Jump to content

Recommended Posts

Hello, sorry if is here the same topic. 

I was searching some info about my school and clicked at some infected website, allowed something (if you are not robot, click allow) and I saw some naughty ads as a notifications. So I watched a tutorial how to remove a website from chrome, that was responsible for these ads. It haven't showed again. For sure I downloaded MalwareBytes and scanned PC, it didn't find anything. But on some sites MalwareBytes shows 'Website blocked'. It was a trojan through port 80. I found a tip on the internet and downloaded Adwcleaner. It found PUP.Optional.Legacy as a threat, so I deleted it. I restarted PC and MalwareBytes showed 'Website blocked' again, but now is it a fraud through port 443. So I ran Adwcleaner again and it didn't find anything.

image.png.0d5e60c617643aff0b14fc67c4fd4d41.png

Log 1:

---------------------------------------------------------------------------------------------------------------

-Properties of log file-
Date: 07.09.20
Time: 15:03
Log file: 822855cc-f10a-11ea-b6a3-40167e9c6def.json

-Software info-
Version: 4.2.0.82
Component version: 1.0.1036
Update of component package: 1.0.29563
Licence: Trial

-System info-
OS: Windows 10 (Build 19041.450)
CPU: x64
File system: NTFS
User: System

-Properties about blocked site-
Malicious website: 1
, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, , 

-Website data-
Category: Trojan
Domain: webgarden.name
IP Adress: 78.24.14.148
Port: 80
Typ: Outgoing
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(end)

---------------------------------------------------------------------------------------------------------------

Log 2:

-Properties of log file-
Date: 07.09.20
Time: 15:18
Log file: 979ecb00-f10c-11ea-aafa-40167e9c6def.json

-Software info-
Version: 4.2.0.82
Component version: 1.0.1036
Update of component package: 1.0.29563
Licence: Trial

-System info-
OS: Windows 10 (Build 19041.450)
CPU: x64
File system: NTFS
User: System

-Properties about blocked site-
Malicious website: 1
, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, , 

-Website data-
Category: Fraud
Domain: ntvsw.com
IP Adress: 88.208.60.53
Port: 443
Typ: Outgoing
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(end)

---------------------------------------------------------------------------------------------------------------

On edge browser is it the same.

Is it a fake warning? Or is anything alright?

Sorry for my english and thanks for answers.

Link to post
Share on other sites

Hello    :welcome:

My name is Maurice.  Let me know what name you prefer to go by.

 

The real-time protection of Malwarebytes is keeping the system safe.  It is advising you of that.  

The "potential" threat is Stopped.    The system is being protected.

The I P  addresses   78.24.14.148    &  88.208.60.53   are some of those  the Malwarebytes researchers have identified  as having threats on their address.

The web protection / Malwarebytes real-time protection is keeping the pc safe from potential harm.   Whatever "it" was, it is STOPPED.

Lets first get a full report set so I can see more details about this system.   

.

I would appreciate  getting some key details from this machine.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
  
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.7.0.827.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

.

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes Premium is keeping your pc safe from potential harm.

A block notice is an advisory of the "block".   The web protection has STOPPED any potential harm.

 

It  indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each  block occurrence.

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

Sincerely,

Maurice

Link to post
Share on other sites

Thanks.   Lets start out with what is listed below.   We will do a lot more later on.

[   1    ]

There is one setting in Malwarebytes that needs to be off.   So that the Microsoft Windows Defender is all enabled.   The  trial  protections of Malwarebytes will still be on.
Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center 
Click the Security Tab. Scroll down to 
"Windows Security Center"
Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

(  all the way to the left is OFF  position )
Close Malwarebytes when done.
 

[   2   ]

Set the Chrome "sync"  to OFF.

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

 

After we are all finished with this case, you may if you wish / if you need to /  turn the Google Sync back On.

[   3   ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

[   4   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking  the control icon of Chrome on upper right of the adress bar

Then look deeper in SETTINGS

image.png.bfcbff4c25a7a1a131de4b71555efd0c.png

 

Make real sure it is "NOT" set to "continue where you left off"

.

[   5   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[   6   ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

We will do more later after this.

Sincerely.

Edited by Maurice Naggar
Link to post
Share on other sites

OK.   Lets do one new Scan with Malwarebytes for Windows.   To run a Threat Scan, open Malwarebytes for Windows and click the blue Scan button. 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

[     2     ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.
Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.
Adwcleaner  detects factory Preinstalled applications too! 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner 

 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).
Then click on Dashboard button.
Click the blue button "Scan Now".

allow it a few minutes to finish the Scan.   Let it remove what it finds.
NOTE:  When it comes to the section "
Pre-installed applications

You can skip that.
Please find and send the Adwcleaner "C" clean report.
In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".
Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs
Thanks.  Keep me advised.
 

Link to post
Share on other sites

Good afternoon.   Thank you for the reports.   The result from the Malwarebytes for Windows scan is very good.   No malware / no P U P

The Adwcleaner is very good also.   No adware.

.

I noticed in the FRST reports that this system had had in the past, Avast antivirus.   There are some traces of it left behind.   We need to get that cleaned up in order to prevent potential conflicts.

run the cleanup tool for Avast to insure no remains are left behind.

Please get, save, & then run the Avast uninstall tool

https://support.avast.com/en-us/article/Uninstall-Antivirus-Utility/

.

[     2      ]

Next, I would to run this custom script just to insure that the Windows Winsock is set to  fresh normal settings.   It will also run the Windows System File Checker app to check the system,  and do a quick scan with the Microsoft Windows Defender antivirus.

It will not take a lot of time.   The system will be rebooted after the script has run.

.

This custom script is for  HAUU  only / for this  machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRSTENGLISH  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the Downloads folder

The tool named FRSTENGLISH .exe   tool    is already on the Downloads
Start the Windows Explorer and then, to Downloads folder


RIGHT click on  FRSTENGLISH     and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Fixlist.txt

Link to post
Share on other sites
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.