
Constant "Compromised" and "Trojans" Blocked Activity



A few days ago I started getting constant (every few minutes) blocked activity popups from Malwarebytes. One group states Compromised Blocked Website 1.223.0.107. The other group, which stopped yesterday, states: Trojan Blocked Website 134.122.118.147. I ran Farbar and it doesn't seem to have anything. I'm running a deep Microsoft Defender Scan now. The Offline scan found nothing. Thanks for any help and guidance.

Attachments: printscreen.jpg, Addition.txt, FRST.txt


Hi, welcome.
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only attach all report files, etc. that I ask for as we go along.


For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your PC safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.

The website Block message indicates that a potential risk was blocked by the malicious website protection.
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is being reached (outgoing) or is trying to access your PC.

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done.
On Outbound blocks, any attempted connection was stopped.

No action is required unless you're also experiencing malware symptoms or there are multiple (different) IPs (e.g. 123.23.34 and 4.44.56).
A browser is not required to be running; just an active Internet connection with processes running, such as Instant messenger clients, SKYPE or Peer-to-peer software, can trigger these alerts.

These are also triggered by banner ads running on websites, which is the most common form of alert.


I would appreciate getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.0.774.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    Now click the left-hand side pane "I do not have an open support ticket"
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"! Look instead at the far-left options list in black.
    Click the Advanced tab on the left column
    Click the Gather Logs button
    A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.


Please know I help here as a volunteer, and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.

Thank you,
Sincerely.
 


Hi. Thank you for the report file. At this point (and this is very early in the case) it is not clear as to why it seems that a Windows exe is being flagged.

Let us start by doing this first, so that Microsoft Windows Defender is not hampered.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security tab. Scroll down to "Windows Security Center".
Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
 


I would suggest doing a Full scan with Microsoft Windows Defender (see below). First, I would suggest getting the Malwarebytes notifications turned OFF so that your screen does not get swamped, and to lessen the aggravation.

Start Malwarebytes. Click Settings (gear icon at the top).

Click the Notifications tab.

Look for "Show all notifications in the Windows notification area" and click that to the Left. That is to set it to the Off position.

The real-time web protection and the real-time anti-malware will still be protecting your system.


 

Do a Full scan with the Windows 10 antivirus, Windows Defender.
Navigate to the Virus & Threat protection section.

Look in the Windows search box on the Windows taskbar. Type in

virus & threat protection

You should see a list display. There is a link for "Virus & Threat protection". Click on that.

Once you get there, note the "Scan Options" in blue. Just need you to drill down into that to get to the option for FULL scan.

Click Scan options.

 

Then click on Full scan.   Have lots of patience.   Keep me advised on the result.    We can do more later.

 

 


On the Block notice events: can you tell me whether, at that point, you were possibly playing online multi-player games?

or

If possibly you were using a web browser when that notice showed up?

 

You can let the message window close itself after a few seconds.  Or you can click the X  to Close the notice window.

And if they are an annoyance, you can suppress their display.

Start Malwarebytes.   Click Settings ( gear icon at the top ) 

Click the Notifications tab.

Look for "Show all notifications in the Windows notification area"   and click that to the Left.   That is to set that to Off position.

The real-time web protection and the real-time anti-malware will still be protecting your system.

 

Those 3 items that Windows Defender has flagged,  we should get all 3  removed.   Click on the Start Actions button.

Have them Quarantined or removed.    Kindly confirm that, please.


No online games. What I was doing last night was connecting to the computer through remote desktop from my girlfriend's house. Also last night I set all three to quarantine. Windows Defender is still trying to quarantine them this morning. Also, when I ran the full Windows Defender scan, that took over 24 hours, which is why I was checking remotely.

And to make things worse, I'm still at my girlfriend's checking remotely and now I'm getting the same Malwarebytes blocking compromises on that computer! I'm going to run the Windows Defender scan there too. I have Malwarebytes on computers in both homes.


I'm running a full Windows Defender scan on the computer at my girlfriend's house. I'm thinking that connecting remotely to the computer in this thread might have caused attacks on the computer in my girlfriend's house. Either that or the fact that I'm using Chrome on both and they might have synced (?). At any rate, I took a chance and connected to my computer at home remotely. Windows Defender is still trying to quarantine the trojans after 12 hours. I'm leaving it on because the full Windows Defender scan took over 24 hours by itself.


That is a long time for the Windows Defender run. Let's give it more time, with the hope that it finally removes the tagged items.

Are you saying that you are having issues on 2 different machines? I wonder.

If either computer is remotely connected, we need to have you (if possible) close the remote sessions, while still letting Windows Defender run and complete.

Please do not make any further remote connections.

As far as Chrome browser,   you should set all your Chrome browsers to NOT have the Sync feature 'on'.   That is to say, turn OFF the SYNC feature.

Using Chrome browser  go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

Close Chrome.

Please do not do any websurfing or needless browsing while this case is on-going.

 

If you could, could you take a picture of the screen of the Windows Defender scan and then attach it here, either with your smartphone or else by shortcut keys on the keyboard.

How to Take Screenshots in Windows 10
https://www.howtogeek.com/226280/how-to-take-screenshots-in-windows-10/

 

 


I'm remote again for the last time, as connecting remotely last night seemed to infect the second computer. I'm running Windows Defender on that one now. I will not connect remotely and will be at home tomorrow to check it then. I've had the Quarantine procedure running since last night and it's still going. Image attached.

 

Attachment: quarantine.jpg


I did not. I clicked Remove on all and Submit. Now, I run a quick scan and they are still there. It finds the three current threats and the action is all Remove. I click Start Actions and they "go away" with no other action needed. But if I do a quick scan again, they are still there. Under History they seem to be all there with another Remove choice. But after selecting Remove, there is no button to allow the removal.


Also, on the other computer at my girlfriend's, it's another one of my Windows computers and my user account was set to "sync". So if I saved a file to the desktop on one, it showed up on the other. I'm guessing that had something to do with the Compromise attacks on that other computer, since I didn't have Chrome syncing. I turned off Windows syncing on both computers, so I'll see if that helps. I ran a full Windows Defender scan on that computer and it turned up nothing. Fortunately I have Malwarebytes on both.


Yes, we definitely need to have the end results.   Just let it finish  and do not start a new one.

When it has stopped, write down & report the results at the bottom.

and

This is the way to look at the Windows Defender scan history.

Go to the Windows Start menu. Click on the Settings icon.
Now click on Update & Security. Then click on Open Windows Security.
Click the Virus & threat protection tile and then the Protection history label (in blue).
The Protection history will have a list of recent events.


OK. I do not know if you timed when it started. If it gets to be like 35-40 hours then we may want to consider canceling.

Do not let the details or number of lines below spook you, please. It is all do-able and needed.
Just take your time.

⦁ Open File Explorer from the taskbar.
⦁ Select View > Options > Change folder and search options.
⦁ Select the View tab and, in Advanced settings, select Show hidden files, folders, and drives and OK.

If you have the time, can you see if you can locate this log & then attach a copy with your next reply:

C:\Users\rturn\AppData\Local\Temp\MpCmdRun.log

 


24 hours ago I clicked Start Actions to remove all the malware. It ran all day and night. When I came down this morning it had stopped but had a notation that malware might be present. I ran a Quick Scan and all the malware is still here. I have hidden files and folders checked but there is no MpCmdRun.log.

 

 

Attachment: Results.jpg


Thanks for the screen grab. I regret things have got more involved than they should have been.

Normally I would try to focus on those 3 entries dated May 11. One by one I would have tried (to see) if I can click to select one, then see if I could use "Start actions".

That said, let's leave that be; let us get some fresh reports. We should be able to find entries related to the runs of Windows Defender.

By the way, it looks like the same 3 items flagged on the 9th were flagged also on the 11th.

One seems to be some sort of document? Another a JavaScript file.

This is going to be two different procedures.

[ 1 ]

You have the FRST tool. It is called FRSTENGLISH in the Downloads folder.

Go to the Downloads folder (using Windows File Explorer).

Double click on FRSTENGLISH to start the tool.
Click YES when prompted by the Windows UAC prompt to allow it to run.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself; in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked; the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait.

The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

 

[ 2 ]

This next part is a more direct but more involved way to look at the history of scans of Windows Defender. Patience & detail are called for.

We are only looking for the most recent 3 flagged entries, the ones dated May 11.

By going through the Windows Security options (in Windows 10 Settings) you can locate summaries for the latest Windows Defender scan(s). And if anything was flagged, you would see the detail.
And it is by date. Here is a written how-to along with some handy images.
From the Start menu, select Settings, then select Update and Security.
Next, look at the left-side menu & select Windows Security.

Next, in the Windows Security section: Click on the grey button Open Windows Security.

Now, click on the shield Virus and threat protection.
By the way, when you see a green check-mark on your display, it means a good status and that protection is on.

On the next display, look at all the grouped information and options.

When you get to this section, notice what it says about "current threats" on your system.

Also in this same section, please notice the blue line marked "Protection history" and click on that to see more details.

You will see details like these.

Then look at each one of the recently listed scan runs. The most recent should be on top.
Look on the far-left blue icon (whether a shield icon or a frame icon) and click on the blue icon.

You will then see details about the Windows Defender "classification" of the item and where it is located.
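A scripted way to read the same Windows Defender scan status, Protection history and MpCmdRun.log information from PowerShell, added here as an example and not part of the original post. It uses the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection) and assumes a 7-day look-back window; run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the original thread): the scripted equivalent of the
# Protection history view, using the built-in Windows Defender PowerShell
# module. Run from an elevated PowerShell prompt on the affected machine.

# 1. Protection status and when the last quick / full scans finished.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                  QuickScanEndTime, FullScanEndTime,
                  AntivirusSignatureLastUpdated |
    Format-List

# 2. Build a lookup from ThreatID to the threat record (name, severity).
$threatsById = @{}
Get-MpThreat | ForEach-Object { $threatsById[$_.ThreatID] = $_ }

# 3. Detection events from the last 7 days (assumed window), newest first.
#    Each row shows the file(s) involved and whether the remediation action
#    (quarantine / remove) actually completed. The same item re-detected on
#    several dates with ActionSuccess = False is the pattern described in
#    this thread, where the flagged items were multi-gigabyte backup archives
#    that Defender could not finish quarantining.
$since = (Get-Date).AddDays(-7)
$rows = foreach ($d in Get-MpThreatDetection) {
    if ($d.InitialDetectionTime -lt $since) { continue }
    $t = $threatsById[$d.ThreatID]
    [PSCustomObject]@{
        Detected      = $d.InitialDetectionTime
        ThreatName    = if ($t) { $t.ThreatName } else { "ThreatID $($d.ThreatID)" }
        Severity      = if ($t) { $t.SeverityID } else { $null }
        ActionSuccess = $d.ActionSuccess
        Resources     = ($d.Resources -join '; ')
    }
}
$rows | Sort-Object Detected -Descending | Format-Table -Wrap -AutoSize

# 4. The per-user MpCmdRun.log the thread asks for, if it exists
#    ($env:TEMP resolves to the AppData\Local\Temp path quoted above).
$log = Join-Path $env:TEMP 'MpCmdRun.log'
if (Test-Path $log) { Get-Content $log -Tail 40 } else { "No $log found" }
```

Resources entries name the detected files, so a detection whose path points at a large archive (as with the website backups in this thread) explains a remediation that runs for many hours.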
 


This is one of the threats (the details are so long that I couldn't screen them all). And it might explain why it's been so difficult to delete or quarantine it. It's not, IMO, an active threat. Several of these files are in a storage drive and are huge backups from two years ago of websites. The sites use a lot of PHP, so I'm not sure if that's making them look like trojans. I've been trying to delete the first one for a half hour. It's over 14GB. If each one of those website backups is that large, no wonder Windows is having trouble quarantining them.

 

 

Attachment: webbackups.jpg


This topic is now closed to further replies.