Jump to content

Computer showing Signs of Infection


Recommended Posts

Hello,

My Computer has recently been showing Signs of Infection. Random Malicious Websites being blocked by Malwarebytes when going to common trusted Websites like Youtube, etc.

Malicious Websites being blocked when sometimes connecting to TeamSpeak3 Servers.

I seem to have fixed the Browser Issue by reinstalling Chrome, which led me to believe that it was just my Browser that was hijacked, But it still happens on Internet Explorer and i never use that, so i dont know how that could have gotten infected aswell. This must be my System.

Running a Full Scan with Malwarebytes finds nothing, AdwCleaner also finds nothing but 2 preinstalled ASUS Programs (I googled those and they seem to be a false positive and just fine), A full scan on Windows Defender also finds nothing.

I have also been noticing recently that my CPU has been performing worse than it should be.

What other Scanners should i try? I am SURE that i am infected.

Link to post
Share on other sites

Hello    :welcome:

My name is Maurice.  Let me know what name you prefer to go by.

 

The real-time protection of Malwarebytes is keeping the system safe.  It is advising you of that.  

The "potential" threat is Stopped.    The system is being protected.

You report that the scan with Malwarebytes for Windows reported no malware / no P U P   & the same with Windows Defender.

You describe a few things.   Lets first get a full report so I can see just exactly what the block messages are about.

Slow machine can be due to other reasons / other factor.   Lets go slow  and take one thing at a time.

 

We have to see the detection logs in order to have full details about these Block event notices.

The web protection / Malwarebytes real-time protection is keeping the pc safe from potential harm.   Whatever "it" was, it is STOPPED.

 

I would appreciate  getting some key details from this machine.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
  
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.7.0.827.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

.

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes Premium is keeping your pc safe from potential harm.

A block notice is an advisory of the "block".   The web protection has STOPPED any potential harm.

 

It  indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each  block occurrence.

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

Sincerely,

Maurice

Link to post
Share on other sites

Hello,

Thanks for the Quick Reply. My name is Marcus.

Here are some of the Blocked Connection Logs that occured in different Scenarios. (TeamSpeak3, Steam???, CurseForge)

TeamSpeak3 was downloaded off the official Site.

I also did what you told me to with the Support Tool. Heres the Log for the Support Tool aswell.

mbst-grab-results.zip

log5.txtlog4.txtlog3.txtlog2.txtlog1.txt

Link to post
Share on other sites

Also, i am aware that the Malicious Connections are being Blocked, but they shouldnt be happening in the First Place.

I highly doubt there is some Connection Exploit on TeamSpeak that is able to automatically connect to Sites when entering a Server, or that CurseForge is hijacked. Something in my System or Browser is probably trying to do these Connections.

Link to post
Share on other sites

Thanks for the zip file from the support tool.

The very most recent block events are IP  blocks

Block on   64.58.121.60         "craftprimes.com"

Block on IP  172.241.69.28     "craftprimes.com"     ....that IP address is showing as from the Netherlands

.

I would like for you to do a new download of Adwcleaner  to insure your machine has the very latest.

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.
Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.
Adwcleaner  detects factory Preinstalled applications too!

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 
Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).
Then click on Dashboard button.
Click the blue button "Scan Now".

allow it a few minutes to finish the Scan.   Let it remove what it finds.
NOTE:  When it comes to the section "
Pre-installed applications

You can skip that.
Please find and send the Adwcleaner "C" clean report.
In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".
Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs
Thanks.  Keep me advised.

 

Link to post
Share on other sites

Hi,

Heres the AdwCleaner log.

As expected, it only finds the 2 Preinstalled ASUS Thingies.AdwCleaner[S04].txt Those are obviously fine.

 

The weird Craftprimes Connection happend when opening a specific CurseForge Page.

Doesnt happen on that Page anymore after having reinstalled Chrome, which leads me to believe that my Browser was hijacked, But still happens on Internet Explorer, but as far as i know there is no way to uninstall / reset Internet Explorer. I mean, i dont use Internet Explorer anyways, but i still dont want it to stay hijacked.

Link to post
Share on other sites

Thanks for the Adwcleaner report.   That program does flag some manufacturer add-on apps   ( in this case, some from Asus).   You can disregard those, just like you have done.  So we can put that tool to rest.

.

We do not do any uninstall / re-install of Internet Explorer.   You can delete the Cache files and history of Internet Explorer by doing what I list below.

It is a bit of a challenge but do-able.

Press & hold the Windows-logo key on the keyboard & tap the R key  to get the RUN option box.

On that run box, Copy and then Paste the following line verbatim   ( as is )

C:\Program Files\Internet Explorer\iexplore.exe -extoff

and tap Enter-key.   This will start IE browser in its safe mode.

Once IE is running, you will do the following to delete the history and cache files.

Press and hold the ALT-key on keyboard & then tap the T key  to get the TOOLS menu

Now scroll with your mouse and click on Internet Options

Look at the General tab.   Make real sure no odd / weird link-address is there in the box for Home page.

Look down in the section for Browsing History

Put a tick mark in the box  for "Delete browsing history on Exit".

Click the Delete button

You want to have a tick mark on these lines

Temporary internet files and website files

History

Download history

Then click the Delete button

Then on the following tab, click the OK button

Close  ( exit)  Internet Explorer

.

Next do these steps to beef up the browsers on this pc.

[   1   ]

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[   2   ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

[   3   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking  the control icon of Chrome on upper right of the adress bar

Then look deeper in SETTINGS

image.png.bfcbff4c25a7a1a131de4b71555efd0c.png

 

Make real sure it is "NOT" set to "continue where you left off"

.

[   4   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[   5   ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

Let me know how things go after this.

Cheers.

Link to post
Share on other sites

Cheers,

In the Homepage Box theres only the standard go.microsoft.com Adress.

Did what you told me to with IE, i checked temporary files, history, download history, and in addition i also checked to delete all cookies.

On Chrome, did what you told me to aswell, Reset the Sync, cleared absolutely everything in browsing data (there was nothing of importance to me anyways so i just went to advanced and checked absolutely everything)

Chrome is not set to reload the last page.

I also followed the Article and completely blocked any Notifications in Chrome aswell. 

Thanks, will try the Browser Guard.

Unfortunately, it seems that the Internet Explorer thing didnt Work. Weird Craftprimes IP still gets blocked on that random CurseForge Page.

Huh, i just tried, its happening on Chrome again aswell.

 

Link to post
Share on other sites

Two things.   ( A )  It helps to know what you were doing with the browser  at the moment of the event.

( B )   Get fresh report with the Support tool that you already have.

open your Downloads folder
    Double-click mb-support-1.7.0.827.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Link to post
Share on other sites

Installed the Browserguard now, Works like a Charm, blocks Ads and also blocks that weird Craftprimes Connection on CurseForge.

I was just browsing through CF when it first happend. One particular Page then showed that Craftprimes.com was blocked.

Ive actually had this happen before on another CF Page, but i dont remember which Page it was and it was some other Trojan / Malware blocked, not Craftprimes.

Also, i can see that the MB Support Tool has an integrated Version of FRST.

Heard thats a good Scanner appearently. Does it show anything detected?

Also heard of ESET once. Should i try a Scan with ESET, whatever that is?

mbst-grab-results.zip

Link to post
Share on other sites

Good morning.   I hope you are doing well this weekend.

Thanks very much for sending the Support-mbst zip file.    The FRST is just a tool that helps us to see what is running, what is scheduled to be run & other diagnostic type data.  It is not one that automatically determine infection status.   As to the ESET I can guide you on running that much later.

I did not spot a obvious indicator of a infection.

First some housekeeping that needs doing.  Just keep going down this list and do all the steps.

[    1    ]

Set the Windows 10 to show all hidden folders.   Use the Option Two as in this article at Tenforums

https://www.tenforums.com/tutorials/9168-show-hidden-files-folders-drives-windows-10-a.html

.

[    2    ]

There is one setting in Malwarebytes that needs to be off.   So that the Microsoft Windows Defender is all enabled.   The Premium ( or trial ) protections of Malwarebytes will still be on.
Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center
Click the Security Tab. Scroll down to
"Windows Security Center"
Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center"

{   we want it OFF  .....all the way to the left-side }

 

Next, click the General tab.   Now click on the "Check for Updates"   and follow all prompts.   Do as it guides you.

We want to be sute it has all the very latest updates.
Close Malwarebytes when done.


[     3    ]

The following custom script is intended to clear out the cache sections of Internet Explorer & Chrome & to run the Windows System File Checker tool and to run a quick scan with the Microsoft Windows Defender.

The system will be rebooted after the script has run.

.

This custom script is for  Marcus024  only / for this    machine only.

 
Close and save any open work files before starting this procedure.    This will do a Windows Restart.

I am sending a    custom Fix script which is going to be used by the FRST  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH .exe   tool    is already on that folder
Start the Windows Explorer and then, to the that folder.


RIGHT click on  FRSTENGLISH     and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.    We can do more later on.

Fixlist.txt

Link to post
Share on other sites

Greetings,

Enabled Show Hidden Folders.

Disabled The Registering of Malwarebytes Thingy.

Checked for Updates. MBAM is at the newest update.

Saved the Link to the Downloads Folder.

Ran FRSTEnglish As Administrator.

It said something about Update complete, just klicked Okay.

Klicked Fix and waited for it to run.

It restarted, and then CCleaner asked to make changes (UAC.) I klicked Yes? Was that a bad thing? Doesnt seem like it did anything. I thought it was part of the Script. 

heres the fixlog.txt.

 

Fixlog.txt

Link to post
Share on other sites

On the CCleaner,  I would suggest that you not have CCleaner running in a task.

Thanks for the Fixlog report.  The run is good.  The IE browser cache  & the Google cache have been cleared.

