MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131


  1. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
       #1

    MBAM cannot remove "culprit" access to 5.45.64.145/5.45.69.131


    A friend's Vista laptop (his wife is an AOL user, so AOL email is involved) was in need of help. I installed a proper anti-virus (Microsoft Security Essentials) as well as Anti-Malware Pro.

    Almost immediately after installing MBAM I began to see popups about "successfully blocked access..." for two sites: 5.45.64.145 and 5.45.69.131, which are both well known malicious sites registered in the Netherlands. The access is unwanted and malicious (presumably), and the fact that MBAM blocked it is a good thing. But this happens regularly (especially when a browser or AOL is open), and each such blockage comes with a popup bubble message that must be clicked to make it disappear... and this is annoying.

    The initial scan by MBAM produced about 15 items which I purged, and then re-booted. No change. Still fairly regular popups for blocking of these two sites, whether using IE7, newly installed Firefox 26, or AOL. So whatever was found and deleted appears to have been unrelated to whatever is causing the continued ongoing access of these two IP addresses.

    Cleaned out all cookies and history from IE, deleted all TEMP folders, re-booted. No change. Still fairly regular popups advising MBAM blocking these two sites. Something's still present somewhere that MBAM is not finding.

    Deleted all unwanted programs and products in Control Panel, and removed/uninstalled/disabled all plugins and add-ons for IE. No change. Access to these two sites persists.

    Applied all Windows Updates for Vista, including application of Service Pack 3. This installs IE8, and I further upgraded to IE9. Once again, still can't stop these accesses to the two sites. Yes, MBAM is blocking them. But there's no way to turn off the bubble-message advising that the access has been blocked, and it's just perpetually annoying to have to click on the message to make it go away or wait 10 seconds while it just fades away naturally.

    Upgraded AOL from 9.1 to 9.5. Still no change. Obviously something is still "active" and attempting to contact these two sites, which has escaped detection.

    Re-scanned with MBAM, and found another 3 suspect files. Deleted them, re-booted, no change. Still MBAM blocks the ongoing access of the two IP addresses.

    I'm kind of at my wits end here, and looking for outside assistance. Is there a "more robust" piece of anti-malware software which might finally get to the bottom of this and locate the offending file(s) or Registry entries associated with the access of these two IP addresses?


    As far as MBAM is concerned, I'd actually be willing to just accept the fact that it correctly and thankfully blocked access to these two sites "quietly and silently", rather than also bother me advising of each blockage with a popup bubble-message. But I don't see any such setting to prescribe that behavior.

    Many thanks in advance for any advice or direction.


    I also did run a FULL scan (as opposed to a QUICK scan), and MBAM found 2 more suspect files. But once again, deleting them and re-booting produced no change. I'm still getting ongoing attempts to access those two IP address and associated proper blocking of those attempts by MBAM.

    ==> I'd really like to truly remove whatever is responsible. But MBAM is obviously not finding it.


  2. Posts : 6,330
    Multi-Boot W7_Pro_x64 W8.1_Pro_x64 W10_Pro_x64 +Linux_VMs +Chromium_VM
       #2

    The Protection tab has a "Show tooltip balloon when malicious website is blocked".
    Does unchecking that turn off the popup message?
    I assume you're using MBAM 1.75, not the new 2.0 BETA.

    It looks like you created a thread in the MBAM Removal Help forum for this ...
    I don't know how quickly they help with cleaning malware, and it's a weekend ...

    [screenshot attachment: mbpsp01.png]


  3. Posts : 10,485
    W7 Pro SP1 64bit
       #3

    I think that David has the solution to your MBAM popup.

    Have you looked at Resource Monitor to see what app is contacting the IP addresses? Just as a test, disable the DNS service and restart the computer. That may make the info in Resource Monitor clearer.

    You might also want to download/run Process Explorer. It can now send a file hash to VirusTotal for every process that it finds running - of course, root kits can hide from Process Explorer, MSE and MBAM.

    Since support for MSE is going away for XP boxes that I support, I've been playing with Panda Cloud Antivirus. That AV tool can also tell you which app is connecting to those IP addresses.


  4. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #4

    DavidW7ncus said:
    The Protection tab has a "Show tooltip balloon when malicious website is blocked".
    Does unchecking that turn off the popup message?
    I assume you're using MBAM 1.75, not the new 2.0 BETA.
    AHA!! I'm an idiot! Don't know how I did not see that option before you pointed it out!

    I un-checked it, but the now "furiously frantic" attempts for the malware to "phone home" had increased to every few seconds, and I was unable to stop it even with this check box un-checked.

    In frustration, I re-booted. And now, finally, the bubble messages were suppressed (even though entries in the LOG continued to be recorded).

    So at least now the desktop user-experience is back to "silent normal" with no intrusively annoying constant popup messages indicating the blocked IP access attempts. Even though that's only part of the "solution", along with MBAM doing the blocking of the attempted IP access being another part of the solution, the remainder will come when I determine the true "culprit" rogue code and get rid of it.

    Many many thanks for this tip. And yes, I'm using the official 1.75 version of the program.


  5. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #5

    UsernameIssues said:
    I think that David has the solution to your MBAM popup.
    Indeed... don't know how I missed that option.

    But un-checking it quieted down the "patient" so that I could focus on some more data gathering.


    Have you looked at Resource Monitor to see what app is contacting the IP addresses?
    Excellent idea. Again, I should have thought of that as well. Many thanks for the "crack on the head" to wake me up!

    Anyway, it does appear (at least in this Windows session) to be related to service PID=876, which is running through the appearance of SVCHOST.EXE (DcomLaunch). Other than that, there's not much of any identification to go on.

    However it does appear to be attempting to contact 62.75.136.158/159, which are two IP addresses in Russia registered to Abuzam.net. I'm guessing these are what externally appear eventually as 5.45.64.145 and 5.45.69.131 for MBAM to block, as the 5.45 addresses never actually showed up in Resource Monitor whereas the 62.75 addresses did.

    I have not yet tried to simply "remove" that PID=876 service task.

    You might also want to download/run Process Explorer. It can now send a file hash to VirusTotal for every process the it finds running - of course, root kits can hide from Process Explorer, MSE and MBAM.
    Another EXCELLENT suggestion.

    There was some seemingly relevant information revealed by SysInternals as a clue here for PID=876. Again, the annotation of DcomLaunch appears closely involved.


    I did a "search" on the Vista machine for Dcom, and didn't find much that might be applicable other than the "Microsoft remote assistance DcomServer" folder. But I have the same folder on my own Win7 machine, so it looks probably legit... although that may be precisely the "ruse".

    Anyway, as you point out, no response yet over on the Malwarebytes forum thread. But you definitely have gotten me headed in the right direction research-wise. I'll do some Interweb searching on DcomLaunch and see if that turns up anything.

    Many many thanks.
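The Resource Monitor and Process Explorer steps suggested in post #3 and the finding in post #5 (PID 876, a shared svchost.exe in the DcomLaunch group, talking to 62.75.136.158/159) can be reproduced from two built-in Windows tools, `netstat -ano` and `tasklist /svc`. The script below is an added example, not code from the forum posts; it joins the text output of those two commands so that every outbound peer is attributed to a PID and, for svchost.exe, to the service names hosted in that PID. The two sample outputs are constructed to look like the real tools: PID 876, DcomLaunch and the 62.75.136.158/159 peers come from the thread, while the local address, PlugPlay, the other PIDs and the 203.0.113.10 peer are illustrative. The function names are this example's own.

```python
"""Attribute outbound connections to the service(s) inside a shared svchost.exe.

Added example, not from the forum thread. It parses CONSTRUCTED samples of
`netstat -ano` and `tasklist /svc` output; on a live box you would feed it
the real output of those two commands (run from an elevated prompt).
"""
import re
from collections import defaultdict

# Constructed to mimic `netstat -ano`; only PID 876 / 62.75.136.158-159 are from the thread.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.10:52168     62.75.136.158:80       SYN_SENT        876
  TCP    192.168.1.10:52307     62.75.136.159:443      ESTABLISHED     876
  TCP    192.168.1.10:49171     203.0.113.10:443       ESTABLISHED     2344
  UDP    0.0.0.0:500            *:*                                    1120
"""

# Constructed to mimic `tasklist /svc`; the DcomLaunch group on 876 is from the thread.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    876 DcomLaunch, PlugPlay
svchost.exe                   1120 IKEEXT, PolicyAgent
iexplore.exe                  2344 N/A
"""

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")
TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<svcs>.+?)\s*$")


def parse_netstat(text):
    """One dict per connection row; the header line does not match the regex."""
    return [m.groupdict() for m in map(NETSTAT_RE.match, text.splitlines()) if m]


def parse_tasklist(text):
    """Map PID -> (image name, [service names]); 'N/A' means an ordinary process."""
    owners = {}
    for m in map(TASKLIST_RE.match, text.splitlines()):
        if not m:
            continue
        svcs = m["svcs"].strip()
        names = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        owners[int(m["pid"])] = (m["image"], names)
    return owners


def attribute(netstat_text, tasklist_text):
    """Return {remote_ip: [row, ...]} for every non-listening, non-local peer."""
    owners = parse_tasklist(tasklist_text)
    by_peer = defaultdict(list)
    for row in parse_netstat(netstat_text):
        if row["state"] == "LISTENING":
            continue
        peer_ip = row["remote"].rsplit(":", 1)[0]
        if peer_ip in ("*", "0.0.0.0", "127.0.0.1") or peer_ip.startswith("[::"):
            continue
        pid = int(row["pid"])
        image, services = owners.get(pid, ("<not in tasklist>", []))
        by_peer[peer_ip].append({"pid": pid, "image": image,
                                 "services": services, "state": row["state"]})
    return dict(by_peer)


def servicedll_key(service_name):
    """Registry key whose ServiceDll value names the DLL svchost loads for the
    service. That DLL, not svchost.exe itself, is the file worth hashing."""
    return r"HKLM\SYSTEM\CurrentControlSet\Services\%s\Parameters" % service_name


def next_steps(by_peer):
    """For peers owned by svchost.exe, list the ServiceDll keys to inspect."""
    keys = {}
    for peer, rows in by_peer.items():
        for row in rows:
            if row["image"].lower() == "svchost.exe":
                keys.setdefault(peer, []).extend(servicedll_key(s) for s in row["services"])
    return keys


if __name__ == "__main__":
    peers = attribute(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for peer, rows in sorted(peers.items()):
        for r in rows:
            print(f"{peer:16} pid={r['pid']:<5} {r['image']:<14} "
                  f"{r['state'] or '-':<12} services={','.join(r['services']) or '-'}")
    for peer, keys in next_steps(peers).items():
        print(peer, "-> inspect ServiceDll under:", *keys, sep="\n  ")
```

The point of the join is that "svchost.exe" on its own identifies nothing: the process is a generic host, so hashing svchost.exe and submitting it to VirusTotal (as Process Explorer would) will come back clean even when one of the service DLLs it loaded is the culprit. The PID narrows it to a service group, and the ServiceDll values under each service's Parameters key name the actual DLLs to hash, sign-check and, if unknown, submit. A connection that moves between PIDs across reboots, or a service whose ServiceDll points outside System32, is what a practitioner would look for first.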


  6. Posts : 10,485
    W7 Pro SP1 64bit
       #6

    Did you disable the DNS service while testing? Of course, the app connecting to the 5.... IP addresses will not need to make a DNS inquiry to connect to an IP address that is already known, but with the DNS service disabled, malware usually sticks out by making lots of DNS queries to other computers.

    Did you notice the option to have Process Explorer check out each process?

    [screenshot attachment: pm-vt.png]
    Expect a few hits on TeamViewer - if that is installed.


    I find it odd that the 5.... IP addresses did not show up in Resource Monitor. What does one of the MBAM log entries for those addresses look like? If you feel real adventurous, you can uninstall MSE and put Panda Cloud Antivirus on for a second opinion on what app is connecting to what external IP or server. Let me know if you want to try that and I'll document the screens to click on to set up Panda to log such connections.


    BTW, I think that the AOL browser is just a wrapper for very old versions of Chrome. AOL 9.7 is Chrome 21. (Chrome is up to 32.) Surf to whatsmyuseragent.com using AOL and see if it IDs the Chrome rev.


  7. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #7

    It sounds as though your system needs a good thorough malware cleanup.

    Start with this scanner:
    AdwCleaner (by Xplode) Download > AdwCleaner Download
    Save to the Desktop.

    Before running the program, please read the AdwCleaner Usage Instructions.
    It alerts users of Antivir Webguard to the consequences of using this program.
    Also, be aware the program resets search settings to the default Microsoft search, if changed by adware.

    To proceed, right-click on AdwCleaner.exe and select: Run as Administrator

    At the main window, press the [Scan] button.
    The Scan function does not delete anything. It just lists elements.

    Once AdwCleaner completes its scan, it shows a list of elements.
    You can uncheck any item(s) you do not want to remove.

    Next, click the [Clean] button.

    A small window appears to inform that all programs will close.

    AdwCleaner proceeds to delete all checked elements.

    If a reboot is needed, a small window appears notifying of such. Please click: OK

    When the AdwCleaner logfile appears, please provide it in your reply.

    (The logfile is also saved in C:\AdwCleaner\AdwCleaner[R0].txt)
    more information can be found on the author's site: Xplode


    Then collect some information:
    I've started using and recommending herdProtect - a multi-engine scanner.

    Try downloading the portable version here. Then run herdProtect on the infected system.
    Unfortunately herdProtect is still in beta, so it's a report only scanner; it doesn't fix the problem.


  8. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #8

    UsernameIssues said:
    Did you disable the DNS service while testing? Of course, the app connecting to the 5.... IP addresses will not need to make a DNS inquiry to connect to an IP address that is already known, but with the DNS service disabled, malware usually sticks out by making lots of DNS queries to other computers.
    Did not do that, at least not yet. I was kind of poking around just enough to get some high-level information that might be very revealing, and I think it was.

    But I will probably do some deeper probing, especially after [hopefully] the Malwarebytes forum post produces some response from their support people.


    Did you notice the option to have Process Explorer check out each process?
    Again, I didn't really do much playing here. I was focused simply on the DcomLaunch revelation and tie-in, and just wanted to get that documented.

    I will no doubt use its more in-depth tools when I continue on with this later today. (need some sleep)


    I find it odd that the 5.... IP addresses did not show up in Resource Monitor. What does one of the MBAM log entries for those addresses look like?
    Plain and simple:

    Code:
    2014/02/01 08:56:08 -0500    PAUL    susan    IP-BLOCK    5.45.69.131 (Type: outgoing, Port: 51956, Process: svchost.exe)
    2014/02/01 08:58:00 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52168, Process: svchost.exe)
    2014/02/01 08:59:13 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52307, Process: svchost.exe)
    2014/02/01 09:00:49 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52477, Process: svchost.exe)
    2014/02/01 09:01:37 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52538, Process: svchost.exe)
    2014/02/01 09:02:26 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52557, Process: svchost.exe)
    2014/02/01 09:02:34 -0500    PAUL    susan    IP-BLOCK    5.45.69.131 (Type: outgoing, Port: 52560, Process: svchost.exe)
    2014/02/01 09:03:30 -0500    PAUL    susan    IP-BLOCK    5.45.69.131 (Type: outgoing, Port: 52568, Process: svchost.exe)
    2014/02/01 09:04:18 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52574, Process: svchost.exe)
    2014/02/01 09:06:34 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52593, Process: svchost.exe)
    BTW, I think that the AOL browser is just a wrapper for very old versions of Chrome. AOL 9.7 is Chrome 21. (Chrome is up to 32.) Surf to whatsmyuseragent.com using AOL and see if it IDs the Chrome rev.
    I upgraded to AOL 9.5, not 9.7. But there is no reference to Chrome. Actually it looks like some underlying reference to Mozilla, although it's really using the installed IE9.

    Now, the above useragent string is VERY VERY VERY interesting to me... because there is a SECOND problem on this Vista laptop as relates to AOL that I'm also trying to solve. I'm not an AOL expert (or even novice, really), so any help would be appreciated.

    Yes, this machine previously was at Vista Service Pack 2 and using IE7 and AOL 9.1. But she had a problem "seeing the pictures" via for shopping via advert email sent from Nordstrom's, that she would read using AOL email. The problem was that Nordstrom's web site made a change a few months ago which required IE higher than 7, in order to support the new graphics functionality their web pages now utilized. So the pictures on the web pages were not showing up, instead replaced by the standard "dead links" icons.

    So I fully expected my application of Vista Service Pack 3, and the subsequent upgrade to IE8 followed by my manual upgrade to IE9, along with my AOL software upgrade from 9.1 to 9.5, well I expected that this all would "fix" the problem of "dead graphics links icons" on those Nordstrom pages.

    Remarkably, it did NOT fix the problem! Instead, the Nordstrom pages continued to display (in what is actually an IE browser window launched by AOL when you click on the "view email in a browser window" link) an error message stating "we no longer support the browser you are using, IE7". Clearly this is tied to the loss of graphics issue on their web pages when viewed through AOL, but should no longer be happening because it is now IE9 which is currently installed... not IE7 as it definitely used to be.

    So now I see this useragentstring value which also shows IE7!!! And yet, it is really IE9 that is on the machine.

    So, if I knew how to purge that "cookie" or whatever AOL saves in order to populate the useragentstring, so that it would pick up a current and correct value of IE9, well I suspect that would obviously now send the proper useragentstring to the Nordstrom web site when queried, and the online sales pages would [hopefully and presumably] now populate the graphics correctly on those pages.

    So... you wouldn't happen to know how/where to get that AOL value changed to properly reflect IE9?
    Last edited by dsperber; 01 Feb 2014 at 10:30.
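The IP-BLOCK lines quoted in post #8 carry more than the fact that something was blocked: the timestamps, the ever-changing source ports and the process column together describe how the beaconing behaves. The script below is an added example, not part of the post or of Malwarebytes; it parses that log format and profiles each blocked peer (attempt count, distinct source ports, processes, and the gaps between attempts, with a coefficient of variation that approaches 0 for a clockwork beacon). The ten sample lines are the ones the post quotes; the profiling is this example's own, as are the function names.

```python
"""Parse Malwarebytes 1.x IP-BLOCK log lines and profile each blocked peer.

Added example, not from the forum post and not an MBAM feature. LOG_SAMPLE
holds the ten lines quoted in the thread; any other record type in a real
log (DETECTION, QUARANTINE, ...) is simply skipped by the regex.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOG_SAMPLE = """\
2014/02/01 08:56:08 -0500    PAUL    susan    IP-BLOCK    5.45.69.131 (Type: outgoing, Port: 51956, Process: svchost.exe)
2014/02/01 08:58:00 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52168, Process: svchost.exe)
2014/02/01 08:59:13 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52307, Process: svchost.exe)
2014/02/01 09:00:49 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52477, Process: svchost.exe)
2014/02/01 09:01:37 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52538, Process: svchost.exe)
2014/02/01 09:02:26 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52557, Process: svchost.exe)
2014/02/01 09:02:34 -0500    PAUL    susan    IP-BLOCK    5.45.69.131 (Type: outgoing, Port: 52560, Process: svchost.exe)
2014/02/01 09:03:30 -0500    PAUL    susan    IP-BLOCK    5.45.69.131 (Type: outgoing, Port: 52568, Process: svchost.exe)
2014/02/01 09:04:18 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52574, Process: svchost.exe)
2014/02/01 09:06:34 -0500    PAUL    susan    IP-BLOCK    5.45.64.145 (Type: outgoing, Port: 52593, Process: svchost.exe)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+IP-BLOCK\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)\s*$")


def parse_mbam_log(text):
    """Return one event dict per IP-BLOCK line, with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"] + m["tz"], "%Y/%m/%d %H:%M:%S%z")
        events.append({"when": when, "ip": m["ip"], "port": int(m["port"]),
                       "direction": m["direction"], "process": m["process"].strip()})
    return events


def profile_peers(events):
    """Per blocked peer: attempt count, source ports, processes and gap statistics."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    profiles = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps) if gaps else None
        profiles[ip] = {
            "attempts": len(evs),
            "processes": sorted({e["process"] for e in evs}),
            "distinct_ports": len({e["port"] for e in evs}),
            "first": evs[0]["when"],
            "last": evs[-1]["when"],
            "gaps": gaps,
            "mean_gap": avg,
            # spread of the gaps relative to their mean: near 0 means a fixed-interval beacon
            "gap_cv": (pstdev(gaps) / avg) if len(gaps) > 1 and avg else None,
        }
    return profiles


if __name__ == "__main__":
    for ip, p in sorted(profile_peers(parse_mbam_log(LOG_SAMPLE)).items()):
        cv = "n/a" if p["gap_cv"] is None else f"{p['gap_cv']:.2f}"
        print(f"{ip:14} attempts={p['attempts']} ports={p['distinct_ports']} "
              f"mean_gap={p['mean_gap']:.0f}s gap_cv={cv} procs={','.join(p['processes'])}")
```

Two things stand out in the output for this log. The source port is different on every attempt and climbs steadily, so each attempt is a fresh outgoing socket rather than one stuck connection, which is why nothing ever shows up as established. And the 1.x log records a process name but no PID: "svchost.exe" is a shared host, so the log alone cannot say which service made the request, and the PID from Resource Monitor or netstat is needed to go further. The gaps here are irregular (roughly 50 to 140 seconds for 5.45.64.145), which is consistent with the "every few seconds while a browser or AOL is open" description rather than a fixed-timer beacon.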


  9. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #9

    dsperber said:
    I upgraded to AOL 9.5, not 9.7. But there is no reference to Chrome. Actually it looks like some underlying reference to Mozilla, although it's really using the installed IE9.
    How's that AdwCleaner scan coming along? I know threads get hectic sometimes, run the scan when you get the chance.

    Could you explain what you mean by although it's really using the installed IE9

    I think you're also confusing "IE7 browser" with "IE7 HTML std"

    I saw that you applied Vista SP3 and I recommend running Windows Update (WU) on that machine until there are no further updates offered.

    See where that gets you.


  10. Posts : 2,752
    Windows 7 Pro x64 (1), Win7 Pro X64 (2)
    Thread Starter
       #10

    Slartybart said:
    How's that AdwCleaner scan coming along?
    I'm back on that machine again. It's actually in Florida and I'm in LA, remoting in with RealVNC.

    I will run this shortly.


    Could you explain what you mean by although it's really using the installed IE9
    It is no longer IE7 which is actually installed and currently running when the "E" gets launched. It's IE9.

    And yet the "useragentstring" value that gets sent out when using the AOL browser (and which is presumably then parsed by the Nordstrom web site to confirm that a compatible version of IE is in use on the client machine) shows that it is "MSIE 7.0" which is in use (if my interpretation of that value is correct), rather than what I would now expect to see as "MSIE 9.0".

    IE7 previously was installed until yesterday's software upgrades. It's now IE9, and I'd think that is what would now be in "useragentstring".


    I think you're also confusing "IE7 broswer" with "IE7 HTML std"
    Might be. If so, then my theory as to why the Nordstrom site presents the error message that it is presenting would suggest it is deciding IE7 is in use must be from something other than "useragentstring"... which I honestly doubt.


    I saw that you applied Vista SP3 and I recommend running Windows Update (WU) on that machine until all there are no further updates offered.
    Good idea, although there is no Windows Update icon showing in the system tray.

    But while this is certainly prudent and wise and appropriate, it still doesn't address either of my two issues:

    (1) malware attempting to contact Russia, and

    (2) AOL sending indication to Nordstrom site of installed_browser=MSIE7 when it should be sending installed_browser=MSIE9. If it's not in "useragentstring" then where else might it be??
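Posts #8 through #10 turn on a User-Agent string that says "MSIE 7.0" on a machine where IE9 is installed, and post #9's remark about "IE7 browser" versus "IE7 HTML std" points at the way IE8 and later advertise themselves. The script below is an added example, not code from the thread. Because the thread does not reproduce the laptop's actual User-Agent string (it was a screenshot), the strings here are constructed in the documented IE format: from IE8 on, the "Trident/x.y" token names the real rendering engine (4.0 = IE8, 5.0 = IE9, 6.0 = IE10, 7.0 = IE11), while the "MSIE n.0" token drops to 7.0 when a page is rendered in Compatibility View. Whether that is what is happening on this laptop is an assumption the example does not prove; the function names and the `naive_msie_check` stand-in for a site's browser check are this example's own.

```python
"""Separate the IE version a User-Agent claims from the one that is rendering.

Added example, not from the forum thread. All sample strings are CONSTRUCTED
in the documented IE8-IE11 format; the Trident-to-IE mapping is a known
property of those releases.
"""
import re

# Trident layout-engine token -> the IE release that ships it.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")

# Constructed samples: "Windows NT 6.0" is Vista. The compat-view strings are
# what IE9 / IE8 send for a page rendered in Compatibility View.
CONSTRUCTED_SAMPLES = {
    "ie7_vista":        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "ie8_vista":        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "ie9_vista":        "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
    "ie9_compat_vista": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/5.0)",
    "ie8_compat_vista": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)",
}


def classify_ie_ua(ua):
    """Return {'claimed', 'real', 'compat_view'} for an IE User-Agent, else None.

    'claimed' is the MSIE token, 'real' comes from the Trident token when one is
    present (IE8+), and compat_view is set when the two disagree."""
    m = MSIE_RE.search(ua)
    t = TRIDENT_RE.search(ua)
    if not m and not t:
        return None
    real_from_trident = TRIDENT_TO_IE.get(t.group(1)) if t else None
    claimed = int(m.group(1)) if m else real_from_trident
    if claimed is None:
        return None  # Trident token we do not know and no MSIE token: cannot say
    real = real_from_trident or claimed
    return {"claimed": claimed, "real": real, "compat_view": real > claimed}


def naive_msie_check(ua, minimum=8):
    """Hypothetical server-side gate that looks only at the MSIE token, the kind
    of check that would report 'IE7' for an IE9 in Compatibility View."""
    m = MSIE_RE.search(ua)
    if not m:
        return "not IE"
    major = int(m.group(1))
    return "supported" if major >= minimum else f"unsupported: IE{major}"


if __name__ == "__main__":
    for name, ua in CONSTRUCTED_SAMPLES.items():
        info = classify_ie_ua(ua)
        print(f"{name:17} claimed=IE{info['claimed']} real=IE{info['real']} "
              f"compat_view={info['compat_view']!s:5} site_says={naive_msie_check(ua)}")
```

If the AOL-launched IE window on the laptop really sends the "ie9_compat_vista" form, a site that inspects only the MSIE token will keep saying "IE7" no matter how many times IE is upgraded; the thing to check on that machine is whether the page (or the whole domain) is listed in Compatibility View settings, and what document mode the F12 tools report for it. If the string has no Trident token at all, the window is genuinely running IE7 and the upgrade did not take.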


 