What Is This Trojan ?


Complete newbie here, so please be gentle. I would like to lurk for a while and see what's what, but I'm desperate.

MBAM is constantly popping up, having "successfully blocked access to potentially malicious website ..."

Even running a full scan of MBAM is not finding whatever is generating these access attempts; what can I do ?

Link to post
Share on other sites

Hello Trafalgarman211068, and welcome to the forums here at Malwarebytes.org :)

Are you running any P2P applications, such as LimeWire, BitTorrent, Vuze, uTorrent, etc..? If so, these could be accounting for your constant pop ups.

If not, do you have any reason to believe you've been infected recently?

Link to post
Share on other sites

@Trafalgarman

Also, when you see those messages "successfully blocked access to potentially malicious website ..."

Are you at that time browsing the Internet? or have an open browser window?

Have any instant messenger programs active?

Does this system have an antivirus program, and have you done a complete scan with it?

What is your AV program? and is it current & up-to-date?

Link to post
Share on other sites

The first problem I have here, is that none of my response posts are appearing !

What am I doing wrong ?

Trafalgarman.

Link to post
Share on other sites

Ahh ! Now I see it. I am clicking the UPLOAD button, and there is no file attachment to upload.

The computer problem:

Thanks for responding, Mountaintree and Maurice.

Mountaintree; "P2P applications, such as LimeWire, BitTorrent, Vuze, uTorrent" is foreign to me, so I guess I'm not using them.

Maurice: I run a full licensed copy of Malwarebytes full-time in the background. No other anti-virus software. The pop-ups occur even when I don't have a browser open (though I am on BT Broadband, so I may be connected all the time). I regularly do scans with MBAM, sometimes even full ones.

The sites which the malware is trying to access:

94.228.209.200

91.212.226.59

195.88.144.76

and more.

Does this identify the baddy ?

Link to post
Share on other sites

Hello Trafalgarman211068: I tested all of the above mentioned IPs and they were blocked - reason being either they are malicious or may fall in that range. Are you actually visiting these or do they automatically pop up? In the case of the latter I may suggest a solution.

Link to post
Share on other sites

Haider, thanks for the response.

I am not visiting these sites. I have no idea what they are. I get pop-up messages from MBAM saying, "... successfully blocked access to potentially malicious website..."

I hoped that someone may recognise the site codes and name the malware; then I could use the DIY solutions on this site.

Cheers,

Trafalgarman

Link to post
Share on other sites

Thanks Trafalgarman211068: It is possible that the Windows BITS service is being used to attempt to download Malware, Virtumonde, and other very closely related adware Trojans.

There's ABSOLUTELY POSITIVELY NO RISK on trying the following:

Please do this, the application data folder is hidden so you will need to enable showing of Hidden/System files from within folder options in your control panel

Once done that...

Open command prompt & type the following commands hitting enter after each:

net stop bits

cd "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader" (without quotes)

ren *.dat *.old

net start bits

exit

The above will do the following:

First stops BITS service so any download jobs in queue by Windows update, malware, or anything else is stopped. (you should get success message on the first command. If it tells you service not running

Link to post
Share on other sites

I recommend not doing the above post and simply follow these instructions

http://forums.malwarebytes.org/index.php?showtopic=9573

It's likely you are infected with something that isn't being detected by MBAM, and you said you have no anti-virus software. Please note that MBAM and anti-virus software are very different; you NEED both.

Link to post
Share on other sites

@Trafalgarman

You said

I run a full licensed copy of Malwarebytes full-time in the background. No other anti-virus software.

This system has NO antivirus program ???

MBAM is not an antivirus program. It has no antivirus component. It is an anti-malware app.

You must have an antivirus installed. If you have been without an AV, I would urge you to wipe clean your system and do a new install of Windows ---- followed by immediate installation of antivirus app.

Link to post
Share on other sites

Haider, I am not going to go with your solution, though thanks for bothering. I appreciate that.

Maurice,

Your solution is so radical it daunts me. I'm not saying that it is definitely unnecessary, but the medicine is almost worse than the disease. I have a LOT of stuff on my computer.

I thought 'malware' was an all embracing term to cover all forms of spyware, viruses and trojans etc. Now I feel stupid for being on the Internet without AV protection the last year.

Thank you all for responding. I am now going to work my way through Supernovasky's method, and post again.

Trafalgarman

Link to post
Share on other sites

A wipe & new (clean) install need not be daunting. And if it is too much, you may consider taking the system to a local pc repair shop. Having been with antivirus protection for that long was exceedingly risky and alas system has serious infection.

