Constant compromised blocked websites

Hello all. I was asked to post here, so here goes. 

I keep getting inbound compromised event warnings every few minutes. All web browsers are closed, email is closed, etc. The only active programs (that I know about) are in the tray. I didn't install anything new. MB doesn't tell me the source of the problem. Malwarebytes scan is clean. ADWcleaner scan is clean. Logs attached as requested. Thank you for any help. These warnings are freaking me out.

MB Version: 4.1.0.56 (Windows x64)
Update package: 1.0.23654
Component package: 1.0.896

mbst-grab-results.zip FRST.txt Addition.txt


Hello WBT.

Thank you for the reports.

The blocks are on addresses that are making forced attempts to exploit Remote Desktop Protocol.

The Real Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide: https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

That was fast! So I'm 100% NOT infected, and it 100% IS someone trying to hack in from outside? That's a relief. The only problem is that they constantly change the IP address, so I can't put a one time block on it.

Where in the logs did you see this information? I searched and didn't see anything. I would like to learn how to identify this issue in case they stop now and it happens again in the future. Thanks!

You can certainly look through the history logs of the Block events.

Use this article-guide: https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Look at the section at the bottom, "View and download detection History in Malwarebytes on Windows".

Look for the ones tagged "block".

.

If you wish, you can do a thorough scan like this to do a new check with Malwarebytes for Windows.

Start Malwarebytes from the Windows Start menu.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Look for the section "Automatic Quarantine". Be sure it is clicked On (to the far right side).

Scroll down and let's be sure the line in Scan Options for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for PUP & for PUM) to be set to "Always (Recommended)".
You can make the change by clicking on the down-arrow selection list-control. We want all PUP & PUM to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected.

Then, locate the scan run report; export out a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

18 minutes ago, Maurice Naggar said:

Your protection logs show two (2) IP addresses

185.202.1.176
185.202.1.175

That's strange, because I see a LOT of very different IPs. Images attached.

114.32...
108.175...
120.21...
etc.

Are they all RDP attempts? Or are just the 185.xx.xx.xx IPs RDP attempts?


Also look at the dates. A lot of those were on the 10th.

.

Additionally or alternatively, if this is on Windows 10 PRO and if you do not need or use Remote Desktop, you can turn that off:
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

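One way to carry out both suggestions from this thread at once, adding the probing addresses to the Windows firewall and turning off Remote Desktop when it is not needed, from an elevated PowerShell prompt. This is an added example, not something posted in the thread; the rule name is arbitrary, the address list is seeded with the three addresses quoted in this thread and is meant to be extended as new block events show up, and the "Remote Desktop" rule group name assumes an English-language Windows 10.

```powershell
# Added example (not from the thread). Run from an elevated (Administrator) PowerShell prompt.
# Assumptions: $RuleName is arbitrary; $BlockedIPs is seeded with the three addresses quoted
# in this thread and is meant to be extended as new Malwarebytes block events appear.

$RuleName   = 'Block inbound probes (Malwarebytes block events)'
$BlockedIPs = @('185.202.1.176', '185.202.1.175', '92.63.194.3')

# Create the inbound block rule on first use; on later runs merge new addresses into the
# existing rule's remote-address filter, so the list can grow as the sources change.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Profile Any -RemoteAddress $BlockedIPs | Out-Null
} else {
    $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged = @($existing) + $BlockedIPs |
        Where-Object { $_ -ne 'Any' } | Sort-Object -Unique
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
}
$nowBlocked = (Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter).RemoteAddress
Write-Host "Rule '$RuleName' now blocks: $($nowBlocked -join ', ')"

# A per-address block list only helps against repeat sources. When Remote Desktop is not
# used at all, remove the exposure itself: deny RDP connections (same setting the Settings
# app toggles) and disable the firewall rule group that allows inbound RDP on port 3389.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Verify: fDenyTSConnections should read 1 and no rule in the group should be Enabled.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' | Select-Object fDenyTSConnections
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled
```

Re-running the script after adding addresses to $BlockedIPs extends the existing rule rather than creating a duplicate.
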
I added ALL the IP addresses I found into the Firewall block list (10 or so). After that, no more compromised block pop-ups. However, one of the IPs I already blocked yesterday via the firewall is now giving me a ransomware threat instead. Logs attached. Thanks for the help so far. 1 problem down, 1 to go.

mbst-grab-results.zip


The last block events mention IP 92.63.194.3

The real-time protection (the web protection) is keeping your pc safe.

You may do this special scan to check the system.

You can do a thorough scan like this to do a new check with Malwarebytes for Windows.

Start Malwarebytes from the Windows Start menu.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Look for the section "Automatic Quarantine". Be sure it is clicked On (to the far right side).

Scroll down and let's be sure the line in Scan Options for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for PUP & for PUM) to be set to "Always (Recommended)".
You can make the change by clicking on the down-arrow selection list-control. We want all PUP & PUM to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected.

Then, locate the scan run report; export out a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Forgive me, one additional note. I would not use the 2 words together "ransomware threat" (in this situation). The Block notice is simply a message that the real-time protections (in this case the web protection) are keeping the pc safe from that specific IP. The inbound attempt was STOPPED.

If the message notices are too much, you can turn those off. You would still have full protections.

I await the result from the scan above. After that, if you wish, you can do a scan with the Windows Defender Antivirus.

.

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block". The events here are "blocked website" (an IP address that our researchers have deemed potentially malicious).
A "malicious website blocked" is entirely different from a "malware detected" event.

For Your Information:
The website Block message indicates that a potential risk was blocked by the malicious website protection.
The Malwarebytes web protection, by default, will always show each IP block occurrence (or any other type of block).

If the frequency is too much or if they become overly annoying, these notifications can be turned off.

The Malwarebytes web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.
See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done.
On outbound blocks, any attempted connection was stopped.

No action is required unless you're also experiencing malware symptoms or there are multiple (different) IPs (ex; 123.23.34 and 4.44.56).
A browser is not required to be running, just an active Internet connection with processes running, such as instant messenger clients, SKYPE or peer-to-peer software, to trigger these alerts.

These are also triggered by banner ads running on websites, which is the most common form of alert.


Hi Maurice. Thank you for the information. Scan is clean. Logs attached. The strange part is that the firewall isn't blocking. If it's an external threat like the compromised sites, shouldn't the firewall stop it from ever reaching my system? I like the notices and would like to block the attempts from ever reaching my machine if possible. Thanks again.

scan.txt


This scan confirms no active on-board "goobers". No malware on the pc. Not even PUP.

You may do a Full scan with Windows Defender to get another check & analysis. Full scan can take several hours.

I doubt if there is a thing actually on your system. These block notices from Malwarebytes real-time protection may well re-occur. You need to acclimate & adjust to those facts, certainly if none of the security tools (like Malwarebytes & Windows Defender) report actual malware.

Do a Full scan with the Windows 10 antivirus ...... Windows Defender.
Navigate to the Virus & Threat protection section.

Look in the Windows search box on the Windows taskbar. Type in

virus & threat protection

You should see a list display. There is a link for "Virus & Threat protection". Click on that.

Once you get there, note the "Scan Options" in blue. Just need you to drill down into that to get to the option for FULL scan.

Click Scan options.

Then click on Full scan. Have lots of patience. Keep me advised on the result.

Hi Maurice. I did a full scan as directed and there's nothing there. It's strange that the firewall doesn't block the ransomware attempts like it blocks the compromised site attempts, but since you say there's nothing to worry about, I'll ignore the warnings. Thank you for all your help. It's very much appreciated!


You are very welcome. I am glad to have helped.

To do some tool cleanups:

You may delete mb-support-1.5.4.760.exe in the Downloads folder.

Delete mbst-grab-results.zip on the Desktop.

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe.
Then run that (double click on it) to begin the cleanup process.

.

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you