Malwarebytes blocking outbound n65adserv.com

[Rich54]

Malwarebytes is blocking the website below.   I cannot delete the file, properties description is Microsoft(C) Register Server.  This happens with all browsers and even when not using a browser. How do I remove this?

Domain: n65adserv.com

Outbound

IP: 74.117.177.139

Process: c:\Windows\sysWOW64\regserv32.exe

[kevinf80]

Hello Rich54 and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop: Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. at the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK. Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu. Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop. Change default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties" In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK" Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location..... Next, Follow the instructions in the following link to show hidden files: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs... Thank you, Kevin..

[Rich54]

I ran RogueKiller and AdwCleaner last night and they found and corrected some issues.  Malwarebytes ran later  that night and the scan was clean.  I have not see any more outbound IPs blocked by Malwarebytes. I wiii run Farbar  and post the files.

FRST.txt

Addition.txt

[kevinf80]

Hello Rich54 and welcome to Malwarebytes,

Do not see any evidence of Malware or infection in your logs. There is however evidence of a possible failing hard drive....

Quote

Error: (05/23/2017 10:20:35 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (05/23/2017 10:20:33 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (05/23/2017 10:20:29 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (05/23/2017 10:20:27 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (05/23/2017 10:20:19 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (05/23/2017 10:20:17 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (05/23/2017 10:18:21 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

Error: (05/23/2017 10:18:19 PM) (Source: disk) (EventID: 7) (User: )
Description: The device, \Device\Harddisk0\DR0, has a bad block.

There are also many minidump files indicating several system crashes..... Can you zip up and attach the following folder:

C:\Windows\minidump

Go to this link for information how to check the problem HDD... https://www.sysnative.com/forums/hardware-tutorials/4072-hard-drive-hdd-diagnostics-ssd-test.html

Thank you,

Kevin...

[Rich54]

I was having trouble with system restarts for a long time when I found that I only had 2G of memory.  This was causing the HDD to load and unload programs from what memory I had.  I have upgraded to 8G and this improved the system performance. no more crashes.

I don't have a zip program to send the minidump folder and I will check the HDD per the link.

Thanks

[kevinf80]

Windows 10 Pro has its own program to zip up files/foldes....  to zip up you will need to copy the folder first, paste to the Desktop. Right click on the copied folder. Select > Send to > Compressed (zipped) Folder.

[Rich54]

When I try to burn the SeaTools ISO to my CD-R drive with ImgBurn I get "no writers detected" for the destination.  My DVD drive will read a disk but will not detect a blank disk when I put one in. I found this out when I tried to make a set of recovery disks.  All of the software to reinstall windows 7 is on the HDD under another partition.  Looks like I will have to wait for the drive to fail and replace the machine.

[kevinf80]

Hiya Rich54,

Give the following a try :-

Click on Start > All Programs > Accessories:

Right-click on the Command Prompt entry

Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

CHKDSK C: /R

hit the Enter key.

You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot - hit the Y key, press Enter, and then reboot.

The CHKDSK may take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run use the following instructions to find the log:

Check Disk report:

• Press the WindowsKey + R on your keyboard at the same time. Type eventvwr into the run box and click OK.
• In the left panel, expand Windows Logs and then click on Application.
• Now, on the right side, click on Filter Current Log.
• Under Event Sources, check only Wininit and click OK.
• You mayl be presented with one or multiple Wininit logs.
• Click on an entry corresponding to the date and time of the disk check.
• On the top main menu, click Action > Copy > Copy Details as Text.
• Paste the contents into your next reply.
  

 

[Rich54]

I ran the " CHKDSK C: /R " twice and each time there were no wininit logs listed in the event viewer.

When running the scan I got the message "Scanning and repairing drive(c:): #%. The # would start a 1 and only go to 11 and stop counting, after about 1.5 hours it would say 100% complete.

[kevinf80]

Try option one at the following link to get chkdsk log..

https://www.tenforums.com/tutorials/40822-read-chkdsk-log-event-viewer-windows-10-a.html

[Rich54]

I was able to get the log file this time using the above link:

Log Name:      Application
Source:        Chkdsk
Date:          5/28/2017 11:11:27 AM
Event ID:      26228
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Richard-HP
Description:
Chkdsk was executed in verify mode on a volume snapshot.  

Checking file system on \Device\HarddiskVolume2
Insufficient storage available to create either the shadow copy storage file or other shadow copy data.

