garysoh

Website blocked due to trojan?


Hi there, I keep getting a notification of website blocked due to trojan, but I do not know which program is causing it.

The pop-up says that it is an outbound connection from Wscript.exe, and it is coming from a website called "usa-m.duckdns.org" 

What logs can I attach here to get more assistance? Someone mentioned MBST so I attached the zip file here.

 

mbst-grab-results.zip


Hi,    :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only attach the report files, etc. that I ask for as we go along. Thank you for providing the MBST support tool report!

.

The web protection of Malwarebytes Premium is protecting your system.

For Your Information:

 

The block notices from Malwarebytes web protection mean that Malwarebytes Premium is keeping your PC safe from potential harm.

A block notice is an advisory of the "block".

It indicates that a potential risk was blocked by the malicious website protection.

The Malwarebytes web protection, by default, will always show each block occurrence.

The Malwarebytes web protection feature will advise customers when a known or suspected malicious IP is about to be reached (outgoing) or is trying to access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done.

On outbound blocks, any attempted connection was stopped.

 

No action is required unless you're also experiencing malware symptoms or there are multiple (different) IPs (e.g. 123.23.34 and 4.44.56).

A browser is not required to be running; just an active Internet connection with processes running, such as instant messenger clients, Skype or peer-to-peer software, is enough to trigger these alerts.

.

There are 2 extremely suspicious tasks named "windows update verifier" that use wscript, and at least 3 batch files associated with this.

 

Please Close and Save any open work you may have open.

Please close as many unneeded app windows as you can at this point, so you have a clear field of view.

 

You did not save FRST64.exe in a regular folder, so you will have to be extra careful.

You have FRST64 in this folder: C:\Users\Gary\AppData\Local\Temp\mwbAD24.tmp

 

This custom script is for  garysoh    only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the attached file named FIXLIST and select Save link as, and save it directly (as is) to the C:\Users\Gary\AppData\Local\Temp\mwbAD24.tmp folder.

The FRST64.exe tool is already in the Downloads folder.

Start Windows Explorer and then go to the C:\Users\Gary\AppData\Local\Temp\mwbAD24.tmp folder.

RIGHT-click on FRST64.exe and select Run as administrator, and allow it to proceed. Reply YES when Windows prompts you to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.

 

IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

[screenshot: the FRST window with the Fix button]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the Fixlog.txt with your next reply, at your next opportunity.

 

 

Fixlist.txt

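The persistence the helper describes above (scheduled tasks that launch wscript, the batch files tied to them, and an outbound connection from Wscript.exe to usa-m.duckdns.org) can be triaged read-only before or alongside the FRST fix. The following is an added example and is not part of the FRST fixlist, the thread, or any Malwarebytes tool. The task name and the duckdns.org domain come from the thread; the script-host list, the dynamic-DNS indicator pattern and the output layout are this example's own assumptions. Run it from an elevated PowerShell on Windows 8/Server 2012 or later (it uses the ScheduledTasks, NetTCPIP and DnsClient modules):

```powershell
# Added example: read-only triage of wscript-based scheduled-task persistence.
# Nothing here removes or changes anything; it only reports what it finds.

$scriptHosts = @('wscript.exe', 'cscript.exe', 'cmd.exe', 'mshta.exe', 'powershell.exe')
# Assumed indicator list: dynamic-DNS providers commonly used for C2 (duckdns.org is from the thread).
$dynDns      = 'duckdns\.org|no-ip\.(com|org)|ddns\.net|hopto\.org'
# A script file path, drive-letter or %ENV%-rooted, quoted or not.
$scriptExt   = '(?i)(?:[a-z]:|%[^%]+%)\\[^"<>|]+?\.(vbs|vbe|js|jse|bat|cmd|ps1|wsf)\b'

# 1. Scheduled tasks whose action is a script host or points at a script file.
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # COM-handler / e-mail actions have no Execute
        $exe     = [IO.Path]::GetFileName($action.Execute).ToLowerInvariant()
        $cmdline = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($scriptHosts -contains $exe -or $cmdline -match $scriptExt) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName          # e.g. "windows update verifier" in this thread
                State    = $task.State
                Author   = $task.Author
                Command  = $cmdline
            }
        }
    }
}
$suspectTasks | Format-Table -AutoSize -Wrap

# 2. The script/batch files those tasks reference, and whether they mention a dynamic-DNS host.
$scriptFiles = $suspectTasks.Command |
    ForEach-Object { [regex]::Matches($_, $scriptExt) | ForEach-Object Value } |
    Sort-Object -Unique
foreach ($file in $scriptFiles) {
    $f = [Environment]::ExpandEnvironmentVariables($file)
    if (-not (Test-Path -LiteralPath $f)) { "$f (referenced by a task but missing)"; continue }
    $hits = Select-String -LiteralPath $f -Pattern $dynDns -AllMatches
    "{0}  size={1}  dynDNS-hits={2}" -f $f, (Get-Item -LiteralPath $f).Length, @($hits).Count
    $hits | ForEach-Object { "    line {0}: {1}" -f $_.LineNumber, $_.Line.Trim() }
}

# 3. Live evidence behind the outbound block: running script hosts, their command
#    lines and parent PIDs, their TCP connections, and cached DNS answers.
$hosts = Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'"
$hosts | Select-Object ProcessId, ParentProcessId, CommandLine | Format-List
if ($hosts) {
    Get-NetTCPConnection -OwningProcess ([uint32[]]$hosts.ProcessId) -ErrorAction SilentlyContinue |
        Select-Object OwningProcess, RemoteAddress, RemotePort, State
}
Get-DnsClientCache | Where-Object { $_.Entry -match $dynDns } |
    Select-Object Entry, Data, TimeToLive
```

The task and file sections are the durable evidence; the wscript.exe process that triggers the web-protection block is often short-lived, so section 3 may show nothing even on an infected machine, while the DNS cache will still hold the resolved duckdns.org name for its TTL. Tasks registered under \Microsoft\Windows\ paths with a Microsoft author and a plain executable are expected; a task in the root path, authored by the local user, that runs wscript.exe against a .vbs or .bat in AppData\Local\Temp is the pattern worth sending to the helper.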

PS. Please do not download any games or anything else on your own. The Malwarebytes scan of April 4 found a lot of malware:

Trojan.StolenData

PUP.Optional.ProxyGate

RiskWare.ProxyGate

RiskWare.GameHack.Generic

PUP.Optional.BitCoinMiner

Backdoor.Bifrose (whose remnants are currently involved in those website block notices)

 

So, no game playing, no new downloads  ( unless I guide you to them), no shopping, no banking online.   If you have questions, ask me first.

It is quite possible your identity and or some financial accounts  ( if your credit card or bank account numbers are stored on this machine )  may have been exfiltrated -  stolen.


It looks like we only got very partial content in the Fixlog. Please see if you can find the file one more time, and this time attach it directly in a new reply, at your next chance.

For now, let us do what follows. I am going ahead and listing 2 tasks. Do not let it overwhelm you. Just do them & keep going.

[    1    ]

I would suggest downloading, saving, and then running Malwarebytes AdwCleaner.

Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan.

AdwCleaner detects factory-preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see the main screen for AdwCleaner. (If you do not see it right away, minimize the other open windows so you can see AdwCleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

[     2    ]

Keep going with this.

I would like you to do a new scan with Malwarebytes for Windows.  One of the major goals here is to have it remove all that it detects.  If it finds anything that is.

Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the Security tab.   Look for the section "Automatic Quarantine".   Be sure it is clicked On   ( to the far right side)

 

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for PUP & for PUM) to be set to "Always (Recommended)".

You can make the change by clicking on the down-arrow selection list control. We want all PUP & PUM to be marked for removal.

 

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.

Next click the blue button marked Scan.

When the scan phase is done, be very sure you review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

Then locate the scan run report, export a copy, and attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Thanks.  Keep me advised.


Thanks.  Yes, the scan result from Malwarebytes for Windows is excellent.   The Adwcleaner did do some cleanups.

Let's go ahead and do these steps, next.

[   1   ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links and the instructions for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

 

[    2    ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 

 


Thanks for the reports. The result of the Microsoft Safety Scanner is good.

The ESET scan found a goodly number of different malware & PUP (potentially unwanted programs) on the C, D & E drives.

Keep in mind that each scan tool has its own unique design, unique definitions & even a different scope of scanning.

 

Tell me, did you at some point, move your Program files folder to the D drive ?   or do the same for your "user" folders in Windows ?

Since ESET found malware, I think it would be prudent to keep doing more scans.

 

See about downloading and running the Kaspersky Virus Removal Tool (KVRT) to remove any found threats.

 

Save the KVRT.exe file to the Downloads folder.   Once the download completes,   you can then run the file.

- Right-click on KVRT.exe and select Run as administrator.
- Read the EULA, then select Accept.
- Wait for Kaspersky Virus Removal Tool to initialize.
- In the main screen, select Change parameters, place a checkmark in System drive, then click OK.
- Click Start scan.
- Wait for Kaspersky Virus Removal Tool to complete scanning.
- When the scan is finished, select Neutralize all for all detected objects. To view the scan details, click Details.
- Close Kaspersky Virus Removal Tool when done.

Let me know what, if anything, is detected.

 

There is a guide on how to run KVRT Kaspersky tool    https://support.kaspersky.com/8528

 

 

 


Hi.  Just checking.  How are things going ?


sorry for the late reply....

everything should be clean now... thanks!

D drive was an old hard disk that used to house the old operating system. Now it is just used for storage but I left the old OS inside.


Hi,  I am glad things are well.

This is to cleanup after the tools I had you use.

To remove the FRST64 tool & its work files, do this.  Go to the  C:\Users\Gary\AppData\Local\Temp\mwbAD24.tmp   folder.  Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.

Then run that ( double click on it)  to begin the cleanup process.   If the file is not there, disregard that step.

.

You may delete the mbst-grab-results.zip file on the Desktop

You may delete the mb-support-1.5.4.760.exe   on the Downloads folder.

You may delete msert.exe

You should delete the ESET download file    esetonlinescanner_enu.exe

AdwCleaner you may keep and run on demand, as needed, to check for adware.

Anything else I had you download, you may delete.

.

I am glad to have helped.  I am marking this case for closure.

The first best practice of computer safety is to have backups of the system.  Make regular periodic backups to offline removable media.
Backup is your best friend.

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"
.

I wish you all the best.  Stay safe.

Sincerely,

Maurice

 

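The closing advice above (use a Standard user account for everyday browsing, keep Automatic Updates on, and delete the tool downloads once the case is closed) can be checked and applied from PowerShell. The following is an added example, not the helper's own procedure or a Malwarebytes tool. The account name 'GaryDaily' and the Desktop/Downloads locations of the leftover files are assumptions made for this example (the thread names the files but not every folder). Run it from an elevated PowerShell on Windows 10 or later, which ships the LocalAccounts module:

```powershell
# Added example: apply and verify the post-cleanup recommendations from this thread.

# 1. Everyday browsing should happen from an account that does NOT appear in this list.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Create a standard (non-admin) account for daily use; the existing admin login is left alone.
$daily = 'GaryDaily'    # assumed name, change as you like
if (-not (Get-LocalUser -Name $daily -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $daily"
    New-LocalUser -Name $daily -Password $pw -Description 'Standard account for web use' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $daily     # Users only, never Administrators
}
$stillAdmin = Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -like "*\$daily"
if ($stillAdmin) { Write-Warning "$daily is still an administrator" } else { "$daily is a standard user" }

# 3. Windows Update: the service is not disabled and no policy turns Automatic Updates off.
Get-Service -Name wuauserv | Select-Object Name, Status, StartType
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    Write-Warning 'Automatic Updates are disabled by policy (NoAutoUpdate=1)'
} else {
    'No policy disables Automatic Updates'
}

# 4. Tool downloads the helper said to delete. Locations are assumed; this only reports,
#    delete by hand after confirming each one.
$leftovers = @(
    "$env:USERPROFILE\Desktop\mbst-grab-results.zip",
    "$env:USERPROFILE\Downloads\mb-support-1.5.4.760.exe",
    "$env:USERPROFILE\Downloads\msert.exe",
    "$env:USERPROFILE\Downloads\esetonlinescanner_enu.exe",
    "$env:USERPROFILE\Downloads\KVRT.exe"
)
$leftovers | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "still present: $_" }
```

FRST64 is deliberately not in the leftover list: the helper's instruction is to rename it to UNINSTALL and run it from the Temp folder so it removes its own quarantine and work files, which a plain file deletion would leave behind.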

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
