Topic: firewall outgoing connections question

Offline sellers27

  • Jr. Member
  • **
  • Posts: 20
Re: firewall outgoing connections question
« Reply #15 on: March 25, 2012, 12:34:26 AM »
Hello:

Pondus: The second to last entry on that thread has the moderator asking him to post to their malware removal forum for more work.

Essexboy: I am not sure, but in 2010 I had Norton work on my PC and they removed a virus in the temporary files that ran a keylogger, and somehow or other there was a huge number of hidden files of our PC's activities logged. Things were good for about a year, and lately things have been getting worse and worse, except for the past 3 weeks. Since nothing has been found I don't feel great about stopping, but I also don't want to impose.

thanks


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: firewall outgoing connections question
« Reply #16 on: March 25, 2012, 02:23:34 PM »
No imposition; peace of mind is as important, whether we find anything or not.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.



Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Offline sellers27

  • Jr. Member
  • **
  • Posts: 20
Re: firewall outgoing connections question
« Reply #17 on: March 25, 2012, 10:28:25 PM »
Hello: I followed your instructions for ComboFix, but I must have made a mistake because it opened a dialogue box saying it detected a security application interfering with it running. If I remember right, it asked if it should continue anyway and I selected no. I double checked Avast 7.0.1426; its protection modules were off. Also I had exited MBAM. I don't have any other active protection modules that I know of. How should I proceed?

Thanks

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: firewall outgoing connections question
« Reply #18 on: March 25, 2012, 10:30:22 PM »
It is seeing the low-level drivers of Avast.

So run ComboFix again and this time allow it to run.
Do not let Avast sandbox/quarantine anything during the run.

Offline sellers27

  • Jr. Member
  • **
  • Posts: 20
Re: firewall outgoing connections question
« Reply #19 on: March 26, 2012, 12:04:06 AM »
Hi: Well, it ran for about 15 minutes, then the PC locked up. The clock and cursor were frozen. Also, it downloaded the Recovery Console first. I had to power down to reboot. What should I try?

Thanks

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: firewall outgoing connections question
« Reply #20 on: March 26, 2012, 10:46:51 AM »
Could you run it from Safe Mode please?

Offline sellers27

  • Jr. Member
  • **
  • Posts: 20
Re: firewall outgoing connections question
« Reply #21 on: March 26, 2012, 06:16:22 PM »
Hi: I ran ComboFix in Safe Mode. It made a restore point and scanned for 14 minutes, then the clock stopped incrementing and the cursor locked up. I allowed it to go on for 30 more minutes on the off chance that it was still running. No luck, so I rebooted.

I also have not been able to run DDS. It locks up as well.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: firewall outgoing connections question
« Reply #22 on: March 26, 2012, 09:28:34 PM »
OK, this one will take a bit longer to run. When the analysis phase is done, could you upload the zip file to MediaFire and post the sharing link so that I can check it out?

Download AVPTool from here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan:

  • Click the cog in the upper right.
  • Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.
  • Allow AVP to delete all infections found.
  • Once it has finished, select the Report tab (last tab).
  • Select Detected threats report from the left and press the Save button.
  • Save it to your desktop and attach it to your next post.

Now the analysis:

  • Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information.
  • On completion, click the link to locate the zip file to upload and attach it to your next post.

Offline sellers27

  • Jr. Member
  • **
  • Posts: 20
Re: firewall outgoing connections question
« Reply #23 on: March 26, 2012, 10:06:27 PM »
Hello: I am about to begin the AV scan. About how long will it take, 2 hours? 24 hours?

Thanks

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: firewall outgoing connections question
« Reply #24 on: March 26, 2012, 10:15:34 PM »
Dependent on the drive size, between one and two hours; on my system just 30 minutes 'cos it is quite empty.

Offline sellers27

  • Jr. Member
  • **
  • Posts: 20
Re: firewall outgoing connections question
« Reply #25 on: March 27, 2012, 05:37:47 PM »
I had a trojan. Here are two reports. Last one to follow.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: firewall outgoing connections question
« Reply #27 on: March 27, 2012, 08:28:12 PM »
Those were in your inbox; that is one area that my other tools do not look, but I have found the miscreant running from a registry key.

If you have no objections, I will also remove all the old McAfee drivers for you.

If you do not want that, then let me know and I will rework the script.

  • Re-run AVPTool.
  • Select the Manual Disinfection tab and press Script execution.
  • Where it states "Insert text script in the following box", copy the below script and press Run script.
    Copy from Begin until End.

Code:
begin
SetAVZPMStatus(True);
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}');
 RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}');
 RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7B297BFD-85E4-4092-B2AF-16A91B2EA103}');
 RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{215B8138-A3CF-44C5-803F-8226143CFC0A}');
 RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6BB594E2-6E4D-4CC9-98B0-931C323F9165}');
 StopService('MPFP');
 DeleteService('mfesmfk');
 StopService('mfesmfk');
 DeleteService('mferkdk');
 StopService('mferkdk');
 DeleteService('mfehidk');
 StopService('mfehidk');
 DeleteService('mfebopk');
 StopService('mfebopk');
 DeleteService('mfeavfk');
 StopService('mfeavfk');
 DeleteService('McShield');
 StopService('McShield');
 BC_DeleteSvc('McShield');
 BC_DeleteSvc('mfeavfk');
 BC_DeleteSvc('mfebopk');
 BC_DeleteSvc('mfehidk');
 BC_DeleteSvc('mferkdk');
 BC_DeleteSvc('mfesmfk');
 BC_DeleteSvc('MPFP');
 DeleteFile('0.exe');
 BC_DeleteFile('0.exe');
 DeleteFile('C:\Program Files\McAfee\MPF\MPFSrv.exe');
 BC_DeleteFile('C:\Program Files\McAfee\MPF\MPFSrv.exe');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
  • Your system will reboot on completion; if it does not, please do so yourself.
  • On completion, please run another analysis scan and attach the zip file.
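As an added, read-only verification step (not part of essexboy's post or the AVZ script), this PowerShell snippet checks after the reboot whether each registry key, service and file the script above targets is actually gone, and lists any other entries left under the Code Store Database "Distribution Units" key, where Internet Explorer records downloaded ActiveX code. All names are taken from the script; the bare '0.exe' entry is skipped because the script gives no directory for it.

```powershell
# Post-cleanup check for the AVZ script above (added example, not from the thread).
# Reports whether each Distribution Units key, McAfee service and file still exists.
# Run from an elevated PowerShell prompt after the reboot; it deletes nothing.

$duBase = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'

# CLSIDs taken from the RegKeyDel lines of the script
$duKeys = @(
    '{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}',
    '{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}',
    '{7B297BFD-85E4-4092-B2AF-16A91B2EA103}',
    '{215B8138-A3CF-44C5-803F-8226143CFC0A}',
    '{6BB594E2-6E4D-4CC9-98B0-931C323F9165}'
)
# Service names taken from the DeleteService/BC_DeleteSvc lines
$services = 'MPFP','mfesmfk','mferkdk','mfehidk','mfebopk','mfeavfk','McShield'
# Full path taken from the DeleteFile lines ('0.exe' has no path in the script, so it is skipped)
$files = @('C:\Program Files\McAfee\MPF\MPFSrv.exe')

$findings = @()

foreach ($clsid in $duKeys) {
    $path = Join-Path $duBase $clsid
    $findings += [pscustomobject]@{
        Type = 'RegistryKey'; Target = $path; StillPresent = (Test-Path -LiteralPath $path)
    }
}

foreach ($svc in $services) {
    # Get-Service returns nothing (error suppressed) when the service no longer exists
    $present = $null -ne (Get-Service -Name $svc -ErrorAction SilentlyContinue)
    $findings += [pscustomobject]@{ Type = 'Service'; Target = $svc; StillPresent = $present }
}

foreach ($f in $files) {
    $findings += [pscustomobject]@{ Type = 'File'; Target = $f; StillPresent = (Test-Path -LiteralPath $f) }
}

# Any Distribution Units entries that remain are records of downloaded ActiveX code;
# each one is worth looking at, as the script only removed the five listed above.
$remaining = Get-ChildItem -Path $duBase -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName

$findings | Format-Table -AutoSize
"Remaining Distribution Units entries: $(@($remaining).Count)"
$remaining | ForEach-Object { "  $_" }
```

Any row showing StillPresent = True means that part of the cleanup did not take and is worth mentioning in the next reply.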

Offline nweissma

  • Full Member
  • ***
  • Posts: 133
Re: firewall outgoing connections question
« Reply #28 on: March 27, 2012, 08:39:21 PM »
I just want to add my voice to the chorus: MBAM's alert popups block avastsvc.exe, outgoing, port 54450 -- 66.150.14.65. This latter maps to the U.S., Bellevue, Washington (state), "Bellevue Pinball Corp."

What is this outgoing missive? Is it malware; if it is, then is it using Avast as a vehicle? What course of action should I take; is it safe to just add these alert IPs to MBAM's 'ignore list'?

I just received this response from uTorrent, with which I was having the same symptoms: http://forum.utorrent.com/viewtopic.php?pid=649862#p649862

And one more noob q.: what is "OTL"?
« Last Edit: March 27, 2012, 08:44:17 PM by nweissma »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: firewall outgoing connections question
« Reply #29 on: March 27, 2012, 08:51:38 PM »
MBAM appears to take the shotgun approach: if one domain on the server has hosted malware, then the server gets it.