Website Blocked due to Trojan

[GuardianBob]

Hello. I have recently started receiving persistent notifications from MalwareBytes about "Website Blocked due to Trojan".

In addition I have Kaspersky Antivirus, and I am occasionally seeing similar notifications about blocking website access/download from the same site. 

I have run Malwarebytes, ADWcleaner and Kaspersky and I keep getting these notifications. They have not found/deleted the "trojan"

Any assistance would be greatly appreciated.

[Maurice Naggar]

Attention to all secondary posters.   The malware-removal help section is not a group type participation thing.

This topic belongs only for the original poster GuardianBob.    Each one of you needs to create his / her own new ( separate ) topic for help.

All me-too posts will be removed.

 

@GuardianBob     Hold on for a bit.

 

 

[Maurice Naggar]

Hello @GuardianBob      

My name is Maurice.  Let me know what name you prefer to go by.

 

We have to see the detection logs in order to have full details about these Block event notices.

The web protection / Malwarebytes real-time protection is keeping the pc safe from potential harm.   Whatever "it" was, it is STOPPED.

 

I would appreciate  getting some key details from this machine.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
  
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.7.0.827.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

[Maurice Naggar]

By the way,   The Malwarebytes Browser Guard will help protect your browser from " dakotaram.com "   which it blocks.   It will keep you safer,  just as the web protection too of the Malwarebytes for Windows.

 

Quote

Website blocked: dakotaram.com

Malwarebytes Browser Guard blocked this website because it may contain malware activity.

 

 

[GuardianBob]

Hello Maurice. Thank you for reply. Bob is fine for me. Please see my attached logs. 

Note: I have uninstalled Chrome and didn't see the error coming up, but after reinstalling the notification started appearing again. I assume the "trojan" is still here, and I'd like to be able to use chrome if possible in the future

mbst-grab-results.zip

[Maurice Naggar]

Good morning, Bob.

Lets not be presuming that the pc has any "trojan" at all.   The block notice is trying to advise that it STOPPED all harm.  It stopped a outbound  attempt to connect to a specific IP   172.64.193.23

Visually, remember that the block window has a green check-mark.   It is a visual clue that it ( Malwarebytes trial-premium real-time protections ) are keeping pc safe.

So no jumping to any assumption.

.

Question:   Which web browser are you now using  ?  the EDGE browser ?

.

One other comment by the way, this pc has Kaspersky free antivirus.   You may when you have time, do a new scan with the Kaspersky AV.   Let me know what the result is.

.

Just also by the way, the Farbar F R S T  reports do not show a mention of " dakotaram ", which is a good sign.

.

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.
Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.
Adwcleaner  detects factory Preinstalled applications too! 

Please download  Malwarebytes AdwCleaner https://downloads.malwarebytes.com/file/adwcleaner

 
Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).
Then click on Dashboard button.
Click the blue button "Scan Now".

allow it a few minutes to finish the Scan.   Let it remove what it finds.
NOTE:  When it comes to the section "
Pre-installed applications

You can skip that.
Please find and send the Adwcleaner "C" clean report.
In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".
Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs
Thanks.  Keep me advised.
 

 

[Maurice Naggar]

Hello.   How is it going ?

[Maurice Naggar]

Good morning @GuardianBob     I have not heard back from you in several days.    I hope you are doing well.

Have you seen my last set of replies ?

Let’s do a special search. 
We need to search for a few things with SystemLook:   That is a search tool that we will use to look for any mentions of 'dakotaram'.
Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop 

 

Right-click SystemLook_x64.exe and select Run as Administrator to start the tool. 
If prompted by Windows  UAC, please allow it  to run.
If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.COPY & paste the entire text into the main text box of SystemLook: 
  
 

Quote

 

:regfind

dakotaram

:filefind

dakotaram

:folderfind

dakotaram

 

 

Click the Look button to start the scan 
When finished, a notepad window will open with the results of the scan. 
A file will be created (on the same folder where you saved SystemLook) with the results of the scan, named SystemLook.txt
Please attach  this log in your next reply. 
 

