Jump to content

Malwarebytes Keeps Detecting Outbound Connections Via Opera

hollowsbest
 Share
Go to solution Solved by hollowsbest,

Recommended Posts

hollowsbest

hollowsbest

Posted
Posted

I've run a full file scan about three times now, and it only picked up stuff on the first scan which I thought was the end of it. It wasn't. Malwarebytes keeps detecting (usually in around 2-3 bursts every few hours) outbound connections for various sites that are labelled as either PUPs, Malicious, or Trojans emanating from Opera's executable. But every time I scan it can't find anything and it's started to get frustrating. It's source was a copy of uTorrent which has now been deleted (and what was detected in the original scan). (I've now uninstalled it entirely.)

I'm guessing I'll need to do a fresh reinstall of Opera? I've held off for now with hope I won't need to as it'll be a pain to get everything properly sorted on it again, but if that's what it takes to fix this. 
I've attached the most recent scan of all my files (currently doing another but it takes a while and I'm impatient, I'll attach it in a later comment), and the logs from Farbar.

FRST.txt Addition.txt Malwarebytes Scan 04-02-21 3-10PM.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted (edited)

Hi,     :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 4 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

Because this seems to be about "block" events we have to have the full set of history reports from the Malwarebytes.  Just be aware that a "block" event typically is just a advisory  & that the premium protections are keeping the system safe from potential harm.

I would appreciate  getting some key details from this machine in order to help you forward.

 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

   

    Once the file is downloaded, open your Downloads folder/location of the downloaded file

    Double-click mb-support-1.8.3.885.exe  to run the report

 

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

 

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.

       

    Place a checkmark next to Accept License Agreement and click Next

Now click the left-hand side pane "I do not have an open support ticket"

 

    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

 

    Click the Advanced tab on the left column

   

    Click the Gather Logs button

   

    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.

  

    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

 

    Please attach the ZIP file in your next reply.

 

Please know I help here as a volunteer.  and that I am not on 24 x 7.

Help on this forum is one to one.   Again, please be sure to ONLY attach report files  with your reply (s)  as we go along.  Do not do a copy / paste into main body.

 

Thank you,

Sincerely.

Edited by AdvancedSetup
corrected font issue
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks for the ZIP file.  Looking at the top most recent Block notices:  those were outbound I P  blocks related to some specific URL links.   One of which is looking like a possible search hijack.   Here are some details.

I P    212.83.190.17    /   URL   "admidanew1.fastsearch.me"

I P    172.67.192.91    /    URL   "followclick.pro"

NOTE:   The block notices mean that the real-time protections are keeping the system safe from potential harm.

The block notices can be turned off  ....which can help do away with frustrating repeats.  The blocks will still happen and be recorded in History & in the notices section module.   To turn off:   Start Malwarebytes.  Click the Settings ( gear icon).  Click on the tab named "Notifications"  and look at the line Show all notifications in Windows notification area"  and then click it to the LEFT side.   That would set it to off  and provide you some relief from the many repeats.

Again, the protections of the program will still be all ON.

.

Now, to take more pro-active actions to scan / adjust the system.   The first steps are to go into OPERA browser & to clear all Cache files & History.

Plus to double check real close the options for Search engine selection.

You just want to clear / delete  2 areas

Cached images and files 

Browsing history 

In OPERA

  1. Go to Settings.
  2. Click Advanced in the left sidebar, and click Privacy & security.
  3. Under Privacy and security, click Clear browsing data.
  4. Select a time range and the types of data you wish to clear, and click Clear data.

.

Default search engine

Opera’s default search engine is Google, but you may prefer to search using DuckDuckGo, Amazon, or Wikipedia. To change the default search engine:

  1. Go to Settings.
  2. Under Search engine, select your preferred search engine from the dropdown menu

 

NEXT

I suggest a  check with a tool, an anti-adware tool from Malwarebytes.

Be sure you close all web browsers before you click on the "Scan" button on this next procedure.

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

NOTE:  We will do more after this round.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks, that is a fine report from Adwcleaner.

I would suggest that you do a scan with a scan tool from ESET  to just only scan the C drive.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

 

When prompted for scan type, Click on Custom scan    ( the choice on far-right side)

We want just the C drive to be scanned.

 

In the display "Select custom scan targets"  keep the top 3 lines ticked,  plus the one for the C drive   ( which should be your Windows drive)

UN-tick the other drives   ( D, E, F,   etc...)

 

Then click on the blue button "Save and continue"

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.  

 

Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.  Look for it on the bottom left, in blue.

 

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

The goal here is to see if there are suspicious or actual threats on the C drive.   Attach the log with your next reply.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

This is a next step.     You can check this system using another free tool at Microsoft.  For another opinion.

The Microsoft Safety Scanner is a free stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Select " FULL "  from the Scan options.

take a minute to locate & then send the log that it made, named msert.log

It should be at C:\Windows\debug\msert.log

 

 

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Hi. If there are still outbound or inbound "block " notices  ....as stated before, the real-time protections of Malwarebytes are keeping the system safe from harm.

You did not, by the way, provide the URL  address if the blocked site  & which web browser program was involved.

.

TrendMicro HouseCall scan

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher

 

Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

 

Next it will show the Disclosure window.

Click Next to proceed.

 

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

 

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

 

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

 

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

It looks as if you got this set of information from the summary notification area of the program.  That does not provide full details, such as what program may be involved, the IP address, the actual Date & time of the block notices.  At a later point, I will need a new report-collection using the MB Support tool.

For now, we can run a custom script.

The script on this post is ONLY for this machine and NO other.   This custom script is for  Hollowsbest     only / for this machine only.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The system will be rebooted after the script has run.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

.

.

The  custom Fix script is going to be used by the FRSTENGLISH  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  Downloads folder

The tool named FRSTENGLISH .exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT click on  FRSTENGLISH.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.   And wait for me to guide you on how to do a clean new setup of Malwarebytes for Windows.  Just do not make any changes on your own.  There is more work to do here.

[   NEXT     ]

Now a new GATER LOGS run with Support tool.

Open File Explorer to the Downloads folder

Double-click mb-support-1.8.3.885.exe  to start the tool.

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

 

You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.

       

    Place a checkmark next to Accept License Agreement and click Next

Now click the left-hand side pane "I do not have an open support ticket"

 

    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

 

    Click the Advanced tab on the left column

   

    Click the Gather Logs button

   

    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.

  

    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

 

    Please attach the ZIP file in your next reply.

 

Fixlist.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Hi. Thank you for the log and the report zip file. I' ve experienced loss of electric power & internet twice over 2 different days.  Caused due to heavy weather.  Hence delay.

Can you cease using Opera n just use EDGE browser for now.  Then let's see if things are better.

 

 

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept