ARMOURSQUID Posted October 9, 2020 ID:1412946

I keep getting some form of trojan warning every time I open Google Chrome. I don't know what's happening with this, and I ran a few scans with nothing showing up. I will link the FRST.txt file and the Addition.txt file and the scan log, also the adware scan log AdwCleaner[S00].txt, as advised by others on the forum. If anyone can help me it would be great.

Attached: Addition.txt FRST.txt threat_scan.txt AdwCleaner[C00].txt

Maurice Naggar Posted October 9, 2020 ID:1412974

Hi,

My name is Maurice. I will be helping and guiding you, going forward on this case. Let me know what first name you prefer to go by.

It seems like what is happening is some Block notice from the web protection that it has blocked attempts to access a specific IP address. The message-window from Malwarebytes would be showing a green tick mark on that window. That is a visual clue that it is keeping the pc safe from harm. It does 'NOT' mean by that that there is an onboard infection.

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me. Please only just attach all report files, etc. that I ask for as we go along.

I would like you to do a special search. There is the FRSTENGLISH tool in the Downloads folder. We will use that to do a search.

Find & then start FRSTENGLISH.
Type the following (better yet, use COPY then Paste) into the search box exactly as shown, then press the Search Files button:

    SearchAll: reppoflag

Please wait while the program searches for all entries relating to this program. When done, a search.txt log will be saved to the desktop. Please attach this log to your next reply.

Thanks for your patience.

Maurice Naggar Posted October 9, 2020 ID:1412976

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm. A block notice is an advisory of the "block".

A "malicious website blocked" is entirely different from a "malware detected" event. The website Block message indicates that a potential risk was blocked by the malicious website protection.

The Malwarebytes web protection, by default, will always show each IP block occurrence. The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped. No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex: 123.23.34 and 4.44.56).

A browser is not required to be running, just an active Internet connection with processes running, such as Instant messenger clients, SKYPE or Peer-to-peer software, to trigger these alerts. These are also triggered by banner ads running on websites, which is the most common form of alert.

ARMOURSQUID (Author) Posted October 9, 2020 ID:1412978

Hi, you can refer to me as Sam. I did the search and the following came up.

Attached: Search.txt

ARMOURSQUID (Author) Posted October 9, 2020 ID:1412981

Just one thing: it appears that there are different IPs that appear with every connection.

ARMOURSQUID (Author) Posted October 9, 2020 ID:1413013

2 hours ago, Maurice Naggar said:

    For Your Information: The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm. A block notice is an advisory of the "block". A "malicious website blocked" is entirely different from a "malware detected" event. The website Block message indicates that a potential risk was blocked by the malicious website protection. The Malwarebytes web protection, by default, will always show each IP block occurrence. The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC. See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true Incoming block notices can be ignored; our software is blocking the threat and there is nothing more that can be done. On Outbound blocks, any attempted connection was stopped. No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex: 123.23.34 and 4.44.56). A browser is not required to be running, just an active Internet connection with processes running, such as Instant messenger clients, SKYPE or Peer-to-peer software, to trigger these alerts. These are also triggered by banner ads running on websites, which is the most common form of alert.

I noticed different IPs that are connected, some longer than others. I attached the pictures in a previous reply.

Maurice Naggar Posted October 9, 2020 ID:1413059

Hi, Sam!

Thank you very much for the Search log of FRST. The "reppoflag" is simply not found (e.g. mentioned) in the system registry; nor does it appear as a file.

The screenshots above do show that these events are occurring when Chrome is in use. I would like you to see about stopping using Chrome and instead use the EDGE browser for the balance of this case.

You have already run Adwcleaner so we won't be re-running that.

I am going to list here a few steps that I would like you to proceed with. Do all of them, as much as you can. Do not stop unless you have a question. That is to say, do as much of all this that you can.

I do think that this "reppoflag" is a form of malvertising. Again, the pc is protected by the real-time protections of Malwarebytes. There is most likely no onboard actual malware.

[ 1 ]
Set the Chrome "sync" to OFF.
Use Chrome browser to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button.
At the prompt click on "Ok".
After we are all finished with this case, you may, if you wish / if you need to, turn the Google Sync back On.

[ 2 ]
For Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys on keyboard to get the menu for clearing browsing data:
Check mark the line "Browsing history"
Check mark the line "Download history"
Check mark the line "Cached images and files"
and press the Clear Data button (in blue).

[ 3 ]
After that, make real sure that Chrome is "NOT" set to reload the pages from the last session.
Go into the settings menu of Chrome by first clicking the control icon of Chrome on the upper right of the address bar.
Then look deeper in SETTINGS.
Make real sure it is "NOT" set to "continue where you left off".

[ 4 ]
I suggest you install the Malwarebytes Browser guard for Chrome.
To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee
Then proceed with the setup.
Close Chrome when done. Just be sure it is closed before you press Scan on the next section below.

[ 5 ]
I am enclosing a custom script here to clear out the Chrome cache, to run the Windows System File Checker and the Windows DISM tool (to just check the operating system), and to rebuild the Winsock.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this. The system will be rebooted after the script has run.

This custom script is for Armoursquid only / for this machine only.

Close and save any open work files before starting this procedure. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.

Start Windows Explorer and then go to the Downloads folder.
RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Keep me advised. Have patience, as we likely will need to explore other things.

Attached: Fixlist.txt

ARMOURSQUID (Author) Posted October 10, 2020 ID:1413178

Hi

This will hopefully be the last time I post on this thread. So I did all of the steps that you listed above and when I finished with the script it generated a fix log which I will attach. I also noticed that the file that was listed in the report was the Google Chrome app, so I performed a clean reinstall of the app, uninstalling the app and the x86 files that it was in. I then reinstalled the app and found that the issue is gone. I performed some checks and ran the adware cleaner and the Malwarebytes app and found nothing. So I hope the issue is fixed.

You have been great help, thank you

Sam

Attached: Fixlog.txt

Maurice Naggar Posted October 10, 2020 ID:1413196

Hello. Thanks for the log. That run is good.

I had not requested, nor expected that you would have done a Chrome browser uninstall > reinstall. However, that is one method that has been used by others who had the same original situation. You should expect to not have a re-occurrence.

I suggest you do these follow-ups.

Here are tips on keeping your web browsers safer. Make time and read all of this. Apply the tips.

See this article on our Malwarebytes Blog: https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera. Scroll down to the tips section "How do I disable them".

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome.
To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee
Then proceed with the setup.

Also, I would suggest that you do a manual Quick Scan with the Windows Defender Antivirus.
https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-security

And:
Go to the Windows taskbar.
Look for the search box.
Type in security and maintenance and click on it.
Look for the section (in blue) Security.
Click on the down-arrow to expand.
Then you will see a screen like this.

Kindly let me know if you need other help.

Sincerely.

AdvancedSetup (Root Admin) Posted October 15, 2020 ID:1414265

Hello @ARMOURSQUID

Are you still with us? Please post a status update when you have a moment.

Thank you

ARMOURSQUID (Author) Posted October 15, 2020 ID:1414313

4 hours ago, AdvancedSetup said:

    Hello @ARMOURSQUID Are you still with us? Please post a status update when you have a moment. Thank you

Hi

Thank you for following up. I'm happy to say that the issue has been resolved. I tried all of the solutions and they all worked, thankfully. Thank you for your help.

Maurice Naggar Posted October 15, 2020 Solution ID:1414404

Hello. I am glad to read the good news about the status of this PC.

To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.

My very best wishes to you.

Sincerely.

Maurice Naggar Posted October 15, 2020 ID:1414405

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you