alien svchost calling home to 46.249.61.9n


Hello, Malwarebytes support,

 

At 22 second intervals, Mwb is reporting:

 

Successfully blocked access to a potentially malicious website: 46.249.61.9n

Type: Outgoing

Port: 5154x. Process: svchost.exe

 

I'm very pleased that Mwb is intercepting this malware's attempts to call home.

I would be even more pleased if there were a way to remove the malware altogether.

Mwb, Avast!, and McAfee don't find it.  It's like the wind: you can't see it, but you can see its effects.

 

I'm running RogueKiller now and will report back.

 

Thank you.

 

gospelmidi

attach.zip

dds.txt

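The block notifications quoted in the post above, one every 22 seconds from svchost.exe to the same destination, are the signature of a beaconing implant: it retries on a timer, so the gaps between attempts are nearly equal, while a browser or updater produces bursty, irregular gaps. As an added example that is not part of the original thread, the Python below parses constructed block-log lines and flags process/destination pairs whose outbound attempts recur at a near-constant interval. The line layout is a simplified one made up for this example, not the Malwarebytes log format; the timestamps, ports and the documentation-range destination address are all constructed and are not the values from the post.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: one line per blocked outbound connection, in a simple
# "timestamp BLOCK dest direction port process" layout built for this example.
# It carries the same fields the notifications in the post show (destination,
# direction, port, process) but is NOT the real Malwarebytes log format, and the
# destinations are documentation-range placeholders, not the address in the post.
SAMPLE_LOG = """\
2013-10-10 21:14:02 BLOCK 203.0.113.9 Outgoing 51541 svchost.exe
2013-10-10 21:14:24 BLOCK 203.0.113.9 Outgoing 51542 svchost.exe
2013-10-10 21:14:46 BLOCK 203.0.113.9 Outgoing 51543 svchost.exe
2013-10-10 21:15:08 BLOCK 203.0.113.9 Outgoing 51544 svchost.exe
2013-10-10 21:15:30 BLOCK 203.0.113.9 Outgoing 51545 svchost.exe
2013-10-10 21:15:52 BLOCK 203.0.113.9 Outgoing 51546 svchost.exe
2013-10-10 21:14:10 BLOCK 198.51.100.7 Outgoing 49211 chrome.exe
2013-10-10 21:14:13 BLOCK 198.51.100.7 Outgoing 49215 chrome.exe
2013-10-10 21:15:40 BLOCK 198.51.100.7 Outgoing 49380 chrome.exe
2013-10-10 21:15:41 BLOCK 198.51.100.7 Outgoing 49381 chrome.exe
2013-10-10 21:16:55 BLOCK 198.51.100.7 Outgoing 49502 chrome.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK "
    r"(?P<dest>\S+) (?P<direction>\S+) (?P<port>\d+) (?P<process>\S+)$"
)


def parse_events(text):
    """Return one dict per well-formed block line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "dest": m["dest"],
            "direction": m["direction"],
            "port": int(m["port"]),
            "process": m["process"],
        })
    return events


def find_beacons(events, min_events=5, max_jitter=0.2):
    """Flag (process, dest) pairs whose outbound blocks recur at a near-constant interval.

    Jitter is the sample standard deviation of the inter-arrival gaps divided by
    their median: a timer-driven implant scores near 0, bursty user traffic well
    above 1. Pairs with fewer than min_events hits are ignored to avoid noise.
    """
    groups = defaultdict(list)
    for e in events:
        if e["direction"].lower() == "outgoing":
            groups[(e["process"], e["dest"])].append(e["ts"])

    findings = []
    for (process, dest), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:  # stdev needs at least two gaps
            continue
        median = statistics.median(gaps)
        if median <= 0:
            continue
        jitter = statistics.stdev(gaps) / median
        if jitter <= max_jitter:
            findings.append({
                "process": process,
                "dest": dest,
                "count": len(stamps),
                "median_interval_s": median,
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_events(SAMPLE_LOG)):
        print(f"{f['process']} -> {f['dest']}: {f['count']} blocks every "
              f"~{f['median_interval_s']:.0f}s (jitter {f['jitter']})")
```

On the constructed sample only the svchost.exe pair is reported (median gap 22 s, jitter 0); the chrome.exe pair has the same number of hits but its gaps of 3, 87, 1 and 74 seconds give a jitter above 1. Because svchost.exe is a legitimate host for many Windows services, the process name alone proves nothing; the periodic pattern to one destination is what should prompt a look at which service or injected module inside that svchost instance owns the socket.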

At this point, I want to give it a double boot, into the next county.

But no, it is not a dual boot system.  Ubuntu might be a good thing for it, considering.

 

HP Pavilion g7-1019wm notebook with original BIOS

(out of warranty and no support available)

Windows 7 Home Premium, fully updated with Windows Update

Intel Pentium 2.27 GHz (dual core)

2 x 2GB Crucial DDR3-1066

WDC 500GB (slow) HDD

Radeon video adapter

Realtek network adapter

Synaptic touchpad

 

It is only after installing Malwarebytes that the BSODs (1e 0xFFFFFFFFC0000005) have stopped long enough to fix anything.  I hope that fixing the malware phoning home will also be the fix for the 1e BSODs.

 

Thank you for your expert help.


1. Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

Image1.png

 

4. Double-click on the mbar.exe file. You may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run, and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers, you will see a message stating that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

mbarwm.png

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning, you will go from step 4 to step 6.)

 

6. The following image opens, select Next.

 

Image2.png

 

7. The following image opens, select Update

 

Image3.png

 

8. When the update completes select Next.

 

Image4.png

 

9. In the following window ensure "Targets" are ticked. Then select "Scan"

 

Image5.png

 

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

MBAntiRKcleanA.png

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

Image6.png

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 


  • Internet access
  • Windows Update
  • Windows Firewall

 

14.  If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

 

15. Press "Y" on your keyboard, then tap Enter.

 

16. The fix will be applied; press any key to exit.

 

17. Let me know how your system now responds. Copy and paste the following two logs from the mbar folder:

 

  • System - log
  • Mbar - log (the date and time of the scan will also be shown)

 

Thanks,

 

Kevin...

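Step 13 of the instructions above asks you to confirm that Windows Firewall is functional, and the question of how to check that comes up later in the thread. As an added example that is not part of the original instructions, the Python below reads the output of `netsh advfirewall show allprofiles` (the built-in command on Vista and Windows 7) and reports which firewall profiles are OFF. The sample output is a constructed, abbreviated copy of what that command prints on an English Windows 7 system; the `firewall_state_live` helper, which runs the real command, is this example's own convenience and is not a Malwarebytes or Microsoft tool.

```python
import re
import subprocess
import sys

# Constructed sample of `netsh advfirewall show allprofiles` output, cut down to
# the lines this check reads (the real command prints many more settings per
# profile). Assumed to follow the English Windows 7 wording; localized builds
# translate these labels, so the regexes below would need adjusting there.
SAMPLE_NETSH = """\

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Ok.
"""

PROFILE_RE = re.compile(r"^(Domain|Private|Public) Profile Settings:\s*$")
STATE_RE = re.compile(r"^State\s+(ON|OFF)\s*$")


def parse_profiles(text):
    """Map each firewall profile name to its State (ON/OFF) from netsh output."""
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = STATE_RE.match(line)
        if m and current:
            profiles[current] = m.group(1)
            current = None  # only the first State line of each profile block counts
    return profiles


def disabled_profiles(text):
    """Names of the profiles whose firewall is OFF, sorted alphabetically."""
    return sorted(name for name, state in parse_profiles(text).items() if state == "OFF")


def firewall_state_live():
    """Run netsh on a Windows host and parse its real output (assumed helper)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("netsh advfirewall is only available on Windows")
    out = subprocess.run(
        ["netsh", "advfirewall", "show", "allprofiles"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_profiles(out)


if __name__ == "__main__":
    # On Windows read the live state; elsewhere fall back to the constructed sample.
    profiles = firewall_state_live() if sys.platform.startswith("win") else parse_profiles(SAMPLE_NETSH)
    for name, state in sorted(profiles.items()):
        print(f"{name:8} {state}")
    off = disabled_profiles(SAMPLE_NETSH) if not sys.platform.startswith("win") else \
        sorted(n for n, s in profiles.items() if s == "OFF")
    print("Firewall disabled for:", ", ".join(off) if off else "none")
```

A profile showing OFF after a cleanup is worth treating as damage to repair (the `fixdamage` tool mentioned in step 14 targets exactly this kind of setting), and a profile that is ON but whose policy line no longer reads `BlockInbound` deserves the same attention, since malware that cannot disable the firewall outright sometimes loosens its policy instead.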

Thank you, Kevin, for superb tech support.  The notebook runs like a gazelle.

No further problems are evident.  But how do I check the Windows Firewall?

 

It's all good. 

 

Would you prefer that I buy Mwb Pro, or transfer $20 to your Paypal account?

 

Thank you, thank you, thank you, Kevin.

 

gospelmidi

Christ died for our sins, and He rose from the dead,

because even death could not hold God captive.

mbar-log-2013-10-11 (06-43-44).txt

system-log.txt


Yep, very nasty bootkit infection; mbar has done a very good job. It is imperative that we run an online AV scan to ensure there are no remnants of the infection remaining...

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run as admin.

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use, then click Start
  • When asked, allow the add-on to be installed, then click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked, then click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete:

If no threats were found:

  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found

If threats were found:

  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN to the desktop
  • Click on Back
  • Put a checkmark in "Uninstall application on close"
  • Click on Finish
  • Close the program
  • Copy and paste the report here

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Regarding the $20 you mention, yes, I'd advise you pay for Malwarebytes Pro.

 

Kevin...


Root Admin:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
