
I.P. blocks 2080.hit.buy-targeted-traffic.com + file133desktop.info & adsparkmedia.net &others



I think because of a recent dodgy software download I seem to have picked up this malware, I was thinking it is an adware.

 

I've run Malwarebytes and Bitdefender and CCleaner, AND reset my chrome settings but it still doesn't go away and all the softwares say everything is clean and fine.

 

Please help me get rid of this.

 

Thanks

Link to post
Share on other sites

:welcome:

 

Tell me, please, is that a popup window ( or tab ) in one of the web browsers?  if so, which one specifically?

and if so, also, how do you start that browser   ( from which shortcut or menu )?

 

or tell me, if this perhaps is an IP Block message ?

 

Please try to reset your browser settings and see if that helps -

IE
http://support.microsoft.com/kb/923737

Google Chrome
https://support.google.com/chrome/answer/3296214?hl=en

Firefox:
First, do a refresh for Firefox.  https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings
Then set your own choices for search engine, and start & home page, etc.
https://support.mozilla.org/en-US/kb/reset-firefox-fix-most-problems


I would like to gather additional information to help troubleshoot the problem. Please follow the steps below to collect this information.


If your antivirus is NORTON you will need to turn it off before doing these next reports. Just a temporary measure before-hand.
You can get help on disabling your Norton antivirus programs here:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html

Please do as much as you can of all this below and do not let anything bar you from running the rest.


I would like to have you run a tool known as FRST. FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.

1: Please download the appropriate version of Farbar Recovery Scan Tool  (FRST.exe) from here:

"Farbar Recovery Scan Tool" from this link
and save it to your desktop.

Note: You need to download the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your computer; that will be the right version.

ATTENTION: After you click the Download Now 64-bit or the Download Now 32-bit button, another page will open - DO NOT CLICK any additional 'download now' buttons. Please wait and look toward the top or bottom of your browser for the option to Run or Save. Click Save to save the file.



Scan with FRST

Right-click on *FRST* icon  and select  *Run as Administrator* to start the tool.
 

The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that *Addition* and *Shortcut* options are *checked* -  (do not mark additional things unless asked).
Press *Scan* button and wait.


The tool will produce three logfiles on your desktop: _FRST.txt_ , _Addition.txt_ and _Shortcut.txt_ .
Please *attach these three files* to your next reply.

Link to post
Share on other sites

Hi,

It takes me to orion.zerohorizon.net or 2080.hit.buy-targeted-traffic.com/load/hit_1.php?source_id=2080&sub_id=&source_mk=1d0d9744 or others which seem to originate from the 2080 website as shown.

 

I did try to uninstall chrome using revo but only used the moderate setting and didn't delete my profile which was in bold, so my next step after this reply will be to complete that task.

 

Please find the attached text documents.

 

I've run literally every anti malware software available now inc Hitman Pro but still the pop ups keep appearing.

 

Think best solution is to uninstall chrome using the advanced function in revo.

Addition.txt

FRST.txt

Shortcut.txt

Link to post
Share on other sites

Sorry I also forgot to mention this all happens in chrome as it randomly at any time but not frequently, maybe every hour or so, will open the links I mentioned above inc any new ones that it may come up with. This maybe because chrome is my default browser, however all the settings are normal and I already reset chrome's settings.

Link to post
Share on other sites

Thanks for the reports.  While this case is here and I am guiding you, please do not get or run any more other tools.

 

I would like to get some Protection logs from your machine, please.

It is probably a very good idea to get a few report files from this machine, so that I can better see what the situation is.
The first thing is for me to look at a couple of the latest Protection logs from our software.
Set Windows 7 to Show all files by doing this:
Press and hold Windows-key+E key on keyboard to start Windows Explorer ( File Manager for Windows).
From the Windows Explorer menu options, Select Tools, then Folder Options.
Next click the View tab.
Locate and uncheck “Hide file extensions for known file types.”
Locate and click "Show hidden files and folders and drives. "
Click Apply > OK.

Do not let the Windows message spook you.

 

 

To show all files:
Press and hold Windows-key & then press E key to start Windows Explorer. Be patient as it will show a VIEW tab with a ribbon at the top.

When in Windows Explorer, press ALT-key then V key to get VIEW menu
Look at the top ribbon, right side. {the Show/Hide block}
Look at the line "Hidden items". IF it has no checkmark, then Click the box one time so that it is checked.
Look at the line "File Name extensions".    IF it has no checkmark, then Click the box one time so that it is checked.

Those are important to have and show all that.   Don't get freaked out if you get a prompt when doing this.  It is all good.
 

Look in this folder on your system ( you may use Windows Explorer as needed)
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

I need to see the Protection log named protection-log-2015-09-.. in the corresponding folder. Please attach it for my review.
See about attaching these 2 files ( with your next email reply, as normal email attachments)
protection-log-2015-10-06.xml
protection-log-2015-10-07.xml

Edited by Maurice Naggar
Link to post
Share on other sites

Hello,  Thanks for the logs.

First, I would request that while this case is going on, that you turn off uTorrent ( bit torrent) so that we do not have that as a possible source of interference.

 

I would suggest at this time to review Windows' settings for DNS server and make some adjustments.

I would suggest you check out this next link. https://forums.malwarebytes.org/index.php?/topic/172652-read-me-seeing-9224214021-blocks-read-me-please/

 

{ Disregard any mention of IP 92x.x  and any mention of a specific domain name.  We are just after adjusting the options for TCP IP v4 settings on DNS server choice}.

Then follow MysteryFCM's suggestions to make changes for the selections for DNS. Choose OpenDNS or otherwise Google. ( just like on the sample image below).
That should clear up the original issue.
By the way, please do not make changes to the Hosts file. Just only the DNS adapter settings as laid out by MysteryFCM on our forum page above.

 

This next picture is a sample one for the "area" under discussion.

post-2622-0-96768900-1444394866_thumb.pn

 

 

Apply the changes and then Restart Windows, please.

Let me know how this goes, after this change.  Let me know if the web browser ( Chrome or any other)  are running into any sort of I.P. blocks for odd-named-sites.

 

NOTES:  Please see/review this reference on MBAM's IP blocks
https://support.malwarebytes.org/customer/portal/articles/1835325?b_id=6438

 

I believe your browser just happens to hit some web pages that have some sort of affiliate advertising & whose "dns" references have been hijacked or are non-existent altogether.  Thus the IP block is triggered.

The IP block is actually protecting your machine.

It seems to me that there is no actual malware on your machine.   ( and later on, we can do a few different scans to also check on that).

Link to post
Share on other sites

I've done the steps you wanted me to do and changed the DNS to the screenshot in your reply.

 

However when I restarted Malwarebytes didn't open on start up and I had to manually open it, I would also like to add that I cannot add a task to Malwarebytes since I downloaded it some time ago when I switched to Windows 10 as it always crashes whenever I try to add any task as I would like to add realtime updates so I don't manually have to update it.

 

Plus Malwarebytes ANTI EXPLOIT didn't seem to open and gave a dialogue box saying something like it's been terminated, it does happen sometimes but as I am here asking for help, do you have any suggestions as to how to sort this out?

 

I just did the steps you asked me to, so will feed back on here if the random pop ups of those websites keep happening.

 

Also why do you call it an IP block? I don't quite get it, as I don't see how something  is being blocked as I can see the website sometimes, but not always the 2080 website as I think Malwarebytes does block that.

 

Thanks for your help and sorry for asking so many questions :P!

Link to post
Share on other sites

You mentioned several things.  And it seems that the Anti-Malware needs to be re-installed.  Likely the Anti-Exploit as well.

I will address one thing at a time.   ( there are other issues & questions you brought up;  we can cover later).

 

What I need to know for sure is "if" the 2080.hit.buy-targeted-traffic.com + file133desktop.info & adsparkmedia.net &others

are gone now ?  That is the original central "problem".

 

You mentioned some problems in the automated task scheduler.

The Anti-Malware requires a complete uninstall and reinstall of the program. We will use our mbam-repair tool to do so.

This tool will automate the process of running our dedicated Malwarebytes Anti-Malware uninstall tool, reinstalling Malwarebytes Anti-Malware and restoring your existing license. It will also run our diagnostic tool, mbam-check.

This must be run from a user account with administrator permissions.
There will be 2 restarts of your computer during this routine.
Please do not perform other functions while performing this repair.
An active internet connection is required.
Please attend your computer during this entire procedure.

Please download mbam-repair tool from this link and save it to your desktop.


RIGHT-click on mbam-repair.exe  and select Run as Administrator & reply YES and allow to run it.
Approve the UAC prompt  by clicking on Continue or Yes.

The tool will download additional Malwarebytes tools to be used in this repair routine.
Follow the prompt to press the Enter key when it is presented. The computer will restart.
After restart, the UAC prompt will appear. Approve it again by clicking Continue or Yes.
MBAM will be installed, and updated. The license will be restored.
Wait for the update to complete, and when prompted, press the Enter key again. The computer will restart.
Note: If pressing the Enter key does not restart the computer, this means the console window is not in focus. Click once inside the black mbam-repair window and then press Enter.

 

After the restart, the UAC prompt will appear again. Approve it again by clicking Continue or Yes.
mbam-repair will perform its post-installation checks.

Our diagnostic tool, mbam-check will be run. CheckResults.txt will be presented to the screen. Close that log file. It will be located on your desktop.
Once again, press the Enter key in the mbam-repair console window.
The repair is now complete.

Note:
The Malwarebytes Anti-Malware notification area icon will have a red triangle warning still. This should only be due to the need to run a scan. Please run a scan with MBAM and report your results from this repair routine.

If the issue is resolved, there's no need to send the CheckResults.txt log created by the tool.
If the issue is not resolved, please locate the CheckResults.txt log on your desktop and send it as an attachment.

 

Let me know after this part has been done.

Link to post
Share on other sites

You did not say which web browser is having the popup ""orion.zerohorizon.net and etc"".

If in a browser you should Reset the browser and close those rogue tabs as needed.

 

Please see and make use of the methods recommended by our page at this link
https://www.malwarebytes.org/restorebrowser/

 

IF the case is that your machine is getting messages about IP blocks from the malicious website protection, then please make that clear.

 

Let us please do a Custom Scan run like this.  Start the Anti-Malware program. Click Scan icon.
Then next please click the CUSTOM Scan.
Then take a bit of time and set the P U P option & the P U M option like shown on this image

post-2622-0-67684100-1444437380_thumb.pn

 

Making sure that each has "Treat detections as malware".

Make sure the *C* drive is selected.  Then press *Scan now*.

Then you "may" see a screen like this once the scanning phase has completed.  Titled *Threat Scan Results*.
Though typically if the P U P selection in the settings was "treat as malware" they should automatically remove and you would not see this, but instead see just a summary window.
 

 

post-2622-0-87994800-1444437470_thumb.pn

 

Kindly be real sure that each one of the P U P lines has a CHECK-mark in the checkbox.   as shown in this last image.
Then press the button marked Remove Selected.

After all is done. please attach the log-report file with your next  reply.

 

Thank you.

 

P.S.  By I.P. block messages I mean when you see messages like this one here

post-2622-0-85973200-1444437728_thumb.gi

Link to post
Share on other sites

Yes the tabs keep opening in chrome as per usual as it's my default browser and I always do close them when they open, the orion website isn't blocked by malwarebytes and neither are the others, well at least I do not get a pop up.

 

As for chrome itself, I have already uninstalled it completely with revo uninstaller using the advanced mode, where I deleted everything.

 

I also already have done a custom scan using the same options you've outlined in the task, but will do so now again and attach the log report in the next reply.

Link to post
Share on other sites

I need to ask for clarifications and ask to keep descriptions basic, simple, and on-point.

 

Are these still messages coming up about OUTBOUND I.P. blocks from the malicious website protection?

Like this image, for example

post-2622-0-27316700-1444493996_thumb.gi

 

OR is it just a popup tab appearing in the browser ?

 

We may need to resort to doing a real clean removal and "planned" re-install of Chrome.

 

In the meantime, can you just use another web browser?

 

One more thing:  Please confirm whether or not you have done my suggestion   ( post of 8:03 am Friday ) on resetting DNS servers in settings for TCP IP v4 .   ( I see that you confirmed that yesterday.   Thanks.)

Link to post
Share on other sites

I have done the DNS settings you required me to do already.

 

As to the pop ups, they are TABS that open up in chrome, "NOT" outbound or inbound IP blocks from Malwarebytes.

 

Sorry about any confusion on that, I will be running a custom scan as you mentioned in your previous reply soon as I was quite busy and needed my laptop's pretty tiny power :P

 

Please do tell me when "we may need to resort to doing a real clean removal and "planned" re-install of Chrome" as you said.

 

For now I will continue using Chrome as I don't really like any other browser, the tabs don't seem to be of any security risk as I am sure Malwarebytes would have caught onto that, I will just close them.

 

However one thing I'd like to point out is that, even if Chrome is closed and I have not opened it. The tabs that keep opening like the orion website and now ptp24.com/promote.php?id=fb9a9b909e237b49be76aaa30d95d33a and etc, appear even though Chrome isn't running. By running I mean in foreground, I do NOT go into task manager to close Chrome.

Link to post
Share on other sites

How can it be that those TABS open up and start chrome by themselves, even though previously I had closed Chrome? This is what made me question the fact that is this not some sort of malware, maybe adware that IS a threat to my laptop's security.

 

I would think something is running that periodically opens those TABS in Chrome regardless of it being closed or not as it is my default browser. That is why I do not see them opening in any of my other browsers like Firefox or IE or Edge- which I do not use.

Link to post
Share on other sites

It is highly advisable to do a completely new rebuild of Chrome as listed below.

 

You can keep the bookmarks by exporting them - http://support.google.com/chrome/bin/answer.py?hl=en&answer=96816


Follow instructions to remove all Google Sync data -
http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/


Now we need to uninstall Chrome

make sure to select the "Also delete your browsing data" tick box
https://support.google.com/chrome/answer/95319?hl=en-US

 

Now, take a couple of minutes, look on the Desktop.  If there are any shortcut links for Chrome there, delete them.

Then Restart Windows.

Re-install Chrome:
https://www.google.com/chrome/browser/desktop/


next, Install Adblock plus for Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb


After you have Chrome reinstalled please check things out and let me know how it is doing.
 

Link to post
Share on other sites

Sorry for late reply.

 

I have just deleted everything from Google Dashboard and also deleted Chrome and all registry's using Revo Uninstaller.

 

I am now running a custom scan as you outlined in Malwarebytes and will respond soon with the feedback with regards to the issue of tabs that kept opening in Chrome and the results of the scan.

 

Thank you for your help until now :)

Link to post
Share on other sites

mbam-log-2015-10-13 (16-49-04).xml

Unfortunately the tabs still keep opening even after what you told me to do.

 

However when I went to Google Dashboard, there was only a Reset Sync button which I clicked and then also uninstalled Chrome using Revo Uninstaller, but when I downloaded Chrome again, after logging into my Google Account somehow all my bookmarks and remembered data like emails when I went to log into Outlook were still there.

 

So maybe the pop ups keep appearing because of that. Is there a better method to deleting everything and starting from scratch?

 

I also did a scan, here are the logs.

protection-log-2015-10-13.xml

protection-log-2015-10-12.xml

mbam-log-2015-10-12 (16-28-58).xml

Link to post
Share on other sites

Hello Whylie.   Welcome to the forum.  I would urge you to not be doing any sort of registry trawling !!

You are new to the forum, so I have to make you aware that the forum rules do not allow someone ( such as yourself) {who is NOT the topic "starter" in this thread in this sub-forum}  other than the topic-original-starter to mix in and add their comments, etc.

So therefore, please if you need help, start your very own thread.

 

This thread is reserved just only for nayanwaghmare.

Thank you.

 

This  thread is only for  nayanwaghmare.

 

Link to post
Share on other sites

Hello Nayanwaghmare.

The Protection logs are all fine.  They are very normal.    And no, there is no need to change anything in Hosts file  ( not unless you had made some changes there on your own from before ).

 

So to recap the original issue you had had from the very beginning.  The messages about 2080.hit.buy-targeted-traffic.com   

file133desktop.info 

adsparkmedia.net

 

should be all gone now, right ?

That was the original issue _ messages about what seemed like adwares,  that were really all about non-existing or hijacked domains.

 

 

IF when you use the Google Chrome browser you are still getting weird random "pop ups", then either completely uninstall Chrome and switch to some other browser.

Or completely delete Chrome.  Reboot. Try to install Chrome.

or

backup all personal files, document and wipe ( erase) the system and rebuild Windows from scratch.

 

Before we resort to that, IF your machine is having pop ups, I have to have some fresh details about the how, the when, the what of it, along with perhaps a screen image capture.

 

Let's do this step and see if it helps.

Go to Start button > Select RUN > type in

CMD

and press  Enter-key

Copy and Paste or type the exact (entire) contents of Code box

ipconfig /flushdns

and press  Enter-key
Close Command prompt window
 

 

Link to post
Share on other sites
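The DNS steps suggested in this thread (point the TCP/IPv4 DNS setting at OpenDNS or Google, then flush the resolver cache) can be checked from an elevated PowerShell prompt. This is an added example, not part of the original posts: the function name `Test-DnsResolvers` is hypothetical, and the resolver addresses are the publicly documented OpenDNS and Google Public DNS addresses, not values read from the thread's screenshot.

```powershell
# Added example (not from the thread): audit the IPv4 DNS servers on every
# connected adapter and optionally reset them, then flush the DNS cache.
# Assumption: "trusted" means the public OpenDNS or Google resolvers.
$Trusted = @{
    OpenDNS = @('208.67.222.222', '208.67.220.220')
    Google  = @('8.8.8.8', '8.8.4.4')
}

function Test-DnsResolvers {    # hypothetical helper name
    param(
        [ValidateSet('OpenDNS', 'Google')]
        [string] $Provider = 'OpenDNS',
        [switch] $Fix           # changing settings needs an elevated prompt
    )

    $allowed  = @($Trusted.Values | ForEach-Object { $_ })
    $adapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
    $changed  = $false

    foreach ($nic in $adapters) {
        # Current IPv4 resolvers for this adapter (static or DHCP-supplied)
        $servers = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                        -AddressFamily IPv4).ServerAddresses)

        # Anything outside the chosen public resolvers, e.g. a router
        # address handed out by DHCP, is reported as unexpected.
        $unexpected  = @($servers | Where-Object { $_ -notin $allowed })
        $needsChange = ($servers.Count -eq 0) -or ($unexpected.Count -gt 0)

        if ($Fix -and $needsChange) {
            Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                -ServerAddresses $Trusted[$Provider]
            $changed = $true
        }

        [pscustomobject]@{
            Adapter    = $nic.Name
            Servers    = $servers -join ', '
            Unexpected = $unexpected -join ', '
            Reset      = [bool]($Fix -and $needsChange)
        }
    }

    # Same effect as "ipconfig /flushdns": drop cached lookups so the
    # new resolvers are used immediately.
    if ($changed) { Clear-DnsClientCache }
}

# Report only; add -Fix to apply the OpenDNS addresses.
Test-DnsResolvers | Format-Table -AutoSize
```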

Yes I still do get tabs opening in my Chrome browser. :(

 

I have just run the CMD command you asked me to and will reply back with feedback to whether the tabs continue to open or not.

 

And I have not edited any host files or anything, I am no expert in these things so wouldn't anyways without supervision.

 

Thank you.

Link to post
Share on other sites

Can you tell me specifically which browser this is on ?   Please always state that.
Also, list the website address ( URLs )  that you see.   At least some name, description, etc.....what is it that may seem common or appears always ?
May even get a screen image !

 

Then get fresh F R S T diagnostic reports.

Scan with FRST64

Right-click on FRST64 icon and select  Run as Administrator to start the tool.
 

post-2622-0-13351000-1445003724_thumb.pn

The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition and Shortcut options are checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.

post-2622-0-28921600-1445003703_thumb.jp


The tool will produce three logfiles on your desktop: _FRST.txt_ , _Addition.txt_ and _Shortcut.txt_ .

post-2622-0-70888400-1445003663_thumb.jp

 

 

Then also, one more log.   This one the latest protection log.

protection-log-2015-10-16.xml

 

 

Look in this folder on your system ( you may use Windows Explorer as needed)
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

 

Please attach the report  files to your next reply.
 

Edited by Maurice Naggar
Link to post
Share on other sites

This topic is now closed to further replies.