Jump to content
PvdElst

Trojan keeps popping up in mwbytes, but ip address are blocked in firewall

Recommended Posts

Hi Malwarebytes,

I'm keep getting Malwarebytes popup's about RTP detection on Trojans. I'v tried about everything, including putting all ip addresses noted by Malwarebytes in firewall block rules, both incoming and outgoing. I've run adwcleaner_8.0.0.exe which found 2 PUP entries: PUP.Optional.Legacy             izito.nl and PUP.Optional.SofTonicAssistant  Softonic NL. Both where removed by adwcleaner, but the somehow come back. I've also run HitmanPro but it shows tracking cookies only. And still Malwarebytes reports incoming Trojans. All reported Trojan inbound connections target port 445 (SMB), see attached log.

On the system we're using Malwarebytes Premium 4.0.4

How is it even possible that these connection get through the firewall??
Any thoughts anyone?

Cheers, Paul

MBAMSERVICE.LOG

Share this post


Link to post
Share on other sites

Hi,     :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 


I would appreciate  getting some key details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.5.3.749.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

Share this post


Link to post
Share on other sites

Hi Maurice,

I'v attached the zip file, but I have to tell you that I already used mb-support-1.5.3.749.exe last week, and I than did use "Start Repair". But the trojans keep coming.

Over the past months Malwarebytes found 49 different ip addresses from which these trojans originated. These ip addresses are in firewall block rules.

Thanks in advance for your help, Paul

mbst-grab-results.zip

Share this post


Link to post
Share on other sites

Thank you very much for the report.

For Your Information:    The web protection of Malwarebytes Premium is protecting your pc.

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each IP block occurrence.

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).

.

The block history reports show this IP being blocked

37.52.9.2

81.18.134.18

201.24.82.11

.

I would like you to do one special run to get a update & then do a new scan.   These will not take long,

[    1    ]

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.

 

[   2    ]
on the Scanner tab,  Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed. Then too, Repeat the scan one more time. It does not take long.

and again, be sure all detected items are removed.


Let it remove what it has detected.

[    3   ]

Attach a copy of that Scan log.   I need to review the Scan Report.    See the how-to article   & do a report export  & then attach it

see   https://support.malwarebytes.com/docs/DOC-3541

 

.

 

Share this post


Link to post
Share on other sites

Hi Maurice,

 

Thanks for your help.

I've performed the steps. No threats where found, see attached log.

However, what bothers me is that these incoming connections, all targeting port 445 (SMB), keep getting through the firewall. I'm positive that Malwarebytes is blocking them, but I don't understand how these  connection even get to Malwarebytes. I've verified that my firewall blocking rules contain the ip addresses you mentioned: 37.52.9.2, 81.18.134.18, 201.24.82.11, so I would think they won't get through and Malwarebytes would never see these incoming trojan connections.

Kind regards, Paul

20191210MWBScanReport.txt

Share this post


Link to post
Share on other sites

Thank you for the report.

 

Let's use a different scan tool.

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Share this post


Link to post
Share on other sites

Thank you for the report.

 

We can do a different scan.

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

 

Share this post


Link to post
Share on other sites

Thank you.  Excellent result.

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Thu Dec 12 13:50:33 2019

 

You may  try to get the Microsoft Windows Defender  Offline and run it.  It is a antivirus/malware checking tool from Microsoft.  You'll need to arrange to have it on either a USB-flash-thumb drive , or else if you have a optical drive writer, on a CD or DVD.

I am going to cite the references for it at Microsoft.

The download links are listed at the bottom of the article.  The last part of the article addresses how to execute on Windows 7 or 8.1

https://support.microsoft.com/en-us/help/17466

 

Share this post


Link to post
Share on other sites

Hi Maurice,

The server is in a cloud. I've contacted the cloud provider, but it's not possible to boot from ISO o.i.d.

I think my next step is a complete wipe of the disk and to start over.

Kind regards, Paul

Share this post


Link to post
Share on other sites

OK.  Understood.    After rebuilding the OS, please be real sure to run MS Windows Update to insure all security patches are up to date.

Also look to secure all remote desktop access.

https://blogs.technet.microsoft.com/motiba/2017/09/21/securing-remote-connections/

 

Let me know if you need anything else.

 

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

For other added tips, read "10 easy ways to prevent malware infection"

Sincerely,

Share this post


Link to post
Share on other sites

You are very welcome.   I am glad to have helped.

You may delete the ESET download   "esetonlinescanner_enu.exe"

You may delete any other file I had you download.

All best wishes to you.

Sincerely,

Maurice

Share this post


Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.