
Removal of saltjs.01bd.ru Outbound (Data Stealer?)



Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/28/19
Protection Event Time: 9:22 PM
Log File: f4ec9154-9a03-11e9-bb2d-50b7c384cec9.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.11310
License: Trial

-System Information-
OS: Windows 10 (Build 17763.557)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Adware
Domain: saltjs.01bd.ru
IP Address: 104.27.138.14
Port: [51268]
Type: Outbound
File: C:\Users\William\AppData\Local\Discord\app-0.0.305\Discord.exe

(end)

It's not just coming from Discord.exe; it seems to hop files constantly. Tried typical Mail.ru removal but to no avail. Any help would be appreciated.


Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

Thanks for the reports.

The message you relayed is the web protection keeping your pc safe.

Does that message come up when you are using Firefox? Do you use mail.ru? It is currently showing as the Firefox home page.

Further to that, did you knowingly install Discord and accept and concur to its being installed?

 


If you did not pay for Discord, I would suggest you uninstall it.

Let's do this next step to get mail.ru references out of Firefox.

Please close and save any open work files before you start this next step. It may involve a Windows Restart at the end of it.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly (as is) in the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.

Start the Windows Explorer and then, open the Downloads folder.


Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Kindly attach the Fixlog.txt with your next reply. 

[ 2 ]

Keep going with all below.

Start Malwarebytes. Click the Settings button. Now on the Application tab, click on the line "Install Application Updates".

Let it do its check and when prompted, click Yes to go forward with installing version 3.8.3.2965

 

[ 3 ]

Run a scan with Malwarebytes.
Start Malwarebytes from the Start menu.

Click Settings. Then click the Protection tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON


Click the SCAN button.
Select a Threat Scan (which should be the default).

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left (if any items are found).

Then click on Quarantine selected.

 

Be sure all detected items were removed.


When that is completed, kindly send the report.
In Malwarebytes, click the Reports button (on the left).
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your next reply.

fixlist.txt


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.