Jump to content

Trojan website popups


Recommended Posts

Every 2-3 days i get a malwarebytes popup blocking a website with the context of trojan and most usually I'm not opening the websites or even see them instead I get them when I'm on youtube or Gmail because of school. I did a deep scan with safe mode on and then another deep scan without it and found nothing, I used adwcleaner 8.0.4 by malwarebytes and I can't seem to find the troubled software. Used the google virus detection system inside options-advanced and still nothing. Note: every couple of days I have to delete chrome and reinstall it because the virus slows down my internet connection and it wont open any page without having to wait 5-10 minutes, note that wifi and my TV work fine as they are both connected to the same internet provider and router. Help please?

Link to post
Share on other sites

Update: Malwarebytes just gave my a popup about svchost.exe in file system32.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 20/05/2020
Protection Event Time: 17:38
Log File: fef1f7a4-9aaf-11ea-8d66-d8cb8ae6a7ab.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.896
Update Package Version: 1.0.24144
Licence: Trial

-System Information-
OS: Windows 10 (Build 18362.836)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Compromised
Domain: 
IP Address: 122.228.19.79
Port: 50049
Type: Inbound
File: C:\Windows\System32\svchost.exe

(end)

Link to post
Share on other sites

Hello @Lazko202   

Let me know what first name you prefer to go by

 

First, understand that the message window does NOT mean the actual presence of a booger  ( malware) physically on your box.  It only means that the Malwarebytes web protection has STOPPED any actual potential harm from a EXTERNAL source.   The message is just courtesy information, that Hey it protected your machine.

Any threat is EXTERNAL.

Further, it does NOT mean that anything is wrong with svchost on your box.

Again, there is NO trojan on your machine.   The probes are coming from external sources.

.

Also, you need not uninstall > re-install your web browser.

Please know that you can set the notification message to not be displayed on screen.   Your system will still be protected by the Trial Premium.

You may if you wish just set the message-window notification to be turned off  so you do not get frazzled.

Start Malwarebytes.   Click Settings ( gear icon at the top ) 

Click the Notifications tab.

Look for "Show all notifications in the Windows notification area"   and click that to the Left.   That is to set that to Off position.

The real-time web protection and the real-time anti-malware will still be protecting your system.  Plus the Notification area of Malwarebytes will continue to log the events but just in the background and silently.

.

Here are some suggested actions that you can apply to tighten up security on your Windows system.

The Real Time Protection of Malwarebytes for Windows  is actively doing it's job to protect the system.

You are running a Trial of Malwarebytes.  The real-time protections end 14 days after the install, unless you get a Premium license to continue having real-time protections.

 

I  would recommend that if you have a internet-connection-router hardware at home,  that you look over this article

"How to Enable Your Wireless Router's Built-in Firewall"

https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668

 

 

In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.

If you wish to do so, here is one how-to guide for the Windows software firewall

https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

 

Additionally or alternatively, if this is on Windows 10 PRO  and if you do not need or use Remote Desktop,  you can turn that off.

https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

.

 

Here is how to block a port number in Windows

https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/

 

How to Change the port number for RDP

https://tunecomp.net/change-remote-desktop-port-windows-10/

 

We can run a few different scans to check this system, but it is quite likely to just report no actual malicious malware onboard.

 

For your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block".   A courtesy notice,   Any potential threat was STOPPED.
A "malicious website blocked"   or a "Compromised"   site block  is entirely different from a "malware detected" event.

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.
 
See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true
 
Incoming block notice can be ignored, the Malwarebytes real-time  ( Premium)  protection  is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

The potential threat was out there at    IP     122.228.19.79

.

One other tip,  Be real sure to have all the latest Updates and definitions on the Malwarebytes for windows program.

Start Malwarebytes.   Click the Settings icon  at the top right side.

Look for the General tab.   On that tab, click on the blue "Check for Updates"  and let it do a Update run.   

Next,  we can do a Scan to do a new check of the system.   

