Malicious website blocked popup every couple minutes

[abliceb1]

I downloaded Farber Recovery Scan Tool, and here are the two files resulting from the scan (attached)

 

I am getting the popup "Malicious Website Blocked; su2.ff.avast.com; 92.242.140.21" in the righthand part of my screen every couple minutes. It disappears pretty quickly, and when I click on it, I can no longer see the information that was listed on the popup.

 

I've seen this topic listed, but I can't seem to find the resolution. It looks like a lot of people started seeing this regardless of OS.

 

I use Windows 7.

 

Thanks in advance!

Addition.txt

FRST.txt

[MrCharlie]

Welcome to the forum, are you on a Verizon/FIOS router?

MrC

[abliceb1]

I think I am. I use the wifi available to me in my building, and I think it is Verizon/fios.

[MrCharlie]

Do you have access to the router????

Your problem is usually related to the router, we can make some tweaks to resolve it.
There's some malware on the system that needs to be cleaned also.

=================================

Please uninstall this program if possible:

Define Ext (HKU\S-1-5-21-1812722484-316454843-485349640-1001\...\Define Ext) (Version: 8 - DefineExt.com) <==== ATTENTION

==================================

Download Delfix from Here and save it to your desktop.

• Place a check mark in front of .......
• Create registry backup <---only!
• Uncheck the rest!
• Click the Run button.
  
  Close the tool out when it's done....we'll use it later.
  
  ============================
  
  Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.
  Run FRST.exe/FRST64.exe and click Fix only once and wait
  The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.
  
  ==========================
  
  Lets check for any adware/spyware now:
  
  Please download AdwCleaner from HERE or HERE to your desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program that may have been targeted by mistake.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
  Next..................
  
  Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  Next.........
  
  Please Update and run a Threat Scan (Malwarebytes)
  Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware
  Same for PUM (Potentially Unwanted Modifications)
  Quarantine All that's found
  
  MrC
   

fixlist.txt

[abliceb1]

I was able to remove the program. I do not have free access to the router. It is in my landlord's apartment, not easily accessible. I recently put in a signal amplifier because I was not receiving signal very well. I bring my laptop to work as well and use the wifi as well as an ethernet cable for internet.

 

I did the first couple things up until adding the fixlog file. Should I remove AVAST! before moving onto the next step? I don't want too many competing programs installed on my computer at once.

Fixlog.txt

[abliceb1]

# AdwCleaner v5.008 - Logfile created 18/09/2015 at 10:02:12
# Updated 18/09/2015 by Xplode
# Database : 2015-09-17.3 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Anna - ANNA-HP
# Running from : C:\Users\Anna\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\LinkSwift
[-] Folder Deleted : C:\ProgramData\Conduit
[-] Folder Deleted : C:\ProgramData\{18165758-115C-4DC0-9EC2-FF89F725767F}
[-] Folder Deleted : C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
[-] Folder Deleted : C:\Users\Anna\AppData\Local\~0
[-] Folder Deleted : C:\Users\Anna\AppData\Local\Conduit
[-] Folder Deleted : C:\Users\Anna\AppData\Local\DefineExt
[-] Folder Deleted : C:\Users\Anna\AppData\Local\PackageAware
[-] Folder Deleted : C:\Users\Anna\AppData\LocalLow\Conduit

***** [ Files ] *****

[-] File Deleted : C:\END
[-] File Deleted : C:\Users\Anna\AppData\LocalLow\SkwConfig.bin

***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key Deleted : HKU\.DEFAULT\Software\ImInstaller
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\IM
[-] Key Deleted : HKCU\Software\ImInstaller
[-] Key Deleted : HKCU\Software\Define Ext
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\Define Ext
[-] Key Deleted : HKLM\SOFTWARE\W3I
[!] Key Not Deleted : [x64] HKCU\Software\Conduit
[!] Key Not Deleted : [x64] HKCU\Software\IM
[!] Key Not Deleted : [x64] HKCU\Software\ImInstaller
[!] Key Not Deleted : [x64] HKCU\Software\Define Ext
[!] Key Not Deleted : HKU\S-1-5-21-1812722484-316454843-485349640-1001\Software\AppDataLow\Software\Yahoo\Companion
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2A498D792D0AD2F4DADF03B3C066122B
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C697F962E048A434B8AE269E702964C8

