I got this notification last night. I ran Malwarebytes Premium and it didn't find anything; I also did a full scan with AV. I still have the feeling something is wrong.

Detection, 8/29/2016 10:41 PM, SYSTEM, DESKTOP, Protection, Malicious Website Protection, IP, 95.79.255.41, 49473, Outbound, C:\Windows\System32\svchost.exe,
Detection, 8/29/2016 10:41 PM, SYSTEM, DESKTOP, Protection, Malicious Website Protection, IP, 95.79.255.41, 49473, Outbound, C:\Windows\System32\svchost.exe,
Detection, 8/29/2016 10:41 PM, SYSTEM, DESKTOP-, Protection, Malicious Website Protection, IP, 103.205.135.42, 49473, Outbound, C:\Windows\System32\svchost.exe,
Detection, 8/29/2016 10:41 PM, SYSTEM, DESKTOP, Protection, Malicious Website Protection, IP, 103.205.135.42, 49473, Outbound, C:\Windows\System32\svchost.exe,

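As an added example, not code from this thread or from Malwarebytes: a small Python parser for detection lines in the format quoted above, which groups the blocks by remote address and by the process that made the connection. The field names and the triage heuristic are my own assumptions; the sample input is the four lines from the post.

```python
from collections import Counter

# Constructed sample input: the four Malicious Website Protection lines quoted
# in the post above, copied as posted (hostname field included as written).
SAMPLE_LOG = r"""
Detection, 8/29/2016 10:41 PM, SYSTEM, DESKTOP, Protection, Malicious Website Protection, IP, 95.79.255.41, 49473, Outbound, C:\Windows\System32\svchost.exe,
Detection, 8/29/2016 10:41 PM, SYSTEM, DESKTOP, Protection, Malicious Website Protection, IP, 95.79.255.41, 49473, Outbound, C:\Windows\System32\svchost.exe,
Detection, 8/29/2016 10:41 PM, SYSTEM, DESKTOP-, Protection, Malicious Website Protection, IP, 103.205.135.42, 49473, Outbound, C:\Windows\System32\svchost.exe,
Detection, 8/29/2016 10:41 PM, SYSTEM, DESKTOP, Protection, Malicious Website Protection, IP, 103.205.135.42, 49473, Outbound, C:\Windows\System32\svchost.exe,
"""

# Field names are my own labels for the positions seen above, not Malwarebytes' names.
FIELDS = ("kind", "timestamp", "user", "host", "category", "module",
          "target_type", "address", "port", "direction", "process")

def parse_detection(line):
    """Parse one detection line into a dict, or return None for blank lines
    and for lines that are not Malicious Website Protection IP blocks."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["kind"] != "Detection" or rec["module"] != "Malicious Website Protection":
        return None
    rec["port"] = int(rec["port"])
    return rec

def summarize(text):
    """Count blocks per remote address and per (process, direction), so it is
    easy to see whether one program or several are behind the alerts."""
    records = [r for r in map(parse_detection, text.splitlines()) if r]
    return {
        "total": len(records),
        "by_address": dict(Counter(r["address"] for r in records)),
        "by_process": dict(Counter((r["process"].lower(), r["direction"])
                                   for r in records)),
    }

def triage_notes(summary):
    """My own heuristic, not Malwarebytes guidance: inbound blocks, or blocks from
    a binary outside the Windows directory, deserve a closer look than outbound
    blocks from svchost.exe, which the helper here attributes to malvertising."""
    notes = []
    for (process, direction), n in summary["by_process"].items():
        if direction != "Outbound":
            notes.append(f"{n} {direction} block(s) via {process}: review")
        elif not process.startswith("c:\\windows\\"):
            notes.append(f"{n} block(s) from non-Windows binary {process}: review")
    return notes
```

Running summarize(SAMPLE_LOG) on the posted lines yields four blocks, two per address, all outbound from svchost.exe, so triage_notes returns nothing to flag.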

Hello,

I will be guiding you as we go forward.  I do need to see diagnostic information from this system.
I would like to ask that you always attach any report or file I ask for, from time to time.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed, please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just always attach files / reports.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable, it is unlikely, but things can go wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen / flash drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous; please be patient. Often we are also in a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • As we go along, from time to time, Windows User Account Control (UAC) will prompt whether to allow a tool or procedure to proceed forward. Approve the Windows UAC prompt by clicking on Continue or Yes.



When we are done, I'll give you instructions on how to clean up all the tools and logs
Please stick with me until I give you the "all clear", and please don't waste my time by leaving before that.
Your topic will be closed if you haven't replied within 3 days.

Please download Farbar Recovery Scan Tool and save it to your desktop.

You may wind up needing to temporarily turn off your antivirus program IF it interferes with the diagnostic tool-reports listed below.

Right-click on the *FRST* icon and select *Run as Administrator* to start the tool, and reply *YES* to allow it to proceed and run.
_Windows 8 or 10 users will be prompted about Windows *SmartScreen protection* - click *More info* on that screen and click the *Run anyway* button on the next screen._
Click YES when prompted by the Windows UAC prompt to allow it to run.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt).
Please attach FRST.txt & Addition.txt along with your next reply.

F.Y.I.
The IP block messages are from our malicious website protection. That is protecting your PC.
Please see/review these references on MBAM’s IP blocks
https://support.malwarebytes.org/customer/portal/articles/1835325?b_id=6438

Malicious code from Ad networks might be present in pop-ups or advertisement banners. When the banners attempt to load or the pop-up attempts to navigate to the malicious website, we block it before it has a chance to cause any damage to your system.
https://blog.malwarebytes.com/malwarebytes-news/2013/05/oh-the-sites-you-will-never-see/
 


Thanks for the reports. I do not see an obvious sign of an infection. The IP block may very well be due to some malvertising on some website when surfing the web.
I would like for you to do the following.

First, make sure to save any open work files (if any are in use) before you do what follows.
Then RESTART Windows from the Start menu.

Wait for it to reload normally.
If you get stuck on any step, just move on to the next step.

Disable your AntiVirus and AntiSpyware applications (Not Malwarebytes) "if possible", usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link :
http://forums.whatthetech.com/index.php?showtopic=96260


Step 1:

Potentially Unwanted Programs (PUPs)
Adware can be a very real nuisance and very difficult to remove.
While we do identify and remove some adware variants, our main focus is on malware, so there are many adware variants that we do not target (mostly for legal reasons, as they do have an EULA and an opt-out feature in most cases).

You will need to modify your MBAM settings, if you haven't already, and want them checked for removal.  By default it will scan them but will not mark them for removal.

Please open Malwarebytes.
 
Click the Settings Tab

Click the Detections and Protection Tab
"check" Scan for RootKits.
"check" Use Advanced Heuristics

Non-Malware Protection
Change the Action for (PUP) and (PUM) to treat Detections as Malware

Run a new "Threat" scan and "quarantine" / "Remove" whatever is found.

Click on the "History" tab > "Application Logs".
Double click on the scan log which shows the Date and time of the last SCAN performed. Please make sure the word SCAN is shown and also that you grab the very latest date, the most recent Scan run.
You can double click the line to get it on screen. Then use the menu at bottom of the window.

Click the EXPORT button at the bottom left.
Click "TEXT file"

Be very aware as to what folder and what NAME you give this report.  You have to make a note so you can send it.

Then attach that file with your next reply.


Step 2:

This is a two step process.

First run you use "Scan"
Second run you use "Clean"

Please download "AdwCleaner" from here: You should see a Green Tab to click to download
http://forums.whatthetech.com/index.php?autocom=downloads&showfile=55
or
https://toolslib.net/downloads/viewdownload/1-adwcleaner/



Note: You can skip the install of the: Hosts Anti-PUP/Adware if asked

Double click on AdwCleaner.exe to run the tool.
Click the "Options" menu heading on the menu bar and "uncheck" "Reset Winsock Settings"

Click on the "Scan" Button. Please do have lots of patience while it scans & do wait for it to finish that phase.
    
Once the "Scan" part has completed,  you will be able to see & then  "click"  the "Clean" button

This tool might remove add-ons that you added by choice like Ask Toolbar.
Please uncheck / untick any items you don't want to remove.
The contents of the Results section may appear confusing or as gibberish.
Unless you see a program name that you know should not be removed, please continue with the next step.


Click the "Clean" Button.
It will require a reboot, so please be sure to close any other open programs first.
A text file will open after the restart.
Please attach that log file in your reply.
You can find the log file AdwCleaner[Co].txt ('o' is the scan run number).    
The folder where it is stored is one of these: C:\Program Files (x86)\AdwCleaner on 64-bit systems, or C:\Program Files\AdwCleaner on 32-bit Windows.



Attach the AdwCleaner report files in your next reply.

Please save using the default Notepad format,
DO NOT USE WORD or any other office type of software.
DO NOT COPY & PASTE the log, send it as an attachment.
Reply to THIS ticket, DO NOT create a new one.

Please be sure you turn back on your antivirus program.


Also let me know how it's running now.

We can wrap up this case.

The following procedures will implement some cleanup procedures to remove the tools I had you use.

To clean-up after some tools we used, Download Delfix from
https://toolslib.net/downloads/finish/2/
and save it to your desktop.

Ensure **Remove disinfection tools** is checked.
Click the **Run** button.
Reboot

Any other programs or logs that are still remaining, you can manually delete.

The two runs are good. I am glad to hear that the IP blocks are gone. What follows are some added safety measures to beef up your web browsers.

Go into the Options (settings) of Internet Explorer (and any other web browser you have).
Make sure that the POPUP blocker is ON.
Set the option on for rejecting (decline) 3rd-party cookies.

And in addition to all that:
Use a good browser extension (add-on) ad blocker. If your PC has no ad blocker add-on for your browser(s), I would suggest uBlock Origin.
For Mozilla Firefox, use the Mozilla page at this link
https://addons.mozilla.org/addon/ublock-origin/

For Google Chrome, see
https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm

For Internet Explorer browser:
https://adblockplus.org/en/internet-explorer

For Opera browser, see
https://addons.opera.com/en-gb/extensions/details/ublock/

*ALSO this too*
To help totally block these types of "popups", I would recommend *only using the Firefox browser*, which also has the add-on *NoScript Suite Lite*, and only using that when surfing the web.
Tips and how to's for Noscript suite are on this page link
http://mybrowseraddon.com/noscript-lite.html

We have a free version Malwarebytes Anti-Exploit (MBAE) that protects against exploit attacks in your browsers and Java, and a paid version that also protects additional applications such as MS Office.
https://downloads.malwarebytes.org/file/mbae_current/

I would recommend you install the Anti-Exploit in free use mode (that is, if you do not have it from before).

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
