Malwarebytes: Malicious Website Blocked

Th3Fang

Just wondering if anyone else is getting this issue. Malwarebytes keeps popping up with this notification.

Information:

Domain: kdv.decipheringwarns. com
IP: 8.34.112.229
Port: 54414
Type: Outbound
Process: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

I've scanned with Malwarebytes, AdwCleaner, and TDSSKiller to no avail. Any tips?

Would a system recovery work?

Th3Fang

Without Malwarebytes Web Protection enabled I get a browser popup. As for DNS and IP I can tell you when System Restore is finished.

I did uninstall adware 2 weeks ago from the machine. Is this a trace of it?
For some reason yesterday I turned the machine on and a virus was detected.
 

little_me

If you think the adware changed browser proxy settings on Firefox, you could check Options -> Advanced -> Network -> Connection Settings.
The correct "normal" setting is either "No proxy" or "Use system proxy settings" (I think it will then use Windows/IE settings if they exist). If manual settings are there, ALL website traffic will go through their server, where they add their own pop-ups and ads (and likely viruses on said ads) to the content.
 
Solution

Th3Fang

It's the first thing I checked right after I realized I had adware. I put the settings back to normal. However that was 2 weeks ago. :/
 

little_me

My next question would be: does it happen on all browsers (IE, even if it's ancient, is still on pretty much all computers; or Chrome or Opera) or just on Firefox? And if so, have you considered possible unwanted add-ons/extensions?
 

TheFangTM

Thanks for your quick reply! No matter which browser I use, the message still pops up. Sometimes it pops up with different domains and IPs as well.

P.S. Same person different account. :l
 

little_me

Well... I've personally never run into such issues, but it is clear that something is going on. (Also, the domain/IP you posted seem to mismatch/change a lot.)
rgd1101's question about the DNS IP address being what it should be is a good start, since if that has been changed, the wrong DNS server can point you to any site they want when you try to go to any address.
Network card settings and/or ipconfig /all should tell that.
It should naturally point towards your own ISP's DNS server (or Google's if you want to use that instead).
 

Th3Fang

Sorry, so I type ipconfig /all into the console?
 

Th3Fang

So the DNS IP address is actually the same as my own IP address.
I checked on my laptop and the IPv4 adapter is not the same, just by one number. Is this supposed to be like that?
 

little_me

That might be a problem... it should not be the same.
Generally, it should be the ISP's own or, if you set it in the network card's settings, something else, but NEVER your own IP.
For me, it is my router's IP (the router acts as DNS server and re-asks the ISP),
hinting at a possible install of malware DNS stuff or a messed-up hosts file or...
In any case, it should be fixable.
Control Panel -> Network and Sharing Center -> Change adapter settings -> Properties of your network card -> scroll down to Internet Protocol Version 4 -> Properties and look at the DNS setting; it should be "Obtain DNS server address automatically".

If it is that, it might be that your router settings have been compromised. Less likely but... possible.
You could also look up what DNS servers your ISP uses and put those there manually and see if it fixes the symptoms (not the problem, it is still there somewhere).
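As an added example (not posted by anyone in this thread), a small Python script that parses saved `ipconfig /all` output and flags the condition little_me describes: a DNS server set to the host's own address, or one outside the resolvers you expect. The sample output, the adapter names and the trusted-resolver list are constructed for the demonstration.

```python
import re

KEY_RE = re.compile(r"^\s+(.+?)[ .]+: ?(.*)$")  # "   DNS Servers . . . : 1.2.3.4" -> field, value
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_ipconfig(text):
    """Map each adapter in `ipconfig /all` output to {field: [values]}."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = raw.strip().rstrip(":")  # adapter header, e.g. "Ethernet adapter Ethernet:"
            adapters[current], last_key = {}, None
        elif current is None:
            continue  # host-wide lines before the first adapter
        elif (m := KEY_RE.match(raw)):
            last_key = m.group(1).strip()
            adapters[current].setdefault(last_key, []).append(m.group(2).strip())
        elif last_key:
            adapters[current][last_key].append(raw.strip())  # continuation: extra DNS server
    return adapters

def ipv4s(values):
    """'192.168.1.10(Preferred)' -> '192.168.1.10'; IPv6 and non-address values are dropped."""
    return [m.group(0) for m in map(IPV4_RE.search, values) if m]

def check_dns(adapters, trusted=()):
    """Flag a DNS server equal to the host's own address, or not in `trusted` (your router/ISP)."""
    findings = []
    for name, fields in adapters.items():
        own = ipv4s(fields.get("IPv4 Address", []))
        for server in ipv4s(fields.get("DNS Servers", [])):
            if server in own:
                findings.append(f"{name}: DNS server {server} is this host's own address")
            elif trusted and server not in trusted:
                findings.append(f"{name}: unexpected DNS server {server}")
    return findings

# Constructed sample; on a real machine save `ipconfig /all > ipconfig.txt` and read that file.
SAMPLE = """Windows IP Configuration
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.10
Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8
"""
TRUSTED = {"192.168.1.1", "8.8.8.8"}  # assumed: the router plus one chosen public resolver
```

Running `check_dns(parse_ipconfig(SAMPLE), TRUSTED)` reports only the Ethernet adapter, whose resolver is the machine itself; an empty `trusted` set skips the allowlist check and flags only the self-pointing case.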
 

Th3Fang

Turns out, all I had to do was run Malwarebytes in Safe Mode. Apparently there was a Trojan somewhere there. In addition to that, I ran a virus scan with 360 Total Security and analyzed the registry with CCleaner. Thanks for all the help!