Jump to content

Blocked IP


Recommended Posts

I too have had this I.P being blocked. Each time I get the message I'm on a totally unrelated site. Again I don't think I have any malware on this machine.

Msg given by Mbam:

IP-BLOCK (Type: outgoing, Port: 52679, Process:coreserviceshell.exe )

In processes and it shows that the Process: Coreserviceshell.exe is Trend Micro Anti-malware solution platform. Do you use Trend micro by any chance?

I noticed this post http://forums.malwarebytes.org/index.php?showtopic=114748 so I to visited major geeks and I too got the

IP-BLOCK (Type: outgoing, Port: 52679, Process:coreserviceshell.exe ) message again

Link to post
Share on other sites

Thanks I did a full scan with my AV and full scan, flash scan with Mbam, Hitmanpro, TDSSkiller and nothing turned up. I have had the IP blocked message (same IP as above) turn up once when I was not even browsing the net just after the PC booted.

Thank you again

Link to post
Share on other sites

This pc has instant messenger (IM) programs ?

Download DDS and save it to your desktop from http://download.bleepingcomputer.com/sUBs/dds.scr here

or http://download.bleepingcomputer.com/sUBs/dds.com or


Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Please Copy & Paste contents of the following logs in your next reply:



Link to post
Share on other sites


No I.M software is used on this on this computer.

The logs as requested:



DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2

Run by DogWomen at 23:09:39 on 2012-09-05

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3068.2123 [GMT 1:00]


AV: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

SP: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


============== Running Processes ===============




C:\Windows\system32\svchost.exe -k DcomLaunch


C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup


C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService



C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe

C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup






C:\Program Files\Trend Micro\Titanium\Plugin\TMAS\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Trend Micro\Titanium\Plugin\TMAS\TMAS_WLM\TMAS_WLMMon.exe


C:\Program Files\Keyboard Manager\Manager Utility\KeyboardManager.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe


C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe


C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe





============== Pseudo HJT Report ===============


uStart Page = hxxp://www.google.co.uk/

BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll

BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll

BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll

TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [Google Update] "c:\users\dogwomen\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""

mRun: [OE] "c:\program files\trend micro\titanium\plugin\tmas\tmas_oe\TMAS_OEMon.exe"

mRun: [WLM] "c:\program files\trend micro\titanium\plugin\tmas\tmas_wlm\TMAS_WLMMon.exe"

mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"

mRun: [Keyboard Manager Utility] "c:\program files\keyboard manager\manager utility\KeyboardManager.exe" /lang en /H

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

TCP: DhcpNameServer =

TCP: Interfaces\{35BC6F49-C33A-42B7-9404-52F3F48F55E4} : DhcpNameServer =

TCP: Interfaces\{B5E8FDD2-6AE3-4AC0-BA78-616D7FA83328} : DhcpNameServer =

Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1078\TmIEPlg.dll

Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\titanium\uiframework\ToolbarIE.dll

Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - c:\program files\trend micro\titanium\uiframework\ProToolbarIMRatingActiveX.dll


============= SERVICES / DRIVERS ===============


R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2012-3-19 68368]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]

R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2012-3-19 200632]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2012-3-19 21504]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-9-1 655944]

R2 tmeevw;tmeevw;c:\windows\system32\drivers\tmeevw.sys [2012-3-19 55056]

R2 tmnciesc;tmnciesc;c:\windows\system32\drivers\tmnciesc.sys [2012-3-19 171280]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-9-1 22344]

R3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2012-3-19 3658752]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-6-9 43040]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]


=============== Created Last 30 ================


2012-09-04 22:42:53 -------- d-----w- c:\users\dogwomen\appdata\roaming\PeerNetworking

2012-09-02 21:32:44 -------- d-----w- c:\program files\Secunia

2012-09-01 20:34:03 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-01 20:34:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-01 20:24:45 -------- d-----w- c:\users\dogwomen\appdata\roaming\Malwarebytes

2012-09-01 20:24:33 -------- d-----w- c:\programdata\Malwarebytes

2012-08-31 10:56:02 -------- d-----w- c:\program files\CCleaner

2012-08-31 10:54:10 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-08-31 10:00:39 -------- d-----w- c:\users\dogwomen\appdata\local\Secunia PSI

2012-08-31 08:01:55 -------- d-----w- c:\programdata\Kaspersky Lab

2012-08-15 08:17:51 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-08-15 06:39:44 623616 ----a-w- c:\windows\system32\localspl.dll

2012-08-10 22:20:42 -------- d-----w- c:\program files\HitmanPro


==================== Find3M ====================


2012-08-31 10:53:42 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-08-31 10:53:42 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-17 21:10:08 965120 ----a-w- c:\windows\system32\ac3filter.acm


============= FINISH: 23:09:56.32 ===============






DDS (Ver_2011-08-26.01)


Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 19/03/2012 11:55:17

System Uptime: 05/09/2012 22:08:31 (1 hours ago)


Motherboard: Quanta | | TW8/SW8/DW8

Processor: Intel® Core2 Duo CPU P7350 @ 2.00GHz | CPU | 2000/1066mhz


==== Disk Partitions =========================


C: is FIXED (NTFS) - 224 GiB total, 171.015 GiB free.

