TechSpot

Malwarebytes Anti-Malware successfully blocked access to a potentially malicious site

Solved
By Parkor
Jan 13, 2013
  1. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
  2. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    Farbar Service Scanner Version: 05-01-2013
    Ran by DJ (administrator) on 14-01-2013 at 15:58:21
    Running from "C:\Users\DJ\Desktop"
    Windows 8 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is offline
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is set to Demand. The default start type is Auto.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1

    RpcSs Service is not running. Checking service configuration:
    The start type of RpcSs service is OK.
    The ImagePath of RpcSs service is OK.


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys
    [2013-01-04 17:19] - [2012-11-05 22:53] - 0560640 ____A (Microsoft Corporation) 36D6A3201721558A8AFBCC09C2DA4C2C

    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll
    [2013-01-09 16:41] - [2012-09-20 01:31] - 0210432 ____A (Microsoft Corporation) 066B9710B36AB550E01EEFCA52155968

    C:\Windows\System32\mpssvc.dll
    [2013-01-04 17:20] - [2012-10-11 00:44] - 0904192 ____A (Microsoft Corporation) 3031573A739DBEE8923851929D0AF423

    C:\Windows\System32\bfe.dll
    [2013-01-12 00:54] - [2012-11-26 23:17] - 0718848 ____A (Microsoft Corporation) 9E6A544F465C582AB42444A217CF04DC

    C:\Windows\System32\drivers\mpsdrv.sys
    [2013-01-04 17:20] - [2012-10-11 00:15] - 0074752 ____A (Microsoft Corporation) 0D1609DD82C7440F5D5BF21A9D4D5C0C

    C:\Windows\System32\SDRSVC.dll
    [2012-07-25 20:08] - [2012-07-25 22:07] - 0148480 ____A (Microsoft Corporation) 92968277ED491E4B3DDA361E3952361E

    C:\Windows\System32\vssvc.exe
    [2012-07-25 18:36] - [2012-07-25 22:08] - 1482752 ____A (Microsoft Corporation) EA658570314042C914964FC72AB50E6B

    C:\Windows\System32\wscsvc.dll
    [2012-07-25 18:31] - [2012-07-25 22:08] - 0099840 ____A (Microsoft Corporation) FB0C1B7F94FA08E72F19F6F2CE7210E1

    C:\Windows\System32\wbem\WMIsvc.dll
    [2012-07-25 18:55] - [2012-07-25 22:08] - 0219648 ____A (Microsoft Corporation) 3D6B518B71C75C8FA4115A33615C107A

    C:\Windows\System32\wuaueng.dll
    [2013-01-12 00:54] - [2012-11-26 23:19] - 3345920 ____A (Microsoft Corporation) A8484C0CB54DB48180FB7CA00F1C3F8F

    C:\Windows\System32\qmgr.dll
    [2012-07-25 19:18] - [2012-07-25 22:07] - 0826368 ____A (Microsoft Corporation) D598C44A7072D3108D8D8102EC5E07F7

    C:\Windows\System32\es.dll
    [2012-07-25 18:50] - [2012-07-25 22:05] - 0507904 ____A (Microsoft Corporation) F9E01C2D9F8BC049E04CF5DC24A5F638

    C:\Windows\System32\cryptsvc.dll
    [2012-07-25 19:05] - [2012-07-25 22:05] - 0067584 ____A (Microsoft Corporation) F0E78B119D12BA81F163D48C0FF30B9A

    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MsMpEng.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
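As an added example, not part of the thread and not code from the FSS tool, here is a small Python triage pass over the FSS log format posted above. It flags the things a helper reads out of such a log: a service whose start type differs from its default, a non-zero "Disabled Policy" registry value, and a system file whose MD5 FSS did not confirm as legit. The sample input is a constructed excerpt trimmed from the posted log.

```python
import re

# Constructed excerpt in FSS log format, trimmed from the log posted above (sample input, not the full log).
SAMPLE_FSS_LOG = r"""Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2013-01-04 17:19] - [2012-11-05 22:53] - 0560640 ____A (Microsoft Corporation) 36D6A3201721558A8AFBCC09C2DA4C2C
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                        r"The default start type is (\w+)\.")
POLICY_VALUE = re.compile(r'^"(\w+)"=DWORD:(\d+)$')
FILE_PATH = re.compile(r"^([A-Za-z]:\\.+?)(?: => MD5 is legit)?$")
MD5_AT_END = re.compile(r"\b([0-9A-Fa-f]{32})$")


def triage_fss(text):
    """Return (severity, message) findings from an FSS log, in log order.
    high: start type changed from its default, or a non-zero 'Disabled Policy'
    value (the two ways Defender/Update are silently kept off).
    info: service not running but its configuration reported OK.
    review: a system file whose MD5 FSS did not confirm as legit."""
    findings, pending_file = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := START_TYPE.match(line):
            svc, actual, default = m.groups()
            if actual != default:
                findings.append(("high", f"{svc}: start type {actual}, default {default}"))
        elif m := NOT_RUNNING.match(line):
            findings.append(("info", f"{m.group(1)}: not running"))
        elif (m := POLICY_VALUE.match(line)) and int(m.group(2)) != 0:
            findings.append(("high", f"policy {m.group(1)}={m.group(2)}"))
        elif m := FILE_PATH.match(line):
            # a path with no "=> MD5 is legit" suffix is followed by a detail line ending in its MD5
            pending_file = None if line.endswith("MD5 is legit") else m.group(1)
        elif pending_file and (m := MD5_AT_END.search(line)):
            findings.append(("review", f"{pending_file}: MD5 {m.group(1)} not verified by FSS"))
            pending_file = None
    return findings
```

Running it on the full posted log would additionally list the other files FSS did not mark legit and every service reported as not running.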
  3. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

  4. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    You posted FSS log twice.
    I still need Security Check log.
  5. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    It wouldn't let me export, but it deleted 5 threats.
  6. Broni

    Broni Malware Annihilator Posts: 46,775   +254

  7. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    I did the security check, and it removed 5 files. It wouldn't let me export, but I'm not seeing the messages from MBAM anymore.
  8. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Security Check doesn't remove anything.
    Are you talking about Eset scan?
    If so, I still need Security Check log.
    Re-read my original instructions.
  9. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    Just got the message again. I did the ESET scan and it removed 5 things, but I couldn't figure out how to export, and I figured now it's too late since you said it only creates logs if it finds threats.
  10. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    And Security Check won't open on my computer. A command prompt window comes up, but it just closes right away.
  11. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Let's try to reset your router...

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (Vista and Windows 7 users: while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pressing the pinhole with a pencil or a paperclip until all lights briefly go off and on.
    NOTE: Simply disconnecting the router from its power source will NOT do.
    Restart computer and check for redirections.

    NOTE: You may need to re-check your router security settings, as described HERE
  12. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    Still getting messages after that
  13. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Does it happen when you have any browser open or it happens regardless?
  14. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    It happens at random, usually when I have a browser window open, but I'm not sure if that has anything to do with it.
  15. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Pay close attention for another day or so and let me know.
    Maybe some other program is triggering it.

    I don't see anything malicious in your log anymore
  16. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    Could it be a Chrome add-on possibly? It's happening a lot tonight.
  17. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    You need to make sure.

    If you want to give it a shot, uninstall Chrome...
    1. Close all Chrome windows and tabs.
    2. Go to the Start menu > Control Panel. (Windows 8 users: Learn how to access the Control Panel)
    3. Click Programs and Features.
    4. Double-click Google Chrome.
    5. Click Uninstall from the confirmation dialog. Delete your user profile information, like your browser preferences, bookmarks, and history, by selecting the "Also delete your browsing data" checkbox.
    Install fresh copy.
  18. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    Been watching it, it seems to only happen when I have a window open on the web, and normally it's right when I open a new page/tab, but not every time.
  19. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Did you try to reinstall Chrome following my instructions?
  20. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    Yeah, didn't work :/
  21. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Try to use a different browser for a while and see if the same issue happens.
  22. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    It seems to only be with chrome.
  23. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Uninstall Chrome...
    1. Close all Chrome windows and tabs.
    2. Go to the Start menu > Control Panel. (Windows 8 users: Learn how to access the Control Panel)
    3. Click Programs and Features.
    4. Double-click Google Chrome.
    5. Click Uninstall from the confirmation dialog. Delete your user profile information, like your browser preferences, bookmarks, and history, by selecting the "Also delete your browsing data" checkbox.
    Install fresh copy.
  24. Parkor

    Parkor TS Rookie Topic Starter Posts: 45

    I've done this a couple of times... I tried uninstalling all of my add-ons, so far so good :)
  25. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Very well then :)

    Good luck and stay safe.
