Hannu Posted July 25, 2014 ID:857852 Share Posted July 25, 2014 Hello there, While using the newest MBAM Pro version I keep getting warnings and log files like "Malicious Website Protection IP, 219.146.8.78, 5060 Inbound, C:\Windows\System32\svchost.exe." The IP addresses and ports are changing. I made scans with Norton Antivirus, MBAM, and many adware/junkware removal tools but only tracking cookies were found. I even checked with regedit the names of all of the about 110 services that could be hosted by svchost.exe, and all of them were genuine Windows services. Finally I decided to restore my laptop totally to factory settings and reinstall all the programmes. After restoring to factory settings I first updated Windows 7, installed Norton Antivirus, and MS Silverlight that was needed for watching the help video. Then I installed MBAM 2.0 and Adobe Reader X. I made a new user account and enabled Guest account, too. Then, before starting to reinstall more programs, I took a look at MBAM History and there it was again: "Malicious Website Protection IP, 195.39.196.50, 22 Inbound, C:\Windows\System32\svchost.exe." What could this be all about? Please, note. Before writing to you I had to reinstall MS Office, too, to get my email working. Then I made a new FRST scan. Unfortunately I first deleted the first logs and it appeared that the additional log cannot be made again. So, please find the FRST.txt log attached only because it is all I have..FRST.txt Regards,Hannu Link to post Share on other sites More sharing options...
Hannu Posted July 30, 2014 Author ID:860451 Share Posted July 30, 2014 Hello, I have recently made System Restore to factory settings. While I was still reinstalling programs MBAM again started displaying pop-ups about malicious websites that it blocked. The Protection Logs have items like "Malicious Website Protection IP, 219.146.8.78, 5060 Inbound, C:\Windows\System32\svchost.exe." The IP addresses and ports are changing. Could someone help me in resolving this issue? Attached, please, find FRST.txt and Addition.txt logs. RegardsHannu FRST.txtAddition.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted July 31, 2014 Root Admin ID:860578 Share Posted July 31, 2014 Hello and Please read the following and post back the logs when ready and we'll see about getting you cleaned up.General P2P/Piracy Warning: If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy. Before we proceed further, please read all of the following instructions carefully.If there is anything that you do not understand kindly ask before proceeding.If needed please print out these instructions.Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text. If the log is too large then you can use attachments by clicking on the More Reply Options button. Please enable your system to show hidden files: How to see hidden files in Windows Make sure you're subscribed to this topic:Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder) STEP 0RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processesso that your normal security software can then run and clean your computer of infections.When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policiesthat stop us from using certain tools. When finished it will display a log file that shows the processes that wereterminated while the program was running.As RKill only terminates a program's running process, and does not delete any files, after running it you should not rebootyour computer as any malware processes that are configured to start automatically will just be started again.Instead, after running RKill you should immediately scan your computer using the requested scans I've included.Please download Rkill by Grinler from one of the links below and save it to your desktop. Link 1Link 2On Windows XP double-click on the Rkill desktop icon to run the tool. On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. If not, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs. If the tool does not run from any of the links provided, please let me know. Do not reboot the computer, you will need to run the application again.STEP 01Backup the Registry:Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.Please download ERUNT from one of the following links: Link1 | Link2 | Link3 ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed. Double click on erunt-setup.exe to Install ERUNT by following the prompts. NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO. Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process. Choose a location for the backup.Note: the default location is C:\Windows\ERDNT which is acceptable. [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exeSTEP 02Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following: MBAM Clean Removal Process 2xWhen reinstalling the program please try the latest version.Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... linkOpen up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply. STEP 03Please download RogueKiller and save it to your desktop.You can check here if you're not sure if your computer is 32-bit or 64-bitRogueKiller 32-bit | RogueKiller 64-bit Quit all running programs. For Windows XP, double-click to start. For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run. Read and accept the EULA (End User Licene Agreement) Click Scan to scan the system. When the scan completes Close the program > Don't Fix anything! Don't run any other options, they're not all bad!! Post back the report which should be located on your desktop.Thank you Link to post Share on other sites More sharing options...
