
For some time now, Malware Bytes has been popping up to tell me it blocked an outgoing connection to IP 174.137.132.45.  A quick check of today's log shows that MB has blocked attempts to connect to this site 22 times over the past 12 hours and the log entry reads something like:

IP-BLOCK 174.137.132.45 (Type: outgoing, Port <1, 3, or 5 digit port number>, Process: iexplore)

[see attached log].  That IP address appears to be registered to Webair Internet Development Company Inc. of Garden City, NJ, but I note that a tracert fails for "too many hops".

I also know that something is depositing an HKCR Registry Key that Malware Bytes finds and deletes [delete works only if IE is turned off during the scan].  Otherwise, MB, MB Anti-rootkit, and MSE anti-virus detect nothing.

 

Got any idea what's going on?

-----Bob H-----

 

protection-log-2014-01-20.txt


Hello,

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Read here regarding Webair: http://www.forumpostersunion.com/showthread.php?t=4903  The IP address etc. may differ but the history is the same.

 

Run the following:

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Kevin...


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log.

 

Let me see those logs, and also give an update on any remaining issues or concerns.

 

Kevin

fixlist.txt


Run this please.

 

Download Zoek.zip from here http://www.hijackthis.nl/smeenk/220813/zoek.zip and save that zip file to your Desktop. Make sure to click directly on the word “Zip”.

Double click the zip file and extract to your Desktop:


[screenshot: Zoekd.jpg]


You will now have 3 versions of the tool on the Desktop:


[screenshot: Zoeke.jpg]

Before running Zoek make sure all browsers are closed and security software is turned OFF. Check the following link: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Double click on each in turn until one version of Zoek runs (accept UAC). The following window will open:


[screenshot: Zoekb.jpg]


Copy the following script from the code box and paste it into the field.


standardsearch;autoruns;autoclean;emptyclsid;emptyalltemp;installedprogs;


Select the "Run Script" tab. The following window will open:



[screenshot: Zoekc.jpg]



Please be patient and do not use the PC when the scan is in progress.

When complete you may be asked to reboot your PC; if so, please do.

[screenshot: Zoekf.jpg]

Post the produced log in your next reply, and also let me know of any remaining issues or concerns.

 

Kevin


Hi Kevin:

 

After first unplugging my Internet connection and disabling the Security "stuff", I successfully ran Zoek.exe and the results log is attached.

 

Also attached is the latest MBAM log, which shows that, in addition to the 174.137.132.45 IP address previously reported, earlier today IE attempted to connect to two new ones--193.169.104.1 and 174.137.132.45.  Argh!

-----Bob H-----

 

 

zoek-results.log

protection-log-2014-01-22.txt


Hi Kevin:

 

Well, I didn't need 24 hours.  Minutes ago, IE made three attempts to connect to that 174.137.132.45 site.  What happened at approximately that time is that I brought up Ancestry.com's ROOTSWEB Worldconnect database site.  It used to be true that when I did that, ROOTSWEB would blap up an ad for this that or the other thing; however, no ads appear.  So I just wonder if somehow, when I load that site, my machine is attempting to make a connection to their adserver and MBAM is blocking it. Does that make sense?

 

-----Bob H-----


Hi Kevin:

 

BINGO!  I believe I can prove that the culprit that is causing the attempts to access IP 174.137.132.45 is the ROOTSWEB/Ancestry Worldconnect database site at http://wc.rootsweb.ancestry.com .  I have been opening the MBAM protection log every time I bring up a web site and just now, when I was working on the above site via IE, a connection attempt was made; and since yesterday afternoon, no other connection attempts were made.  So I brought up my Firefox browser, went through the same motions, and lo, another connection attempt was immediately made.  It looks like it happens whenever the link to display an individual's "descendancy" is clicked and also when the link to display an individual's ancestors ("ahnentafel") is clicked, and I know not what other links on that site might cause it as well.  So it looks like the thesis that the site is trying to connect to an adware server may be a good one.

My guess is that either ROOTSWEB/Ancestry recently changed their adware server, or MBAM has recently picked it up as a "problem" IP address.

 

Thanks for all your help.  Cleaning out that bunch of garbage, although said garbage probably wasn't the actual cause of the problem, was a valuable (at least to me) side benefit!

 

-----Bob H-----

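A small triage script, added here as an example and not part of the thread, that applies the reasoning of the posts above: it parses protection-log lines in the shape Bob quoted in his first post, groups the blocks by destination IP and originating process, and flags a destination as browser-driven when every block came from a browser (what you would expect from an ad or tracker host loaded by a web page) rather than from some other process on the machine. The timestamp prefix, the "Port:" colon, the svchost line and the 30-second visit window are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log. The line shape follows the thread's quoted entry
# "IP-BLOCK 174.137.132.45 (Type: outgoing, Port ..., Process: iexplore)"; the
# timestamp prefix, the "Port:" colon and the svchost line are assumptions.
SAMPLE_LOG = """\
2014/01/22 13:58:41 IP-BLOCK 174.137.132.45 (Type: outgoing, Port: 49211, Process: iexplore)
2014/01/22 13:58:43 IP-BLOCK 174.137.132.45 (Type: outgoing, Port: 49212, Process: iexplore)
2014/01/22 15:10:07 IP-BLOCK 193.169.104.1 (Type: outgoing, Port: 80, Process: svchost.exe)
2014/01/22 16:22:30 IP-BLOCK 174.137.132.45 (Type: outgoing, Port: 51033, Process: firefox)
"""
TS_FMT = "%Y/%m/%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) IP-BLOCK (?P<ip>[\d.]+) "
    r"\(Type: (?P<dir>\w+), Port: (?P<port>\d+), Process: (?P<proc>[\w.]+)\)$"
)
BROWSERS = {"iexplore", "firefox", "chrome"}  # processes that load web pages
def parse_log(text):
    """One dict per IP-BLOCK line; anything that does not match is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], TS_FMT)
        d["port"] = int(d["port"])
        d["proc"] = d["proc"].lower().removesuffix(".exe")  # "svchost.exe" -> "svchost"
        events.append(d)
    return events
def summarize(events):
    """Per destination IP: hit count, originating processes and a triage verdict.
    Only-browser blocks point at page content; any other process needs a closer look."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        procs = sorted({e["proc"] for e in evs})
        verdict = "browser-driven" if set(procs) <= BROWSERS else "investigate-process"
        report[ip] = {"count": len(evs), "processes": procs, "verdict": verdict}
    return report
def blocks_near(events, visit_ts, window_s=30):
    """Blocks within window_s seconds after a page visit (Bob's test: open the
    suspect site, then check whether a block shows up right away)."""
    start = datetime.strptime(visit_ts, TS_FMT)
    end = start + timedelta(seconds=window_s)
    return [e for e in events if start <= e["ts"] <= end]
```

Run it against a real protection log by replacing SAMPLE_LOG with the file contents, after adjusting LINE_RE to the exact line format your Malwarebytes version writes.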

Excellent piece of detective work. If there are no other issues, I guess we can clean up.

 

Uninstall adwcleaner.exe

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Click Yes at "Would you like to Uninstall Adwcleaner".

 

 

Next,

 

We need to remove FRST, but first it is very important to deal with its own Quarantine folder by using FRST itself.

OK, we continue:

Delete any fixlist.txt file previously used, then continue:
 
Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.
 
Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action; delete it if successful.

Next,
 
Delete FRST.exe from your Desktop or the folder it was saved to, then navigate to and delete its folder C:\FRST.

 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

 

Make sure the following items are checked:

  • Remove disinfection tools
  • Purge System Restore

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Let me know if the clean up completes OK, and also of any remaining issues or concerns.

 

Thank you,

 

Kevin

fixlist.txt


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
