HijackThis & MBAM logs | MBAM keeps blocking infected ip numbers "infection detected" - Page 2

Damn ! It's still there !:@

Dang! Did it remove them?

Ya it removes them, tells me then to restart to have it completely removed. After restart I do a scan and it's there again...

I have PM'd PP on this one again. Problem is partially your 64bit system. So many tools DON'T work on 64bit. We'll get back with you, probably tomorrow.
Did you ever contact SAS and see if they would respond concerning this?
I HAVE searched their forum and thus far have found nothing about this. Still wonder if it maybe could be a false positive.

Ya it removes them, tells me then to restart to have it completely removed. After restart I do a scan and it's there again...

I am pretty sure REGEDIT4 is supported in Vista 64, but you might want to open regedit and manually remove the key. That way you know for sure it is gone.
Then, if it comes back, you know for sure something is restoring it....

But only hack the registry if you are familiar or comfortable doing that. Could really bork a machine.

I'll be back Sunday night, if you guys are still having trouble with this.

Cheers :)
PP

Hmz... when I try to delete {6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} it gives me an error access denied.

Hmz... when I try to delete {6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} it gives me an error access denied.

You probably need to change permissions.

RightClick it and select Permissions and make sure the box for Full Control is checked for your user group (probably Administrators) then delete it.

PP :)

You probably need to change permissions.

RightClick it and select Permissions and make sure the box for Full Control is checked for your user group (probably Administrators) then delete it.

PP :)

Still same thing. I gave full control to myself and Administrator but still nothing.

Still same thing. I gave full control to myself and Administrator but still nothing.

What error message do you get when you try to delete this?

-- I am not sure any of the easy tools I have will work w/ Vista 64

Download Bill James’ RegSrch

Extract it to your Desktop and DoubleClick regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type or Copy&Paste {6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} and Click OK.

-- You’ll need to save the log that pops up in Wordpad and then submit it for me.

I'll be back Monday night.

PP :)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}" 9/14/2009 18:05:37

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseRegistry\RegItem0]
"SubKey"="Interface\\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseRegistry\RegItem1]
"SubKey"="Interface\\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\\ProxyStubClsid"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseRegistry\RegItem2]
"SubKey"="Interface\\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\\ProxyStubClsid32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseRegistry\RegItem3]
"SubKey"="Interface\\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\\TypeLib"

Hi you have probably tried this but just checking, after you get rid of the process with SAS have you turned off and then turn back on sys restore before you reboot?

Good Luck;)

g3nX, for the moment leave system restore alone, thus far the affected files have not been located in System Restore. Have you emptied SAS Quarantine?

I wonder if SAS has those keys set for removal on reboot?

Plus, I don't see the HKCR key that it flagged on the scan....

Odd.

Plus, this doesn't seem a big deal to me - looks like an orphaned key that should be easy to remove.

PP:)

I wonder if SAS has those keys set for removal on reboot?
Plus, I don't see the HKCR key that it flagged on the scan....
Odd.
Plus, this doesn't seem a big deal to me - looks like an orphaned key that should be easy to remove.

PP:)

Still have found nothing on this at the SAS forum. But I'm like PP, I don't think it is a big deal really. Of course you've tried to remove it and it won't go, but nothing else is picking this thing up and I have seen nothing about it anywhere else as being bad, heck I have found some threads other places where this has been totally ignored when regedits have been suggested. Maybe I am not searching correctly but have found nothing.

Everything seems normal with my computer, except for Malwarebytes keeps prompting the infected blocked IPs. Also, I just emptied quarantined items from SAS.

What is the EXACT, FULL wording of the MBA-M prompts?
Since I don't use the MBA-M paid version I don't have this option but I will check it out for you if I can get the full wording.

Malwarebytes' Anti-Malware has successfully blocked access to malicious IP: 212.117.169.16

I suggest that you read this information about the IP protection provided by MBA-M since version 1.40.
http://www.malwarebytes.org/forums/index.php?showtopic=21076

You CAN disable these notifications but as you will see, it is not recommended. But the choice is yours. Please note what types of programs can trigger these notifications and also that they DON'T mean you have infection on the computer, just that MBA-M has blocked a website.
Also please note that this DOES NOT take the place of a Firewall...what is your firewall?

I'm not using a firewall.

I'm not using a firewall.

Then this would explain at least partially you infections. MBA-M is doing the job it is supposed to be doing but if you had a firewall running on there, ESPECIALLY since you obviously have been using the uTorrent program we several times have recommended removing.
So in essence...MBA-M is the ONLY protection you are running against Online attacks. The anti-virus program steps up pretty much once something has all ready gotten on to the computer.
Do what you wish, I cannot be a keeper here, but you can thank your lucky starts for these MBA-M alerts because I now firmly believe you would be a lot more infected than you have been if not for these warnings.

No... I've been always careful without a firewall and haven't gotten infected for a while already. It's just when I got MBA-M I started getting suspicious why the infected IPs are constantly trying to connect to me. So I thought my computer is infected or something... I have a firewall in my router, maybe one day I'll configure it. This computer is mainly for work so I don't download any stuff on it that might be infected or so...

No... I've been always careful without a firewall and haven't gotten infected for a while already. It's just when I got MBA-M I started getting suspicious why the infected IPs are constantly trying to connect to me. So I thought my computer is infected or something... I have a firewall in my router, maybe one day I'll configure it. This computer is mainly for work so I don't download any stuff on it that might be infected or so...

