time=22540

C:\Users\Domenico\Desktop\PDF Knjige\General Buddhism - Dharma Mind, Worldly Mind.pdf.bc! a variant of Win32/Toolbar.Widgi application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Domenico\Downloads\SoftonicDownloader_for_bitcomet.exe Win32/SoftonicDownloader.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

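The two ESET runs above differ only in the Remove found threats setting, which is why the first run reports found=2 but cleaned=0 and labels both hits "unable to clean", while the second run, with remove_checked=true, deletes and quarantines them. The following Python script is an added example, not part of the thread or of ESET's tooling: it parses an ESET Online Scanner log.txt (which accumulates one "# version=" header per run) and states, for each run, whether hits were left in place because removal was never enabled. The sample log is abridged from the two runs posted above (compatibility_mode lines dropped); the regular expression for detection lines is an assumption derived from those two lines, and the verdict strings are this example's own.

```python
"""Parse an ESET Online Scanner log.txt and explain found-vs-cleaned per run."""
import re

# Abridged from the two runs posted in this thread; format is ESET's
# "# key=value" header block followed by one line per detection.
SAMPLE_ESET_LOG = r"""
# version=7
# OnlineScanner.ocx=1.0.0.6583
# remove_checked=false
# unwanted_checked=true
# utc_time=2012-07-02 11:20:31
# scanned=1358698
# found=2
# cleaned=0
C:\Users\Domenico\Desktop\PDF Knjige\General Buddhism - Dharma Mind, Worldly Mind.pdf.bc! a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Domenico\Downloads\SoftonicDownloader_for_bitcomet.exe Win32/SoftonicDownloader.D application (unable to clean) 00000000000000000000000000000000 I
# version=7
# OnlineScanner.ocx=1.0.0.6583
# remove_checked=true
# unwanted_checked=true
# utc_time=2012-07-04 10:59:43
# scanned=1357392
# found=2
# cleaned=2
C:\Users\Domenico\Desktop\PDF Knjige\General Buddhism - Dharma Mind, Worldly Mind.pdf.bc! a variant of Win32/Toolbar.Widgi application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Domenico\Downloads\SoftonicDownloader_for_bitcomet.exe Win32/SoftonicDownloader.D application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Detection line: <path> <threat name> application (<action>) <32-hex hash> <flag>.
# The path may contain spaces, so it is matched non-greedily up to a threat name
# that is followed by the literal word "application". Assumption from the two
# lines above, not an official ESET grammar.
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<threat>(?:a variant of )?\S+)\s+application\s+"
    r"\((?P<action>[^)]+)\)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>[A-Z])$"
)


def parse_eset_log(text):
    """Split log.txt into runs; ESET appends a fresh '# version=' header per scan."""
    runs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# version="):
            runs.append({"settings": {}, "hits": []})
        if not runs:
            continue  # stray text before the first header
        run = runs[-1]
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            run["settings"].setdefault(key, value)  # compatibility_mode repeats; keep first
        else:
            m = HIT_RE.match(line)
            if m:
                run["hits"].append(m.groupdict())
    return runs


def assess(run):
    """Explain the found/cleaned counters in terms of the scan options used."""
    s = run["settings"]
    found = int(s.get("found", 0))
    cleaned = int(s.get("cleaned", 0))
    report_only = s.get("remove_checked", "false") != "true"
    if found and not cleaned and report_only:
        verdict = "report-only: remove_checked=false, so 'unable to clean' means 'not asked to'"
    elif found and cleaned < found:
        verdict = "removal was enabled but some hits remain; inspect them"
    elif found:
        verdict = "all hits cleaned"
    else:
        verdict = "nothing found"
    return {"utc_time": s.get("utc_time"), "found": found, "cleaned": cleaned,
            "report_only": report_only, "verdict": verdict,
            "paths": [h["path"] for h in run["hits"]]}


if __name__ == "__main__":
    for run in parse_eset_log(SAMPLE_ESET_LOG):
        a = assess(run)
        print(f"{a['utc_time']}: found={a['found']} cleaned={a['cleaned']} -> {a['verdict']}")
        for p in a["paths"]:
            print("   ", p)
```

Both hits are potentially unwanted applications bundled with downloads rather than the kind of infection that would generate inbound connection blocks, which is consistent with the helper's later conclusion that the blocks come from the P2P client itself.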

Looking good. Let's see what programs of yours need updating:

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Here is the Security Check result, and attached are today's blocks.

Results of screen317's Security Check version 0.99.42

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Kaspersky Anti-Virus

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Spybot - Search & Destroy

JavaFX 2.1.0

Java™ 7 Update 4

Java version out of Date!

Adobe Reader X (10.1.0)

Mozilla Firefox 12.0 Firefox out of Date!

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Kaspersky Lab Kaspersky Anti-Virus 2011 avp.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

protection-log-2012-07-04.txt


I'd like to get one more look at something:

Please Launch Malwarebytes' Anti-Malware.

  • Please click Check for Updates to see if any updates are found. If so, please allow MBAM to download and install them.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.

Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK for either of the prompts and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.


Been gone for a while and just got back.

I will run the scan

I did an experiment before I left. I deleted BitComet and all its associated files and the attacks stopped. But when I downloaded it again, none of the security software on my computer detected anything in the download, but the attacks started back when I launched the program. I have friends that use BitComet but do not experience attacks like I do. Does this information help any?


Well, it sounds like BitComet is responsible for your issues. I'd suggest you leave it permanently uninstalled. May I also remind you that Malwarebytes does not condone peer-to-peer software used for illegal file sharing of copyrighted material...

Let me know how the scan goes.

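The poster established by uninstalling and reinstalling BitComet that the blocks track the P2P client; the same conclusion can be read from the protection log itself, without removing anything. The Python script below is an added example, not part of the thread or of Malwarebytes: it parses IP-BLOCK lines, groups them by owning process, local port and direction, flags groups owned by a known P2P client as swarm-peer noise, and reports which process/port pair produces most of the blocks. Its sample lines are constructed, since the attached protection log is not shown on the page, and the tab-separated field layout in LINE_RE and the process names in P2P_CLIENTS are assumptions to adjust to the real file.

```python
"""Triage Malwarebytes IP-BLOCK notifications: which remote hosts are blocked,
on which local port, and which process owns that port."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample in the tab-separated shape assumed for a Malwarebytes 1.x
# protection log (timestamp, host, user, event, detail). The real
# protection-log-2012-07-04.txt is not shown in the thread; adjust LINE_RE.
SAMPLE_LOG = (
    "2012/07/04 17:02:11 -0600\tDOMENICO-PC\tDomenico\tIP-BLOCK\t203.0.113.45 (Type: incoming, Port: 22751, Process: BitComet.exe)\n"
    "2012/07/04 17:02:41 -0600\tDOMENICO-PC\tDomenico\tIP-BLOCK\t198.51.100.7 (Type: incoming, Port: 22751, Process: BitComet.exe)\n"
    "2012/07/04 17:03:10 -0600\tDOMENICO-PC\tDomenico\tIP-BLOCK\t203.0.113.45 (Type: incoming, Port: 22751, Process: BitComet.exe)\n"
    "2012/07/04 17:03:39 -0600\tDOMENICO-PC\tDomenico\tIP-BLOCK\t192.0.2.88 (Type: outgoing, Port: 6881, Process: BitComet.exe)\n"
    "2012/07/04 17:04:12 -0600\tDOMENICO-PC\tDomenico\tIP-BLOCK\t203.0.113.9 (Type: incoming, Port: 22751, Process: BitComet.exe)\n"
    "2012/07/04 17:05:00 -0600\tDOMENICO-PC\tDomenico\tIP-BLOCK\t198.51.100.200 (Type: incoming, Port: 3389, Process: svchost.exe)\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4})\t(?P<host>[^\t]+)\t(?P<user>[^\t]+)\tIP-BLOCK\t"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>incoming|outgoing), "
    r"Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Assumed list of P2P client binaries; extend for the client actually installed.
P2P_CLIENTS = {"bitcomet.exe", "utorrent.exe", "emule.exe"}


@dataclass(frozen=True)
class Block:
    ts: str
    ip: str
    direction: str
    port: int
    process: str


def parse_blocks(text):
    """Return one Block per IP-BLOCK line; lines that do not match are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Block(m["ts"], m["ip"], m["dir"], int(m["port"]), m["proc"].lower()))
    return out


def summarize(blocks):
    """Group by (process, port, direction): block count and distinct remote IPs."""
    groups = defaultdict(list)
    for b in blocks:
        groups[(b.process, b.port, b.direction)].append(b)
    return {k: {"count": len(v), "unique_ips": len({b.ip for b in v})}
            for k, v in groups.items()}


def classify(blocks):
    """Label each group. Blocks attributed to a P2P client are swarm peers
    reaching the port the client advertised to the swarm (some peers sit on
    blacklisted ranges); every other group is left for the analyst."""
    return {key: ("p2p-peer-noise" if key[0] in P2P_CLIENTS else "review")
            for key in summarize(blocks)}


def noisiest(blocks):
    """(process, port) behind the largest share of blocks, and that share."""
    counts = Counter((b.process, b.port) for b in blocks)
    if not counts:
        return None, 0.0
    (key, n), = counts.most_common(1)
    return key, n / len(blocks)


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE_LOG)
    labels = classify(blocks)
    for key, stats in sorted(summarize(blocks).items(), key=lambda kv: -kv[1]["count"]):
        proc, port, direction = key
        print(f"{proc:14} port {port:5} {direction:8} blocks={stats['count']} "
              f"ips={stats['unique_ips']} -> {labels[key]}")
    (proc, port), share = noisiest(blocks)
    print(f"{share:.0%} of blocks belong to {proc} on port {port}")
```

On the live host, netstat -ano run from an elevated command prompt confirms which process ID is listening on the port that dominates the log; if it is the torrent client, the blocks are its peers being dropped by the IP filter, and the remedy is to stop or uninstall the client rather than to keep hunting for an infection. A group on a port owned by a system process, such as the svchost.exe entry in the constructed sample, is the one that deserves a closer look.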

This topic is now closed to further replies.