Cannot cure "successfully blocked" for 5.45.64.145/5.45.69.131

A friend's Vista laptop (his wife is an AOL user, so AOL email is involved) was in need of help. I installed a proper anti-virus (Microsoft Security Essentials) as well as Anti-Malware.

Almost immediately after installing MBAM I began to see popups about "successfully blocked access..." for two sites: 5.45.64.145 and 5.45.69.131, which are both well known problems registered in the Netherlands.

The initial scan by MBAM produced about 15 items which I purged, and then re-booted. No change. Still fairly regular popups for blocking of these two sites, whether using IE7, newly installed Firefox 26, or AOL.

Cleaned out all cookies and history from IE, deleted all TEMP folders, re-booted. No change. Still fairly regular popups advising MBAM blocking these two sites.

Applied all Windows Updates for Vista, including application of Service Pack 3. This installs IE8, and I further upgraded to IE9. Once again, still can't stop these accesses to the two sites.

Upgraded AOL from 9.1 to 9.5. Still no change. Obviously something is still "active" and attempting to contact these two sites, which has escaped detection.

I'm kind of at my wits' end here, and looking for outside assistance. Is there a "more robust" piece of anti-malware software which might finally get to the bottom of this?

Many thanks in advance for any advice or direction.


Forgot to mention that subsequently, I did a second "quick scan" with MBAM and 3 additional items were found. Again, I purged them (including deleting them from quarantine). Still no change.

I'm currently about 3/4 through with a FULL SCAN of C, but so far zero has been detected.

Whatever is the culprit here, it does appear to be escaping detection by MBAM Pro.


Full scan eventually finished. 2 more items found, but apparently were unrelated to whatever is repeatedly attempting to contact the two European IP addresses.

Thanks to a SevenForums member (where I'd posted a similar thread in their Security forum), I was pointed to the MBAM option (on the Protection tab) to suppress the bubble popup message when IP addresses were blocked. I un-checked that settings box, but the attempts to contact 5.45.64.145 (by now almost every 5 seconds) did not stop.

In desperation I then re-booted, and following the re-boot sure enough the bubble messages now were indeed being suppressed. WHEW!!

I checked the LOG, and sure enough the blocked IP addresses are still being reported, with considerable frequency. But thankfully the bubble messages are no longer appearing.

So I'm back mostly to where I want to be, with at least a user-friendly experience on the desktop while still seeing MBAM silently block access to the malicious IP addresses while also still reporting the blocked IP attempts on the LOG.

Which brings me back to still wanting to locate and remove the actual CULPRIT, whatever that is. Any guidance on this one?


One more clue as far as how/when the particular culprit rogue code is triggered to "phone home".

It appears directly tied to an access to the Internet. So it happens when the machine is re-booted, it happens when I remotely access the machine (through RealVNC), it happens when any browser (IE or Firefox) is launched and used, it happens when AOL is launched and used, etc.

I know this doesn't provide much information, but it does perhaps provide a clue to the type of malicious mechanism at work here, which might be helpful in devising a defensive strategy or actually rooting it out and removing it.


Using Resource Monitor, it appears (at least in this Windows session) to be related to service PID=876, which is running through the appearance of SVCHOST.EXE (DcomLaunch). Other than that, there's not much of any identification to go on.

However it does appear to be attempting to contact 62.75.136.158/159, which are two IP addresses in Russia registered to Abuzam.net. I'm guessing these are what externally appear eventually as 5.45.64.145 and 5.45.69.131 for MBAM to block, as the 5.45 addresses never actually showed up in Resource Monitor whereas the 62.75 addresses did.

I have not yet tried to simply "remove" that PID=876 service task.

r9ex.jpg

niu6.jpg

Through SysInternals there was some seemingly relevant information revealed as a clue here, for PID=876. Again, the annotation of DcomLaunch appears closely involved.

0d8u.jpg

I did a "search" on the Vista machine for Dcom, and didn't find much that might be applicable other than the "Microsoft remote assistance DcomServer" folder. But I have the same folder on my own Win7 machine, so it looks probably legit... although that may be precisely the "ruse".

vl0x.jpg

Doing an Interweb search for "DcomLaunch malware", this seems to be a common ploy. But I guess I've reached the end of my skill level in terms of what to do next, to remove whatever it is that is truly responsible.

Can you help??

Thanks.


Well, I never did hear from anybody on this forum. Not a subscriber, nor anyone from Malwarebytes. Maybe it was the weekend.

Nevertheless, thanks to a great group-think effort over on the Security sub-forum of SevenForums, I was guided (by a web page from Malwaretips.com) to use a collection "recipe" of eight separate anti-malware scanner/remover products (one of which was MBAM). Presumably one or more of these products would hopefully be able to find and remove the culprit.

And lo and behold, it was HitmanPro which was the champion. It found the remnants of what I believe to have been the offender, a thing which had shown up as MyWebSearch in the list of installed programs in Control Panel and which I never could quite uninstall completely using the normal Windows method. Furthermore, while additional pieces of MyWebSearch had shown up with other anti-malware scanning/removal products, whatever they found or removed was still insufficient to solve my problem.

And that included the MalwareBytes Anti-Malware product... WHICH WAS APPARENTLY WORTHLESS IN FINDING AND REMOVING THIS MALWARE!!

Only HitmanPro seemed to again locate even further additional remnants of MyWebSearch, along with what I believe to have been the "hiding place" of the culprit object code:

C:\Windows\system32\rpcss.dll

as well as related crucial pieces (including another mention of DcomLaunch):

Startup
HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunch\
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\

Anyway, thanks to HitmanPro the final remnants of MyWebSearch have now been cleansed off of the system, and the ongoing attempted accesses to the two Russian IP addresses (which WERE being successfully blocked and logged by MBAM) have now ceased.

I'm attaching (a) the "before delete" log from HitmanPro which shows what was found, (b) the "after delete" log from HitmanPro which shows the actions taken and the items deleted, and (c) the MBAM log of the period before running HitmanPro where the blocked IP addresses continue to be emitted and then the "silence" after running HitmanPro.

Hopefully this information will be useful to Malwarebytes, so that they might enhance their own product to actually find what they were UNABLE TO FIND but which (thankfully) HitmanPro DID FIND AND REMOVE!!

Also, to anyone else who is searching for help on "DcomLaunch" or the two IP addresses 5.45.64.145 and 5.45.69.131, you should use HitmanPro. It was effective, whereas MBAM was not.

HitmanPro_20140202_1454.log

HitmanPro_20140202_1459.log

MBAM_log.txt
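The two investigative steps in this thread, mapping the svchost PID that Resource Monitor showed (PID 876) to the services it hosts and then inspecting the DcomLaunch/RpcSs service entries that HitmanPro flagged, can be done from a PowerShell prompt before reaching for a removal tool. The script below is an added example and is not code from the original posts, from Malwarebytes or from HitmanPro. It assumes an elevated prompt, is written against PowerShell 2.0 so that it runs on Vista, and uses 876 only because that is the PID reported above; the expectation that both services load %SystemRoot%\system32\rpcss.dll is the standard Windows layout. It goes slightly beyond the thread by hashing and signature-checking the ServiceDll of every service in the PID, not just the two named.

```powershell
# Added example (not from the original thread or any product it mentions).
# Triage a svchost PID: list its services, show each service's registry
# ImagePath/ServiceDll, hash and signature-check the DLL, then list the
# remote endpoints the PID has open. Assumes elevated PowerShell 2.0+.
param([int]$TargetPid = 876)   # 876 is the PID from the post; pass your own

# --- 1. Which services run inside that svchost? ---------------------------
$services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -eq $TargetPid }
"Services hosted by PID $TargetPid :"
$services | Select-Object Name, State, PathName | Format-Table -AutoSize

# --- 2. Hash + Authenticode status of each service's real code -------------
function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this works on PowerShell 2.0 (Get-FileHash needs 4.0)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Show-ServiceBinary([string]$ServiceName) {
    $key        = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $imagePath  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    $serviceDll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    ""
    "[$ServiceName]"
    "  ImagePath : $imagePath"
    "  ServiceDll: $serviceDll"
    # svchost-hosted services load their code from ServiceDll, so that file
    # (for DcomLaunch and RpcSs, normally %SystemRoot%\system32\rpcss.dll)
    # is the one worth hashing and comparing against a known-good copy.
    if (-not $serviceDll) { return }
    $dll = [Environment]::ExpandEnvironmentVariables($serviceDll)
    if (-not (Test-Path $dll)) { "  WARNING: ServiceDll is missing from disk"; return }
    $sig = Get-AuthenticodeSignature -FilePath $dll
    "  Signature : $($sig.Status)  $($sig.SignerCertificate.Subject)"
    "  SHA256    : $(Get-Sha256Hex $dll)"
}

foreach ($svc in $services) { Show-ServiceBinary $svc.Name }
# The two entries HitmanPro reported, whether or not they sit in $TargetPid now:
foreach ($name in 'DcomLaunch', 'RpcSs') { Show-ServiceBinary $name }

# --- 3. Remote endpoints the PID currently has open -------------------------
# netstat -ano exists on Vista; the Get-NetTCPConnection cmdlet does not.
""
"Remote endpoints for PID $TargetPid :"
netstat -ano | Select-String -Pattern "\s$TargetPid\s*$" | ForEach-Object {
    $f = @($_.Line.Trim() -split '\s+')
    # TCP rows: Proto Local Foreign State PID ; UDP rows: Proto Local Foreign PID
    $state = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
    New-Object PSObject -Property @{ Proto = $f[0]; Remote = $f[2]; State = $state }
} | Format-Table Proto, Remote, State -AutoSize
```

Two caveats when reading the output. On Vista the system DLLs are catalog-signed rather than carrying an embedded signature, so PowerShell 2.0's Get-AuthenticodeSignature reports NotSigned even for a genuine rpcss.dll; there, compare the SHA256 against a known-good copy from a machine at the same patch level, or use Sysinternals sigcheck, which does consult the catalogs. And a connection that MBAM's IP blocking stops may never reach an established state, so the blocked 5.45.x addresses need not appear in netstat at all, which is consistent with the poster seeing only the 62.75.x addresses in Resource Monitor; the MBAM log remains the authoritative record of what was blocked.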


Root Admin

Well, unfortunately, as you've replied over and over to your own post, helpers assume you've already been helped.

I'm infected - What do I do now?

Also, please do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help.

Since you appear to be satisfied that your system is now clean, I'll go ahead and close your topic now.

Thank you

This topic is now closed to further replies.