Hannu Posted July 31, 2014 Author ID:860903 Share Posted July 31, 2014 Hello and thank you for helping me in this issue. You adviced me not to continue, if I do not understand something. In the instructions reads "NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO." The installer wants to make a shortcut to the Start Menu folder. The folder can be changed but the shortcut cannot be omitted. So what did you mean and what should I do in this step? Otherwise the instructions seem clear to me. Thanks Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 1, 2014 Root Admin ID:861225 Share Posted August 1, 2014 If you read the next dialog box it should be evident but in either case you can allow it to install and we'll fix it later. Please proceed with the other instructions. Thank you Link to post Share on other sites More sharing options...
Hannu Posted August 1, 2014 Author ID:861315 Share Posted August 1, 2014 Here is MBAM Log Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 1.8.2014Scan Time: 16:21:52Logfile:Administrator: YesVersion: 2.00.2.1012Malware Database: v2014.08.01.02Rootkit Database: v2014.07.17.01License: PremiumMalware Protection: EnabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: OmistajaScan Type: Threat ScanResult: CompletedObjects Scanned: 374875Time Elapsed: 10 min, 4 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end) Adnd this is the RogueKiller Report RogueKiller V9.2.4.0 (x64) [Jul 11 2014] by Adlice Softwaremail : http://www.adlice.com/contact/Feedback : http://forum.adlice.comWebsite : http://www.adlice.com/softwares/roguekiller/Blog : http://www.adlice.comOperating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : Omistaja [Admin rights]Mode : Scan -- Date : 08/01/2014 17:03:25¤¤¤ Bad processes : 19 ¤¤¤[Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr][Proc.Hidden] -- [x] -> KILLED [TermThr]¤¤¤ Registry Entries : 12 ¤¤¤[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 62.241.198.245 62.241.198.246 -> FOUND[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 62.241.198.245 62.241.198.246 -> FOUND[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 62.241.198.245 62.241.198.246 -> FOUND[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CA008121-93C5-4783-881E-C4BF42741187} | DhcpNameServer : 62.241.198.245 62.241.198.246 -> FOUND[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{CA008121-93C5-4783-881E-C4BF42741187} | DhcpNameServer : 62.241.198.245 62.241.198.246 -> FOUND[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{CA008121-93C5-4783-881E-C4BF42741187} | DhcpNameServer : 62.241.198.245 62.241.198.246 -> FOUND[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1539846819-2877819943-2624664115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1539846819-2877819943-2624664115-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND¤¤¤ Scheduled tasks : 0 ¤¤¤¤¤¤ Files : 0 ¤¤¤¤¤¤ HOSTS File : 0 ¤¤¤¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤¤¤¤ Web browsers : 0 ¤¤¤¤¤¤ MBR Check : ¤¤¤+++++ PhysicalDrive0: INTEL SSDSC2BW240A3L +++++--- User ---[MBR] 9da27b5f6284949bb0176d7073db074f[bSP] 822a1ae9a0df0ccf1e3b10460ae8d60d : Lenovo MBR CodePartition table:0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 202266 MB2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 417314816 | Size: 18000 MB3 - [XXXXXX] OS/2-HIBER (0x84) [HIDDEN!] Offset (sectors): 454178816 | Size: 7168 MBUser = LL1 ... OKUser = LL2 ... OK============================================RKreport_SCN_08012014_164749.log Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 1, 2014 Root Admin ID:861363 Share Posted August 1, 2014 Please go ahead and run through the following steps and post back the logs when ready. STEP 04Please download Junkware Removal Tool to your desktop.Shutdown your antivirus to avoid any conflicts. Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP. The tool will open and start scanning your system. Please be patient as this can take a while to complete. On completion, a log (JRT.txt) is saved to your desktop and will automatically open. Post the contents of JRT.txt into your next reply message When completed make sure to re-enable your antivirusSTEP 05Lets clean out any adware now: (this will require a reboot so save all your work)Please download AdwCleaner by Xplode and save to your Desktop.Double click on AdwCleaner.exe to run the tool.Vista/Windows 7/8 users right-click and select Run As Administrator Click on the Scan button. AdwCleaner will begin...be patient as the scan may take some time to complete. When it's done you'll see: Pending: Please uncheck elements you don't want removed. Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review. Look over the log especially under Files/Folders for any program you want to save. If there's a program you may want to save, just uncheck it from AdwCleaner. If you're not sure, post the log for review. (all items found are adware/spyware/foistware) If you're ready to clean it all up.....click the Clean button. After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically. Copy and paste the contents of that logfile in your next reply. A copy of that logfile will also be saved in the C:\AdwCleaner folder. Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine To restore an item that has been deleted: Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.STEP 06Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... linkOpen up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats foundOnce completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.STEP 07Please go here to run the online antivirus scannner from ESET.Turn off the real time scanner of any existing antivirus program while performing the online scan Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activex control to install Click Start Make sure that the option Remove found threats is unticked Click on Advanced Settings and ensure these options are ticked:Scan for potentially unwanted applications Scan for potentially unsafe applications Enable Anti-Stealth Technology [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.STEP 08Please download the Farbar Recovery Scan Tool and save it to your desktop.Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bitDouble-click to run it. When the tool opens click Yes to disclaimer. Press the Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well. Link to post Share on other sites More sharing options...
Hannu Posted August 1, 2014 Author ID:861465 Share Posted August 1, 2014 Here are the logs of STEPS 4 to 7 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Junkware Removal Tool (JRT) by ThisisuVersion: 6.1.4 (04.06.2014:1)OS: Windows 7 Professional x64Ran by Omistaja on pe 01.08.2014 at 20:35:57,49~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Services~~~ Registry Values~~~ Registry Keys~~~ Files~~~ Folders~~~ Event Viewer Logs were cleared~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Scan was completed on pe 01.08.2014 at 20:51:58,70End of JRT log~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # AdwCleaner v3.302 - Report created 01/08/2014 at 21:11:11# Updated 30/07/2014 by Xplode# Operating System : Windows 7 Professional Service Pack 1 (64 bits)# Username : Omistaja - THINKPADT530# Running from : C:\Users\Omistaja\Desktop\AdwCleaner.exe# Option : Clean***** [ Services ] ********** [ Files / Folders ] *****Folder Deleted : C:\Windows\util***** [ Scheduled Tasks ] ********** [ Shortcuts ] ********** [ Registry ] ********** [ Browsers ] *****-\\ Internet Explorer v11.0.9600.17207-\\ Mozilla Firefox v24.7.0 (fi)[ File : C:\Users\Hannu\AppData\Roaming\Mozilla\Firefox\Profiles\jjh2b8ww.default\prefs.js ][ File : C:\Users\Omistaja\AppData\Roaming\Mozilla\Firefox\Profiles\5gx4wzy0.default\prefs.js ][ File : C:\Users\Vieras\AppData\Roaming\Mozilla\Firefox\Profiles\k7u1br35.default\prefs.js ]*************************AdwCleaner[R0].txt - [1049 octets] - [01/08/2014 21:00:04]AdwCleaner[s0].txt - [974 octets] - [01/08/2014 21:11:11]########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1033 octets] ########## Question: The files like [ File : C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\jjh2b8ww.default\prefs.js ] apparently contained the custom settings of Firefox for each user. Resetting Firefox made it to open in the First Run window and without extensions. Because I never had any problems in Firefox I suppose it is OK to restore the above settings from the Qarantine folder? ****************Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 1.8.2014Scan Time: 21:31:48Logfile:Administrator: YesVersion: 2.00.2.1012Malware Database: v2014.08.01.04Rootkit Database: v2014.07.17.01License: PremiumMalware Protection: EnabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: OmistajaScan Type: Threat ScanResult: CompletedObjects Scanned: 375096Time Elapsed: 9 min, 46 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 0(No malicious items detected)Registry Values: 0(No malicious items detected)Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end) ESET Log C:\Users\Omistaja\Downloads\ccsetup416.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application ************Before going to step 08 I must know how to treat with the existing files FRST.exe, FRST.txt, and Addition.txt. I have run FRST before starting this thread and these files still exsit on on my desktop. Link to post Share on other sites More sharing options...
Hannu Posted August 1, 2014 Author ID:861483 Share Posted August 1, 2014 Hi, It was clearly a mistake to allow AdwCleaner to put the above mentioned files to quarantine. Firefox now saves only the settings of the administrator accaunt. All other user's settings are ignored after restart. Because I use Firefox (and other programs) with limited rights account I cannot use Firefox at all. Can I restore those quarantined files or do you recommend to reinstall Firefox? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 1, 2014 Root Admin ID:861484 Share Posted August 1, 2014 You can remove the old logs and again to get new logs. You can restore the firefox configuration file as well. If needed we'll address it as we move forward. Link to post Share on other sites More sharing options...
Hannu Posted August 1, 2014 Author ID:861497 Share Posted August 1, 2014 Attached please find the new FRST.log It seems that the customized Firefox settings cannot be restored from the quarantine. Only items found in the AdwClener Cuarantine contents areC:\Windows\util\nomlock.exe andC:\Windows\util\TURBO.EXEFRST.txtFRST.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 2, 2014 Root Admin ID:861540 Share Posted August 2, 2014 Please visit this webpage and read the ComboFix User's Guide:Once you've read the article and are ready to use the program you can download it directly from the link below. Important! - Please make sure you save combofix to your desktop and do not run it from your browser Direct download link for: ComboFix.exe Please make sure you disable your security applications before running ComboFix. Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load. Please attach that log file to your next reply. If needed the file can be located here: C:\combofix.txt NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer. Link to post Share on other sites More sharing options...
Hannu Posted August 2, 2014 Author ID:861583 Share Posted August 2, 2014 The ComboFix scan stops without any notification after completing Stage 4. The cursor keeps blinking but nothing else seems to happen. I waited for more than 30 minutes. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 2, 2014 Root Admin ID:861593 Share Posted August 2, 2014 Restart the computer and try again please. I may or may not be back to assist further until Monday as I'm going to be out of town.If needed try from Safe Mode by tapping the F8 key during startup of the computer. Link to post Share on other sites More sharing options...
Hannu Posted August 2, 2014 Author ID:861624 Share Posted August 2, 2014 At last I could finish the scan with ComboFix in Safe Mode. Attached please find the log. ComboFix.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 5, 2014 Root Admin ID:862523 Share Posted August 5, 2014 Please post back the last couple of days for the MBAM Protection Logs. You can find them under History, Application Logs How is the computer running now? Link to post Share on other sites More sharing options...
