Jump to content

Recommended Posts

I found my computer to be a bit odd last night, didn't pay much attention, today i checked Mbam logs and  found that there were a bunch of scvshost.exe ip blocked, I ran a scan with malwarebytes but didnt find anything, doesnt seem to be happening today but i'm still worried.  also I removed the bittorrnt client in advance, just in case i was asked to. Any help would be appreciated, thanks in advance.

 

 

2014/03/03 13:18:07 -0800    ALTAIR    isai    IP-BLOCK    89.28.98.3 (Type: outgoing, Port: 33692, Process: azureus.exe)
2014/03/03 13:18:07 -0800    ALTAIR    isai    IP-BLOCK    89.28.98.3 (Type: outgoing, Port: 64767, Process: azureus.exe)
2014/03/03 13:18:07 -0800    ALTAIR    isai    IP-BLOCK    89.28.98.3 (Type: outgoing, Port: 33692, Process: azureus.exe)
2014/03/03 13:18:15 -0800    ALTAIR    isai    IP-BLOCK    89.28.98.3 (Type: outgoing, Port: 33692, Process: azureus.exe)
2014/03/03 13:21:03 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:03 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 58499, Process: svchost.exe)
2014/03/03 13:21:11 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:11 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 58499, Process: svchost.exe)
2014/03/03 13:21:11 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:11 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 58499, Process: svchost.exe)
2014/03/03 13:21:11 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:11 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:11 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 58499, Process: svchost.exe)
2014/03/03 13:21:19 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:19 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 58499, Process: svchost.exe)
2014/03/03 13:21:19 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:19 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 58499, Process: svchost.exe)
2014/03/03 13:21:35 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:35 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 58499, Process: svchost.exe)
2014/03/03 13:21:35 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:35 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 58499, Process: svchost.exe)
2014/03/03 13:21:35 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 51556, Process: svchost.exe)
2014/03/03 13:21:35 -0800    ALTAIR    isai    IP-BLOCK    93.115.83.250 (Type: outgoing, Port: 58499, Process: svchost.exe)
2014/03/03 14:20:36 -0800    ALTAIR    isai    MESSAGE    Executing scheduled update:  Daily
2014/03/03 14:20:44 -0800    ALTAIR    isai    MESSAGE    Scheduled update executed successfully:  database updated from version v2014.03.02.10 to version v2014.03.03.06
2014/03/03 14:20:44 -0800    ALTAIR    isai    MESSAGE    Starting database refresh
2014/03/03 14:20:44 -0800    ALTAIR    isai    MESSAGE    Stopping IP protection
2014/03/03 14:20:45 -0800    ALTAIR    isai    MESSAGE    IP Protection stopped successfully
2014/03/03 14:21:13 -0800    ALTAIR    isai    MESSAGE    Database refreshed successfully
2014/03/03 14:21:13 -0800    ALTAIR    isai    MESSAGE    Starting IP protection
2014/03/03 14:21:15 -0800    ALTAIR    isai    MESSAGE    IP Protection started successfully
2014/03/03 22:20:40 -0800    ALTAIR    isai    IP-BLOCK    188.130.176.2 (Type: outgoing, Port: 33692, Process: azureus.exe)

Attach.txt

DDS.txt

Link to post
Share on other sites

Welcome to the forum.

Please run a Quick Scan with Malwarebytes like this and post the log:

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

---------------------

Then........

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General Forum P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running, please create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Here is the MBAM log still have to run rogue killer.

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.05.07

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16798
isai :: ALTAIR [administrator]

Protection: Enabled

3/5/2014 9:52:31 AM
mbam-log-2014-03-05 (09-52-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 262627
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\isai\AppData\Local\Temp\uttA57B.tmp (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
 

Link to post
Share on other sites

Here is rogue killer log.

 

 

ogueKiller V8.8.10 _x64_ [Feb 28 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : isai [Admin rights]
Mode : Scan -- Date : 03/05/2014 10:11:14
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[sUSP PATH] AsPatchTouchPanel64.exe -- C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][sUSP PATH] ASUS Patch for Touch Panel : C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe [7] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 4876d5ef3b46944db11781505850f74e
[bSP] 74925cea26eb4c97ae45516ab38e669f : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_03052014_101114.txt >>



 

Link to post
Share on other sites

Lets run some scans:

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

Download Malwarebytes Anti-Rootkit from HERE

  • Run the file and follow the onscreen instructions to extract it to a location of your choosing (your desktop by default)
  • Malwarebytes Anti-Rootkit will then open, follow the instruction in the wizard to update and allow the program to scan your computer for threats
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

MrC

Link to post
Share on other sites

something else i would like to point out is that after the incident, i checked the logs for the next 3 following days and i get this: 014/03/04 14:23:55 -0800    ALTAIR    isai    ERROR    Scheduled update failed:  No address found failed with error code 0, however it does update if i do it manually.

Link to post
Share on other sites

OK...Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

I forgot you're running W8, CF will actually run on the version you have.

Lets clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites

here is the Mbam log:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.06.10

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16798
isai :: ALTAIR [administrator]

Protection: Disabled

3/6/2014 7:07:16 PM
mbam-log-2014-03-06 (19-07-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 269680
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

AdwCleanerS0.txt

Link to post
Share on other sites

well to be honest it seems almost the same just a bit smoother, I heard from someone that somebody could be rerouting traffic through my computer, if i'm doing normal task like browsing and such is not noticeable but if i play video games online i can see the lag due to internet connection, my usual ping is around 114 ms but at times it spikes to 280ms or even more, without anybody else using the wi-fi. so i'm not sure of what to do now.

Link to post
Share on other sites

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

MrC

Link to post
Share on other sites

The logs look OK, lets clean out temp files and run another scan for rootkits, etc:

Download, install and run CCleaner free to clean out temp files.

Here's a Tutorial if needed.

You may want to uncheck "cookies" and please stay away from the registry cleaner.

The default settings will be OK for now.

------------------------------

Then.............

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    image000q.png

  • Put a checkmark beside loaded modules.

    2012081514h0118.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    19695967.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    67776163.jpg

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    62117367.jpg

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

MrC

Link to post
Share on other sites

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
Link to post
Share on other sites

 Results of screen317's Security Check version 0.99.80  
   x64 (UAC is enabled)  
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Trend Micro Titanium Maximum Security   
Windows Defender                        
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Adobe Flash Player     12.0.0.70  
 Mozilla Firefox (27.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 Trend Micro AMSP coreServiceShell.exe  
 Trend Micro UniClient UiFrmWrk uiWatchDog.exe
 Trend Micro AMSP coreFrameworkHost.exe  
 Trend Micro AMSP AMSP_LogServer.exe  
 Trend Micro Titanium plugin TMAS\TMAS_WLM\TMAS_WLMMon.exe
 Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 

Link to post
Share on other sites

That looks OK......

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete. (right click.....Delete)

IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (PM also found HERE)

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.