psm9

Getting constant popups "Website blocked due to Trojan"


Hello,

I'm using Malwarebytes 4.0.4 on a PC running Win10.

For the last several days, I have been getting a "Website blocked due to Trojan" popup every time I go to any new website. The domain listed is "hardyload.com".

I ran Malwarebytes multiple times - it finds nothing. I ran adwcleaner - the first time, it found something and removed it, but that didn't change anything. Further scans have been clean.

 

I've attached one of the RTP detection reports from Malwarebytes and my last Threat scan. Also the AdwCleaner logs: the first from the run where it cleaned something, and then one I ran today (clean).

 

Thanks for any help you could give.

 

Paul

Blockedsitereport1.txt Lastthreatscan.txt AdwCleaner[C00].txt AdwCleaner[S03].txt


Hi, @psm9 :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.
Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please attach only the report files, etc., that I ask for as we go along.

The block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your PC safe from potential harm.
A block notice is an advisory of the "block".
For your information:
The website block message indicates that a potential risk was blocked by the malicious website protection.
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done.
On outbound blocks, any attempted connection was stopped.

No action is required unless you're also experiencing malware symptoms or there are multiple (different) IPs (e.g. 123.23.34 and 4.44.56).

Let us begin with these starter steps. We will do more later.

I need you to use the Chrome browser to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button.
At the prompt click on "Ok".

 

[ 2 ]

Install the Malwarebytes beta browser extension.  There is one for Chrome & another for Firefox.
To get & install the Malwarebytes Browser Guard extension for Chrome,
Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee 
Then proceed with the setup.
 

Let me know after these steps are done.

Edited by Maurice Naggar


Maurice,

 

Thanks for the quick reply. I reset the sync and I installed the Browser Guard extension.

 

What next?

 

Paul


Hello Paul.

Windows 10 has Microsoft Windows Defender, which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows.

Click the Windows Start menu button on the Taskbar and select the Settings icon. Then choose Update and Security.

In Windows Settings >>> click on Windows Security from the left side list.
Next, in the Windows Security section: click on the grey button Open Windows Security.
Next, click on the blue Scan options.
Look down the options list. Tick Windows Defender Offline scan. Then click the grey "Scan now" button,
and let it scan the system.

Keep in mind that the design of Windows Defender, and what it scans, is entirely different from Malwarebytes. But do let me know how this scan goes and what the result is.
 


I ran the scan. Took about 5-10 minutes to run. Afterwards, it returned to my log-in page. 

I opened up the Virus & Threat Protection segment of the security settings and nothing different is there.

It says MalwareBytes is turned on. Under Current Threats, it has a green check and says No Actions Needed.

I've been getting the pop up less since adding the Browser Guard extension. Still seeing some, but about 2/3 less often.

 

What next?

 

Paul


Be sure to delete the CACHE files & History  in each of the web browsers.

Look at the following Malwarebytes Blog article and scroll down to the section marked *Clear your browser's cache* 
and do that for each of your web browser programs.
https://blog.malwarebytes.com/puppum/2017/04/adware-the-series-part-1/


[ 2 ]

Keep in mind that the block notices do NOT mean there is some infection on the machine.  I do expect that the Browser Guard is indeed helping out.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click the blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” (in blue, at bottom).
Press Continue when all done. You should decline the offer for “periodic scanning”.
 


Thanks for the help.

I deleted the cache on chrome and Edge.

The ESET scan found nothing (took several hours to run). I've attached the Scan log.

Again, the popups occur, but less often than originally.

 

Question: We have ~7 Chrome user accounts on this computer. These popups have only appeared when I use my account.

When my wife or kids use theirs - no pop-ups. I haven't installed the Browser Guard extension on anyone else's Chrome account - just mine.

I assume the PC version of Malwarebytes would show these blocked Trojan popups if they were happening, regardless of whose chrome account it is. Correct?

I did not delete the browser cache from the other users' chrome accounts. When I did it on mine, does that also delete their Chrome cache? If not, should I do theirs, too, even if they haven't seen popups?

What else should I do, next?


Hi, Paul.

Thanks for the ESET scan log. Just as you said, ESET found zero viruses, zero PUPs, zero malware.

The Malwarebytes Browser Guard ought to be installed for all users.

You indicate that your Chrome account is the only one that gets occasional "block" notices. When that happens, at the moment of the block event, what website is it visiting?

OR possibly, is this happening when you are reading an email?

 

What I have here, at present, is a batch custom script to do some cleanups of cache & temp files, & to rebuild the Winsock

Please Close and Save any open work you may have open.

Please close as many unneeded app windows as you may have open at this point, so you have a clear field of view.

 

P.S. Delete any prior saved copy of Fixlist.txt (from before).

 

This custom script is for psm9X only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select Save Link As, and save it directly (as is) to the DESKTOP folder.

The tool named FRST64.exe is already in the Downloads folder.

Start Windows Explorer and then go to the Desktop.

RIGHT-click on FRST64 and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click the line More info on that screen

and click the button Run anyway on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

[Image: FRST_Fixl.png]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

[ 2 ]

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

Save the file first,
Close any running programs that you started on your own ( if any).

Double-click  RogueKillerx64.exe to run the program.
Follow the prompts. If a browser window opens, close the window.

In the HOME tab, click Start Scan.
Upon completion, a browser window may open. Close this window.
Important:

Please do not have RogueKiller remove any detected items.

 

Click the HISTORY tab followed by Scan Reports.
Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.
Please attach the file in your next reply.
 

P.P.S. If there is a repeat of a website block notice, I want to know: 1) what website link address is up at the top of the address bar (of the web browser)

& 2) which web browser is in use

3) if you clicked some link? if perhaps you were reading email? If the latter, which email is it?

Fixlist.txt


I've attached those 2 logs.

What I've noticed today is that I see it ~4-5 seconds after opening a New Tab in Google Chrome. Nothing else seems to provoke it. If I go to a website by clicking a link, I don't see it. When I click new tab, I now notice that I get the popup whether I type in a website URL or not. Because it happens a few seconds after I hit the "+" to open a new tab, I normally would have already typed in a URL, so I assumed that was the problem. Now, if I just open a new tab and do nothing else, I get the popup.

 

My new tab setting in Chrome is the "New Tab page"

Never occurs with email. Only opening new tabs.  We only use Chrome.

 

Could it be some extension I installed? 

Fixlog.txt roguescan.txt


You can drill through the settings and preferences in Chrome that pertain to new tabs, as well as the start page if necessary.

Thank you for the reports. The Fix run did as planned.

On RogueKiller, run it one time; I would like you to remove only 1 item, and that is under the Web browsers section.

Remove this line-item

[PUP.Gen0 (Potentially Malicious)] Honey (C:\Users\Miriam and Paul\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\BMNLCJ~1) -- bmnlcjabgnpnenekpadlanbbkooimhnj

 

As to Chrome, and setting your homepage and startup page,
see this link https://support.google.com/chrome/answer/95314?hl=en

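Paul's observation (the block fires a few seconds after opening a New Tab, on one Chrome profile only) and the RogueKiller line item sitting under a profile's Extensions folder both point at the same place: the manifest.json of each installed extension, which is where an extension declares that it replaces the New Tab page, the homepage or the search provider. The script below is an added example written for this thread, not code from Malwarebytes, RogueKiller or any poster. It walks a Chrome "User Data" directory, reads every extension manifest in every profile, and flags the ones that declare chrome_url_overrides.newtab, chrome_settings_overrides (homepage, startup pages, search provider) or access to all sites. The default path, the function names and the three extensions created by build_sample_user_data() are assumptions and constructed sample data, not anything found on Paul's machine.

```python
"""Audit Chrome extension manifests across every profile under one
"User Data" directory and flag the ones that can change what a new tab,
the homepage or the default search shows.  Added example for this thread,
not code from Malwarebytes or any poster; paths and sample data are assumptions."""
import json
import os
import sys
import tempfile
from pathlib import Path

# Assumption: default Chrome location on Windows. Pass another path as argv[1].
DEFAULT_USER_DATA = Path(os.environ.get("LOCALAPPDATA", ".")) / "Google" / "Chrome" / "User Data"

# Match patterns that grant an extension script access to every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def load_manifests(user_data_dir):
    """Yield (profile, extension_id, version_dir, manifest) for each installed extension.

    Layout: <User Data>/<profile>/Extensions/<32-char id>/<version>_<n>/manifest.json
    """
    for path in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or partially written manifest: skip, do not crash
        # parents[0] = version dir, [1] = extension id, [2] = Extensions, [3] = profile
        yield path.parents[3].name, path.parents[1].name, path.parents[0].name, manifest


def risk_flags(manifest):
    """Return the browser-hijack indicators declared in one manifest (may be empty)."""
    flags = []
    if "newtab" in manifest.get("chrome_url_overrides", {}):
        flags.append("newtab_override")          # replaces chrome://newtab
    settings = manifest.get("chrome_settings_overrides", {})
    for key in ("homepage", "startup_pages", "search_provider"):
        if key in settings:
            flags.append(key + "_override")      # homepage / start pages / search hijack
    hosts = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    if any(h in ALL_SITES for h in hosts):
        flags.append("all_sites_access")         # can read/alter every page visited
    return flags


def audit(user_data_dir):
    """Return one row per extension, sorted by profile then id, with its flags."""
    rows = []
    for profile, ext_id, version, manifest in load_manifests(user_data_dir):
        rows.append({
            "profile": profile,
            "id": ext_id,
            "version": version,
            # A name like "__MSG_appName__" is localized; look it up in _locales/ if needed.
            "name": manifest.get("name", "?"),
            "flags": risk_flags(manifest),
        })
    rows.sort(key=lambda r: (r["profile"], r["id"]))
    return rows


def build_sample_user_data():
    """Create a throwaway User Data tree with three constructed extensions (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="chrome_user_data_"))
    samples = [
        ("Default", "aaaabbbbccccddddeeeeffffgggghhhh",
         {"name": "Harmless Notes", "version": "1.0", "manifest_version": 3,
          "permissions": ["storage"]}),
        ("Profile 1", "bbbbccccddddeeeeffffgggghhhhiiii",
         {"name": "Shiny New Tab", "version": "2.3.1", "manifest_version": 3,
          "chrome_url_overrides": {"newtab": "newtab.html"},
          "host_permissions": ["<all_urls>"]}),
        ("Profile 1", "ccccddddeeeeffffgggghhhhiiiijjjj",
         {"name": "Search Helper", "version": "0.9", "manifest_version": 2,
          "chrome_settings_overrides": {"search_provider": {
              "name": "Example", "search_url": "https://search.example/?q={searchTerms}",
              "is_default": True}}}),
    ]
    for profile, ext_id, manifest in samples:
        ext_dir = root / profile / "Extensions" / ext_id / (manifest["version"] + "_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_USER_DATA
    if not target.is_dir():
        target = build_sample_user_data()   # no real profile here: demo on constructed data
    for row in audit(target):
        marker = "!!" if row["flags"] else "  "
        print(f"{marker} [{row['profile']}] {row['name']} ({row['id']} {row['version']}) {row['flags']}")
```

Run it with the path to the Chrome profile root (on Windows usually the "User Data" folder under the user's AppData\Local\Google\Chrome) or with no argument to use that default; if the folder does not exist it audits the constructed sample instead. Each row is keyed by profile, so a hit that shows up only under one profile lines up with Paul's "only my account" symptom. A flag is a lead, not a verdict: plenty of legitimate extensions replace the New Tab page or request all-sites access, so the next step is to compare the flagged extension's id against what the user knowingly installed and, as Paul did, reset or remove it and see whether the block notices stop.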

Thanks again.

Sorry if I'm being daft, but I don't understand what to do with RogueKiller.

Where do I remove that line item and then what do I do?


I think it's fixed.   Since it was only happening with New Tabs on Chrome, I assume some extension I installed was hijacking the New Tab page and redirecting to a malware site.

I reset my Chrome settings, which reset my New Tab page.

 

So far, no more popups.  I think that was it.

 

Thanks for the help.

I'll sign off for now, but I'll post again if it comes back.

 

Thanks!


Hi.  You are welcome.

You may delete the file I had you download, esetonlinescanner_enu.exe.

 

To help cleanup on tools used:

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

 

If your security program alerts to Delfix, either accept the alert or turn your security off.

Please right-click on Delfix and choose Run as administrator.

Make Sure the following items are checked:

  Remove disinfection tools <----- this will remove tools we may have used.

 

Any other downloads I had you do, you may manually delete.


It is not enough to just have a security program installed. Each PC user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention: 
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources. 
First rule of internet safety: slow down & think before you "click". 

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos). 

 
Free games & free programs are like "candy". We do not accept them from "strangers". 


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing. 
Never open attachments from the email itself. Do not double click in the email. Always save first and then scan with an antivirus program.
 
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. 
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next". 
 
Use a Standard user account rather than an administrator-rights account when "surfing" the web. 
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html 
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.
 
 
Do a Windows Update. 
 
Make certain that Automatic Updates is enabled. 
https://support.microsoft.com/en-us/help/12373/windows-update-faq 

 
 
 
Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched prevents attackers from being able to exploit those vulnerabilities to drop malware.
 
For other added tips, read "10 easy ways to prevent malware infection" 


Backup is your best friend.

My best wishes to you.   Stay safe.

Sincerely,

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.
