Jump to content

I keep receiving 2 kinds of notifications

shifoc

By shifoc
in Resolved Malware Removal Logs

 Share
Go to solution Solved by kevinf80,

Recommended Posts

shifoc

shifoc

Posted
Posted

hello,
I keep receiving 3 kinds of notifications:
one is from qbitorrent and the others are from "system". what is happening/ what should I do?
I ran a scan and the only thing it found is pup-optional-advancedsystemcare. it's a software I previously downloaded , is it not safe?


Log 1:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/7/20
Protection Event Time: 3:11 AM
Log File: 341889f4-3829-11eb-bd09-0a002700000b.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.33987
License: Trial

-System Information-
OS: Windows 10 (Build 18362.1198)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: 
IP Address: 121.88.58.223
Port: 137
Type: Outbound
File: System

(end)

log 2:
 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/7/20
Protection Event Time: 2:35 AM
Log File: 1d11e714-3824-11eb-bc43-0a002700000b.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.33987
License: Trial

-System Information-
OS: Windows 10 (Build 18362.1198)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 220.85.218.239
Port: 137
Type: Outbound
File: System

(end)

log 3:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/7/20
Protection Event Time: 1:24 AM
Log File: 2ee75d02-381a-11eb-9abf-0a002700000b.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.33983
License: Trial

-System Information-
OS: Windows 10 (Build 18362.1198)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\qBittorrent\qbittorrent.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: 
IP Address: 107.167.244.67
Port: 45168
Type: Outbound
File: C:\Program Files (x86)\qBittorrent\qbittorrent.exe

(end)

 

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Hiya shifoc and welcome to Malwarebytes,

The block via "qBittorrent" is very common, you are using P2P software. Your system is certainly more at risk as you more or less open the security door when such software is active... To stop the alerts simply uninstall all very risky P2P software..

The blocks to "System" will need more investigation, continue:

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

 

Link to post
Share on other sites
shifoc

shifoc

Posted
  • Author
Posted

hello,
thank you for your reply.

while I was scanning it happened again multiple times:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/7/20
Protection Event Time: 6:36 PM
Log File: 572751ba-38aa-11eb-8f2c-0a002700000a.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.34025
License: Trial

-System Information-
OS: Windows 10 (Build 18362.1198)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 59.93.18.172
Port: 137
Type: Outbound
File: System

(end)

here are the other logs:AdwCleaner[C00].txtAddition.txtMalwarebytes.txtFRST.txt


 

Link to post
Share on other sites
  • Solution
kevinf80

kevinf80

Posted
  • Solution
Posted

Hiya shifoc,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your reply...

Thank you,

Kevin..

 

fixlist.txt

Link to post
Share on other sites
shifoc

shifoc

Posted
  • Author
Posted

I received the same notification yesterday after the fix.
I am getting worried

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/8/20
Protection Event Time: 10:30 PM
Log File: 2638c941-3994-11eb-83c1-0a002700000a.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.34095
License: Trial

-System Information-
OS: Windows 10 (Build 18362.1198)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: 
IP Address: 94.136.69.199
Port: 137
Type: Outbound
File: System

(end)

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted
Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Results button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.
Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted
Now, let's re-run RogueKiller and remove all the items it found.
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, make sure every item listed is checkmarked.
  • Then click the Removal button and wait until the removal process is complete.
  • When complete, click on Results.
  • Click Report.
  • Click Export and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

Any improvement...

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Yes it will remove it, if you know and trust that app upload to VirusTotal for a second opinion....

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Users\USER\AppData\Local\anghami\app-2.0.13\Anghami.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.
Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

I would still remove KMspico, just ignore all entries related to anghami.

The blocks only involved two entries qbittorrent.exe and System.

qbittorrent.exe is straightforward, just uninstall it, P2P software is not recommended. Or you just put up with the block, never add as an exclusion far too risky.

System different, we are not sure what part of the system is sending the outbound call. We do know it is Malicious, from the FRST fix we did run SFC (system file checker) it did replace some system files so that may have cured those outbound calls.

Probably best run your system normally for another 24 hours, see if the blocks still happen...

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept