
Keep getting outbound connection block to website



Hello Team, I have Malwarebytes Premium 3.0.6.1469 installed and for the past 36 hours it has been blocking many outbound connections whenever I have Mozilla's Thunderbird.exe or Firefox.exe open.

The outbound IP addresses that get blocked are interesting: they are web servers hosted by A Small Orange, where two of my own domains are hosted. One IP is 23.91.70.25. The outbound block uses various ephemeral ports like 34809, 34774, 34773, etc.

What concerns me is that one of the execution calls is to 127.42.0.X which is of course, my own PC.  They have been 127.42.0.0, 127.42.0.12, etc.

I've run Avast multiple times and Malwarebytes multiple times and every time the scans return clean results.

Today, though, Malwarebytes stopped running after 1 hr 16 min on an icon, trustedid-icon-50x50.ico, which is a graphic for some Trusted ID service that I don't ever recall having installed, although I may have been testing something.

I also have some CEH files, including saminsider.zip, which I have added to my exclusions but today MBAM found that as a threat.

Two weeks ago, I first started receiving similar outbound blocks to 239.255.255.250 on svchost.exe so I just stopped the service and it seemed to resolve the problem. The service was SSDP. I still have the MBAM reports from early March if you need them.

The contents from FRST and ADDITION which I have attached below show over 5000+ restricted HKU\S-1-5-21 entries.

Thank you for your help in advance, I really appreciate it.

p.s.  After I ran FRST, I am no longer getting Website Block messages.  Does FRST do some sort of cleanup?

Thank you again.

 

 

 

FRST.txt

Addition.txt

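As an added triage example (not from this thread, not Malwarebytes code, and not part of the FRST workflow), the script below does what the poster describes doing by hand: it parses `netstat -ano` output, matches the blocked destinations against the sockets each PID owns, and labels each address so a 127.42.0.x loopback target or the 239.255.255.250 SSDP multicast address is recognised for what it is before anyone assumes an external attacker. The netstat lines are constructed sample data; the blocked addresses are the ones named in the post.

```python
"""Correlate blocked outbound destinations with `netstat -ano` output.

Added example, not code from the original thread. SAMPLE_NETSTAT is
constructed sample data in the Windows netstat column layout; PIDs, local
addresses and the 93.184.216.34 row are made up for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:34809     23.91.70.25:443        ESTABLISHED     4321
  TCP    192.168.1.20:34774     23.91.70.25:443        TIME_WAIT       0
  TCP    127.0.0.1:49600        127.42.0.12:80         SYN_SENT        4321
  UDP    192.168.1.20:1900      *:*                                    1208
  TCP    192.168.1.20:50001     93.184.216.34:443      ESTABLISHED     5555
"""

# State column is absent for UDP rows, hence the optional group.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# SSDP discovery always goes to this multicast group on UDP 1900.
SSDP_MULTICAST = "239.255.255.250"


def parse_netstat(text):
    """Return one dict per socket row; the header and blank lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := NETSTAT_RE.match(line))]


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). '*' ports become None; IPv6 brackets are stripped."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def classify(ip_text):
    """Label a destination so the reader knows whether traffic can even leave the host."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:            # whole 127.0.0.0/8, so 127.42.0.x never leaves the PC
        return "loopback"
    if ip_text == SSDP_MULTICAST:
        return "multicast (SSDP discovery)"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "public unicast"


def correlate(netstat_text, blocked_ips):
    """For each blocked IP, return its class and the PIDs holding a socket to it."""
    owners = defaultdict(set)
    for row in parse_netstat(netstat_text):
        host, _port = split_endpoint(row["remote"])
        pid = int(row["pid"])
        if pid == 0:              # TIME_WAIT rows show PID 0: no owning process to look up
            continue
        if host in blocked_ips:
            owners[host].add(pid)
    return {ip: {"class": classify(ip), "pids": sorted(owners.get(ip, ()))}
            for ip in blocked_ips}


if __name__ == "__main__":
    # Blocked destinations as named in the post; compare PIDs against Task Manager.
    for ip, info in correlate(SAMPLE_NETSTAT,
                              ["23.91.70.25", "127.42.0.12", SSDP_MULTICAST]).items():
        print(f"{ip:16} {info['class']:28} pids={info['pids']}")
```

Paste a real `netstat -ano` capture in place of the sample and feed in the IPs from the Malwarebytes block notifications; any PID returned can then be matched against Task Manager, which is exactly the cross-check the poster was attempting.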


  • Root Admin

Hello @hacktress and welcome!


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 


Hi Advanced,

The FIX phase of FRST64 is still running, but it's going on three hours and hasn't stopped. I ran a netstat -abno and the PID does not show up and does not match the PID that shows up for FRST in Task Manager. Task Manager says it is still running.

Anyway, I have attached the Fixlog file nonetheless.

I don't want to cancel FRST64 and I don't want to restart my machine.  I suppose I can keep the machine on with FRST running until I hear back from you. 

Also, Windows10 did a patch update between the time I initially posted FRST and Addition and running the FIX phase. 

Thank you again very much, I appreciate all that you do.

 

Fixlog.txt


Hi Ron,

I reran FRST64 SCAN and have reattached brand new FRST.txt and addition.txt since MS patch update yesterday.

The Website Blocks are worsening. I hope you can help me today.  Also, I cannot access CPANEL on the webserver where my domain is hosted.  Today I also got a block to www.reversoft.com, which is the first time that I received a popup block to a site that is not related to my hosting service.

I hope we can fix this soon.  

Thank you again for your help.

 

Addition.txt

FRST.txt


Ok, now I think I have ransomware. I went to see why web servers at my hosting service are blocking me from CPANEL and WEBMAIL, so I opened my router. It went from my router bookmark to park[dot]above[dot]com etc., then to windowsupdate0xerror[dot] etc. I captured the full URLs in ransomware3.png.

Then my screen opened to this page: ransomware2.png and of course, the now familiar ransomware block page, in ransomware1.png

In looking back at when this all started, I think it was around two weeks ago when I went to install the Tamper Data extension in my Firefox browser for my business; it didn't seem to behave normally and I uninstalled it immediately.

Please let me know what we can do next.

Thank you so much.

 

ransomware3.png

ransomware2.png

ransomware1.png


  • Root Admin

That's just a scam to get you to contact them so they can get money from you. We'll do the removals from the Recovery Environment.

 

 

Please download Farbar Recovery Scan Tool and save it to a USB flash drive.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

Plug the flash drive into the infected PC and start the computer into the Recovery Options for Command Prompt.

Windows Vista, 7

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Windows 8, 8.1
Please see
How to use the Windows 8 System Recovery Environment Command Prompt

Windows 10
Please see
How to Start Windows 10 in Safe Mode with Command Prompt

How to Boot to Advanced Startup Options in Windows 10

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc.
Any Windows installation disc or a repair disc made on another computer can be used.
Choose one of the options below to download and create a Windows Repair Disk or Installation Disk. Either one can be used.

How to Create a Windows 7 System Repair Disc
How to Create a System Repair Disc in Windows 10
Microsoft Windows and Office ISO Download Tool

You may also download from Microsoft but you will need to input your license key first. The above links do not require your key

Download Windows 7 Disc Images (ISO Files)
Download Windows 8.1
Download Windows 10

 

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • Notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

 

 

 

 


  • Root Admin

Please save the FIXLIST.txt file from my 2nd post to your USB thumb drive in the same location as the FRST program. Then boot up into the Recovery Console and run FRST again from the USB drive and click on the FIX button and let it run.

Then post back the new log.

Thanks

Ron

 


Hi Ron,

Thank you for your reply.

I've attached the Fixlog.txt file from my USB, from running FIX in Recovery mode with AV turned off but MBAM still on. The FIX was super fast. However, Malwarebytes Website Blocked messages continue to pop up even as I type this, but I see from the log we are making some progress.

Look forward to your reply and thank you again so much for your hard work.

 

 

Fixlog.txt


Hi Ron,

Thanks for your reply.

I've attached the latest FIXLIST done in Normal Mode with AV off, MBAM on. Still getting Website Blocked outbound messages, but it looks like we made more progress. The FIX did not complete on its own; I had to end the process manually after 20 minutes.

Thank you again so much.

We'll beat this.

 

 

Fixlog.txt


  • Root Admin

No, it's fully being stopped by something. Let me have you run the following. Make sure AVG is fully disabled while running.

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 


Hi Ron,

Thank you for your note. Over the weekend, I uninstalled/reinstalled Firefox. MBAM did not pop yesterday at all, but it started popping again today with the same error. Very strange. My AV now warns me that I have an unreputable browser add-on, but when I go to "fix" it in their interface it doesn't seem to be doing anything.

I will run the latest fixlist that you have provided and I will post the results here.

I am very grateful for your help, I know this can be wearisome, but I am very grateful to you for all your work.

 

 

