Jump to content

"Website blocked due to Trojan Type: Outbound. File: C:\Windows\System32\


daylight
 Share

Recommended Posts

Every 10 seconds I see this window pop up

"Website blocked due to Trojan

Type: Outbound.

File: C:\Windows\System32\wscript.exe"

sometimes it's "C:\Windows\System32\wscript.exe"

and sometimes it's "C:\Windows\SysWOW64\rundll.exe"

this problem started after I opened a .vbs file that was sent to me on skype

(I clicked on it by mistake)

I get this message when I scan for threats:

https://imgur.com/a/xpYsvgy

When I click Quarantine Selected its loading and then asks me to restart my pc, I do it, when its restarted I do another scan for safety and I see the same threats again...

I can end process of these 2 files from task manager but when I restart my pc it will open again.

 

Please help.

 

 

wscript.exe.png

Screenshot_6.png

Screenshot_7.png

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Did you install these processes and do you know what they are?

2019-02-15 16:31 - 2019-02-15 16:31 - 000023003 ____C C:\Users\Hen\AppData\Roaming\Money skrill  Btc $ VCC- PayPal ads Gmail  .vbs


2019-02-15 16:31 - 2019-02-15 16:31 - 000023003 ____C () C:\Users\Hen\AppData\Roaming\Money skrill  Btc $ VCC- PayPal ads Gmail  .vbs
HKU\S-1-5-21-1442272468-2502779562-3752437874-1000\...\Run: [MSCBDRNV3M] => C:\Users\Hen\AppData\Roaming\Money skrill  Btc $ VCC- PayPal ads Gmail  .vbs [23003 2019-02-15] ()
Startup: C:\Users\Hen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\binance.vbs [2019-02-15] ()
Startup: C:\Users\Hen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Money skrill  Btc $ VCC- PayPal ads Gmail  .vbs [2019-02-15] ()

If not subit these files to VirusTotal for inspection.
C:\Users\Hen\AppData\Roaming\Money skrill  Btc $ VCC- PayPal ads Gmail  .vbs
C:\Users\Hen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\binance.vbs

Navigate to this page and follow the instructions.
https://www.virustotal.com/#/home/upload

Post the links so I can see what we are dealing with.

Link to post
Share on other sites

I got them on skype and I clicked them by mistake.

it's probably a virus: 

https://www.virustotal.com/#/file/8444d3bb481c297a8be4e7615ed5d7e214d89f82b948d0c0063cfcf3d0304878/detection

https://www.virustotal.com/#/file/8408cc9f3395ace72938fef4e29876c816c796e32ba741a7e1df184ee5e07cc8/detection

Let me know how should I proceed..

 

Link to post
Share on other sites

Hi,

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

Link to post
Share on other sites

First of all, thank you for helping me.

The problem of the rundll32.exe is not appearing anymore.

and yesterday, when I had the problem, I used to end the process of both files (wscript.exe & rundll32.exe)

I saw in the task manager that I had 3 files of wscript.exe running and only 1 of rundll32.exe.

and now, the rundll32.exe is not running anymore and the wscript.exe is appearing only once.

I think the problem is fixed, but I'm not sure. Let me know how I proceed.

Fixlog.txt

Link to post
Share on other sites

Hi,

This should take care of the registry keys.

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

fixlist.txt

Link to post
Share on other sites

Hi,

If Chrome is your default browser do the fix listed in Post no. 8.

When done do not reset the Sync just yet.

Restart the computer normally.

ReSync the browser.

If you use an other browser let me know which one is compromised.

If after all this Malwarebytes is reporting the same items contact them at:

https://forums.malwarebytes.com/forum/41-malwarebytes-3-support-forum/

Start a new topic and inform them that these entries are not being removed even after resetting the Sync.

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.