IP Blocking Identification Problem

[RandyC]

I am having a similar problem as some others are having with regular MBAM ip blocking pop-ups occurring without any visible activity. I found the posts relating to using NirSoft's cport program and set it up to refresh every 2 seconds and to log it's output.

I have a computer I've cleaned up but obviously have missed something. cport (with Process Explorers help) shows SVCHOST is trying to contact 213.163.89.104. But I have no idea of how to determine which program is calling/using SVCHOST to try and make this contact. The contact attempts always seem to occur in groups of 3 (as if retrying?) and can be between 8 and 30 minutes apart.

I am attaching 3 log files, one from MBAM's collect info function, one from the MBAM activity log and one from the cports log.

I've scanned the pc with MBAM (flash, quick and full), with AVG and with Super Antispyware. I also scanned it with AntiVir while running under my UBCD4WIN boot cd. I installed ZoneAlarm's free firewall and rebooted the pc. It's set up and I just saw another 3 ip blocked messages from MBAM. Of course, it could be that MBAM is blocking the attempts prior to when ZA woudl get them.

I hope someone can point me in the correct direction to remove whatever is left in the pc.

By the way, it is an ordinary core 2 duo intel pc running XP Home SP3.

Thank you, in advance, for any assistance you may offer.

Randy C

mbam_log_file.zip

[noknojon]

Hello RandyC -

The rootkit (if that is the one you refer to) is best removed by our experts - Please follow these instructions below -

As we don't work on Malware removal or diagnostics in the general forums, here are the directions -

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Thank You -

EDIT - This link will give you full information about the protection module and blocking - http://forums.malwarebytes.org/index.php?s...st&p=162100

[RandyC]

noknojon - thank you for your assistance. I am gathering the doc as I write this and will re-post as instructed.

[FutonDog]

Hi:

Yes, I have also been experiencing "mysterious" IP blocks by MBAM, even when there is supposedly no IP activity. My machine does not have and has never had P2P software on it. The IP blocks occur even when the machine is idle at the desktop (no browser sessions open under any user account). The blocks number only a few a day (thank you MBAM for exposing the protection logs), but it still bedevils the hell out of me. My machine is XP SP3 and IE6 SP3. I first installed MBAM a year ago when I got infected by Spyware Protect 2009 (sysguard). MBAM worked great, it helped me greatly in disinfecting my machine. Within the past week, my daily QuickScan detected C:\Program Files\Common\_helper.sig. So I thought, ah, maybe this _helper.sig file is the culprit making calls to the suspicious IP's that MBAM is blocking, and with its removal, the "idle" IP blocks will stop. But even after deleting this file, I'm still getting a few blocks a day. Since then, my daily MBAM QuickScans have come up clean (I also update the MBAM database daily, before my QuickScan runs, so my MBAM protection is always current) and so has my weekly Norton AV full scan. Again, this mystifies the hell out of me, and I just wish I knew what's going on. Any feedback and guidance would be most appreciated. But for all the people at MBAM, thanks for what you do and for the product and service you provide. It helps a great deal.

[YoKenny1]

FutonDog

IE8 is much more secure than IE6 and has lots of good features.

Follow noknojon's advice.