
Blocked outgoing connection - Reason: Trojan


Blaxxun


Hello Forum,

I use Malwarebytes Premium 3.6.1.2711 on Win7 SP1

Lately I get this popup window that something tries to connect to a website. (No programs or web browsers got opened)

Domain: 8tiya.com

IP: 50.63.202.78

Port: is changing

Type: outgoing connection

File: blank

 

Several Full System Scans did not help.

I tried Malwarebytes Adwcleaner 7.2.5.0

I tried TFC - Tempfilecleaner

I fixed my registry with Registry CleanUP 6

 

The popup still pops up.

What can I do?

 

Link to post

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

If the problem persists it could be a Syncing issue.
You are probably Syncing Chrome with other devices?
To remove it reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

If the problem persists run this program so we can check further.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Wait for further instructions

Link to post

Hi,

This is an unknown extension.
If you have installed this Extension, fine. You can disable it if the problem is solved, then delete it.
FF Extension: (Kein Name) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qmxkd1rh.default\Extensions\{0e05c778-ab7d-45a5-98d0-ed365ac4653b}.xpi [2018-11-17]
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

===

If the problem persists this may be the issue.

If you are Syncing Firefox with other Devices, remove it.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.
<<<>>>

The tool will create a log (Fixlog.txt). Please post it in your reply.
===

Let me know if all is well or not.

fixlist.txt

Link to post


Hi,

What did you decide to do with this extension?
FF Extension: (Kein Name) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qmxkd1rh.default\Extensions\{0e05c778-ab7d-45a5-98d0-ed365ac4653b}.xpi [2018-11-17]

Remove and reinstall Firefox.

Before proceeding save your Bookmarks. (Export)
https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Firefox Password manager - Import your passwords.
Password Manager - Remember, delete, change and import saved passwords in Firefox
https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import#w_protecting-your-passwords
===

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox

Remove Firefox using the instructions on this page.
https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer

Restart the computer normally.

Install the latest version of the application.
https://www.mozilla.org/en-US/firefox/new/

Import your Bookmarks. Same link as the Export function above.

Restart the computer normally.
<<<>>>

How is it now?


 

Link to post

Hi,

Quote

What did you decide to do with this extension?
FF Extension: (Kein Name) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qmxkd1rh.default\Extensions\{0e05c778-ab7d-45a5-98d0-ed365ac4653b}.xpi [2018-11-17]

It says "Kein Name" that means No name. So I don't know what this was.

 

I did what you said.

Deleted Firefox. Even with Revo Pro. Reinstalled it.

The problem still exists.

The popup also pops up even when Firefox is not yet opened after a fresh PC boot.

I did a new scan with FRST64.exe

 

Thanks for your help :)

 

FRST.txt

Addition.txt

Link to post

Hi,

Your logs are clean.

Lately I get this popup window that something tries to connect to a website. (No programs or web browsers got opened)

Domain: 8tiya.com

IP: 50.63.202.78

Port: is changing

Type: outgoing connection

This is a message from MBAM that informs you that it has blocked an attempt.

Is it always the same message or does it change?

Link to post

  • 2 weeks later...

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt). Please post it in your reply.
===

After the restart of the computer IF the problem persists run this fix.

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00

; A "[-key]" line deletes the key and everything under it; the "[key]" line after it recreates the key empty.
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

----

Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Restart the computer normally.

Let me know if the problem persists.


 

fixlist.txt

Link to post
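
A check that could be run before merging fixme.reg, as an added example that is not part of the original thread: it exports each ZoneMap key the .reg file deletes and lists the existing site-to-zone assignments, without changing the registry. The backup folder name is an assumption; zone numbers 0 to 4 are the standard Internet Explorer security zones.

```powershell
# Added example: back up and list the ZoneMap keys that fixme.reg resets.
# Makes no registry changes. The backup folder is an assumed location.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet'; 4 = 'Restricted sites' }
$base = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$targets = @('HKCU\Domains', 'HKCU\Ranges', 'HKLM\Domains', 'HKLM\Ranges', 'HKLM\EscDomains')
$backupDir = Join-Path $env:USERPROFILE 'Desktop\ZoneMapBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$report = foreach ($target in $targets) {
    $hive, $sub = $target.Split('\')
    $regPath = "$hive\$base\$sub"      # form used by reg.exe
    $psPath  = "${hive}:\$base\$sub"   # form used by the PowerShell registry provider
    if (-not (Test-Path $psPath)) { continue }

    # Export first, so the reset can be undone by merging this file back.
    & reg.exe export $regPath (Join-Path $backupDir "${hive}_$sub.reg") /y | Out-Null

    # Subkeys are domains (or RangeN); each value maps a protocol to a zone number.
    $rootLength = (Get-Item $psPath).Name.Length + 1
    Get-ChildItem -Path $psPath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            $meaning = if ($value -is [int] -and $zoneNames.ContainsKey($value)) { $zoneNames[$value] } else { $value }
            New-Object PSObject -Property @{
                Hive = $hive; Key = $sub; Entry = $key.Name.Substring($rootLength)
                Name = $name; Meaning = $meaning
            }
        }
    }
}
$report | Select-Object Hive, Key, Entry, Name, Meaning | Sort-Object Hive, Key, Entry | Format-Table -AutoSize
"Backups written to $backupDir"
```

Entries listed under "Trusted sites" that were not added by the user or by a blocklist tool such as SpywareBlaster are the ones worth noting before the reset.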

Hi,

Did you remove and reinstall Firefox as suggested in post no. 6?
If not please do it.

You do not know what this extension does, remove it.
FF Extension: (Kein Name) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\qmxkd1rh.default\Extensions\{0e05c778-ab7d-45a5-98d0-ed365ac4653b}.xpi [2018-11-17]

===

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting. Below is the list of default usernames and passwords, should you not know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

Keep me posted.

Link to post

I have used all of the known fixes to stop these attacks.

I know that you have done all I suggested.

Navigate to this topic, download and run the Malwarebytes Support Tool.

Troubleshoot issues with Malwarebytes for Windows
https://forums.malwarebytes.com/topic/190532-having-problems-using-malwarebytes-please-follow-these-steps/

Follow the instructions listed on the page.

If you have questions read the FAQs.

Malwarebytes Support Tool FAQs
https://support.malwarebytes.com/docs/DOC-2387
<<<>>>

You should get an answer from their engineers.

 

Link to post

  • 5 weeks later...
This topic is now closed to further replies.