 

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.
Then click the Security tab.   Look for the section "Automatic Quarantine".   Be sure it is clicked On   ( to the far right side)

 

Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color
 

 

Then scroll down to the section Potentially Unwanted items.   We need the next 2 lines   ( for P U P  & for P U  M)  to be set to "Always ( Recommended) ".
You can make the change by clicking on the down-arrow selection list-control.   We want all P U P  &  P U M to be marked for removal.

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected.

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

 

 

Link to post
Share on other sites

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 20/05/2020
Scan Time: 21:26
Log File: d8812822-9acf-11ea-9fc6-d8cb8ae6a7ab.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.896
Update Package Version: 1.0.24156
Licence: Trial

-System Information-
OS: Windows 10 (Build 18362.836)
CPU: x64
File System: NTFS
User: THOR\Andricka

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 324307
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 14 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

 

2 hours ago, Maurice Naggar said:

A "malicious website blocked"   or a "Compromised"   site block  is entirely different from a "malware detected" event.

I understand this and to clarify in the detection history under event details I get "trojan" and where the event is "trojan" I get quarantined or blocked, I also got "adware.linkury" and "adwareDownloadAssist" a couple of times without me doing anything.

Link to post
Share on other sites

Per this last scan result from Malwarebytes for Windows, there are no "torjan"  or "pup".

.

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Link to post
Share on other sites

 

# -------------------------------
# Malwarebytes AdwCleaner 8.0.4.0
# -------------------------------
# Build:    04-03-2020
# Database: 2020-05-19.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    05-21-2020
# Duration: 00:00:02
# OS:       Windows 10 Pro
# Cleaned:  2
# Failed:   0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{1179749A-5346-41CA-A23D-52AF2936D844}C:\program files (x86)\popcorn time\nodejs\node.exe
Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{F2E7AACC-3042-42CF-80BC-19E50F38801B}C:\program files (x86)\popcorn time\nodejs\node.exe

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [4253 octets] - [15/05/2020 16:47:20]
AdwCleaner[C00].txt - [3951 octets] - [15/05/2020 16:48:03]
AdwCleaner[S01].txt - [1527 octets] - [15/05/2020 16:59:24]
AdwCleaner[S02].txt - [1588 octets] - [15/05/2020 22:32:29]
AdwCleaner[S03].txt - [1649 octets] - [17/05/2020 22:15:11]
AdwCleaner[C03].txt - [1839 octets] - [17/05/2020 22:15:34]
AdwCleaner[S04].txt - [1771 octets] - [19/05/2020 17:07:21]
AdwCleaner[S05].txt - [2252 octets] - [20/05/2020 23:45:07]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C05].txt ##########

Is this what you meant?

 

Link to post
Share on other sites

Thanks for the Adwcleaner report.   Nothing actual of a major nature here.   Just only 2 registry entries  that have no  threat ability.

Yes, thanks, you relayed the right report.

.

Just only as a precaution, you may run a couple of check tools.

[     1    ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system. 
The download links & the how-to-run-the tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.

 

NEXT   [      2      ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now

It will start a download of "esetonlinescanner_enu.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  You should click to off the offer for “periodic scanning”.

Link to post
Share on other sites

9 minutes ago, Maurice Naggar said:

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system. 
The download links & the how-to-run-the tool are at this link at Microsoft

Do I do quick scan or a deep scan?

Link to post
Share on other sites

I did a quick scan for now, let me know if I should do a deep scan.

