Jump to content

Malware attempting to open URL's


Recommended Posts

Hi, sorry I put this post together in a bit of a hurry so I'm not entirely familiar with how things work around here. Starting sometime in the afternoon today (I was at work but I was told that was when it started) I started receiving constant ESET notifications that an address had been blocked. These messages appear rapidly and are always from either IP address or I ran ESET and it detected and removed a threat but the problem persisted. I then installed and ran Malwarebytes which located a file that it identified as being from the vendor Trojan.Ransom.ED (which is rather distressing). I quarantined the file but I have not deleted it yet. I then restarted the computer but the ESET notifications continue to come up. When I ran ESET and Malwarebytes a second time they did not detect anything so whatever is attempting to open these URL's is hidden somewhere.


I have not downloaded any files to this computer recently (other than Malwarebytes and Farbar), have not visited any dangerous websites, and have not opened any suspicious e-mails so I am not sure exactly when and how the infection occurred.


I ran a Farbar scan but I am not sure if the results are complete. I have also downloaded Combo Fix but I am hesitant to disable ESET as it is preventing the pop-ups from opening. I have attached the Farbar results to this post (of course you can see that but I just thought I should say it anyway).


Please let me know if you require any additional information and thank you in advance for any help you are willing to offer.



Link to post
Share on other sites

Hello Xerd, welcome to Malwarebytes' Malware Removal forum!

My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.

If you would allow me to call you by your first name I would prefer that. xsmile.png.pagespeed.ic.CwSpBGGvqN.png

General P2P/Piracy Notice:

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.


Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
  • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
  • Please backup important documents before proceeding with my instructions.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click xetYzdbu.png.pagespeed.ic.U7AjmRUewW.png at the top of the page.

Unfortunately, your computer is infected with a rootkit that opens a backdoor on the compromised machind. As such, I must issue the following warning. Please let me know how you wish to proceed.



One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

Please disconnect your computer from the internet immediately. If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, paypal, online forums, etc). Consider these accounts already compromised.

If you have used a router, you will need to reset it with a strong logon/password to ensure the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat the hard drive and reinstall the Operating System. Please read the following articles for more information.

Please let me know how you wish to proceed, and if you have any questions.
Link to post
Share on other sites

Hello Adam, you can call me Sean. I'm going to reformat this computer and reinstall the operating system. I'll back up any relevant files first but I do not have a lot on this computer so fortunately that should not take long. I recently switched to a wireless router so I will change the password but even once this computer has been reformatted and the operating system reinstalled is there a risk of infection spreading to another connected device or the router itself? I will go ahead with this and then get back to you once I have finished. Please let me know how you would like for me to proceed from there.

Link to post
Share on other sites

Hi Sean, 


Once you've changed your router's password you should be OK. 

Changing the router's password is to cover all bases so to speak. Router malware is uncommon, and there's nothing if in your logs that would suggest this is the case. 


If you're experiencing no issues with other devices connected to the same network, there shouldn't be any need to worry. 


Do you require assistance with backing up your data, reformatting/restoring your machine or transfering backed up data back?

Link to post
Share on other sites

Adam, sorry it took me a while to get backto you. I immediately discnnected the problem device from the internet so I'm currently posting from another device. I apologize for the delay, I don't know what time zone you are in but my last post was made rather late and I just woke up. I hope I didn't waste your time.


I am reinstalling Windows from the boot disc now and everything seems to be proceeding normally but I will let you know if I have any questions.


I will post an update later today once I have things in working order. Thanks again for your help.

Link to post
Share on other sites

Okay, well I finished reformatting and my computer and updating everything. It all seems to be in working order now, fortunately I didn't have much on this computer so it wasn't too much of a hassle. If you think it is worthwhile I could still generate a log and post it here but the reformatting should have restored everything to factory defaults. I know this is a hard question to answer but any idea where this particular intrusion may have come from? I know for a fact that this computer has never been used for file sharing so that eliminates a potential source but I have always considered myself careful online and this shook me up a bit. Thanks for the advice.

Link to post
Share on other sites

Hi Sean, 
Those logs are clean. Have you ensured all Windows Updates are installed? 
Some of the main infection vectors (methods of becoming infected) include the following:

  • Browsing the Internet without an active Anti-Virus and Firewall. 
  • Leaving vulnerable Internet-facing software unpatched/outdated (Windows, Adobe software, Java, etc). 
  • Participating in the usage of P2P filesharing.
  • Participating in the usage of cracked/warez software. 
  • Aimlessly clicking unknown links/email attachments. 
  • Rushing through the installation of new software without reading each page. 
  • Inserting USB drives or other removal media that you do not own. 
  • Social engineering. 
  • Visiting a compromised website. 

You were infected by Poweliks, an infection with rootkit-like capabilities that opens a backdoor on the compromised machine. Unfortunately, it isn't possible to determine the exact cause of infection - it could be one of many possibilities. 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • xKsUqI5A.png.pagespeed.ic.vn1Hlvqi8h.jpg AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • x7D2ig3K.png.pagespeed.ic.x4TC1AK8OX.jpg Emsisoft Antimalware (free) acts as an additional on-demand scanner, and can be used in conjunction with your Anti-Virus. 
  • EG85Vjt.png Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • x6YRrgUC.png.pagespeed.ic.HjgFxjvw2Z.jpg Malwarebytes Anti-Malware Premium (MBAM) incorporates real-time protection and is designed to run alongside your Anti-Virus. 
  • xjv4nhMJ.png.pagespeed.ic.A5YbWn1eDO.png NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology. 
  • 3O8r9Uq.png Sandboxie isolates programmes of your choice, preventing files from writing to your HDD unless you approve the file. 
  • DgW1XL2.png.pagespeed.ce.v1OlJl_ZAS.png Secuina PSI will scan your computer for vulnerable software that is outdatedand automatically find the latest update for you.
  • xj1OLIec.png.pagespeed.ic.k6hhwopU0q.jpg SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • xsHjS79L.png.pagespeed.ic.n4Sk8_GzZn.jpg Unchecky automatically removes checkmarks for additional software in programme installers, helping you avoid adware and PUPs. 
  • xJEP5iWI.png.pagespeed.ic.4tmM1lM7DQ.png Web of Trust (WOT) is a browser add-on designed to alert the user before interacting with a potentially malicious website. 

Please let me know if you have any further questions.

Link to post
Share on other sites

Yes, everything has been updated to the most recent version. I'm currently running ESET on this computer but I'll look into some of the programs you recommended as well. Thank you Adam for taking the time to look through those logs. I've seen in some of the other topics that people have made donations after their issues were resolved. I'm not sure what is customary in this situation, is there a place where I can make a donation to the site?

Link to post
Share on other sites

Hello Sean, 
Please run Delfix to remove FRST. 
AFZxnZc.jpg DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

I've seen in some of the other topics that people have made donations after their issues were resolved. 

Users have the option of making a donation to their helper if they wish. :)

The following is usually posted.

My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation. YSCcjW7.png

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.