Jump to content

Recommended Posts

My wife's computer has been flashing lots of "Website blocked" notifications.  She notified me yesterday, and looking at the logs, it's been happening since at least early January.  The most recent notifications are associated with this IP address:  109.163.233.98:0.  I ran scans on both Malwarebytes Premium 3.0.6 and Windows Defender (for Win10) and neither identified a threat.  However, I'm concerned with the number and frequency of these suspicious outbound connections.

What should my next steps be?

Link to post
Share on other sites

Hello and :welcome:

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. button.

    x5o4gh.png

  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.

  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Link to post
Share on other sites

adwcleaner_new.png Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

Link to post
Share on other sites

Here's the logfile text:

# AdwCleaner v6.044 - Logfile created 19/03/2017 at 15:55:15
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-19.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Marinator - MARINATOR-PC
# Running from : C:\Users\Marinator\Desktop\AdwCleaner\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

[-] Service deleted: CouponPrinterService


***** [ Folders ] *****

[-] Folder deleted: C:\ProgramData\apn
[#] Folder deleted on reboot: C:\ProgramData\Application Data\apn
[-] Folder deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
[-] Folder deleted: C:\Program Files (x86)\Coupons
[-] Folder deleted: C:\Users\MARINA~1\AppData\Local\Temp\apn


***** [ Files ] *****

[-] File deleted: C:\Users\Marinator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_aaaajpkhjdkhhnkmgfjodbkfpbmibkkk_0.localstorage
[-] File deleted: C:\Users\Marinator\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_aaaajpkhjdkhhnkmgfjodbkfpbmibkkk_0.localstorage-journal


***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[#] Key deleted on reboot: HKLM\SYSTEM\CurrentControlSet\services\couponprinterservice
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKU\S-1-5-21-3942034044-2590892135-3406517305-1000\Software\APN PIP
[#] Key deleted on reboot: HKCU\Software\APN PIP
[#] Key deleted on reboot: [x64] HKCU\Software\APN PIP
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8036C72171EF4ba46856BF57969F6A36
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\89BB7852687BDC34B9A81E01C7FF9173
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CBC85D72B148084ABE8C2F072F781F4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CC5A38A64D6098468BC8395BA0EFF03
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8DF9A1AC557F56c49B56F6B83E293C15
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A97C590397DCC454AA8923563BAB10E4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B08932C78B697C244BE7BA3E6FF09B62
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D14A7F65792054F418578C78367D13F7
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DFE9F0BD163D827438CB6AD6B100EC48
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F739A19A8327dc64C9A8B641A9E89646
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\158D6D9E3FE81fa428925F22ACB3A965
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\15E6C514FEFC09f45BAFAAE1D7546ED4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DB42320A8525634AA089F0BEC86473B
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\22468B0D6050b2e46B9C4B67A8F59577
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2251BF05A2F606d43BB064BD63CBD87E
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3255D95681398614190EDF0A4F3F77DB
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3CDF313E9B28c944FBC7579CF4949414
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\71E54748EDD3dc1468548785DC856EDA
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\754590DD06DE8d249B526503432F99D4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\98FD652EB4839214E97B69DD8EEA1D29
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [ApnTBMon]
[-] Value deleted: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce [Application Restart #1]
[#] Value deleted on reboot: [x64] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce [Application Restart #1]


***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [6349 Bytes] - [19/03/2017 15:55:15]
C:\AdwCleaner\AdwCleaner[S0].txt - [6321 Bytes] - [19/03/2017 15:51:10]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [6495 Bytes] ##########
 

Link to post
Share on other sites

Do you have Private Internet Access installed by any chance?  I used to get these a lot, and traced it to something PIA does.  They eventually went away, and had been gone for months until Malwarebytes updated Sunday.  Now I'm seeing them again. 

Cheers,

Rusty

 

 

Link to post
Share on other sites

Thanks for the confirmations.   If we don't want to create an exclusion, is there any way to continue blocking a particular IP, but NOT generate a pop-up when it does?  Basically an exclusion for the pop-up.   Normally I'd want to see the pop-up, but not for a nuisance IP that we expect. 

The other question would be for PIA I guess. I wonder if they can let us turn off that particular server. 

Thanks,

Rusty (popping up warnings as I type...)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.