I need all the help I can get!

[Avanel]

Malwarebytes keeps on blocking a site even though I have no browsers opened and recently the site has been in the "allow list" for no apparent reason.
This happens even after a clean windows installation and my email was apparently under a phising attack (spam mail and threat mails).
At certain times my download speed also drop from 90mbit to 0.2mbit (always happens between 10-12 AM and PM.)
Did all scans with whatever there is and nothing.

I'm not a tech person, so I'd be thankful if someone could help me out.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/28/19
Protection Event Time: 4:47 PM
Log File: fe607220-2980-11ea-93c7-d0509931000b.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.785
Update Package Version: 1.0.16883
License: Trial

-System Information-
OS: Windows 10 (Build 18362.418)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
Domain: 
IP Address: 62.210.207.229
Port: 1900
Type: Inbound
File: 

(end)
 

[Maurice Naggar]

Hi,    

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 

.

I have a few opening remarks to convey.   The block message from the web protection means that the pc is being protected  & this is the way it displays that to you.  Pc is protected.

A   specific I.P.  ( internet address) was Stopped.   The Malwarebytes program is doing its job.

 

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.

A block notice is an advisory of the "block".

For Your Information:

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each IP block occurrence.

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).

 A browser is not required to be running, just an active Internet connection with processes running,

such as Instant messenger clients, SKYPE or Peer-to-peer software, to trigger these alerts.

 

These are also triggered by banner ads running on websites which is the most common form of alert.

.

To get a review of your system, I need the following report.

I would appreciate  getting some key details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.5.3.749.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

[Avanel]

Hi Maurice, how can I get affected by ads so fast, as this is a cleanly installed windows?

The blocked IP and URL have been reported for phising from what I found from IPTracker and similar.
On top of that before I clean installed windows I was a victim of spam mail and phising attack, but so far only this IP was blocked and nothing else was found.

P.S: A friend of mine mentioned something about DNS Hijacking.


 

mbst-grab-results.zip

[Avanel]

Just now, Avanel said:

Hi Maurice, how can I get affected by ads so fast, as this is a cleanly installed windows?

The blocked IP and URL have been reported for phising from what I found from IPTracker and similar.
On top of that before I clean installed windows I was a victim of spam mail and phising attack, but so far only this IP was blocked and nothing else was found.

P.S: A friend of mine mentioned something about DNS Hijacking.


 

mbst-grab-results.zip 735.73 kB · 0 downloads

P.S:  Before everything started going out of control I did open a pdf fail accidentally, but after download it was like "broken", couldn't be found in the downloaded folder, nor opened.

[Maurice Naggar]

Thank you for the support-tool-report.   That is a big help for me to help you.

Let us just start with what follows.   There are a few small steps here.   My first goal is to help beef up your web browsers.

[   1   ]

Using Chrome browser. go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[   2    ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[     3    ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

Other suggestions, for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

 

[   4    ]

For Mozilla Firefox, to get & install the Malwarebytes Browser Guard  Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US.   There are other language version.  Just go to the very bottom right of the page and look at “Change language” list drop down.

 

[   5    ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.    We will do more later on.    Thanks in advance for your patience.

 

[Avanel]

[1] Done.

[2] Done.

[3] Done, but is this save for sensitive information like logins and credentials?

[4] Done, same question as [3]?

[5] Done.

AdwCleaner[S02].txt

[Maurice Naggar]

Yes, the Malwarebytes Browser Guards are safe.   They do not interfere with logins, credentials.

 

Thanks for the Adwcleaner report.  It reported no adwares & no P U P.    That is great.

 

Run a  new scan with Malwarebytes for Windows.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done,  IF some items are detected, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed.

IF zero items were reported, you can stop.

Repeat the scan one more time. It does not take long.

and again, be sure all detected items are removed.

Let it remove what it has detected.

 

We will do more later.

 

 

[Avanel]

Actually there was something suspicious.

I used Adwcleaner before I started this thread.

Will attach the 1st report I've got.

P.S: My friend keeps on repeating that maybe it's a DNS Hijack.

Here are both the Malwarebytes Threat Scan log and the 1st AdwCleaner run.

 

AdwCleaner[C00].txt Scan.txt

[Avanel]

I forgot to ask about something regarding the Threat Scan.

Is it normal for the scan to jump from 100k scanned to 200k instantly?

 

[Avanel]

I just noticed something unusual.
I had Spybot Search and Destroy and Farbar installed for some reason, yet I haven't downloaded them, they weren't even downloaded in the default download folder.

 

[Maurice Naggar]

The progress display during a scan  is not necessarily an accurate way to make a judgement.  The bottom line scan results are what we go by.

Yes, I noted that you & your acquaintance are guessing at a possible DNS hijack.

I just do not see that at this point.  Anyhow, all in good time.  One thing at a time.  We have to allow for the initial scans to do the heavy lifting.

The Adwcleaner made a small cleanup.

This last scan by Malwarebytes for Windows reports no active malware.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

NOTES:

To my knowledge, Spybot does not make use of Farbar FRST.

The Malwarebytes support tool does put on & run the FRST report.    Those help us a whole lot   ( us being the helpers on this malware=removal sub-forum).

This is to say I do not believe that your machine has a mystery regarding the Farbar.

[Avanel]

Hi!

- What I was confused about was why I had spybot installed in the C drive without my consensus and how.
- Another thing that popped up today was a bulk logon audit failures in the Event Viewer all of them from chrome.exe .
- succesful audits which were "Credential Manager was read" and audits that were "a user's local membership was enumerated". (This audit had my account name as a subject and for some odd reason the username was called "guest", but I have no other usernames on this computer.)

Currently waiting for the ESET scan to finish.

[Avanel]

I will attach the log file. 

ESETScan.txt

[Avanel]

Hi, Maurice!
I keep on getting these inbound connections blocked and firewall added some random whitelisted things.

Note:  Attached the logs and the ones marked in red are inbound + the strange firewall thing that should usually be firewall.dll only.
 

log1.txt log2.txt log3.txt

[Maurice Naggar]

Thank you for the ESET scan log.   It only found 2 exe files, which were removed.

As to your remark from before " What I was confused about was why I had spybot installed in the C drive without my consensus and how."

Spybot is not auto-installed.   Did you perhaps have a friend help you on your machine ?  or have you ever allowed anyone remote access ?

 

I honestly cannot  understand the first screen shot you have above.  Sorry.

As to the second screen from Malwarebytes ....... the block events mean that the real-time web protection of Malwarebytes is protecting your machine.   It stopped any connection.

See my prior notes in my very first reply.

 

At this point, I would like for you to do one very special scan with Microsoft Windows'  Windows Defender.

 

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows, without having to create bootable media.

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
 

In Windows Settings  >>> click on Windows Security from the left side list.

Next, In Windows Security section:  Click on the grey button Open Windows Security

next click on the blue Scan options

Look down the options list.  Tick on Windows Defender Offline scan.   Then click the grey "Scan now" button.

and let it scan the system.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.

 

We can do more later on, as needed.

 

[Avanel]

Hi, Maurice!

The scan turned out clear and nothing strange was found out.

The top picture is from firewall, more precisely the "allowed apps".
I just have no idea why FirewallAPI.dll is there and why it has that number behind it.

As for the Inbound connections that keep on getting blocked every now and then...honestly I have no idea which services might be triggering them and why would their IP's be Russian and Chinese. 
I wouldn't have really cared if I'm blocking outbound, but inbound are another story.

[Maurice Naggar]

Inbound blocks can & do happen.   Again, Malwarebytes Premium put the kibosh on any attempt to connect.

 

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

•  
• Save the file first,
• Close any running programs that you started on your own ( if any).

 

Double-click  RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

 

In the HOME tab, click Start Scan.

Upon completion, a browser window may open. Close this window.

 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.

 

[Avanel]

A good 30 seconds after the scan finished I got another Inbound Connection Blocked.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/30/19
Protection Event Time: 9:09 PM
Log File: da6d7f31-2b37-11ea-b0f2-d0509931000b.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.785
Update Package Version: 1.0.16987
License: Trial

-System Information-
OS: Windows 10 (Build 18362.418)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
Domain: 
IP Address: 37.49.231.108
Port: 5060
Type: Inbound
File: 

(end)

RogueKillerScan.txt

[Maurice Naggar]

Thanks.

Lets run a different scanner - - this from Microsoft

 

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

 

[Avanel]

Could the inbound connections be related to my user and password or port being know or just poor DNS or Ethernet protection?

NOTE: What about the detected item in RogueKiller? Safe or Remove?

MSERT Log attached.


 

MsertLog.txt

[Maurice Naggar]

The item tagged by Roguekiller is classified as a potential unwanted modification.   You can delete that registry item  By re-running Roguekiller and then in the Registry tab  to select it to be removed

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System|ConsentPromptBehaviorAdmin -- 0

 

Thanks for the MSERT log.  The Safety Scanner removed 1 entry that was hampering (potentially) the Windows Defender.

 

As to the source or cause of the inbound, it is nearly impossible to know what that is about or from.

If you use Skype or some sort of instant messenger apps on this box, see about temporarily turning them off   ( for the time being).

.

We can do a run with a special Malwarebytes anti-rootkit tool.

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
 

[Avanel]

Hi, Maurice!

I've been keeping tabs on my Event Viewer and there are some really strange things happening.
To me it looks that someone has access to my computer/or impersonates the system.
 

==========================================================

Event ID 4798

A user's local group membership was enumerated.

