
Suspect I'm infected; also Malwarebytes warns that Skype attempts to access forbidden hosts



Hello, I got a lot of help from Malwarebytes software but I guess that my computer is still infected.

I can see a lot of hard disk activity and also got warnings that Skype accesses or gets accessed from a malicious IP.

 

I can find things like this:

Detection, 01/04/2014 14:55:50, SYSTEM, PEPE-PC, Protection, Malicious Website Protection, IP, 89.28.87.46, 44176, Inbound, C:\Program Files (x86)\Skype\Phone\Skype.exe, 
Detection, 01/04/2014 14:55:50, SYSTEM, PEPE-PC, Protection, Malicious Website Protection, IP, 89.28.87.46, 44176, Inbound, C:\Program Files (x86)\Skype\Phone\Skype.exe, 
2 times a week, more or less
 
I did scan with the tool and these are the first (FRST.txt) and (Addition.txt) files...
 
I'm attaching them since I got a message saying "your post was too long".
 
thanks for the help in advance!
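As an added example (not part of the original post, and not Malwarebytes' own code), here is a small parser for the "Malicious Website Protection" detection lines quoted above. It summarises blocked connections per remote IP, direction and process so repeat hits stand out, which is the first thing a defender wants from this kind of log. The field order and the dd/mm/yyyy date format are assumed from the two lines shown; the third sample line (a TEST-NET-2 address, Outbound) is constructed purely to show that distinct keys are kept apart.

```python
"""Parse Malwarebytes "Malicious Website Protection" detection lines and
summarise them per (remote IP, direction, process)."""
import csv
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from typing import List, Optional

# Constructed sample: the two lines quoted in the post plus one made-up line
# (198.51.100.7 is a documentation address) with a different key.
SAMPLE_LOG = r"""
Detection, 01/04/2014 14:55:50, SYSTEM, PEPE-PC, Protection, Malicious Website Protection, IP, 89.28.87.46, 44176, Inbound, C:\Program Files (x86)\Skype\Phone\Skype.exe,
Detection, 01/04/2014 14:55:50, SYSTEM, PEPE-PC, Protection, Malicious Website Protection, IP, 89.28.87.46, 44176, Inbound, C:\Program Files (x86)\Skype\Phone\Skype.exe,
Detection, 03/04/2014 09:12:01, SYSTEM, PEPE-PC, Protection, Malicious Website Protection, IP, 198.51.100.7, 443, Outbound, C:\Program Files (x86)\Skype\Phone\Skype.exe,
"""


@dataclass(frozen=True)
class WebBlock:
    when: datetime
    computer: str
    ip: str
    port: int
    direction: str  # "Inbound" or "Outbound", as logged
    process: str


def parse_detection_line(line: str) -> Optional[WebBlock]:
    """Return a WebBlock for one Malicious Website Protection line, else None."""
    line = line.strip()
    if not line:
        return None
    fields = next(csv.reader(StringIO(line), skipinitialspace=True))
    # Assumed layout (from the quoted lines): Detection, <date time>, <user>,
    # <computer>, Protection, Malicious Website Protection, IP, <ip>, <port>,
    # <direction>, <process>, <trailing empty field>
    if (len(fields) < 11 or fields[0] != "Detection"
            or fields[5] != "Malicious Website Protection"):
        return None
    when = datetime.strptime(fields[1], "%d/%m/%Y %H:%M:%S")  # assumed dd/mm/yyyy
    return WebBlock(when, fields[3], fields[7], int(fields[8]), fields[9], fields[10])


def parse_detections(text: str) -> List[WebBlock]:
    """Parse every recognised line; unrelated or blank lines are skipped."""
    return [b for b in map(parse_detection_line, text.splitlines()) if b is not None]


def summarize_blocks(blocks: List[WebBlock]) -> Counter:
    """Count blocks per (remote IP, direction, process)."""
    return Counter((b.ip, b.direction, b.process) for b in blocks)


def repeat_offenders(blocks: List[WebBlock], min_hits: int = 2) -> list:
    """Keys blocked at least min_hits times, most frequent first."""
    return [k for k, n in summarize_blocks(blocks).most_common() if n >= min_hits]


if __name__ == "__main__":
    blocks = parse_detections(SAMPLE_LOG)
    for (ip, direction, proc), n in summarize_blocks(blocks).most_common():
        print(f"{n:3d}x {direction:8s} {ip:16s} {proc}")
```

Run it against the exported detection history instead of SAMPLE_LOG to see whether the same remote address keeps recurring for the same process; a repeated key is worth mentioning in the thread alongside the FRST logs.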

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it in your reply.

Next,

 

Read the following link before we continue and run Combofix:

 

ComboFix usage, Questions, Help? - Look here

 

Next,

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

http://www.infospyware.net/antimalware/combofix/

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
     
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
     
  • Close any open browsers and any other programs you might have running
     
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
     
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
     
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
     
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

 

*EXTRA NOTES*


    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

 

Post those logs in next reply please...

 

Kevin


fixlist.txt


Thanks for the logs, we continue:

 

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

    ClearJavaCache::
    RegNull::
    [HKEY_USERS\S-1-5-21-588724753-2069094988-3097208938-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{232AA658-AD16-67A0-8F2F-36C387F919DF}*]
    File::
    c:\windows\system32\drivers\34D759BE.sys

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

[images: CF3.jpg, CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt.

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8: right click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
Click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats" is ticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
Put a checkmark in "Uninstall application on close"
Close the program
Report to me that nothing was found

 

If threats were found

 


Click on "list of threats found"
Click on "export to text file" and save it as ESET SCAN to the desktop
Click on back
Put a checkmark in "Uninstall application on close"
Click on finish

 

Close the program

 

Copy and paste the report in next reply.

 

Let me see those logs, also give an update on any remaining issues or concerns...

 

Kevin


Hello Kevin!

 

It took a lot of time (around 4 hours) but I completed the required tasks.

 

attached files...

 

ComboFix.txt (I attached it from C:\ this time, since I was forced to do that from the desktop because the uploader didn't complete the upload from C:\)

 

AdwCleanerS0.txt and AdwCleanerR0.txt (attaching both since I'm not sure if you need them)

 

JRT.txt (this seems like the clean one to me)

 

ESET SCAN.txt (found 12 things, some I was aware about, some not)

 

 

One more time, thank you very much for the help!

 

 

Regards


Kevin, I was waiting for another instruction or directive as I attached the last logs and I cannot read very well ...

 

Please let me know if I have anything else to do or whether to activate or implement any additional tool; you already own that are Microsoft Security Essentials and Malwarebytes Premium.

 

Finally, I want to know if I can attach new scans here for another computer with similar characteristics or just run the same tools in the same order you provided me.

 

many thanks for the big help!


Kevin, sorry for the wrong English...

 

my previous post must read...

 

Kevin, I was waiting for another instruction or directive as I attached the last logs and I cannot read them very well ...
 
Please let me know if I have anything else to do, activate, implement, or any additional tool... I already have Microsoft Security Essentials and Malwarebytes Premium.
 
Finally, I want to know if I can attach new scans here for another computer with similar characteristics or just run the same tools in the same order you provided me.
 
Many thanks for the big help!

Open Malwarebytes 2.0, run a Threat Scan

 


On the Dashboard, click the 'Update Now >>' link
After the update completes, click the 'Scan Now >>' button.
Or, on the Dashboard, click the Scan Now >> button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 

Post log:

 


After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

 

Let me see that log, also tell me if there are any remaining issues or concerns...

 

Kevin


Hello Kevin!

 

This is the last scan!

 

By the way, it says below... "Self-protection: Disabled". Is something missing in my Malwarebytes setup?

 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 27/05/2014
Scan Time: 17:18:36
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.05.27.10
Rootkit Database: v2014.05.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Pepe
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 352134
Time Elapsed: 11 min, 7 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
thanks again!
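As an added example (not part of the thread, and not Malwarebytes' own code), the scan report quoted above can be turned into a dictionary and checked mechanically: which protection components are not reported as "Enabled" (this surfaces exactly the "Self-protection: Disabled" line the poster asked about) and whether every detection category is at zero. The report text embedded below is the one from the post; the component and category names are taken from it, and the "Key: Value" line shape is the only format assumption.

```python
"""Parse a Malwarebytes Anti-Malware 2.0 Threat Scan report and extract
protection status and detection counts."""
from typing import Dict, List

# The report quoted in the thread (blank separator lines dropped; they are ignored anyway).
SCAN_REPORT = """\
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 27/05/2014
Scan Time: 17:18:36
Logfile: 
Administrator: Yes
Version: 2.00.2.1012
Malware Database: v2014.05.27.10
Rootkit Database: v2014.05.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Pepe
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 352134
Time Elapsed: 11 min, 7 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
"""

# Component and category names as they appear in the report above.
PROTECTION_KEYS = ("Malware Protection", "Malicious Website Protection", "Self-protection")
DETECTION_KEYS = ("Processes", "Modules", "Registry Keys", "Registry Values",
                  "Registry Data", "Folders", "Files", "Physical Sectors")


def parse_report(text: str) -> Dict[str, str]:
    """Collect 'Key: Value' lines; banner lines and '(...)' notes are skipped.
    Only the first colon splits, so 'Scan Time: 17:18:36' keeps its value intact."""
    report: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line or line.startswith("("):
            continue
        key, value = line.split(":", 1)
        report[key.strip()] = value.strip()
    return report


def disabled_protection(report: Dict[str, str]) -> List[str]:
    """Protection components whose status is anything other than 'Enabled'
    (a missing line counts as not enabled)."""
    return [k for k in PROTECTION_KEYS if report.get(k) != "Enabled"]


def detection_counts(report: Dict[str, str]) -> Dict[str, int]:
    """Per-category detection counts that are present in the report."""
    return {k: int(report[k]) for k in DETECTION_KEYS if k in report}


def is_clean(report: Dict[str, str]) -> bool:
    """True when the scan completed and every reported category is at zero."""
    return (report.get("Result") == "Completed"
            and sum(detection_counts(report).values()) == 0)


if __name__ == "__main__":
    r = parse_report(SCAN_REPORT)
    print("clean:", is_clean(r))
    print("not enabled:", disabled_protection(r))
```

Pasting a fresh report from History > Application Logs into SCAN_REPORT is enough to rerun the check; a non-empty list from disabled_protection is the thing to raise with the helper, as the poster did here.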

Thanks for the update, run the following to clean up. Let me know if it completes ok...

 

Download "Delfix by Xplode" and save it to your desktop.

 

"Delfix link mirror"

 

Double click to start the program. If you are using Vista or higher, please right-click and choose "Run as administrator".

 

Make sure the following items are checked:

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry backup with ERUNT; the backup will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that backup folder if you consider it no longer needed...

 

Finally,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if we can close out...

 

Thanks,

 

Kevin...


Hello again Kevin!

 

Delfix rocks! Cool thing that removes all the traces from the others!

 

All seems to be clean again. Feel free to close this topic if needed.

 

Now I have 2 questions:

 

I have a NAS device, "Iomega StorCenter ix2", and I need to be sure that it is not infected. How can I check it?

Should I start a new topic for it?

 

Regards



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

