Hi,

I've been getting blocked trojan reports for a website I didn't go to (and have never heard of). This is: www.windowspasswordsrecovery.com.

I had another one labelled as phishing from sibforms.com. As with the trojan website, I've never heard of it and wasn't visiting it when I had the alert.

It says these are "Outbound Connections". Can you tell me what this means?

Thanks.

 

Hi, @CNeedHelp :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

[ 1 ]

For Your Information:

The website Block message indicates that a potential risk was blocked by the malicious website protection.

The Malwarebytes web protection, by default, will always show each IP block occurrence.

The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

An incoming block notice can be ignored; our software is blocking the threat, and there is nothing more that can be done.

On outbound blocks, any attempted connection was stopped.

No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (e.g. 123.23.34 and 4.44.56).

 

[ 2 ]
We need to get information from this machine in order to have the proper detail to help you going forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair”!
    Click the Advanced tab on the left column
    Click the Gather Logs button
    A progress bar will appear and the program will proceed with getting logs from your computer
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 


Thanks for the support tool report. I notice that the program is running in Premium Trial mode.

There was a block event notice when Firefox was in use. That block was "www.windowspasswordsrecovery.com".

That happened 2 times.

There was another block event notice when Firefox was in use, on "sibforms.com".

These block notices do not mean there is any infection on board.

The last scan with Malwarebytes for Windows, on the morning of the 27th, showed no malware.

 

[ 1 ]

Get & install the Malwarebytes beta Firefox extension. It will help protect Firefox from dodgy sites and dodgy malvertising.

Open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

[ 2 ]

Delete the cache & history of each one of your web browsers.

Look at the following Malwarebytes Blog article, scroll down to the section marked *Clear your browser's cache*, and do that for each of your web browser programs.
https://blog.malwarebytes.com/puppum/2017/04/adware-the-series-part-1/

 

[ 3 ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge (on Windows 10), or Opera.

Scroll down to the tips section "How do I disable them".

 

[ 4 ]

I would suggest you download, save, and then run Malwarebytes ADWCLEANER.

Please close Firefox and all other open web browsers after you have saved Adwcleaner and before you start the Adwcleaner scan.

Version 7.4 of Adwcleaner detects factory preinstalled applications too!

I encourage you to take a look at the announcement blog post to learn more about this new detection category: https://blog.malwarebytes.com/malwarebytes-news/2019/07/your-device,-your-choice:-adwcleaner-now-detects-preinstalled-software/.

 

Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner

Be sure to save the file first, to your system. Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double-click Adwcleaner to start it.

At the prompt for the license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows so you can see Adwcleaner.)

Then click on the Dashboard button.

Click the blue button "Scan Now".

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".

Double-click that line & it will open in Notepad. Save the file to your system and then attach that with your reply.

Thanks. Keep me advised. Let me know if there are any more "website block events" on any browser.

Sincerely.



Hi,

Sorry for the delay getting back to you.

Adwcleaner picked up something called Rogue.ForcedExtension. Firefox has anti-ad and anti-tracking add-ons, so I was a bit surprised to be honest. I had a couple of sites whitelisted that I thought were safe, but they've now had their privileges revoked.

Thanks.


Thanks. Threat scan's clear. Will do another adwcleaner scan in a bit.

I looked up Rogue.ForcedExtension and your website says it's a Chrome infection, so I've deleted Chrome too (I rarely use it anyway). Would the Rogue thing still explain why Malwarebytes told me that Firefox is trying to visit those sites I asked about? Just to check I'm understanding, does the Rogue thing basically sit on your computer and try to access websites by itself without you actually going to the website?


The website Block notice message with Firefox meant that the PC was (and is) protected by the web protection. The blocks stopped any attempt that might cause harm.

You say you "deleted Chrome". How did you accomplish that exactly? Was that through an Uninstall from within the Windows uninstall settings for installed programs?

I would like for you to run a fresh report from this machine, so that I can re-review the information. The report tool FRSTENGLISH is already on this machine in the Downloads folder. Use Windows File Explorer to go to the Downloads folder.

Run report with FRSTENGLISH

Right-click on FRSTENGLISH and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

_Windows 10 users will be prompted about Windows *SmartScreen protection* - click the More info line on that screen and click the Run anyway button on the next screen._

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info, then choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait.

The tool will produce three logfiles on your desktop: _FRST.txt_, _Addition.txt_
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.

 


Could not say. However, we know that Chrome itself had to be installed by you or another of your computer users, at some point.

As to the fresh reports I requested, I want to check for remaining traces of Chrome. I know that there are at least 2. Just wanted a fresh report from you. Post # 9

If you'd rather not, then we can opt to close this case.


Hello.

Please know that the topics in malware removal are only one to one: the original poster and the helper.

The FRSTENGLISH is a report tool. It is placed there by the support tool. I need a fresh run just like I listed in post # 9 so I can have fresh information so that I can help you further.

Use Windows File Explorer to go to the Downloads folder.

Run report with FRSTENGLISH

Right-click on FRSTENGLISH and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

_Windows 10 users will be prompted about Windows *SmartScreen protection* - click the More info line on that screen and click the Run anyway button on the next screen._

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info, then choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait.

The tool will produce three logfiles on your desktop: _FRST.txt_, _Addition.txt_
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.


Thank you for the 2 reports.  This next run will remove the few remaining traces of Chrome browser.

[ 1 ]

This thread/topic is for member CNeedhelp only, who is the topic starter.

If you are not CNeedhelp, do NOT post here & do NOT use this on any other system.

Please close and save any open work files before you start this next step. It may involve a Windows Restart at the end of it.

I am sending a custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.

Start the Windows Explorer and then open the Downloads folder.

Double-click FRSTENGLISH to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt log with your next reply

 

[ 2 ]

Next, I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page. Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double-click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.

Click the blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” (in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for “periodic scanning”.


Please keep me advised.

Sincerely,

Fixlist.txt


The last residuals of Chrome browser are gone.

About the "block event notice"... it is NOT an indication of something infectious on your machine. It is typically the contrary. The web protection is keeping the PC safe from potential harm.

The block may be a false positive, maybe. A lot depends on what web browser is in use, plus, in addition, what exact website it was on (the website address in the address bar of that browser), plus also all the content of that last notice message.

I would like, as much as possible, all 3. Can you replicate the last event? Keep your eye on what site shows in the TOP address bar & compare to what shows on the small window-box.

Also, PLEASE get for me the actual History Report on that block & attach the report.

Follow the how-to guide on getting that Block report:

https://support.malwarebytes.com/docs/DOC-1472

P.S. Also, keep in mind that the block could be triggered by malvertising on the visited site, OR a compromised ad network, & sometimes even a bad extension on a web browser.

Tell me, by the way, did you do & finish the ESET special scan? What was that result? Is that the one you wrote is good?

 


Thanks. Yes, the ESET came back clean. I've attached the block reports.

I just managed to replicate the block. This is weird AF. I remembered I was using the address bar to search for something re: Windows last time, so I typed "win" into the address bar on Firefox. Firefox's suggested site is that password website (I hadn't noticed before because I usually ignore the recommended site). I didn't click on the website, I carried on with what I was actually searching for, but Malwarebytes pops up that block notice. Malwarebytes seems to be responding to Firefox just suggesting that website.

block report 1.txt block report 2.txt block report 3.txt block report 4.txt block report 5.txt


Thank you very much for all the detail, and the reports. That clears up just how the origin of the issue begins, as well as confirming it is in the Firefox browser.

I am listing 4 help articles at Mozilla.org / Firefox help.
I suggest that you clear all history of search auto-fill suggestions, turn off the search auto-fill option (at least for now), and also delete all cache and browsing history.
See the 4th section titled "Clearing form history": https://support.mozilla.org/en-US/kb/control-whether-firefox-automatically-fills-forms

See "Remove websites from the address bar suggestions": https://support.mozilla.org/en-US/kb/remove-websites-address-bar-suggestions

See "Clear recent searches from the Search bar": https://support.mozilla.org/en-US/kb/clear-recent-searches-search-bar

Clear the cache & history: https://support.mozilla.org/en-US/kb/how-clear-firefox-cache

Then close Firefox. You can restart it later on. Keep me advised.

Cheers.

 


Thanks. I already have Firefox set to clear everything on closing, but I went through the list of stuff anyway. Malwarebytes is now saying the password site is "malware" instead of "trojan". I've added the report.

Just to confirm, the site suggestion isn't something that I've previously visited or something from my bookmarks, it's part of Firefox or Google's site suggestion thing that's part of the address bar software (I'm not sure which of them decides which websites to suggest to people when they start typing in the address bar). None of the changes above turned these suggestions off.

block report.txt


I've also just turned off "Provide search suggestions" under Default Search Engine (Google) in the Search options. It's still suggesting websites to me when I start typing in the address bar. Does that mean these suggestions are part of Firefox rather than Google?
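Editor's note and added example, not part of the thread: what the last few posts describe matches Firefox's speculative connect, where the browser pre-opens a network connection to its top address-bar suggestion before the user picks it, so the outbound connection that the web protection blocks happens with no click; the "Top Sites" suggestions come from Firefox itself, separate from the Google search suggestions. The PowerShell below (assumed: a single default-release profile under %APPDATA%\Mozilla\Firefox\Profiles; run it with Firefox closed) writes a user.js that turns that preconnect and those suggestion sources off.

```powershell
# Added example (not from the thread). Assumes one Firefox profile whose folder
# name ends in ".default-release"; Firefox reads user.js at startup and applies
# these values on top of prefs.js, so close Firefox before running this.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$profileDir = Get-ChildItem -Path $profileRoot -Directory |
    Where-Object { $_.Name -like '*.default-release' } |
    Select-Object -First 1
if (-not $profileDir) {
    throw "No *.default-release profile found under $profileRoot"
}

$prefs = @'
// Do not open a TCP/TLS connection to the top address-bar suggestion
// before the user actually chooses it (the source of the "outbound" block).
user_pref("browser.urlbar.speculativeConnect.enabled", false);
// Do not offer Firefox-curated "Top Sites" in the address bar.
user_pref("browser.urlbar.suggest.topsites", false);
// Do not send typed keystrokes to the search engine for suggestions.
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.urlbar.suggest.searches", false);
// Also stop link prefetch, DNS prefetch and other speculative connections.
user_pref("network.prefetch-next", false);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.http.speculative-parallel-limit", 0);
'@

$target = Join-Path $profileDir.FullName 'user.js'
Add-Content -Path $target -Value $prefs -Encoding UTF8
Write-Host "Wrote Firefox prefs to $target"
```

After restarting Firefox, about:config should show each of these names as user-set; to undo, delete the lines from user.js and reset the prefs in about:config.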
