Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Outgoing IP connection blocked 2

Status
Not open for further replies.
licarse

licarse

IS-IT--Management
Sep 22, 2005
65
0
0
US
Hi,

One computer in my LAN started to get notifications from malwarebytes, saying IP 93.158.114.37 (outgoing) is blocked. The user can't install software, and he doesn't visit porn/games/etc. sites. I've run a full scan from SEP and Malwarebytes and there doesn't seem to be an infection.

I've also used TCPView and found that this only happens -randomly- when he's using IE. There are no suspicious add-ons also.

I used HJT and found two suspicious things. I can't post the whole log here but these two are the ones that call my attention:

R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-CQJ7A.exe" /REG /REGSVRMODE

Any ideas/suggestions?
 
Sort by date Sort by votes
The first one does nothing but should be removed just in case. The second sounds very suspicious. It looks like it's accessing the registry for some reason. You may have to dig into Malwarebytes was to why the IP is blocked. Maybe port scanning or using too much bandwidth.

James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]
 
Upvote 0 Downvote
Malwarebytes doesn't have a verbose log... at least not that I know. The only thing the log keeps is the time the IP was blocked, the IP number and the user. Nothing else. Any other ideas?
 
Upvote 0 Downvote
Try restoring it back to a date before this first appeared. That might help.
 
Upvote 0 Downvote
Could be a temporary reference left behind by an innosetup application install.
Run CCleaner and Glarys utilities first.


Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
Upvote 0 Downvote
Code: 
Name servers matching IP 93.158.114.37 
Domain Name servers     IPs Domain IP                          ASN Description Date     Details
vechaicher.ru 	  ns1.aceblackjoker.com => 93.158.114.37     (AS19170) MISN           Trojan Zbot drop zone
                    ns1.digitalcorz.com => 93.158.114.37       66.43.45.175 	        2010-09-14

so definitely you have something going on in the background...

Find and Remove Zeus (Zbot) Banking Trojan

BitDefender Releases Emergency ZBot Removal Tool

I would also reset the winsocks on that machine, by issuing the following command in a CMD window (not the run box pls):

netsh winsock reset catalog

and reboot when prompted...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
Not to counter BigBadBen's advice, but just to offer some possible insight and ask a question: could you also use a program like process explorer and/or tcpview to see what process was attempting to establish this connection?
 
Upvote 0 Downvote
Yes I did. I explained that in my first post. After BadBigBen post, I searched focusing on ZBot and used Symantec's removal tool. Since then we have no longer IP connection attempts to the suspicious IP...

Thanks a lot to everybody, specially BadBigBen!
 
Upvote 0 Downvote
Well I have to reopen this thread...

The computer started attempting to connect again to the same IP, under the very same previous behaviour. The only thing that changed is that connection attempts haven't been persistent, just 5 today (it started today).

I've already ran Trend Micro's Housecall, SEP, Malwarebytes and NEP. Checked manually in the registry and %systemroot% for possible ZBOT infections/variants but found nothing.

Any other suggestion?

P.D.: As my first post, the problem seems to trigger whenever a browser (IE, Firefox) is opened. But IE is behaving oddly-randomly. Sometimes gmail doesn't show up the delete, move, tag, etc., buttons, and some other pages don't show up images, just the red X as if a communication problem impede images to download correctly. But as said before, this is a random behaviour, and the outgoing connection is not attempting to phone home persistently (again, just 5 attempts today).
 
Upvote 0 Downvote
Make a specific check for rootkits. Download and run Kaspersky's TDSSKiller. This is a free application.

ROGER - G0AOZ.
 
Upvote 0 Downvote
It found nothing. Just opened IE in the PC and it tried to connect again to the suspicious IP. Any other tool?
 
Upvote 0 Downvote
What, and how, are you running antivirus/malicious software checks? Your problem suggests to me that whatever you're running is not finding the root cause.

Given you have the facility, I'd remove the hard disk drive from the infected machine, and attach it as a secondary drive to a known clean machine. Run that machine's AV tools on the secondary drive. I find this system works effectively at removing most malicious software.

ROGER - G0AOZ.
 
Upvote 0 Downvote
Good point. I'll do it and let you know.
 
Upvote 0 Downvote
Running a scan with the hard drive as a slave is NOT the best way to find rootkits. They disappear into the tall grass like a lion on the savanna when the o.s. is NOT loaded.

Try Radix, Combofix, Gmer, Microsoft Standalone System Sweeper. Probably in the that order. If you can't find it and clean it then, think about "abort and reload".
 
Upvote 0 Downvote
Goombawaho: Ok, I'll try those tools. As you pointed out, scanning the HD as slave didn't find anything else.
 
Upvote 0 Downvote
To Goom's suggested tools, I would like to add that perhaps deleting all restore points prior to scanning should be considered...

also add the IP that the PC is trying to contact, to the HOST file and have it redirect to local host (127.0.0.1)...

If you can't find it and clean it then, think about "abort and reload".
Click to expand...
that is very good idea...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Upvote 0 Downvote
I ran radix on friday. Anyone here would like to help me analyzing it's log? I can't post it directly to the forum for security/privacy issues...
 
Upvote 0 Downvote
The most annoying (or lucky?) part of this is that the computer hasn't tried to connect to the IP since Friday. It seems to be random but why it had so much activity in the past, stopped communicating when I ran NEP, then started again, now stopped after I ran radix? I haven't fix anything on the computer, just scanned it.
 
Upvote 0 Downvote
Looks like a job for Sysinternals. You can view a video of A Case of the Unexplained that shows some of the common tools that can be used to track down odd problems like this. There are also other videos and blogs plus all the free tools.

James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Kjonnnn
  • Locked
  • Question
Virus and Code 31 connection Has
Replies
4
Views
51
Kjonnnn
Kjonnnn
ShadyGuitarMan
  • Locked
  • Question
"A recent attempt to attack your computer was blocked."
Replies
0
Views
36
ShadyGuitarMan
ShadyGuitarMan
Irene316
  • Locked
  • Question
A Recent attempt to attack your computer was blocked
Replies
0
Views
35
Irene316
Irene316
lowKut
  • Locked
  • Question
Clients are Getting Numerous Network Threat Protection Block IPs
Replies
3
Views
46
lowKut
lowKut
stevenriz
  • Locked
  • Question
Can a Trojan record keystrokes through a terminal server connection?
Replies
6
Views
53
electronicsfreak
electronicsfreak

Part and Inventory Search

Sponsor

Back
Top