A snapshot error occured while scanning this drive. Run an offline scan and fix.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Chkdsk" />
    <EventID Qualifiers="0">26228</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-05-28T16:11:27.280598500Z" />
    <EventRecordID>47241</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Richard-HP</Computer>
    <Security />
  </System>
  <EventData>
    <Data>

Checking file system on \Device\HarddiskVolume2
Insufficient storage available to create either the shadow copy storage file or other shadow copy data.

A snapshot error occured while scanning this drive. Run an offline scan and fix.
</Data>
  </EventData>
</Event>

[kevinf80]

To run offline chkdsk command go here: http://www.thewindowsclub.com/run-system-file-checker-safe-mode-boot-time

To boot to offline command prompt go here: https://www.howtogeek.com/126016/three-ways-to-access-the-windows-8-boot-options-menu/

[Rich54]

These links are about system file checker, is that the  same as chkdsk?

[kevinf80]

Yes apologies, I give you incorrect links... Go to the following link and use step 4....

https://www.raymond.cc/blog/running-a-check-disk-with-an-easy-to-use-interface/

Thank you,

Kevin

[Rich54]

I ran chkdsk c:  attached is the report:

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          5/30/2017 8:33:16 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Richard-HP
Description:

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.                         

Stage 1: Examining basic file system structure ...
  503808 file records processed.                                                        

File verification completed.
  23050 large file records processed.                                   

  0 bad file records processed.                                     

Stage 2: Examining file name linkage ...
  621788 index entries processed.                                                       

Index verification completed.
  0 unindexed files scanned.                                        

  0 unindexed files recovered to lost and found.                    

Stage 3: Examining security descriptors ...
Cleaning up 14 unused index entries from index $SII of file 0x9.
Cleaning up 14 unused index entries from index $SDH of file 0x9.
Cleaning up 14 unused security descriptors.
Security descriptor verification completed.
  58991 data files processed.                                           

CHKDSK is verifying Usn Journal...
  40772008 USN bytes processed.                                                           

Usn Journal verification completed.

Windows has scanned the file system and found no problems.
No further action is required.

 473232383 KB total disk space.
 100369028 KB in 330242 files.
    216572 KB in 58992 indexes.
         4 KB in bad sectors.
    629463 KB in use by the system.
     65536 KB occupied by the log file.
 372017316 KB available on disk.

      4096 bytes in each allocation unit.
 118308095 total allocation units on disk.
  93004329 allocation units available on disk.

Internal Info:
00 b0 07 00 93 ef 05 00 ec 6e 0b 00 00 00 00 00  .........n......
b6 17 00 00 4c 00 00 00 00 00 00 00 00 00 00 00  ....L...........

Windows has finished checking your disk.
Please wait while your computer restarts.

 

[Rich54]

I also ran sfc/scannow and this was the report:

Windows Resource Protection found corrupt files but was unable to fix some
of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.

[kevinf80]

Can you boot normally and run sfc /scannow command from elevated command prompt.... The log will be available at the address you posted previously....

[Rich54]

I ran sfc/scannow on 05/31/2017 @ 3:45 am with the same results as before. I do not find the log file. Am I looking in the wrong place?

[Rich54]

I tried inserting a screen shot to my last message but that looks like it did not work.  I am attaching a word doc of the information.Log file.docxLog

[Annacaos]

I joined in this discussion thread a few days ago because I was getting the same problem.I tried following kevin80's instructions but when I ran the disk report it was coming up with nothing to report, i.e. 0.  I have looked at furhtre comments but it is all getting far too technical for my abilities so I will opt out from now on.  Hopefully the problem will get sorted or I will see an easier way to solve it.  Thanks for the suggestions and including me.

[kevinf80]

Hello Rich54,

Expand the following C:\ > Windows > Logs > CBS Inside the CBS folder you will find a text file "CBS.log"

[Rich54]

I just missed it, see attached file.

CBS.log

[kevinf80]

Apologies for late reply, what is happening with your PC now....

[Rich54]

After I ran RogueKiller and AdwCleaner  I have not see any more outbound IPs blocked by Malwarebytes.  The new memory corrected the slow performance and restarting issues.  I may need to start fresh with a clean install of windows 10 at a latter point in time if I need to burn a CD disk.

[kevinf80]

Thanks for the update Rich54, unless there are any remaining concerns run the following to clean up:

Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down: "Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked:   Remove disinfection tools <----- this will remove tools we have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful.... Answers to Common Security Questions and best Practices Do I need a Registry Cleaner? Take care and surf safe Kevin...