Do a clean (new) Windows Install:

Before you do that, make sure you have at hand the Windows XP CD and also, a fresh new copy of your antivirus that is downloaded from a clean pc and saved on transportable-media (CD-DVD or clean thumb drive).

When you are at point of re-installing o.s., I'd recommend you have the pc disconnected from internet until after the o.s. is installed, plus the antivirus is fully setup and running.

See Windows XP Clean Installation - Partitioning and Formatting using Windows XP CD by Ramesh Srinivasan, MS-MVP & AumHa VSOP

Also Clean Install Windows by Michael Stevens, MS-MVP

IF this is Vista, then see Vista Clean Installation by the Elder Geek

I would urge you to follow the directions very carefully.

You will lose your documents so if you have some to save, offload them to a separate offline media. And later on ensure you do a full scan of them by running your antivirus.

Link to post
Share on other sites

A wipe & new (clean) install need not be daunting. . . .

You will lose your documents so if you have some to save, offload them to a separate offline media. And later on ensure you do a full scan of them by running your antivirus.

Maurice, I'm not sure he needs to do a clean install before he knows whether or not he is infected. It's possible that he's misinterpreting the pop-up notices he's getting. That's easy to do: MBAM provides that warning even if you don't go to a malicious site but simply go to a site where there are links to malicious sites. I remember finding that very confusing at the start.

He says that he has a lot of stuff on his computer. Since he doesn't even have a separate AV program, he probably also hasn't been using any sort of image backup. Thus, reinstalling Windows and putting back all his programs, data files, photos, music, and whatever else could indeed be a daunting task. Taking his computer to a PC shop to have them do it could be costly. So I tend to agree with him that before he takes your advice, he should probably go through all the steps in supernovasky's message (including getting and running an antivirus program such as Avira, Microsoft Security Essentials, or Avast, all of which have free versions). Even though he hasn't been running an antivirus program until now, that doesn't mean that he's infected. I'd say that before he schedules major surgery, he should try some physical therapy--that may solve the problem with much less disruption.

Link to post
Share on other sites

I downloaded and ran the free version of Avira Antivirus. It took around an hour to scan my system and found 7 trojans and 1 hidden file. Since re-booting, I have not seen any pop-ups; fingers crossed.

I may be a little out of touch now (getting old), but I work with computers every day, and have been around them since MS-DOS 3.3. I have full backups of all my work files on external drives of two different manufacturers. I could do a full re-install, all my stuff is legal and licensed, though I'm not sure I could lay my hands on all the licence codes now ! I still think it's daunting. For now I'll do nothing while I wait to see if this fix sticks.

A sincere thank you to all who responded.

Trafalgarman

Link to post
Share on other sites

I'd try running MBAM as well, as it often picks up traces and things that A/V does not when it scans and deletes. If it comes up clean then you are PROBABLY problem free, but that's not a guarantee, and if there is any doubt then I advise you to post in the Malware Removal section, which is Here; someone will be happy to assist and be able to verify that you are malware free.

Link to post
Share on other sites

Trafalgarman211068,

Well was anything with the name Virut/Sality or TDSS rootkit found? If so, those are nasty infections. The first requires a reformat and the latter can be cleaned but has backdoor functionality so the machine can never again fully be trusted so a reformat is recommended.

Are you still getting any IP blocks?

I also highly, highly recommend that you visit the malware removal forum as suggested by a few other people prior in this thread.

Link to post
Share on other sites

Today I found the appearance of Windows had changed radically; and was very slow. I seem to have lost the option to have a Windows XP appearance; it had reverted to an old 'Win 95' style appearance. I could not connect to Internet until I used default settings in MSConfig; I could not connect with my usual setting of all the old legacy boxes unticked (McAfee and some utilities, none of which I ever use now).

Interesting, the pop-ups have not appeared at all.

Avira scan again tonight. Found another 4 trojans and another hidden. Also, Avira managed to connect itself for an update in my absence today (I am not the only user of this computer, I'm not sure how significant that is). For me yesterday, the update attempts failed.

So depressed. I am starting to think about the re-format option now. First I need to gather all the config info I can before it all disappears.

Thank you Supernovasky and Mountaintree for your latest response, it does look like I have something nasty.

I am going to sign off now, and I might not be back for a while.

Trafalgarman

Link to post
Share on other sites

You're welcome. :blink:

Definitely sounds like you have a real nasty on board :D

Please visit the malware removal forum as soon as possible & depending on the findings, you may need to look at a reformat, you and your helper can determine that.

Here is my canned reply for you for the Malware Removal Forum:

Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless it's been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Link to post
Share on other sites
