Outbound coonnection blocked notification

[joonkit95]

malwarebyte been constantly blocking outbound connection, category adware, file C:\Users\User\Appdata\Local\Google\Chrome\Application\chrome.exe How do I solve it?

[Maurice Naggar]

Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

You describe a block notice message by the Malwarebytes web protection.  It is keeping your pc safe.

For Your Information:

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each IP block occurrence.

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).

 

[ 2 ]
We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

[joonkit95]

hi

mbst-grab-results.zip

[Maurice Naggar]

Hi,  Thank you for the report.  Please be sure to do one Windows Restart  ( reboot).  There is a Windows pending file rename for Chrome that needs a restart.

There is some "stuff" related to using Chrome that triggers website block notices from the Malwarebytes web protection.

The Malwarebytes web protection service  ( while the program is in trial mode of Premium ) is keeping the pc safe.

Lets start with what follows.

[ 1 ]

Please use Chrome  to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[ 2 ]

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner.

 

Please download  Malwarebytes AdwCleaner from here:
Click the blue Download button.   ( do not pay attention to the other text displayed on that screen).

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click AdwcleanerGUI  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply  ( later on).

 

[ 3 ]

Let's do one new run with Malwarebytes for Windows.   CLOSE Chrome and any other web browser before pressing "Scan".

Start Malwarebytes.

Click Settings. Click Protection tab & scroll down to Scan options.

On the section "Potential Threat Protection"
look down at the one "Potentially Unwanted Programs (PUPs)" look and make sure it is set to
"Always detect PUPS ".

and

look down at the one "Potential Unwanted Modifications (PUM)" look and make sure it is set to
"Always detect PUM ".

and
scroll all the way down to the section Automatic Quarantine
On the line "Automatically quarantine detected malware" be sure it is ON



Then once all set there, click on SCAN button
Then insure Threat scan has a check mark. Then click Start scan.
Review the results list.
Then I would suggest you make sure all lines have a check mark

To that end, if you click the very top left checkbox you can force all detected lines ( if any are detected)  to be selected for removal. Be sure each line is checked.

Then you can proceed to click on the blue button Quarantine selected.

In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your next reply 

Sincerely,

[joonkit95]

here you go

AdwCleaner[S05].txt Threatscan.txt

[Maurice Naggar]

Thanks for the reports.   The Malwarebytes for Windows did not report any malware.  That is just fine.

The Adwcleaner just some minor P U P type.

Let me suggest you delete the cache in Firefox browser.

Look at the following Malwarebytes Blog article and scroll down to the section marked *Clear your browser's cache* 
and do that for each of your web browser programs.
https://blog.malwarebytes.com/puppum/2017/04/adware-the-series-part-1/

[ 2 ]

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows, without having to create bootable media.

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
Then look on the right hand side and click on Windows Defender.
Then, scroll all the way down on the scroll bar, down to where you see "Windows Defender Offline"
Click on the button Scan Offline to start the process and let it scan the system.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.

Sincerely,

[joonkit95]

Hi, i ran the windows defender offline scan. After its done i turned on my computer and check the threat history and nothing was found.

[Maurice Naggar]

OK.   That is great.   If your browser has not had another block notice today, we can plan to Close this case.

[joonkit95]

It still appear

[Maurice Naggar]

Screen grabs just do not have the full detail that is needed in situation like this.

I need to see the full report logged in the Reports section for that block event.

Use this guide  https://support.malwarebytes.com/docs/DOC-1472

Look for the website blocked for today.   Get it and attach it with next reply.

.

.

As I noted before, website block notices do not necessarily mean there is a actual infection on your Windows machine.

The notice is a courtesy notice.  The web protection is actually protecting the machine.  The message is just to make you aware.

[joonkit95]

okay

WebblockReport.txt

[Maurice Naggar]

The block is about this

Domain: saltjs.01bd.ru
IP Address: 104.27.139.14

when Chrome is in use.   Can you please close Chrome.   Then use a different web browser, Edge or Firefox.

I would like to know that those do normal  ....without any of these same block notices.

[joonkit95]

It has the blocked notice even if I use different browser 

[Maurice Naggar]

If you see the Block notice window, just click on the X button to close it out.