D: is CDROM ()


==== Disabled Device Manager Items =============


Class GUID: {36fc9e60-c465-11cf-8056-444553540000}

Description: USB Mass Storage Device

Device ID: USB\VID_0BDA&PID_0158\20071114173400000

Manufacturer: Compatible USB storage device

Name: USB Mass Storage Device

PNP Device ID: USB\VID_0BDA&PID_0158\20071114173400000

Service: USBSTOR


Class GUID: {36fc9e60-c465-11cf-8056-444553540000}

Description: USB Mass Storage Device

Device ID: USB\VID_10D6&PID_1101\5&1C59D2A&0&2

Manufacturer: Compatible USB storage device

Name: USB Mass Storage Device

PNP Device ID: USB\VID_10D6&PID_1101\5&1C59D2A&0&2

Service: USBSTOR


==== System Restore Points ===================


RP258: 15/08/2012 09:17:22 - Windows Update

RP289: 28/08/2012 23:49:37 - Removed OpenOffice.org 3.4

RP290: 29/08/2012 00:01:32 - Installed OpenOffice.org 3.4.1

RP291: 31/08/2012 08:45:25 - Installed Java 6 Update 35

RP292: 31/08/2012 11:46:38 - Removed Java 6 Update 22

RP293: 31/08/2012 11:47:32 - Removed Java 6 Update 35

RP294: 31/08/2012 11:50:08 - Removed Java 6 Update 35

RP295: 31/08/2012 11:53:11 - Installed Java 7 Update 7

RP297: 31/08/2012 14:24:59 - Res01

RP306: 03/09/2012 09:37:49 - TITANUIMRES5[0x01111101]

RP307: 03/09/2012 09:38:31 - TITANUIMRES5[0x01111101]

RP308: 03/09/2012 11:32:17 - TITANUIMRES5[0x01111101]

RP309: 03/09/2012 20:36:17 - Removed HiJackThis

RP310: 04/09/2012 22:48:15 - TITANUIMRES5[0x01111101]

RP311: 05/09/2012 12:33:30 - Scheduled Checkpoint

RP312: 05/09/2012 15:36:17 - TITANUIMRES5[0x01111101]


==== Installed Programs ======================


Adobe Reader X (10.1.4)


EPSON Printer Software

Google Chrome

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Java 7 Update 7

Java Auto Updater

Keyboard Manager Utility

Malwarebytes Anti-Malware version

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Silverlight

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

NVIDIA Drivers

OpenOffice.org 3.4.1

Realtek High Definition Audio Driver

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Trend Micro Titanium

Trend Micro Titanium Maximum Security 2012

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)


==== Event Viewer Messages From Past Week ========


31/08/2012 08:39:50, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

31/08/2012 08:39:21, Error: EventLog [6008] - The previous system shutdown at 00:34:26 on 31/08/2012 was unexpected.

30/08/2012 09:34:51, Error: EventLog [6008] - The previous system shutdown at 09:31:55 on 30/08/2012 was unexpected.

05/09/2012 22:09:29, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

03/09/2012 15:09:57, Error: Microsoft-Windows-RasSstp [1] - The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. The remote computer refused the network connection.

02/09/2012 14:18:26, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

02/09/2012 14:18:26, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

02/09/2012 14:18:26, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

02/09/2012 14:18:26, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

02/09/2012 14:18:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}


==== End Of File ===========================

Thank you for your continued its much appreciated

Link to post
Share on other sites

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT by doing a Right-Click on it & select Run As Admisnistrator

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Step 3

You will want to print out or copy these instructions to Notepad for offline reference!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:


  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here


    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break popcorn.gifpepsi.gif

Re-enable the antivirus program.

Reply with copy of the Eset scan log

Link to post
Share on other sites


I tried to run the ESET scan exactly as you described and the start button was totally unresponsive in IE. I did try all the advice on this page too http://go.eset.com/us/online-scanner/faq/ but nothing worked. So I downloaded the .exe version for Chrome and it ran OK.

It did not save a log file in the folder as described. Does this matter as it found nothing so I don't think I have anything malicious on the PC it was just weird that a Geo-advert was blocked when I wasn't browsing and had not even opened the browser.

Thank you for your kind help.

Link to post
Share on other sites

OK. AS long as ESET scan found nothing, that is good.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
    If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Download >> Farbar's Service Scanner utility << and Save to your Desktop.

If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Admisnitrator.

If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Copy & Paste contents of FSS.txt into your reply.

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Link to post
Share on other sites


Fss log


Farbar Service Scanner Version: 06-08-2012

Ran by DogWomen (administrator) on 07-09-2012 at 13:33:37

Running from "C:\Users\DogWomen\Desktop"

Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)

Boot Mode: Normal


Internet Services:


Connection Status:


Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:


Firewall Disabled Policy:


System Restore:


System Restore Disabled Policy:


Security Center:


Windows Update:


Windows Autoupdate Disabled Policy:


Windows Defender:


WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is OK.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]


Other Services:


File Check:


C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Checkup log


Results of screen317's Security Check version 0.99.50

Windows Vista Service Pack 2 x86 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Trend Micro Titanium Maximum Security 2012

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version


Java 7 Update 7

Adobe Reader X (10.1.4)

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Trend Micro AMSP coreServiceShell.exe

Trend Micro UniClient UiFrmWrk uiWatchDog.exe

Trend Micro AMSP coreFrameworkHost.exe

Trend Micro Titanium plugin TMAS\TMAS_OE\TMAS_OEMon.exe

Trend Micro Titanium plugin TMAS\TMAS_WLM\TMAS_WLMMon.exe

Trend Micro UniClient UiFrmWrk uiSeAgnt.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1 %

````````````````````End of Log``````````````````````

Thank you.

Link to post
Share on other sites


Yes I did the TDSKILLER scan but forgot to add the log, it was clean no infections. I did have a look at the routers firewall and the security section is full of

"IDS dos parser : tcp syn flood", "FIREWALL icmp check (1 of 1): Protocol: ICMP", "IDS dos parser : tcp syn flood", "IDS proto parser : tcp null port", "IDS rate parser : tcp rate limiting", "IDS proto parser : tcp data on syn segment", "IDS scan parser : tcp syn scan: **.**.**.**. scanned at least 20 ports", "IDS scan parser : udp port scan: **.**.**.** scanned at least 20 ports". It goes back as long as the logs have recorded.Its not just once a week it is every day not one day has gone past in the security logs without some thing being recorded.

I should say its not my computer or ISP I look after it for an elderly friend who needs a lot of help with her computer.

Well thanks for your help at least the firewall is doing its job and there is no malware.

All I need to do now is find out who is trying to gain access and why, easier said than done.

Thanks again for your kind assistance.

Link to post
Share on other sites

If you can make sense of firewall logs, more power to you.

I'd say, make sure your friend has no peer-to-peer file sharing programs. That is one possible area of network traffic.

Instant messeneging programs are another.

Overall, I set my MBAM to turn on website blocking, and also to not show me the ip blocks.

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Zeebee only. If you are a casual viewer, do NOT try this on your system!

If you are not Zeebee and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power (AC power)or a UPS system

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right- click on Combo-Fix.exe on your Desktop cf-icon.jpg and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.


[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh :excl:

Reply & Copy & Paste contents of the C:\Combofix.txt log and tell me, How is the system now ?

Re-enable your antivirus program.

Link to post
Share on other sites


I ran ComboFix and after running it Google Chrome is running much much faster with quicker page loading time, although this could be down to the fact I changed the I.P at the same time to see if that stops the naughty stuff appearing in the firewalls security logs.

ComboFix Log:


ComboFix 12-09-08.02 - DogWomen 08/09/2012 19:52:44.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3068.2127 [GMT 1:00]

Running from: c:\users\DogWomen\Desktop\ComboFix.exe

AV: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}

SP: Trend Micro Titanium Maximum Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}



((((((((((((((((((((((((( Files Created from 2012-08-08 to 2012-09-08 )))))))))))))))))))))))))))))))



2012-09-08 18:59 . 2012-09-08 19:00 -------- d-----w- c:\users\DogWomen\AppData\Local\temp

2012-09-08 18:59 . 2012-09-08 18:59 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-07 14:22 . 2012-09-07 14:22 -------- d-----w- c:\users\DogWomen\AppData\Roaming\Unity

2012-09-07 13:21 . 2012-09-08 16:31 -------- d-----w- c:\users\DogWomen\AppData\Local\Unity

2012-09-04 22:42 . 2012-09-04 22:42 -------- d-----w- c:\users\DogWomen\AppData\Roaming\PeerNetworking

