Continuous Website Blocked Reports


Over about the past two months, I was using another anti-virus software before switching it to MWB - I was using AVG, and getting constant "website blocked" popups from them. I formatted my computer and continued to get the popups. I went through their support system, and they had to remotely control my computer and only uninstalled and reinstalled their program and Google Chrome, deleted all my extensions, and that was it. I then uninstalled both and reinstalled them myself so I could uncheck all the extra options that they left on during the installation process: this did not solve my "issue".

Recently I switched to MWB in an attempt to solve whatever my "issue" is. Since then, MWB has had numerous "website blocked" notifications with logs from many different IP addresses, websites and ports, even when I'm not browsing any website (but have had Chrome open with several tabs). This is coming from Chrome most of the time, and Skype sometimes:

This has happened with Google Chrome open in both normal and incognito mode. This has happened while playing video games on my machine. This has happened while talking with people via text on Skype. I recognize one of the websites it listed as an outbound connection because I had this problem before, but I do not remember how I solved it.

I do not always get the "website blocked" notifications. MWB shows 2-4, then stops, but I go into the log reports and there's anywhere from 5 - 15 happening at the same time and date. It deleted a program that I had and removed, Advanced SystemCare Ultimate, as a "PUP" that I used for years but now got rid of. I did several scans over the past few days to completely remove it, and it's no longer on my computer as far as I can tell, but I am still getting these website blocked notifications.

What are these notifications? Are they false (I do not think they are, but...)? How do I "fix" this?

MWB Threat Log.txt

Addition.txt

FRST.txt

Hello Gorlassar and welcome to Malwarebytes,

Follow the instructions at this link and post the requested logs: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

Can you also post the last 6 block reports from Malwarebytes:

Open Malwarebytes, select > Reports > then checkmark (tick) most recent "Website Block" entry > then select "View Report" > "Export" > Text File (*.txt) name and save that file to Desktop or somewhere of your choice, attach to your reply...

Thank you,

Kevin


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on the reports icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns..

Thank you,

Kevin

fixlist.txt


Here are the three attached files as requested. I have used the AdwCleaner by MWB before, but it did not find anything. None of the above programs found anything: I even ran Sophos twice and it did not find anything.

However, my current antivirus program, Avast, did get a message popup while I was using my computer normally - I didn't have a chance to do all the scans at one time. Should I attach said popup with another reply? It would just be a screenshot of what it found.

Should I also keep the other programs that you had me install to scan on my computer? Or should I uninstall them since they are now not in use?

AdwCleaner[C1].txt

Fixlog.txt

2017.10.23-20.46.29-i0-t92-d0.txt


As I did say, there were a LOT of these popups when I used MWB. I am not saying Avast is better, but if two out of three antivirus software detected these almost constantly, then... Then there has to be something, right? It's really bothering me. The AVG one I attached to this reply is older, too, about a month or two old, showing that it was also detecting something even after I wiped my computer clean.

49eff91526fa13daad412c870e528dba.png

2.png


Thanks for the update and images. It looks like the current problem is with Chrome. Let's go for a clean install...

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Remove all synced data from Chrome, go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essential that any/all synced data is removed when the browser is hijacked or exploited in any way...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Install Google Chrome:

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

Install Dr.Web Anti-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en

Does that help?

I did already try uninstalling and clearing out some Chrome data, then reinstalling it: should I try to do so again? I believe what you're suggesting has been more thorough. I won't be using Adblock Plus, however, because they sell your data to others and are actually known to specifically target you with ads. I have been using uBlock Origin.

Another one of the AVG popups and with MWB as well did say that it was originating from Skype. This only happened a handful of times. I will attempt to find the logs/popups to send them to show you.


I wanted your opinion on what I should do with Skype as well as if I should do anything with Chrome still. I didn't find any AVG popups coming from Skype, but I found at least two from MWB; it's hard to go through MWB just because there's probably about 50-100 protection alerts that I had over the course of roughly two weeks.

Skype Protection.txt

Skype Protection 2.txt


Chrome needs to be clean installed as per my instructions. Regarding Skype, read the following:

Those blocks you mention are inbound to Skype, this one (IP 31.133.58.141) is coming in from Russia https://whois.domaintools.com/31.133.58.141

The second one is also inbound to Skype (IP 197.220.72.4) is coming in from Somalia https://whois.domaintools.com/197.220.72.4

Both of those calls are entering through Port: [18520] you need to block that port OFF in your FIREWALL, it is beneficial that Malwarebytes stopped those probes or your system would be exploited again...

As far as I'm aware Skype normally listens on Ports 80 and 443, you will need to check the Skype settings and see if there have been changes made....
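One way to carry out the port-blocking and port-checking steps above from an elevated PowerShell prompt, as an added example that is not part of this thread: port 18520 is taken from the thread, the rule names are my own choice, and the cmdlets are the built-in NetSecurity and NetTCPIP ones available on Windows 8 and later.

```powershell
# Added example, not from the thread. Run from an elevated (Administrator) PowerShell.
# Port number comes from the Malwarebytes block reports quoted in the thread.
$Port = 18520

# 1. Is anything listening on that port right now, and which process owns it?
#    This is the check suggested above: Skype is expected on 80/443, not here.
$tcp = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
$udp = Get-NetUDPEndpoint  -LocalPort $Port -ErrorAction SilentlyContinue
foreach ($ep in @($tcp) + @($udp)) {
    if ($null -eq $ep) { continue }
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    "{0,-6} {1,-20} pid={2,-6} {3}" -f $ep.LocalPort, $ep.LocalAddress,
        $ep.OwningProcess, $proc.ProcessName
}

# 2. Create inbound block rules for both protocols, skipping any that already exist.
#    The DisplayName prefix is an assumption chosen so the rules are easy to find later.
foreach ($proto in 'TCP', 'UDP') {
    $name = "Block inbound $proto $Port (support thread)"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        "Rule already present: $name"
        continue
    }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
        -LocalPort $Port -Action Block -Profile Any | Out-Null
    "Created: $name"
}

# 3. Verify the rules are enabled and actually carry the expected port filter,
#    rather than trusting that the previous step succeeded.
Get-NetFirewallRule -DisplayName "Block inbound * $Port (support thread)" |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        "{0}: enabled={1} action={2} proto={3} port={4}" -f `
            $_.DisplayName, $_.Enabled, $_.Action, $pf.Protocol, $pf.LocalPort
    }
```

Step 1 only reports listeners; if Skype's incoming port was changed to 18520 in its own settings, that setting still has to be changed in Skype, since the firewall rule blocks the traffic but does not alter the application's configuration.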

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

It takes me some time to even have the time to be able to try anything. I cleaned out Chrome as per instructed, but I have not done anything with Skype yet - to do anything with my ports I have to call my ISP and have them change them around rather than me doing it myself. My modem does not allow access to it any more. 

I also am using uBlock Origin as I said, and I also installed the Dr. Web extension. I had one anti-virus popup from Avast before I started all of this, however, and it's the same popup notification that AVG used to give me. I also no longer have as much protection with Avast anymore, so I'm worried that something will be able to get through easier or not be detected anymore. Should I switch back to AVG if Avast doesn't find anything? At least temporarily, since AVG was alerting me quite a bit.

458b140788c4058123aa43854d78e141.png


Skype appears to be taking inbound calls via ports that are not usually used, it is probably a good idea for you to take this up with Skype help...

Have a read here: https://support.skype.com/en/faq/fa1070/how-do-i-update-my-firewall-to-work-with-skype

and here: https://support.skype.com/en/faq/FA148/which-ports-need-to-be-open-to-use-skype-for-windows-desktop

Can you also run GMER and post the produced log...

Please download Gmer from Here by clicking on the "Download EXE" Button.
 
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    Sections
    IAT/EAT
    Show All
    ( should be unchecked by default )
     
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.


Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

**If GMER crashes** Follow the instructions here and disable your security temporarily…

I have blocked the 18520 port with both UDP and TCP inbound connections. Skype did have settings turned on to get additional things from ports 80 and 443; should I turn that off? It also was set to have port 18520 as well. When looking over my Firewall Advanced Security settings, there's a bunch of things on it such as remote things that I'm kind of worried about: I've never been in these settings before, so I don't know what is supposed to be in there and what's not. Should I still ask the Skype support forums on help with it? It's taken me weeks, sometimes even months, for a reply there, since it's the Microsoft Support Forums now.

I did download the GMER program and attempted to run it: Avast keeps blocking it, I assume, because it does not load all of those settings for me to check like you wanted. I tried turning off Avast, but Avast still blocks it from me trying to use those settings.

Also, since I did clean out Chrome like you suggested, I have had an Avast alert since then. This was before I blocked the 18520 port.

11-4-17 3-27pm avast NO DROPBOX PICTURE.png


Run the following instead, let's see what comes back in the log...

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste its content in your next reply.



Do not use the delete option until I've had a look at the log..

Thank you,

Kevin


RogueKiller V12.11.23.0 (x64) [Nov  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.15063) 64 bits version
Started in : Normal mode
User : Steven [Administrator]
Started from : C:\Users\Steven\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 11/06/2017 16:44:19 (Duration : 00:19:53)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://www.cnn.com/] -> Found
[PUM.HomePage][Chrome:Config] Profile 1 [SecurePrefs] : homepage [https://www.tumblr.com/dashboard] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200AAKS-75SBA0 ATA Device +++++
--- User ---
[MBR] f4878c9c3482352c4b5a7aef6d39a46c
[BSP] 5a7ca462fb66401160fbf53936b37c78 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305142 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD6400AAKS-65A7B2 ATA Device +++++
--- User ---
[MBR] 315ffc2467129affb5648c76cb35fa37
[BSP] ceb84c3e7b096f62a58a22cb4210973b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 610378 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: SSD2SC120G1SA754D117-820 ATA Device +++++
--- User ---
[MBR] 068d635464ea5028dc4041acd2d0c7a7
[BSP] c3fcfc5e744220ec52e54e23e1b8ddd3 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 114021 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 233517056 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK
