I'm infected - Constant pop-up website blocked because of Trojan

[WouterS]

Hi,

I am using Malwarebytes and I am getting constant pop-ups that websites are being blocked because of a Trojan. I recently downloaded some adware unfortunately, so I am aware where it came from. I've tried getting rid of all these files and I think I got rid of most of them, however I still got the trojan message. After some research on these forums I've gathered several logfiles. I have added several adwarecleaner logfiles, namely the first where I got a lot of hits and the second where I got zero hits (ignoring the pre installed software from lenovo which came with my laptop). 

Yesterday I've run some scans using malwarebytes and the scan deleted 33 infected files. However, I did not save the logs at that moment and reinstalled malwarebytes today so I believe that log is gone, unfortunately.

 

I look forward hearing from you,

With regards,

Wouter

Addition.txt AdwCleaner[C00].txt AdwCleaner[S01].txt AdwCleaner[S02].txt FRST.txt MWB scan.txt

[Maurice Naggar]

Hello.  

My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.   

The Malwarebytes for Windows scan of 30 NOV shows no malware.  The "block" notices are just a visual courtesy notice that the web protection is keeping your pc safe from potential harm.  The 'trojan' is EXTERNAL out on the web, and is NOT on your machine.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
Please only just attach   all report files, etc  that I ask for as we go along.  I

I would appreciate  getting  additional / fuller  important details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.80.848.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one. 

Sincerely,

Maurice

Edited November 30, 2020 by Maurice Naggar
removed some non=applicable remarks, sorry.

[WouterS]

mbst-grab-results.zip

Hi Maurice!

Thanks for helping me . Good to know that the block is just a courtesy message and not an internal problem. I've gathered the MBST logs and added them to this reply. 

Don't worry about not being here 24x7, I ain't in a hurry ^^.

Cheers,

Wouter

[Maurice Naggar]

Thanks for the zip-report-file from the Malwarebytes support tool.  Your pc has the latest Malwarebytes for Windows in trial mode.  The Premium protections of Malwarebytes are there for the 2-week trial.  This pc's main resident protection is by the ESET Endpoint security with firewall.

The IP blocks are happening at some point or other where Chrome browser is on, and the IP block is on IP 78.47.67.130

it seems this is somehow related to attempts to reach game.toupdate15.com

I would like you to do these steps.   Collectively, they will not take a whole lot of time.

[   1   ]

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[   2   ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

[   3   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking  the control icon of Chrome on upper right of the adress bar

Then look deeper in SETTINGS

 

Make real sure it is "NOT" set to "continue where you left off"

.

[   4   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[   5   ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

[   6    ]

Run a  new  scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed. Then too, Repeat the scan one more time. It does not take long.

and again, be sure all detected items are removed.

Let it remove what it has detected.   and let me know, How is the Chrome browser overall at that time.

 

[WouterS]

Thanks for the information!

Most of the things you mentioned I had already done:

- The malwarebytes browser guard I installed a few days ago
- the browser push notifications were off already
- the scanning for rootkits etc in malwarebytes itself were on already

I've reset my google sync and deleted my complete history as well as turned off the 'start where I left off" feature.

After this, A planned quick scan from MWB ran and had 7 detections, scanlog is added in the attachment. After that, I ran another quick scan and nothing came up. At this moment I'm running a full scan through all files on my computer, but this will take a while seeing the speed it is scanning.

Unfortunately, the IP-blocks keep on happening. They only occur when Chrome is opened, not sure if thats relevent but it could maybe help. MWB scan 01-12.txt

[Maurice Naggar]

Thank you for the scan report.  Did you notice that all 7 files tagged as malware were all on the D drive !   and most were identified as hack tools.  Hack tools often are bundled with malicious malware.  It is always best to first fully scan any file you download ......before installing it.

Now, as to Google Chrome browser:   you need to let me know from what shortcut link you start Chrome !  Is it from a taskbar link ?   from a Desktop link ?  or from another shortcut ?  or from the Windows Start menu ?   The link may have added bits such that it always attempts to load one web-page.

Let me have the scan report from the Full scan  that you mention you are doing.   Also, do this at your next available opportunity:

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  

MORE NOTES:  Try only using the Windows 10 EDGE browser instead of Chrome.   It is possible that maybe Chrome has a bad extension installed.

We will do more later.
 

