Jump to content

Recommended Posts

I am getting the following popup and in the protection log, but only at login ...

 

Detection, 2/6/2015 9:12:40 AM, SYSTEM, HFIYRK1PLT120, Protection, Malicious Website Protection, IP, 46.161.41.123, cryptexplorer.us, 1200, Outbound, C:\Windows\System32\wscript.exe, 

Detection, 2/6/2015 9:12:40 AM, SYSTEM, HFIYRK1PLT120, Protection, Malicious Website Protection, IP, 46.161.41.123, cryptexplorer.us, 1200, Outbound, C:\Windows\System32\wscript.exe, 

Detection, 2/6/2015 9:12:43 AM, SYSTEM, HFIYRK1PLT120, Protection, Malicious Website Protection, IP, 46.161.41.123, cryptexplorer.us, 1207, Outbound, C:\Windows\System32\wscript.exe, 

Detection, 2/6/2015 9:12:43 AM, SYSTEM, HFIYRK1PLT120, Protection, Malicious Website Protection, IP, 46.161.41.123, cryptexplorer.us, 1209, Outbound, C:\Windows\System32\wscript.exe, 

Detection, 2/6/2015 9:12:43 AM, SYSTEM, HFIYRK1PLT120, Protection, Malicious Website Protection, IP, 46.161.41.123, cryptexplorer.us, 1210, Outbound, C:\Windows\System32\wscript.exe, 

Detection, 2/6/2015 9:12:43 AM, SYSTEM, HFIYRK1PLT120, Protection, Malicious Website Protection, IP, 46.161.41.123, cryptexplorer.us, 1212, Outbound, C:\Windows\System32\wscript.exe, 

 

The ports vary each time I reboot and log back in, but login is the only time I get the notice.  I've turned on rootkit scan and scanned, but found nothing.  I've also disabled almost everything in my startup.  I'm pretty sure it's not wscript.exe, but rather a script it's running that is is the issue.  I just can't find it.

 

I've run FRST and attached the results.

 

Any help would be appreciated, thanks.



Link to post
Share on other sites

Hello,
    
 
They call me TwinHeadedEagle around here, and I'll try to help your with your issue.
 
     
    
Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, what may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

:excl: I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!
:excl: There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
  warning.gif Rules and policies
 
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.
 



 
Download 51a5f31352b88-icon_MBAR.pngMalwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"



 
FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

Link to post
Share on other sites

Thanks for the reply.  I ran anti-rootkit and it popped up a warning about probable rootkit activity.  I clicked Yes.  I've attached that as well.  The first time it ran it didn't look like it ran correctly because I got a warning MBAM was still running.  I let it run anyway and it found nothing to fix.  I rebooted, but the blocked website warning was still present.  Since I wasn't sure it ran correctly the first time, I stopped MBAM first and ran it again with the same results except for the MBAM warning.  Logs from both runs are attached as well as new output from FRST.  The popup about the website is still present.

 

Addition.txt

FRST.txt

post-183033-0-02398900-1423334414_thumb.

mbar-log-2015-02-07 (10-20-30).txt

mbar-log-2015-02-07 (11-21-19).txt

system-log.txt

 

Link to post
Share on other sites

FRST.gif Fix with Farbar Recovery Scan Tool
 


icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

fixlist.txt

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.