Jump to content
C0nrad

Trojan site blocked/font file

Recommended Posts

I had removed some malware from a machine a few weeks ago as noted in this thread 

Malware from dl.okblcm.co on computer

I have noticed that Malwarebytes has been blocking a trojan site several times a day and this is the report

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/13/19
Protection Event Time: 7:41 AM
Log File: 4764e77c-bdbf-11e9-8a91-fcaa1421364a.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11983
License: Trial

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: 
IP Address: 121.156.134.3
Port: [51131]
Type: Outbound
File: C:\ProgramData\DataFiles\Microsoft\Fonts\up.exe

(end)

 

In the previous thread I noticed that this file was picked up by MSRT but is still present on my machine. How do I go about removing the file to prevent further trojan site attempts.

Share this post


Link to post
Share on other sites

Hi,  @C0nrad

My name is Maurice. I will be helping and guiding you, going forward on this case.


We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.623.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

Share this post


Link to post
Share on other sites

Hi.  Thanks for the support tool.  The block notice from Malwarebytes is helping to protect this PC.   The file Up.exe cited in the block message is a trojan.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.B!ml&threatid=2147735505&enterprise=0

 

I have  procedures below to help out.  The first custom procedure will upload a copy of that Up.exe to Virustotal for analysis  & then remove it.

There is a lot listed below in 5 parts.  Take your time.  Do all of them.  Just go down the list as time permits.

First, set Windows to show all folders, all hidden folders

see   https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files

 

[ 1 ]

This Thread/topic is for member C0nrad only. who is the topic starter.

This fix is for C0nrad only.

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) to the Downloads folder

The tool named FRSTENGLISH.exe  is already on the Downloads folder.

Start the Windows Explorer and then, open the Downloads folder.


Double click FRSTENGLISH

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 

FRST_Fixl.png.c4c1c0dddcc49b11fa400590f070bd5e.png

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your reply.    Also advise on the situation after this run.

 

[ 2 ]

Make an adjustment in Malwarebytes for Windows.   Start Malwarebytes for Windows.

Click Settings. Click Application tab.
Scroll down to Windows Action Center.


click on the line "Let Malwarebytes apply the best"

[ 3 ]

Run a scan with Malwarebytes.
Start Malwarebytes from the Start menu.

Click Settings. Then click the Protection tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, { if anything detected}   be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed. Let it remove what it has detected.


When that is completed, kindly send the report.
In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your reply. Thank you.

 

[ 4 ]

Run a scan with the Windows' Windows Defender antivirus.   I would recommend a FULL scan with Windows Defender.

Type “Windows Defender” in the  Windows  search box and then press Enter. Click Settings and make sure there is a checkmark on Turn on real-time protection recommend.

[ 5 ]

A further scan that I suggest.

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

 

 

Fixlist.txt

Share this post


Link to post
Share on other sites

Hello thanks for your help thus far

 

Below is the fixlog, along with the scan report from step 3.

 

However, I can not complete step 4. Upon opening windows defender there is a pop up that states "This app has been turned off and isn't monitoring your computer." 

 

After going into the action center of control panel and under the security tab, "Malwarebytes is turned on" is listed under the virus protection where I would normally find Windows Defender. Is this correct? I have the end point protection from Malwarebytes

 

Thanks

 

Fixlog.txt scan report.txt

Share this post


Link to post
Share on other sites

Thank you for the reports.  This pc has the consumer Malwarebytes for Windows, version 3.8.3.2965

The last scan run found no malware;  no P U P

The Fixlist run indicates that the "up.exe" in the Fonts sub-folder is no longer present.   That would tend to mean that the original block notice should be no more.

 

As to the display in Windows Security Center / Action Center, make this adjustment here.

go into Malwarebytes.
Click Settings. Click Application tab.
Scroll down to Windows Action Center. .

IF it is now on "Let Malwarebytes apply the best" then in that case, click on the line "NEVER register Malwarebytes in the Windows Action Center".

Close the window when this is done.

Let me know if you need other help.

Sincerely.

Share this post


Link to post
Share on other sites

Hello.  How are things ?  Do you need other help?

Kindly advise.

Sincerely,

Maurice

Share this post


Link to post
Share on other sites

Everything seems to be working great thus far. thank you for your help

Share this post


Link to post
Share on other sites

You are welcome.  I am glad to have helped you.

You should delete the file FIXLIST.txt

You may delete the tools I had you download.

 

Safer practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Sincerely,

Maurice

Share this post


Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites

@C0nrad   I have received your message.  I have re-opened the ticket.

What I really truly ( also) need to know is, Which web browser is in use  ( if any) when the block notices happen, & what the website address is showing on the address bar of the browser.

 

I also need a fresh report.    

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.623.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

NOTE:  Some of these block notices are reported as "inbound".  The web protection of the Premium Malwarebytes is keeping your pc safe.  It STOPPED the inbound attempt.

 

For Your Information:

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each IP block occurrence.

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

Share this post


Link to post
Share on other sites

Reply #2 for this Friday.  You wrote

Quote

Recently the trojan website blocked began returning and it looks like this started after changing Malwarebytes from the "let malwarebytes apply the best" to "never" 

I have went ahead and changed it back to "let malwarebytes apply" however the scan does not seem to finds the issue

Please understand, the setting for Action Center / Security Center is not related to anything of the Malwarebytes website protection 's  "block notices".

Share this post


Link to post
Share on other sites
2 hours ago, Maurice Naggar said:

@C0nrad   I have received your message.  I have re-opened the ticket.

What I really truly ( also) need to know is, Which web browser is in use  ( if any) when the block notices happen, & what the website address is showing on the address bar of the browser.

We use Chrome and most of the block notices occur with gmail and pandora in Chrome.

 

Please see attached report. 

 

Thank you for the information on the Action Center and how Malwarebytes blocks threats.
 

 

 

mbst-grab-results.zip

Share this post


Link to post
Share on other sites

Thanks for the report.  Thanks for the information.

While reading online email at Gmail, it can very well be that there are new emails ( when being read) have embeded links that trigger the blocks.

Think malvertising.

Lets do a couple of things.

[ 1 ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

also, if you use Chrome or Firefox browser, install the Malwarebytes beta browser extension.  There is one for Chrome & another for Firefox.

To get & install the Malwarebytes beta Chrome extension,

Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

 

To get & install the Malwarebytes beta Firefox extension.

Open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

[ 2 ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Version 7.4 of Adwcleaner  detects factory Preinstalled applications too!

I  encourage you to take a look at the announcement blogpost to learn more this new detection category: https://blog.malwarebytes.com/malwarebytes-news/2019/07/your-device,-your-choice:-adwcleaner-now-detects-preinstalled-software/.

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

Thanks.  Keep me advised.

 

 

Share this post


Link to post
Share on other sites

Hello.  Checking in.  How are things ?

Share this post


Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.