Subject:
    Security ID:        SYSTEM
    Account Name:        DESKTOP-[My computer's name]
    Account Domain:        [My Domain]
    Logon ID:        0x3E7

User:
    Security ID:        DESKTOP-[My computer's name]\Guest
    Account Name:        Guest
    Account Domain:       [My computer's name]

Process Information:
    Process ID:        0x10a8
    Process Name:        C:\Windows\System32\CompatTelRunner.exe

Note: Guest account is disabled.

=========================================================

Event ID 5059

Key migration operation.

Subject:
    Security ID:        DESKTOP-[My computer's name]\[My username]
    Account Name:        [My username]
    Account Domain:        [My computer's name]
    Logon ID:        0x1ED2EEC

Process Information:
    Process ID:        2192
    Process Creation Time:    ‎2019‎-‎12‎-‎31T09:20:54.516725200Z

Cryptographic Parameters:
    Provider Name:    Microsoft Software Key Storage Provider
    Algorithm Name:    UNKNOWN
    Key Name:    Microsoft Connected Devices Platform device certificate
    Key Type:    User key.

Additional Information:
    Operation:    Export of persistent cryptographic key.
    Return Code:    0x0

Note: This event "Creation Time" - 2019-12-31 09:20:54 (Was done while the computer was turned off)

=================================================================================

Event ID 5061

Cryptographic operation.

Subject:
    Security ID:        DESKTOP-[My computer's name]\[My username]
    Account Name:        [My username]
    Account Domain:        [My computer's name]
    Logon ID:        0x1ED2EEC

Cryptographic Parameters:
    Provider Name:    Microsoft Software Key Storage Provider
    Algorithm Name:    ECDSA_P256
    Key Name:    Microsoft Connected Devices Platform device certificate
    Key Type:    User key.

Cryptographic Operation:
    Operation:    Open Key.
    Return Code:  
==================================================================================

Evend ID 5058

Key file operation.

Subject:
    Security ID:        DESKTOP-[My computer's name]\[My username]
    Account Name:        [My username]
    Account Domain:        [My computer's name]
    Logon ID:        0x1ED2EEC

Process Information:
    Process ID:        2192
    Process Creation Time:    ‎2019‎-‎12‎-‎31T09:20:54.516725200Z

Cryptographic Parameters:
    Provider Name:    Microsoft Software Key Storage Provider
    Algorithm Name:    UNKNOWN
    Key Name:    Microsoft Connected Devices Platform device certificate
    Key Type:    User key.

Key File Operation Information:
    File Path:    C:\Users\UserAsrock\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_f7e753de-6f4c-4d67-b54c-7bca67216763
    Operation:    Read persisted key from file.
    Return Code:    0x0

==============================================================================

Event ID 4648

A logon was attempted using explicit credentials.

Subject:
    Security ID:        SYSTEM
    Account Name:        DESKTOP-[My computer's name]$
    Account Domain:        [My Domain]

   Logon ID:        0x3E7
   Logon GUID:        {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name:        [My username]
    Account Domain:        DESKTOP-[My computer's name]
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Target Server:
    Target Server Name:    localhost
    Additional Information:    localhost

Process Information:
    Process ID:        0x60c
    Process Name:        C:\Windows\System32\svchost.exe

Network Information:
    Network Address:    [Not my IP]
    Port:            0

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

==================================================================================
Event ID 4797

An attempt was made to query the existence of a blank password for an account.

Subject:
    Security ID:        DESKTOP-[My computer's name]\[My username]
    Account Name:        [My username]
    Account Domain:        DESKTOP-[My computer's name]
    Logon ID:        0x1ED2EEC

Additional Information:
    Caller Workstation:    DESKTOP-[My computer's name]
    Target Account Name:    Administrator
    Target Account Domain:    DESKTOP-[My computer's name]

mbar-log-2019-12-31 (12-09-46).txt

[Maurice Naggar]

The MBAR antirootkit result is perfect.

 

Look over all the auto-started apps that start with Windows startup  and reduce them to only just the barebones   ( like Malwarebytes & any other security app

How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

 

Also, along with that, when you start & login to Windows, use a regular login-account    ( NOT  any administrator-level one )

Use a Standard user account rather than an administrator-rights account .
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use .

 

and if need be, Change the password on all your Windows accounts.

[Avanel]

I flushed and changed my DNS, so far I haven't gotten any new inbound connections blocked.
 Maybe some inbound connections are related to some of the services or the applications that I have installed, but I doubt that since one of the IP's is from a chinese game based company and I don't use their products and the other IPs are from webprotection companies.

So far it looks like they are just probing my port, but not sure what else could happen.

Note: The 1st Link doesn't open and literally redirects me to this post.

[Avanel]

System Configuration look odd though. 
Shouldn't there be a name inside the red marking?
Even the icon is missing, looks like a blank space.