
Blocking Outbound Access Attempts


tjconn31

Welcome to the forum.

Are you on a Verizon/FIOS router???

Model number???

===================================================

Download Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

Close the tool out when it's done....we'll use it later.

============================

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait.

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

==========================

Let's check for any adware/spyware now:

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program that may have been targeted by mistake.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Next..................

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Next.........

Please Update and run a Threat Scan (Malwarebytes)

Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine All that's found

MrC

fixlist.txt


Model Number: MI424WRGEN3I-I

Fix result of Farbar Recovery Scan Tool (x64) Version:15-09-2015
Ran by terry (2015-09-21 23:26:57) Run:1
Running from C:\Users\terry\Downloads
Loaded Profiles: terry & UpdatusUser (Available Profiles: terry & UpdatusUser)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
emptytemp:
Task: {05E5E5ED-ADA4-4CF5-8FAD-9828CF30645E} - \WSE_Vosteran No Task File <==== ATTENTION
Task: C:\Windows\Tasks\WSE_Vosteran.job => C:\Users\terry\AppData\Roaming\WSE_VO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1880721975-2681396882-3100980296-1002\...\Policies\Explorer: [NoSaveSettings] 0
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1880721975-2681396882-3100980296-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1880721975-2681396882-3100980296-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://vosteran.com/...r=927136474&ir=
2015-01-19 10:29 - 2015-01-19 10:29 - 00002407 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PerforMax Cleaner.lnk
2015-01-19 10:29 - 2015-01-19 10:29 - 00002401 _____ () C:\Users\Public\Desktop\PerforMax Cleaner.lnk
2015-01-19 10:29 - 2015-01-19 10:29 - 00000000 ____D () C:\Program Files (x86)\PerforMax Cleaner
2015-01-19 17:39 - 2015-01-19 17:39 - 00000000 ____D () C:\Users\terry\AppData\Local\PerforMax Cleaner
HKLM-x32\...\Run: [PerforMax Cleaner] => C:\Program Files (x86)\PerforMax Cleaner\PerforMax Cleaner.exe [1589760 2014-12-05] ()
C:\Program Files (x86)\PerforMax Cleaner
CHR DefaultSearchKeyword: Default -> vosteran.com
CHR DefaultSearchURL: Default -> http://vosteran.com/...r=927136474&ir=
CHR HomePage: Default -> hxxp://vosteran.com/?f=1&a=vst_adkpub_15_04_ie&cd=2XzuyEtN2Y1L1Qzuzz0C0AzyzztBtC0FtCzyzytDyBtCyCzztN0D0Tzu0StCtCtCyEtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StB0DyB0D0E0AtDzztG0Czz0C0BtGtDtByByBtGyCtBtB0DtGyB0BzzyD0FtAtD0DtD0E0C0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FyE0ByC0B0CtC0DtGtBtCyCtDtGyEtDzzyBtGzzzyzy0FtG0C0EzyzzzztByEtCyCzz0A0D2Q&cr=927136474&ir=
CHR StartupUrls: Default -> "hxxp://vosteran.com/?f=7&a=vst_adkpub_15_04_ie&cd=2XzuyEtN2Y1L1Qzuzz0C0AzyzztBtC0FtCzyzytDyBtCyCzztN0D0Tzu0StCtCtCyEtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StB0DyB0D0E0AtDzztG0Czz0C0BtGtDtByByBtGyCtBtB0DtGyB0BzzyD0FtAtD0DtD0E0C0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0FyE0ByC0B0CtC0DtGtBtCyCtDtGyEtDzzyBtGzzzyzy0FtG0C0EzyzzzztByEtCyCzz0A0D2Q&cr=927136474&ir=", "https://www.google.com/"
CHR DefaultSearchKeyword: Default -> vosteran.com
CHR DefaultSearchURL: Default -> http://vosteran.com/...r=927136474&ir=
2015-01-19 10:27 - 2015-01-19 17:37 - 00000292 _____ () C:\Windows\Tasks\WSE_Vosteran.job
2015-01-19 10:27 - 2015-01-19 17:34 - 00000000 ____D () C:\Program Files (x86)\WSE_Vosteran
2015-01-19 10:27 - 2015-01-19 10:28 - 00000000 ____D () C:\Users\terry\AppData\Local\Vosteran
2015-01-19 10:27 - 2015-01-19 10:27 - 00000000 ____D () C:\Users\terry\AppData\Roaming\WSE_Vosteran
C:\ProgramData\rkill64.exe

*****************

Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{05E5E5ED-ADA4-4CF5-8FAD-9828CF30645E} => key not found.
C:\Windows\Tasks\WSE_Vosteran.job => not found.
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore => key not found.
HKU\S-1-5-21-1880721975-2681396882-3100980296-1002\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings => value not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\S-1-5-21-1880721975-2681396882-3100980296-1002\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\S-1-5-21-1880721975-2681396882-3100980296-1002\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PerforMax Cleaner.lnk" => File/Folder not found.
C:\Users\Public\Desktop\PerforMax Cleaner.lnk => moved successfully
"C:\Program Files (x86)\PerforMax Cleaner" => File/Folder not found.
C:\Users\terry\AppData\Local\PerforMax Cleaner => moved successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\PerforMax Cleaner => value not found.
"C:\Program Files (x86)\PerforMax Cleaner" => File/Folder not found.
Chrome DefaultSearchKeyword => not found.
Chrome DefaultSearchURL => not found.
Chrome HomePage => not found.
Chrome StartupUrls => not found.
Chrome DefaultSearchKeyword => not found.
Chrome DefaultSearchURL => not found.
"C:\Windows\Tasks\WSE_Vosteran.job" => File/Folder not found.
"C:\Program Files (x86)\WSE_Vosteran" => File/Folder not found.
"C:\Users\terry\AppData\Local\Vosteran" => File/Folder not found.
"C:\Users\terry\AppData\Roaming\WSE_Vosteran" => File/Folder not found.
"C:\ProgramData\rkill64.exe" => File/Folder not found.
EmptyTemp: => 6.8 GB temporary data Removed.

The system needed a reboot..

==== End of Fixlog 23:34:02 ====

# AdwCleaner v5.008 - Logfile created 21/09/2015 at 23:48:44
# Updated 18/09/2015 by Xplode
# Database : 2015-09-20.1 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : terry - TERRY-PC
# Running from : C:\Users\terry\Downloads\adwcleaner_5.008 (1).exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\Yahoo!\Companion
[-] Folder Deleted : C:\ProgramData\Avg_Update_1014avt
[-] Folder Deleted : C:\ProgramData\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
[-] Folder Deleted : C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
[-] Folder Deleted : C:\ProgramData\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
[-] Folder Deleted : C:\Users\terry\AppData\LocalLow\Yahoo!\Companion
[-] Folder Deleted : C:\Users\terry\AppData\Roaming\download Manager
[-] Folder Deleted : C:\Windows\SysWOW64\C2MP

***** [ Files ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[-] Key Deleted : HKU\.DEFAULT\Software\AVG Secure Search
[-] Key Deleted : HKU\.DEFAULT\Software\Avg Secure Update
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\AVG Security Toolbar
[-] Key Deleted : HKCU\Software\Adknowledge
[-] Key Deleted : HKCU\Software\Yahoo\Companion
[-] Key Deleted : HKCU\Software\Yahoo\YFriendsBar
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\Avg Secure Update
[-] Key Deleted : HKLM\SOFTWARE\W3I
[-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayManager
[!] Key Not Deleted : [x64] HKCU\Software\Adknowledge
[!] Key Not Deleted : [x64] HKCU\Software\Yahoo\Companion
[!] Key Not Deleted : [x64] HKCU\Software\Yahoo\YFriendsBar
[!] Key Not Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\AVG Security Toolbar
[!] Key Not Deleted : HKU\S-1-5-21-1880721975-2681396882-3100980296-1002\Software\AppDataLow\Software\Yahoo\Companion
[!] Key Not Deleted : HKU\S-1-5-18\Software\AppDataLow\Software\AVG Security Toolbar
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509

***** [ Web browsers ] *****

[-] [C:\Users\terry\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : jhgdphfpmicmcjljihifcbkejmgbnmoc
[-] [C:\Users\terry\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : oilkkkefbalmbfppgjmgjoefbclebkce

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2973 bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.2 (09.14.2015:1)
OS: Windows 7 Home Premium x64
Ran by terry on Mon 09/21/2015 at 23:56:49.13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Tasks

Successfully deleted: [Task] C:\Windows\system32\tasks\PCDEventLauncherTask
Successfully deleted: [Task] C:\Windows\system32\tasks\TuneUpUtilities_Task_BkGndMaintenance2013

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\TuneUp Undelete

~~~ Files

~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{120B1FCF-5C56-4CF5-958A-EB3552B29679}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{196780E2-8B0D-45A4-A324-52E35778506D}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{383E3A15-330B-4E3C-BDD9-12C509BC7007}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{39DCD55C-AEBF-4038-97E2-08749653062D}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{4B0525EC-B3EC-4ABA-9EF3-83E628DEB399}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{50D75981-0499-4619-BBF8-FC8A8D7D2708}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{5A88103A-3695-4E1D-96DA-092453172BE2}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{7B7AEF7B-47F7-42B9-BC3A-BF7754AB72A6}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{CA41CD08-455D-43CF-931A-7674537052FB}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{DC017ABD-ACC9-460E-8091-3ED234115791}
Successfully deleted: [Empty Folder] C:\Users\terry\Appdata\Local\{DC1BB2B8-2D99-48CE-BE4C-959DDF108E02}

~~~ Chrome

[C:\Users\terry\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\terry\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\terry\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\terry\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 09/22/2015 at  0:04:36.13
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK...this is from Verizon and how to resolve the problem:

"This is expected behavior. The Verizon Online DNS resolvers have NXDOMAIN redirection services that redirect any unknown host to a sponsored search page. You can opt out of this by changing your resolver from .12 to .14."

https://www.verizon.com/support/residential/internet/fiosinternet/troubleshooting/network/questionsone/99144.htm#<---opt out

===================================

Rather than change the current settings as they say to, we've been installing OpenDNS on the routers and it's been working fine.

So let's give that a try:

First..as in the image below, copy down the current DNS settings (primary and secondary)

Example:

71.252.0.12

71.242.0.12


======================================

Now here are instructions on how to install OpenDNS on your router:

https://support.opendns.com/entries/49788514--Verizon-FIOS-Actiontec-MI424WR-and-Westell-UltraLine

To confirm it's installed correctly...visit the site below:

http://www.opendns.com/welcome/

Good Luck.....Let me know, MrC
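The NXDOMAIN redirection that the Verizon note describes can be checked directly instead of by eye. The script below is an added example written for this thread, not code from the forum, Verizon or OpenDNS: it sends a raw DNS A query for a name that should not exist to a resolver you name and reports whether that resolver returned an honest NXDOMAIN (RCODE 3, no answer records) or substituted an address of its own, which is exactly what lands a mistyped hostname on a sponsored search page. The resolver 71.252.0.12 is taken from the thread; 71.252.0.14 is assumed from Verizon's ".12 to .14" opt-out description; the probe name under example.com is constructed for the example. Only the Python standard library is used.

```python
"""Probe a DNS resolver for NXDOMAIN redirection (added example, not from the thread).

build_query / parse_response / classify are pure functions, so a captured
response can be classified offline; probe_resolver is the only part that
touches the network.
"""
import os
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                           # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:                  # root label: name ends here
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer (2 bytes) ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg: bytes, txid: int) -> dict:
    """Extract the RCODE and any A-record addresses from a DNS response."""
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:               # QR bit must be set on a response
        raise ValueError("not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):             # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            addrs.append(socket.inet_ntoa(rdata))
    return {"rcode": rcode, "addresses": addrs}


def classify(result: dict) -> str:
    """'honest' for a clean NXDOMAIN, 'redirected' when the resolver invented an A record."""
    if result["rcode"] == 3 and not result["addresses"]:
        return "honest"
    if result["rcode"] == 0 and result["addresses"]:
        return "redirected"
    return "inconclusive"


def probe_resolver(resolver_ip: str, probe_name: str, timeout: float = 3.0) -> str:
    """Send the probe to `resolver_ip` on UDP/53 and classify its answer (needs network access)."""
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(probe_name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return classify(parse_response(data, txid))


if __name__ == "__main__":
    # Constructed probe: a random label under example.com, which should never resolve.
    probe = "nx-" + os.urandom(6).hex() + ".example.com"
    # 71.252.0.12 is from the thread; 71.252.0.14 is assumed from the ".12 to .14" note.
    for ip in ("71.252.0.12", "71.252.0.14"):
        try:
            print(ip, probe_resolver(ip, probe))
        except (OSError, ValueError) as exc:
            print(ip, "error:", exc)
```

Run it from a machine on the FIOS network before and after changing the router's DNS servers: a "redirected" verdict means the resolver answers nonexistent names with an address of its own, and the same probe against the new resolvers shows whether the change took effect. Using a fresh random label each run avoids a cached answer from an earlier query masking the result.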


Good.....

A little clean up to do....

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot
Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.