Hi there,

Yesterday I went to this website: pentestmonkey .net/cheat-sheet/ssh-cheat-sheet (I broke the link to make sure no one clicks on it by accident), and without interacting in any way with the site once there, Malwarebytes notified me that it had blocked the website because of a Trojan horse attack, by real-time protection. Curiously, or rather luckily, my Malwarebytes Premium trial ended about 30 minutes afterwards.

I didn't expect this, but simply writing the link without breaking it in this post, obviously without going to the site or clicking on the link, led to 2 other consecutive warnings from Malwarebytes about a site blocked by real-time protection against a Trojan. I'm really surprised; I really didn't think that simply pasting a link without clicking it could lead to an attack..? Also, I'm using Brave Browser to block all cookies, all JavaScript, trackers (standard before, I just noticed there is now an aggressive mode which I just configured) and fingerprinting (same as trackers, a new aggressive mode I just configured) for every site until specified otherwise, so I wasn't expecting to be so easily vulnerable navigating websites without even clicking anything, and simply typing URLs... I just deactivated the "preload pages for faster browsing and searching" option though; do you think it might prevent such attacks from simply typing URLs without interacting with them? I will also block all sound and music by default in the future until specified otherwise, since it's the only content that I can think of that I've left unblocked by default in Brave, as recommended by them.

Anyway, I'm worried because I actually copied the link to some website scanners yesterday after my Premium trial ended (all of which warned me it was potentially malicious / blacklisted), so if that is enough to infect my PC, I might not have been properly protected by Malwarebytes at that moment... I'd love it if I could provide my FRST logs to some expert who could assure me my PC isn't going to end up encrypted in the coming days or otherwise.

To sum up what I've done since then: I ran a complete Malwarebytes scan, downloaded and ran AdwCleaner, ran the CCleaner classic scan as well as its registry scan tool, manually cleared the cache and data on the browser I used at that moment as well as my other browser, ran Windows' file cleaning tools, ran a complete scan of my PC with Norton, and ran Norton Power Eraser in rootkit mode. I also repeated the process with admin permissions and on an admin account on my PC, since the account I used at that moment was not one. Everything seems fine regarding all those scans.
I also downloaded and ran a FRST scan (I hate the fact that Farbar has no official website and that FRST must absolutely be downloaded from third-party websites, which I normally avoid at all times) and looked over the log quickly, but I'm not a malware removal expert and obviously I can't tell much from the logs that resulted (aside from the fact that Wondershare, which I've uninstalled, still seems to be on my PC). Does FRST indicate in any way whether any result in the log is potentially malicious to its knowledge, or does it necessarily have to be looked at by an expert to spot anything potentially malicious? If so, is there a specific way to provide such logs to experts on this forum in a secure, non-publicly accessible way? Those logs are super extensive; I don't know that much about cybersecurity, but I wouldn't be surprised if they could be used maliciously if they fell into the wrong hands.

I hope that I'm worrying for nothing, and that one of your experts will respond quickly to confirm or refute it as soon as possible. I will provide the logs in the specified way as soon as I get an answer from such an expert. In the meantime, I will repeat the process once more to be sure, since I've received those two warnings while writing this post.


By complete Malwarebytes scan, I mean I went into the advanced scan and checked the rootkit scan, to be clear.


Also, regarding Brave Browser, I added Photos to the blocked-by-default list as well as Music and Sounds, and I changed the "ask when a site tries to download files automatically after the first site" setting to "do not allow any site to download multiple files automatically". Please tell me if any of those configs are useless; I get that many are pretty excessive, but I like to comfort myself knowing that any (or almost any, if any isn't possible) passive potential point of infection is locked by default when navigating websites I don't know, which I'm regularly forced to do. I don't remember encountering any such Trojan warning while navigating websites I don't know since using Brave this way, so I guessed it did the job... until yesterday (I obviously still try to limit my navigating to safe websites (as far as I can tell) when possible, so that very well might be the only reason).


Here's a screenshot of those Brave site settings, in case you'd consider it appropriate to look them over and confirm/refute whether they can make my web surfing safer in unknown waters.

Screenshot-2020-07-31 17_24_09-Settings - Site and Shields Settings - Brave.png


Hi again.

I realized that I only did the complete Malwarebytes scan with rootkit detection on my admin account; doing it once again on my main account, I actually found a potential malware (uwamp\bin\apache\bin\htpasswd.exe has been detected by Malwarebytes as Malware.AI.4031076051) in a UWAMP directory at the root of my C: drive.

This uwamp folder was provided to me by my school at least a year ago, in a programming context. If I remember well, at the time my antivirus did send a warning, which I was told was normal and instructed to ignore. I think I might have had issues trying to get rid of this folder since. Before yesterday, I wasn't aware that Malwarebytes had an advanced scanning option with a rootkit scan to be checked, so it is possible that it has been sitting there since I added the folder over a year ago... but I find it suspicious that my Malwarebytes full scan including rootkits didn't find it when I did it on my admin account, since the uwamp folder is located at the root of my C: drive and not inside a user-specific directory... I would have expected a scan from the admin account to look through the whole drive without consideration for user account, but this one scan from my main account was definitely a lot longer and scanned more files than the one on the admin account. Maybe the file has been maliciously added or edited since the previous scan? I can't tell.

Hope to reach an expert soon.


Hello @rollingtatoo22


Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes, then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.


RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.


Thanks


That is a valid block.

Your browser, either directly or possibly via an ad, reached out to the site, and the Malwarebytes Web Protection module blocked it.

pentestmonkey.net

Are you aware of that site? Did you visit it on purpose?


No, I wasn't aware of this site at all. I was looking for an SSH cheat sheet and it's the first result DuckDuckGo sent me back. Thought it seemed legit... :\


Yeah, the logs seem okay. I don't think there is any ongoing issue.

You can run a secondary antivirus scanner just to make sure, but cleaning your cache in Brave should be all that's possibly needed.


Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double-click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".


I had my guard down, but I guess I'll have to be more careful in the future when visiting sites I don't know. Maybe I should check them on website scanners or open them in a VM first to be sure. Seeming legit doesn't mean much.


OK, I started the ESET full scan. Thanks a lot, I'm glad I've come across you. Coming back to you as soon as it is over.


I didn't mention it, but now that I think about it, yesterday when I first received the protection warning, I was playing around with the router I had just configured as an access point and was having trouble with (hence why I was looking for an SSH cheat sheet), which I was connected to, and it had its SPI firewall deactivated at that moment. My WAN router still had its firewall on at that moment though (thanks to the ISP firmware that wouldn't let me turn it off to do my tests).

Should I worry about this?


Well, it seems all fine, just like you expected. I'm relieved.

I'm sure you must be pretty busy, but if you ever find a couple of minutes to give me a piece of your mind about my security setup, I'd be glad of it. Otherwise, I completely understand.

About the "uwamp\bin\apache\bin\htpasswd.exe has been detected by Malwarebytes as Malware.AI.4031076051" issue, now that it's been quarantined by Malwarebytes and before I permanently delete it, would you like it if I zip it and send it to you or someone else for analysis? I thought it might be useful, since Malwarebytes describes Malware.AI as unknown threats that have not been researched or classified yet.

Thanks a lot for your support! It's been greatly appreciated.

esetLog20200801.txt


You can upload the file by restoring it from quarantine. Then upload it to https://virustotal.com


SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.

  • Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
  • If Windows's SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that and allow it to proceed.
  • This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

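For the VirusTotal step suggested above, here is an added PowerShell example (not part of this thread, and not a Malwarebytes or VirusTotal tool). It shows the check a practitioner would run on the restored file before deciding whether to upload it: hash it with SHA-256, inspect its Authenticode signature, and look the hash up on VirusTotal's public v3 API. A hash lookup costs nothing and, if VirusTotal already knows the exact binary, gives you the detection counts without sending the file anywhere; only an unknown hash (HTTP 404) calls for an upload. The file path is the one from this thread; the `VT_API_KEY` environment variable and the `-ApiKey` parameter are assumptions for this example (a free VirusTotal account provides an API key).

```powershell
# Added example, not from this thread: triage a restored/quarantined file by hash
# before uploading it. Assumes a VirusTotal API key in the environment variable
# VT_API_KEY (placeholder; obtain one from a VirusTotal account).

param(
    [Parameter(Mandatory = $true)]
    [string]$Path,                      # e.g. C:\uwamp\bin\apache\bin\htpasswd.exe (path from the thread)
    [string]$ApiKey = $env:VT_API_KEY   # assumption: key supplied via environment variable
)

# 1. Hash the file. VirusTotal indexes samples by SHA-256, so the hash alone is
#    enough to ask whether this exact binary has already been analysed.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()

# 2. Inspect the Authenticode signature. Third-party builds of Apache utilities
#    are often unsigned, so "NotSigned" is not proof of tampering; a status such
#    as "HashMismatch" on a file that carries a signature is much more telling.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "SHA-256 : $hash"
Write-Host "Status  : $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Host "Signer  : $($sig.SignerCertificate.Subject)"
}

# 3. Look the hash up on VirusTotal. A 404 means the file is unknown to VirusTotal;
#    only then does uploading the sample add information.
$headers = @{ 'x-apikey' = $ApiKey }
try {
    $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$hash" -Headers $headers -Method Get
    $stats = $r.data.attributes.last_analysis_stats
    Write-Host "VirusTotal: malicious=$($stats.malicious) suspicious=$($stats.suspicious) undetected=$($stats.undetected)"
    Write-Host "Report    : https://www.virustotal.com/gui/file/$hash"
}
catch {
    if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
        Write-Host "VirusTotal has no record of this hash; upload the file at https://www.virustotal.com for analysis."
    }
    else {
        Write-Warning "VirusTotal lookup failed: $($_.Exception.Message)"
    }
}
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt after restoring the file from quarantine, e.g. `.\Check-File.ps1 -Path C:\uwamp\bin\apache\bin\htpasswd.exe`. Because the lookup sends only the hash, nothing from the machine leaves it unless the hash is unknown, which matters when the sample might be a legitimate but unusual build rather than malware.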
