
Malware attempting to open URLs


Xerd


Hi, sorry I put this post together in a bit of a hurry so I'm not entirely familiar with how things work around here. Starting sometime in the afternoon today (I was at work but I was told that was when it started) I started receiving constant ESET notifications that an address had been blocked. These messages appear rapidly and are always from either IP address 195.2.240.79 or 95.215.1.57. I ran ESET and it detected and removed a threat but the problem persisted. I then installed and ran Malwarebytes which located a file that it identified as being from the vendor Trojan.Ransom.ED (which is rather distressing). I quarantined the file but I have not deleted it yet. I then restarted the computer but the ESET notifications continue to come up. When I ran ESET and Malwarebytes a second time they did not detect anything, so whatever is attempting to open these URLs is hidden somewhere.

 

I have not downloaded any files to this computer recently (other than Malwarebytes and Farbar), have not visited any dangerous websites, and have not opened any suspicious e-mails so I am not sure exactly when and how the infection occurred.

 

I ran a Farbar scan but I am not sure if the results are complete. I have also downloaded Combo Fix but I am hesitant to disable ESET as it is preventing the pop-ups from opening. I have attached the Farbar results to this post (of course you can see that but I just thought I should say it anyway).

 

Please let me know if you require any additional information and thank you in advance for any help you are willing to offer.

FRST.txt

Addition.txt


Hello Xerd, welcome to Malwarebytes' Malware Removal forum!

My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.

If you would allow me to call you by your first name I would prefer that.

General P2P/Piracy Notice:

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

======================================================

Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
  • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
  • Please backup important documents before proceeding with my instructions.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic (use the follow button at the top of the page).
======================================================

Unfortunately, your computer is infected with a rootkit that opens a backdoor on the compromised machine. As such, I must issue the following warning. Please let me know how you wish to proceed.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

Please disconnect your computer from the internet immediately. If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, paypal, online forums, etc). Consider these accounts already compromised.

If you have used a router, you will need to reset it with a strong logon/password to ensure the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat the hard drive and reinstall the Operating System. Please read the following articles for more information.

Please let me know how you wish to proceed, and if you have any questions.

Hello Adam, you can call me Sean. I'm going to reformat this computer and reinstall the operating system. I'll back up any relevant files first but I do not have a lot on this computer so fortunately that should not take long. I recently switched to a wireless router so I will change the password but even once this computer has been reformatted and the operating system reinstalled is there a risk of infection spreading to another connected device or the router itself? I will go ahead with this and then get back to you once I have finished. Please let me know how you would like for me to proceed from there.


Hi Sean, 

 

Once you've changed your router's password you should be OK. 

Changing the router's password is to cover all bases, so to speak. Router malware is uncommon, and there's nothing in your logs that would suggest this is the case.

 

If you're experiencing no issues with other devices connected to the same network, there shouldn't be any need to worry. 

 

Do you require assistance with backing up your data, reformatting/restoring your machine or transferring backed up data back?


Adam, sorry it took me a while to get back to you. I immediately disconnected the problem device from the internet so I'm currently posting from another device. I apologize for the delay, I don't know what time zone you are in but my last post was made rather late and I just woke up. I hope I didn't waste your time.

 

I am reinstalling Windows from the boot disc now and everything seems to be proceeding normally but I will let you know if I have any questions.

 

I will post an update later today once I have things in working order. Thanks again for your help.


Okay, well I finished reformatting my computer and updating everything. It all seems to be in working order now; fortunately I didn't have much on this computer so it wasn't too much of a hassle. If you think it is worthwhile I could still generate a log and post it here, but the reformatting should have restored everything to factory defaults. I know this is a hard question to answer, but any idea where this particular intrusion may have come from? I know for a fact that this computer has never been used for file sharing so that eliminates a potential source, but I have always considered myself careful online and this shook me up a bit. Thanks for the advice.


Hi Sean, 
 
Those logs are clean. Have you ensured all Windows Updates are installed? 
 
Some of the main infection vectors (methods of becoming infected) include the following:

  • Browsing the Internet without an active Anti-Virus and Firewall. 
  • Leaving vulnerable Internet-facing software unpatched/outdated (Windows, Adobe software, Java, etc). 
  • Participating in the usage of P2P filesharing.
  • Participating in the usage of cracked/warez software. 
  • Aimlessly clicking unknown links/email attachments. 
  • Rushing through the installation of new software without reading each page. 
  • Inserting USB drives or other removable media that you do not own. 
  • Social engineering. 
  • Visiting a compromised website. 

You were infected by Poweliks, an infection with rootkit-like capabilities that opens a backdoor on the compromised machine. Unfortunately, it isn't possible to determine the exact cause of infection - it could be one of many possibilities. 
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • Emsisoft Antimalware (free) acts as an additional on-demand scanner, and can be used in conjunction with your Anti-Virus. 
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) incorporates real-time protection and is designed to run alongside your Anti-Virus. 
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology. 
  • Sandboxie isolates programmes of your choice, preventing files from writing to your HDD unless you approve the file. 
  • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Unchecky automatically removes checkmarks for additional software in programme installers, helping you avoid adware and PUPs. 
  • Web of Trust (WOT) is a browser add-on designed to alert the user before interacting with a potentially malicious website. 


Please let me know if you have any further questions.


Yes, everything has been updated to the most recent version. I'm currently running ESET on this computer but I'll look into some of the programs you recommended as well. Thank you Adam for taking the time to look through those logs. I've seen in some of the other topics that people have made donations after their issues were resolved. I'm not sure what is customary in this situation, is there a place where I can make a donation to the site?


Hello Sean, 
 
Please run Delfix to remove FRST. 
 
DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 


I've seen in some of the other topics that people have made donations after their issues were resolved. 

Users have the option of making a donation to their helper if they wish. :)

The following is usually posted.

 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.


Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.