Repeated Malicious Website Blocked Notifications

[Brett]

Hello,

It seems my PC may be infected by something.  I'm getting repeated notifications that a malicious website has been blocked.  They occur roughly every 3 minutes, twice, back to back, always from the same IP address --- 146.185.239.95.  They're occurring without internet explorer being open.  I've attached my frst & addition txt files as well as the mbam protection & scan txt files. 

Unfortunately, I ran temporary file cleaners prior to visiting the mbam support site, my mistake.  I appreciate any assistance that can be given. 

FRST.txt

Addition.txt

mbam protection log.txt

mbam scan log.txt

[Brett]

Update -  it seems the malicious website blocking notifications have stopped.  The last instance of it in my MBAM protection log shows 3:53 pm EDT, 6/1.  They had been popping up every 3 to 5 minutes starting from 12:15 am EDT, 6/1.  

I did run adwcleaner around 1 pm, using its default settings.  It found (1) file & (7) registry keys, which are currently quarantined, but it had no obvious effect on the malicious website blocking notifications. 

Since nothing was done on my end to make them cease, I'm curious if they've actually stopped or if MBAM is just no longer seeing the inbound attacks.

[AdvancedSetup]

Hello and

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

• Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
• If the log is too large then you can use attachments by clicking on the More Reply Options button.
• Please enable your system to show hidden files: How to see hidden files in Windows
• Make sure you're subscribed to this topic:
• Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
• Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
• Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
• The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
• You can check here if you're not sure if your computer is 32-bit or 64-bit
• Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
• When we are done, I'll give you instructions on how to cleanup all the tools and logs
• Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
• Your topic will be closed if you haven't replied within 3 days
• (If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 01
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1 | Link 2

• On Windows XP double-click on the Rkill desktop icon to run the tool.
• On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• If the tool does not run from any of the links provided, please let me know.
• Do not reboot the computer, you will need to run the application again.

STEP 02
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from one of the following links: Link1 | Link2 | Link3
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup.
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
• Make sure that at least the first two check boxes are selected.
• Click on OK
• Then click on YES to create the folder.
• Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 03
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

[Brett]

Hello AdvancedSetup,

Thank you for taking the time to help me out.  The requested scans are attached.

Rkill 060316 0146.txt

mbam scan 060316 0153.txt

[AdvancedSetup]

Thanks, Please go ahead and run through the following steps and post back the logs when ready.

STEP 04
Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus

STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista / Windows 7/8 users right-click and select Run As Administrator
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Please uncheck elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you may want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
• If you're ready to clean it all up.....click the Clean button.
• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted:
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

STEP 06


Please go here to run the online antivirus scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• If any threats were found, click the 'List of found threats' , then click Export to text file....
• Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

[Brett]

Hello Ron,

Please find attached the requested JRT and AdwCleaner scan logs.  The ESET scan is still running after 2 hours and just under halfway complete (per the scan progress bar).  The current scan result states that no threats have been found thus far.  Unfortunately, I'm leaving for vacation around 5 pm EDT today and won't be returning until next Saturday (6/11).  I won't be able to continue with the scans until I return.  If the ESET scan should finish before it's time for me to leave, I'll be sure to send it to you, as well as the FRST scan (the FRST scan takes only a minute or so to complete).  Otherwise, with your permission, I'll send you the completed scans upon my return. 

Out of curiosity, do my recent logs seem to indicate that any malicious activity is present on my PC?

I'll have my phone with me, so I'll be able to check my email for your reply.

Thank you for your continued assistance!  -------------- Brett

JRT 060316 1230.txt

AdwCleaner[S3] 060316 1253.txt

[AdvancedSetup]

So far just minor stuff. You need to tell AdwCleaner to remove what it found though. The log you uploaded is just a scan log not a clean log.

If the IP blocks are still happening then we'll need to verify if they're outgoing or incoming and look a bit deeper into the FRST logs

Thanks and have a good vacation. See you when you get back

Ron

 

[Brett]

That's great news! Sorry about the wrong adwcleaner log. I did have it remove the items it found.  They're currently in the quarantine folder.  I'll send the clean log too when I get back.

As for the IP blocks, they stopped on 6/1 in the late afternoon after occurring for about 17 hrs every 3-5 minutes.  They were all inbound blocks except for 2 outbound blocks that occurred about the same time the inbound started. All blocks were from the same IP address.

I did see that the ESET scan had found 3 threats. However, since it was still in progress, I couldn't see what they were.  I allowed it to continue to run, but I re-enabled my Norton's auto-protect as well as MBAM before I left.  So, the scan may not be accurate.

I look forward to continuing the search when I return.  Talk to you then.

Best regards ---------- Brett

 

 

[AdvancedSetup]

Just a reply to keep the topic on top while awaiting your return

 

[Brett]

Hello Ron,

I'm finally back home and back to my computer. 

It looks like the ESET online scanner froze up in my absence.  Its window was still up on my screen, but was blank and unresponsive.  I searched for its log file on my computer, but couldn't find the manufacturer's referenced ESET folder under program files (x86).  As such, I had to restart my computer and begin a new scan.  The new scan window states that the last scan took just over 4.5 hours to complete, so it seems the previous scan was successful.  I'll post new scan's results once it has finished. 