Hannu Posted August 5, 2014 Author ID:862653 Share Posted August 5, 2014 Hello again,As I already told I let AdwCleaner delete files like C:\Users\UserName\AppData\Roaming\Mozilla\Firefox\Profiles\jjh2b8ww.default\prefs.jsAfter that Firefox worked normally only in the Administrator (Omistaja) account. In standard user accounts (Hannu) and Guest account (Vieras) Firefox did not save User Preferences but opened the First Run windows every time it was restarted.Later I also noticed (in my standard account and Guest account) that by closing Firefox always wrote a new prefs.js file, but it was empty (0 kb). I finally had tens of prefs.js files named prefs.js, prefs-1.js, prefs-2.js, etc.AdwCleaner did not move those files in quarantine but saved a backup copy of them. On Sunday I first renamed the prefs.js files of Hannu and Vieras (Guest) to prefs.js.old, deleted the files named prefs-1.js to prefs-n.js and finally copied the original files from the backup back to the Firefox Profiles. Since then Firefox is working normally both in my own standard account and Guest account.After a restart there is a 30 seconds delay in signing in to a Windows account before the desktop is loaded but otherwise the computer works and has worked without problems all the time. There has not been anything abnormal happening. It’s the frequent MBAM popups only that make me wonder. Below are copies of some MBAM Protection logs. Malwarebytes Anti-Malwarewww.malwarebytes.orgUpdate, 5.8.2014 0:42:10, SYSTEM, THINKPADT530, Scheduler, Rootkit Database, 2014.8.1.1, 2014.8.4.1,Update, 5.8.2014 0:42:22, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.4.7, 2014.8.4.8,Protection, 5.8.2014 0:42:26, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 5.8.2014 0:42:26, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 5.8.2014 0:42:27, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 5.8.2014 0:42:36, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 5.8.2014 0:42:36, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 5.8.2014 0:42:36, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Update, 5.8.2014 1:49:31, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.4.8, 2014.8.4.9,Protection, 5.8.2014 1:49:32, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 5.8.2014 1:49:32, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 5.8.2014 1:49:32, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 5.8.2014 1:49:41, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 5.8.2014 1:49:41, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 5.8.2014 1:49:41, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Detection, 5.8.2014 3:22:28, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 31.6.71.154, 3128, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 3:22:28, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 31.6.71.154, 3128, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 3:22:29, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 31.6.71.154, 3128, Inbound, C:\Windows\System32\svchost.exe,Update, 5.8.2014 4:28:17, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.4.9, 2014.8.5.1,Protection, 5.8.2014 4:28:18, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 5.8.2014 4:28:18, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 5.8.2014 4:28:18, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 5.8.2014 4:28:27, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 5.8.2014 4:28:27, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 5.8.2014 4:28:28, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Detection, 5.8.2014 4:34:13, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 222.186.56.7, 7070, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 4:34:13, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 222.186.56.7, 7070, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 4:34:13, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 222.186.56.7, 7070, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 4:34:13, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 222.186.56.7, 7070, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 4:52:24, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 80.82.79.163, 21320, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 4:52:24, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 80.82.79.163, 21320, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 5:19:59, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 89.248.160.131, 3389, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 5:19:59, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 89.248.160.131, 3389, Inbound, C:\Windows\System32\svchost.exe,Update, 5.8.2014 8:07:22, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.5.1, 2014.8.5.2,Protection, 5.8.2014 8:07:41, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 5.8.2014 8:07:41, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 5.8.2014 8:07:41, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 5.8.2014 8:07:50, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 5.8.2014 8:07:50, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 5.8.2014 8:07:50, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Detection, 5.8.2014 9:54:54, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 222.189.228.36, 3389, Inbound, C:\Windows\System32\svchost.exe,Detection, 5.8.2014 9:54:54, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 222.189.228.36, 3389, Inbound, C:\Windows\System32\svchost.exe,Protection, 5.8.2014 12:19:46, SYSTEM, THINKPADT530, Protection, Malware Protection, Starting,Protection, 5.8.2014 12:19:46, SYSTEM, THINKPADT530, Protection, Malware Protection, Started,Protection, 5.8.2014 12:19:46, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 5.8.2014 12:20:34, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,(end) Malwarebytes