Malicious Website Blocked: 195.62.25.111


Hello and welcome,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

The version of Chrome you have appears to be exploited and corrupt; try not to use Chrome until we make progress.....
 

Next,

 

1. Download Malwarebytes Anti-Rootkit from this link:

 http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe


4. Double-click on the mbar.exe file; you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:


5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.


7. The following image opens, select Update.


8. When the update completes select Next.


9. In the following window ensure "Targets" are ticked. Then select "Scan"


10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.


11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.
12. If no threats were found you will see the following image, Select Exit:


13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall


14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log (date and time of scan will also be shown)

Thanks,

Kevin...
 


Sorry for the double post, I wasn't paying attention and skipped the last few steps to update my firewall settings. I've done the step now and am waiting for the scan to finish. So far there's no rundll32 in the processes tab in the task manager, and everything seems to be reset to default in the firewall area.


Thanks for the update, continue please:

 

Chrome needs to be clean installed as follows:

 

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Remove all synced data from Chrome; go here: http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/ and follow those instructions...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Install Google Chrome from here: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

Enable any other extensions you normally use..

 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
  • Post back the report which should also be located here:


C:\Programdata\RogueKiller\Logs <-------- W7/8/10
C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------XP

The log will be listed similar to this: RKreport_SCN_06282015_153950.log

Next,
 
Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.
Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



Post those logs, also give an update on any remaining issues or concerns. Is the Firewall working ok now?

 

Thank you,

 

Kevin..
 


No, you posted that in the wrong format; that file has the extension .log-.2text, so it is not possible for me to see the correct log file.

 

Where you see the log listed in Computer > C:\ > Program Data > RogueKiller Logs > RKreport_SCN_08222015_225231.json

 

Change the extension to .log. Does that make the log appear like this?

 

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK3252GSX ATA Device +++++
--- User ---
[MBR] 2083a7301575864e02b94c2609fbecb2
[bSP] 3e1d80ccba6ece7b11abf6bd8836f890 : Acer|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD3200BEVT-22ZCT0 ATA Device +++++
--- User ---
[MBR] c67052206fb168522dde596fe2709bef
[bSP] fa096e23965f9d4af64805db74cd5e35 : Unknown|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 191101 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 391375593 | Size: 114141 MB
User = LL1 ... OK
User = LL2 ... OK
 


Thanks for the log, the second one is correct. Maybe roguekiller has changed options for logs... Continue please:

 

Double-click RogueKiller.exe to run again. (Vista/7/8 right-click and select Run as Administrator)

When "initializing/pre-scan" completes press the Scan button, this may take a few minutes to complete.

When the scan completes open the Tasks tab and locate the following detections:


[suspicious.Path] \RunAsStdUser Task -- "C:\Users\Lorand\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe" -> Found


Make sure those entries are Checkmarked (ticked) also ensure that all other entries are not Checkmarked.

Hit the Delete button, when complete select "Report" in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference.

One other entry may be suspicious: System Restore is shown as "Disabled". If that is your own setting we ignore it. If that setting is outside your remit we need to reset it with RK.

[PUM.Desktop] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found

Open the Registry tab and Checkmark (tick) that entry; also ensure that all other entries are not Checkmarked.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C2)-Notepad log will appear, please copy/paste it in your next reply.

 
Next,
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


 

Next,

 

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select "Run as Administrator"; the tool will expand to the options Window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log
 

Post those logs, also let me know if there are any remaining issues or concerns..

 

Thank you,

 

Kevin....

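The RogueKiller detection lines quoted in the post above (the RunAsStdUser scheduled task and the DisableSR registry value) follow a fixed "[Category] detail -> State" layout. The following Python is an added example, not code from this thread or from RogueKiller: it parses such lines into structured findings and annotates the System Restore value so a helper can see what ticking it would change. The sample report is constructed from the two quoted lines; the section headers, field names and KNOWN_VALUES table are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample: the two RogueKiller "-> Found" lines quoted in the thread, under section headers as RogueKiller prints them.
SAMPLE_REPORT = r'''
¤¤¤ Tasks : 1 ¤¤¤
[suspicious.Path] \RunAsStdUser Task -- "C:\Users\Lorand\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe" -> Found

¤¤¤ Registry : 1 ¤¤¤
[PUM.Desktop] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
'''

FINDING_RE = re.compile(r'^\[(?P<category>[^\]]+)\]\s+(?P<detail>.+?)\s+->\s+(?P<state>\w+)\s*$')
TASK_RE = re.compile(r'^(?P<task>\\\S+)\s+Task\s+--\s+"(?P<path>[^"]+)"$')
REG_RE = re.compile(r'^(?:\((?P<arch>X86|X64)\)\s+)?(?P<key>HK\S.*?)\s+\|\s+(?P<value>\S+)\s+:\s+(?P<data>.+?)$')

# DisableSR = 1 switches System Restore off; the operator may have set it deliberately, as the post above notes.
KNOWN_VALUES = {"DisableSR": {"1": "System Restore disabled", "0": "System Restore enabled"}}

@dataclass
class Finding:
    category: str   # e.g. "PUM.Desktop" (potentially unwanted modification), "Suspicious.Path"
    kind: str       # "task", "registry" or "other"
    location: str   # task name or registry key
    target: str     # executable path, or "value = data" for registry findings
    state: str      # "Found", "Deleted", ...
    note: str       # interpretation, when one is known

def parse_findings(report: str) -> list:
    """Turn every '[Category] detail -> State' line of a RogueKiller report into a Finding."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines and anything else are skipped
        category, detail, state = m.group("category"), m.group("detail"), m.group("state")
        if (t := TASK_RE.match(detail)):
            path = t.group("path")
            note = "runs a binary from the user profile" if "\\appdata\\" in path.lower() else ""
            findings.append(Finding(category, "task", t.group("task"), path, state, note))
        elif (r := REG_RE.match(detail)):
            data = r.group("data").strip()
            note = KNOWN_VALUES.get(r.group("value"), {}).get(data, "")
            findings.append(Finding(category, "registry", r.group("key"), f'{r.group("value")} = {data}', state, note))
        else:
            findings.append(Finding(category, "other", "", detail, state, ""))
    return findings

def is_pum(f: Finding) -> bool:
    """PUM findings are changed settings rather than malware; confirm with the user before deleting."""
    return f.category.split(".")[0].upper() == "PUM"
```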

# AdwCleaner v5.003 - Logfile created 23/08/2015 at 11:27:43
# Updated 20/08/2015 by Xplode
# Database : 2015-08-23.2 [server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Lorand - LORAND-PC
# Running from : C:\Users\Lorand\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

*************************

:: Proxy settings cleared
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [608 bytes] ##########

 

Note: I did it 2 times, the first time I did it I thought a .log file will appear, but it obviously didn't, and I accidentally closed the window.

 

This appears when I run JRT.exe:

 


 

This appears after I press any key, and after this appears it automatically stops:

 


 

There's no .txt file :(

 

The last program I tried to run doesn't start properly; it pops up for a few milliseconds and then closes....

 

Here's the log from the last part:

 

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.27, August 2015 (build 5.27.11700.0)
Started On Sun Aug 23 11:41:01 2015

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.27, August 2015 (build 5.27.11700.0)
Started On Sun Aug 23 11:41:54 2015

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.27, August 2015 (build 5.27.11700.0)
Started On Sun Aug 23 11:42:24 2015

Engine: 1.1.11903.0
Signatures: 1.203.693.0

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.27, August 2015 (build 5.27.11700.0)
Started On Sun Aug 23 11:42:33 2015

 

rundll32.exe still running in my task manager. 15-20 consumption.

export.txt


Are you concerned that rundll32.exe shows as running in Task Manager? It is more than likely legitimate. Read at the following link:

 

http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/

 

AdwCleaner usually creates a log after the reboot is completed to finish cleaning process, did that not happen for you.... The logs are also saved as .txt files to this folder: C:\AdwCleaner that folder also holds the Quarantine folder..

 

What is the current status of your system, are there any remaining issues or concerns? Do not worry about JRT, we can omit that scan...

 

Thank you,

 

Kevin


I'm glad to hear that rundll32 is now working how it should. Usually that's what the mbytes picked up, but now it's fixed I'm pretty sure, since the pop-up stopped a while ago; I was just panicked that it could reappear I guess. Thank you for all your help. Here are the files I have in the adw folder.

AdwCleanerC2.txt

AdwCleanerC3.txt

AdwCleanerS3.txt

AdwCleanerS4.txt

AdwCleanerS5.txt


Thanks for the update, please note the changes in AdwCleaner: logs are now saved with a C in the name instead of S after a clean function, and the digit still increases as more scans are run.

 

Also note under "Options" there are nine (9) new fixes included, Four (4) are selected as default, the other five are not. Please be aware of those options and the changes that can be made..

 

If no more issues we can clean up as follows:

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

Double Click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make sure the following items are checked:

  • Remove disinfection tools
  • Purge System Restore <--- this will remove all previous restore points and create a fresh point relative to system status at present.
  • Reset system settings


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629
 

Thank you,

 

Kevin...


This topic is now closed to further replies.