Goodnight
First, sorry for my English.
I just installed my W7 and detected network activity.
I ran netstat and saw that I have an open port, namely port 49688 and IP address 77.67.4.24.
I can't find any information about this. Is it a virus?
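The first thing a helper would do with a finding like this is tie the socket to the process that owns it, which is what `netstat -ano` plus `tasklist` gives you. The following is an added example that is not from this thread: it parses a constructed `netstat -ano` sample (only the remote IP 77.67.4.24 and local port 49688 come from the post; the remote port 443, the other rows, PIDs and image names are assumed) and reports which process holds the connection.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of Windows `netstat -ano` output. Only 77.67.4.24
# and local port 49688 mirror the thread; everything else is assumed.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       744
  TCP    192.168.1.10:49688     77.67.4.24:443         ESTABLISHED     2812
  TCP    192.168.1.10:49701     192.168.1.1:445        TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1088
"""

# Constructed PID -> image name map, as `tasklist` would print it.
TASKLIST_SAMPLE: Dict[int, str] = {
    0: "System Idle Process", 744: "svchost.exe",
    1088: "svchost.exe", 2812: "firefox.exe",
}

class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str      # empty for UDP rows, which carry no state column
    pid: int
    image: str

# One netstat row: proto, local ip:port, remote ip:port, optional state, PID.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+"
                  r"(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text: str, tasklist: Dict[int, str]) -> List[Conn]:
    """Parse `netstat -ano` rows and attach the owning image name per PID."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn(proto, lip, 0 if lport == "*" else int(lport),
                          rip, 0 if rport == "*" else int(rport),
                          state or "", int(pid),
                          tasklist.get(int(pid), "<unknown pid>")))
    return conns

def established_to(conns: List[Conn], remote_ip: str) -> List[Conn]:
    """Connections currently established to one remote IP, with their owner."""
    return [c for c in conns if c.remote_ip == remote_ip and c.state == "ESTABLISHED"]
```

In the sample, 49688 turns out to be the local ephemeral port and the remote side is 77.67.4.24:443, owned by the browser; an unknown or oddly located image on such a row is what would justify the deeper scans the helpers ask for below.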
Hi,
For a fresh Windows install, network activity is legit.
Nevertheless, we can check that if you will.
http://forum.avast.com/index.php?topic=53253.0
First install Malwarebytes, as it shall additionally scan all your system for malware. Then, to check if there is some leftover and for a full system diagnostic, I shall need logs from OTL and aswMBR.
Thanks for your quick answer,
This is the OTL log.
This is the aswMBR log.
Hi,
Has Malwarebytes found something? Why did you not attach the MBAM log as well?
Your USB memory devices might be infected.
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/04/29 10:02:01 | 000,000,055 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{38e894c0-76c5-11e3-9a4a-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{38e894c0-76c5-11e3-9a4a-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Run.exe
Do not plug in or attach USB memory devices while the malware check/cleaning is in progress. We shall check the USBs later.
PS: Panda USB Vaccine can only protect you against USB-based malware that uses autorun.inf to infect your PC. The harsh truth is that very little malware today relies on autorun.inf to ensure the transition to the host machine. Today, autorun.inf is not the only way that malware can exploit, and therefore Panda USB Vaccine software is not suitable for USB protection.
But we’ll get to that later…
I'm pleased with how OTL looks. For starters I want to see what ComboFix will say to all this.
- Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this or this instruction.
Instructions on how to disable avast:
- Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.
- Run ComboFix. Click on I Agree!
- ComboFix will display a DISCLAIMER of warranty on software.
By clicking I Agree, ComboFix shall continue.
- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, a total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.
- When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.
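The O32/O33 lines the helper quoted above are the part of an OTL log that shows whether a removable or optical drive has left an AutoRun handler behind. As an added example (not code from the thread or from OTL), the following parses those four lines, restoring the backslash before the MountPoints2 GUID that the forum rendering dropped, and pairs each MountPoints2 AutoRun command with the autorun.inf found on the same drive, so a reviewer can see at a glance which media to inspect.

```python
import re
from typing import Dict, List, Tuple

# The four OTL lines from the post above (straight quotes, backslash restored).
OTL_LINES = [
    r'O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]',
    r'O32 - AutoRun File - [2009/04/29 10:02:01 | 000,000,055 | R--- | M] () - D:\autorun.inf -- [ CDFS ]',
    r'O33 - MountPoints2\{38e894c0-76c5-11e3-9a4a-806e6f6e6963}\Shell - "" = AutoRun',
    r'O33 - MountPoints2\{38e894c0-76c5-11e3-9a4a-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Run.exe',
]

# O32: "[timestamp | size | attrs | M] () - <path> -- [ <filesystem> ]"
_O32 = re.compile(r'^O32 - AutoRun File - \[[^\]]*\] \(\) - (\S+) -- \[ (\w+) \]$')
# O33: "MountPoints2\{GUID}\<subkey> - "" = <default value>"
_O33 = re.compile(r'^O33 - MountPoints2\\\{([0-9a-f-]+)\}\\(.+?) - "" = (.*)$')

def parse_otl_autorun(lines: List[str]) -> Tuple[List[Tuple[str, str]], Dict[str, Dict[str, str]]]:
    """Split OTL lines into (autorun file path, filesystem) pairs and a
    per-GUID map of MountPoints2 subkey -> default value."""
    files: List[Tuple[str, str]] = []
    mounts: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = _O32.match(line)
        if m:
            files.append((m.group(1), m.group(2)))
            continue
        m = _O33.match(line)
        if m:
            guid, subkey, value = m.groups()
            mounts.setdefault(guid, {})[subkey] = value
    return files, mounts

def autorun_findings(files, mounts) -> List[Dict[str, str]]:
    """For every MountPoints2 entry with an AutoRun command, report the command,
    the drive it points at, and the filesystem of that drive's autorun.inf."""
    inf_by_drive = {p[:2].upper(): fs for p, fs in files if p.lower().endswith("autorun.inf")}
    findings = []
    for guid, keys in mounts.items():
        cmd = keys.get(r"Shell\AutoRun\command")
        if not cmd:
            continue
        drive = cmd[:2].upper()
        findings.append({"guid": guid, "command": cmd, "drive": drive,
                         "default_verb": keys.get("Shell", ""),
                         "autorun_inf_fs": inf_by_drive.get(drive, "")})
    return findings
```

For the quoted log this yields one finding: drive D: (CDFS) carried an autorun.inf and its MountPoints2 entry makes AutoRun the default verb running D:\Run.exe, which is why the helper asks to keep USB media unplugged until it can be checked.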
Sorry for the delay,
I was traveling.
I promise that next time I will advise you.
The MBAM scan doesn't show anything.
I show you the log and also the ComboFix log.
Ohh.
Sorry, the ComboFix log.
Hi,
The ComboFix log looks good. Do you still have this network activity? As CF says to me, "all is OK". If you wish I can perform a deeper check, but I think it is not necessary.
There was an analysis where the IP played a role: https://malwr.com/analysis/YzhkYzQ5Y2JlZDY0NDY4N2E1OGIwMmRjZTg5YTY2MDM/
This IP has Akamai's HTTP Acceleration/Mirror service with an SSL connection:
Invalid URL
The requested URL “/”, is invalid.
Reference #9.1404434d.1389879449.4db8b9d
because: |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Invalid URL
JSON {"ip": "77.67.4.24", "prefix": "77.67.0.0/17", "country_code": "FR", "asn": "AS3257", "city": "", "country": "France", "region": "", "hostname": "77.67.4.24", "longitude": 2.35, "latitude": 48.86, "organization": "TINET-BACKBONE Tinet SpA"}
This is the info on the AS for that IP: AS Name: TINET-BACKBONE Tinet SpA
IPs allocated: 568608
Blacklisted URLs: 2
Hosts malicious URLs? Yes
Hosts Current Events? Yes
Hosts spam activity? Yes
pol
Thanks for your help
Now, what do I have to do? Was my system infected with a USB virus?
Hi jlgm2k,
polonus is our Website Analyst. He has done an analysis of the IP address.
Let's run deeper system diagnostic checks. This shall tell us everything we need to know about whether or not any kind of malware is active on your system.
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
=====================================
Next …
Please download GMER, the RootKit Detector tool, from the link below and save it to your Desktop:
Gmer download link
Note: the file will be randomly named.
Double-click to run GMER.
- Wait for the initial scan to finish; if there is any query, click No;
- Click the [ Scan ] button and wait until the full scan is complete;
- Click [ Save … ] and save the report to the Desktop (named ARK);
- Then click the >>> button and select the Autostart tab;
- Click the [ Scan ] button;
- After the quick scan, click the Copy button;
- Open Notepad and paste the text. Save the report to the Desktop (named autostart).
Attach here both GMER log reports (ARK.txt and autostart.txt).
Hello again,
here are the reports
and…
more…
at last…
I hope I did everything right.
@ jlgm2k
The logs don't show that anything malicious is present or active & loaded on your system. Your system is clean.
Try to delete this file here: C:\Program Files\mozilla firefox\browser\searchplugins\drae.xml
There is almost no possibility that it is causing the problem. Btw, that file is Firefox plugin related, though.
As I do not see malware, I cannot help you further. Know this: OTL and especially ComboFix in the hands of a trained helper are very, very powerful tools.
Also, both FRST and GMER, with the might of diagnostic scope and power that FRST has at its disposal in malware detection and removal … well, let's say that they have no competition in their greatness. If malware were active on the system, these tools would tell us so.
I would like to remove the used tools if you agree.
Well, I don't understand what you are telling me.
I understand that all is well, that the system is clean.
The network activity is a Mozilla plugin.
On this computer I won't install anything else,
I can use the logs as a baseline for malware detected in the future.
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
All right