Anti-Malwarewww.malwarebytes.orgUpdate, 4.8.2014 1:27:17, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.3.6, 2014.8.3.7,Protection, 4.8.2014 1:27:18, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 4.8.2014 1:27:18, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 4.8.2014 1:27:18, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 4.8.2014 1:27:28, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 4.8.2014 1:27:28, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 4.8.2014 1:27:29, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Detection, 4.8.2014 1:58:48, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 80.82.70.239, 5900, Inbound, C:\Windows\System32\svchost.exe,Detection, 4.8.2014 1:58:48, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 80.82.70.239, 5900, Inbound, C:\Windows\System32\svchost.exe,Detection, 4.8.2014 2:14:43, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 94.102.63.145, 2083, Inbound, C:\Windows\System32\svchost.exe,Detection, 4.8.2014 2:14:43, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 94.102.63.145, 2083, Inbound, C:\Windows\System32\svchost.exe,Detection, 4.8.2014 2:14:43, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 94.102.63.145, 2083, Inbound, C:\Windows\System32\svchost.exe,Protection, 4.8.2014 14:09:51, SYSTEM, THINKPADT530, Protection, Malware Protection, Starting,Protection, 4.8.2014 14:09:51, SYSTEM, THINKPADT530, Protection, Malware Protection, Started,Protection, 4.8.2014 14:09:51, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 4.8.2014 14:10:43, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Update, 4.8.2014 14:35:42, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.3.7, 2014.8.4.3,Protection, 4.8.2014 14:35:43, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 4.8.2014 14:35:43, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 4.8.2014 14:35:43, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 4.8.2014 14:35:51, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 4.8.2014 14:35:51, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 4.8.2014 14:35:52, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Update, 4.8.2014 16:31:12, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.4.3, 2014.8.4.4,Protection, 4.8.2014 16:31:14, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 4.8.2014 16:31:14, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 4.8.2014 16:31:14, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 4.8.2014 16:31:25, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 4.8.2014 16:31:25, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 4.8.2014 16:31:25, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Update, 4.8.2014 17:58:08, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.4.4, 2014.8.4.5,Protection, 4.8.2014 17:58:10, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 4.8.2014 17:58:10, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 4.8.2014 17:58:10, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 4.8.2014 17:58:18, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 4.8.2014 17:58:18, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 4.8.2014 17:58:19, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Update, 4.8.2014 20:47:38, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.4.5, 2014.8.4.6,Protection, 4.8.2014 20:47:39, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 4.8.2014 20:47:39, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 4.8.2014 20:47:39, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 4.8.2014 20:47:48, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 4.8.2014 20:47:48, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 4.8.2014 20:47:49, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Detection, 4.8.2014 22:30:24, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 222.189.228.36, 3389, Inbound, C:\Windows\System32\svchost.exe,Detection, 4.8.2014 22:30:24, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 222.189.228.36, 3389, Inbound, C:\Windows\System32\svchost.exe,Detection, 4.8.2014 22:54:48, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 89.248.160.175, 1900, Inbound, C:\Windows\System32\svchost.exe,Detection, 4.8.2014 22:54:48, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 89.248.160.175, 1900, Inbound, C:\Windows\System32\svchost.exe,Update, 4.8.2014 23:33:29, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.4.6, 2014.8.4.7,Protection, 4.8.2014 23:33:38, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 4.8.2014 23:33:38, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 4.8.2014 23:33:38, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 4.8.2014 23:33:49, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 4.8.2014 23:33:49, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 4.8.2014 23:33:49, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,(end) Malwarebytes Anti-Malwarewww.malwarebytes.orgProtection, 2.8.2014 10:09:41, SYSTEM, THINKPADT530, Protection, Malware Protection, Starting,Protection, 2.8.2014 10:09:41, SYSTEM, THINKPADT530, Protection, Malware Protection, Started,Protection, 2.8.2014 10:09:41, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 2.8.2014 10:09:42, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Protection, 2.8.2014 10:09:57, SYSTEM, THINKPADT530, Protection, Malware Protection, Stopping,Protection, 2.8.2014 10:09:57, SYSTEM, THINKPADT530, Protection, Malware Protection, Stopped,Protection, 2.8.2014 10:10:26, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 2.8.2014 10:10:26, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 2.8.2014 10:10:26, SYSTEM, THINKPADT530, Protection, Malware Protection, Stopping,Protection, 2.8.2014 10:10:27, SYSTEM, THINKPADT530, Protection, Malware Protection, Stopped,Protection, 2.8.2014 11:38:45, SYSTEM, THINKPADT530, Protection, Malware Protection, Starting,Protection, 2.8.2014 11:38:45, SYSTEM, THINKPADT530, Protection, Malware Protection, Started,Protection, 2.8.2014 11:38:45, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 2.8.2014 11:38:46, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Detection, 2.8.2014 11:44:49, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 89.248.160.192, 161, Inbound, C:\Windows\System32\svchost.exe,Detection, 2.8.2014 11:44:49, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 89.248.160.192, 161, Inbound, C:\Windows\System32\svchost.exe,Protection, 2.8.2014 14:39:16, SYSTEM, THINKPADT530, Protection, Malware Protection, Starting,Protection, 2.8.2014 14:39:16, SYSTEM, THINKPADT530, Protection, Malware Protection, Started,Protection, 2.8.2014 14:39:16, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 2.8.2014 14:40:23, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Protection, 2.8.2014 14:40:57, SYSTEM, THINKPADT530, Protection, Malware Protection, Stopping,Protection, 2.8.2014 14:40:57, SYSTEM, THINKPADT530, Protection, Malware Protection, Stopped,Protection, 2.8.2014 14:44:05, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 2.8.2014 14:44:05, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 2.8.2014 16:13:52, SYSTEM, THINKPADT530, Protection, Malware Protection, Starting,Protection, 2.8.2014 16:13:52, SYSTEM, THINKPADT530, Protection, Malware Protection, Started,Protection, 2.8.2014 16:13:52, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 2.8.2014 16:13:57, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Update, 2.8.2014 16:18:11, SYSTEM, THINKPADT530, Scheduler, Rootkit Database, 2014.7.17.1, 2014.8.1.1,Update, 2.8.2014 16:18:23, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.1.5, 2014.8.2.2,Protection, 2.8.2014 16:18:24, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 2.8.2014 16:18:24, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 2.8.2014 16:18:24, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 2.8.2014 16:18:35, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 2.8.2014 16:18:35, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 2.8.2014 16:18:35, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Update, 2.8.2014 17:11:27, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.2.2, 2014.8.2.3,Protection, 2.8.2014 17:11:28, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 2.8.2014 17:11:28, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 2.8.2014 17:11:28, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 2.8.2014 17:11:37, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 2.8.2014 17:11:37, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 2.8.2014 17:11:37, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Detection, 2.8.2014 21:45:03, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 80.82.78.12, 22, Inbound, C:\Windows\System32\svchost.exe,Detection, 2.8.2014 21:45:03, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 80.82.78.12, 22, Inbound, C:\Windows\System32\svchost.exe,Update, 2.8.2014 21:45:22, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.2.3, 2014.8.2.4,Protection, 2.8.2014 21:45:23, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 2.8.2014 21:45:23, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 2.8.2014 21:45:23, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 2.8.2014 21:45:34, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 2.8.2014 21:45:34, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 2.8.2014 21:45:34, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,Detection, 2.8.2014 22:54:06, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 93.174.95.55, 21, Inbound, C:\Windows\System32\svchost.exe,Detection, 2.8.2014 22:54:06, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, IP, 93.174.95.55, 21, Inbound, C:\Windows\System32\svchost.exe,Update, 2.8.2014 23:44:29, SYSTEM, THINKPADT530, Scheduler, Malware Database, 2014.8.2.4, 2014.8.2.5,Protection, 2.8.2014 23:44:30, SYSTEM, THINKPADT530, Protection, Refresh, Starting,Protection, 2.8.2014 23:44:30, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopping,Protection, 2.8.2014 23:44:30, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Stopped,Protection, 2.8.2014 23:44:40, SYSTEM, THINKPADT530, Protection, Refresh, Success,Protection, 2.8.2014 23:44:40, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Starting,Protection, 2.8.2014 23:44:40, SYSTEM, THINKPADT530, Protection, Malicious Website Protection, Started,(end) Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 5, 2014 Root Admin ID:862750 Share Posted August 5, 2014 Those are inbound IP blocks which are typically due to either an application attempting to contact your computer or an open probe from a remote system. Unfortunately there is not much you can do to stop this except to ensure you have a good Firewall in place to block unrequested incoming requests. We wanted to ensure that your computer is not the one sending out requests for a remote to come contact you back and the logs show that your computer does not appear to be reaching out on it's own due to some type of rootkit or other threat. At this time the computer appears to be clean. I'd like to just check some other applications to make sure they're not outdated and then give you a clean up speech. Please download Security Check by screen317 from HERE or HERE.Save it to your Desktop. Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. If you get Unsupported operating system. Aborting now, just reboot and try again. A Notepad document should open automatically called checkup.txt. Please Post the contents of that document. Do Not Attach It!!! Link to post Share on other sites More sharing options...
