I keep getting a notification about this website called winswr being blocked


The website is 4.winsrw.com, this and what seem to be variations of this site. I spent about an hour removing malware using various tools including AdwCleaner and the Malwarebytes Junkware Removal Tool. I later repeated the process to see if there was any malware, but all scans found nothing. However, I keep getting a pop-up of this site being blocked. Please help, I'm freaking out here.

Edited by zarathos96
Autocorrect messed up the title

Here are the logs you requested. I feel like I should include some backstory to the issue. I have been running various malware removal software and tools for the last 2 days, with the most recent being RogueKiller. Generally after everything is done I'd run Malwarebytes again and find that no malware has been detected. However, after some time I would keep getting the notification of a website being blocked and it would be continuous, sometimes every minute even. I would then repeat the process of removing the malware only for the whole thing to repeat itself. I even found some applications and folders in various places in my C drive such as opjtics and anonymizergadget which I later deleted, though I have noticed some of them reappearing in other folders. After I used RogueKiller I haven't been getting the notification for website blocked; however, I did find some suspicious folders which I deleted. To be honest I don't know if there are any more such folders left. Last thing, most of the time when I run RogueKiller I would get PUP.dns in the scans and more trojans.

P.S. Sorry for the long post, but I hope this helps in your process. I'm pretty sure that there is some program or trojan or something which is constantly downloading this malware onto my computer.

Addition_16-01-2017 20.36.48.txt

FRST_16-01-2017 20.36.48.txt

CheckResults.txt


3 hours ago, AdvancedSetup said:

Hello @zarathos96 and :welcome:

Please read the following and post back the 3 requested logs as an attachment and we'll see if we can see what's going on and get you fixed up.

Diagnostic Logs

Thanks

Just an update, I suddenly got a notification from Malwarebytes that it blocked access to a website called openyes. The location seems to be from the system folder in my C drive. So far I wasn't having any problems, but now I'm sure that there is some malware in my computer which keeps downloading these applications to bring in even more malware. Should I redo the 3 logs and attach them here again?


  • Root Admin

Your computer is actually having a bigger problem. It's not loading your user profile which could be due for a few reasons including a corrupt profile. You may need to create a new user profile and copy your data to the new profile.

Application errors:
==================
Error: (01/16/2017 06:35:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: DESKTOP-LORQSB3)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (01/16/2017 06:35:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: DESKTOP-LORQSB3)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

Error: (01/16/2017 06:35:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: DESKTOP-LORQSB3)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. 

 DETAIL - The process cannot access the file because it is being used by another process.

Error: (01/16/2017 06:35:26 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights. 

 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\Zawaad\ntuser.dat

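An added diagnostic for the profile errors quoted above (example code written for this page, not something AdvancedSetup posted): it pulls the same User Profile Service events from the Application log and then lists the ProfileList registry entries, flagging a stale `.bak` key or a profile path under TEMP, which are the usual traces a failed profile load leaves behind. It assumes an elevated PowerShell prompt on Windows 10.

```powershell
# Added example, not from the thread. Assumptions: elevated PowerShell prompt on
# Windows 10; the ".bak"/TEMP checks are the usual traces of a profile that
# failed to load, not something the FRST log itself states.

# The same User Profile Service errors FRST quoted: 1502, 1508, 1511, 1515.
$profileErrors = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Id           = 1502, 1508, 1511, 1515
} -MaxEvents 20 -ErrorAction SilentlyContinue

$profileErrors |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } } |
    Format-Table -AutoSize

# ProfileList maps each SID to its profile folder. When Windows cannot load a
# profile it typically renames that SID key to "<SID>.bak" and logs the user on
# with a fresh key pointing at C:\Users\TEMP; both rows show up here.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    $flag = if ($_.PSChildName -like '*.bak') { 'stale .bak key' }
            elseif ("$path" -like '*\TEMP*') { 'temporary profile' }
            else { '' }
    [pscustomobject]@{ Key = $_.PSChildName; Profile = $path; Flag = $flag }
} | Format-Table -AutoSize
```

If a `.bak` key and a TEMP entry both appear for the same user, the log lines above and this listing describe the same condition: Windows could not open that user's ntuser.dat and fell back to a temporary profile.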

  • Root Admin


Please click on the "Search the web and Windows" box.


Then type in CMD.EXE and when it shows on the start menu right click and select "Run as administrator"

In the command prompt please type the following exactly.

CHKDSK  C:  /R

This will tell Windows to run a full disk check, however you'll get the following, telling you it cannot run because it's in use.

Press the Y key to tell it to run on the next restart of the computer.


Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>CHKDSK C: /R
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process.  Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N)


Then restart the computer and let it run.
Then find and copy the disk check entry from the Event Logs and paste back the results here.

How to Read Event Viewer Log for Chkdsk (Check Disk) in Windows 10

Edited by AdvancedSetup

  • Root Admin

You've already run most of these tools, but let me have you run through them again to see what, if anything, they come up with.

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

Next, reboot the computer and run these steps.

 

Please restart the computer first and then run the following steps and post back the logs when ready. The steps may have changed some but in general should be similar enough to use, but if you have questions please let me know.  Temporarily disable your antivirus while running these scans, then when done make sure you re-enable your antivirus.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

Fix with AdwCleaner

 

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


  • Root Admin

Yes, that's what I posted in post #8 and why we tried running a full disk check to see if we could fix it but it looks like your user profile is corrupt and you'll need to create a new user profile and copy your data to that new profile.

Please try one of these fixes.

https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/problem-with-start-menu-sound-search-and-network/f633e0f3-d029-4b7a-b29f-955c751ddabd

https://support.microsoft.com/en-us/help/12385/windows-10-troubleshoot-problems-opening-start-menu-cortana

 


14 hours ago, AdvancedSetup said:

Yes, that's what I posted in post #8 and why we tried running a full disk check to see if we could fix it but it looks like your user profile is corrupt and you'll need to create a new user profile and copy your data to that new profile.

Please try one of these fixes.

https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/problem-with-start-menu-sound-search-and-network/f633e0f3-d029-4b7a-b29f-955c751ddabd

https://support.microsoft.com/en-us/help/12385/windows-10-troubleshoot-problems-opening-start-menu-cortana

 

Looks like my user profile is corrupted after all. I tried the methods listed in the links except for completely resetting Windows, and none of them worked. When I tried making a second user profile, everything worked normally in that one (the search bar, Edge, etc.). Do you think doing a factory reset on my Windows would be viable? As in, would it fix my corrupted files and also remove whatever malware I might have? If there is any, that is.


6 hours ago, AdvancedSetup said:

The computer may not be infected. It could simply be that your profile was corrupted. Once all is working well on your profile, try uninstalling and reinstalling Malwarebytes and then do a Threat Scan and post back that log please.

Thanks again

Ron

 

Please hear me out... PowerShell is trying to connect to openyes.info, though luckily it was stopped by Malwarebytes. The threat scan isn't finding any malware though. I've attached the reports for openyes and the Malwarebytes scan report as well. I haven't yet fixed the problem with the corrupted user profile; I will do that this Friday by doing a factory reset of my computer, as I still need to use my computer till Friday for school work. The issue with PowerShell however is still very concerning. Will it be resolved with the factory reset, or are there any steps that I should take now?

I am really sorry for bothering you so much like this as I know you are helping out tons of people at once. Thank you for bearing with me.

MalwareBytes Report.txt

Openyes report2.txt

Openyes report3.txt

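As an added example (not from the thread and not a tool the helper recommended), one way to find what keeps launching PowerShell after Malwarebytes blocks its connection: list the autostart locations that can carry a PowerShell command line, namely scheduled task actions, Run/RunOnce keys, WMI event consumers and the Startup folders, so each hit can be reviewed and removed. The key list and the match pattern are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: enumerate autostart locations that can
# carry a PowerShell command line. Assumptions: elevated prompt, Windows 10,
# and that a match on the executable name is enough to flag an entry for review.
$pattern = 'powershell|pwsh'
$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($where, $command) {
    $hits.Add([pscustomobject]@{ Where = $where; Command = "$command" })
}

# 1. Scheduled tasks: check every action's executable and arguments.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) { Add-Hit "Task $($task.TaskPath)$($task.TaskName)" $cmd }
    }
}

# 2. Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item $key
    foreach ($name in $reg.GetValueNames()) {
        $value = $reg.GetValue($name)
        if ("$value" -match $pattern) { Add-Hit "$key\$name" $value }
    }
}

# 3. WMI permanent event subscriptions: a fileless spot file scanners do not see.
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLineTemplate -match $pattern } |
    ForEach-Object { Add-Hit "WMI consumer $($_.Name)" $_.CommandLineTemplate }

# 4. Startup folders: any file here runs at logon, whatever it is named.
foreach ($folder in 'Startup', 'CommonStartup') {
    Get-ChildItem ([Environment]::GetFolderPath($folder)) -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'Startup folder' $_.FullName }
}

$hits | Format-Table -AutoSize -Wrap
```

Anything listed that you did not set up yourself is worth pasting into the thread before removing it, since the Malwarebytes block report only shows the process, not the entry that started it.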

  • Root Admin

The computer reset should stop all of that.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.
Scroll down until you see the reset sync button and click on the button
At the prompt click on Ok.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome and restart it and check it out for me please


  • Root Admin

If you've reset it's good for now. I'll go ahead and close up the topic for you now.

As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

 


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.