
Blocked websites (compromised, trojan)


Pidd


Hi,

I've experienced an unusual number of websites being blocked by MWB. I'm running a fairly new system and haven't received any notifications before, but as of yesterday MWB has blocked several websites. Mostly "Compromised" but also a Trojan. The sites have been blocked without me doing anything, or being aware of the fact. Noticed it when I opened the program and had some notifications. Not sure how this works.

I've scanned several times with both MWB and Windows Defender and they both report 0 threats. I'm not experiencing any issues that I can think of, it just seemed unusual for the program to all of a sudden start blocking a bunch of threats. Makes me a bit nervous! I'd love some assistance to see if my system is in order, or if I'm just being paranoid :)

I've attached a few screenshots, and the report of my latest scan.

 

Have a good day!

Regards,

Attachments: mwb.jpg, mwb2.jpg, mwb_report.txt

Peter


Hello Pidd and welcome to Malwarebytes,

Run the following:

Open Malwarebytes....
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the RTP Detection log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of choice, recommend "Desktop", then attach to reply

     
  • Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply


Let me see last 3 RTP detection logs...

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... Right click on FRST and rename it FRSTEnglish
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Thank you,

Kevin

Thank you Kevin!

Here are the logs from MWB. Let me get back to you with the FRST, couldn't download it because it said it was malicious. I know you said that would happen, but it still makes me a bit uneasy. I'll get it done when I get back home.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/4/21
Protection Event Time: 6:24 PM
Log File: e3b10d9c-670d-11eb-8234-244bfede9b26.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: 1.0.36729
License: Premium

-System Information-
OS: Windows 10 (Build 19041.746)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 89.218.74.46
Port: 445
Type: Inbound
File: System

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/4/21
Protection Event Time: 9:11 AM
Log File: 88bb06d8-66c0-11eb-aec0-244bfede9b26.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: 1.0.36707
License: Premium

-System Information-
OS: Windows 10 (Build 19041.746)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: 
IP Address: 87.255.203.82
Port: 445
Type: Inbound
File: System

(end)

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/3/21
Protection Event Time: 11:21 PM
Log File: 307100ba-666e-11eb-88f2-244bfede9b26.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: 1.0.36681
License: Premium

-System Information-
OS: Windows 10 (Build 19041.746)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 27.110.165.155
Port: 445
Type: Inbound
File: System

(end)

 


Hiya Pidd,

Yes FRST is often flagged as malicious, I can guarantee that it is legitimate. Probably all malware removal forum websites use FRST as their initial scanner, it does give a great overview of operating systems...

The blocks you are experiencing are inbound, meaning Malwarebytes is doing what it is designed to do and blocking inbound sniffers trying to connect with your PC. The ones you posted are the following:

Kazakhstan - 89.218.74.46

Kazakhstan - 87.255.203.82

Philippines - 27.110.165.155

It does not necessarily mean that your system is actually infected, these are speculative attempts to make a connection with your PC. The worrying part is your Firewall is letting them through initially, fortunately Malwarebytes is more thorough..

Post your FRST logs and we can see if there is anything to be concerned about..

Thank you,

Kevin


Hiya Pidd,

Do not see any obvious malware or infection in your logs.

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Program Files\plugins.dat
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.

Thanks,

Kevin


Hiya Pidd,

Yes that result is correct, continue please:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your reply...

Thank you,

Kevin..

 

 

fixlist.txt


Thanks for getting back to me again, Kevin! This.. looks daunting haha.

I didn't know there were more steps, so I deleted FRST after the initial scan. But I downloaded it again, renamed it to FRSTEnglish and saved it to my desktop. Should be fine, yes?

In regards to all the temp files being removed, what exactly does this mean? I'm assuming they're not of use to me anyway. 

Not using my PC for several hours could be a bit of a problem. I literally do everything from my home PC these days. Will I not be able to do anything during the Sophos scan?

I'll get back to you, need to go to bed now!


Hi again Kevin,

I'll ignore the FRST fix then, actually makes me kind of relieved.

One question about the Sophos scan though, is it ok if I'm disconnected from the internet? Thinking of pulling the plug before I go to bed if I leave the computer on. I noticed too late yesterday, so I'll have to do it when I go to bed tonight instead. I thought I'd be able to squeeze it in during the day, but I googled how long the scan takes and apparently up to 9h. I don't even sleep that long..

Cheers!


Hiya Pidd,

The Sophos AV scan time is really dependent on the size of your system, the number of hard drives and amount of data. Also note that if anything malicious is found in memory the scan will stop, you will be then asked to start cleanup before the scan restarts...

Regarding the internet connection, yes you can disconnect but you must wait until Sophos has updated. Once the actual scan starts you can then pull the plug.

Thank you,

Kevin

 


Alright, thanks! Hopefully nothing shows up tomorrow when the scan is complete.

The alerts/blocked threats keep showing up btw. If I'm not infected, why is this happening? I guess it could be a number of things, but I'd love for them to stop.. I've never paid attention to the firewall before, more than the fact that it's actually on. I don't have wifi nor am I using a router; just a cable straight from the wall.

I did get my internet upgraded this Monday; it seems far-fetched, but could it be related?

Anyway, thanks for helping me and I'll get back to you when I've run Sophos.


Hi Kevin,

Pleased to report that Sophos did not find any threats. I don't have any logs for you though, when the scan completed "details" was grayed out and I could only click to finish it. C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs does not exist either, as it appeared to not have created a log automatically. Also, the scan took less than an hour. I guess a fast SSD helps.

 

sophos.jpg


Hiya Pidd,

What you are experiencing is speculative attempts by sniffers to connect with your PC; at present Malwarebytes is doing a good job and making the block. Have you noticed if any of the inbound IPs are the same, or do they constantly change? I noticed the first three RTP logs you posted were different IPs..

Usually these attempts do eventually start to decrease and eventually cease altogether..

Uninstall the following program (unless you prefer to keep it):

Sophos AV

http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos
 
Thank you,
 
Kevin

The two latest attempts from today seem to be from the same IP, but the rest were all different. I'll paste the latest two for you. I was really hoping they would continue to decrease, but so far I've had the same amount as yesterday within roughly an hour. But I guess there's not much to do but wait it out..

Also, I noticed FRST made a folder on my C:\ including bin, hives, logs and quarantine. Can I remove this as well?

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/6/21
Protection Event Time: 10:40 AM
Log File: 4e789ad0-685f-11eb-bb72-244bfede9b26.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: 1.0.36779
License: Premium

-System Information-
OS: Windows 10 (Build 19041.746)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 49.248.249.106
Port: 445
Type: Inbound
File: System

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/6/21
Protection Event Time: 10:09 AM
Log File: fb14d010-685a-11eb-b3bc-244bfede9b26.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: 1.0.36779
License: Premium

-System Information-
OS: Windows 10 (Build 19041.746)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 49.248.249.106
Port: 445
Type: Inbound
File: System

(end)


Hiya Pidd,

It is possible to block IP ranges with your firewall, that may help and make life a lot easier for you. Instructions at following link:

https://www.ghacks.net/2014/02/17/block-ip-ranges-windows-firewall/

For FRST removal do the following;

Right click on FRST here: C:\Users\peter\OneDrive\Skrivbord\FRST.exe and rename it uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall

That action will remove FRST and all created files and folders...
 
Let me know if that helps...
 
Thanks,
 
Kevin..
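Two things came up in the exchange above: whether the blocked source IPs repeat or keep changing (the two most recent exports show 49.248.249.106 twice), and the suggestion to block IP ranges in the host firewall. The script below is an added example for this thread, not Malwarebytes code and not something either poster ran. It parses the "Blocked Website" RTP exports in the exact text layout pasted in this thread, counts blocks per source IP and per (direction, port), lists recurring IPs, counts inbound port-445 blocks, and derives the /24 networks the sources fall in as candidates for a range rule. The sample export is constructed from the five events posted in the thread; the field names and the "(end)" terminator are assumed to be stable across exports.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Template reproducing the text layout of a Malwarebytes 4.x RTP "Blocked Website"
# export as pasted in this thread (the layout is assumed stable across exports).
RECORD_TEMPLATE = """Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: {date}
Protection Event Time: {time}
Log File: {logfile}

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1157
Update Package Version: {pkg}
License: Premium

-System Information-
OS: Windows 10 (Build 19041.746)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, System, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: {category}
Domain: 
IP Address: {ip}
Port: 445
Type: Inbound
File: System

(end)
"""

# Constructed sample: the five events posted in this thread, oldest first.
EVENTS = [
    ("2/3/21", "11:21 PM", "307100ba-666e-11eb-88f2-244bfede9b26.json", "1.0.36681", "Compromised", "27.110.165.155"),
    ("2/4/21", "9:11 AM", "88bb06d8-66c0-11eb-aec0-244bfede9b26.json", "1.0.36707", "Trojan", "87.255.203.82"),
    ("2/4/21", "6:24 PM", "e3b10d9c-670d-11eb-8234-244bfede9b26.json", "1.0.36729", "Compromised", "89.218.74.46"),
    ("2/6/21", "10:09 AM", "fb14d010-685a-11eb-b3bc-244bfede9b26.json", "1.0.36779", "Compromised", "49.248.249.106"),
    ("2/6/21", "10:40 AM", "4e789ad0-685f-11eb-bb72-244bfede9b26.json", "1.0.36779", "Compromised", "49.248.249.106"),
]
SAMPLE_EXPORT = "".join(
    RECORD_TEMPLATE.format(date=d, time=t, logfile=f, pkg=p, category=c, ip=i)
    for d, t, f, p, c, i in EVENTS
)

# "Key: value" lines; section headers (-Log Details-), URLs and the comma row do not match.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): ?(.*)$")


def parse_rtp_exports(text):
    """Split concatenated exports on the '(end)' terminator and read every
    'Key: value' line into a dict. Chunks without a -Website Data- section are skipped."""
    records = []
    for chunk in text.split("(end)"):
        if "-Website Data-" not in chunk:
            continue
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        records.append(fields)
    return records


def summarize(records):
    """Aggregate blocks by source IP and by (direction, port), list recurring IPs,
    count inbound SMB (TCP 445) blocks, and derive /24 candidates for a range rule."""
    by_ip = Counter(r.get("IP Address", "") for r in records)
    by_type_port = Counter((r.get("Type", ""), r.get("Port", "")) for r in records)
    repeat_ips = sorted(ip for ip, n in by_ip.items() if n > 1)
    smb_inbound = sum(1 for r in records if r.get("Type") == "Inbound" and r.get("Port") == "445")
    candidate_nets = sorted(str(ip_network(f"{ip}/24", strict=False)) for ip in by_ip if ip)
    return {
        "by_ip": by_ip,
        "by_type_port": by_type_port,
        "repeat_ips": repeat_ips,
        "smb_inbound": smb_inbound,
        "candidate_nets": candidate_nets,
    }


if __name__ == "__main__":
    recs = parse_rtp_exports(SAMPLE_EXPORT)
    summary = summarize(recs)
    print(f"{len(recs)} blocked-website events")
    for ip, n in summary["by_ip"].most_common():
        print(f"  {ip:<16} {n} block(s)")
    print("recurring:", summary["repeat_ips"], "| inbound on 445:", summary["smb_inbound"])
    print("/24 candidates:", summary["candidate_nets"])
```

Every record in the sample is inbound on port 445, which is SMB. A machine plugged straight into the wall with no router, as described earlier in the thread, has that port reachable from the Internet, so a single host-firewall rule that blocks inbound 445 altogether is simpler and more durable than maintaining a list of source ranges, which differ from one event to the next (the /24 list shows how scattered they are).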

Thank you Kevin! I'll look into blocking the IP ranges if it doesn't get any better. Not completely sure how to include all the ranges though, as they seem to differ a lot.

In regards to FRST I deleted the .exe file on my desktop you're referring to. Should I download it once more, save it to my desktop, rename it to uninstall and then proceed with your instructions?


Hiya Pidd,

Yes you can download again and rename, some of the stuff FRST saves can only be removed as I've described....

If the notifications from Malwarebytes are a problem for you, they can be turned off. Instructions in following link:

https://support.malwarebytes.com/hc/en-us/articles/360038984933-Notifications-settings-in-Malwarebytes-for-Windows

Cheers,

Kevin..


Hi Kevin,

I downloaded FRST again (worked this time), renamed it and it removed everything related to FRST. Not sure if related, but when I was prompted to reboot after removing FRST the reboot took longer than usual, Windows Defender was disabled and a Windows Update had failed.

The attempts keep occurring, but to a lesser degree during the weekend. Two so far today though.

Thanks again for all your help and speedy replies!