2012-09-01 20:34 . 2012-09-01 20:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-01 20:34 . 2012-07-03 12:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-01 20:24 . 2012-09-01 20:24 -------- d-----w- c:\users\DogWomen\AppData\Roaming\Malwarebytes

2012-09-01 20:24 . 2012-09-01 20:24 -------- d-----w- c:\programdata\Malwarebytes

2012-08-31 10:56 . 2012-08-31 10:56 -------- d-----w- c:\program files\CCleaner

2012-08-31 10:54 . 2012-08-31 10:54 -------- d-----w- c:\program files\Common Files\Java

2012-08-31 10:54 . 2012-08-31 10:53 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-08-31 10:00 . 2012-08-31 10:00 -------- d-----w- c:\users\DogWomen\AppData\Local\Secunia PSI

2012-08-31 08:01 . 2012-08-31 08:01 -------- d-----w- c:\programdata\Kaspersky Lab

2012-08-15 08:17 . 2012-07-04 14:02 2047488 ----a-w- c:\windows\system32\win32k.sys

2012-08-15 06:39 . 2012-05-11 15:57 623616 ----a-w- c:\windows\system32\localspl.dll

2012-08-10 22:20 . 2012-08-10 22:20 -------- d-----w- c:\program files\HitmanPro




(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2012-08-31 10:53 . 2012-06-07 22:22 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-08-31 10:53 . 2012-04-02 06:33 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-28 19:40 . 2012-06-28 19:40 784144 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2012-06-17 21:10 . 2012-06-17 21:10 965120 ----a-w- c:\windows\system32\ac3filter.acm



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown




"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]



"RtHDVCpl"="RtHDVCpl.exe" [2008-04-17 6111232]

"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-07-06 1304824]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 133424]

"Keyboard Manager Utility"="c:\program files\Keyboard Manager\Manager Utility\KeyboardManager.exe" [2007-08-02 4128768]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]



"EnableUIADesktopToggle"= 0 (0x0)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]









S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache


Contents of the 'Scheduled Tasks' folder


2012-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-578839235-3445313455-2016934920-1000Core.job

- c:\users\DogWomen\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-02 22:12]


2012-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-578839235-3445313455-2016934920-1000UA.job

- c:\users\DogWomen\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-02 22:12]



------- Supplementary Scan -------


uStart Page = hxxp://www.google.co.uk/

TCP: DhcpNameServer =





catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-09-08 19:59

Windows 6.0.6002 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...



c:\users\DogWomen\AppData\Local\Temp\catchme.dll 53248 bytes executable


scan completed successfully

hidden files: 1




--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'Explorer.exe'(284)

c:\program files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEHook.dll

c:\program files\Trend Micro\Titanium\plugin\TmvExt.dll

c:\program files\Trend Micro\AMSP\boost_thread-vc80-mt-1_36.dll

c:\program files\Trend Micro\AMSP\boost_date_time-vc80-mt-1_36.dll


Completion time: 2012-09-08 20:04:17

ComboFix-quarantined-files.txt 2012-09-08 19:04


Pre-Run: 188,218,855,424 bytes free

Post-Run: 188,142,743,552 bytes free


- - End Of File - - 66865A5401508EA3A4E2F2EA9A3D8196

Thanks again for your help it is very much appreciated.

Link to post
Share on other sites

We can wrap this up now. Combofix found nothing, as did the ESET scan earlier.

As long as your system is malware-free, and you follow safe computer usage practices, you should not freak out about IP blocks in MBAM.

The bad guys are always probing, so an occasional block is not necessarily of concern.

As a matter of practice, I have my MBAM notice for ip blocks turned off.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used. Advise me after you have completed the cleanups.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( you had named it ComboFix icon_exclaim.gif),

put that name in the RUN box stated just below.

The "/uninstall" in the Run line below is to start Combofix for it's cleanup & removal function.

Note the space before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Highlight the line in this CODEBOX.
    Select & Copy the entire line within this codebox (so that it is in Windows clipboard memory)
    c:\users\DogWomen\Desktop\ComboFix.exe /uninstall

  • Start >> type in cmd >> press the Ctrl+Shift+Enter keyboard combination and cmd.exe will be launched as if you selected Run as Administrator. You will then see a User Account Control prompt asking if you would like to allow the Command Prompt to be able to make changes on your computer. Click on the Yes button and you will now be at the Elevated Command Prompt.
    Do a Right click within the command prompt window and select Paste. This must show the line from Codebox above.
    Then tap Enter

IF in the case Combofix un-install has an issue, skip that step.


  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

ERUNT you should keep and use periodically to backup Windows registry.

Delete the following if still present:




Go to Control Panel >> Programs and Features and Uninstall ESET Online scanner

exit Control Panel.

Safer practices & malware prevention

We are finished here. Best regards. cool.gif

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.