MALWARE BYTES BLOCKING OUTBOUND CONNECTION TO WEBSITE USING POWERSHELL

[Shahir]

Hi

Im running a windows server with malware bytes installed.I keep getting notified by malware bytes that an outbound connection was blocked. Please see the attached file detection history which shows the same. I have also uploaded the file scan report from malware bytes scan

Im trying to run frst tool bar but unable to open it. 

scan report.txt

[Maurice Naggar]

Hi,     

My name is Maurice. I will be helping and guiding you, going forward on this case.   Please let me know what first name you prefer to be called by.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 

Please do understand, Malwarebytes for Windows does not support usage on Windows Server O.S.'s

 

I would appreciate  getting some key details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.5.3.749.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

[Shahir]

Hi Maurice

Thank you for your reply. See attached as requested.

 

---

mbst-grab-results.zip

[Maurice Naggar]

Thanks for the report.

One note of caution.   The OS   Windows Server 2016 Standard  is at release build 1607.   Seems to me that that is way out of date.   Please see about getting Latest Microsoft Windows release build.

There are 3 tasks set in Windows Tasks  that are the ones with batch-type runs & are the "boogers"  at play.  This next task will remove those 3.

[    1   ]

This custom script is for  Shahir  only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  DOWNLOADS  folder

The tool named FRSTENGLISH.exe   tool    is already on the Downloads folder

Start the Windows Explorer and then, to the Desktop.


Double click FRSTENGLISH

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity    We will do more later on

Keep going and do the next task, please.

[    2    ]

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
 

 

 

Fixlist.txt

[Shahir]

Here you go what was requested

Fixlog.txt mbar-log-2019-12-29 (21-07-44).txt

[Maurice Naggar]

Thank you very much for the 2 report.

The custom fix script was a good run.   That should have got the situation of mis-use of powershell all removed.

The MBAR antirootkit tool run reports no rootkits or infections.

 

Run a new  scan with Malwarebytes for Windows.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed.    If no items are detected, then you may stop ;   just please be sure to send a copy of the scan report.

 

IF something was detected, Repeat the scan one more time. It does not take long.

and again, be sure all detected items are removed.

Let it remove what it has detected.

 

[Shahir]

Hi

Sorry for the delayed replies. I have done a scan and some threats were detected and quarantined. No more outbound connections were detected in the last 48 hours. I m curious to know what kind of issues was i facing and how the server got infected? We did have ransomware attacks on our computers and did a clean install of the server but it still came back . I have formated the other computers on the network as well and as of now all is well 

Your support is really great and now im definitely buying the premium version. What kind of security products can you provide for a windows server 

Thank you agin for your support

[Maurice Naggar]

Sorry, there is not a way for me to know what /how this machine may have got infected.

Please know that Malwarebytes for Windows is just only for consumer level Windows O.S.    ( basically Windows 7,  8.1,  or 10 )

For Server O.S.   you need to check with business support     https://support.malwarebytes.com/community/contactsupport/pages/business-support

 

I am happy to read that the  I  P   blocks have ceased.

Happy New Year to you.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"