 

[GuardianBob]

hi maurice - sorry for the delay in replying - I am working through your items today and hope to get back to you tomorrow at the latest. Thanks!!

[GuardianBob]

Hi Maurice here's the answers to your questions:

I am using the EDGE browser (but would like to be able to use Chrome in the future again)

Kaspersky completed a full scan - no threats detected. 

I ran Adwcleaner - and it found nothing. See file attached.

I ran the SystemLook and doesn't seem like it found anything. See file attached. 

Let me know if I missed anything and/or what you would like me to do next. Or if you'd like me to try reinstalling Chrome and see if the dakotaram things comes back again. 

 

Thank you for your continued help.

SystemLook.txt AdwCleaner[C01].txt

[Maurice Naggar]

Hello.   Thank you for the log reports.   The result of these 2 scan reports are re-assuring, especially the one from Systemlook, which indicates there are no content that refers to 'dakotaram'.

What I do notice is that the IP  address blocked here is different from other cases   ( though the top level of the domain is 172.64 ).

At this point, I would run this custom script just to insure that the Windows Winsock is set to  fresh normal settings.   It will not take a lot of time.

The system will be rebooted after the script has run.

.

This custom script is for  GuardianBob  only / for this  machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRST  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the Downloads folder

The tool named FRSTENGLISH .exe   tool    is already on the Downloads
Start the Windows Explorer and then, to Downloads folder

RIGHT click on  FRSTENGLISH     and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Fixlist.txt

[GuardianBob]

Hello Maurice - I don't see the FRST tool link. Can you please provide so I can run the script you provided?

[Maurice Naggar]

Hi Bob.   The tool is named FRSTENGLISH     it is on your Downloads folder        C:\Users\rivero\Downloads

[GuardianBob]

Hi Maurice. I ran the tool and have attached the file. Thanks!

Fixlog.txt

[Maurice Naggar]

Thanks for the report.   How are things at this time?

[Maurice Naggar]

Hello.    There's a need to do what follows.    Open an elevated command prompt window i.e. run Command Prompt as an administrator .
It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
To Get the elevated command prompt, press Windows-key + X key  and then selected Command prompt ( Admin )
On that command prompt,  Copy & Paste this command

sfc /scannow

tap Enter-key.   Then wait for the scan to finish.    I need to know the bottom line results of that run.

[GuardianBob]

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

 

I haven't tried using chrome again yet - do you think it's okay to try now?

[Maurice Naggar]

Good morning.   Glad to know of that result from SFC.

{  IF your pc now does not have Chrome installed,  I would suggest that instead of it you get & use the BRAVE web browser which does a good job of screening out most adware.

see   https://brave.com        and if you do get Brave then also get the Browser Guard cited below. }

 

If your pc has Chrome / if you plan on using it /  then  I  highly  suggest you install the Malwarebytes Browser guard for Chrome. 
To get & install the Malwarebytes Browser Guard extension for Chrome, 
  
Open this link in your Chrome   browser:  
https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee
  
Then proceed with the setup.     Keep me advised.

[GuardianBob]

Hi maurice. i reinstalled chrome,, with the malware bytes browser guard. however I pretty quickly got the website blocked due to trojan again. at this point i'm just thinking to do a clean install of Windows10, to make sure everything is clean

[Maurice Naggar]

Form where do you start Chrome browser?  which shortcut link ?   the desktop one?   the Taskbar one ?   the main start menu ?

Do you recall what Chrome was doing at the moment of this block notice ?   reading online email ?   or perhaps on a game site ?

IF you would outright stop using Chrome .....and get and use the Brave web browser with the Malwarebytes Browser Guard   I believe you will not encounter the same block notice.

and by the way,  do you do any instant messenger app on this pc ?   or play online games ?   I too am trying to see what is common with cases like this.