As promised, I've attached the AdwCleaner clean log file for your review.

AdwCleaner[C2] 060316 1254.txt

[Brett]

Hello Ron,

The ESET online scanner was again unresponsive upon completion.  Like before, its window was all white except for the minimize and close buttons in the top right corner. I had to close the window via task manager.  On a positive note, I was able to find the scan's log file in C:\Users\Brett\AppData\Local\Temp, which I've attached.  I see it lists (3) files as potential threats.  They're associated with an mp3 file splitter program that I haven't used in a long time, so I've uninstalled it.

Also attached are the FRST and Addition log files.  Thankfully, its scan finished without any trouble.

Let me know if you need anything else.

Thank You, Brett

FRST 061216 2228.txt

Addition 061216 2229.txt

ESET log 061216 2205.txt

[AdvancedSetup]

STEP 1

Your Event Logs are showing a repeated error for the Volume Shadow Copy service. You need to get this fixed to ensure backups and proper data management is working on Windows.

Quote

Application errors:
==================
Error: (06/12/2016 05:16:00 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {67f28155-4fc1-41c6-a9b8-83e1095df175}

Error: (06/11/2016 05:11:42 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

 

Here are a couple links for a possible fix.

https://www.terabyteunlimited.com/kb/article.php?id=563

http://www.terabyteunlimited.com/kb/article.php?id=461

https://technet.microsoft.com/en-us/library/cc734235(v=ws.10).aspx

Unlikely your issue but I'll include it anyways just as a remote outside chance.

http://superuser.com/questions/154622/problems-with-volume-shadow-copy-on-windows-7

More than likely it's just a COM permissions error or some backup type software overwrote the chain.

An interesting possible fix from Acronis.

https://kb.acronis.com/content/53792

I wonder if possibly it's connected to Norton Ghost? If so a possible reinstall may fix.

HKLM-x32\...\Run: [Norton Ghost 15.0] => C:\Program Files (x86)\Norton Ghost\Agent\VProTray.exe [2598760 2010-03-03] (Symantec Corporation)

 

STEP 2

On another note. Based on the logs I see you have software installed from iObits. This is old information but I'll post and let you decide.

The company behind this product was found to be stealing the MBAM database.
Personally I would not trust installing any software from a company that resorts to stealing someone's technology to sell their product.
Please see the following links and make up your own mind if you want to keep this on your system. If needed, your malware helper can help you remove it.

• IOBit Steals Malwarebytes' Intellectual Property
• IOBit's Denial of Theft Unconvincing
• IOBit Theft Conclusion
• IObit: Trusting Your Antivirus Vendor
• Malwarebytes: IObit Stole Our Signatures Database
• IObit accused of stealing from Malwarebytes
• IOBit sucks at ethics
  

 

STEP 3

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 

 

 

[Brett]

Hello Ron,

Attached is the fixlog.txt

I've followed your advice by removing the iOBits Uninstaller program.  I was unaware of their shady actions.

Regarding the VSS errors, I went through all of the suggestions you provided.  I implemented the suggestion provided here: https://www.terabyteunlimited.com/kb/article.php?id=563.  I also changed the Volume Shadow Copy service's startup type from manual to automatic as one suggestion stated to start the service if it was off.  I found it to be off, so I started it manually.  However, after a reboot, it was back off again.  Since changing it to automatic start, it starts automatically after a reboot.  Is setting it to automatic startup recommended?

I looked into the, the Acronis suggestion, but it unfortunately didn't apply.  My Locale setting was already set to "English (United States)". 

I'll keep an eye on the event viewer to see if I continue to receive VSS errors.  If errors continue, I'll then try reinstalling Norton Ghost 15.

Thanks again for the continued assistance!

Fixlog.txt

[AdvancedSetup]

All looks pretty good now.

Are there still any signs of an infection or other issues then before we close up here?

 

 

[Brett]

Nope, it seems the issues have been taken care of.  Is there anything special I need to do to remove the various scanners I've downloaded/installed?

[AdvancedSetup]

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
 
Download Delfix from here and save it to your desktop. (you may already have this)

• Ensure Remove disinfection tools is checked.
• Click the Run button.
• Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.

 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP

As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

• How Malware Spreads - How did I get infected
• Best Practices for Safe Computing - Prevention of Malware Infection
• Avoiding those unwanted free applications
• A close look at how Oracle installs deceptive software with Java updates
• IAC / Ask.com toolbars
• Malwarebytes Unpacked Blog

If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

 

[Brett]

Thank you for your help Ron.  I'm taking it that MBAM did its job by blocking the incoming probes.  However, I greatly appreciate you taking the time to guide me in making sure my computer wasn't infected, as well as tidying things up.  Also, it looks like your suggestions for the Volume Shadow Copy errors have worked, as I have yet to see any additional errors in the event viewer since making the changes.

Thanks again, Brett

[AdvancedSetup]

You're quite welcome. Glad all is working better now overall. Take care and stay safe out there.

Ron

 

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!