Jump to content

Found an *Allowed IP* in Web Exclusions

frogman1435
 Share

Recommended Posts

frogman1435

frogman1435

Posted
Posted

Good Afternoon from Eastern Europe. I will eventually get to the introduction forum but I have a more serious issue to deal with. Last night I noticed an *Allowed* IP in the Web Exclusions section which I checked out using network tools online, it led to an IP address originating from Moldova. I also noticed that I was not able to update my MBAM. Right away I took the following steps.

1. Strong MBAM password for everything.

2. Looked at all settings, some were changed, changed them back to *paranoid level*, update every 1 hour, if missed 2, scan every day.

3. Allowed custom scans. Changed ALL passwords on computer, I do not keep email ones on a Win box, those stay on encrypted thumbies that only touch *nix, and I only access email via my *nix machine.

4. Ran a lot of scans AdwCleaner, TDSS, Combofix, MBAM, MSSE, checked my hosts file, working on my services list now, going to check my registery next, all those scans came up empty by the way.

5. But how was someone able to insert an *allowed IP* into my MBAM, this is what REALLY worries me, is this common, do they have kernel access, should I just wipe the OS and start fresh, 10+ passes with DBAN is not really an option here >> SSD <<

 

Can anyone please help me, I am at your mercy. Also welcome from Eastern Europe where we have DE on one side and Russia on the other and Ukraine below us :) I will make an introduction post as soon as this is settled, I am just VERY stressed right now as you can imagine. I am going to start up wireshark via *nix and see my traffic for any UPX, RST, etc etc.

 

Forgot to mention, I have IE turned off for good, I use current version of Firefox with needed plugins to stop scripts, wont mention which for obvious reasons, but this is my work computer so I need it to be *safe* , win7_64_SP1. What worries me is that I would not notice any real slowdowns as it is an overclocked fx-8350 :/. But I normally run @ around 60 processes, too much I know, but I have not noticed any new additions, but I am keeping an eye.

Link to post
Share on other sites
1PW

1PW

Posted
Posted

Hello frogman1435 and :welcome:
 
We will be somewhat unable to answer your questions and address your failure to update MBAM issue without technical details regarding your system, its software, and how it's setup.

 

We strongly will caution you against the self-directed use of sUBs' ComboFix and respectfully request you do so only with qualified assistance.
 
First please read the following and attach the 3 requested logs in a reply to this thread. - Diagnostic Logs. Also, please reply with the IP address allowed.

 

After that, we can address your failure to update MBAM issue.
 
Thank you.

Link to post
Share on other sites
frogman1435

frogman1435

Posted
  • Author
Posted

Hello frogman1435 and :welcome:

 

We will be somewhat unable to answer your questions and address your failure to update MBAM issue without technical details regarding your system, its software, and how it's setup.

 

We strongly will caution you against the self-directed use of sUBs' ComboFix and respectfully request you do so only with qualified assistance.

 

First please read the following and attach the 3 requested logs in a reply to this thread. - Diagnostic Logs. Also, please reply with the IP address allowed.

 

After that, we can address your failure to update MBAM issue.

 

Thank you.

 

Alright I will get on this right away, for now MBAM is updating, right now June 23, 5:07pm Warsaw time it is on version 2014.06.23.09, it has updated 4 times today so far on it's own and I have just completed a manual update, now onto your 3 logs. Also, thank  you very much for your precipitous response, I see tux in your avatar, would I be wrong to ascertain you are a from scratch user:) I started on a Apple II in early 90s, sometimes I feel like a dinosaur around the new generation and unlike most who go from Win -> *nix, I went from 1.##.## without symetric processing and HAL was nowhere to be found. Ok, onto the logs, I apologize for being a *Windows Noob*, but I need it for work. Will add logs as they come to this post.

Link to post
Share on other sites
1PW

1PW

Posted
Posted

 

I see tux in your avatar

 

I tell folks who ask, "it's a "selfie". I usually dual-boot some form of Linux on most of my systems.

 

It's strange that your MBAM update issue is intermittent.

 

You may attach all the requested diagnostic logs in the same reply for simplification.

Link to post
Share on other sites
frogman1435

frogman1435

Posted
  • Author
Posted

Also I do not allow nor disallow any IP addresses in the Web Exclisions part of MBAM. As for system spec, it is AMD FX-8350 on a Sabertooth 990fx r2.0 with a Crucial m4 2.5inch 256gb OS drive, I do not use onboard sound rather a Recond3d PciE sound card. Lan is onboard. Anything else just ask.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Too much unknown without forensic discovery which no one is going to do for free as that can take days or weeks to fully analyze. The issue at hand is that one of two things probably transpired.

 

1. You accidentally clicked to allow it originally when the IP came up.

2. It was a recent addition to our IP block that was not previously blocked so it may not actually have been in the list (if it was then almost has to be #1)

 

You have a proxy set on your system that is okay as long as you set it, if not then I'd recommend removing it.

Your search scope in IE is invalid so I'd recommend a reset of the browser.

 

Unless you're having some ongoing issue then there really isn't much else to look at or do here.

Link to post
Share on other sites
frogman1435

frogman1435

Posted
  • Author
Posted

Too much unknown without forensic discovery which no one is going to do for free as that can take days or weeks to fully analyze. The issue at hand is that one of two things probably transpired.

 

1. You accidentally clicked to allow it originally when the IP came up.

2. It was a recent addition to our IP block that was not previously blocked so it may not actually have been in the list (if it was then almost has to be #1)

 

You have a proxy set on your system that is okay as long as you set it, if not then I'd recommend removing it.

Your search scope in IE is invalid so I'd recommend a reset of the browser.

 

Unless you're having some ongoing issue then there really isn't much else to look at or do here.

I have not set any proxies on my rig, the only way I can control IE is via control panel -> internet options, as I turned off IE via *Turn Windows features on or off*, if you could just point me to this proxy and I will try my best to null it and also how do I reset a browser I have turned off? THANK YOU for your time, I know it took me 3 hours to go through those pages, I know my rig is quite big (not tooting my own horn so more I have in there, more can go boink ) But that proxy and reset would help a GREAT deal. Once again, thank you sooooooo much, you are very astute :)

Link to post
Share on other sites
frogman1435

frogman1435

Posted
  • Author
Posted

The entry is labeled as this in the logs.

 

ProxyServer: 0.0.0.0:80

 

Odd as that is a broadcast normally often seen in a hosts file to ignore a site not in a proxy setting.

 

Please see this site for removal

http://support.microsoft.com/kb/2289942

Ok my mistake, few months ago I was seeing IE9 listings in CCleaner, at the time it did not occur to me that IE and Windows Update are interlinked, so I tried a method I found online to sort of proxy block IE, but I quickly realized that I was not able to get Windows updates. It wasn't much garbage collection in CCleaner, maybe 1mb here, 2 there, but still, for a program I turned off, ...well the hamster in my head started in overdrive. So my mistake *homers DOH* I did just update to IE11 as I noticed a lot of history in IE9 that I never visited so that had me a bit worried. I have lots of time as I am disabled so I will mull this one over tomorrow, it is bedtime. Goodnight and thanks. Funny, the sun is already rising and it is 3:33am :| I miss the east coast.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept