
Gandalf196

Honorary Members
  • Posts: 31
  • Joined
  • Last visited

Reputation: 0 Neutral

Profile Information
  • Location: Brazil

Recent Profile Visitors: 856 profile views
  1. This one: 138.99.160.244 https://support.ntp.org/Servers/PublicTimeServer001794
     -Dados do site da Web-
     Categoria: Site Comprometido
     Domínio: 0.pool.ntp.org
     Endereço IP: 138.99.160.244
     Porta: 123
     Tipo: Saída
     Arquivo: C:\Windows\System32\svchost.exe
     (end)
  2. I am not the developer, but I believe this unofficial HD fan-made addon to be safe: https://sites.google.com/site/heroes3hd/ However, whenever I press update (inside the addon), I get the blocked website message (I attached). Could you check if it is indeed safe? Thanks in advance!
  3. Well, as we did nothing to eliminate this issue, I suppose it may appear again, but, now, I know it is not malware related. Thank you for your time, Kevin.
  4. Well, RogueKiller has found this:
     [VT.Unknown] nw.exe(4904) -- C:\Program Files (x86)\Apptui\14.30.4700\nw.exe[-] -> Interrompido [TermProc]
     [VT.Unknown] nw.exe(468) -- C:\Program Files (x86)\Apptui\14.30.4700\nw.exe[-] -> Interrompido [TermThr]
     [VT.Unknown] nw.exe(3696) -- C:\Program Files (x86)\Apptui\14.30.4700\nw.exe[-] -> Interrompido [TermThr]
     [VT.Unknown] nw.exe(2308) -- C:\Program Files (x86)\Apptui\14.30.4700\nw.exe[-] -> Interrompido [TermThr]
     ¤¤¤ Registro : 17 ¤¤¤
     [VT.Unknown] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Apptui : C:\Program Files (x86)\Apptui\14.30.4700\nw.exe [-] -> Encontrado
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com -> Encontrado
     [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1777295242-1742805609-1554575121-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus13.msn.com -> Encontrado
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 201.21.192.166 201.21.192.161 [BRAZIL (BR)][BRAZIL (BR)] -> Encontrado
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 201.21.192.166 201.21.192.161 [BRAZIL (BR)][BRAZIL (BR)] -> Encontrado
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A9C9A2EA-831D-4174-90D1-7A1EAEE1342A} | DhcpNameServer : 201.21.192.166 201.21.192.161 [BRAZIL (BR)][BRAZIL (BR)] -> Encontrado
     [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{A9C9A2EA-831D-4174-90D1-7A1EAEE1342A} | DhcpNameServer : 201.21.192.166 201.21.192.161 [BRAZIL (BR)][BRAZIL (BR)] -> Encontrado
     That's why I asked you if they were false positives. I attached the file you requested.
  5. And what about RogueKiller's log? All false positives? If this is not malware, how do I get rid of it? Thanks!
  6. I'm posting the files as requested and a print of an F-Secure scan I just did. I'm not using those DNS servers you recommended last time; I'm using the default ones (my Internet provider's).
  7. It is displayed sometimes when I start my notebook.
  8. I've solved the problem. Please, close the topic.
  9. I PMed Kevin and opened a new topic; no answer so far.
  10. I posted it on the wrong forum (https://forums.malwarebytes.org/index.php?/topic/169255-i-need-help-again/). I believe I am posting it in the right place now:
      So, I've had some trouble with MBAM constantly reporting Malicious Website Protection from outbound IPs, which I described here: https://forums.malwa...ally-desperate/
      So far, the problem seemed to be solved; I no longer get these constant messages. However, I've noticed that MBAM has recently blocked again some of these IPs:
      Detection, 11/06/2015 19:07:47, SYSTEM, ICARO, Protection, Malicious Website Protection, IP, 94.102.63.85, 53779, Outbound, C:\Windows\System32\svchost.exe,
      Detection, 11/06/2015 19:07:54, SYSTEM, ICARO, Protection, Malicious Website Protection, IP, 94.102.63.85, 53779, Outbound, C:\Windows\System32\svchost.exe,
      Also, when browsing Google Chrome on my smartphone, which uses the same router my computer does, I get a lot of "malware pop-ups", such as: "your android is overheating please head to ..... to fix this issue", etc. This way, I thought the problem could have something to do with my router's DNS. I checked with f-secure.com, and it reported my DNS country as Chile!!!!! (I live in Brazil.) So, I figured there would be some problem with my router, then I restored it to factory defaults, and voilà, f-secure.com correctly reported my DNS country as Brazil! Ok, so I put my notebook to sleep. HOWEVER, when I tried that again (after waking it up), F-secure.com would report AGAIN my DNS country as Chile. It seems obvious to believe that there is some nasty agent hidden in my notebook constantly changing my DNS (probably inside svchost.exe).
      Obs: regarding my smartphone, I am almost sure it has nothing to do with any app installed, because I searched the web and many users are reporting this problem; in fact, a user from Brazil posted in this forum (he seems to use the same internet provider I do): https://productforum...dM/HMSDIFRao6EJ
      "Dear sirs, I had the same problem, but with the Samsung browser, not Chrome, on my Galaxy S4 running Android 5.0.1. After disabling JavaScript in the browser, the problem was solved. I'm from Brazil, using a NET Internet connection with the default router configuration. Arris router TG862. Accessing the router, I saw that the primary DNS was changed to a Sweden IP. I changed the router password, then the DNS to Google (8.8.8.8 and 8.8.4.4) and saved this configuration. After that, I booted my phone into security mode and cleaned all browser cache and temporary files. Then I booted the phone again to go back to normal use. I turned JavaScript back on. This procedure solved my problem. No more redirection again. Hope this helps you. Hugs!"
      I really hope you can help me again. Thanks in advance. As requested, I am attaching both the FRST.txt and the Addition.txt output diagnostic reports (I could paste them here, the post was too long):
  11. So, I've had some trouble with MBAM constantly reporting Malicious Website Protection from outbound IPs, which I described here: https://forums.malwarebytes.org/index.php?/topic/168478-really-desperate/
      So far, the problem seemed to be solved; I no longer get these constant messages. However, I've noticed that MBAM has recently blocked again some of these IPs:
      Detection, 11/06/2015 19:07:47, SYSTEM, ICARO, Protection, Malicious Website Protection, IP, 94.102.63.85, 53779, Outbound, C:\Windows\System32\svchost.exe,
      Detection, 11/06/2015 19:07:54, SYSTEM, ICARO, Protection, Malicious Website Protection, IP, 94.102.63.85, 53779, Outbound, C:\Windows\System32\svchost.exe,
      Also, when browsing Google Chrome on my smartphone, which uses the same router my computer does, I get a lot of "malware pop-ups", such as: "your android is overheating please head to ..... to fix this issue", etc. This way, I thought the problem could have something to do with my router's DNS. I checked with f-secure.com, and it reported my DNS country as Chile!!!!! (I live in Brazil.) So, I figured there would be some problem with my router, then I restored it to factory defaults, and voilà, f-secure.com correctly reported my DNS country as Brazil! Ok, so I put my notebook to sleep. HOWEVER, when I tried that again (after waking it up), F-secure.com would report AGAIN my DNS country as Chile. It seems obvious to believe that there is some nasty agent hidden in my notebook constantly changing my DNS (probably inside svchost.exe).
      Obs: regarding my smartphone, I am almost sure it has nothing to do with any app installed, because I searched the web and many users are reporting this problem; in fact, a user from Brazil posted in this forum (he seems to use the same internet provider I do): https://productforums.google.com/forum/#!msg/chrome/Q74jiLWfLdM/HMSDIFRao6EJ
      "Dear sirs, I had the same problem, but with the Samsung browser, not Chrome, on my Galaxy S4 running Android 5.0.1. After disabling JavaScript in the browser, the problem was solved. I'm from Brazil, using a NET Internet connection with the default router configuration. Arris router TG862. Accessing the router, I saw that the primary DNS was changed to a Sweden IP. I changed the router password, then the DNS to Google (8.8.8.8 and 8.8.4.4) and saved this configuration. After that, I booted my phone into security mode and cleaned all browser cache and temporary files. Then I booted the phone again to go back to normal use. I turned JavaScript back on. This procedure solved my problem. No more redirection again. Hope this helps you. Hugs!"
      I really hope you can help me again. Thanks in advance.
  12. Thank you again. We are ready to close. Cya!
  13. Wow, it was really nice of you, I will take a look at all those links and see what I can do. Thanks a million, you were tremendously useful.