Malicious Website Blocked - IP: 146.185.220.85

[tossit]

A pop-up window appears every few seconds indicating:

 

Malwarebytes Anti-Malware

Malicious Website Blocked
Domain:

Port: (Port Number constantly changing)

Type: Outbound

Process: C:\Windows\System32\svchost.exe

 

Windows 8.1 - 64 bit

Malwarebytes Premium - Scanned & Nothing Delected

McAfee Antivirus - Scanned & Nothing detected

 

What does this warning mean and how does one get rid of this warning?

[LiquidTension]

Hello tossit, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
General P2P/Piracy Notice:
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

• Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
• Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
• Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
• Please backup important documents before proceeding with my instructions.
• If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
• Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
   

======================================================
 
Please run the following diagnostic scans so I can ascertain the state of your computer.
 
STEP 1
Farbar Recovery Scan Tool (FRST) Scan

• Please download Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
   

STEP 2
TDSSKiller Scan

• Please download TDSSKiller and save the file to your Desktop.
• Right-Click TDSSKiller.exe and select  Run as administrator to run the programme.
• Click Change parameters. Place a checkmark next to Detect TDLFS file system and Verify file digital signatures.
• ​Click Start Scan. Do not use the computer during the scan.
• If objects are found, change the action to skip.
• Click Continue and close the window.
• A log will be created and saved to the root directory (usually C:\). Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• FRST.txt
• Addition.txt
• TDSSKiller log

[tossit]

Hello Adam,

 

No P2P file sharing software. 

 

I have created the three logs  and opened them in Notepad.  I have selected all of the text in the first log and tried to copy paste it into this reply.

 

For some reason the plain text does not want to paste into the reply.  The plain text pastes into a Word doc, but not into this reply.  Any thoughts on how I can paste it into this reply?

 

Eric

[LiquidTension]

Hi Eric, 

 

Please go ahead and attach the files in your next post. 

[tossit]

Hello Adam,

 

See attached.

 

I would like the attached files to be deleted from the forum post.

 

Thanks!

 

Eric

[tossit]

Hello Adam,

 

One additional piece of information.

 

When I ran the Farbar Recovery Scan Tool the first time an Application Error dialogue box popped up.  After clicking OK in the dialogue box the Farbar Recovery Scan Tool ran and produced the log attached previously.

 

Attached is a copy of the dialogue box that popped up.

[LiquidTension]

Hi Eric,
 

I would like the attached files to be deleted from the forum post.

I will look into this. 
 

One additional piece of information.

Thank you for letting me know. 

 

Please do the following. 
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

• Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  startHKLM-x32\...\Run: [] => [X]HKU\S-1-5-21-1366830422-3884616127-2254103674-1001\...\Policies\Explorer: [] SearchScopes: HKCU - DefaultScope {97D7A016-4554-4135-8851-89FC950EF1B1} URL = https://ca.search.yahoo.com/search?fr=mcafee&type=A011CA977&p={SearchTerms}SearchScopes: HKCU - {97D7A016-4554-4135-8851-89FC950EF1B1} URL = https://ca.search.yahoo.com/search?fr=mcafee&type=A011CA977&p={SearchTerms}CHR DefaultSearchURL: Default -> http://ca.search.yahoo.com/search?fr=mcafee&type=A211CA977&p={searchTerms}C:\Users\Eric\en_res.dllC:\Users\Eric\es_res.dllC:\Users\Eric\fr_res.dllC:\Users\Eric\grm_res.dllC:\Users\Eric\it_res.dllC:\Users\Eric\jp_res.dllC:\Users\Eric\mfc80u.dllC:\Users\Eric\msvcr80.dllC:\Users\Eric\PCPE Setup.exeC:\Users\Eric\pt_res.dllC:\Users\Eric\ResourceReader.dllC:\Users\Eric\ru_res.dllC:\Users\Eric\zh_res.dll2014-09-18 20:28 - 2014-09-18 20:28 - 00000000 _____ () C:\WINDOWS\system32\Drivers\SETFC81.tmp2014-09-18 20:28 - 2014-09-18 20:28 - 00000000 _____ () C:\WINDOWS\system32\Drivers\SETF685.tmp2014-09-18 20:28 - 2014-09-18 20:28 - 00000000 _____ () C:\WINDOWS\system32\Drivers\SETF674.tmp2014-09-18 20:28 - 2014-09-18 20:28 - 00000000 _____ () C:\WINDOWS\system32\Drivers\SETF5B8.tmp2014-09-18 20:28 - 2014-09-18 20:28 - 00000000 _____ () C:\WINDOWS\system32\Drivers\SETF5A7.tmp2014-09-18 20:28 - 2014-09-18 20:28 - 00000000 _____ () C:\WINDOWS\system32\Drivers\SETF566.tmp2014-09-18 20:28 - 2014-09-18 20:28 - 00000000 _____ () C:\WINDOWS\system32\Drivers\SETECCA.tmp2014-09-18 20:28 - 2014-09-18 20:28 - 00000000 _____ () C:\WINDOWS\system32\Drivers\SETEC1D.tmp2014-09-18 20:28 - 2014-09-18 20:28 - 00000000 _____ () C:\WINDOWS\system32\Drivers\SETEBED.tmpAlternateDataStreams: C:\Windows:3C2C6F2BFF7CF195CMD: ipconfig /flushdnsCMD: netsh winsock reset allCMD: bitsadmin /reset /allusersEmptyTemp:end