Hannu Posted August 5, 2014 Author ID:862792 Share Posted August 5, 2014 Thank you for the good news. It really seemed to me that there was something in my computer that tried to create contacts to malicious sites. Could you possibly try to explain to me what the word “inbound” means in this connection?Here is the SecurityCheck log: Results of screen317's Security Check version 0.99.86 Windows 7 Service Pack 1 x64 (UAC is enabled) Internet Explorer 11 ``````````````Antivirus/Firewall Check:``````````````Norton AntiVirus WMI entry may not exist for antivirus; attempting automatic update.`````````Anti-malware/Other Utilities Check:````````` Adobe Flash Player 14.0.0.145 Adobe Reader 10.1.10 Adobe Reader out of Date! Mozilla Firefox 24.7.0 Firefox out of Date! ````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbam.exe Norton AntiVirus Engine 21.4.0.13 NAV.exe Malwarebytes Anti-Malware mbamscheduler.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: ````````````````````End of Log`````````````````````` Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 6, 2014 Root Admin ID:863023 Share Posted August 6, 2014 Inbound means that a remote computer is trying to contact your computer. Normally your computer needs to ask other computers for information and then they reply back. When one attempts to contact your computer without you asking them to that is where/when this "inbound" is happening. As I said not much one can do about it beyond what you're already doing. Just keep an eye out and make sure the blocks are incoming and not outgoing. An outgoing IP block can be an indicator of a possible infection. Please check for updates for your Acrobat Reader and Firefox but otherwise we should be done here now. At this time there are no more signs of an infection on your system.However if you are still seeing any signs of an infection please let me know.Let's go ahead and remove the tools and logs we've used during this process.Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.They are often updated daily so if you went to use them again in the future they would be outdated anyways.The following procedures will implement some cleanup procedures to remove these tools. Download Delfix from here and save it to your desktop. (you may already have this)Ensure Remove disinfection tools is checked. Click the Run button. RebootAny other programs or logs that are still remaining, you can manually delete. (right click.....Delete)IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.Note:If you used FRST and can't delete the quarantine folder:Download the fixlist.txt to the same folder as FRST.exe.Run FRST.exe and click Fix only once and waitThat will delete the quarantine folder created by FRST.The rest you can manually delete. If there are any other left over Folders, Files, Logs then you can delete them on your own. Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.How to Delete System Protection Restore Points in Windows 7 and Windows 8Remove all but the most recent Restore Point on Windows XPAs Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsersHow do I disable Java in my web browser? - Disable JavaA lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.How Malware Spreads - How did I get infected Best Practices for Safe Computing - Prevention of Malware Infection Avoiding those unwanted free applications A close look at how Oracle installs deceptive software with Java updates IAC / Ask.com toolbars Malwarebytes Unpacked BlogIf you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection. Link to post Share on other sites More sharing options...
Hannu Posted August 6, 2014 Author ID:863336 Share Posted August 6, 2014 Thank you very much, It seems that I have successfully deleted all the programs I downloaded and used under your supervision. After running DelFix, only ERUNT had to be uninstalled manually in addition to the left over logs. By the way: Norton moved DelFix.exe straight to the quarantine as it had earlier done with ComboFix.exe. Both of them had to be restored from the quarantine before they could be run. Apparently the cause of this “rootkit hunting” was in my limited knowledge in English language. I thought that “inbound” means that the initiative to create a connection arose in my computer. After all, I am very thankful for your assistance in this topic. And thanks for reminding me upon those updates, too. The case seems to be closed. With Regards Hannu Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 7, 2014 Root Admin ID:863469 Share Posted August 7, 2014 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts