mangowhite Posted March 17, 2021 ID:1445479

Hello! I've just started using MalwareBytes Premium Trial. The Real Time protection sends me a new message in this style every 2~3 hours. I want to know if I can do something to stop these attacks or if this is somehow expected to happen. All of them, when clicked, are accused of being a Trojan attempt. Please, help if possible.

Also, they all have the same port: 445. This is weird. The same IP is trying to wreck my system, it seems. I've also read an old post with the same issue, it made me download an app provided by a staff of the MalwareBytes team. It's called FRST and it seems to be able to identify the issue. I've sent the attachments created by it to provide all the necessary information for an expert.

Thanks for reading my issue, I hope you're able to help me! Will anxiously wait for your return.

Attachments: FRST.txt, Shortcut.txt, Addition.txt

Maurice Naggar Posted March 18, 2021 ID:1445503

Hi. My name is Maurice. I will be guiding you.

The screen shows 3 different IP addresses, Inbound. All were stopped. The potential threat is EXTERNAL. Not on your machine.

At the moment of the BLOCK message, is any web browser open?

mangowhite Posted March 18, 2021 Author ID:1445505

Just now, Maurice Naggar said:
> Hi. My name is Maurice. I will be guiding you. The screen shows 3 different IP addresses, Inbound. All were stopped. The potential threat is EXTERNAL. Not on your machine. At the moment of the BLOCK message, is any web browser open?

Hello Maurice, I hope you're having an amazing night. Thanks for taking time to help me. I had Chrome open. I uninstalled it as a matter of fact. Sadly, minutes after uninstalling it, I received another notification from the same IP and port. I included in the attachments the full report. Sorry for the Portuguese language, it's set in my OS.

Attachment: MalwarebytesReport.txt

Maurice Naggar Posted March 18, 2021 ID:1445508

Thanks for that Block event report. The Malwarebytes is keeping your PC safe. Any potential threat was Stopped. It was Blocked.

I would suggest that you run a FULL option scan using the Microsoft Safety scanner. Use the directions from next link, with only difference being a FULL scan. Then when done attach the report.
https://forums.malwarebytes.com/topic/270795-malware-found-and-quarantined-but-report-says-no-action-by-user/?do=findComment&comment=1440485

mangowhite Posted March 18, 2021 Author ID:1445530

3 hours ago, Maurice Naggar said:
> Thanks for that Block event report. The Malwarebytes is keeping your PC safe. Any potential threat was Stopped. It was Blocked. I would suggest that you run a FULL option scan using the Microsoft Safety scanner. Use the directions from next link, with only difference being a FULL scan. Then when done attach the report. https://forums.malwarebytes.com/topic/270795-malware-found-and-quarantined-but-report-says-no-action-by-user/?do=findComment&comment=1440485

Hello. This is the result. It was a long scan. There were 9 infected files. What's the next step?

Attachment: msert.log

mangowhite Posted March 18, 2021 Author ID:1445531

I guess this is relevant too.

mangowhite Posted March 18, 2021 Author ID:1445532

Right after finishing it, I receive another error. I had open: Email app, firefox which I JUST installed and these other applications:

Attachment: MalwarebytesReport.txt

mangowhite Posted March 18, 2021 Author ID:1445535

I realized I had to close it after giving you the report. Here it is

Attachment: msert.log

Maurice Naggar Posted March 18, 2021 ID:1445541 (edited)

Thank you for the MS Safety Scanner report.

For FIREFOX browser, I suggest you add to it the Malwarebytes Browser Guard. That is on bottom half of this Support article.
https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

Then, in Firefox, delete the Cache & History in that browser. Clear Everything under History. Leave cookies alone. See this how-to:
https://support.mozilla.org/en-US/kb/how-clear-firefox-cache?

Next, disregard the subject line & title, & the other posts, except for the one post linked here. Do the special scan with Malwarebytes for Windows like on this 1 answer
https://forums.malwarebytes.com/topic/270795-malware-found-and-quarantined-but-report-says-no-action-by-user/?do=findComment&comment=1439941

Edited March 18, 2021 by Maurice Naggar

mangowhite Posted March 18, 2021 Author ID:1445559

3 hours ago, Maurice Naggar said:
> Thank you for the MS Safety Scanner report. For FIREFOX browser, I suggest you add to it the Malwarebytes Browser Guard. That is on bottom half of this Support article. https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard
> Then, in Firefox, delete the Cache & History in that browser. Clear Everything under History. Leave cookies alone. See this how-to: https://support.mozilla.org/en-US/kb/how-clear-firefox-cache?
> Next, disregard the subject line & title, & the other posts, except for the one post linked here. Do the special scan with Malwarebytes for Windows like on this 1 answer https://forums.malwarebytes.com/topic/270795-malware-found-and-quarantined-but-report-says-no-action-by-user/?do=findComment&comment=1439941

It seems like no issues were found.

Attachment: MalwarebytesReport.txt

mangowhite Posted March 18, 2021 Author ID:1445575

Hello Maurice. I'm starting to feel scared about this. I'd like to know if I should stay calm. It just won't stop. The same IP, the same port, once again.

Attachment: MalwareBytesReport.txt

Maurice Naggar Posted March 18, 2021 ID:1445587

Thanks for the MB scan report. I do not believe that your PC has an infection on the machine itself.

If there is another Block then next time do not do a screen capture. But instead go to the Advanced section and select Exportar to a file.

Your PC is a Windows 10 PRO. I suggest you turn OFF the Remote Desktop option. See
https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise
Disregard the title.

Please stay calm. No need to be over concerned. The Malwarebytes real-time protections are STOPPING any potential harm. It is BLOCKED!

Maurice Naggar Posted March 18, 2021 ID:1445590

One additional point. I suggest that you uninstall "Avast Free Antivirus" and then do one Windows RESTART. Then we should see the Microsoft Defender Antivirus from Windows 10 to be ON. It is a very strong antivirus that is built in with Windows 10.

mangowhite Posted March 18, 2021 Author ID:1445616

Hi Maurice. I have no Remote Access on. I'll uninstall avast now then. I attached a new report here.

Attachment: malwarebytesreport.txt

Maurice Naggar Posted March 18, 2021 ID:1445619

I would like to be very sure that Remote DESKTOP option is all Off (disabled).

Also, after you Restart Windows, after you have removed AVAST, we need to have you go into Windows Settings >> Virus & Threat protection >>> Windows Security, to be sure all of Microsoft Defender is ON and that the Windows Firewall is all ON.

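Editor's added example (not part of the thread, and not Malwarebytes or FRST code): the three settings asked about in the post above, plus whether this PC accepts inbound TCP 445 (the port named in the block messages), can be read from an elevated PowerShell prompt. The script only reads settings; the output field names are chosen here for illustration.

```powershell
# Added example: read-only posture checks. Run in an elevated PowerShell on Windows 10.

# Remote Desktop: fDenyTSConnections = 1 means incoming RDP connections are refused.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpOff = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 1)

# Windows Firewall: collect any profile (Domain, Private, Public) that is not enabled.
$fwOff = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })

# Microsoft Defender: status as reported by the Defender module (may be empty if unavailable).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

# TCP 445 (SMB): is this machine listening, and do enabled inbound Allow rules cover the port?
$smbListen = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
$smbAllow  = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   "$($_.Enabled)" -eq 'True' })

# Summary (field names are illustrative, not from any vendor tool).
[pscustomobject]@{
    RemoteDesktopDisabled   = $rdpOff
    FirewallProfilesOff     = ($fwOff.Name -join ', ')
    DefenderAntivirusOn     = [bool]$mp.AntivirusEnabled
    DefenderRealTimeOn      = [bool]$mp.RealTimeProtectionEnabled
    Listening445            = ($smbListen.Count -gt 0)
    InboundAllowRulesFor445 = $smbAllow.Count
} | Format-List

# List the rules (and the network profiles they apply to) that allow inbound 445, for review.
$smbAllow | Select-Object DisplayName, Profile | Format-Table -AutoSize
```
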
mangowhite Posted March 18, 2021 Author ID:1445688

3 hours ago, Maurice Naggar said:
> I would like to be very sure that Remote DESKTOP option is all Off (disabled). Also, after you Restart Windows, after you have removed AVAST, we need to have you go into Windows Settings >> Virus & Threat protection >>> Windows Security, to be sure all of Microsoft Defender is ON and that the Windows Firewall is all ON.

This is what I get when I follow the path you directed me to. It says "The Remote Desktop allows you to connect and control this computer from a remote device using a client of the Remote Desktop (Available for Windows, Android, IOS and MACOS). You will be able to work in another device as you'd be working directly in this computer."

And then, in yellow, we have: Your edition Home of Windows 10 has no support to the Remote Desktop Feature.

Finally, we go to the second path. Everything is now enabled, but not the "real time protection" which has been replaced by malware bytes. Anything else for me to do?

Maurice Naggar Posted March 18, 2021 ID:1445711

Ok. Thank you. Yes yours is a Home edition. I am listing like 3 different steps. Please do all.

[ 1 ]
On this next step, just only take a few seconds and then proceed with all the rest.
- Start Malwarebytes. Click Settings ( gear ) icon.
- Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
- Click the Security Tab. Scroll down to "Windows Security Center".
- Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
  { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. }
- Close Malwarebytes when done.

[ 2 ]
This next custom run should execute very quickly and then Restart the system. Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

The custom Fix script is going to be used by the FRST64.exe tool which you have on your sub-folder Nova Pasta of the Desktop.
- Please save the (attached file named) FIXLIST.txt to the Nova Pasta.
- Start the Windows Explorer and then go to the Nova Pasta folder.
- RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run the tool.
- If the tool warns you the version is outdated, please download and run the updated version.
- IF Windows prompts you about running this, select YES to allow it to proceed.
- IF you get a block message from Windows about this tool...... click the line More info on that screen and click button Run anyway on next screen.
- On the FRST window: click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt ) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

[ 3 ]
After all this is done, you should be able to do a manual scan with Windows Defender using the normal Windows GUI interface thru Settings. You can do a manual Check for Update for Windows Defender by using the Windows Settings menu.
- From the Start menu, select Settings, then select Update and Security.
- Next, look at the left-side menu & select Windows Security.
- Next, in Windows Security section: click on the grey button Open Windows Security.
- Now, click on the shield Virus and threat protection.

By the way, when you see a green check-mark on your display, it means a good status and that protection is on.

On the next display, look at all the options. Look down the list and see "Check for Updates". You can click on that to have the system check for updates for Windows Defender. Please also note that the Scan options (all) can be displayed by clicking on Scan options. ( You can do Quick, Full, or Custom ).

Sincerely.

Attachment: Fixlist.txt

mangowhite Posted March 18, 2021 Author ID:1445730

Hello Maurice. Good afternoon. I followed your instructions and everything that you said happened. I'll include in my attachments the file you requested. Thanks for having patience with me.

Attachment: Fixlog.txt

Maurice Naggar Posted March 18, 2021 ID:1445748

Thanks for the log-file report. Have you looked thru Windows Security settings? How do they look?

Now just a different readout report. Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator. Answer Yes to ok when prompted. If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Other services

Click on "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Kindly FSS.txt into your reply.

mangowhite Posted March 19, 2021 Author ID:1445827

Good Morning Maurice. I've looked in Windows Security Systems and they seem to look fine. All of them are enabled and I have a green checkmark in the desktop bar icon. I've downloaded the application you provided and will attach the file you asked along with an image of my windows security screen.

Attachment: FSS.txt

mangowhite Posted March 19, 2021 Author Solution ID:1445828

I don't know if this one is relevant, but I did a full scan with malwarebytes tonight and got this following result:

Attachment: MalwarebytesReport.txt

Maurice Naggar Posted March 19, 2021 ID:1445838

Thanks for the info on Windows Security & for the FSS report. That is all good.

Bravo for running this last Malwarebytes scan. That is a fortunate catch. Files with double extensions are threats.

As a follow-up, look at the contents of the sub-folder. If any other files are there, then delete them & then delete the sub-folder. This one:
C:\USERS\MANGOWHITE\APPDATA\ROAMING\DXPIALBEQTOVDGYYL

mangowhite Posted March 19, 2021 Author ID:1445839

I've done what you said Maurice. The sub-folder and all its contents are gone. There was a file named pie in there and the word "ANSIOSA" (name of the threat) stands for anxious in English. Seems like I was dealing with some kind of Brazilian malware as well. wtf.

Maurice Naggar Posted March 19, 2021 ID:1445841

As a next step, to checkout your system a bit more, a scan with Sophos.

Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

- Double click the icon and select Run
- Click Next
- Select I accept the terms in this license agreement, then click Next twice
- Click Install
- Click Finish to launch the program
- Once the virus database has been updated click Start Scanning
- If any threats are found click Details, then View log file... (bottom left hand corner)
- Copy and paste the results in your reply
- Close the Notepad document, close the Threat Details screen, then click Start cleanup
- Click Exit to close the program
- If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
- Memory, including system memory on 32-bit (x86) versions of Windows
- The Windows registry
- All local hard drives, fixed and removable
- Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

mangowhite Posted March 20, 2021 Author ID:1445955

I couldn't find any log files. This is the result after an indeed long post