
Malwarebytes AM Preventing sending to an external site?



Hi,

I was recently the victim of the WinScanner virus. I caught it as soon as it landed (thanks IE8) but it invited quite a few of its friends down to play.

Using a combination of HijackThis, ASquared, MBAM, Spybot S&D and Symantec AV I was able to get my system to scan clean; however, things are still not right. If I log in to my PC as a different user (and hence a new user profile), neither IE nor Firefox will launch.

I ran SFC /SCANNOW and nothing out of the ordinary showed up; however, when I log in under my profile I can launch both browsers. Periodically, I see a message from MBAM that it blocked outbound access to a potentially dangerous site. The IP address of the site is 91.217.162.64 which, according to WhoIs, belongs to a block of addresses in Russia.

Does any of this sound familiar to anyone? Is there another scanner I could use to identify this?

Based on what I saw, this thing dropped a few trojans, installed some browser pre-loaders and BHOs and one rootkit. All of those are now gone and the system scans clean with every scanner I've used, but I'm very suspicious of this IP address attempt and the fact that the browsers are not working in other profiles.

Any suggestions would be very gratefully received.

Best regards,

spotlizard


Hello, spotlizard, and welcome:

You may still have malware traces left on your system.

Alas, we do not work on malware removal in this particular forum.

Until one of the experts arrives, your best bet may be to obtain free, expert assistance at the malware removal-HJT forum.

Please go to this page, print out, read and follow as many instructions as you can:

http://forums.malwarebytes.org/index.php?showtopic=69723

Then please post your logs by starting a new thread, describing the problem you are having, here:

http://forums.malwarebytes.org/index.php?showforum=7

One of the trained experts will then assist you as soon as possible.

When you post, please be sure to select Track This Topic & choose one of the email options, so that you will be notified when someone responds; allow 24-48 hours before bumping your thread.

Alternatively, you may wish to start a support ticket by contacting support at: support@malwarebytes.org, or by using one of the other support options here:

http://www.malwarebytes.org/premium-support.php

Also, please use the "Add Reply" button when replying here & at the other boards, so that it will be easier for everyone to follow the thread.

Thanks and best regards,

daledoc1


Hello spotlizard,

Any time there are outbound blocks, that is data from your computer being sent to an IP that is on our suspected malicious list. It could be trying to get information on your system to another computer. I definitely would look into talking to one of our experts about taking a look at your system to ensure everything is cleaned out.

You can follow the directions below and someone will assist you with running scans on your system to see if they can detect anything.

Please print out, read and follow the Directions HERE, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new topic, make sure under Options that you select Track This Topic and choose one of the email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Thank you very much.
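The reply above explains that an outbound block means something on the machine is trying to reach a listed IP. An added example, not from this thread or from Malwarebytes, of the triage step that follows: parse block notifications and count repeated outgoing attempts per destination and process, so the component still running can be identified. The line format and the log lines are constructed approximations, not the product's real log layout, and the /24 watch range around the IP quoted in the thread is an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in a simplified, MBAM-like line layout (an assumption;
# not the product's actual protection-log format).
SAMPLE_LOG = """\
2010-03-02 09:14:02 IP-BLOCK 91.217.162.64 (Type: outgoing, Process: C:\\Windows\\svchost.exe)
2010-03-02 09:14:35 IP-BLOCK 91.217.162.64 (Type: outgoing, Process: C:\\Windows\\svchost.exe)
2010-03-02 09:15:10 IP-BLOCK 91.217.162.64 (Type: outgoing, Process: C:\\Documents and Settings\\spotlizard\\Application Data\\upd.exe)
2010-03-02 09:20:44 IP-BLOCK 198.51.100.7 (Type: incoming, Process: System)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP-BLOCK (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"\(Type: (?P<direction>\w+), Process: (?P<proc>.*)\)$"
)


def parse_blocks(text):
    """Return one dict per IP-BLOCK line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def outbound_summary(events, watch_net):
    """Count outgoing blocks per (ip, process) for destinations inside watch_net.

    Repeated outbound attempts from the same process point at the component
    still active on the host, which is what a cleanup needs to remove.
    """
    net = ip_network(watch_net)
    counter = Counter()
    for ev in events:
        if ev["direction"] == "outgoing" and ip_address(ev["ip"]) in net:
            counter[(ev["ip"], ev["proc"])] += 1
    return counter


if __name__ == "__main__":
    # Assumed watch range around the IP quoted in the thread.
    for (ip, proc), n in outbound_summary(parse_blocks(SAMPLE_LOG), "91.217.162.0/24").items():
        print(f"{n:3d} outgoing block(s) to {ip} from {proc}")
```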


4 weeks later...

My thanks to all those who replied, and my apologies for the lateness of my reply.

I was able to remove the final traces of this infestation using ComboFix (there were a couple of hidden trojans lurking in the Application Data and Network Services folders).

Since then everything has been running smoothly. No more blocked outbound attempts.

FWIW, I've seen similar IP addresses posted in other forums and it appears as though this is some new variant of the PWSteal trojan, only a little smarter and harder to find.

Best regards.

