
I believe I'm infected.


Solved by Maurice Naggar


Please do note that I have no experience with forums or technicians, so if you need me to send anything please give me detailed instructions.

I have read the 'I'm infected, what next' post, however, so attached are the files mentioned there.

What happened is I clicked a link that was supposed to bring me to an artist's website, but it instead led to a sham 'your computer is infected' type of website. I closed out of there, but an HTML file was downloaded without permission and Windows Defender supposedly blocked a few things.

After all that, I was scared and rushing to get Malwarebytes on this computer, as I've used it before and it works stunningly well, but I accidentally clicked on a link that brought me to a fake Malwarebytes website. That link was, I believe, www.malwarebytes.digital, and I downloaded the software listed on the page, promptly running it.

It never opened, and when looking at the downloaded app's details, there was text in another language, and it was nothing short of unofficial.

After actually downloading the proper, legit software, I did a scan (malwarebytes - initial scan.txt), and Malwarebytes found 102 files, folders and bits that were infected. I just quarantined and deleted them, thinking no more of it until I started getting repeated RTP detection notifications, first from the IP 217.8.117.29, followed by a website named telete.in.

I've never visited these websites? But after rebooting my computer it all stopped. However, just today it started up again, now with the initial IP being the same, but all of the following reports at 37.1.206.213.

I did another scan today, which is listed as the recent scan in the attachments below.

If anyone can let me know what is going on, that would be great. I will try my best to reply ASAP.

Addition.txt FRST.txt malwarebytes log - recent scan.txt malwarebytes log - initial scan.txt


Hello

My name is Maurice.  Let me know what name you prefer to go by.

 

The real-time protection of Malwarebytes is keeping the system safe.  It is advising you of that.  

The "potential" threat is Stopped.    The system is being protected.

The most recent scan with Malwarebytes for Windows reported no malware / no PUP. The one earlier did find and remove a goodly amount of PUP type things. Those were a bunch of adwares & a pest "Searchmanager".

 

You describe a few things. Let's first get a full report so I can see just exactly what the block messages are about.

Let's go slow and take one thing at a time.

 

We have to see the detection logs in order to have full details about these Block event notices.

The web protection / Malwarebytes real-time protection is keeping the pc safe from potential harm.   Whatever "it" was, it is STOPPED.

 

I would appreciate getting some key details from this machine.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool

Once the file is downloaded, open your Downloads folder/location of the downloaded file.
Double-click mb-support-1.7.0.827.exe to run the report.

Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".

You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.

Place a checkmark next to Accept License Agreement and click Next.
Now click the left-hand side pane "I do not have an open support ticket".

You will be presented with a page stating, "Get Started!"
Do NOT use the button "Start repair"! But look instead at the far-left options list in black.

Click the Advanced tab on the left column.

Click the Gather Logs button.

A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.

Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.

Please attach the ZIP file in your next reply.

.

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes Premium is keeping your pc safe from potential harm.

A block notice is an advisory of the "block".   The web protection has STOPPED any potential harm.

 

It  indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each block occurrence.

The Malwarebytes web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

Sincerely,

Maurice


Thanks for the report zip file. The Block notices are a visual advisory that the Malwarebytes web protection is keeping the pc safe from potential external threats.

The most recent IP block events are on IP 37.1.206.213, which is in the Netherlands.

An IP address is a unique string (most usually a set of numbers with dots) that identifies each computer using the Internet Protocol to communicate over a network.

First, to mention a couple of other tips. When you are finished with your computers at end-of-day, it will help a lot to do Windows "shutdown" on each machine. Being shut down means your systems can't be sensed.

Keep in mind these involve automated bots.

.

The block events are on IP addresses that the Malwarebytes researchers have determined as containing harmful content.

 

You can block one or more IP addresses in the Windows 10 Windows Firewall by setting a new Inbound Rule.

See https://www.cm3solutions.com/block-ip-address-ip-range-using-windows-firewall/

 

To get started go to Control Panel >> System and Security >> Windows Defender Firewall, and then on the left side list, click on Advanced Settings,

then follow the example in the article cited above.
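The same firewall block as the article describes, done from an elevated PowerShell instead of the Advanced Settings GUI. This is an added example, not part of Maurice's reply or of the cited article. It creates the rule in both directions, because a rule that only covers Inbound does nothing for a connection that a process on the PC itself tries to open towards the address (the outbound blocks Maurice mentions earlier), and it ends with the check a practitioner wants before concluding the rule is not working: that the action really is Block, that the rule is enabled, and that the address filter carries the addresses you meant. The two addresses are the ones reported in this thread; the rule name is an assumption.

```powershell
# Added example (not from the thread or the cited article): block known-bad
# IPs in Windows Defender Firewall in BOTH directions and verify the result.
# Run from an elevated PowerShell (Run as Administrator).

# The addresses the thread reports in its Malwarebytes block notices;
# replace with whatever your own notices show.
$BlockedIps = @('217.8.117.29', '37.1.206.213')
$RuleName   = 'Block-Reported-Bad-IPs'   # assumed name, pick your own

function Set-BadIpBlockRules {
    param([string[]] $Ips, [string] $Name)

    # Remove any earlier copy of the rule so re-running the script is safe.
    Get-NetFirewallRule -DisplayName "$Name*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    foreach ($dir in 'Inbound', 'Outbound') {
        # -Action Block is the setting the GUI walkthrough asks you to pick;
        # -Profile Any means the rule applies on Domain, Private and Public networks.
        New-NetFirewallRule -DisplayName "$Name ($dir)" `
            -Direction $dir `
            -Action Block `
            -RemoteAddress $Ips `
            -Profile Any `
            -Enabled True | Out-Null
    }
}

function Get-BadIpBlockRuleStatus {
    param([string] $Name)

    # One row per rule: direction, action, enabled flag and the remote addresses
    # actually stored in the rule's address filter.
    Get-NetFirewallRule -DisplayName "$Name*" | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action      # must read "Block"
            Enabled   = $_.Enabled     # must read "True"
            Remote    = ($addr.RemoteAddress -join ', ')
        }
    }
}

Set-BadIpBlockRules -Ips $BlockedIps -Name $RuleName
Get-BadIpBlockRuleStatus -Name $RuleName | Format-Table -AutoSize
```

New rules apply to new connections immediately; a connection that was already established when the rule was added is not cut, which is one reason a restart, as suggested later in the thread, makes the result easier to read. If the status table shows Action as Allow, or only one direction, the rule was not created the way the walkthrough intends.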


Hey, Maurice.

Keeping this all in mind, I will now begin to shut down my computers at the end of the day.

Anyways, the IP rule does not seem to be taking effect. I set up the rule a few minutes before taking this screenshot, but as you can see, the connections are still coming through. Is there something I'm missing? Should I reboot my computer?

[screenshot attached]

Thanks,

Pab


Yes, you should Restart the pc. But also, when you are done for the day, make sure that you do a SHUTDOWN. That way your machine goes off the radar of the bad-guys.

 

Are you real real sure you followed all the steps in the guide article? Are you sure you picked BLOCK as the action?


So, I've gone and rebooted my pc (and set a daily alarm so I remember to shut it off).

Just to be sure, I went back through and followed the guide exactly again, to no avail. I've blocked all the IPs that have been blocked by Malwarebytes, yet 37.1.206.213 is still trying to connect to my computer.

I have no idea what is going on; it should all be perfectly fine.

[screenshot attached]

I am 100% sure it is set to block, as well.


Hi. The probers use automated bots. When you are not using the pc for a considerable period, then Shutdown Windows.

.

Let's do a one-time scan just to get a 2nd opinion.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.
If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for "periodic scanning".
 
 


Hey, Maurice. Sorry it's been a while, but I am back, and when I opened my laptop (from the shut-off state it had been in for 5 days) Malwarebytes detected 6 new harmful files. I linked the txt file for that scan below.

Aside from that though, I grabbed ESET and ran its scan. Those results are also below. As well, the connections are still being blocked from before (same IP). However, my trial is running short. Will Malwarebytes continue to protect me from those connections once that ends?

 

9-4-20 malwarebytes.txt eset.txt


Good morning. Thanks for the reports.

If you want the real-time Premium protections of Malwarebytes, you will need to get a Premium license.  Otherwise, the trial period ends 14 days after the date of install.

The scan run by Malwarebytes for Windows did find several threats, including this trojan:

Trojan.Dropper.SFX, C:\USERS\EVERE\APPDATA\LOCAL\TEMP\RAR$EXA34528.10784\MALWAREBYTES.EXE

The ESET scan found 1 other trojan & a hacktool: CheatEngine681.exe, a variant of Win32/FusionCore.AG potentially unwanted application, a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application, a variant of Win32/FusionCore.T potentially unwanted application; cleaned by deleting.

.

Free games & free programs are like "candy". We do not accept them from "strangers".

Some "free game stuff" can be bundled with malware, & in the worst case it can lead to the encrypting infection of a ransomware.

Be very extremely careful what you download !

.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

.

I suggest running a special script with the main goal of cleaning up by deleting the contents of temporary folders. This will also run a quick scan with the Microsoft Windows Defender antivirus, and run the Windows System File Checker app.

Please close all open work (if any) and save any documents that you may be working on at this point. That is to say, close all your programs.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the script has run.

.

This custom script is for PAB43 only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select Save link as, and save it directly (as is) to the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRST64 and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

[screenshot: the FRST window with the Fix button]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Fixlist.txt
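Maurice's advice above is to be very careful what you download, and the opening post describes exactly how that goes wrong: an installer fetched from a lookalike domain that never opened, and a trojan later found under a MALWAREBYTES.EXE name in a temp folder. One concrete check a user can do on Windows before double-clicking any installer is to look at its Authenticode signature and at where the browser says the file came from. This is an added example, not code from Maurice, from Malwarebytes or from any tool in this thread; the file path and the publisher name are placeholders you substitute with your own download and the vendor's real signing name (which you take from the vendor's own site or from a known-good copy of their installer).

```powershell
# Added example, not from the thread: check a downloaded installer before running it.
# Assumptions: $Path is the file you downloaded; $ExpectedPublisher is the Common
# Name (CN) the real vendor signs with (placeholder, not taken from the thread).

function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # 'Valid' means the certificate chain verifies AND the file's hash matches the
    # signature. NotSigned, HashMismatch, NotTrusted or UnknownError all mean the
    # file is not what the publisher shipped, or is not from that publisher at all.
    $statusOk    = ($sig.Status -eq 'Valid')
    $publisherOk = ($subject -match ('CN=' + [regex]::Escape($ExpectedPublisher)))

    # Zone.Identifier is the "mark of the web" the browser attaches to downloads.
    # It records the URL the file came from, so you can compare it with the site
    # you meant to visit (a lookalike domain shows up here).
    $origin = '(no mark-of-the-web)'
    try {
        $origin = (Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop) -join ' '
    } catch { }

    [pscustomobject]@{
        File    = $Path
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Status  = $sig.Status
        Signer  = $subject
        Origin  = $origin
        Verdict = if ($statusOk -and $publisherOk) { 'signature OK' } else { 'do NOT run' }
    }
}

# Usage (placeholders; substitute your own download and the vendor's real signing name):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\<installer>.exe" -ExpectedPublisher '<vendor CN>'
```

A "do NOT run" verdict is the cue to delete the file and fetch the installer again from the vendor's own site; the SHA256 column is there so it can be compared against a hash the vendor publishes, where they do.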


All right. Thanks. That was worthwhile, and the System File Checker app found no integrity issue as far as Windows' key system files.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for "periodic scanning".
 
 


Cleanups:

Delete the downloaded file mb-support-1.7.0.827.exe in the Downloads folder.

Delete mbst-grab-results.zip on the Desktop.

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe.
Then run that (double click on it) to begin the cleanup process.

 

Delete the ESET download file esetonlinescanner.exe.

Anything else that I had you download, you may delete.

 

I do wish you all the best.

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