Lets get a specific report for review.

Go to the Downloads folder.   There, is the tool FRSTENGLISH

Start FRSTENGLISH

Type the following  ( or better yet, COPY the entire line as-is  & then PASTE )  into the search box exactly as show then press the Search Files button

SearchAll: saltjs.01bd.ru;01bd.ru

Please wait while the program searches for all entries relating to this program, when done a search.txt log will be saved to the desktop. Please attach this log to your next reply.

Edited July 2, 2019 by Maurice Naggar
cotrections made

[Maurice Naggar]

Sorry, I just corrected some extra un-intended typos in my preceding reply.

My bad.  See above.   You may need to do a screen refresh

[joonkit95]

Search.txt

[joonkit95]

Seach2.txt

[Maurice Naggar]

Thanks for the Search reports.  That shows there are no stuff with those names on the computer.

Re-reviewing your FRST reports, there is one sub-folder that has "mail.ru" as the name.

I am suggesting a number of things here.   Do have patience.

[ 1 ]

What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

[ 2 ]

Please Close and save any open work files before you start this next step.  It may involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) in the Downloads folder 

The tool named FRSTENGLISH.exe  is already on the Downloads folder.

Start the Windows Explorer and then, open the Downloads folder.


Double click FRSTENGLISH

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Kindly attach the Fixlog.txt with your next reply  ( later on when you are all completely done with all). 

[ 3 ]

Please try uninstalling and reinstalling Malwarebytes for Windows using our Support tool. The goal is to have a new Install.

Uninstall and reinstall using the Malwarebytes Support Tool
https://support.malwarebytes.com/docs/DOC-2674

 

[ 4 ]

Let me suggest you do a CUSTOM scan on the whole C drive !

This will take several hours.  Do have lots of patience.   This will the scan the whole system.

Open Malwarebytes

Click the Settings menu followed by the Protection tab.

Scroll down to Scan Options and turn the Scan for rootkits setting on.

 

Next, click the icon button at left marked SCAN

 

Then, from the 3 panel choices, click on the middle one marked CUSTOM

( IF you see a summary white screen with a green check, click on the Close X spot on the right side so you get to that out of the way & then click Scan button on the left & then Custom scan on the middle selected .)

 

 

Then click on Configure Scan button

be sure the Scan for rootkit on left is ticked

 

Be sure to click on the box marked C on the right.

You want to scan the whole C drive.

 

Then click Scan Now button.

Then see what the result is.

fixlist.txt

[joonkit95]

Fixlog.txt fullCscan.txt

[joonkit95]

what do I do now?

[Maurice Naggar]

The Malwarebytes custom scan result is very excellent.   No malware.  No P U P either.

Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 525255
Threats Detected: 0
Threats Quarantined: 0

.

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

also, if you use Chrome or Firefox browser, install the Malwarebytes beta browser extension.  There is one for Chrome & another for Firefox.

To get & install the Malwarebytes beta Chrome extension,

Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

 

To get & install the Malwarebytes beta Firefox extension.

Open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

[joonkit95]

ok thanks. What about the fixlog?  There is some file written there Folder: C:\ProgramData\Mail.Ru
Folder: C:\Users\User\AppData\Local\prunld8948
Folder: C:\ProgramData\0
Folder: C:\ProgramData\lock.dat
2019-06-16 12:26 - 2019-06-16 12:26 - 000000000 ____D C:\ProgramData\Mail.Ru

 

are these harmful?

[Maurice Naggar]

I had the Fix run delete the mail.ru

The 2 folders do not seem to have anything there that is meaningful.

You can delete those 2 folders.

[joonkit95]

Okay, but I still have the notification tho, do I just ignore it?

[Maurice Naggar]

Yes, if it shows again, do ignore it.

Also make a couple of tweaks in the settings for Malwarebytes.

Start Malwarebytes.
Click the Settings button.
Click the Application tab.

Scroll down to the section Notifications.
look at the "Close notifications after:"
and select "after 3 seconds" 

Then on the line about marked "Show notifications in the Windows System Tray" click on that to change to OFF
after that is done, close the window.