
Malwarebyte's RTP detecting malicious websites



Hello everyone

About a month ago, I installed Hola VPN (that's what I consider to be the cause) without properly researching it on the internet first, which caused my Malwarebytes real-time protection to start detecting malicious traffic coming from random IPs all over the world (Russia, China, etc.). I've run multiple scans on my C drive, but Malwarebytes doesn't seem to find the cause. I've tried formatting my drive and reinstalling Windows, but the issue persists. By now I'm out of ideas on what's causing it, and I don't have the knowledge to diagnose it on my own or to tweak the network settings to see if it's an issue involving that.

Could anybody help me diagnose the issue and see if there's a fix?

Attaching file with the Malwarebytes screen (sorry for the spanish language).

Thank you in advance.

JoakoFeral

[Attachment: 20200813_000713.jpg]


Hello

My name is Maurice.  Let me know what name you prefer to go by.

 

The real-time protection of Malwarebytes is keeping the system safe.  It is advising you of that.  

The "potential" threat is Stopped.    The system is being protected.

 

I would recommend that if you have an internet router at home, you look over this article

"How to Enable Your Wireless Router's Built-in Firewall"

https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668

.

 

What is the Windows version  & is it a Pro edition ?   Does it have Remote Desktop enabled ?

We have to see the detection logs in order to have full details about these Block event notices.

The web protection / Malwarebytes real-time protection is keeping the pc safe from potential harm.   Whatever "it" was, it is STOPPED.

 

I would appreciate  getting some key details from this machine.
 NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
  
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.7.0.827.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"!   Look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

.

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes Premium is keeping your pc safe from potential harm.

A block notice is an advisory of the "block".   The web protection has STOPPED any potential harm.

 

It  indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each  block occurrence.

The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notices can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

Sincerely,

Maurice


Hello Maurice

First of all, thank you for responding so fast. You can call me Joako

I read the article and configured my SPI firewall on its highest setting, however I'm noticing a drop in network speed because of it, or some services not working properly. Do you think it is related?

I've attached the zip file that the support tool gave me.

As a side note, the software required me to update my Microsoft .NET to a newer version via Windows Update, but whenever I try to search for new updates, I get an error with the code 80244019.

Other than that, I thank you again and await for your response

Sincerely,

Joako

[Attachment: mbst-grab-results.zip]


Good morning.   Thank you for the report file.  The block history shows blocks (which means that any potential threat was STOPPED) on some inbound IP addresses: 125.212.217.214, 103.253.146.142, 223.71.167.165, 110.45.155.101

Q:   Do you happen to recall whether a web browser was open at the moment ( time)  of the block notices ?

Q:  Have you scanned this machine with Avast antivirus ?   You do indicate that you scanned with Malwarebytes for Windows.

[ 2 ]

I suggest you install the Malwarebytes Browser Guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,  

   

Open this link in your Chrome   browser:  

   

Then proceed with the setup.  

 

[ 3 ]

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  You should click to off the offer for “periodic scanning”.
 

 


Hello Maurice

About your questions, I don't recall exactly if it started when Chrome was opened, but I can tell you about today: The first detection popped up almost exactly 1 hour after I turned my notebook on. Chrome was open at the time of the first detection. The computer has a fresh install of Windows 7 and Chrome is not synced with any google account. Firewall was off at the time of the first detection and the IP that MB is detecting the most is 223.71.167.165, with the first detection being on port 7676.

After that, I set my SPI Firewall on high, which apparently allows only these ports:

[Attachment: image.png (screenshot of the router's SPI firewall port list)]

Even after that, I'm still getting more detections, both with Chrome opened and closed, on ports 8646, 40183, 56300, 43193, etc.

I ran an Avast scan that came with no results, and also an ESET scan which also didn't return any results.

My network has 3 computers connected to the router, and also 2 mobile phones. I don't know if that helps, but I remember having MB premium trial on my other computer, and I don't remember it detecting any unusual traffic. It only happens on the notebook, but I can't be certain.

Thank you again

Joako


Hello Joako .

Windows 7 (needless to remind anyone) is past its prime.   It dropped out of support at Microsoft this past January.

The firewalls in new Windows 10 are far better.

What is going on is the bad guys have their bots out on the loose.  They will probe for weaknesses.

So far, the real-time protection of Malwarebytes has STOPPED   any potential harm.    stopped period.

what you may possibly consider is adding a hardware router somewhere in your setup to see if that will help.

On that, I am not a hardware expert & you will need to seek help elsewhere.

.

The Real Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

See the top part of this article  https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

 

In most cases the attempted probes will eventually stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide for the Windows software firewall
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

 

Additionally or alternatively, if this is on Windows 10 PRO  and if you do not need or use Remote Desktop,  you can turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

.

Here is how to block a port number in Windows

https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/

 

How to Change the port number for RDP

https://tunecomp.net/change-remote-desktop-port-windows-10/

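The three things suggested in the reply above (add the probing IPs to the local Windows firewall, turn off Remote Desktop if it is not used, check what is exposed on the probed ports) can be done from one elevated PowerShell session. The script below is an added example written for this page, not code from Malwarebytes or from the linked how-to guides. It assumes Windows 8.1/10 or later, where the NetSecurity cmdlets exist (they are not on Windows 7, where the netsh command in the last comment is the equivalent), and the IP list is the one from the block history earlier in this thread; the rule name is an arbitrary choice.

```powershell
# Added example for this thread; not code from Malwarebytes or the linked guides.
# Assumes Windows 8.1 / 10 or later (NetSecurity module) and an elevated prompt.
# On Windows 7 the firewall part is done with netsh instead; see the last comment.

# 1. What is listening for inbound connections?  An inbound probe to a port
#    with no listener is dropped and is just noise; a listener on a probed
#    port (7676, 8646, 40183, ... in this thread) is what would actually matter.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize

# 2. Remote Desktop: fDenyTSConnections = 1 means RDP is disabled.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDenied -eq 0) {
    Write-Warning 'Remote Desktop is enabled; disabling it and its inbound firewall rules.'
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

# 3. Block the inbound sources from the Malwarebytes block history quoted above.
$probeSources = @('125.212.217.214', '103.253.146.142', '223.71.167.165', '110.45.155.101')
$ruleName = 'Block probe sources (from Malwarebytes block history)'   # arbitrary name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    # Re-running merges new addresses into the existing rule instead of duplicating it.
    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -ne 'Any' }
    $merged = @(@($current) + $probeSources | Sort-Object -Unique)
    $rule | Set-NetFirewallRule -RemoteAddress $merged
} else {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -RemoteAddress $probeSources -Profile Any -Enabled True | Out-Null
}

# 4. Verify: the rule's address list, and that the firewall is on with
#    inbound blocked by default on every profile.
(Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter).RemoteAddress
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Windows 7 equivalent of step 3 (elevated cmd or PowerShell):
#   netsh advfirewall firewall add rule name="Block probe sources" dir=in action=block
#     remoteip=125.212.217.214,103.253.146.142,223.71.167.165,110.45.155.101
```

Blocking individual scanner addresses is only a convenience: the same bots rotate through many sources, so the check in step 1 (nothing listening on the probed ports) and step 4 (default inbound action is Block on every profile) is what actually decides whether an inbound probe can do anything.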

Hello Again Maurice

Based on what you've found, I can say that the issue is not within the computer itself, but the network, which is being targeted by random IPs searching for vulnerabilities, right? My network public IP address is static because of the ISP setting it that way I suppose, and I have a hardware router in my home, but I don't know how to configure it (the router which the ISP gives you in their package, I don't know if you meant that). Should I call them so they can give me a new IP address or a new router? If it's network based, shouldn't the traffic go to every computer, making it visible on the other computers? If you don't know the answer to this because it's not your topic then it's ok and I thank you for taking care to look at my issue.

I will read the guides and switch to Windows 10 as soon as I can.

Thank you very much

Joako


As far as your IP assigned address, check with your ISP.

There is not much we can do for you.  Yes, the  attempted  probes are from the  outside.  

The Malwarebytes for Windows Premium real-time protections stopped the external attempts.

By the way....for the Firewall settings  like in the picture you sent above:

You can put a tick-mark  for "IP Flood detection"


Ok, I will call my ISP so they change my router or factory reset it or something, and they change my IP address

About windows update error 80244019, is it a problem with my misconfiguration or is it because Windows has stopped support for Windows 7 updates?

With this, I don't have anything else to ask so thank you again

Joako


As to Microsoft Windows Update, when was the last time you saw it do a successful update run ?

The FRST64 report reported this from the Windows Event logs:

Error: (08/13/2020 08:56:35 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Error en la extracción de la lista raíz de terceros del archivo .CAB actualizado automáticamente: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> con el error: Se procesó correctamente una cadena de certificados, pero termina en un certificado de raíz no compatible con el proveedor de confianza.

 

which translates to:

Error: (08/13/2020 08:56:35 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User:)
Description: Failed to extract 3rd party root list from auto updated .cab file: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with the error: A certificate chain was successfully processed, but ends in a root certificate not supported by the trusted provider.

 

We can try a procedure one time, to clear out the temporary folder for the Windows Update downloads  & then see if it helps.

Otherwise, if it does not,  I will refer you elsewhere for more help.

 

The system will be rebooted after the script has run.

.

This custom script is for  JoakoFeral  only / for this  machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRST64  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  E: drive

The FRST64.exe tool is already on the E: drive.
Start Windows Explorer and go to where you saved it on the E: drive.


RIGHT-click on FRST64 and select Run as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the More info line on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

[Attachment: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

[Attachment: Fixlist.txt]

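The reply above quotes a CAPI2 event 4107 from the FRST report and proposes clearing the Windows Update download folder. The script below is an added example for this page; it is not the contents of the Fixlist attached to the post and not Malwarebytes or FRST code. It pulls the same 4107 events and any Windows Update client errors straight from the event logs, checks that the authrootstl.cab named in the event can be downloaded at all, and then performs the manual equivalent of the cache reset. It assumes an elevated PowerShell 3.0 or later prompt (Windows 7 SP1 with WMF 3+, or Windows 10); the seven-day window is an arbitrary choice.

```powershell
# Added example for this thread; NOT the contents of the attached Fixlist.
# Assumes an elevated PowerShell 3.0+ prompt on Windows 7 SP1 or Windows 10.

# 1. The CAPI2 4107 root-list failures quoted in the thread, and any Windows
#    Update client errors, so the failure can be compared before and after.
$since = (Get-Date).AddDays(-7)   # arbitrary window
$capi2 = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2'; Id = 4107; StartTime = $since
} -ErrorAction SilentlyContinue)
$wuErrors = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Level = 2; StartTime = $since
} -ErrorAction SilentlyContinue)

"CAPI2 4107 events in the last 7 days: $($capi2.Count)"
$capi2 | Select-Object -First 3 TimeCreated, Message | Format-List
"Windows Update client errors in the last 7 days: $($wuErrors.Count)"
$wuErrors | Select-Object -First 5 TimeCreated, Id, Message | Format-Table -Wrap
# For reference, the code the user saw, 0x80244019, is WU_E_PT_HTTP_STATUS_NOT_FOUND
# in the Windows Update Agent error table: the update server answered HTTP 404.

# 2. The root-list update is fetched over plain HTTP from the URL in the event.
#    Confirm the machine can download it (to a temp file only; nothing is installed).
$authroot = 'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
$tmp = Join-Path $env:TEMP 'authrootstl.cab'
try {
    Invoke-WebRequest -Uri $authroot -OutFile $tmp -UseBasicParsing
    "authrootstl.cab downloaded: $((Get-Item $tmp).Length) bytes"
} catch {
    Write-Warning "Could not fetch authrootstl.cab: $($_.Exception.Message)"
}

# 3. Reset the Windows Update download cache (the manual equivalent of clearing
#    the temporary folder): stop the services, rename SoftwareDistribution, restart.
$services = 'wuauserv', 'bits'
Stop-Service -Name $services -Force -ErrorAction SilentlyContinue
$sd = Join-Path $env:SystemRoot 'SoftwareDistribution'
if (Test-Path $sd) {
    Rename-Item -Path $sd -NewName ('SoftwareDistribution.old-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
}
Start-Service -Name $services

# 4. Kick off a detection pass; re-run the step 1 queries afterwards.
if ([Environment]::OSVersion.Version.Major -ge 10) { & usoclient.exe StartScan } else { & wuauclt.exe /detectnow }
```

The renamed folder is kept rather than deleted so the old download history can be restored if the reset does not help; it can be removed once Windows Update has completed a successful run.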

Hello Maurice

Sorry for not replying earlier. I upgraded to Windows 10 through Microsoft's official website and it allowed me to update the system without any issue, so Windows Update works, and as a matter of fact I haven't encountered a single MB warning about malicious network traffic. I suppose the W10 firewall is strong enough to detect these malicious IPs and block the traffic before it reaches MB's firewall? So for now, I'll contact my ISP about the IP change and consider this issue closed.

Thank you very much for your help

Joako


Hello Joako.

It is very good to know that your machine is now running Windows 10.   Bravo.

The following is just cleanup of the tools we used.

To remove the FRST64  tool & its work files, do this.  Go to your E: drive     .  Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

 

Delete the report file  mbst-grab-results.zip    on the Desktop.

Delete the downloaded file  mb-support-1.7.0.827.exe

 

Stay safe.   I do wish you all the best.

Sincerely,

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
