Technibble Forums > Technical Discussions > Security, Viruses and Trojans

  #1  
06-20-2012, 05:07 PM
union122

Malwarebytes Pro Constant blocked "outgoing" to 112.175.243.23

Windows 7 pro, 64bit.
Malwarebytes pro and MSE running.

I tried ComboFix, Malwarebytes in safe mode, SAS, D7 malware removal.

Any ideas?

thanks
  #2  
06-20-2012, 05:15 PM
NYJimbo

Can you tell what port it's using? If not, get SmartSniff from nirsoft.net, start it up and watch what it's trying to do.

I would also use a Kaspersky boot disk so you can get around the O/S completely.
  #3  
06-20-2012, 05:33 PM
union122

I will check that out later when I get home, thanks.
  #4  
06-20-2012, 06:30 PM
commodore64

+1 for Kaspersky Rescue Disk, or slave the drive to a computer with Kaspersky on it and scan it from there. Also, MBAM will find more in regular mode than it will in safe mode. You may want to try HitmanPro too.
  #5  
06-21-2012, 11:43 AM
Galdorf

Server IP: 112.175.243.23
Country: Korea, Republic Of
Region: Kyonggi-do
City: Seoul
Internet Service Provider: Korea Telecom
Server Host Name 112.175.243.23

http://www.bizimbal.com/odb/details.html?id=917600

Seems this site is used a lot for DDoS attacks.

If the Kaspersky Rescue CD does not find anything, then try the VBA32 rescue CD; it seems to find more malware than any other boot CD.

Last edited by Galdorf; 06-21-2012 at 11:51 AM.
  #6  
07-07-2012, 08:23 PM
union122

This is what aswMBR detected:
08:42:39.791 Service scanning
08:42:50.259 Service Mcx2Svc C:\Windows\SysWOW64\Mcx2Svc.dll **INFECTED** Win32:Sirefef-YL [Trj]
08:42:58.152 Service RemoteAccess C:\Windows\SysWOW64\mpreim.dll **INFECTED** Win32:Sirefef-YL [Trj]
08:43:09.665 Modules scanning


I manually removed both files in safe mode.

Do you guys think that is enough?
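The aswMBR lines above show two legitimate Windows service names (Mcx2Svc and RemoteAccess) whose service DLLs were replaced with Sirefef-flagged files under SysWOW64. Deleting the files in safe mode removes the payload but leaves the two service entries pointing at a missing or wrong DLL, so verification should include restoring the legitimate DLLs, re-scanning, and confirming the outbound blocks to the IP stop. As an added, defender-side example that is not part of the original thread, the following Python script parses aswMBR-style "Service" lines, keeps only the **INFECTED** entries, and explains why each path looks hijacked. The table of expected default DLL names (mcx2svc.dll and mprdim.dll) and the constructed clean BITS line are assumptions for illustration, not something the post states.

```python
"""Parse aswMBR-style service-scan lines and explain why each flagged DLL looks hijacked."""
import re
import ntpath
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample input: the two **INFECTED** lines quoted in the post,
# plus a fabricated clean BITS line to show that clean entries are skipped.
SAMPLE_LOG = """\
08:42:39.791 Service scanning
08:42:45.100 Service BITS C:\\Windows\\System32\\qmgr.dll
08:42:50.259 Service Mcx2Svc C:\\Windows\\SysWOW64\\Mcx2Svc.dll **INFECTED** Win32:Sirefef-YL [Trj]
08:42:58.152 Service RemoteAccess C:\\Windows\\SysWOW64\\mpreim.dll **INFECTED** Win32:Sirefef-YL [Trj]
08:43:09.665 Modules scanning
"""

# Assumed default ServiceDll file names on Windows 7 for the two hijacked
# services (Mcx2Svc = Media Center Extender, RemoteAccess = Routing and Remote
# Access). Extend this table for other services you want to compare against.
EXPECTED_DLL: Dict[str, str] = {
    "Mcx2Svc": "mcx2svc.dll",
    "RemoteAccess": "mprdim.dll",
}

# One "Service" line: timestamp, service name, DLL path, optional detection tag.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) Service (?P<service>\S+) (?P<path>\S+)"
    r"(?: \*\*INFECTED\*\* (?P<detection>.+))?$"
)


@dataclass
class Finding:
    timestamp: str
    service: str
    path: str
    detection: str
    reasons: List[str] = field(default_factory=list)


def parse_service_lines(log: str) -> Iterator[Tuple[str, str, str, Optional[str]]]:
    """Yield (timestamp, service, path, detection-or-None) for each 'Service' line.

    Header lines such as 'Service scanning' do not match and are ignored."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("service"), m.group("path"), m.group("detection")


def assess(log: str) -> List[Finding]:
    """Return one Finding per scanner-flagged service, with human-readable reasons."""
    findings: List[Finding] = []
    for ts, service, path, detection in parse_service_lines(log):
        if detection is None:
            continue  # only entries the scanner flagged are reported
        f = Finding(ts, service, path, detection)
        directory, filename = ntpath.split(path)
        # Native services on x64 load from System32; SysWOW64 is a divergence worth noting.
        if ntpath.basename(directory).lower() != "system32":
            f.reasons.append(f"loaded from {directory} instead of System32")
        expected = EXPECTED_DLL.get(service)
        if expected and filename.lower() != expected:
            f.reasons.append(f"file name {filename} differs from expected {expected}")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_LOG):
        print(f"{f.timestamp} {f.service}: {f.detection}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it as-is to see the two flagged services; point `assess` at a saved aswMBR log to produce the same breakdown for a real scan. The name-mismatch check is what distinguishes a replaced file (mpreim.dll standing in for mprdim.dll) from a legitimate DLL that was merely infected in place, which matters for deciding whether to restore from a known-good copy rather than just delete.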
  #7  
07-08-2012, 01:47 PM
ComputerRepairTech

Not familiar with that variant; perhaps if you still had a copy of the file you could post it somewhere to take a look at it?

If the symptoms are gone I would try to check back with the client in a week or 2 (I'm going with the assumption of a new variant just to be on the safe side). I believe the Sirefef alias is ZeroAccess, isn't it? I would just set up some way to remote in and check it in a week.
All times are GMT.