You have to remember that downloading is absolutely not the only way to get infected. Some of these infections, TROJANS I am talking about don't necessarily come from downloads that the user initiates they come from actual web sites themselves.
Here are the common ways that a Trojan will come onto your system as noted on Wikepedia

* Software downloads (e.g. A Trojan horse included as part of a software application downloaded from File sharing networks)
* Websites containing executable content (e.g. A Trojan horse in the form of an ActiveX control)
* Email attachments
* Application exploits (Flaws in a web browser, media player, messaging client or other software which can be exploited to allow installation of a Trojan horse)
* Social Engineering (e.g. A hacker tricking a user into installing a Trojan horse by communicating with them directly)

So as you can see, the user, personally, DOES NOT have to download anything. Many, many of the trojans we are commonly seeing today like all of those Rogue removal programs we are seeing...i.e..WinAntiVirus2007, and 2008, 2009, etc...all are in the same family and many, many just drop onto the computer from a website.
Don't do file sharing (uTorrent in your case), proper browser SETTINGS, more secure browsers than IE, using a Firewall, using programs like MBA-M can reduce these but as near as I can tell you are udoing only one of thee and that is using MBA-M but doing many other insecure things online.

A key phrase in your post to me is

haven't gotten infected for a while already

Why risk getting infected at all? There are many of us who surf all over the net daily without EVER getting an infection on the computer so it IS possible, and I sometimes HAVE to visit some very rquestionable sites when looking for fixes for others infected computers, I have NEVER gotten an infection from one of these sites, EVER in the 4 years I have been doing this assistance.

Malwarebytes' Anti-Malware has successfully blocked access to malicious IP: 212.117.169.16

This belongs to a server that you are trying to contact:

inetnum: 212.117.160.0 - 212.117.175.255
netname: SERVER-LU
descr: root eSolutions
country: LU
admin-c: AB99-RIPE
tech-c: RE655-RIPE
status: ASSIGNED PA "status:" definitions
mnt-by: ROOT-MNT
source: RIPE # Filtered

role: root eSolutions
address: 35, rue John F. Kennedy
address: L-7327 Steinsel
address: Luxembourg
phone: +352 20.500
fax-no: +352 20.500.500
e-mail: info@root.lu

HERE are some of the sites they host. Torrents, warez and pron. No wonder MBA-M block access.....

PP:)

This belongs to a server that you are trying to contact:

inetnum: 212.117.160.0 - 212.117.175.255
netname: SERVER-LU
descr: root eSolutions
country: LU
admin-c: AB99-RIPE
tech-c: RE655-RIPE
status: ASSIGNED PA "status:" definitions
mnt-by: ROOT-MNT
source: RIPE # Filtered

role: root eSolutions
address: 35, rue John F. Kennedy
address: L-7327 Steinsel
address: Luxembourg
phone: +352 20.500
fax-no: +352 20.500.500
e-mail: info@root.lu

HERE are some of the sites they host. Torrents, warez and pron. No wonder MBA-M block access.....

PP:)

haha wow what the hell... I went through the list and don't recall going to non of those websites... Just great. So why is that IP trying to access my computer constantly? Does that mean that there is some spyware hiding in my computer??

here are few more IPs 89.248.168.63 | 95.211.96.37 | 212.117.164.26

here are few more IPs 89.248.168.63 | 95.211.96.37 | 212.117.164.26

None nice. Why don't you put a firewall on there?
Exactly WHAT webpage are you on when these occur?
Copy paste it here.

None nice. Why don't you put a firewall on there?
Exactly WHAT webpage are you on when these occur?
Copy paste it here.

It doesn't matter if my browsers are open or not, it still keeps notifying me even when I just turn my computer on and leave it without running anything.

It doesn't matter if my browsers are open or not, it still keeps notifying me even when I just turn my computer on and leave it without running anything.

Because you don't have a firewall on there. I say again, MBA-M is not a firewall, you KNOW MBA-M is blocking these. It is blocking them because, as they state in their information

it provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges.

These are ones which are listed within the MBA-M database so it doesn't block ALL.

Look, this has really gotten somewhat ridiculous. We've told you multiple times WHY this is happening, you are supposed to get these notifications with MBA-M Protection Module, it is doing the job it was created to do. But it won't replace a firewall. You are running Vista. It HAS a built in two way firewall, turn it on. No, it isn't the very best but it is certainly better than nothing and with the exception of MBA-M that is all you have. These pages are "calling in" what on your computer is "calling out"? You don't know. Turn on the Windows Firewall and get some additional protection at least. All you have to do is turn it on. Period. You can continue to question these websites forever, it won't stop them, you are running a non-secure computer and as long as you allow this to continue you WILL get another infection that is a guarantee.

Sorry, when you asked me if I'm using a firewall I didn't think of windows firewall.... yes my windows firewall was and is always on.
So I still don't understand why those IPs keep trying to connect to me?? You are saying if I format my windows hard drive, I will still be getting this?? What firewall would you recommend? How's ZoneAlarm?

Sorry, when you asked me if I'm using a firewall I didn't think of windows firewall.... yes my windows firewall was and is always on.
So I still don't understand why those IPs keep trying to connect to me?? You are saying if I format my windows hard drive, I will still be getting this?? What firewall would you recommend? How's ZoneAlarm?

Who said anything about formatting your computer? But yes, chances are I think you still would be getting these. You can try it if you wish, that is your choice.
No, I wouldn't recommend Zone Alarm, the one I would recommend would probably be Outpost as it also works on a 64bit system. Many don't but this one does. You will have to disable the Windows Firewall when you install another one.

One thing you have to check is the settings in the browsers you use, make sure only 1st party cookies are allowed, 3rd party are blocked.

I believe you mentioned that your router has a firewall but you are not using it? Use it.