
Constant "Website blocked due to compromised"



Constant "Website blocked due to compromised" pop-ups from MBAM even when my browser (Chrome) is closed.   

It's happening on average every 30 seconds.

My OS is Windows 10 Pro Version 1909 (OS Build 18363.778)

I ran an MBAM scan, as well as a Windows Defender scan.  Both came up clean.
 

MBAM event.txt


Hi,
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only attach the report files, etc. that I ask for as we go along.


For Your Information:

The block notices from Malwarebytes web protection mean that Malwarebytes is keeping your PC safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" event is entirely different from a "malware detected" event.

The website block message indicates that a potential risk was blocked by the malicious website protection.
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes web protection feature will advise customers when an attempt is made to reach a known or suspected malicious IP (outgoing) or when such an IP is trying to access your PC.

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done.
On outbound blocks, any attempted connection was stopped.

No action is required unless you're also experiencing malware symptoms or there are multiple (different) IPs (ex; 123.23.34 and 4.44.56).
A browser is not required to be running; just an active Internet connection with processes running, such as instant messenger clients, Skype or peer-to-peer software, can trigger these alerts.

These are also triggered by banner ads running on websites, which are the most common form of alert.

I would appreciate getting some key details from this machine in order to help you going forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

    Once the file is downloaded, open your Downloads folder/location of the downloaded file.
    Double-click mb-support-1.6.0.774.exe to run the report.
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next.
    Now click the left-hand side pane "I do not have an open support ticket".
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair”! Look instead at the far-left options list in black.
    Click the Advanced tab on the left column.
    Click the Gather Logs button.
    A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.
    Please attach the ZIP file in your next reply.


Please know I help here as a volunteer, and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.

Thank you,
Sincerely.


Hello Jon. Thanks for the report.

On the block notice events ... Can you tell me whether, at that point, you were possibly playing online multi-player games?

or

possibly using a web browser when that notice showed up?

or

using an instant-messenger app?

 

You can let the message window close itself after a few seconds.  Or you can click the X  to Close the notice window.

And if they are an annoyance, you can suppress their display.

Start Malwarebytes. Click Settings (gear icon at the top).

Click the Notifications tab.

Look for "Show all notifications in the Windows notification area" and click that to the left. That sets it to the Off position.

The real-time web protection and the real-time anti-malware will still be protecting your system.


I've had the notice show up even when my browser is closed. I wasn't playing online games. All my messaging apps were closed.

I had already set MBAM to hide notifications when Chrome is full screen.
I have now set the "Show notifications in the Windows notification area" to off. Still don't know why it's detecting all of these events, though. It's a little worrisome.

It makes me think that there's some kind of malware that's inviting attacks.  One of the things I will try is to disable remote desktop hosting and see if it stops.

If you have any other ideas... I'm open to suggestion.

 


I would like for you to be sure to close all web browsers & other un-needed open apps, and then do a Full Scan with MS Windows Defender.

That is a first step. We can do more scans later.

Do a Full scan with the Windows 10 antivirus, Windows Defender:
navigate to the Virus & Threat protection section.

Look in the Windows search box on the Windows taskbar. Type in

virus & threat protection

You should see a list display. There is a link for "Virus & Threat protection". Click on that.

Once you get there, note the "Scan Options" in blue. I just need you to drill down into that to get to the option for FULL scan.

Click Scan options.

Then click on Full scan. Have lots of patience. Keep me advised on the result. We can do more later.

 


Thanks for that bit of news. Let's do other scans, please.

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now

It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click the blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
Press Continue when all done. You should switch off the offer for “periodic scanning”.
 


@buckyswider I am going to split off your 2 posts & make a separate topic-thread for you. In the malware-removal section, we only work one customer per case.

These are not group-type multi-machine situations. One original customer is on their own separate topic. One to one.

 

@MrJBK   pardon the interruption.    I am curious as to how you are doing at this point.

 


Hi Maurice,

Ran ESET overnight.   Attached is the log of what it found.  The files on the D drive are old installers and I think many are false positives.   In any event, they are never run. 
I re-enabled notifications in MBAM, and I'm not seeing the pop-ups anymore.   After sending this post I'll reboot and see if things are still well-behaved as the day progresses.

I truly appreciate the time and energy you've put into this!

ESET scan log.txt


Thank you for the ESET scan result report (some comments on that below).

I am of the view that we need to do one or two other scans & after that, take a look at the Malwarebytes logs.

[1]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to-run-the-tool instructions are at this link at Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Let me know the result of this.
The log is named MSERT.log.
The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 

[2]

I would like you to do a new scan with Malwarebytes for Windows. One of the major goals here is to have it remove all that it detects, if it finds anything, that is.
Start Malwarebytes from the Windows Start menu.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Look for the section "Automatic Quarantine". Be sure it is clicked On (to the far right side).

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for PUP & for PUM) to be set to "Always (Recommended)".
You can make the change by clicking on the down-arrow selection list control. We want all PUP & PUM to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes window.
Next click the blue button marked Scan.
When the scan phase is done, be very sure you review and have all detected line items check-marked on the left. That too is very critical.
Then click on Quarantine selected.

Then, locate the scan run report; export out a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Now also look for the very latest "Block" event-report

Look at the section "View and download detection History in Malwarebytes on Windows"

https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Question:  During this entire case   ( since the blocks started) had you been using Remote Desktop connection ?

or any sort of remote connection app ?

As to the ESET scan result, it did find quite a few potentially unsafe applications as well as one or so "keygen" apps.

I am not the license police of any sort.  But "keygen" & other sorts of potential cracks are known bundlers of very serious malware, as well as ransomwares.

Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".
 

 


Oh... I forgot to mention...
one of the things I did last night was to disable Remote Desktop, with the thought that maybe some bad actors were trying to come in through that door, which may have been causing the MBAM warnings. 

I will re-enable it later today after I do the scans that you're suggesting and let you know if the warnings come back.   I guess I shouldn't have done 2 things at once.  Makes it difficult to determine which one was the root cause.

 


Hi. I would prefer that you not use Remote Desktop. Period. We can always monitor the block logs of Malwarebytes.

I also would like that you not play any online games & not use instant messenger programs, and please do not do any web surfing.

 

We will be needing to do several different scans on this case.   Patience in all that we do is necessary.


Hi Maurice,

OK... Attached is the scan result from the Microsoft Safety Scanner.   I ran it only on my C drive (500G SSD).   My D drive is big (1TB), (nothing from D is ever loaded into memory).   Scanning D takes a long time.   Other than this forum, I'm not doing anything with the web today.

 

msert.log


Thanks for that scan report. Do you notice if the block events (messages of block) have ceased?

 

At this point, let us do a different scan.

TrendMicro HouseCall scan
https://www.trendmicro.com/en_us/forHome/products/housecall.html


First, Download & Save to your Downloads folder the appropriate HouseCallLauncher

Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.
The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.
Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

 

My suggestion is to do a FULL scan.

 

If you wish a Full scan or a Custom scan, first click on Settings;
then you can select which drives you want to include in the scan.
The default is a Quick scan.
Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.
If you see an item that you know is safe, you can click the Action  , and select Ignore.
When all done & ready, click the Fix now button.


the block events ended ... but I think it's because I disabled Remote Desktop...  

I've completed the TrendMicro scan.   It only found 1 threat... which I think is in the recycle bin... 
I'd like to re-enable Remote Desktop and see if the events re-appear.

I'll try that now after rebooting, and let you know what happens tomorrow.

Thanks again!  

TrendMicro20200510.jpg


Hi Maurice,

I re-enabled Remote Desktop, and sure enough, I started getting MBAM alerts:

I also did some searching and found this post:

 

which sure sounds exactly like what I'm getting.    

I've disabled Remote Desktop again, and, of course, the alerts stopped.   So this problem has everything to do with Remote Desktop being enabled.   I'm guessing that something changed in MBAM, since the post above seems to have started around the same time I saw the same problem.  

I use Remote Desktop from time to time, especially when I'm travelling (which I haven't been lately due to Covid-19) .   I'd like to keep that functionality.

What do you think?

MBAM RTP 20200510 946PM.txt


Had the exact same issue, and I can confirm it is in fact Remote Desktop causing it. I had port 3389 port forwarded in my UniFi controller and as soon as I disabled it the incoming Malwarebytes messages went away. Interestingly enough, I have another server running with Remote Desktop on the same LAN but using RDP port 3390 instead of the default 3389. It is also port forwarded in my UniFi controller and has Malwarebytes running on that server as well, and it has not had a single alert from Malwarebytes. To fix your issue, just change the Remote Desktop port in Windows. For Windows 10, it's under Remote Desktop settings, Advanced. For Windows 7, you will have to search for the 3389 port in the registry and change it. Then change your port forward rule in your router to match whatever you change it to and you will be all set.

 

-Geoff


Hi Geoff,

Thanks for your input. 

I just read this article:
https://tweaks.com/windows/50743/change-remote-desktop-rdp-port/

which kind of explains why there might be so many inbound attacks being flagged by MBAM.  It also has a more thorough explanation of how to change the port in Win 10 (there is no setting... it has to be done through the registry).  It also describes what needs to be done if I'm trying to connect to remote desktop from the RDP client... which is essential.   What's really odd about this problem is that I have another Win10 computer with MBAM which is not showing similar alerts.  The only difference I can figure between the two is that 3389 routes to my desktop (the one that has the constant alerts) so any brute force attempts to hack in through the internet all hit the desktop through 3389.  RDP host is enabled on both machines, but I only connect to the laptop through the LAN.  Since there's no way to reach the laptop through the internet, I guess that gives it some protection.

Interestingly enough, I've had RDP enabled on my desktop all morning so far and only had one alert, and it was not the same type. 

The multiple alerts that were occurring over the past week were like this one:   
Category: Compromised
Domain: 
IP Address: 77.108.68.42
Port: 51618
Type: Inbound
File: C:\Windows\System32\svchost.exe

The only alert this morning was:

Category: Trojan
Domain: cdn.tweaks.com
IP Address: 104.28.31.23
Port: 443
Type: Outbound
File: C:\Users\jklein\AppData\Local\Google\Chrome\Application\chrome.exe

The disappearance of the constant alerts may be due to a change in MBAM's definition files.   I noticed that there was an MBAM update this morning at 7:33AM and the original problem now seems be gone.

 

-Jon


Hello Jon.

The blocks are on addresses that are making forced attempts to exploit the Remote Desktop Protocol.

The Real Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

In most cases the attempted probes will automatically stop on their own. If it continues, you can add the IP to the local firewall to prevent it from contacting the computer, period.

 

Yes, you are right. Malwarebytes has been adjusted to hold off on the notices.

And yes, changing the port for RDP is one way to add some protection.

Just be real sure to backup the registry before you make any change.

https://winaero.com/blog/change-rdp-port-windows-10/

 


Jon,   one more tip.

You may add those IP addresses into the block list of the Windows firewall.

If you wish to do so, here is one how-to guide
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

 

Let me know if you need other help.

Sincerely.


Hi Maurice,

Thanks so much for the confirmation and guidance, and your forbearance through this case.  I think you've given me enough ammunition so that I can defend against the attacks.   

For the moment, I'll use the following strategy:

1.  Until I need to have Remote Desktop running, I'm turning it off.

2.  I have pulled all of the IP addresses from the 524 .json files in [C:\ProgramData\Malwarebytes\MBAMService\MwacDetections] and used VBA in Excel to create a manageable list to use for blocking...  I was going to add them to the block list, but since there are almost 100 unique addresses, and each IP address requires adding an individual rule (several clicks, etc.) that would be very time consuming, and probably not worth the effort.
I have attached the .xls file that I used to summarize the data in the .json files.   The VBA programming is not terribly professional... but it serves my purposes.

The compilation of the RTP alerts over the past several months is interesting. There are a number of port 3389 alerts coming from IP addresses that I do not recognize... these are most likely break-in attempts. I have attached the .xls file that I used to summarize the data in the .json files.

Thanks again for all of your help.

GetMBAMLogs.xls
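As an added example (not code from this thread, from Jon's spreadsheet, or from Malwarebytes), the script below does in Python what Jon describes doing with VBA in Excel: it parses real-time-protection alert records in the Category / Domain / IP Address / Port / Type / File layout quoted earlier in the thread, collects the unique inbound source addresses, counts hits per port, and builds one PowerShell `New-NetFirewallRule` command that blocks the whole list in a single rule, so the "one rule per address, several clicks each" problem goes away. The sample alerts are constructed and use RFC 5737 documentation addresses; the internal layout of the .json files under MwacDetections is not shown on the page, so the script reads the text layout instead and would need a small adapter for those files.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: alert records in the text layout quoted in the
# thread. Addresses are RFC 5737 documentation ranges, not real alerts.
SAMPLE_ALERTS = """\
Category: Compromised
Domain:
IP Address: 192.0.2.10
Port: 3389
Type: Inbound
File: C:\\Windows\\System32\\svchost.exe

Category: Compromised
Domain:
IP Address: 192.0.2.10
Port: 3389
Type: Inbound
File: C:\\Windows\\System32\\svchost.exe

Category: Compromised
Domain:
IP Address: 198.51.100.7
Port: 3389
Type: Inbound
File: C:\\Windows\\System32\\svchost.exe

Category: Trojan
Domain: cdn.example.invalid
IP Address: 203.0.113.5
Port: 443
Type: Outbound
File: C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe
"""

# One "Field: value" line; the Domain line may legitimately be empty.
FIELD_RE = re.compile(r"^(Category|Domain|IP Address|Port|Type|File):\s*(.*)$")


def parse_alerts(text):
    """Split alert text into a list of dicts; a blank line ends a record."""
    alerts, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif not line.strip() and current:
            alerts.append(current)
            current = {}
    if current:
        alerts.append(current)
    return alerts


def summarize_inbound(alerts):
    """Return (sorted unique inbound source IPs, Counter of inbound hits per port).

    Only 'Inbound' records count: outbound blocks are the local machine
    reaching out, and blocking their remote address at the host firewall is
    not what the thread is after. Malformed addresses are skipped.
    """
    ips, per_port = set(), Counter()
    for a in alerts:
        if a.get("Type") != "Inbound":
            continue
        try:
            ip = ipaddress.ip_address(a.get("IP Address", ""))
        except ValueError:
            continue
        ips.add(str(ip))
        per_port[a.get("Port", "")] += 1
    return sorted(ips, key=ipaddress.ip_address), per_port


def firewall_rule_command(ips, name="MBAM inbound block list"):
    """Build a single PowerShell New-NetFirewallRule command for all IPs.

    -RemoteAddress accepts a comma-separated list, so one rule covers the
    whole set instead of one rule per address. Returns None for an empty list.
    """
    if not ips:
        return None
    return ('New-NetFirewallRule -DisplayName "{}" -Direction Inbound '
            '-Action Block -RemoteAddress {}').format(name, ",".join(ips))


if __name__ == "__main__":
    records = parse_alerts(SAMPLE_ALERTS)
    inbound_ips, hits = summarize_inbound(records)
    print("inbound hits per port:", dict(hits))
    print("unique inbound sources:", inbound_ips)
    print(firewall_rule_command(inbound_ips))
```

The generated command is meant to be reviewed and then pasted into an elevated PowerShell session; re-running it with the same DisplayName creates a second rule rather than updating the first, so remove or rename the old one when the list changes. As the thread itself concludes, a block list like this is a supplement: the source addresses of RDP probing rotate, and the durable fix is not exposing port 3389 to the internet (no port forward, or Remote Desktop switched off until needed).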
