for BearTrap

[BearTrap]

hello,
I'm pretty new to the forums but i also have this issue, randomly between 11:40am to 12:00pm ill get several popups saying an outbound connection was blocked,
all it tells me is.
Category

[BearTrap]

hello,
I'm pretty new to the forums but i also have this issue, randomly between 11:40am to 12:00pm ill get several popups saying an outbound connection was blocked,
all it tells me is.
Category       domain     type                 ip address               port          file

malware       n/a             outbound       212.32.7.102          50573       n/a

trojan            n/a             outbound       28.218.66.186        54978       n/a

trojan            n/a             outbound       188.165.255.150    61707       n/a

malware       n/a             outbound       212.32.7.102           54987       n/a

etc etc

[BearTrap]

i've done several scans with malwarebytes, i've done several clean resets of my pc.

i've done all i know to do except completely wipe and reinstall windows 10 on my drive.

also sorry for double posting i dont know how to edit messages

 

[Maurice Naggar]

This Thread/topic is for member  BearTrap only. who is the topic starter.

If you are not  BearTrap   , do NOT post here  

 

 

Hi,   @BearTrap       

My name is Maurice. I will be helping and guiding you, going forward on this case.

 

For Your Information:

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each IP block occurrence.

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).

A browser is not required to be running, just an active Internet connection with processes running,

such as Instant messenger clients, SKYPE or Peer-to-peer software, to trigger these alerts.

 

These are also triggered by banner ads running on websites which is the most common form of alert.

.

We need to get  additional  information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.623.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

[BearTrap]

ill do this but i already know i have malware, because in task manager "system" is using a lot of disk space memory and gpu resources, ive already done all the tips and tricks to reduce it but it still eats all of my resources and this is a fairly powerfull pc so it should have a large amount of these resources.

i also read i should run farbar tool and i have my results, should i post them here?

[BearTrap]

Here are the Results

mbst-grab-results.zip

[Maurice Naggar]

Thanks for the support tool report.  The FRST reports are included with it.

I notice that Malwarebytes for Windows is installed in trial mode.  I see several website block events.

Whats causing those is not clear yet.  And the other issues yu mention might be from other things.  I mean it can be a few different things going on here.

Patience is a must as we go forward.

 

We can do a battery of tests and scans.  Please have lots of patience.  I would first recommend to stop playing online games & loose web surfing.

 

[ 1 ]

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

 

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
 

Keep going forward and do this too.

[ 2 ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Version 7.4 of Adwcleaner  detects factory Preinstalled applications too!

I  encourage you to take a look at the announcement blogpost to learn more this new detection category: https://blog.malwarebytes.com/malwarebytes-news/2019/07/your-device,-your-choice:-adwcleaner-now-detects-preinstalled-software/.

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

Thanks.  Keep me advised.

 

[BearTrap]

Here is the MBAR log

mbar-log-2019-08-08 (14-26-15).txt

[BearTrap]

here is the ADW scan report

AdwCleaner[S00].txt

[Maurice Naggar]

Thanks for the reports.  Nothing found.  Other than Adwcleaner removing some HP manufacturer pre-loaded stuff.

By the way, you can attach more than one file when you do a reply.

Lets do a couple of other special scans.

[ 1 ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

[ 2 ]

You can check this system using another free tool at Microsoft.  For another opinion.

The Microsoft Safety Scanner is a free stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

take a minute to locate & then send the log that it made, named msert.log

It should be at C:\Windows\debug\msert.log

Sincerely,

 

[BearTrap]

i finished the first scan but i had some trouble downloading the microsoft safety scanner, it kept pausing then unpausing repeatedly. then told me it failed to download i eventually got it to finish and right now its eating all of my pcs gpu and memory while it does this, is that ok?

[Maurice Naggar]

Give it like another 15 minutes  and let it do its thing.   Then if still stuck, close the window for it.

One wonders what other apps were up and running while this was scanning.

But I do notice that that screen ( as captured) showed 0 files tagged as infected.

[BearTrap]

yeah but im still confused as i have a lot of disk space since i recently deleted all my files and cache, the only things i have installed are steam, discord, arma 3, and war thunder. then all those anti virus/malware and scanning programs you had me install. but my pc just runs slowly when i have everything shut off and i check task manager and it says that System is using all of my disk space and my gpu, i have done every thing i could to reduce what it consumes but it just takes more, also i just got a popup from malwarebytes saying it stopped another trojan

[BearTrap]

ah the scan finished, here is the Log

msert.log

[BearTrap]

i am noow periodiclly getting a popup asking to allow google updater to run as admin and make changes to my device for no reason and im just hitting dont allow, i dont have any chrome extensions except emsisoft browser security

[Maurice Naggar]

The Microsoft Safety Scanner found no malware.

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Thu Aug 08 17:45:31 2019

.

As far as the Google Chrome Update prompt, this machine has Google Chrome browser Version: 76.0.3809.87

Google Chrome has recently released 76.0.3809.100

You should do a manual Update run in Chrome.

To update Google Chrome:

1. On your computer, open Chrome.
2. At the top right, click the options-widget at the top right corner .

Next click on HELP  from the list

and then click About Chrome   and let it do a Update check.

Watch the taskbar prompt, and get it to the forefront by Clicking and then select YES to allow the update to proceed forward.

.

