Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Arestocrat malware takes over! Held hostage [Solved]


  • This topic is locked This topic is locked

#16
Dadellaad

Dadellaad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Interesting, I've had this window pop up a few times since running Malware Bytes:
Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 95.211.194.79
Type: Outgoing
Port: 53158, Process: svchost.exe
  • 0

Advertisements


#17
Dadellaad

Dadellaad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Interesting, I've had this window pop up a few times since running Malware Bytes:
Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 95.211.194.79
Type: Outgoing
Port: 53158, Process: svchost.exe
  • 0

#18
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Is the computer behaving itself now, any apparent problems ?
  • 0

#19
Dadellaad

Dadellaad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
No it is actually acting strange since running Malwarebytes... Not sure if the program is just working to ward off repeated attacks or what, but my laptop is extremely slow. and that message has popped up no less than 20 times since. I googled the IP address listed in the message and it appears to have something to do with that malware that held my computer hostage.
  • 0

#20
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK that is the MBAM IP alert, generally I find that to be hyper sensitive and have disabled that on my system

MBAM also loads low level drivers, so to be honest you can uninstall and just download it when you need to do a check

So uninstall it and see if the speed reverts to normal
  • 0

#21
Dadellaad

Dadellaad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
ok that's prob what I'll do. However, I am mildly concerned that if I uninstall MBAM whatever this website is that is trying to gain access may now be successful in doing so. What are your thoughts on this?
  • 0

#22
Dadellaad

Dadellaad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I ran a full scan on Malware bytes and this is what came up...

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.04.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
scottdangora2 :: SCOTTDANGORA821 [administrator]

Protection: Enabled

6/4/2013 9:02:15 PM
mbam-log-2013-06-04 (21-02-15).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 300882
Time elapsed: 34 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\_OTL\MovedFiles\06042013_145106\C_Users\scottdangora2\acrobat.exe (Trojan.Inject.RRE) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\06042013_145106\C_Users\scottdangora2\acrobatreader.exe (Trojan.Inject.RRE) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\06042013_145106\C_Users\scottdangora2\icq.exe (Trojan.Inject.RRE) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\06042013_145106\C_Users\scottdangora2\jucheck.exe (Trojan.Inject.RRE) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\06042013_145106\C_Users\scottdangora2\mstsc.exe (Trojan.Inject.RRE) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\06042013_145106\C_Users\scottdangora2\rundll32.exe (Trojan.Inject.RRE) -> Quarantined and deleted successfully.

(end)
  • 0

#23
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

However, I am mildly concerned that if I uninstall MBAM whatever this website is that is trying to gain access may now be successful in doing so. What are your thoughts on this?

I had MBAM pro installed for about 6 months and the number of alerts it produced was phenomenal but the last straw was when it stopped my AV updating because it blocked the IP address. As I have Avast with its excellent web shield, from which there was nary as murmur, I ended up uninstalling and only using it when I felt the need. If you need any further info about that please do not hesitate to ask. The latest file detections with MBAM are the files that we quarantined earlier with OTL :)

Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button
Posted Image


: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Posted Image Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave:
  • 0

#24
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP