
MBAM Blocking Access To Potentially Malicious Website

Originally posted in the "general" section - reposting here.

I recently seemed to have some kind of infection: I have McAfee & somehow still got a trojan or something that was redirecting my internet to wherever it wanted. I kept having to change my LAN settings (unchecked the proxy box). I ran a McAfee scan & it found nothing. But I kept getting a McAfee pop-up in the corner that told me that it detected & removed DNSChanger.fa!. I decided to download MBAM and I ran a quick scan & then a full scan. The quick scan found 7 infected files:

Scan type: Quick scan

Objects scanned: 193629

Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 3

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

c:\Users\Heather\AppData\Local\Temp\0.35625843264144863.exe (Backdoor.Bot) -> 3704 -> Unloaded process successfully.

c:\Users\Heather\AppData\Roaming\conhost.exe (Backdoor.Bot) -> 4652 -> Unloaded process successfully.

c:\Users\Heather\AppData\Local\Temp\dwm.exe (Backdoor.Bot) -> 1612 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.Bot) -> Value: conhost -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.Bot) -> Bad: (C:\Users\Heather\AppData\Local\Temp\dwm.exe) Good: () -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Heather\AppData\Local\Temp\0.35625843264144863.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

c:\Users\Heather\AppData\Roaming\conhost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

c:\Users\Heather\AppData\Local\Temp\dwm.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

c:\Users\Heather\AppData\Roaming\microsoft\lvvm.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

c:\Users\Heather\AppData\Local\Temp\0.23787661421449802.exe (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.

c:\Users\Heather\AppData\Local\Temp\mie.dll (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.

c:\Users\Heather\AppData\Local\Temp\uxbehknqtw (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.

The full scan found 2 infected files:

Scan type: Full scan (C:\|D:\|Q:\|)

Objects scanned: 412458

Time elapsed: 1 hour(s), 3 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Heather\AppData\LocalLow\Sun\Java\deployment\cache\6.0\27\67dac4db-4d99f67c (Backdoor.Bot) -> Quarantined and deleted successfully.

c:\Users\Heather\AppData\LocalLow\Sun\Java\deployment\cache\6.0\39\6f49e8a7-5f354329 (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.

So I removed the infections using MBAM and then thought everything would be great. But now I keep getting all these pop-ups from both MBAM and McAfee. MBAM is saying that it has blocked access to a potentially malicious website & McAfee states that it has detected and removed the DNSChanger.fa!

These two different pop-ups usually happen at the exact same time.

Here is some of the MBAM log for the pop-ups (only some, because it is quite long):

00:08:37 Heather MESSAGE Protection started successfully

00:08:42 Heather MESSAGE IP Protection started successfully

00:11:04 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 49297, Process: svchost.exe)

00:11:20 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 25700, Process: svchost.exe)

00:11:21 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 25700, Process: svchost.exe)

00:11:21 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:11:29 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 25700, Process: svchost.exe)

00:11:45 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 50547, Process: svchost.exe)

00:11:45 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:11:45 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:12:09 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:12:17 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59665, Process: svchost.exe)

00:12:25 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:12:33 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59324, Process: svchost.exe)

00:13:38 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:13:46 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:14:02 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 54673, Process: svchost.exe)

00:14:02 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 54674, Process: svchost.exe)

00:14:10 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 50822, Process: svchost.exe)

00:14:10 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:06 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:06 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:06 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:06 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 56943, Process: svchost.exe)

00:15:06 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 63625, Process: svchost.exe)

00:15:06 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:06 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:06 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:07 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 54902, Process: svchost.exe)

00:15:15 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:23 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 54096, Process: svchost.exe)

00:15:39 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 52438, Process: svchost.exe)

00:15:39 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:39 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:39 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:15:39 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 56490, Process: svchost.exe)

00:15:47 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:16:03 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 56491, Process: svchost.exe)

00:16:03 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:16:11 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:16:11 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:16:11 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:16:11 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:16:59 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 56492, Process: svchost.exe)

00:16:59 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:16:59 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:16:59 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 56493, Process: svchost.exe)

00:16:59 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 56494, Process: svchost.exe)

00:17:48 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:17:48 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:17:48 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:17:48 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:17:56 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 56114, Process: svchost.exe)

00:17:56 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:18:04 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:18:36 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:00 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 50157, Process: svchost.exe)

00:19:00 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 50158, Process: svchost.exe)

00:19:00 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:00 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 55638, Process: svchost.exe)

00:19:00 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:00 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:08 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59032, Process: svchost.exe)

00:19:08 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:08 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59033, Process: svchost.exe)

00:19:08 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:17 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:25 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59034, Process: svchost.exe)

00:19:25 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:25 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:33 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:33 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59035, Process: svchost.exe)

00:19:41 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:41 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59036, Process: svchost.exe)

00:19:41 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:41 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59037, Process: svchost.exe)

00:19:41 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:49 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:49 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59038, Process: svchost.exe)

00:19:49 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59039, Process: svchost.exe)

00:19:49 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:49 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

00:19:57 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59040, Process: svchost.exe)

00:19:57 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)

& I am still getting these notifications right now

So it is a good mix of incoming and outgoing and the process is always svchost and there are all different ports, it seems. It is all the same IP MOSTLY, but occasionally I will get this IP show up:

89.28.113.221

My internet seems fine, it isn't redirecting me anymore.

Another weird thing is that McAfee says my firewall is ON, but when I click on the setting for the firewall it says it is off, and so I click "Turn On" and it won't come on, it just stays at OFF. But when I go back to the main McAfee screen (or whatever, the screen where it gives me a little summary of all my protections) it says on. So is it on or off???

PLEASE HELP!!!

& Thanks So Much!!
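The protection log above is long and repetitive, and the pattern that matters (one remote address, one process, a fixed port on every incoming block and a different ephemeral port on each outgoing block) is easier to see when the lines are parsed and counted than when they are read one by one. The script below is an added example, not part of the original post or of Malwarebytes' own tooling. It assumes the line format shown in the post (`HH:MM:SS user IP-BLOCK a.b.c.d (Type: ..., Port: ..., Process: ...)`). The embedded sample reuses a handful of lines copied from the log above plus one constructed line for the second address the poster mentions (89.28.113.221), so that the summary covers more than one destination; that constructed line is not from the original log. Note that MBAM records a single `Port` field and the log does not say whether it is the local or the remote end of the connection, so the code reports the port pattern without interpreting it further.

```python
import re
from collections import Counter

# Sample input: IP-BLOCK lines copied from the MBAM protection log in the post,
# plus ONE constructed line (the 89.28.113.221 entry) that is not from the original log.
SAMPLE_LOG = """\
00:08:37 Heather MESSAGE Protection started successfully
00:08:42 Heather MESSAGE IP Protection started successfully
00:11:04 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 49297, Process: svchost.exe)
00:11:20 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 25700, Process: svchost.exe)
00:11:21 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)
00:11:45 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 50547, Process: svchost.exe)
00:11:45 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)
00:12:17 Heather IP-BLOCK 109.236.81.172 (Type: outgoing, Port: 59665, Process: svchost.exe)
00:12:25 Heather IP-BLOCK 109.236.81.172 (Type: incoming, Port: 25700, Process: svchost.exe)
00:20:05 Heather IP-BLOCK 89.28.113.221 (Type: outgoing, Port: 59041, Process: svchost.exe)
"""

# One IP-BLOCK line as MBAM's protection log writes it; MESSAGE lines do not match.
IP_BLOCK_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) IP-BLOCK "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>incoming|outgoing), Port: (?P<port>\d+), "
    r"Process: (?P<process>[^)]+)\)$"
)


def parse_ip_blocks(text):
    """Return one dict per IP-BLOCK line; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = IP_BLOCK_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["port"] = int(event["port"])
            events.append(event)
    return events


def summarize(events):
    """Group blocks by remote IP: counts per direction, processes seen, ports per direction."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["ip"], {
            "total": 0, "incoming": 0, "outgoing": 0,
            "processes": set(),
            "ports": {"incoming": Counter(), "outgoing": Counter()},
            "first_seen": e["time"], "last_seen": e["time"],
        })
        s["total"] += 1
        s[e["direction"]] += 1
        s["processes"].add(e["process"])
        s["ports"][e["direction"]][e["port"]] += 1
        # Times are zero-padded HH:MM:SS, so string comparison orders them correctly
        # within a single day (the log above starts at 00:08 and never wraps).
        s["first_seen"] = min(s["first_seen"], e["time"])
        s["last_seen"] = max(s["last_seen"], e["time"])
    return summary


def fixed_port_pattern(summary, min_events=3):
    """IPs whose incoming blocks all share one port while outgoing blocks use varied ports.

    This is the shape of the log in the post: a single process repeatedly reaching one
    address on rotating ephemeral ports and being contacted back on one fixed port.
    Returns {ip: fixed_incoming_port}. It only describes the pattern; it does not decide
    whether the port is local or remote, which the MBAM line format leaves unspecified.
    """
    flagged = {}
    for ip, s in summary.items():
        incoming_ports = s["ports"]["incoming"]
        outgoing_ports = s["ports"]["outgoing"]
        if s["total"] < min_events:
            continue
        if len(incoming_ports) == 1 and len(outgoing_ports) > 1:
            flagged[ip] = next(iter(incoming_ports))
    return flagged


def report(text):
    """Human-readable summary lines for a log in the MBAM protection-log format."""
    summary = summarize(parse_ip_blocks(text))
    flagged = fixed_port_pattern(summary)
    lines = []
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["total"]):
        lines.append(
            f"{ip}: {s['total']} blocks ({s['outgoing']} out / {s['incoming']} in), "
            f"{s['first_seen']}-{s['last_seen']}, processes={sorted(s['processes'])}, "
            f"distinct out ports={len(s['ports']['outgoing'])}, "
            f"in ports={dict(s['ports']['incoming'])}"
            + (f"  <-- fixed incoming port {flagged[ip]}" if ip in flagged else "")
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

To run it against the full log, paste the whole IP-BLOCK section into a file and call `report(open("mbam-protection.log").read())`; the counting is per IP, so the second address shows up as its own line with its own counts.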