***** [ Web browsers ] *****

[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\178p7sxp.default-1356315252077\prefs.js] [Preference] Deleted : user_pref("smartbar.originalHomepage", "about:home");
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3314312&octid=CT3314312&SearchSource=61&CUI=UN24337851021526030&UM=2&UP=SP4CCB1A39-6802-4440-AC87-E4DF1B7969FC");
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3314312");
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("extensions.LinkSwift.aul", "1385269292221");
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("extensions.LinkSwift.irl", true);
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("extensions.LinkSwift.is", "trlsus");
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("extensions.LinkSwift.ug", "6203D4D9-33C0-4D71-83B1-5E68B87BE464");
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("plugin.state.npconduitfirefoxplugin", 2);
[-] [C:\Users\Anna\AppData\Roaming\Mozilla\Firefox\Profiles\x1sn3ius.default\prefs.js] [Preference] Deleted : user_pref("smartbar.machineId", "7EPUROUNG3/ESTDOAEEQIG/DN3S8EROZD5KPJK0V0GPERNHYIMHJVAHT81DC59RM+EZHZ/UFK09NQ17MMTFTKW");
[-] [C:\Users\Anna\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
[-] [C:\Users\Anna\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4772 bytes] ##########
 

[MrCharlie]

Should I remove AVAST!

No, you don't have to do that...it's not related to AVAST.

MrC

[abliceb1]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.2 (09.14.2015:1)
OS: Windows 7 Home Premium x64
Ran by Anna on Fri 09/18/2015 at 10:10:29.58
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_12C6C396F9F079F593189BD3E5EB8A5F



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EE67A1B4-2EC3-4F9A-AD55-529789C33E2D}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{EE67A1B4-2EC3-4F9A-AD55-529789C33E2D}



~~~ Files



~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{0163274C-430D-493E-BF23-DFD34B1181C5}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{02B10B51-C033-457F-934A-D97001EB2855}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{0B0738AE-5FEF-4A6E-8C5D-68A1C94CB7E4}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{147F4F9F-0450-4A22-9EBA-BCBBCDDAED96}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{20660E79-D7F2-46BF-BE40-E5B257770FA1}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{235E3361-7A91-4BC4-9BDB-533CCE6E1D43}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{3D25B5B5-66C7-4F38-BA2B-5C712E94A7D5}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{3FB3F7C7-9E35-4C78-9609-A4A59D9B7DD6}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{44600D6D-5128-4F41-A05B-72939C3F6A82}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{4BE62585-EE35-40E1-9131-10281B666D64}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{52E2ACE3-F9DA-4454-B691-2975843C3F1B}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{5FF5D15C-AA50-4748-B176-34DD3F181917}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{600C715C-1F5D-4257-98BF-209C6A8D5052}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{62614197-91B7-4BAD-A837-08E232DFC506}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{6318978C-1B22-4155-A796-44D9603342FF}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{691C4AF9-83F9-46D9-A01B-39AB7FA5C346}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{72EBA3BE-C892-45B6-8F20-53A7A5B94BA1}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{76D9B4AA-9A60-431D-A8D4-9E5600D75DCF}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{79289990-05DA-4399-8652-D14022D2E871}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{7C077764-1EB5-44EE-BB23-D23BAD5CF897}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{888BD5A8-5B2E-410A-BD02-F2F3E48B908D}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{B64B986A-0860-43D9-A291-2D10E889755C}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{C321E8CC-A15F-4853-8718-097BF566510B}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{CC3C6518-DC25-40F0-8F85-DD472EFC5D23}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{D621EDC5-1803-4138-9128-C56D137EC7A6}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{EA9D7E09-26A9-4026-B26D-A1A8A891DB62}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{EAF142D4-1C3E-4AEF-883E-0FEEB77594E0}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{EEDBD70B-759C-4965-9EB4-18F0EFAEEFA7}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{F2A2B5D6-87EE-4B05-A9E6-C8CD507352E6}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{F689E222-31C6-4900-AF20-F2C08D04F301}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{F9920FE5-43EA-4CB6-A01A-E6E33DED4146}
Successfully deleted: [Empty Folder] C:\Users\Anna\Appdata\Local\{FE39D2B1-61A1-4FD3-B1E8-D4049F83FDA2}



