Illu Posted July 19, 2021 ID:1470083

I keep getting Website blocked due to Trojan/Malware/Compromise. The file responsible is C:/Windows/System32/svchost.exe
MKDB Posted July 19, 2021 ID:1470099

Hello @Illu, my name is MKDB and I will assist you. Please follow the steps in the given order and post back the logs as an attachment when ready. Thank you very much for your cooperation.

- Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.

As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.

Step 1
- Please download the Malwarebytes Support Tool (MBST).
- Run MBST.
- In the left navigation pane of MBST, click Advanced.
- In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
- A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.
Illu Posted July 19, 2021 Author ID:1470110

mbst-grab-results.zip
MKDB Posted July 19, 2021 ID:1470118

Thank you very much for the logfiles @Illu. We are going to remove some orphans and check Windows system files, so the FRST-Fix (Step 1) will take some time (probably > 10 min). Please be patient.

Step 1
- Please download the attached fixlist.txt file and save it to the desktop or location where you ran FRST from (C:\Users\saatv\Downloads\).
- Note: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
- Close all open programs and save your work.
- Run FRST again.
- Press the Fix button only once and wait. Please be patient.
- If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
- FRST will create one log now (Fixlog.txt) in the same directory the tool is run. Please attach this logfile to your next reply.

Step 2
- Run FRST again. Do not change any settings.
- Press the Scan button.
- FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run. Please attach these logfiles to your next reply.

fixlist.txt
Illu Posted July 19, 2021 Author ID:1470153

Fixlog.txt FRST.txt Addition.txt
Hi, here are the files you requested.
MKDB Posted July 19, 2021 ID:1470208

Good job. 👍 Unfortunately, the fix was not finished due to a timeout limit. I would like you to run another Fix with FRST (Step 1) to complete the first one. Moreover, we will run MSS as a checkup (Step 2).

I noticed this DNS server, it points to Australia:

Tcpip\..\Interfaces\{b5ea351a-ed05-403e-89b2-79e54deed079}: [NameServer] 1.1.1.1,1.0.0.1

Did you set it? Are you aware of it?

Let me know if MBAM still blocks services.exe after the following two steps @Illu

Step 1
- Please download the attached fixlist.txt file and save it to the desktop or location where you ran FRST from.
- Note: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
- Close all open programs and save your work.
- Run FRST again.
- Press the Fix button only once and wait. Please be patient.
- If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
- FRST will create one log now (Fixlog.txt) in the same directory the tool is run. Please attach this logfile to your next reply.

Step 2
- The Microsoft Safety Scanner (MSS) is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
- The download links & the how-to-run-the tool are at this link at Microsoft.
- Please let me know the results of this scan. Run a full scan.
- The log is named MSERT.log. The log will be at %SYSTEMROOT%\debug\msert.log which in most cases is C:\Windows\debug\msert.log
- Please attach that log with your next reply.

fixlist.txt

Edited July 19, 2021 by MKDB
Illu Posted July 20, 2021 Author ID:1470268

I'll run the fix again (took an hour I think). I did set a DNS server to Google or Cloudflare a while back but I don't mind changing it back to default.
MKDB Posted July 20, 2021 ID:1470306

Regarding the DNS server: I usually let users delete unknown DNS entries, but if it's your default one, I will not touch it. Please post the newest fixlog.txt from FRST and go on with Step 2. Thank you.

Edited July 20, 2021 by MKDB
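Added example, not part of any post in this thread and not FRST's own code: a Python sketch that pulls DNS server entries out of lines shaped like the `Tcpip\..\Interfaces\{...}: [NameServer]` line quoted above and labels each address as a well-known public resolver, a local address, or unknown. The `DhcpNameServer` line, the all-zero interface GUID and the 203.0.113.53 address are constructed sample data, and the function names are illustrative.

```python
import ipaddress
import re

# Well-known public resolver addresses and their operators.
KNOWN_RESOLVERS = {
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
}
# RFC 1918, loopback and link-local ranges: typically a router or local stub.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
# Lines shaped like the one quoted in the thread (assumed log layout).
LINE_RE = re.compile(
    r"^Tcpip\\(?P<scope>[^:]*):\s*\[(?P<value>(?:Dhcp)?NameServer)\]\s*(?P<servers>.+)$")

# Constructed sample: only the second line comes from the thread.
SAMPLE_LOG = r"""
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{b5ea351a-ed05-403e-89b2-79e54deed079}: [NameServer] 1.1.1.1,1.0.0.1
Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000000}: [NameServer] 203.0.113.53
"""

def classify(addr):
    """Label one DNS server address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if str(ip) in KNOWN_RESOLVERS:
        return "public:" + KNOWN_RESOLVERS[str(ip)]
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    return "unknown"

def audit(log_text):
    """Return (scope, source, address, label) for every DNS entry found."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # NameServer is set by hand or by software; DhcpNameServer by DHCP.
        source = "static" if m.group("value") == "NameServer" else "dhcp"
        for addr in filter(None, re.split(r"[,\s]+", m.group("servers"))):
            findings.append((m.group("scope"), source, addr, classify(addr)))
    return findings

def needs_review(findings):
    """Entries the owner should be asked about before anything is removed."""
    return [f for f in findings if f[3] in ("unknown", "malformed")]
```

An "unknown" label only means the address is not on the short allowlist above; whether the user set it deliberately still has to be confirmed with them, as happens in the thread.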
Illu Posted July 20, 2021 Author ID:1470320

Fixlog.txt
Step 2 has been going on for 9 hours 30 mins now. Is it normal?
MKDB Posted July 20, 2021 ID:1470336

Thank you for the fixlog, it looks good. 🙂 I'm sorry for the long scan time, it depends on different aspects, e.g. number of files on the system, hardware requirements. Thank you for the hint, I'll review my instruction... maybe a QuickScan would be enough.
Illu Posted July 20, 2021 Author ID:1470337

msert.log
Thank you for your time. The scan has finished and here is the log.
MKDB Posted July 20, 2021 ID:1470338

Oh great, logfile comes back clean. Reboot your system. You can remove the file MSERT (Microsoft Safety Scanner). How is your system running at the moment? Does MBAM still block a website?
Illu Posted July 20, 2021 Author ID:1470340

I just rebooted. I'll relay back after using it for some time whether it is still sending me those pop-ups.
MKDB Posted July 20, 2021 ID:1470360

If MBAM is sending you those pop-ups again, please let me know if this happens while surfing on a special site or if this happens without any open browser.
Illu Posted July 21, 2021 Author ID:1470413

I have been using the device for an hour now with no trouble. When it did happen before, a browser would be open, but mostly it was common sites like stackoverflow, youtube and such.
MKDB Posted July 21, 2021 ID:1470438

That sounds good. 🙂 Thank you for your cooperation @Illu, we're done.

Step 1
- Right-click on FRST64 and choose Rename.
- Rename FRST64 into Uninstall.
- Run Uninstall. FRST and its files/folders will be deleted.
- If the tool needs a restart, please make sure you let the system restart normally.

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection. Thank you.

Edited July 21, 2021 by MKDB
MKDB Posted July 21, 2021 ID:1470499

As this topic seems to be solved, I do not follow it any longer. Take care! 😉
AdvancedSetup (Root Admin) Posted July 21, 2021 ID:1470524

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection. Thank you.
AdvancedSetup (Root Admin) Posted July 26, 2021 ID:1471032

Topic has been reopened per request. Thanks
Illu Posted July 26, 2021 Author ID:1471033

@MKDB The same popup is back the very next day, not as frequent as it was before, maybe once a day.
MKDB Posted July 26, 2021 ID:1471093

@Illu, please run FRST again and post the requested logfiles.

Step 1
- Please download the suitable version of Farbar Recovery Scan Tool (FRST) and save it to your desktop: 32bit | 64bit
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Check the box in front of Shortcut.txt.
- Press the Scan button.
- FRST will create three logs (FRST.txt + Addition.txt + Shortcut.txt) in the same directory the tool is run. Please attach these logfiles to your next reply.
Illu Posted July 26, 2021 Author ID:1471140

Thank you, here are the files.
FRST.txt Addition.txt Shortcut.txt
MKDB Posted July 26, 2021 ID:1471199

Ok, now we try two more steps. Let me know if this helps.

Step 1
- First of all, please reset Firefox.
- After that, please reboot your system.

Step 2
Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking. I would suggest a free scan with the ESET Online Scanner.
- Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
- It will start a download of "esetonlinescanner.exe".
- Save the file to your system, such as the Downloads folder, or else to the Desktop.
- Go to the saved file, and double-click it to get it started.
- When presented with the initial ESET options, click on "Computer Scan".
- Next, when prompted by Windows, allow it to start by clicking Yes.
- When prompted for scan type, click on Full scan.
- Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
- Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
- You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
- When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
- Click the blue "Save scan log" to save the log.
- If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
- Press Continue when all done. You should click to off the offer for "periodic scanning".

Note: If you do need to do a File Restore from ESET please follow the directions below.
[KB2915] Restore files quarantined by the ESET Online Scanner version 3
https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Edited July 26, 2021 by MKDB
Illu Posted July 27, 2021 Author ID:1471286

Thank you. I did both the steps. The scan didn't detect any problems. I did Step 1 first but during Step 2 I still got the same popup one time.
scan.txt
MKDB Posted July 27, 2021 ID:1471334

Well done @Illu. 👍 I didn't expect that ESET will find anything, because your logfiles look clean to me. Let me ask in Malware Removal Team for ideas about those pop-ups from MBAM. I would like you to run two final steps for now. Thank you in advance!

Step 1
- Please download and run the Kaspersky Virus Removal Tool to remove any found threats.
- Let me know if it finds anything or not.

Step 2
- Run MBST again.
- In the left navigation pane of MBST, click Advanced.
- In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
- A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.