Mizgal

Outgoing connections detected by Malwarebytes

Hello!
I experienced my Malwarebytes detecting dozens (20-30) of outgoing connections and blocking www sites; it happened during normal browsing of sites that were not problematic in the past. I performed a full scan with AVG and Malwarebytes afterwards but nothing was found.
I would greatly appreciate it if someone could clarify whether I am safe or whether a more thorough diagnostic is to be performed.

Addition.txt FRST.txt


Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

 

For Your Information:

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each IP block occurrence.

The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).

A browser is not required to be running, just an active Internet connection with processes running, such as Instant messenger clients, SKYPE or Peer-to-peer software, to trigger these alerts.

 

These are also triggered by banner ads running on websites which is the most common form of alert.

 

[ 2 ]

It would be good to know which web browser is in use when the block notices come up.

What website is being visited at that time ?

Were you reading Email online thru the browser ?   which web browser ?

 

Look at the following Malwarebytes Blog article and scroll down to the section marked *Clear your browser's cache
and do that for each of your web browser programs.
https://blog.malwarebytes.com/puppum/2017/04/adware-the-series-part-1/

 

[ 3 ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Version 7.4 of Adwcleaner  detects factory Preinstalled applications too!

I encourage you to take a look at the announcement blogpost to learn more about this new detection category: https://blog.malwarebytes.com/malwarebytes-news/2019/07/your-device,-your-choice:-adwcleaner-now-detects-preinstalled-software/.

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

There will be more to do later.

Thanks.  Keep me advised.

 

 

 


Hello, 
thank you for your answer!
1. There are no suspicious symptoms.
What do you mean by: " (...) or there are multiple (different) IPs (ex;123.23.34 and 4.44.56)."

2. I was using google chrome.

Sorry I don't remember exactly, likely a popular anime streaming site. It was 2 weeks ago, and I was not able to take care of that matter earlier.
No, I wasn't reading Email online or offline at that moment.
I've done everything according to this article.

3.Done
 

AdwCleaner[C00].txt


Hi.  To your # 1,   I mean if more than one website address or more than one IP address keeps re-appearing all the time.  2 or more repeats of the very same.

Thanks for the Adwcleaner report.  It only found & removed 2 inert traces of adware in the registry.  No actual files involved.   That is a fine result.

.

Let’s start by doing a new thorough scan with Malwarebytes for Windows.   The goal is to see whether there is an infection or P U P.

 

Let's do one new run with Malwarebytes for Windows.

Start Malwarebytes.

Click Settings. Click Protection tab & scroll down to Scan options.

On the section "Potential Threat Protection"
look down at the one "Potentially Unwanted Programs (PUPs)" look and make sure it is set to
"Always detect PUPS ".

and

look down at the one "Potential Unwanted Modifications (PUM)" look and make sure it is set to
"Always detect PUM ".

and
scroll all the way down to the section Automatic Quarantine
On the line "Automatically quarantine detected malware" be sure it is ON



Then once all set there, click on SCAN button
Then ensure Threat scan has a check mark. Then click Start scan.
Review the results list.
Then I would suggest you make sure all lines have a check mark

To that end, if you click the very top left checkbox you can force all detected lines ( if any are detected)  to be selected for removal. Be sure each line is checked.




Then you can proceed to click on the blue button Quarantine selected.


In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your next reply 

 

 


1. There were many different IPs, all blocked by Malwarebytes.

2. Currently, I am using the free version of Malwarebytes - I cannot turn on "Automatically quarantine detected malware".

 

MB.txt


Thank you for the report.  There was no P U P.   no malware reported.  I had you run Adwcleaner before.

The web protection of Malwarebytes is keeping the pc safe.  The protections in real-time of Malwarebytes will cease after the 14th day from original install.

Unless you get the Premium license for Malwarebytes.

Let's follow on with the following suggestions.

[ 1 ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[ 2 ]

also,  install the Malwarebytes beta browser extension.  There is one for Chrome & another for Firefox.

To get & install the Malwarebytes beta Chrome extension,

Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

 

To get & install the Malwarebytes beta Firefox extension.

Open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

[ 3 ]

You can check this system using another free tool at Microsoft.  For another opinion.

The Microsoft Safety Scanner is a free stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Take a minute to locate & then send the log that it made, named msert.log

It should be at C:\Windows\debug\msert.log

 


[ 4 ]

This fix is for Mizgal only.

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) to the K:\Pobrane folder

The tool named FRST64.exe  is already on the K:\Pobrane folder.

Start the Windows Explorer and then, open the K:\Pobrane folder.


Double click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your reply.    Also advise on the situation after this run.

.

Fixlist.txt


1. Done
2. Done
3. Done, only VirTool:Win32/DefenderTamperingRestore regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware was detected; it seems it is not a virus.

4. Hey, would you like to clarify, what is this fix going to do? Improving system registry is a correct guess?

 

msert.log


Ad.
In the meantime, Windows has been updated; does it change anything in relation to using this fixlog by FRST?


Windows update has no effect on what we are doing.

I very much would like a copy of the Fixlog.txt  file   from the FRST fix run

The fix run was for the purpose of removing tasks that were dead & no longer applied & for housekeeping for Firefox.

The scan by the Safety scanner caught a line that may have prevented Windows Defender from working.

Please attach the FIXLOG.txt with your reply.    Also advise on the situation .  Have the block event notices stopped ?
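
The Safety Scanner detection quoted earlier in this thread, taken apart field by field (an added example, not part of the original posts and not code from Malwarebytes or Microsoft). It assumes the layout of the quoted line: a threat name in Microsoft's Type:Platform/Family form followed by a resource, with a doubled backslash separating the registry key from the value name; the function names are hypothetical.

```python
import re
from typing import NamedTuple

# Constructed sample: the detection as quoted in this thread
# (a single line, not a complete msert.log).
SAMPLE = (r"VirTool:Win32/DefenderTamperingRestore "
          r"regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware")

class Detection(NamedTuple):
    threat_type: str   # e.g. VirTool
    platform: str      # e.g. Win32
    family: str        # e.g. DefenderTamperingRestore
    scheme: str        # kind of resource flagged, e.g. regkeyvalue
    key: str           # registry key (or the whole target for other schemes)
    value: str         # registry value name, "" if none

# Microsoft threat names: Type:Platform/Family[.Variant][!Suffix]
NAME_RE = re.compile(r"^(?P<type>[^:\s]+):(?P<platform>[^/\s]+)/(?P<family>[^.!\s]+)")

def parse_detection(line: str) -> Detection:
    """Split '<threat name> <scheme>://<target>' into its fields."""
    name, _, resource = line.strip().partition(" ")
    m = NAME_RE.match(name)
    scheme, sep, target = resource.strip().partition("://")
    if not m or not sep or not target:
        raise ValueError(f"not a detection line: {line!r}")
    key, value = target, ""
    if scheme.lower() == "regkeyvalue":
        # Assumption from the quoted line: a doubled backslash separates
        # the key path from the value name.
        head, dbl, tail = target.rpartition("\\\\")
        if dbl:
            key, value = head, tail
    return Detection(m["type"], m["platform"], m["family"], scheme.lower(), key, value)

DEFENDER_KEYS = (r"hklm\software\microsoft\windows defender",
                 r"hklm\software\policies\microsoft\windows defender")

def touches_defender_config(d: Detection) -> bool:
    """True when the flagged item is a registry setting under a Defender key."""
    return d.scheme.startswith("regkey") and d.key.lower().startswith(DEFENDER_KEYS)

def describe(d: Detection) -> str:
    what = f"value '{d.value}' under {d.key}" if d.value else d.key
    kind = "a Defender configuration setting" if touches_defender_config(d) else "an item"
    return f"{d.threat_type} detection ({d.family}) on {kind}: {what}"

if __name__ == "__main__":
    print(describe(parse_detection(SAMPLE)))
```

Read this way, the flagged item is a single registry value under the Windows Defender key, not a file on disk.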

 


Thanks for the log.  That is a good run.  and I am glad to know that the block notices have gone away.

Let me know if you need other help. 

You should delete the FIXLIST.txt file I had you save.

I had given you tips about Chrome & Firefox.

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Safer practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.


Check in at http://windowsupdate.microsoft.com 
Windows Update and install any Important Updates offered.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.

I am happy to have helped.

Sincerely,

Maurice

 

 


Thank you very much for your help!
If right now I am secure, then it would be all, I think.

Best regards
Mizgal


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.