~~~ FireFox

Emptied folder: C:\Users\Anna\AppData\Roaming\mozilla\firefox\profiles\x1sn3ius.default\minidumps [452 files]



~~~ Chrome


[C:\Users\Anna\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Anna\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Anna\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Anna\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 09/18/2015 at 10:16:34.01
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

[abliceb1]

The Scan yielded nothing to quarantine

[MrCharlie]

OK, can you post or attach the latest Protection log showing the blocks.

Please save it as a .txt file not .xml.

MrC

[abliceb1]

DelFix.txt

[MrCharlie]

Wrong log...need the latest Protection log showing the blocks:

https://support.malwarebytes.org/customer/portal/articles/1835323-how-do-i-access-and-save-logs-from-malwarebytes-anti-malware-?b_id=6438

[abliceb1]

Oops, sorry about that.

 

logfile.txt

[MrCharlie]

This is from Verizon and how to correct the problem...it would be great if your landlord could make this tweak:

 

"This is expected bahavior.  The Verizon Online DNS resolvers have NXDOMAIN redirection services that redirect any unknown host to a sponsored search page.  You can opt out of this by changing your resolver from .12 to .14."

 

https://www.verizon.com/support/residential/internet/fiosinternet/troubleshooting/network/questionsone/99144.htm#<---opt out

 

====================================

 

Lets try something simple:

Ad these to your host file, the link below shows how:

77.234.41.65  su2.ff.avast.com
0.0.0.0  2-undefined.facebook.com

Here's a good tutorial for the host file...make sure you look at the correct one for you operating system:
http://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

Let me know.....MrC

[abliceb1]

Landlord is out of town for a few days. I could potentially go take a look at the router sometime this weekend.

 

I tried to modify that document, but I could not save it in the correct location because windows 7 automatically blocks access to administrative actions. I tried to enable my administrator privileges, but nothing shows up in my MMC console.

 

Thanks for all of your help. This is pretty maddening.

[MrCharlie]

I wouldn't mess with the router unless you have your landlords permission.

This you should be able to do...install OpenDNS on your computer:

http://www.isitdownrightnow.com/how-to/setup-opendns-in-windows-7.html

Let me know.......MrC

[abliceb1]

Ok, I did that. I won't be back to work on this until a little later. Should I wait to do this until I can be around to work on it?

 

Thanks

[MrCharlie]

Ok, I did that. I won't be back to work on this until a little later. Should I wait to do this until I can be around to work on it?

 

Thanks

 

I'm not sure what you mean by this?????  What did you do and what do you want to do????

[abliceb1]

I installed OpenDNS on my computer according to the last link you provided.

[MrCharlie]

OK, did it stop the blocks????

[abliceb1]

No, it did not.

[MrCharlie]

OK then the router has to be tweaked as mentioned.

You should remove the OpenDNS from your computer, the router is over riding the computers settings.

All you should have to do is check the:

Obtain DNS Server Automatically

and that should do it

===========================================

Try HostsXpert to edit your host file as mentioned: (I've already downloaded and attached it for you.)

http://www.afterdawn.com/software/network/misc_net_tools/hostsxpert.cfm

MrC

HostsXpert_v4.4.zip

[abliceb1]

I can edit the host file, but I cannot save it in the correct folder because I do not have admin privileges. If i save it in my documents, it doesn't do anything.

[MrCharlie]

See if this works:

http://drm-assistant.com/others/how-to-gain-full-administrator-privileges-in-windows7os.html

[abliceb1]

That seemed to work. It's a little strange because I changed the permissions and then once again tried to save the notepad file in the correct folder, and it told me I still didn't have permission to do so. However, when I opened up the notepad file using that path (c:\windows\system32\drivers\etc\hosts), 77.234.41.65    su2.ff.avast.com was already saved in the file, so it seems to have done the trick. I am not seeing the little window pop up anymore.

Thanks so much for all of your assistance!

 

A