Jump to content

Website blocked due to Trojan from Steam and Games (Weird russian IPs?)


Go to solution Solved by kevinf80,

Recommended Posts

Hi everyone,

I have been experiencing a suspicious Problem.

Malwarebytes has been acting up today. It has appearently blocked several websites due to trojans from steam and steam games.

I have read a bit about this and most of the times, it seems to be a false positive, but in my case, the IPs that are actually blocked seem to come somewhere from russia, which is concerning to say the least...

It always says the file is either steam.exe or the .exe of the respective game.

Strangely, there seems to be no domain / URL. it just says N/A.log5.txtlog4.txtlog3.txtlog2.txtlog1.txt

Here are the logs for all of the realtime detections today. Sorry if its a problem that theyre in german.

 

Link to post
Share on other sites

Hello Marcus024 and welcome to Malwarebytes,

The blocks you are experiencing are "outbound" from your PC to the IP addresses shown in your logs. As you`ve already identified they are all associated to Steam or its games...

Lets gets some logs and see what is happening with your system..

Continue with the following:

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language right click on FRST, select rename then rename to FRSTEnglish.
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

Hi kevin,

Scan within Archives is on. Scan for Rootkits is on.

Malwarebytes found nothing, Heres the log:Malwarebytes log.txt

Updated AdwCleaner to newest version, ran with administrator, it found one PUP and two preinstalled softwares
the PUP was new to me but the two preinstalled softwares always come up, theyre just some random stuff from ASUS and i heard its better to just keep them so i dont accidentally break something, so i kept them
the PUP was some suspicious PremiumDownloadManager thing, so i quarantined it and deleted it from the quarantine / from my system completely, no reason to hold onto that crap
for some reason it didnt restart my computer, so thats weird, maybe its because i have some settings in the general repair section turned off? right now theres only delete tracing keys and reset winsock, but the others seem like theyre turned off by default
anyways, heres the log:AdwCleaner log.txt

While i ran FRST, Windows Defender randomly found something:
PUA:Win32/PiriformBundler (active)
it says low beside the name, im guessing thats for threat level: low
i googled it, it seems to be some garbage from ccleaner that appearently bundles a bunch of other products from them with ccleaner, scummy company wow, but it seems to just be harmless bloatware and i never noticed any new programs i didnt install, should i still press "take action"?
side note: the FRST addition log said several times that windows defender was cancelled before finishing a scan, that wasnt me, so thats spicy
anyways heres the FRST log and the addition:Addition.txtFRST.txt

i also have malwarebytes anti rootkit, i downloaded and ran that a long time ago when i was constantly paranoid lol, it found nothing back then and i havent ran it in a long time, should i run that aswell just to be sure? cause idk the stuff i found so far seems like way too little for a bunch of suspicious russian IPs

i might have a prediction where all of this comes from tho

my dad downloaded a cracked version of vuescan recently, i told him not to because he had downloaded it many times before on other devices and we both knew it was infected in some way (malwarebytes always detected some "RiskWare.HackTool.Agent" thing) but he stayed stubborn and said its important and he needed it so yeah, when he downloaded it on this device as always, MBAM caught riskware hacktool agent, i quarantined and deleted it, and it never showed up again, that happend a while ago so i dont have the logs for that anymore sadly, tho im willing to bet theres still some leftovers from that crack garbage hiding deep inside this machine

 

Link to post
Share on other sites

  • Solution

Hello Marcus024,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.

Next,

Please download RogueKiller, ensure to get the correct portable version (32-bit or 64-bit)

https://download.adlice.com/api?action=download&app=roguekiller&type=x64

https://download.adlice.com/api?action=download&app=roguekiller&type=x86
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, make sure every item listed in RED is checkmarked.
  • Then click the Removal button and wait until the removal process is complete.
  • When complete, click on Results.
  • Click Report.
  • Click Export and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.


Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Next,

If the issue with blocks from Chrome still happen use the instructions from the following link to reset Chrome:

https://forums.malwarebytes.com/topic/258938-resetting-google-chrome-to-clear-unexpected-issues/

Let me see those logs in your reply.

Thank you,

Kevin...

fixlist.txt

Link to post
Share on other sites

  • 2 weeks later...

hi kevin,
i am really sorry that i kept you waiting for so long. I was busy and i also forgot.

important things to mention:
while roguekiller scanned, it detected one thing, and after that suddenly windows defender picked up a trojan and quarantined it:
Trojan:PDF/Phish.GA!MSR
Roguekiller detected GameCenter as PUP.MailRU, but it shows as orange and you said only delete red so keeping it for now, also i have no clue what this GameCenter is, never downloaded it 
in the meantime while i had kept you waiting (sorry again) malwarebytes suddenly started blocking a lot of connections from my email providers website / server, i was already wondering why i wasnt getting any emails, the moment i included the website to the allow list, all of the emails that were being stalled i recieved and i was getting emails againmsert.logRoguekiller Deleting.txtFixlog.txtRoguekiller Scanning.txtmalwarebytes blocking my emails.txt

Roguekiller Scanning.txt Roguekiller Deleting.txt Fixlog.txt

Link to post
Share on other sites

Hiya Marcus024,

Thanks for those logs. I do not see any reference to GameCenter in the installed programs list from FRST. RogueKiller has flagged the registry entry as orange, that indicates further investigation is required. As only the registry key is flagged it may possibly be a remnant of a previous installation.. Continue:

Run FRST one more time:

Type the following in the edit box after "Search:".

GameCenter

Click Search Registry button and post the log it makes (SearchReg.txt) to your reply.

Thanks,

Kevin...
Link to post
Share on other sites

I do not believe gamecenter is malicious, or the game it is derived from. I`ve looked at several websites referring to Warface and specifically gamecenter, they get flagged as the laucher uses P2P torrents to make the downloads, also the sites are based in Russia which makes them seem suspicious..

How is your PC vurrently responding, any issues or concerns....

Link to post
Share on other sites

my pc is doing pretty fine right now, nothing really out of the ordinary but just yesterday it happend again that some window popped up and closed immediately

i never have enough time to even read what it is or atleast get a glance of it, happens pretty randomly, like once a week?

 

Link to post
Share on other sites

Hiya Marcus024,

Thanks for the update, lets get some fresh logs ffrom FRST....

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

user posted image
 
Thank you,
 
Kevin..
Link to post
Share on other sites

Hiya Marcus024,

Thanks for the update, if no remaining issues or concerns we can finish up...

Delete the following:

C:\Users\schurik\Desktop\RogueKiller_portable64.exe

Also this folder:

C:\Program Data\RogueKiller

Next,

Right click on FRST here: C:\Users\schurik\Desktop\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Condsider the following:

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/

Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee

PatchMyPC, keep all your software upto date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.