Getting rid of an IP

Discussion in 'Malware Help (A Specialist Will Reply)' started by The Nameless One, Nov 5, 2007.

  1. The Nameless One

    The Nameless One Private E-2

    Lately I've been getting messages from NOD32 about this item:

    http:[REMOVETHIS]//74.208.13.39/n2_21_09_07_0.exe

    (I put the [REMOVETHIS] part in so that people don't click it by accident)

    ...saying it could be a trojan.

    If I understood what's going on, it must be an address trying to install malware on my PC. I've run a search and it says it's from an American company called 1&1 Internet Inc.

    How can I stop this from happening again? It's getting annoying.

    If I uncheck the "Show alert window" (if that's what it's called), will it automatically block it, or will it take no action?

    (I've run a deep scan and found nothing, of course, also other scans with SpyBot and AVG Anti-Spyware)
     
  2. abri

    abri MajorGeek

    Hi The Nameless One

    As long as Nod32 is blocking this, you can use your browser? The problem with allowing it to be blocked by your antivirus is that at some point your antivirus may be disabled for whatever reason, and then you will have a much bigger problem. Did you find your information about it in this article? http://forums.comodo.com/comodo_ant...il_exploit_sneaking_by-t14053.0.html;msg98424

    It would be helpful for us if you can run through these. NEW READ & RUN ME FIRST WITH MG TOOLS

    This will produce a set of logs you can attach with your next post which will allow us to see what's going on in your registry.

    Thanks.
    abri
     
  3. The Nameless One

    The Nameless One Private E-2

    The link to the article doesn't work.

    But I can use my browser (Opera).

    I've searched a little and found out the Peer Guardian can block certain addresses. Does it conflict with Windows Firewall?

    I'll check the other link you gave me.

    EDIT: here are the logs...

    EDIT2: Peer Guardian doesn't seem to work...
     

  4. abri

    abri MajorGeek

    Hi Nameless One

    I'm sorry you can't get to that website. This is the complete website address, but I put a line break in the middle of it, so you'll have to put it back together.
    The problems listed in here sound very relevant. You have the same files being generated in your temporary files, which you can see if you do a search in your newfiles.txt log in the zip folder for C:\WINDOWS\TEMP
    Anyway, we are going to kill them and then try to locate what is generating them. They all came in in the last two days.


    1) Please look in Add/Remove Programs for the following and uninstall them if found. If you get any errors just make a note and proceed.

    - J2SE Runtime Environment 5.0 Update 10
    - J2SE Runtime Environment 5.0 Update 11
    - J2SE Runtime Environment 5.0 Update 2
    - J2SE Runtime Environment 5.0 Update 4
    - J2SE Runtime Environment 5.0 Update 6
    - Java(TM) 6 Update 2
    - Java(TM) SE Runtime Environment 6 Update 1
    - MessengerPlus! 3\MsgPlus.exe
    <---- consider seriously replacing this with Windows Live if you don't have it. Windows Plus is a source of adware for your computer.

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) We need to stop a service:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to ICF.
    • Then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste ICF into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    4) Now run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After you click FIX, just exit HijackThis.


    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    If you use Internet Explorer browser
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    6) Now please REBOOT your computer.


    7) After you have completed ALL of the above in the correct order, please attach a fresh set of the zipped logs.
    • MGlogs.zip
    abri
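Step 3 above stops and disables a service called ICF and step 4 relies on the newfiles.txt log showing fresh files in C:\WINDOWS\TEMP. As an added example (not part of the thread or of the MG Tools), the script below does the same triage from PowerShell: it shows where the named service's binary lives and how it starts, optionally stops and disables it, and lists executables created in the Windows temp folder within the last two days. It assumes PowerShell 3 or later and an elevated prompt; the service name "ICF" and the two-day window are taken from the thread.

```powershell
# Added triage example; not from the thread above. Assumes PowerShell 3+ and
# an elevated prompt. Service name and look-back window come from the thread.
param(
    [string]$ServiceName = 'ICF',   # suspicious service named in the thread
    [int]$DaysBack = 2,             # "They all came in in the last two days"
    [switch]$Disable                # stop and disable the service, as step 3 does
)

# 1) Inspect the service: binary path, current state and start mode.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    Write-Output "No service named '$ServiceName' is registered."
} else {
    $svc | Select-Object Name, DisplayName, State, StartMode, PathName | Format-List

    # A service binary living in a Temp folder or a user profile rather than
    # %SystemRoot%\System32 is a red flag worth reporting in the logs.
    if ($svc.PathName -match '\\Temp\\|\\Documents and Settings\\|\\Users\\') {
        Write-Warning "Service binary runs from an unusual location: $($svc.PathName)"
    }

    if ($Disable) {
        # Equivalent of the services.msc steps: Stop Service, then Start-up Type = Disabled.
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        Set-Service -Name $ServiceName -StartupType Disabled
        Write-Output "Service '$ServiceName' stopped and set to Disabled."
    }
}

# 2) List recently created executables in the Windows temp folder, which is
#    what the newfiles.txt log in the thread surfaced.
$cutoff = (Get-Date).AddDays(-$DaysBack)
Get-ChildItem -Path (Join-Path $env:SystemRoot 'Temp') -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.Extension -in '.exe', '.dll', '.scr' -and
        $_.CreationTime -gt $cutoff
    } |
    Select-Object FullName, CreationTime, Length |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Run it once without -Disable to record what is there, then again with -Disable only if the service's binary path confirms it is not a legitimate component.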
     
  5. The Nameless One

    The Nameless One Private E-2

    The link worked later. Go figure.

    A couple of things didn't go according to the script:

    - ICF was already deactivated. I did select the startup deactivation though.
    - On the second HJT run, I couldn't find the ICF Service among the things to delete. Did it get deleted on the first run?
    - In ATF cleaner, I couldn't select Opera (nor anything else), so I had to use the default options. I did select all and delete it, anyway.

    Ok, so here are the logs:

    Thanks a lot in advance if all is fixed.
     

    Last edited: Nov 5, 2007
  6. abri

    abri MajorGeek

    Hi Nameless!

    Your logs look much better. Unfortunately, your GetRunKeys scan doesn't run. There seems to be a problem with it recently. For the time-being, I would like to ask that you go to the link How to Protect Yourself from Malware so that you can find a two-way firewall, which you very much need. I'm not familiar with Peer Guardian, but the main thing is that you choose a firewall which will block both outgoing and incoming connections. Most of the firewalls will allow you to block specific ports. It takes a bit of time to configure them properly. When you install the firewall, turn off your Windows Firewall, as it is not good to have them both running at the same time. Your Security Center will recognize the new firewall, even if it is unhappy about this at first. If you've not used a firewall before, they are only a bit of trouble at first while you give them permission to allow the programs you use to access the net. If you're not sure about a program, say no. If you can't get to the net after that, reboot and say yes. Don't check any "remember this setting" until you are sure.

    I don't know at this point if your ip problem will come back, so please wait to remove all the tools until you can see if you're still getting the same warning from Nod32. We still need to set a new restore point, but you have not run any of the major scans and I would like to hear back from you in a day or two to hear how your computer is doing.

    abri
     
  7. The Nameless One

    The Nameless One Private E-2

    I had Zone Alarm and Outpost, but I have a router and they gave me hell. I'll see if I can get one anyway.

    I've kept the PC on for a good 5 hours and there's no sign of the problem. It used to come up every five minutes or so. I hope it's actually fixed.
     
  8. abri

    abri MajorGeek

    Hi Nameless!
    I hope it's fixed too.

    If you use ZoneAlarm, use the free one, as Pro gets too boisterous in its warnings. Pro likes to tell you things in dark red bold popups like a malicious program has been identified trying to make changes to your registry, but then it turns out the malicious program is your antivirus program. The free version is a very good firewall.

    abri
     
  9. The Nameless One

    The Nameless One Private E-2

    I've installed Comodo Personal Firewall. It's not giving any problems, for now.
     
  10. abri

    abri MajorGeek

    Oh good!

    We have a few final cleaning instructions for you to follow. Please go to add/remove programs and uninstall HijackThis. After you've done this, go to C:\MGTools in Windows Explorer and delete the entire folder. Once you've done this, please post back to me one last time to let me know how things are going and how the removal of the tools went. The delivery of these tools in this particular way is still in the testing stage so we're happy for feedback about them.
    abri
     
  11. The Nameless One

    The Nameless One Private E-2

    Everything seems to be fine. An Internet Explorer icon did appear on my desktop after the use of those tools, though. Or maybe it was the malware, I don't know.

    Well, thanks again for having rid my PC of that stuff.
     
  12. abri

    abri MajorGeek

    Hi The Nameless One!
    Did the Internet Explorer Icon appear after using the tools or after uninstalling them? I'm curious, because I got this too. I'll pass on this information.
    abri
     
  13. The Nameless One

    The Nameless One Private E-2

    After using the tools.
     
  14. abri

    abri MajorGeek

    Thanks for letting us know and happy surfing!
     