• Click File, Save As and type fixlist.txt as the File Name.
• Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
   

STEP 2
AdwCleaner

• Please download AdwCleaner and save the file to your Desktop.
• Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
• Follow the prompts.
• Click Scan.
• Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
• Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
• Follow the prompts and allow your computer to reboot.
• After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 
 
STEP 3
Junkware Removal Tool (JRT)

• Please download Junkware Removal Tool and save the file to your Desktop.
• Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Right-Click JRT.exe and select Run as administrator to run the programme.
• Follow the prompts and allow the scan to run uninterrupted.
• Upon completion, a log (JRT.txt) will open on your desktop.
• Re-enable your anti-virus software.
• Copy the contents of JRT.txt and paste in your next reply.
   

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Fixlog.txt
• AdwCleaner[s0].txt
• JRT.txt

[tossit]

Hi Adam,

 

I have run all of the tools and the pop-up window is still there.  See attached log files.

[LiquidTension]

Hi Erik,

 

Can you post a copy of one of your protection logs please?

• Open Malwarebytes Anti-Malware.
• Click the History tab.
• Click Application Logs. Open a Protection Log that contains IP blocks. 
• Click Copy to Clipboard and paste the log in your next reply. 

[tossit]

Hi Adam,

 

See attached.

[LiquidTension]

Hi Erik, 
 
Thank you for the log. 
We need to take a deeper look as nothing is showing so far. 
 
STEP 1
 Malwarebytes Anti-Rootkit (MBAR)

• Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
• Double-click MBAR.exe to run the installer.
• Select a convenient location to extract the contents and click OK. Navigate to the location you selected.
• Right-Click MBAR.exe and select  Run as administrator to run the programme.
• Follow the prompts to update the programme and scan your computer. 
• Upon completion, click Cleanup and reboot your computer. 
• After the reboot, rerun the programme to verify no threats remain. If threats are still detected, click the Cleanup button once more. 
• Upon completion, two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder. 
   

STEP 2
aswMBR

• Please download aswMBR and save the file to your Desktop.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Right-Click aswMBR.exe and select Run as administrator to run the programme.
• Click Yes when prompted to download avast! virus definitions. Wait until AVAST engine defs: ### appears.
• If you are prompted to enable the use of "Virtualization Technology", click Yes.
• Click the AV Scan: drop down box and click C:\.
• Click Scan.
• Upon completion, you will see Scan finished successfully. Click Save log. Save the log to your Desktop.
• Re-enable your anti-virus software.
• Copy the contents of the log and paste in your next reply.

Note: Do NOT click Fix or FixMBR.
Note: A file (MBR.dat) will be created on your Desktop. Do NOT click or delete it.
 
 
======================================================
 
STEP 3
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• mbar-log.txt
• system-log.txt
• aswMBR log

[tossit]

Hi Adam,

 

See attached log files.

[LiquidTension]

Nothing showing there bar an unknown MBR code, which is more than likely down to it being OEM (Original Equipment Manufacturer).

Lets double-check in any case. 

 

 VirusTotal Upload

• Please go to VirusTotal.com.
• Click Choose File and locate the following file:
  • C:\Users\Eric\Desktop\MBR.dat
• ​Click Scan it!.
• If you receive the following notification: File already analysed click Reanalyse.
• Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply. 

[tossit]

Adam,

 

That was interesting.  It started to scan and after a few minutes it said scan failed.  I tried to re-scan, but it to failed.  Each time it got to 0/53.  Thoughts?

[LiquidTension]

Lets try this a different way. 

Please upload the file to my channel. 

[tossit]

Hi Adam,

 

File sent.

 

Eric

[LiquidTension]

Hi Eric, 

 

Thank you. The file is clean. 

 

Please answer the following questions: 

• What are you doing when your receive these blocks? Is it completely random?
• Do the blocks occur when you have no programmes open?
• When did these start, and what changes (if any) did you make to your computer prior to the issue? Eg. New software installed.  

[tossit]

Adam,

 

Last used computer last Friday.  Nothing unusual on Friday.  Turned computer on tonight (actually last night now) and I immediately got the pop-up Malicious Website Blocked - no programs open.

 

The only update before this happened was an Adobe Acrobat Reader update sometime last week.  I used the computer after that without incident.

 

There are a couple more updates to be installed, but I am holding off until we resolve this issue.

 

Eric

[LiquidTension]

OK, thanks Eric. Please give me sometime to think through our options, and I will return with instructions for you later.

In the meantime, please rerun FRST, ensuring you place a checkmark next to Addition.txt.

[tossit]

Adam,

 

Thanks for all the time spent this evening and early morning!  Take some time to think through the options. 

 

I need a little rest before going to work again in a couple of hours.  I will attack this challenge again later today.

[tossit]

Adam,

 

New files attached.

[LiquidTension]

Hi Eric, 
 
I'd like you to run the following programme please. 
 
RogueKiller

• Please download RogueKiller (x64) and save the file to your Desktop.
• Close any running programmes.
• Right-Click RogueKiller.exe and select Run as administrator to run the programme.
• Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
• A browser window may open. Close the browser window.
• Click . Upon completion, click .
• Close the programme. Do not fix anything!
• A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.

Note: If RogueKiller is unable to run, please retry. If you find after several attempts the programme will still not run, please rename RogueKiller.exe to winlogon.exe and try again.

[tossit]

Hi Adam,

 

RogueKiller will not run even after renaming file.  Each time I attempted to run RogueKiller my PC shutdown.

 

Interesting development since earlier today.  I unplugged my wireless router and connected directly to my ADSL modem.

 

When I did this the Malicious Website Blocked - IP: 146.185.220.85 pop-up disappeared.  I could surf the internet without any pop-ups.

 

I then reset my wireless router, reconfigured it and reinstalled it.

 

After reinstallation when I go to a number of different website after a brief pause on the website I get the Malwarebytes website message "Malwarebytes Anti-Malware - Potentially malicious website blocked protecting you from hackers and cyber criminals.  The website I am trying to access are ones that I have used many, many times.

 

I also get a pop-up:

 

Malwarebytes Anti-Malware

Malicious Website Blocked

Domain: security-law-hijzoecj.asia

IP: 212.129.47.213

Port: 50273

Type: Outbound

Process C:\Program Files (x86)\Internet Explorer\iexplore.exe

 

Currently I have disconnected my wireless router and am connected direct to my ADSL modem.  I am getting the Malwarebytes message and pop-up with the direct connection to the ADSL router.

 

Thoughts? Help?

[tossit]

Adam,

 

Further to my previous post I have now attached a Malwarebytes Protection Log showing the new entries.  Note the Domain name changed and the Port changes

[LiquidTension]

Hi Eric, 

• How did you reset, reconfigure and reinstall your router?
• Are you experiencing issues with other devices connected to the same Network?

 

I'd like to first get a look from outside Windows before we look into your router further. 

 

STEP 1
FRST & ListParts Recovery Environment Scan
 
Note: You require access to a clean PC and USB drive. 
Note: Please print off these instructions, or ensure you have access to them using a different device.

• Insert the USB drive into the infected PC.
• Please download Farbar Recovery Scan Tool 64-Bit AND ListParts (x64) to your USB drive.
• Enter the Recovery Environment by choosing one of the options below. 
   

Option #1: Enter Recovery Environment (Windows 8)

• Consult the following instructions on how to enter the Recovery Environment Command Prompt in Windows 8.
   

Option #2: Enter Recovery Environment (Windows Installation Disc)

• Insert your Windows installation disc.
• Restart your computer.
• Configure your infected PC to boot from CD/DVD. Instructions on how to do this can be found here.
• If prompted, press any key to start Windows from the installation disc.
• Click Repair your computer.
• Select English as the keyboard language settings, and then click Next.
• Select the Operating System you want to repair, and then click Next.
• Select your user account, and then click Next.
   

Advanced Boot Options Menu

• Select Command Prompt.
• In the command window type notepad and press Enter on your keyboard.
• Notepad will open. Click File and select Open.
• Select Computer, write down your USB drive letter on a piece of paper and close notepad.
• In the command window type: x:\frst64.exe
  • Note: Replace letter x with the drive letter of your USB drive you wrote down earlier.
• Press Enter on your keyboard. The tool will start to run.
• When the tool opens click Yes to the disclaimer.
• Click the Scan button.
• It will create a log (FRST.txt) on the USB drive.
   
• Go back to the command window and type x:\listparts64.exe
  • Note: Replace letter x with the drive letter of your USB drive you wrote down earlier.
• Press Enter on your keyboard. The tool will start to run.
• Click List BCD.
• Click the Scan button.
• It will create a log (Result.txt) on the USB drive. 
• Boot normally into Windows. Please copy the contents of both logs (FRST.txt and Result.txt) and paste in your next reply.
   

======================================================
 
STEP 2
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• FRST.txt
• Result.txt