ZeeBee Posted September 3, 2012 ID:593113

I too have had this I.P 173.241.240.153 being blocked. Each time I get the message I'm on a totally unrelated site. Again I don't think I have any malware on this machine.

Msg given by Mbam:
IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 52679, Process: coreserviceshell.exe)

In Processes it shows that the Process: Coreserviceshell.exe is Trend Micro Anti-malware solution platform. Do you use Trend Micro by any chance?

I noticed this post http://forums.malwarebytes.org/index.php?showtopic=114748 so I too visited Major Geeks and I too got the IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 52679, Process: coreserviceshell.exe) message again
Maurice Naggar Posted September 4, 2012 ID:593425

Then, you saw Steven Burn's notation: The block is being caused by a geo-specific advert. The IP belongs to OpenX, and has been compromised more times than I can count.
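A small triage helper for the kind of MBAM IP-BLOCK message quoted above, added here as an example; it is not code from the thread or from Malwarebytes. It parses the block lines, counts repeat hits per destination, direction and process, and labels each group the way the thread ends up reading them: an outbound block attributed to a security product's own service (coreserviceshell.exe is listed later in ZeeBee's DDS log as Trend Micro's Solution Platform) does not tell you which application requested the page, so the useful follow-up is the one Maurice gave, the advert chain behind the IP, rather than a hunt for malware inside that process. Everything in the sample beyond the quoted message, and the assumption that such a service makes web requests on a browser's behalf, is constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of MBAM protection-log lines in the shape quoted in the thread.
# The first two lines reproduce ZeeBee's message (once with the stray spacing as
# pasted); the remaining lines are constructed to exercise the parser.
SAMPLE_LOG = """\
IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 52679, Process: coreserviceshell.exe)
IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 52679, Process:coreserviceshell.exe )
IP-BLOCK 173.241.240.153 (Type: outgoing, Port: 52701, Process: chrome.exe)
IP-BLOCK 203.0.113.9 (Type: incoming, Port: 445, Process: svchost.exe)
Scan completed, no malicious items detected
"""

IP_BLOCK_RE = re.compile(
    r"IP-BLOCK\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*"
    r"\(Type:\s*(?P<type>\w+),\s*Port:\s*(?P<port>\d+),\s*Process:\s*(?P<process>[^\s)]+)\s*\)"
)

# Security-product service processes present on this machine according to the DDS
# log in the thread (Trend Micro AMSP). Assumption for this example: such a service
# fetches web content on a browser's behalf, so an MBAM line naming it hides the
# application that actually asked for the page.
SECURITY_PRODUCT_PROCESSES = {"coreserviceshell.exe", "coreframeworkhost.exe"}


@dataclass(frozen=True)
class IpBlock:
    ip: str
    direction: str   # "outgoing" or "incoming", as MBAM reports it
    port: int
    process: str


def parse_ip_block(line: str) -> Optional[IpBlock]:
    """Parse one MBAM IP-BLOCK line; return None for lines that are not blocks."""
    m = IP_BLOCK_RE.search(line)
    if not m:
        return None
    return IpBlock(m["ip"], m["type"].lower(), int(m["port"]), m["process"].lower())


def parse_log(text: str) -> List[IpBlock]:
    return [b for b in map(parse_ip_block, text.splitlines()) if b is not None]


def summarize(blocks: List[IpBlock]) -> Counter:
    """Count blocks per (destination, direction, process) so repeat hits stand out."""
    return Counter((b.ip, b.direction, b.process) for b in blocks)


def triage(blocks: List[IpBlock]) -> Dict[Tuple[str, str, str], Tuple[int, str]]:
    """Attach a reading to each distinct (destination, direction, process) group."""
    notes = {}
    for key, n in summarize(blocks).items():
        ip, direction, process = key
        if direction == "incoming":
            label = "inbound attempt blocked; look at the gateway/firewall log, not browsing history"
        elif process in SECURITY_PRODUCT_PROCESSES:
            label = ("outbound via security product service; requesting application not shown, "
                     "correlate with page/advert traffic at the same time")
        else:
            label = "outbound from application; check what that process was loading"
        notes[key] = (n, label)
    return notes


if __name__ == "__main__":
    for (ip, direction, process), (n, label) in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{n}x {direction:8} {ip:16} {process:24} {label}")
```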
ZeeBee Posted September 4, 2012 Author ID:593547

Hi
I read a few ideas of what may have been the cause on the link http://forums.malwarebytes.org/index.php?showtopic=115307 but was not sure which was the right option.
Thank you for the clarification and your help.
Maurice Naggar Posted September 4, 2012 ID:593561

You're welcome.
I would only suggest you do a quick scan with MBAM, to make sure nothing is detected.
Then follow that up with a full scan with your antivirus program.
ZeeBee Posted September 5, 2012 Author ID:593693

Thanks. I did a full scan with my AV, and a full scan and flash scan with Mbam, Hitmanpro and TDSSKiller, and nothing turned up. I have had the IP blocked message (same IP as above) turn up once when I was not even browsing the net, just after the PC booted. Thank you again
Maurice Naggar Posted September 5, 2012 ID:593723

This pc has instant messenger (IM) programs?

Download DDS and save it to your desktop from http://download.bleepingcomputer.com/sUBs/dds.scr here or http://download.bleepingcomputer.com/sUBs/dds.com or http://www.infospyware.net/sUBs/dds
Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
DDS will run in a command prompt window and will take 3 to 4 minutes or so.
When done, DDS will open two (2) logs: DDS.txt and Attach.txt
Save both reports to your desktop. Please Copy & Paste contents of the following logs in your next reply:
DDS.txt
Attach.txt
ZeeBee Posted September 5, 2012 Author ID:593873

Hi
No I.M software is used on this computer.
The logs as requested:

DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by DogWomen at 23:09:39 on 2012-09-05
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3068.2123 [GMT 1:00]
.
AV: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\Titanium\Plugin\TMAS\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\Titanium\Plugin\TMAS\TMAS_WLM\TMAS_WLMMon.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\dogwomen\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""
mRun: [OE] "c:\program files\trend micro\titanium\plugin\tmas\tmas_oe\TMAS_OEMon.exe"
mRun: [WLM] "c:\program files\trend micro\titanium\plugin\tmas\tmas_wlm\TMAS_WLMMon.exe"
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [Keyboard Manager Utility] "c:\program files\keyboard manager\manager utility\KeyboardManager.exe" /lang en /H
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{35BC6F49-C33A-42B7-9404-52F3F48F55E4} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B5E8FDD2-6AE3-4AC0-BA78-616D7FA83328} : DhcpNameServer = 192.168.1.254
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\titanium\uiframework\ProToolbarIMRatingActiveX.dll
.
============= SERVICES / DRIVERS ===============
.
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2012-3-19 68368]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2012-3-19 200632]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2012-3-19 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-1 655944]
R2 tmeevw;tmeevw;c:\windows\system32\drivers\tmeevw.sys [2012-3-19 55056]
R2 tmnciesc;tmnciesc;c:\windows\system32\drivers\tmnciesc.sys [2012-3-19 171280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-1 22344]
R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2012-3-19 3658752]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-6-9 43040]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-04 22:42:53 -------- d-----w- c:\users\dogwomen\appdata\roaming\PeerNetworking
2012-09-02 21:32:44 -------- d-----w- c:\program files\Secunia
2012-09-01 20:34:03 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-01 20:34:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-01 20:24:45 -------- d-----w- c:\users\dogwomen\appdata\roaming\Malwarebytes
2012-09-01 20:24:33 -------- d-----w- c:\programdata\Malwarebytes
2012-08-31 10:56:02 -------- d-----w- c:\program files\CCleaner
2012-08-31 10:54:10 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-31 10:00:39 -------- d-----w- c:\users\dogwomen\appdata\local\Secunia PSI
2012-08-31 08:01:55 -------- d-----w- c:\programdata\Kaspersky Lab
2012-08-15 08:17:51 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 06:39:44 623616 ----a-w- c:\windows\system32\localspl.dll
2012-08-10 22:20:42 -------- d-----w- c:\program files\HitmanPro
.
==================== Find3M ====================
.
2012-08-31 10:53:42 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-31 10:53:42 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-17 21:10:08 965120 ----a-w- c:\windows\system32\ac3filter.acm
.
============= FINISH: 23:09:56.32 ===============

Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 19/03/2012 11:55:17
System Uptime: 05/09/2012 22:08:31 (1 hours ago)
.
Motherboard: Quanta | | TW8/SW8/DW8
Processor: Intel® Core2 Duo CPU P7350 @ 2.00GHz | CPU | 2000/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 224 GiB total, 171.015 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_0BDA&PID_0158\20071114173400000
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_0BDA&PID_0158\20071114173400000
Service: USBSTOR
.
Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_10D6&PID_1101\5&1C59D2A&0&2
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_10D6&PID_1101\5&1C59D2A&0&2
Service: USBSTOR
.
==== System Restore Points ===================
.
RP258: 15/08/2012 09:17:22 - Windows Update
RP289: 28/08/2012 23:49:37 - Removed OpenOffice.org 3.4
RP290: 29/08/2012 00:01:32 - Installed OpenOffice.org 3.4.1
RP291: 31/08/2012 08:45:25 - Installed Java 6 Update 35
RP292: 31/08/2012 11:46:38 - Removed Java 6 Update 22
RP293: 31/08/2012 11:47:32 - Removed Java 6 Update 35
RP294: 31/08/2012 11:50:08 - Removed Java 6 Update 35
RP295: 31/08/2012 11:53:11 - Installed Java 7 Update 7
RP297: 31/08/2012 14:24:59 - Res01
RP306: 03/09/2012 09:37:49 - TITANUIMRES5[0x01111101]
RP307: 03/09/2012 09:38:31 - TITANUIMRES5[0x01111101]
RP308: 03/09/2012 11:32:17 - TITANUIMRES5[0x01111101]
RP309: 03/09/2012 20:36:17 - Removed HiJackThis
RP310: 04/09/2012 22:48:15 - TITANUIMRES5[0x01111101]
RP311: 05/09/2012 12:33:30 - Scheduled Checkpoint
RP312: 05/09/2012 15:36:17 - TITANUIMRES5[0x01111101]
.
==== Installed Programs ======================
.
Adobe Reader X (10.1.4)
CCleaner
EPSON Printer Software
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java 7 Update 7
Java Auto Updater
Keyboard Manager Utility
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
NVIDIA Drivers
OpenOffice.org 3.4.1
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Trend Micro Titanium
Trend Micro Titanium Maximum Security 2012
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
.
==== Event Viewer Messages From Past Week ========
.
31/08/2012 08:39:50, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
31/08/2012 08:39:21, Error: EventLog [6008] - The previous system shutdown at 00:34:26 on 31/08/2012 was unexpected.
30/08/2012 09:34:51, Error: EventLog [6008] - The previous system shutdown at 09:31:55 on 30/08/2012 was unexpected.
05/09/2012 22:09:29, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
03/09/2012 15:09:57, Error: Microsoft-Windows-RasSstp [1] - The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The remote computer refused the network connection.
02/09/2012 14:18:26, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
02/09/2012 14:18:26, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
02/09/2012 14:18:26, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
02/09/2012 14:18:26, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
02/09/2012 14:18:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
.
==== End Of File ===========================

Thank you for your continued help, it's much appreciated
Maurice Naggar Posted September 6, 2012 ID:594013

Step 1
1. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT by doing a Right-Click on it & select Run As Administrator
4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Show all files: Click the Start button, and then click Computer. On the Organize menu, click Folder and Search Options. Click the View tab. Locate and uncheck Hide file extensions for known file types. Locate and uncheck Hide protected operating system files (Recommended). Locate and click Show hidden files and folders. Click Apply > OK.

Step 3
You will want to print out or copy these instructions to Notepad for offline reference!
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall
Close all open browsers at this point.
Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.
Using Internet Explorer browser only, go to ESET Online Scanner website: http://www.eset.com/onlinescan/
Accept the Terms of Use and press Start button;
Approve the install of the required ActiveX Control, then follow on-screen instructions;
Enable (check) the Remove found threats option, and run the scan.
After the scan completes, the Details tab in the Results window will display what was found and removed. A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt. Look at contents of this file using Notepad.
The Frequently Asked Questions for ESET Online Scanner can be viewed here: http://go.eset.com/us/online-scanner/faq
It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner. (And the prompt re-enabling when finished.) If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
Do not use the system while the scan is running. Once the full scan is underway, go take a long break
Re-enable the antivirus program.
Reply with copy of the Eset scan log
ZeeBee Posted September 7, 2012 Author ID:594321

Hi
I tried to run the ESET scan exactly as you described and the start button was totally unresponsive in IE. I did try all the advice on this page too http://go.eset.com/us/online-scanner/faq/ but nothing worked. So I downloaded the .exe version for Chrome and it ran OK.
It did not save a log file in the folder as described. Does this matter, as it found nothing? So I don't think I have anything malicious on the PC; it was just weird that a Geo-advert was blocked when I wasn't browsing and had not even opened the browser. Thank you for your kind help.
Maurice Naggar Posted September 7, 2012 ID:594343

OK. As long as ESET scan found nothing, that is good.
Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Download >> Farbar's Service Scanner utility << and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
ZeeBee Posted September 7, 2012 Author ID:594379

Hello
Fss log
----------------
Farbar Service Scanner Version: 06-08-2012
Ran by DogWomen (administrator) on 07-09-2012 at 13:33:37
Running from "C:\Users\DogWomen\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Checkup log
------------------
 Results of screen317's Security Check version 0.99.50
 Windows Vista Service Pack 2 x86 (UAC is enabled)
 Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
Trend Micro Titanium Maximum Security 2012
 Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.62.0.1300
 CCleaner
 Java 7 Update 7
 Adobe Reader X (10.1.4)
 Google Chrome 21.0.1180.83
 Google Chrome 21.0.1180.89
````````Process Check: objlist.exe by Laurent````````
 Malwarebytes Anti-Malware mbamservice.exe
 Malwarebytes Anti-Malware mbamgui.exe
 Trend Micro AMSP coreServiceShell.exe
 Trend Micro UniClient UiFrmWrk uiWatchDog.exe
 Trend Micro AMSP coreFrameworkHost.exe
 Trend Micro Titanium plugin TMAS\TMAS_OE\TMAS_OEMon.exe
 Trend Micro Titanium plugin TMAS\TMAS_WLM\TMAS_WLMMon.exe
 Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

Thank you.
Maurice Naggar Posted September 7, 2012 ID:594394

Did you do the TDSSKILLER?? I do not see that log.
The FSS & Checkup results are good.
ZeeBee Posted September 7, 2012 Author ID:594464

Hi
Yes I did the TDSSKiller scan but forgot to add the log; it was clean, no infections. I did have a look at the router's firewall and the security section is full of "IDS dos parser : tcp syn flood", "FIREWALL icmp check (1 of 1): Protocol: ICMP", "IDS dos parser : tcp syn flood", "IDS proto parser : tcp null port", "IDS rate parser : tcp rate limiting", "IDS proto parser : tcp data on syn segment", "IDS scan parser : tcp syn scan: **.**.**.**. scanned at least 20 ports", "IDS scan parser : udp port scan: **.**.**.** scanned at least 20 ports". It goes back as long as the logs have recorded. It's not just once a week, it is every day; not one day has gone past in the security logs without something being recorded.
I should say it's not my computer or ISP; I look after it for an elderly friend who needs a lot of help with her computer.
Well thanks for your help, at least the firewall is doing its job and there is no malware.
All I need to do now is find out who is trying to gain access and why, easier said than done.
Thanks again for your kind assistance.
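The router entries ZeeBee lists are the kind of background Internet noise a consumer gateway logs every day; the question a defender actually wants answered is whether any single source keeps coming back rather than how many lines there are. The following is an added example, not part of the thread and not the router's own log format beyond the message texts quoted above: it parses constructed log lines that reuse those messages, counts events per IDS category, and reports sources seen scanning on several distinct days. Timestamps and the 192.0.2.x / 198.51.100.x source addresses are constructed (the post redacted the real ones as **.**.**.**), and the "timestamp, source, colon, message" layout is an assumption; LINE_RE is the one thing to adjust for a real gateway.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed router security-log sample. The message texts are the ones quoted in
# the thread; timestamps and source addresses are made up, using RFC 5737
# documentation ranges, because the post redacted the real addresses.
SAMPLE_ROUTER_LOG = """\
2012-09-03 02:11:40 IDS dos parser : tcp syn flood
2012-09-03 02:11:41 FIREWALL icmp check (1 of 1): Protocol: ICMP
2012-09-03 09:30:02 IDS scan parser : tcp syn scan: 192.0.2.10 scanned at least 20 ports
2012-09-04 09:31:17 IDS scan parser : tcp syn scan: 192.0.2.10 scanned at least 20 ports
2012-09-04 14:02:55 IDS proto parser : tcp null port
2012-09-05 09:29:48 IDS scan parser : udp port scan: 192.0.2.10 scanned at least 20 ports
2012-09-05 18:45:03 IDS scan parser : tcp syn scan: 198.51.100.7 scanned at least 20 ports
2012-09-06 03:12:09 IDS rate parser : tcp rate limiting
2012-09-06 03:12:10 IDS proto parser : tcp data on syn segment
2012-09-07 09:30:30 IDS scan parser : udp port scan: 192.0.2.10 scanned at least 20 ports
"""

# Assumed layout: ISO timestamp, then the emitting module ("IDS <kind> parser" or
# "FIREWALL <kind> check (n of m)"), a colon, and the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<module>IDS \w+ parser|FIREWALL \w+ check(?: \(\d+ of \d+\))?)\s*:\s*(?P<msg>.*)$"
)
# Scan messages carry the remote address; other categories in the sample do not.
SCAN_RE = re.compile(r"(?P<kind>tcp syn scan|udp port scan):\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    category = m["module"].split()[1]          # dos / proto / rate / scan / icmp
    scan = SCAN_RE.search(m["msg"])
    return {"ts": ts, "category": category, "msg": m["msg"],
            "src_ip": scan["ip"] if scan else None}


def parse_router_log(text: str) -> List[dict]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def category_counts(events: List[dict]) -> Counter:
    """How much of each kind of noise the gateway recorded."""
    return Counter(e["category"] for e in events)


def persistent_scanners(events: List[dict], min_days: int = 3) -> Dict[str, int]:
    """Sources seen scanning on at least min_days distinct days.

    One-off scans from ever-changing addresses are ordinary Internet background;
    the same address returning day after day is the pattern worth reporting to
    the ISP or blocking at the gateway.
    """
    days = defaultdict(set)
    for e in events:
        if e["src_ip"]:
            days[e["src_ip"]].add(e["ts"].date())
    return {ip: len(d) for ip, d in days.items() if len(d) >= min_days}


if __name__ == "__main__":
    evts = parse_router_log(SAMPLE_ROUTER_LOG)
    print("events per category:", dict(category_counts(evts)))
    print("sources scanning on 3+ distinct days:", persistent_scanners(evts))
```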
Maurice Naggar Posted September 7, 2012 ID:594485

If you can make sense of firewall logs, more power to you.
I'd say, make sure your friend has no peer-to-peer file sharing programs. That is one possible area of network traffic.
Instant messaging programs are another.
Overall, I set my MBAM to turn on website blocking, and also to not show me the ip blocks.

You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for member Zeebee only. If you are a casual viewer, do NOT try this on your system! If you are not Zeebee and have a similar problem, do NOT post here; start your own topic
Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

Close any of your open programs while you run these tools.
On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now
Download Combofix from any of the links below, and SAVE it to your Desktop.
Link 1
Link 2
**Note: It is important that it is saved directly to your Desktop and not run straight away from download **
Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.
If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power) or a UPS system
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator". A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
A file will be created at => C:\Combofix.txt.
Notes:
[1] IF after Combofix reboot you get the message Illegal operation attempted on registry key that has been marked for deletion....please reboot the computer, this should resolve the problem. You may have to reboot the pc a second time if needed.
[2] Do not mouseclick combofix's window nor run any program while Combofix is running. That may cause it to stall.
[3] When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh
Reply & Copy & Paste contents of the C:\Combofix.txt log and tell me, How is the system now?
Re-enable your antivirus program.
ZeeBee Posted September 8, 2012 Author ID:594910
Hi
I ran ComboFix and after running it Google Chrome is running much much faster with quicker page loading time, although this could be down to the fact I changed the I.P at the same time to see if that stops the naughty stuff appearing in the firewall's security logs.
ComboFix Log:
Thanks again for your help, it is very much appreciated.
Maurice Naggar Posted September 9, 2012 ID:595156
We can wrap this up now. Combofix found nothing, as did the ESET scan earlier.
As long as your system is malware-free, and you follow safe computer usage practices, you should not freak out about IP blocks in MBAM. The bad guys are always probing, so an occasional block is not necessarily of concern. As a matter of practice, I have my MBAM notice for ip blocks turned off.
If you have a problem with these steps, or something does not quite work here, do let me know.
The following few steps will remove tools we used. Advise me after you have completed the cleanups.
We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it ComboFix), put that name in the RUN box stated just below. The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function. Note the space before the slash mark. The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
Highlight the line in this CODEBOX. Select & Copy the entire line within this codebox (so that it is in Windows clipboard memory):
    c:\users\DogWomen\Desktop\ComboFix.exe /uninstall
Start >> type in cmd >> press the Ctrl+Shift+Enter keyboard combination and cmd.exe will be launched as if you selected Run as Administrator. You will then see a User Account Control prompt asking if you would like to allow the Command Prompt to be able to make changes on your computer. Click on the Yes button and you will now be at the Elevated Command Prompt.
Do a Right click within the command prompt window and select Paste. This must show the line from the Codebox above. Then tap Enter.
IF in the case the Combofix un-install has an issue, skip that step.
NEXT
Download OTC to your desktop and run it. Click Yes to begin the Cleanup process and remove these components, including this application. You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
ERUNT you should keep and use periodically to backup the Windows registry.
Delete the following if still present:
FSS.exe
SecurityCheck.exe
TDSSKILLER.exe
Go to Control Panel >> Programs and Features and Uninstall ESET Online scanner, then exit Control Panel.
Safer practices & malware prevention
Have a hardware router between the incoming internet-modem and your computer.
Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
Check in at Windows Update and install any Critical Updates offered. Make certain that Automatic Updates is enabled. How to configure and use Automatic Updates in Windows: http://support.microsoft.com/kb/306525
Check on other update issues as well: visit Secunia Online Software Inspector (OSI). See How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector.
Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times). Tutorial for Spywareblaster: Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware.
I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm That would help to keep your browser away from known spyware/malware sites.
Make regular backups of your system to removable media: DVD, USB external hard drive, etc. Having a total image backup of your system stored on DVD/CD is highly important. Get and make use of imaging-backup utilities and save them to offline media. That way you have something to fall back to if another disaster hits.
Examples of image backup software: Acronis True Image, or the free (for personal use) Macrium Reflect http://www.macrium.com/reflectfree.asp or Paragon Backup & Recovery http://www.paragon-software.com/home/br-free/download.html
Consider using the Web of Trust WOT add-on for your browser(s): http://www.mywot.com/en/download http://www.mywot.com/en/faq/add-on
On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
ESET Online Scanner
BitDefender Quickscan
Trend Micro Housecall
F-Secure Online Scanner
Microsoft Safety Scanner
Panda ActiveScan
See Six tips to help you stay safer online.
Never, ever download free games, free tools, videos, multi-media files or anything free unless you can be absolutely sure the source is safe!
We are finished here. Best regards.
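Added example, not from the thread and not the MVPS project's own code: a small Python check that audits a hosts file like the one recommended above, confirming that every entry either blocks (maps a name to 0.0.0.0 or loopback) or names a local host, and flagging any name redirected to some other address, since a hijacked hosts entry is a common way malware keeps a machine away from antivirus and update servers. The sample hosts content and all domain names in it are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample hosts-file content (not the MVPS file, not from the thread).
# The middle lines mimic MVPS-style blocking entries; the last line mimics a
# tampered entry that redirects an update domain to a public address.
SAMPLE_HOSTS = """\
# header comment, ignored by the parser
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example          # MVPS-style block entry
0.0.0.0 tracker.example
127.0.0.1 banner.example     # older block lists used loopback instead
203.0.113.5 update.example.com   # public target: a hijack indicator
"""

# Targets a pure blocking hosts file is allowed to use.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def audit_hosts(text):
    """Classify every hosts entry as 'block', 'local' or 'suspicious'.

    Returns (counts, suspicious); suspicious holds (line_number, target, name)
    tuples for any name mapped to a non-blocking, non-loopback address.
    """
    counts = Counter()
    suspicious = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        target, *names = line.split()
        try:
            ipaddress.ip_address(target)
        except ValueError:
            # Not an IP address at all: malformed or hand-edited, flag it.
            counts["suspicious"] += 1
            suspicious.append((lineno, target, " ".join(names)))
            continue
        for name in names:
            if name in LOCAL_NAMES:
                counts["local"] += 1
            elif target in BLOCK_TARGETS:
                counts["block"] += 1
            else:
                counts["suspicious"] += 1
                suspicious.append((lineno, target, name))
    return counts, suspicious
```

Run it against the contents of %SystemRoot%\System32\drivers\etc\hosts; a blocking list should produce no suspicious entries, and anything flagged deserves a look before the next scan.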
Maurice Naggar Posted September 10, 2012 ID:595458
Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!