The only single commonality is the use of Chrome browser.

I would like for you to do this one time, please.

Open an elevated command prompt window i.e. run Command Prompt as an administrator .
It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
To Get the elevated command prompt, press Windows-key + X key  and then selected Command prompt ( Admin )
On that command prompt,  Copy & Paste this command
 

del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"

and tap Enter-key.   This will delete all cache files of the Chrome browser.

.

The Block notices do mean that the attempted outreach was Stopped.

imho,  it is overly extreme to be thinking of a OS  wipe  & whole new install.   Switching to Brave browser or only just using Edge browser is what I suggest doing at this point.

The Brave browser has stronger security  & does reduce a lot of adwares.

[GuardianBob]

hi maurice - i am starting chrome from the desktop shortcut (that was created upon installation). it seems to appear randomly but only when i'm using chrome. and I can't determine if it's on a specific site. NOTE: i still get the block warning even after deleting all the cache files.

my concern is not about the block notice itself, but the source of the block. do you feel that the source is the websites that I'm going to or is there something on my PC that is triggering this?

if it's coming from the websites I agree with just using brave more (not chrome). but just concerned that there is something on my pc triggering it. 

 

 

[Maurice Naggar]

I do believe it has to do with some site visited in the past.   It could have been a game site, or a video streaming site or other site visitied.

Yours is one of a handful I have  worked with. None of the others had some 'thing'  on their machine.

Again, I would encourage you to ( a) get the  Brave browser  ( b) install on Brave the Malwarebytes Browser Guard.   I gave you both links before  ( c) be very very  careful if you type a address by hand.   Be careful what you visit.

I am still interested if you play online games,  or if you do a fair amount of online media browsing,  what are they.

I believe one of the cases I handled,  they visited twitch   / that is one that I know of ....but not saying that that was the source.  I am saying be very cautious what sites you go to.

You and I need to see if the switch to Brave will help out.

By the way, when you setup Brave, it will have the logins from the other current browsers.

.

Once you have all that setup,  I would like you to run this special tool, called Autoruns.

It does not make changes. It will be just a report.

Please download Sysinternals Autoruns from here and save it to your desktop.

Note: you also need to do the following:

Right-click on Autoruns.exe and select Properties
Click on the Compatibility tab
Under Privilege Level check the box next to Run this program as an administrator
Click on Apply then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...
In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

• Include empty locations
• Hide Microsoft entries
• Hide Windows entries

Verify that the following is checked, if it is unchecked, check it:

• Verify code signatures
• Check VirusTotal.com

 

Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.

Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

Thank you.

[GuardianBob]

See autoruns.zip attached. 

Autoruns.zip

[Maurice Naggar]

I did get the file.   Unfortunately & mysteriously,  I am having no luck to view the contents.

.

Lets see if you can do some other digging on Chrome browser, after first starting it in its safe mode.

Start Chrome.

At the top right, click More   New Incognito Window.

Next, drill down into it to look at the whole list of Extensions   and disable those that you do not recognize, or those you do not need.

Click the Settings icon for the Chrome browser on the upper-right of its top-bar

Next, click on EXTENSIONS  on the left-side.

Look closely at all extensions.    One of those could be the source of the issue-at-hand, the unwanted outreach to 'dakotaram'.

It can very well be the Rakuten extension.     I would like for you to Disable that extension  ( as a minimum.    otherwise, to uninstall it ).

This would be a very good test.

.

I would also remove the Startup URL for Search  that refers to ' ssl.gstatic.com/chromoting/chromoting_logo_512.png '

Please use this guide to reset the Chrome Search preferences / settings

https://support.google.com/chrome/answer/95426

 

 

[AdvancedSetup]

Hello @GuardianBob

Following up to see if you need any additional further assistance.

Please post a follow up on your status when you have a moment

Thank you