 


---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.315.1073.0)
Started On Thu May 21 01:31:15 2020
->Scan ERROR: resource process://pid:88,ProcessStart:132344879005260723 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:376,ProcessStart:132344879063857455 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:540,ProcessStart:132344879303394265 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:632,ProcessStart:132344879313252402 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:648,ProcessStart:132344879313362466 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:696,ProcessStart:132344879313760140 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2088,ProcessStart:132344879358130540 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3260,ProcessStart:132344879391905667 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2392,ProcessStart:132344881022221235 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:10012,ProcessStart:132344881345052623 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1568,ProcessStart:132344881391507119 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:8360,ProcessStart:132344908684986473 (code 0x0000012B (299))
->Scan ERROR: resource process://pid:3684,ProcessStart:132344908690562360 (code 0x0000012B (299))
->Scan ERROR: resource process://pid:6852,ProcessStart:132344910582819788 (code 0x0000012B (299))
->Scan ERROR: resource process://pid:3260,ProcessStart:132344879391905667 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1568,ProcessStart:132344881391507119 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:2392,ProcessStart:132344881022221235 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:10012,ProcessStart:132344881345052623 (code 0x00000005 (5))

Quick Scan Results for F5E01FDD-543F-4EAF-ACBB-E976563B7776:
----------------
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000021 (33))
->Scan ERROR: resource process://pid:3260,ProcessStart:132344879391905667 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3260,ProcessStart:132344879391905667 (code 0x00000005 (5))
Threat detected: HackTool:Win64/AutoKMS
    file://C:\WINDOWS\SECOH-QAD.dll
        SigSeq: 0x00002267DCB6BC9B
        SHA1:   6ef8310627537b1d24409574bc3c398cd97c474c
    file://C:\WINDOWS\SECOH-QAD.exe
        SigSeq: 0x0000226706E72247
        SHA1:   66c72019eafa41bbf3e708cc3824c7c4447bdab6
Threat detected: VirTool:Win32/DefenderTamperingRestore
    regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
        SigSeq: 0x0000055555C57273

Quick Scan Removal Results
----------------
Start 'remove' for regkeyvalue://hklm\software\microsoft\windows defender\\DisableAntiSpyware
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\SECOH-QAD.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\SECOH-QAD.dll
Operation succeeded !


Results Summary:
----------------
Found HackTool:Win64/AutoKMS and Removed!
Found VirTool:Win32/DefenderTamperingRestore and Removed!
Microsoft Safety Scanner Finished On Thu May 21 01:39:55 2020


Return code: 6 (0x6)
 

Link to post
Share on other sites

5/21/2020 15:58:03 PM
Files scanned: 711954
Detected files: 8
Cleaned files: 8
Total scan time 02:50:06
Scan status: Finished


C:\Program Files\KMSpico\scripts\AddExceptionsWD.reg    Win32/HackKMS.AZ potentially unsafe application    cleaned by deleting
C:\Program Files\KMSpico\scripts\Install_Service.cmd    Win32/HackKMS.AZ potentially unsafe application    cleaned by deleting
C:\Program Files\KMSpico\scripts\Install_Task.cmd    Win32/HackKMS.AZ potentially unsafe application    cleaned by deleting
C:\Program Files\KMSpico\scripts\Silent.cmd    Win32/HackKMS.AZ potentially unsafe application    cleaned by deleting
C:\Program Files (x86)\GRETECH\GOMPlayer\Uninstall.exe    a variant of Win32/GOMLab.A potentially unwanted application    cleaned by deleting

This is what came out of the full scan of ESET online scanner.

Link to post
Share on other sites

To answer,  I cannot say one way or another, without having the whole copy of the ESET scan log.

But this run found KMSpico   which is a hack tool.

The question that needs to be answered is,  Has the  Compromised   block notices gone away ?

Be sure to let me know each time you make a reply.

Also, let me know if you applied my tips about the firewall  ( posted in my first reply).

.

 

I would appreciate  getting some fresh details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
    


    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.1.784.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one.   Again, please be sure to ONLY attach report files  with your reply (s)  as we go along.  Do not do a copy / paste into main body.

Thank you,
Sincerely.

Link to post
Share on other sites

Good afternoon.  I hope you are doing well & enjoying the week-end.

How is the situation ?  Are you still with us ?   I have been looking to having the report from this machine from the Malwarebytes Support tool.

If it happens I do not hear back from you after 3 days,  I will mark the case for closure.

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.