
Website constantly flagged as blocked but can't seem to stop it



Only recently got Malwarebytes and loving it so far, but every ten minutes or so it flags a website, saying it has blocked it. The website in question is one I've never visited, so I'm happy to just block it for good. I'm sick of MB constantly telling me it's blocked the website; is there any way to get rid of it for good? I'm guessing something has infected the computer/browser that's causing this notification to keep popping up?

 

Every time I run a full scan it says nothing detected, yet the notifications for this website continue to pop up as blocked every 10-15 minutes like clockwork.

 

Any help would be really appreciated! 

 

 

Malwarebytes.PNG

Addition.txt FRST.txt MB_Log.txt

Hiya Hyena and welcome to Malwarebytes,

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window; this will take you back to "Dashboard". Select the blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of choice, recommend "Desktop", then attach to reply

     
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes.
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the tool and select Run as Administrator; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

let me see those logs in your reply..

Thank you,

Kevin..

fixlist.txt


Hi Kevin,

 

Thanks so much for the quick reply and help. Followed all steps without an issue, so I'll attach all logs. The only thing I did notice was that AdwCleaner did catch two files, which is good, but after the reboot Malwarebytes still popped up with block notifications about that website again. I'll have to wait and see if it pops up again, as it had been doing.

 

Think I attached all the logs you requested but if I missed anything, let me know and thanks again! 

AdwCleaner[C03].txt MB_Log.txt MB_ScanReport.txt msert.log

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Results button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

Hi again, 

 

I believe it flagged up eight things in total; here's the full log.

 

RogueKiller Anti-Malware V14.8.6.0 (x64) [Mar 24 2021] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19042) 64 bits
Started in : Normal mode
User : Stixx [Administrator]
Started from : C:\Users\Stixx\Downloads\RogueKiller_portable64.exe
Signatures : 20210407_080335, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2021/04/11 20:13:48 (Duration : 00:03:34)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> O4 - Run
  [Adw.Gen (Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|Weather -- C:\Users\Stixx\AppData\Roaming\Weather\Weather.exe --anbfs (missing) -> Found
>>>>>> O87 - Firewall
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{790F574A-91AA-400B-BB81-1BF5F5863A14}D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe|Name=Wargaming.net Game Center Renderer|Desc=Wargaming.net Game Center Renderer|Defer=User| (D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe) (missing) -> Found
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{233E1206-77BA-4335-A43D-8438A25A7379}D:\programdata\wargaming.net\gamecenter\wgc.exe -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=D:\programdata\wargaming.net\gamecenter\wgc.exe|Name=Wargaming.net Game Center|Desc=Wargaming.net Game Center|Edge=TRUE|Defer=App| (D:\programdata\wargaming.net\gamecenter\wgc.exe) (missing) -> Found
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{0BC28CFC-CC4F-40D3-A8FA-77022325BA0E}D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe|Name=Wargaming.net Game Center Renderer|Desc=Wargaming.net Game Center Renderer|Defer=User| (D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe) (missing) -> Found
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{A96882FD-85D0-4B24-9F8A-4A05812381BA}D:\programdata\wargaming.net\gamecenter\wgc.exe -- v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=D:\programdata\wargaming.net\gamecenter\wgc.exe|Name=Wargaming.net Game Center|Desc=Wargaming.net Game Center|Edge=TRUE|Defer=App| (D:\programdata\wargaming.net\gamecenter\wgc.exe) (missing) -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.Gen (Malicious)] (folder) 0031 -- C:\Windows\INF\usbhub\0031 -> Found
[PUP.HackTool (Potentially Malicious)] (folder) Scripts -- C:\Windows\schemas\Scripts -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 


Hello Hyena,

Now, let's re-run RogueKiller and remove all the items it found.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, make sure every item listed is checkmarked.
  • Then click the Removal button and wait until the removal process is complete.
  • When complete, click on Results.
  • Click Report.
  • Click Export and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

Any improvement...?

Thanks,

Kevin...

 

 


Hi again,

Here's the log from running RogueKiller again.

 

RogueKiller Anti-Malware V14.8.6.0 (x64) [Mar 24 2021] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19042) 64 bits
Started in : Normal mode
User : Stixx [Administrator]
Started from : C:\Users\Stixx\Downloads\RogueKiller_portable64.exe
Signatures : 20210407_080335, Driver : Loaded
Mode : Standard Scan, Delete -- Date : 2021/04/12 00:32:06 (Duration : 00:03:45)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Delete ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Adw.Gen (Malicious)] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|Weather -- [%_Stixx_appdata%\Weather\Weather.exe] -> Deleted
[Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{790F574A-91AA-400B-BB81-1BF5F5863A14}D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe -- [D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe] -> Deleted
[Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{0BC28CFC-CC4F-40D3-A8FA-77022325BA0E}D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe -- [D:\programdata\wargaming.net\gamecenter\dlls\wgc_renderer.exe] -> Deleted
[Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{233E1206-77BA-4335-A43D-8438A25A7379}D:\programdata\wargaming.net\gamecenter\wgc.exe -- [D:\programdata\wargaming.net\gamecenter\wgc.exe] -> Deleted
[Suspicious.Path (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{A96882FD-85D0-4B24-9F8A-4A05812381BA}D:\programdata\wargaming.net\gamecenter\wgc.exe -- [D:\programdata\wargaming.net\gamecenter\wgc.exe] -> Deleted
[Tr.Gen (Malicious)] 0031 -- %SystemRoot%\INF\usbhub\0031 -> Deleted
  => boot -- C:\Windows\INF\usbhub\0031\boot -> Deleted
[PUP.HackTool (Potentially Malicious)] Scripts -- %SystemRoot%\schemas\Scripts -> Deleted
  => activator.bat -- C:\Windows\schemas\Scripts\ACTIVA~1.BAT -> Deleted
 

 

I did that last night before bed. But annoyingly, the first thing that pops up when I turn the comp back on today? That same Malwarebytes notification :D

 

Yes, very frustrating for sure. Can you show me the latest RTP detection log...

Open Malwarebytes....
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the RTP Detection log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of choice, recommend "Desktop", then attach to reply

     
  • Please use "Text file (*.txt)", then name the file and save it to a place of choice, recommend "Desktop", then attach to reply
13 minutes ago, kevinf80 said:

Do you use any type of mobile phone, either connected to your PC or maybe a router or similar...

Not quite sure I understand the question exactly. I've got an Android phone that goes through the same wifi as the comp?

Hello Hyena,

The outbound calls seem to be going to a Chinese company, Xiaomi; they deal in electronics, mobile phones and many other such devices... I cannot see what software you may have installed that is making the outbound calls via svchost.exe.

I want you to set your system up in "Clean Boot" mode, from there we will see if the outbound calls cease.

Set Windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135 Basically all non-MS services are disabled; see how your system runs in that mode, and whether the outbound calls cease..?
 
Thank you,
 
Kevin..
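The helper above can see from the RTP detection that the outbound call is made by svchost.exe but not which of the many services hosted in that process is responsible. The following script is an added example and is not from the thread or from Malwarebytes: it polls the TCP table for connections to a given remote address (or, with no address given, to any non-private address), and for each hit lists the services that Win32_Service reports as running inside that PID. The -RemoteAddress value is a hypothetical placeholder, since the thread never names the blocked host; paste in the IP from the RTP detection entry. It needs an elevated Windows PowerShell 5.1 session on Windows 10.

```powershell
# Added example, not from the thread: watch outbound connections and name the
# services hosted in an svchost.exe instance that owns one.
# -RemoteAddress is a hypothetical placeholder; paste the IP from the
# Malwarebytes RTP detection entry (resolve a hostname with Resolve-DnsName first).
#Requires -RunAsAdministrator
param(
    [string]$RemoteAddress,      # omit to report every non-private destination
    [int]$Minutes = 30,
    [int]$IntervalSeconds = 2    # a blocked connection is short-lived; poll often
)

function Test-PrivateAddress {
    param([string]$Address)
    # Loopback, link-local, RFC 1918 and IPv6 local/unspecified ranges are noise here.
    return [bool]($Address -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0|::|fe80:|f[cd])')
}

function Get-ServicesInProcess {
    param([int]$ProcessId)
    # svchost.exe hosts several services per instance; Win32_Service records the
    # hosting PID, which maps a connection back to the service names inside it.
    $names = Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
        ForEach-Object { $_.Name }
    return ($names -join ', ')
}

function Get-SuspectConnections {
    if ($RemoteAddress) {
        $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue
    } else {
        $conns = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
            Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) }
    }
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        [pscustomobject]@{
            Time     = Get-Date -Format 'HH:mm:ss'
            Pid      = $c.OwningProcess
            Process  = $name
            Services = if ($name -eq 'svchost') { Get-ServicesInProcess $c.OwningProcess } else { '' }
            Remote   = "$($c.RemoteAddress):$($c.RemotePort)"
            State    = $c.State
        }
    }
}

$deadline = (Get-Date).AddMinutes($Minutes)
$seen = @{}
while ((Get-Date) -lt $deadline) {
    foreach ($hit in Get-SuspectConnections) {
        $key = "$($hit.Pid)|$($hit.Remote)"
        if ($seen.ContainsKey($key)) { continue }   # report each pid/destination pair once
        $seen[$key] = $true
        Write-Host ("{0} pid={1} {2} [{3}] -> {4} ({5})" -f `
            $hit.Time, $hit.Pid, $hit.Process, $hit.Services, $hit.Remote, $hit.State)
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Save it as, say, Watch-Outbound.ps1 and run `.\Watch-Outbound.ps1 -RemoteAddress <ip>` while waiting for the next block notification, then compare the timestamps with the RTP detection log. Two caveats: the block may stop the connection before it is established, so a hit may appear only briefly in the SynSent state, which is why the poll interval is short; and Get-NetTCPConnection sees only TCP, so a block on a UDP or DNS transaction will not show up here at all.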

Hi again Kevin,

Just running the clean boot now. Disabled everything except MB, and so far haven't seen any sign of the usual warning pop-up about that site, so that's a good sign! Usually it pops up the second I've rebooted and then constantly every 10-15 mins or so afterwards. I'll stay on this clean boot for another 30 mins or so and see if I see any sign of it, but so far so good.


Bah, and there it goes popping up again 😑 Still in the clean boot. I do have Chrome open and have been browsing idly for the last 20 min or so. No idea what would trigger it to suddenly pop up again like that.


So I rebooted the comp again in clean boot last night and left it running about three hours: no block pop-up. Then today I left it running about six hours, with Chrome open: no block pop-up. Been using it 3-4 hours since then with Chrome open/browsing, using chat programs etc. as normal: no block pop-up.

Really not sure what to make of it. Right now it looks as if everything is fine/fixed but that wouldn't explain why it did suddenly start popping up again last night. 


Hello Hyena,

Yes, an odd one for sure; clean boot made no difference previously when Chrome was open.. One of the extensions you do have in Chrome I've since found out may be not so trustworthy:

CHR Extension: (Popup Blocker Pro) - C:\Users\Stixx\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiodaajmphnkcajieajajinghpejdjai [2020-12-23]

Do you recall adding that extension yourself...?

Obviously we cannot leave your system in clean boot mode; it will need to be put back to normal mode at some point... Usually when clean boot makes a difference it is then a case of gradually starting the services back up until we find the problem...

Thanks,

Kevin..

I believe I did add that extension myself... but pretty sure it didn't seem that great, so I deactivated it. Hoping just removing it from the extension list will be enough to clear it completely? No problem doing that.

 

~ and yeah, it's pretty frustrating! Working through a list would've been a little tedious, but at least it's a pretty standard process of elimination! As of right now, I still haven't had the website block pop up once all day... which is good, but I also get a nagging feeling it'll just randomly show up again at any moment.

3 hours ago, kevinf80 said:

I guess you really should put your system back in normal mode, see what happens.. Make sure to delete the extension I advised..

Done and done. Sure enough, once I enabled everything again and came out of clean boot, the pop-ups have started again.

Hello Hyena,

I half expected that outcome; sometimes this kind of issue turns out to be a real PIA. Put your system back into clean boot and use it for a couple of hours to see if the block has ceased...

If clean boot clears the issue it is now a process of elimination to find which non MS service(s) was affecting your system...

Go through the process again, this time with all MS services hidden again; enable the top half of non-MS services, re-boot and see how your system responds. If still OK, the top half can be left enabled. Obviously if it returns with the top half enabled, the issue is amongst those....

Repeat again, enabling so many of the bottom half, then re-boot. Continue until you locate the problem service(s). A process of elimination, a bit long winded but worth the effort. Let me know the outcome...

Thank you,

Kevin...

 

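The process of elimination described in the last reply is normally done by hand in msconfig. As an added example that is not from the thread or from the helper, the script below makes it repeatable: it lists the services it treats as non-Microsoft, records their current start types to a JSON file on the Desktop so every step can be undone with -Restore, leaves one half enabled (-Half 1 or -Half 2) and disables the other, then asks for a reboot. Assumptions: "non-Microsoft" is approximated by the service binary living outside %SystemRoot% (msconfig keys on the file's company name, so the two lists can differ slightly), and anything whose display name contains "Malwarebytes" is left alone so the block can still be observed. Without -Apply it only previews the changes with -WhatIf.

```powershell
# Added example, not from the thread: a repeatable clean-boot bisection.
# Assumption: non-Microsoft services are approximated as those whose binary is
# outside %SystemRoot%; Malwarebytes services are excluded so the block stays visible.
#Requires -RunAsAdministrator
param(
    [ValidateSet(1, 2)][int]$Half = 1,
    [string]$StateFile = "$env:USERPROFILE\Desktop\service-starttypes.json",
    [switch]$Restore,
    [switch]$Apply      # without -Apply every change is a -WhatIf preview only
)

# Win32_Service.StartMode values mapped to what Set-Service -StartupType accepts.
$startTypeFor = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }

function Get-NonMicrosoftServices {
    $winDir = $env:SystemRoot.TrimEnd('\')
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName.TrimStart('"') -notlike "$winDir\*" -and
            $_.DisplayName -notlike '*Malwarebytes*' -and
            $startTypeFor.ContainsKey($_.StartMode)
        } |
        Sort-Object Name
}

function Set-StartType {
    param([string]$Name, [string]$StartType)
    # -WhatIf is forced on unless the caller passed -Apply.
    Set-Service -Name $Name -StartupType $StartType -WhatIf:(-not $Apply)
}

if ($Restore) {
    # Put every recorded service back to the start type it had before step one.
    foreach ($s in (Get-Content $StateFile -Raw | ConvertFrom-Json)) {
        Set-StartType -Name $s.Name -StartType $startTypeFor[$s.StartMode]
    }
    return
}

$services = @(Get-NonMicrosoftServices)
if ($services.Count -eq 0) { Write-Warning 'No non-Microsoft services found.'; return }

# Record the original start modes once; later runs reuse the same file.
if (-not (Test-Path $StateFile)) {
    $services | Select-Object Name, StartMode | ConvertTo-Json | Set-Content -Path $StateFile
}
$saved = @{}
foreach ($s in (Get-Content $StateFile -Raw | ConvertFrom-Json)) { $saved[$s.Name] = $s.StartMode }

# Half 1 is the first ceil(n/2) names in sorted order, half 2 the rest.
$mid = [math]::Ceiling($services.Count / 2)
for ($i = 0; $i -lt $services.Count; $i++) {
    $name = $services[$i].Name
    $inTestedHalf = if ($Half -eq 1) { $i -lt $mid } else { $i -ge $mid }
    if ($inTestedHalf -and $saved.ContainsKey($name)) {
        Set-StartType -Name $name -StartType $startTypeFor[$saved[$name]]
    } else {
        Set-StartType -Name $name -StartType Disabled
    }
}
Write-Host "Half $Half of $($services.Count) services left enabled. Reboot, then watch for the block."
```

Run it once with `-Half 1 -Apply`, reboot and use the machine for a few hours; if the block returns, the culprit is in the first half, otherwise repeat with `-Half 2 -Apply`. To go further, narrow the list by editing the JSON file down to the guilty half and re-running, and finish with `-Restore -Apply` so every service goes back to its original start type. Keep the state file until then; it is the only record of the original settings.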
This topic is now closed to further replies.