How are things now at this point ?   Specifically, is there new Block notices since the last Windows Restart ?

Link to post
Share on other sites

Browser Guard still blocks Craftprimes.com on that CurseForge Page. https://www.curseforge.com/minecraft/mc-mods/immersive-railroading

This time, Windows Firewall popped up saying it blocked some Features from Chrome when opening that Page. I just klicked Cancel and didnt allow it private or public network stuff.

Im starting to doubt this whole Thing. Maybe that specific Page has been hijacked somehow?

CurseForge is usually a safe Site, its owned by Twitch.

I also noticed something. When first opening Task Manager, the CPU usage shows something like 60-80% for a split second, displaying everything thats running at 0,0% for that duration and then jumps back to normal idle CPU usage (about like 5%.) Is that normal?

 

Link to post
Share on other sites

I just noticed something else.

After the Script ran and did its thing and the PC restarted, my Desktop Icons for Twitch and GTA V shortcuts are gone. Its just blank and they dont work anymore. Launching Twitch directly doesnt work anymore. It seems like it corrupted or deleted those two for some reason.

 

 

Link to post
Share on other sites

To your last point about Task Manager, you need to totally not pay attention to the percentage  for like at least one minute.   The very intial display is NOT the real deal.  You need to let the app settle down.

.

as to cyreforge or craftprimes  .....are you visiting the site directly .....yourself ?

Link to post
Share on other sites

What do you mean by that?

Of course im not directly visiting craftprimes.com.

I am directly visiting CurseForge, whats wrong with that? Its an official Game Modding Website by Twitch.

That weird Craftprimes.com Connection tries to connect and gets blocked when opening that specific CurseForge Page.

Link to post
Share on other sites

When I do a test with my Firefox  to  https://www.curseforge.com/ I do not get a block message  or see any weird message.

What page do you go to ?

and if you get a Block message notice,  look close at the content of the message  and the option buttons on that window.

Link to post
Share on other sites

I dont get anything on https://www.curseforge.com either. It is only on that specific Page that the weird Craftprimes thing happens for some reason: https://www.curseforge.com/minecraft/mc-mods/immersive-railroading

I dont get Website blocked Messages from Malwarebytes anymore, as the Browser Guard already picks up and blocks the Connection before Malwarebytes itself notices and blocks it.

 

Link to post
Share on other sites

On that link   https://www.curseforge.com/minecraft/mc-mods/immersive-railroading    I also get a block notice after I go to it

As long as you are not prevented from doing what you need to do,   there is not much that can be done.

The block notice means that any potential harm was STOPPED.

.

About the 2 desktop shortcuts you mentioned earlier,   we can run this next procedure to see about getting them back.

First, delete the prior copy that I had you save for Fixlist.txt file   on the Downloads folder.

I am attaching a new one with this reply.

The system will be rebooted after the script has run.

.

This custom script is for  Marcus024  only / for this    machine only.

 
Close and save any open work files before starting this procedure.    This will do a Windows Restart.

I am sending a    custom Fix script which is going to be used by the FRST  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH .exe   tool    is already on that folder
Start the Windows Explorer and then, to the that folder.


RIGHT click on  FRSTENGLISH     and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Fixlist.txt

Link to post
Share on other sites

Wait, youre also getting a block notice?

So thats not just me having a hijacked Browser or something?

Well this changes everything, guess ill try to contact Curse about that, that doesnt seem right if thats something on their End...

I already deleted the corrupted Shortcuts as trying to execute them obviously said the standard response "this shortcut leads to a file that seems to have been moved or deleted bla bla bla delete this shortcut etc." will that screw up the Fixlist?

Link to post
Share on other sites

Go ahead and do the Fixlist procedure.   That should do ok.

As to the website link,  that website page has some sort of content that tries to go to "craftprimes (dot)  com"  which is tagged as having malicious content.

The block is on IP 64.58.126.136.    The outbound connection attempt is stopped.

The Malwarebytes program stops the attempt.  Malwarebytes is keeping your system safe.

 

Link to post
Share on other sites

Okay so that kind of only partially worked, Twitch now launches on startup again and it seems to be there but there is no Shortcut and its not being shown up as an installed App.

Not that big of a deal really, was planning to uninstall GTA V anyway (havent played that in Ages and not planning to, is just taking up unnecessary disk space)

Ill just backup my Twitch Files and reinstall Twitch.

Apart from that, i think we are done here

 

Fixlog.txt

Link to post
Share on other sites

Thank you for the Fixlog report.   We can wrap up this case.   I am marking the case for closure. 

 First, a few cleanups.

To remove the FRST  tool & its work files, do this.  Go to your  Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

Delete mbst-grab-results.zip   on the desktop

Delete the downloaded file  mb-support-1.7.0.827.exe

Any other download file I had you save, you may delete.

.

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Stay safe.  I wish you all the best.   😎

Sincerely,

Maurice

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.