Jump to content

Recommended Posts

Malwarebytes keeps blocking access to sites on startup from two attackers: alwaysweb.info,  guardset.info. I installed Malwarebytes after getting a nasty virus that kept renaming and injecting itself and other adware into my files. Hitman Pro 'cleared' it up for the most part but left the most harmful things. Malwarebytes tried to clear the remaining trojans (well it found 6 and after restart found 3 more, after a third restart and scan it found those three again). However, it won't find the source of what keeps trying to access the above-listed sites. Similar to post at 

but 1 site is different and the Staff member said the file may harm the computer of anyone else who uses it as it was special for the customer.

Link to post
Share on other sites

Hello RichardCam and welcome to Malwarebytes,

Open Malwarebytes, select > Reports > then checkmark (tick) most recent "Website Block" entry > then select "View Report" > "Export" > Text File (*.txt) name and save that file to Desktop or somewhere of your choice, attach to your reply...

Repeat that for the three latest blocks and attach or copy paste to your reply..

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Hello RisicoWolf and welcome to Malwarebytes... Run the following:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

 

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
 
Post those logs, also let me know if there are any remaining issues or concerns..
 
Thank you,
 
Kevin...
 

 

fixlist.txt

Edited by kevinf80
typing error
Link to post
Share on other sites

I am still concerned as Malwarebytes no longer blocks the virus but Norton still blocks it when my laptop restarts. (I have tried my anti-virus to get rid of it and just haven't cleared it all off yet.)  Malwarebytes found more trojans but AdwCleaner didn't. Hopefully, the mass of logs I sent will help.

Fixlog.txt

mrt.log

norton log.txt

MalwareBytes after quaranitine (1 Failed).txt

MalwareBytes Threats Found (not quarantined yet).txt

Rkill.txt

HitmanPro_20180128_0935.log

Addition.txt

FRST.txt

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Reset your router, instructions available at the following link:

http://setuprouter.com/networking/how-to-reset-your-router/

Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper
 
  • Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool, For XP just double click to run.
  • From the left hand pane select "Flush DNS"
  • From the main interface select the dropdown under "Choose a DNS Server"
  • From the list select either "Google Public DNS" or "Open DNS"
  • From the left hand pane select "Apply DNS"


When done re-boot your system....

Does the issue still happen...?

fixlist.txt

Link to post
Share on other sites

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will disply the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste it's content in your next reply.


Do not use the Remove Selected option until i`ve had a look at the log..
Link to post
Share on other sites

RogueKiller V12.12.1.0 (x64) [Jan 22 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : mmafi [Administrator]
Started from : C:\Users\mmafi\Desktop\Virus Protection\RogueKiller_portable64.exe
Mode : Scan -- Date : 01/28/2018 16:40:16 (Duration : 00:52:30)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1253672732-2779434441-837241238-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1253672732-2779434441-837241238-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[Tr.Gen] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {21E27F4F-DFA8-462D-9781-8FD3C48B7C78} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Users\mmafi\AppData\Local\yc\Application\yc.exe|Name=Chromium (mDNS-In)|Desc=Inbound rule for Chromium to allow mDNS traffic.|EmbedCtxt=yc| [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[PUP.AutoIt.Gen][File] C:\Users\mmafi\Downloads\AutoClicker.exe -> Found
[Tr.Gen0][File] C:\Users\mmafi\Pictures\Git-2.15.1.2-64-bit.exe -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ02ABD100H +++++
--- User ---
[MBR] 65a3b17d660b6435bd9bca930723fc3b
[BSP] d9fad9dd30006d33e6916b403a39682e : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 941870 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1930240000 | Size: 853 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1931986944 | Size: 10515 MB
User = LL1 ... OK
User = LL2 ... OK

Link to post
Share on other sites

The scan has produced a complete log... do the following:

Run RogueKiller again....
 
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Checkmark the following found entries:

    Registry :-

    [Tr.Gen] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {21E27F4F-DFA8-462D-9781-8FD3C48B7C78} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Users\mmafi\AppData\Local\yc\Application\yc.exe|Name=Chromium (mDNS-In)|Desc=Inbound rule for Chromium to allow mDNS traffic.|EmbedCtxt=yc| [x] -> Found

    Files :-

    [PUP.AutoIt.Gen][File] C:\Users\mmafi\Downloads\AutoClicker.exe -> Found
    [Tr.Gen0][File] C:\Users\mmafi\Pictures\Git-2.15.1.2-64-bit.exe -> Found
     
  • Leave all other "Found" entries UNChecked
  • click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply....

How is your PC responding now, any odd or erratic behavior, same for your browser...

 

Link to post
Share on other sites

The computer seems back to normal, browser as well. No more reports from any sites or IP addresses trying to access my laptop. No Russian text filling the screen, though I fixed that one before I came and asked for help with what virus protection wouldn't clear. Here is the log as requested:

 

RogueKiller V12.12.1.0 (x64) [Jan 22 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : mmafi [Administrator]
Started from : C:\Users\mmafi\Desktop\Virus Protection\RogueKiller_portable64.exe
Mode : Delete -- Date : 01/28/2018 16:40:16 (Duration : 00:52:30)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1253672732-2779434441-837241238-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1253672732-2779434441-837241238-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Not selected
[Tr.Gen] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {21E27F4F-DFA8-462D-9781-8FD3C48B7C78} : v2.27|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Users\mmafi\AppData\Local\yc\Application\yc.exe|Name=Chromium (mDNS-In)|Desc=Inbound rule for Chromium to allow mDNS traffic.|EmbedCtxt=yc| [x] -> Deleted

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[PUP.AutoIt.Gen][File] C:\Users\mmafi\Downloads\AutoClicker.exe -> Deleted
[Tr.Gen0][File] C:\Users\mmafi\Pictures\Git-2.15.1.2-64-bit.exe -> Deleted

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ02ABD100H +++++
--- User ---
[MBR] 65a3b17d660b6435bd9bca930723fc3b
[BSP] d9fad9dd30006d33e6916b403a39682e : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 941870 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1930240000 | Size: 853 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1931986944 | Size: 10515 MB
User = LL1 ... OK
User = LL2 ... OK

Link to post
Share on other sites

Thanks for the update, if no remaining issues or concerns run the following to clean up:

Delete RogueKiller portable from your Desktop, also delete this folder if still present: C:\ProgramData\RogueKiller

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.