Jump to content

Getting "malicious website blocked" - scan is clean


Recommended Posts

I'm working on a friend's computer, it's running very slow and AnyMalwareBytes is popping up the malicious website blocked every few seconds.  I did a scan and it came up clean. The IP address being blocked is somewhere in Russia, so something bad is running. 

Can I post a HiJack report (or something) so someone can take a look?

Link to post
Share on other sites

Hello and post-32477-1261866970.gif

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User Licene Agreement)
Click Scan to scan the system.
When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
Post back the report which should also be located here:

 

C:\Programdata\RogueKiller\Logs <-------- W7/8

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

 

Let me see those logs in your next reply...

 

Kevin....

Link to post
Share on other sites

Here they are.  Thanks for your help.

 

RogueKiller V10.0.1.0 [Oct 10 2014] by Adlice Software





 

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : user [Administrator]

Mode : Scan -- Date : 10/10/2014  15:50:15

 

¤¤¤ Processes : 0 ¤¤¤

 

¤¤¤ Registry : 15 ¤¤¤

[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys) -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys) -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme (\??\C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys) -> Found

[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found

[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found

[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found

[PUM.SearchPage] HKEY_USERS\S-1-5-21-1060284298-573735546-682003330-1003\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found

[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 167.206.13.180 167.206.13.181 192.168.1.1  -> Found

[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | NameServer : 208.69.150.250,208.69.150.252  -> Found

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | NameServer : 208.69.150.250,208.69.150.252  -> Found

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | DhcpNameServer : 167.206.13.180 167.206.13.181 192.168.1.1  -> Found

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | NameServer : 208.69.150.250,208.69.150.252  -> Found

[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{F01455DF-5072-4865-BB40-16ACF4D04A60} | NameServer : 208.69.150.250,208.69.150.252  -> Found

[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

 

¤¤¤ Tasks : 0 ¤¤¤

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ Hosts File : 1 ¤¤¤

[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

 

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤

[Filter()] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\system32\DRIVERS\redbook.sys)

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD642JJ +++++

--- User ---

[MBR] 28dc343cb884e1d0d8f76517948fd370

[bSP] d70be290b98a79d156a2df3543938e3d : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 610469 MB

User = LL1 ... OK

User = LL2 ... OK

 

 

============================================

RKreport_SCN_10102014_125838.log

Addition.txt

FRST.txt

Link to post
Share on other sites

Can you tell me if the following accounts are expected and trustworthy/

 

AAx-DPR-SrvAcct (S-1-5-21-1060284298-573735546-682003330-1011 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\AAx-DPR-SrvAcct.SERVER
LogMeInRemoteUser (S-1-5-21-1060284298-573735546-682003330-1004 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\LogMeInRemoteUser
M1-SKDCAccount (S-1-5-21-1060284298-573735546-682003330-1010 - Administrator - Enabled)

 

Next,

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

Next,

 

1.Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

Image1.png

 

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

mbarwm.png

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.

 

Image2.png

 

7. The following image opens, select Update

 

Image3.png

 

8. When the update completes select Next.

 

Image4.png

 

9. In the following window ensure "Targets" are ticked. Then select "Scan"

 

Image5.png

 

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

MBAntiRKcleanA.png

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

Image6.png

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 

 

  •  

         

  • Internet access

     

         

  • Windows Update

     

         

  • Windows Firewall

     

     

 

 

14.  If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log   Date and time of scan will also be shown

 

Thanks,

 

Kevin...

Fixlist.txt

Link to post
Share on other sites

OK.  I think the user accounts are valid. I know he uses logmein to remote into the PC, and I thing the other SrvAcct.SERVER account is used for a database program.

I ran FRST Fix. Log is attached.

Ran updated antimalware, nothing detected. (see below)

Ran mbar, nothing detected. Log is attached.

Two things: After the FRST fix, windows update started working and the security updates for IE8 from April were due to be installed. I didn't install them.

Also, when the malicious web site warnings are popping up I ran task manager and there were 8 explorer.exe processes running.

When I started up the machine I was getting to pop-ups constantly. Now they stopped, even though no malware was found.  I'm going to reboot and see what happens.  Below is the antimalwarebytes log.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 10/10/2014
Scan Time: 5:49:53 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.10.10.10
Rootkit Database: v2014.10.08.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: user
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 447493
Time Elapsed: 36 min, 29 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


 

Fixlog.txt

mbar-log-2014-10-10 (20-52-04).txt

Link to post
Share on other sites

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the combofix.gif icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review



****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

*EXTRA NOTES*


  •    
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
       
  • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
       
  • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)



Post the log in next reply please...

 

Next,

 

Scan with Gmer rootkit scanner

 

Please download Gmer from Here by clicking on the "Download EXE" Button.

 

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
     
            Sections
            IAT/EAT
            Show All ( should be unchecked by default )
     
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

 

Please post the content of the ark.txt here.

 

 

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

 

**If GMER crashes** Follow the instructions here and disable your security temporarily…

 

Let me see those logs please:

Kevin
 

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.