Hello. I used a "search all Craigslist" website last night and as soon as I did notifiers from Malwarebytes kept popping up that "Malicious Website Blocked". Only one of the notifiers gives the Domain: fff5ee.com, IP: 31.184.192.90. The other notifiers have no domain listed, but IP: 88.214.193.211 or 95.215.1.57. The Port number is constantly increasing (started in the 50000 range and now is in the 60000 range). The Process is always the same: C:\Windows\SysWOW64\dllhost.exe.

 

Once this started, I shut down everything I was working on and ran CCleaner Free thinking it was just some temp file I picked up on that website where the page didn't fully close. I ran a custom scan with Malwarebytes Anti-Malware Premium including "Scan for Rootkits" of the entire C: drive. It took ~1.5 hours, but it didn't find anything. I also ran a Microsoft Security Essentials Quick scan and it didn't find anything. I also tried to access Microsoft Safety Scanner, but got a message that said my settings don't allow it to be downloaded. I've never had a problem downloading it in the past. I disconnected the computer from the internet and it didn't stop the notifier messages. The messages pop up about one every second.

 

Please find attached FRST.txt, Addition.txt as well as snips of the Malwarebytes notifier messages that keep popping up. 

 

Any assistance would be appreciated. Thank you for your time.       

FRST.txt

Addition.txt

Malwarebytes malicious website blocked messages 10-17-14.pdf

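The burst of notifier messages described in the post above is a pattern a responder would want to triage systematically rather than by eye. The following Python script is an added example, not from the thread and not a Malwarebytes tool: it parses constructed notifier-style lines modelled on the fields the poster quoted (Domain, IP, Port, Process), groups them by process, and flags the combination the post describes, a Windows system binary (dllhost.exe) making a steady stream of blocked outbound connections on rising ephemeral ports to several IPs. The line format, the sample lines (including the contrasting browser line, which uses documentation addresses), the thresholds and the function names are all assumptions.

```python
"""Triage a burst of 'Malicious Website Blocked' notifier messages.

Constructed example (not from the forum thread). The line format below is an
assumption modelled on the fields the poster listed: Domain, IP, Port, Process.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. The first five mirror the thread's symptoms; the last
# is a contrasting browser block using documentation-only values (example.invalid,
# 203.0.113.9) so the assessment has something benign to ignore.
SAMPLE_NOTIFICATIONS = """\
2014-10-17 21:05:01 Malicious Website Blocked, Domain: fff5ee.com, IP: 31.184.192.90, Port: 50012, Process: C:\\Windows\\SysWOW64\\dllhost.exe
2014-10-17 21:05:02 Malicious Website Blocked, Domain: , IP: 88.214.193.211, Port: 50013, Process: C:\\Windows\\SysWOW64\\dllhost.exe
2014-10-17 21:05:03 Malicious Website Blocked, Domain: , IP: 95.215.1.57, Port: 50014, Process: C:\\Windows\\SysWOW64\\dllhost.exe
2014-10-17 21:05:04 Malicious Website Blocked, Domain: , IP: 88.214.193.211, Port: 50015, Process: C:\\Windows\\SysWOW64\\dllhost.exe
2014-10-17 21:05:05 Malicious Website Blocked, Domain: , IP: 95.215.1.57, Port: 50016, Process: C:\\Windows\\SysWOW64\\dllhost.exe
2014-10-17 21:30:00 Malicious Website Blocked, Domain: example.invalid, IP: 203.0.113.9, Port: 443, Process: C:\\Program Files\\Browser\\browser.exe
"""

# Assumed notifier line layout (timestamp, then comma-separated fields).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Malicious Website Blocked, "
    r"Domain: (?P<domain>[^,]*), IP: (?P<ip>[^,]+), Port: (?P<port>\d+), "
    r"Process: (?P<process>.+)$"
)

# Directories whose binaries should not normally be the originator of a stream
# of blocked outbound connections; a match here points at an injected host process.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_notifications(text):
    """Parse notifier lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "domain": m["domain"].strip() or None,   # empty Domain field -> None
            "ip": m["ip"].strip(),
            "port": int(m["port"]),
            "process": m["process"].strip(),
        })
    return events


def summarize_by_process(events):
    """Group events by originating process and compute the figures a responder wants."""
    groups = defaultdict(list)
    for e in events:
        groups[e["process"]].append(e)
    summary = {}
    for proc, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        ports = [e["port"] for e in evs]
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        summary[proc] = {
            "count": len(evs),
            "ips": sorted({e["ip"] for e in evs}),
            "domains": sorted({e["domain"] for e in evs if e["domain"]}),
            "port_min": min(ports),
            "port_max": max(ports),
            # Strictly rising ports mean each block is a new connection attempt.
            "ports_increasing": all(a < b for a, b in zip(ports, ports[1:])),
            "span_seconds": span,
            "per_second": len(evs) / span if span > 0 else float(len(evs)),
        }
    return summary


def assess(summary, min_events=5, min_rate=0.5):
    """Return {process: [reasons]} for processes whose block pattern warrants a closer look."""
    findings = {}
    for proc, s in summary.items():
        reasons = []
        if s["count"] < min_events:
            continue  # a handful of blocks is ordinary browsing noise
        if proc.lower().startswith(SYSTEM_DIRS):
            reasons.append("Windows system binary repeatedly reaching blocked hosts (host process likely injected)")
        if s["per_second"] >= min_rate:
            reasons.append(f"sustained outbound attempts: {s['count']} blocks in {s['span_seconds']:.0f}s")
        if s["ports_increasing"]:
            reasons.append("rising ephemeral ports: each block is a fresh connection, not one stuck page")
        if len(s["ips"]) > 1:
            reasons.append("rotating destinations: " + ", ".join(s["ips"]))
        if reasons:
            findings[proc] = reasons
    return findings


if __name__ == "__main__":
    summary = summarize_by_process(parse_notifications(SAMPLE_NOTIFICATIONS))
    for proc, reasons in assess(summary).items():
        print(proc)
        for r in reasons:
            print("  -", r)
```

The thresholds are deliberately modest: five blocks at half a block per second is enough to separate a process that keeps re-dialling from a browser that hit one bad page, which is exactly the distinction the poster's CCleaner run could not make.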

@ edjhome & @edbr

You both are not allowed to add your malware-removal help onto that of the original poster --- this topic is ONLY for BMBITE.

I will be deleting both of yours. Please start your own new and separate help topics AND put with them the FRST diagnostics.

Please read the forum rules!!

 

Read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.
One of the expert helpers there will give you one-on-one assistance when one becomes available.
After posting your new post make sure under options that you select Follow this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Please post the logs there.

Don't post your logs here.


These steps are for member BMBITE only. If you are a casual viewer, do NOT try this on your system!
If you are not and have a similar problem, do NOT post here; start your own topic.

 

Hello BMBITE and welcome aboard.

 

Your PC has trojan malware that is sometimes called Poweliks.

Do not do any sort of free-wheeling web surfing for the duration.

 

Do not do any self fixing except for those that I guide you to.

If you have questions, stop and ask first  and wait for my reply.

 

Save the attached file Fixlist.txt to the same location where you have FRST.exe ---- that's important for the Fix to work.

It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite an existing one please allow)

Run FRST again but this time press the "Fix" button just once and wait.

When finished, it will make a log (fixlog.txt) next to FRST.
Please attach the Fixlog.txt  into a reply.

Fixlist.txt


Hello Maurice. Thank you for your help! I've run the fix as you outlined. Please find attached the fixlog.txt.

 

After running the fix, it said it needed to restart the computer, so I let it restart. The pop-up notifiers from Malwarebytes have stopped after the restart. On a side note, the computer is unplugged from the internet (I unplugged it before your assistance.)

 

I'll await your next instructions. I do need to step out in about ten minutes, so I may not be able to do the next steps for an hour or so from now. Thank you.

Fixlog.txt


That is a very good start. Two follow-ups below.

 

A

Please do a Threat & Rootkit Scan:
Start the Anti-Malware program.

Click the Settings icon ( on the top bar) > then click **Detection and Protection** subtab, Detection Options, tick the box 'Scan for rootkits'.
Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
A Threat Scan will begin.

With _some infections_, you may see this message box.
'Could not load DDA driver'
Click 'Yes' to this message, to allow the driver to load after a restart.

Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click Apply Actions.
Wait for the prompt to restart the computer to appear, then click on Yes.

After the scan has completed, Click on the **History tab** > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click **'Copy to Clipboard'**
Paste the contents of the clipboard into your reply: in the body of the reply box, do a Paste by pressing the CTRL+V keys on the keyboard.

 

B

For this you need to be connected to the internet. This is an online scan. Have lots of infinite patience.

 

It's important to run this online scan to help look for any remnants that may be lurking. This scan can take upwards of an hour.

1) Turn off your anti-virus software.

2) Click Start>All Programs and locate Internet Explorer (64-bit). Right click to run as Administrator

3) Next, click on the following link ==> http://www.eset.com/onlinescan/

4) Click on the "ESET Online Scanner" button.

5) Put a check in the box that says "YES, I accept the Terms of Use."

6) Click the 'Start' button just to the right of the checkbox.

7) UNCHECK the box that says "Remove found threats" (this is very important).

8) Click on "Advanced settings".

9) Put a check in the box that says "Scan for potentially unsafe applications".

10) Verify that "Scan for potentially unwanted applications" is also checked.

11) Verify that "Enable Anti-Stealth technology" is also checked.

12) Click the 'Start' button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.

13) When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."

14) Save that text file on your desktop, and then attach it to a reply for me.

15) Close the ESET online scan.

16) Re-enable your Antivirus.

I will take a look at the log, and let you know if anything needs to be removed.


Hello Maurice. Thank you for your response.

A. Threat & Rootkit Scan completed as outlined above. It appears nothing was found. I've attached the Application Log as a .txt since I'm communicating with you via a different computer.

 

B. The ESET online scan was completed as you outlined above. I did it through Firefox because IE 11 was blocking the pop-up from them. No threats were found. I've attached a screen capture of the results.

 

Please let me know if you think I should do any additional steps. Thanks again for your help!

 

 

MB scan log 10-18-14.txt



That is very good.

Have you noticed any other IP blocks since then? Any signs of "fff5ee(dot)com"?

 

You are doing well. Just would suggest one more special scan. It will not take a whole lot of time.

 

You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for Bmbite only. If you are a casual viewer, do NOT try this on your system!
If you are not and have a similar problem, do NOT post here; start your own topic.


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now.

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere.  How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall-power (AC power) or a UPS system.


Important:  Have no other programs running.  Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning or prompts.  Accept the EULA and follow the prompts during the start phase of Combofix.

    When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.  
 

A file will be created at => C:\Combofix.txt.  

Notes:
[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer; this should resolve the problem. You may have to reboot the PC a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart... then... I need for you to Restart the system fresh.

Reply & Copy & Paste the contents of the C:\Combofix.txt log
and tell me, how is the system now?

Re-enable your antivirus program.

 


Hello Maurice. ComboFix has completed. I didn't receive any driver errors or anything, so I manually restarted the computer. Please find attached the ComboFix.txt log.

 

The computer is working fine. I haven't seen any Malicious Website Blocked messages since before your fix from FRST.

 

Should I delete ComboFix from my desktop?

 

Thank you!

 

ComboFix.txt


We can wrap this up now. I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used. Advise me after you have completed the cleanups.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it ComboFix),
put that name in the RUN box stated just below.
The "/uninstall" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space before the slash mark.
The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.
 

  • Highlight the line in this CODEBOX.
    Select & Copy the entire line within this codebox (so that it is in Windows clipboard memory)
     
    c:\users\B\Desktop\ComboFix.exe /uninstall
  • Start >> type in cmd >> press the Ctrl+Shift+Enter keyboard combination and cmd.exe will be launched as if you selected Run as Administrator. You will then see a User Account Control prompt asking if you would like to allow the Command Prompt to be able to make changes on your computer. Click on the Yes button and you will now be at the Elevated Command Prompt.

    Do a Right click within the command prompt window and select Paste.  This must show the line from Codebox above.
    Then tap Enter

IF in the case Combofix un-install has an issue, skip that step.

NEXT
 

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


Delete the following if still present:
FRST64.exe

FRST.txt

Fixlist.txt

Fixlog.txt

Addition.txt

 

Uninstall these Java related items through Control Panel:

Java 7 Update 67
Java Auto Updater
JavaFX 2.1.1

 

IF you must have Java, get the latest version from Sun, which now is Version 8 release 25.

You may use Control Panel >> Programs and Features and uninstall ESET Online scan.

Safer practices & malware prevention

 

Get and put in place our  Anti-Exploit
http://www.malwarebytes.org/products/antiexploit/

We are finished here. Best regards.
