Jump to content

Blocking an outgoing connection due to Trojan


Recommended Posts

Hi

 

I've been loading up Garry's Mod on steam, and a report comes up saying an outgoing connection was blocked:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/24/19
Protection Event Time: 9:08 PM
Log File: f9010e78-1fbf-11e9-87c3-7085c237dbd6.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.463
Update Package Version: 1.0.8946
License: Trial

-System Information-
OS: Windows 10 (Build 17134.523)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain:
IP Address: 74.91.124.49
Port: [56513]
Type: Outbound
File: C:\Program Files (x86)\Steam\steamapps\common\GarrysMod\hl2.exe

 

(end)

 

The IP is always the same, the port varies.

I've tried to fix this, but to no avail. What can I do to prevent this?

Link to post
Share on other sites

Hello Warmongerousand welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

The results from Malwarebytes are here:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/25/19
Scan Time: 1:32 PM
Log File: 815ebe08-2049-11e9-85a9-7085c237dbd6.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.463
Update Package Version: 1.0.8956
License: Trial

-System Information-
OS: Windows 10 (Build 17134.523)
CPU: x64
File System: NTFS
User: DESKTOP-TUCU90T\kst

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 317807
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 18 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

The results from ADWCleaner:

 

# -------------------------------
# Malwarebytes AdwCleaner 7.2.6.0
# -------------------------------
# Build:    12-18-2018
# Database: 2019-01-21.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    01-25-2019
# Duration: 00:00:03
# OS:       Windows 10 Pro
# Cleaned:  0
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

No malicious registry entries cleaned.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1249 octets] - [25/01/2019 13:58:13]
AdwCleaner[S01].txt - [1310 octets] - [25/01/2019 13:59:34]
AdwCleaner[S02].txt - [1371 octets] - [25/01/2019 14:00:54]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C02].txt ##########

 

 

The results from Farbar are attached.

 

This might be important information, so I'll include it. This detection ONLY comes up in Garry's Mod. When you click the "Find Multiplayer Game" tab, it opens the community server browser looking for servers. I looked the specific IP up that gets blocked every time, and there is a Garry's Mod server with that exact IP. Could Malwarebytes be detecting this server and blocking it, as the specific IP has been reported before? Do server browsers gather server info with different ports each time?

FRST.txt

Addition.txt

Link to post
Share on other sites

So I just tested the theory that it's detecting a specific Garry's Mod server. I connected to a server I play on via one of my friends, directly on steam. This does NOT load up the Garry's Mod in-game server browser, which looks for every single server running in Garry's Mod. I waited on said server for 10 minutes for a popup. Nothing. I then loaded the in-game browser, and pretty much 10 seconds later I got an alert saying a connection was blocked. It seems to me like it's detecting a specific server and blocking it when it comes up in Garry's Mod's server browser.

Link to post
Share on other sites

Who owns the server, can that be checked out..?  Can you empty the following cache on your system.   C:\Users\{your username}\AppData\Local\Steam\htmlcache

Also if that cache is on the server (not sure where) can that be emptied also, that htmlcache is a prime conduit for redirects. 74.91.124.49 is not trustworthy..

Link to post
Share on other sites

Hello Warmongerous,

Thanks for the update, continue to clean up:

Right click on FRST here: C:\Users\kst\Downloads\Physics tutorial questions\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.