[Maurice Naggar]

Reply 2 of 2  for Wednesday 2 December.   This is additional to my last preceding reply.  The Chrome browser has 2 settings that you need to change,  In the FRST reports they show like these  

CHR StartupUrls: Default -> "hxxp://www.9gag.com/"
CHR Session Restore: Default -> is enabled.

For the first line, You need to remove that mention of 9gag.com

For the 2nd line, you need to NOT restore the last session.   But instead to open a New tab when Chrome is opened.

Please see this support article at Google Support https://support.google.com/chrome/answer/95314?co=GENIE.Platform%3DDesktop&hl=en

[WouterS]

Thanks for the constant follow up, greatly appreciated :)

About the D drive; my C drive is an SSD I only use for some heavier software for modelling etc and basics, my D drive is everything else (from gaming to downloads and films etc etc) so if there were any bad origin files, it'd probably be at my D drive. Looking at what they were, things I used a long time ago but have not touched in a long time, so happy that they are gone now ^^.

I've attached the logs of both scans, the full system scan of the regular malwarebytes program got no results, same with the mbar scan.

I started using the edge browser instead of chrome and as it looks now, the block popup dissappeared, so I am guessing that its indeed a bad extension. I want to deinstall and reinstall chrome and try to build it up again, watching every step and seeing if I get another block message (ill start this when you give a 'go'  on the plan), what would you say? At this moment, the only extensions that I know of that are installed are Lastpass, Adblocker, Malwarebytes browser guard, Scopus (for academic papers). Not sure if its easily possible for extensions to be added without my knowledge?

 

fullscanMWB-02dec.txt system-log.txt

[Maurice Naggar]

Thank you for the reports.   Let us hold off on any Chrome browser rebuild at this point.  While you mention 

Quote

 I know of that are installed are Lastpass, Adblocker, Malwarebytes browser guard, Scopus (for academic papers). 

The Chrome has the Malwarebytes Browser Guard  ( good to have ) and several others too.  What do you know about Coupons at Checkout ?

What do you know about  VIRUS_NODE RTS ?  It is listed as a extension on the Chrome browser.

VIRUS_NODE is claimed to be  a Real-Time-Strategy game.   I would suggest uninstalling that extension from Chrome.

.

Beyond that, at this point, I would like you to run this next custom script mainly to remove the mention of  9gag [dot] com  which I mentioned before and to empty the Chrome cache & to run the Windows System File Checker & DISM applets & to rebuild the Winsock.  There is also one setting to auto-load a Chrome with the specific setting to "restore lst session"  which would amount to a auto-repeat of loading a dodgy site if & when one happens ....like perhaps your original situation.   That setting will be removed.

The system will be rebooted after the script has run.

.

This custom script is for  WouterS  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The  custom Fix script is going to be used by the FRSTENGLISH   tool   which you have on your Downloads folder.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Start the Windows Explorer and then, to the Downloads   folder.

RIGHT click on  FRSTENGLISH    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt

[WouterS]

Thanks for the fixlist file!

About the extensions: I vaguely remember adding the coupon checkout but never really used it. I can definitly not remember adding VIRUS_NODE_RTS, I have removed the extension from chrome.

I've run the script you send and the fixlog is added. 

It seems like the IP-blocker has stopped after I've deleted the extension, seems to me that it was added without my knowledge and that was the problem. If that extension was the problem, I am grateful that it is gone. Thanks for all the support and helping to get rid of all the bad files on my laptop :').

Fixlog.txt

[Maurice Naggar]

Hello.   Thanks for the report.  I am happy to know that the IP blocks have not re-occurred.   I am glad that you uninstalled the extension VIRUS_NODE_RTS,

Let me suggest one other scan with a Microsoft tool.    

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

I suggest selecting a Quick scan.

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.   Also, let me know if you need something else at that point.

 

[WouterS]

Hi again,

Thanks for the last checkup with the Microsoft tool. The scanlog of the quickscan is added in the attachment. Nothing was found. 

I don't think I am in need of any more assistance for now. Many thanks for all the support and helping me fix my laptop! It is grealy appreciated

Enjoy your evening!

 

Cheers,

Wouter

 

 

msert.log

[Maurice Naggar]

That's a fine scan result.   Kudos.  The following are a few steps to cleanup on the tools I had you use.

To remove the FRST64  tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

Delete msert.exe.

Delete MBAR.exe

Delete mbst-grab-results.zip   on the Desktop

Delete mb-support-1.80.848.exe

Any other download file I had you save, you may delete.

 

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

I am very happy to have helped.

Stay safe.  I wish you all the best.   😎

Sincerely,

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you