Website blocked due to trojan?.. Outbound connection in different ports

[Marcin_]

Hello.

I'm just a layman in programming and whole this knowledge, so forgive me if I did something wrong or omitted any detail in describing my problem. I'll try to describe it as much precisely as I can.

Two days ago MB started bombarding me with notifications like this: 

 

The problem is the notification window started to pop up very often, sometimes every 2 mins. Moreover, it seems unlikely that domain wpad.toya.net.pl would be infected with trojans (it's the tv & internet provider's website domain). All these connections concern different ports, but all the port numbers start from 49 (49704, 49728, etc.). As a result it occured to me that my computer must be infected. 

At the beginning I checked my task scheduler but I didn't find any suspicious task. Then I used rkill tool which found no threats, just terminated one process (see the attachment, please) and scanned the system with MB but the software found nothing. Even I used ADWCleaner and Hitman Pro with the same result. So I decided to ask you for a help. I ran FRST tool and you can find all the logs below. I hope my information will be helpful, if you have more questions, please let me know.

 

P.S. Unfortunately all my uploads failed (I don't know why) so I had to insert the logs here:

 

Addition.txt AdwCleaner[S02].txt FRST.txt HitmanPro_20190310_1705.log malwarebyteslog.txt MLBT report.txt Rkill.txt

[AdvancedSetup]

Hello @Marcin_ and

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

 

[Marcin_]

Thanks a lot, Ron, for a quick response. Following your advise I downloaded fixlist and ran FRST tool to fixing. Please, find the attachment below. 

Unfortunately the problem seems to exist so far. I still get the notifications such as one attached here nad the web toya.net.pl is beeing blocked by MB.

Maybe I should have run RFST as administrator?..

Fixlog.txt

[AdvancedSetup]

That alert is from the browser. I wanted to make sure the other parts of the system were not affected. Please go ahead and reset your web browser settings back to default.

Please review the following site and reset all of your browsers back to default.

https://www.guidingtech.com/25425/reset-chrome-firefox-safari-factory-defaults/

Then reboot and let me know if you're still getting this block or not.

Thank you

Ron

 

[Marcin_]

Hello, again.

I resetted my browsers, rebooted machine and still have the same problem.

[AdvancedSetup]

Please backup your bookmarks from the Opera browser. Then uninstall Opera and reboot.

Then use Microsoft Edge or Firefox browser and let me know if the block is gone

 

[AdvancedSetup]

After the removal of Opera also get me a new set of FRST logs, please.

 

[Marcin_]

Hi, Ron.

Opera has been definitely removed. I rebooted the system and decided to install FF. So far there are no notifications from MB.

You can find the files attached below after the scanning system by FRST tool.

Do I need to use the fixlist you sent me?

FRST.txt Addition.txt

[AdvancedSetup]

Overall the logs look good. Please run the following which will clean up the left over Opera folders, etc.

Then after a reboot post back the log and if you like you can reinstall a new fresh copy of Opera.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Ron

 

[Marcin_]

Hello, Ron.

Yesterday evening when FF was opened one notification popped up, despite I didn't go to any suspicious web. I hope it was caused by something within Opera remnants .

I ran the new fixlist today, rebooted and scanned the system with FRST. Please, find the files attached below.

Addition.txt Fixlog.txt FRST.txt

[AdvancedSetup]

Yes, any browser without Ad blocking can possibly observe threat activity from even a good site due to how cross-site scripting works.

Please run one more fix - then look at adding an ad-blocker to your browsers.

NOTE: This fix will also run a disk check on your drive just to ensure it's working well too.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

Once that's done, please check on the following.

 

 

Help Secure your browsers

Please install uBlock Origin for your browsers to better protect your system

FireFox, Chrome, Opera , Safari, Microsoft Edge
AdBlock for Internet Explorer

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up

 

Thank you for choosing Malwarebytes
 

Ron

 

[Marcin_]

Now I'm bombarded with a bunch of notifications again. Even during loggin into the forum.

Ok, gonna download the foxlist, run it and I'll send the logs.

And Ad blocker of course and will see.

[Marcin_]

I ran the fixlist, rebooted, added ad blocking and scanned. Here are the logs below.

Do I have still any malicious adware or something more serious in the system?..

Addition.txt Fixlog.txt FRST.txt

[AdvancedSetup]

I don't think the computer is infected but it may still have some javascript or .json files that are not cleared up that are helping to cause this block. It's not super serious but we should try to get it cleaned up.

So, are the blocks still happening? If so, which browser or do they happen even with all browsers closed?

Please post the protection log from the last alert.

 

[Marcin_]

15 hours ago, AdvancedSetup said:

So, are the blocks still happening? If so, which browser or do they happen even with all browsers closed?

Hello, Ron.

As you know, I had used Opera browser till I removed it. Now I'm using FF Quantum 65.0.2 (64bit). The notifications appear only when a browser is open.  The earliest alerts appear not before I open a browser. And apparently It doesn't matter whether I use FF or Opera.

Maybe MB is infected (it would sound as one in the eye for MB Labs).

Or maybe just to make an exclusion for this "wpad.toya.net.pl"?.. On the other hand I wouldn't get a trojan nor other *****.

I attached the last alert log, as you asked. Please, find the file below.

report 03-15-2019 21_08.txt

[Marcin_]

4 minutes ago, 3rone said:

Hello Sirs,

I have exactly same issue with domain wpad.toya.net.pl with different programs like steam, battle net, chrome. Is there chance that something is wrong with our internet provider or with your software? I saw similar topic on one of polish PC forums.

Hello, 3rone. Imho I don't think it's the Toya Co.'s fault (old DLS or something like that). The notifications appear even if I don't surf to toya.net.pl website. So it looks like any process tries to  direct the browser to the website (or to malicious fake web pretending Toya website).

[Marcin_]

18 minutes ago, 3rone said:

Weird, as I have problem with totally different applications (or sneaky one which is more clever than Malwarebytes)... Do you have adobe cloud service? That's the last thing I've downloaded on my PC.

Nope. I don't use Adobe cloud service. But I guess  there are  miscellaneous ways of getting any virus or other unwelcome code.

[Marcin_]

Maybe indeed it is bound with Java and json files. I just looked on the report...

[AdvancedSetup]

Okay, so you say the alert is only with a browser now, correct?

Which browser is having the issue?

 

[Marcin_]

Mozilla Firefox Quantum 65.0.2 (64bit)  - that's the browser, I'm using now.

The problem was, when I used Opera before I unistalled it, and the same problem is now, when I use Fire Fox.

[AdvancedSetup]

Did you add the Ad Blocker to Firefox?

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

 

Then reboot and let me know if you're still getting the block, please.

Thanks

 

 

[Marcin_]

Yes. Adblocker Ultimate.

[AdvancedSetup]

Go ahead and do the browser resets. Then reboot and let me know.

 

[Marcin_]

Hello, Ron.

 

I refreshed FF and there's no efect. Still notifications appear (maybe less frequently) and Toya website  is being blocked by MB or the screen appears with words like: safe connection unsuccessful. SSL received the record that exceeds maximum allowed length (whatever it means). The error code is: SSL_ERROR_RX_RECORD_TOO_LONG (see the attachment below, please).

 

[AdvancedSetup]

Okay, please make sure your Date and Time are correct for your computer. Then temporarily disable your current antivirus and run the following Kaspersky scanner and let's see if they're able to find anything.

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not

Thanks

Ron