Connection Refused Problem

[RonF]

Dear Helper:

 

I am using Windows XP on a Gateway desktop.

 

I have downloaded and installed (overwritten) Malwarebytes free edition several times but each time that I tried to update the database I got the following error message from the Malwarebytes website:

 

    PROGRAM_ERROR_UPDATING (0,0,Connection refused)

 

This refusal occurred from the very first download of Malwarebytes when it prompted me to download a new database.

 

I have run Malwarebytes with the outdated database (now over 190 days old) and finally found no problems, yet I still cannot download an updated database, nor can I remove the Mixi DG V8 Toolbar using either Malwarebytes or the Change/Remove button in Setttings/Add or Remove Programs in Control Panel.

 

In addition, I am not able to connect to sites using my preferred browser, which is the latest version of Firefox, 26.0.  Fortunately, I finally got Windows explorer to work when I downloaded Version 8.0.

 

I've done everything I know about in the browser control items but nothing has worked.

 

You help would be greatly appreciated.

 

The dds.txt and attach.txt files are attached.dds.txtattach.txt

 

Sincerely,

 

RonF

[kevinf80]

Hello and

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

                                     

• Make sure to get the correct version for your system.
  
• Quit all running programs
  
• Please disconnect any USB or external drives from the computer before you run this scan!
  
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  
• Wait until Prescan has finished...
  
• The following EULA will appear, please select accept
   
  
   
  
• Ensure MBR scan, Check faked and AntiRootkit are checked
  
• Select Scan
   
  
   
  
• When the scan completes select Report, copy and paste that to your reply.
   
  
   
  
• The log should be found in RKreport[?].txt on your Desktop
  
• Exit/Close RogueKiller
  
  
   
  Kevin

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

[AdvancedSetup]

Topic reopened per user request

[kevinf80]

As you have requested the thread to be re-opened can you post the RogueKiller log and we can progress from there..

 

Kevin...

[RonF]

Kevin:

 

Here are the files again.  I presume these are the ones you want to review.

 

 attach.txtdds.txtRKreport0_S_01272014_154146.txt

 

Thanks much.

 

RonF

[kevinf80]

1.Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

 

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.

 

 

7. The following image opens, select Update

 

 

8. When the update completes select Next.

 

 

9. In the following window ensure "Targets" are ticked. Then select "Scan"

 

 

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 

• 
       
• Internet access
       
• Windows Update
       
• Windows Firewall
  

 

14.  If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log   Date and time of scan will also be shown

 

Thanks,

 

Kevin...

[RonF]

Hi, Kevin:

 

When I downloaded Malwarebytes Anti-Rootkit from this link:
 
 http://www.malwarebytes.org/products/mbar/

 

only the mbar-1.07.0.1.009.exe file came through.  There was no folder that included 'fixdamage'.

 

I opened and ran the mbar file and no message was displayed from Step 4 concerning a rootkit problem.

 

When I selected Update, the following message appeared "Failed: Connection Refused".  This is the same problem as before.  Repeated attempts to update yielded the same result.  (Malwarebytes continually displays a window telling me that the file is 299 days old.)

 

So, I continued running mbar without the update and it displayed this message: "Scan Finished: No

[RonF]

Hi, Kevin:

 

When I downloaded Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

only the mbar-1.07.0.1.009.exe file came through.  There was no folder that included 'fixdamage'.

 

I opened and ran the mbar file and no message was displayed from Step 4 concerning a rootkit problem.

 

When I selected Update, the following message appeared "Failed: Connection Refused".  This is the same problem as before.  Repeated attempts to update yielded the same result.  (Malwarebytes continually displays a window telling me that the file is 299 days old.)

 

So, I continued running mbar without the update and it displayed this message: "Scan Finished: No malware found!"

 

I ran it a second time with the same result.

 

How can I get a separate update file that mbar will find to rerun the program?

 

How do I get a copy of 'fixdamage' to run?

 

[ For some reason this message was automatically posted before I finished it! ]

 

Thanks much.

 

RonF

 

PS: Do you think this is a lost cause?!?!  I don't know what may be preventing updates for some applications, while Symantic antivirus updates come through normally!

[kevinf80]

Not sure what is happening, when you select the link I gave you should d/l a MBar, when that is run (double click) a self extracting executable should open and ask where to extract the MBAR folder to, did that not happen. I attach 2 images of the first two steps.... Notice the second one asks where to extract MBAR folder to, it does default to the Desktop.

 

Ok leave that for now and run the following...

 

Please download RKill from here: http://www.bleepingcomputer.com/download/rkill/

 

There are three buttons to choose from with different names on, select the first one and save it to your desktop.

 

• Double-click on the Rkill desktop icon to run the tool.
  
• If using Vista or Windows 7, right-click on it and Run As Administrator.
  
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  
• A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  
• If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  
• If the tool does not run from any of the links provided, please let me know.
  

 

If RKill runs successfully see if Malwarebytes will update and run a Quick scan (Not MBAR)

 

 

[RonF]

Kevin:

 

I finally got RKill to run.  The resulting Rkill.txt file is attached.Rkill.txt

 

Reran Malwarebytes but it will not update -- same result with message "Connection refused".

 

RonF

 

 

 

 

[kevinf80]

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

• Ensure that Combofix is saved directly to the Desktop <--- Very important
   
  
• Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
   
  
• Close any open browsers and any other programs you might have running
   
  
• Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
   
  
• Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
   
  
• If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
   
  
• When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review
  

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

 

*EXTRA NOTES*

• 
  

    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

 

Post the log in next reply please...

 

Kevin

[RonF]

Kevin:

 

I downloaded and started Combofix successsfully, but it could not install the Recovery Console.  I ran it to its conclusion but could not find a file named ComboFix.txt anywhere on the computer.  No Search results for that filename.  Is ther possibly another name for that file?

 

Should I run it again?

 

Thanks.

 

RonF

[kevinf80]

The log Combfix creates is save here: C:\Combofix.txt

 

So you select start > my computer > C:\ > when you expand C:\ the log should be there?

[RonF]

Kevin:

 

For some reason my replies to you are disappearing!!!  Here I go again...

 

I reran ComboFix and found the file ComboFix.txt

 

I note that  it reports that Symantic Firewall in enabled, but I had turned it Off!  I also turned off Windows Firewall but the Security Center says it is ON!  I'm stumped.

 

Something is running that knows how to protect itself.

 

RonF

 

PS: Better get some sleep!

[kevinf80]

That log is from the second run of Combofix, I need to see the log from the first run. It will be here :- C:\QooBox\ComboFix2.txt

[RonF]

Kevin:

 

C:\QooBox\ComboFix2.txt is not on my machine, only ComboFix.txt  (422 Bytes). 

 

Should I run ComboFix again?

 

How do I instal the Recovery Console?

 

I ran MalwareBytes again with the oudated file and it found 1 PUM.Disabled.SecurityCenter

 

RonF

[RonF]

Kevin:

 

How can I manually download the current  MalwareBytes database file so that it will recognize the new one and not the outdated one?

 

I ran mbam.exe /update, but it refused to connect, too.  I can't find any information in MalwareBytes Help that tells me how to download the database to a different computer and then move the file to the infected computer.

 

Should I try to run Chamelion?  Or does it use the same database?

 

Cheers!

 

RonF

[kevinf80]

The CF log you posted did indicate that there had already been a previous run:

 

ComboFix-quarantined-files.txt  2014-01-30 01:29
ComboFix2.txt  2014-01-29 22:55

 

As you see Combofix2.txt was appended to the log, these logs are numbered in reverse, so at present ComboFix2.txt is actually the log from the first run, When CF is run for the first time the folder Qoobox is created, unless CF is uninstalled that folder is saved and runs from c:\

 

The initial run log is very important because anything that was removed would show in the log, also this file was also created ComboFix-quarantined-files.txt to show what was removed, that too would be in Qoobox folder.

 

The only issue I can think of is malware intervention, maybe causes the issues we see....

 

See if you can run the following:

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

•  

   

• Double-click to run it. When the tool opens click Yes to disclaimer.

   

   

• Press Scan button.

   

   

• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

   

   

• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

   

   

 

 

Post both logs...

 

Kevin

[RonF]

Kevin:

 

The FRST program ran and produced both files, which are attached: 

 

Addition.txtFRST_31-01-2014_13-17-12.txt

 

Looks like a lot of errors are listed.

 

What is the MixiDJV8 Toolbar program?  That is the program that I can NOT remove using the Add or Remove Programs button in Control Panel!

 

Thanks,

 

RonF

 

PS:  I'm using the 32 bit Professional Version of XP

[kevinf80]

Qoobox is listed as present, can you please check and see what files are inside,,

 

Navigate > Start > My Computer > C:\ > Expand C:\ Drive and open, is Qoobox there?

[RonF]

Kevin:

 

I found Qoobox.  Some files from it are attached:

 

catchme.log

ComboFix-quarantined-files.txt

Add-Remove Programs.txt

ComboFix2.txt

 

 

 

[kevinf80]

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

When you run CF this time it will offer to install the Recovery Console, accept that option....

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

• Ensure that Combofix is saved directly to the Desktop <--- Very important
   
  
• Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
   
  
• Close any open browsers and any other programs you might have running
   
  
• Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
   
  
• Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
   
  
• If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
   
  
• When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review
  

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

 

*EXTRA NOTES*

• 
  

    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

 

Post the log in next reply please...

 

Let me see those two logs in next reply, also give an update on any remaining issues or concerns...

 

fixlist.txt

[RonF]

Kevin:

 

I completed the preparatory work, read the instructions on the web, and then ran Combofix.

 

Combofix attempted to download the Recovery console but was unable to do so (blocked).

 

I continued with the Combofix run, and it produced the file log.txt.  The file warns that Recovery console is not installed.

 

I have not shut the computer down yet and I'm using a different computer for this conversation, because the systray is not the usual one, and I don't know whether it is OK for me to reboot the infected computer so that I can send log.txt and Fixlog.txt to you from the infected machine.

 

What's next?

 

RonF

[kevinf80]

No logs from FRST fix or Combofix?