I am going to list the following next steps.

[ 1 ]

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows.

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
 

In Windows Settings  >>> click on Windows Security from the left side list.

Next, In Windows Security section:  Click on the grey button Open Windows Security

Click Virus and threat protection   & next click on the blue Scan options

Look down the options list.  Tick on Windows Defender Offline scan.   Then click the grey "Scan now" button.

and let it scan the system.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.

.

[ 2 ]

I would like for you to trim down & reduce   auto-loaded / auto-started applications, such as Steam, Discord, Arma,  War thunder and any other user-applications  & set Windows to start with that minimal load.  What not to disable are things like networking and security applets.  This does not involve Microsoft or Windows applets.

That means also, not auto-loading Steam, Discord, Arma,  War thunder

Keep a paper record of what you turn off from Windows startup.

The intent hear is to do a clean boot startup of Windows & then see if the Block notices stop.

https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

 

On the first restart, See if the block events go away.

Then later, as long as no block re-appears, then go back and put back on one third of the disabled items   & Restart Windows & do a new test.

Keep repeating the cycle until you identify which user application program may be the one that leads to the block notice.

[BearTrap]

Im not sure how the offline scan turned out since it wont show me the results, but ill assume good. 
the only appa i have enabled to start when my pc starts is malwarebytes and windows security notification

[Maurice Naggar]

Hi.  The main thing is, Has the block notice message gone away ?

 

This is the way to look at the Windows Defender scan history.

 

Go to the Windows Start menu.  Click on the Settings icon.

Now click on Update & Security.   Then click on Open Windows Security.

·  Click the Virus & threat protection tile     and then the Protection  history label  ( in blue color)

 

Lets do some housekeeping for the Chrome browser.

Lets turn off the Google Sync feature.

Use Chrome browser to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

.

while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

 

.

I would like to know if the block events have gone away.   and if not, then do they happen when Chrome or another browser is in use ?   and whether some online game is being in use.   or whether some instant messenger app like Discord   or any other Chat client, is in use,  at the time of the block notice.

[BearTrap]

so far it seems that the popup has stopped, atleast for now. but the issue with System 32 using a large amount of disk space and memory is still concerning
also here is the protection history.

The thing with my resources is i notice my pc is slowing down and sometimes completely stalling and i open task manager and see "system" is using all of my avaliable resources but then drops down to using none of it and then i close task manager and it starts using a lot of my resources again.

im currently using a i5-7400 processor, 8gb ddr4-2133 sdram, 1tb harddrive, and a gtx 1060, so i know my pc isnt the best and i need to upgrade ram but my disk space shouldnt be an issue because over 500GB free.

[Maurice Naggar]

[ a ]

Looking at the screen grab above, have you set any of your user folders as a protected folder ?

[ b ]

I would like to have you run a different report tool, so I can review.

Please download and Save this next tool to the DESKTOP ( if possible) or else to the Downloads folder ( so you can get to it easily).
Please note that the results of the following scans are not necessarily indicative of malware on your computer.

 RogueKiller Scan

• Please download RogueKiller (x64) using the link below.
  → http://download.adlice.com/api?action=download&app=roguekiller&type=x64

• Save the file first,
• Close any running programs that you started on your own ( if any).

Double-click  RogueKillerx64.exe to run the program.
Follow the prompts. If a browser window opens, close the window.

In the HOME tab, click Start Scan.
Upon completion, a browser window may open. Close this window.
 

Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.
Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.
Please attach the file in your next reply.

Thank you.

[BearTrap]

[A] - i have not set any of my folders as protected

- here are the results

Roguekiller results.txt

[Maurice Naggar]

This report seems very empty.

Did you see anything at all listed on the Processes tab ?

 

A small recap of all the prior tools & scans used to this point.

We have run Adwcleaner + MS Safety Scanner + ESET online scanner  + Windows Defender Offline + Malwarebytes Anti-rootkit standalone tool.

I am understanding that "block" notices have ceased.

As to the contents or size of Windows\System 32, there have been no reports that showed infection.

 

Edited August 10, 2019 by Maurice Naggar

[BearTrap]

The only times i see something weird happening in processes is when System is using all of my disk space the highest mb/s i've seen it take was about 20 mb/s and i wasnt installing or updating anything, my pc was just idle and every once in a while i see a process running with no icon and no name that usually dissapears by the time i see it, and sometimes when i shut down my pc i get a popup saying that "these processes are preventing shutdown" and its always task manager and 1 or sometimes 3 unamed processes.

[Maurice Naggar]

Hi.

I am going to refer back to my earlier tips about auto-started programs  and how to go about diagnosis using a clean-bootup of Windows.

I would like for you to trim down & reduce   auto-loaded / auto-started applications, such as Steam, Discord, Arma,  War thunder and any other user-applications  & set Windows to start with that minimal load.  What not to disable are things like networking and security applets.  This does not involve Microsoft or Windows applets.

Keep a paper record of what you turn off from Windows startup.

The intent hear is to do a clean boot startup of Windows & then see if that helps

https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

 

See how the reduced startup goes.

Then later,  then go back and put back on one third of the disabled items   & Restart Windows & do a new test.

Keep repeating the cycle until you identify which user application program may be

[Maurice Naggar]

It has been one week since my last reply.  I am marking this topic / case for closure.

All the best to you.