Website blocked due to Trojan

[Illu]

I keep getting Website blocked to due Trojan/Malware/Compromise. The file responsible is C:/Windows/System32/svchost.exe

[MKDB]

Hello @Illu and

 

My name is MKDB and I will assist you.

 

• Please follow the steps in the given order and post back the logs as an attachment when ready. Thank you very much for your cooperation.
• Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
• As English is not my native language, please do not use slang or idoms. It may be hard for me to understand.

 

 

Step 1

• Please download the Malwarebytes Support Tool (MBST).
• Run MBST.
• In the left navigation pane of MBST, click Advanced.
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.

 

 

 

[Illu]

mbst-grab-results.zip

[MKDB]

Thank you very much for the logfiles @Illu.

We are going to remove some orphans and check Windows system files, so the FRST-Fix (Step 1) will take some time (probably > 10 min). Please be patient.

 

 

Step 1

• Please download the attached fixlist.txt file and save it to the desktop or location where you ran FRST from (C:\Users\saatv\Downloads\).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

• Close all open programs and save your work.
• Run FRST again.
• Press the Fix button only once and wait. Please be patient.
• If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
• FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
• Please attach this logfile to your next reply.

 

 

 

Step 2

• Run FRST again.
• Do not change any settings.
• Press the Scan button.
• FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
• Please attach these logfiles to your next reply.

 

fixlist.txt

[Illu]

Fixlog.txtFRST.txtAddition.txtHi, here are the files you requested.

[MKDB]

Good job. 👍

 

Unfortunately, the fix was not finished due to a timeout limit.

I would like you to run another Fix with FRST (Step 1) to complete the first one. Moreover, we will run MSS as a checkup (Step 2).

 

 

I noticed this DNS server, it points to Australia:

Quote

Tcpip\..\Interfaces\{b5ea351a-ed05-403e-89b2-79e54deed079}: [NameServer] 1.1.1.1,1.0.0.1

Did you set it? Are you aware of it?

 

Let me know if MBAM still blocks services.exe after the following two steps @Illu

 

 

Step 1

• Please download the attached fixlist.txt file and save it to the desktop or location where you ran FRST from.

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

• Close all open programs and save your work.
• Run FRST again.
• Press the Fix button only once and wait. Please be patient.
• If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
• FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
• Please attach this logfile to your next reply.

 

 

 

Step 2

The Microsoft Safety Scanner (MSS) is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

• The download links & the how-to-run-the tool are at this link at Microsoft.
• Please let me know the results of this scan.
• Run a full scan.
• The log is named MSERT.log.
• The log will be at%SYSTEMROOT%\debug\msert.log which in most cases is

C:\Windows\debug\msert.log

• Please attach that log with your next reply.

 

 

fixlist.txt

Edited July 19 by MKDB

[Illu]

I'll run the fix again(took an hour i think). I did set a DNS server to Google or Cloudflare a while back but I don't mind changing it back to default.

[MKDB]

Regarding the DNS server: I usually let users delete unknown DNS entries, but if it's your default one, I will not touch it.

 

Please post the newest fixlog.txt from FRST and go on with Step 2.

Thank you.

Edited July 20 by MKDB

[Illu]

Fixlog.txtStep 2 has been going on for 9hours 30 mins now. Is it normal?

[MKDB]

Thank you for the fixlog, it looks good. 🙂

I'm sorry for the long scan time, it depends on different aspects, e. g. number of files on the system, hardware requirements.

Thank you for the hint, I'll review my instruction... maybe a QuickScan would be enough.

[Illu]

msert.logThank you for your time. The scan has finished and here is the log.

[MKDB]

Oh great, logfile comes back clean. Reboot your system. You can remove the file MSERT (Microsoft Safety Scanner).

How is your system running at the moment? Does MBAM still blocks a website?

[Illu]

I just rebooted. I'll relay back after using it for some time whether it is still sending me those pop ups.

[MKDB]

If MBAM is sending you those pop ups again, please let me know if this happens while surfing on a special site or if this happens without any open browser.

[Illu]

I have been using the device for an hour now with no trouble. When it did happen before a browser would be open but mostly it were common sites like stackoverflow, youtube and such.

[MKDB]

That sounds good. 🙂

 

Thank you for your cooperation @Illu, we're done.

 

Step 1

• Right-Click on FRST64 and choose Rename.
• Rename FRST64 into Uninstall.
• Run Uninstall.
• FRST and it’s files/folders will be deleted.
• If the tool needs a restart, please make sure you let the system restarts normally.

 

 

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you.

Edited July 21 by MKDB

[MKDB]

As this topic seems to be solved, I do not follow it any longer.

Take care! 😉

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

[AdvancedSetup]

Topic has been reopened per request.

Thanks

 

[Illu]

@MKDBThe same popup is back the very next day, not as frequent as it was before, maybe once a day.

[MKDB]

@Illu, please run FRST again and post the requested logfiles.

 

 

Step 1

Please download the suitable version of Farbar Recovery Scan Tool (FRST) and save it to your desktop: 32bit | 64bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Check the box in front of Shortcut.txt.
• Press the Scan button.
• FRST will create three logs (FRST.txt + Addition.txt + Shortcut.txt) in the same directory the tool is run.
• Please attach these logfiles to your next reply.

 

 

[Illu]

Thank you, here's the files.FRST.txt

Addition.txt Shortcut.txt

[MKDB]

Ok, now we try two more steps. Let me know how if this helps.

 

 

Step 1

First of all, please reset Firefox. After that, please reboot your system.

 

 

 

Step 2

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

• It will start a download of "esetonlinescanner.exe".
• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started. 
• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes.
• When prompted for scan type, Click on Full scan. 
• Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
• Have patience.  The entire process may take an hour or more. There is an initial update download.
• There is a progress window display.
• You should ignore all prompts to get the ESET antivirus software program.  ( e.g. their standard program). You do not need to buy or get or install anything else.
• When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
• Click The blue “Save scan log” to save the log.
• If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
• Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Edited July 26 by MKDB

[Illu]

Thank you. I did both the steps. The scan didn't detect any problems. I did step 1 first but during step2 I still got the same popup one time.

scan.txt

[MKDB]

Well done @Illu. 👍

I didn't expect that ESET will find anything, because your logfiles look clean to me. Let me ask in Malware Removal Team for ideas about those pop-ups from MBAM.

I would like you to run two final steps for now. Thank you in advance!

 

 

Step 1

Please download and run the Kaspersky Virus Removal Tool to remove any found threats.

Let me know if it finds anything or not.

 

 

Step 2

• Run MBST again.
• In the left navigation pane of MBST, click Advanced.
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.