MB real-time IP blocks

[mangowhite]

Hello!
 I've just started using MalwareBytes Premium Trial. The Real Time protection sends me a new message in this style every 2~3 hours. I want to know if I can do something to stop these attacks or if this is somehow expected to happen. All of them, when clicked, are accused of being a Trojan attempt. Please, help if possible.


Also, they all have the same port: 445. This is weird. The same IP is trying to wreck my system, it seems.

I've also read an old post with the same issue, it made me download an app provided by a staff of the MalwareBytes team. It's called FRST and it seems to be able to identify the issue. i've sent the attachments created by it to provide all the necessary information for an expert. Thanks for reading my issue, I hope you're able to help me! Will anxiously wait for your return.

 

FRST.txt Shortcut.txt Addition.txt

[Maurice Naggar]

Hi . My name is Maurice. I will be guiding you.

The screen show 3 different I P addresses, Inbound. All were stopped. The potential threat is EXTERNAL.  Not on your machine.

At the moment of the BLOCK message,. ... Is any web browser Open ?

[mangowhite]

Just now, Maurice Naggar said:

Hi . My name is Maurice. I will be guiding you.

The screen show 3 different I P addresses, Inbound. All were stopped. The potential threat is EXTERNAL.  Not on your machine.

At the moment of the BLOCK message,. ... Is any web browser Open ?

Hello Maurice, I hope you're having an amazing night. Thanks for taking time to help me.

I had Chrome open. I uninstalled it as a matter of fact. Sadly, minutes after uninstalling it, I received another notification from the same IP and port.



I included in the attachments the full report. Sorry for the portuguese language, it's set in my OS.

MalwarebytesReport.txt

[Maurice Naggar]

Thanks for that Block event report. The Malwarebytes is keeping your PC safe.  Any potential threat was Stopped.  It was Blocked.

 

I would suggest that you run a FULL  option scan using the Microsoft Safety scanner. Use the directions from next link , with only difference being a FULL scan.

 

Then when done attach the report.

 

https://forums.malwarebytes.com/topic/270795-malware-found-and-quarantined-but-report-says-no-action-by-user/?do=findComment&comment=1440485

 

 

[mangowhite]

3 hours ago, Maurice Naggar said:

Thanks for that Block event report. The Malwarebytes is keeping your PC safe.  Any potential threat was Stopped.  It was Blocked.

 

I would suggest that you run a FULL  option scan using the Microsoft Safety scanner. Use the directions from next link , with only difference being a FULL scan.

 

Then when done attach the report.

 

https://forums.malwarebytes.com/topic/270795-malware-found-and-quarantined-but-report-says-no-action-by-user/?do=findComment&comment=1440485

 

 

Hello. This is the result. It was a long scan. There was 9 infected files. What's the next step?



 

msert.log

[mangowhite]

I guess this is relevant too.

[mangowhite]

MalwarebytesReport.txt Right after finishing it, I receive another error.

I had open: Email app, firefox which I JUST installed and these other applications:

[mangowhite]

I realized I hmsert.logad to close it after giving you the report. Here it is

[Maurice Naggar]

Thank you for the MS Safety Scanner report.

For FIREFOX browser, I suggest you add to it the Malwarebytes Browser Guard. That is on bottom half of this Support article.

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

Then, in Firefox, delete the Cache & History in that browser.  Clear Everything under History.  Leave cookies alone.  See. This how to 

https://support.mozilla.org/en-US/kb/how-clear-firefox-cache?

.

Next, disregard the subject line & title, & the other posts, except for the one post linked here.  Do the special scan with Malwarebytes for Windows like on this 1 answer 

https://forums.malwarebytes.com/topic/270795-malware-found-and-quarantined-but-report-says-no-action-by-user/?do=findComment&comment=1439941

 

Edited March 18, 2021 by Maurice Naggar

[mangowhite]

3 hours ago, Maurice Naggar said:

Thank you for the MS Safety Scanner report.

For FIREFOX browser, I suggest you add to it the Malwarebytes Browser Guard. That is on bottom half of this Support article.

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

Then, in Firefox, delete the Cache & History in that browser.  Clear Everything under History.  Leave cookies alone.  See. This how to 

https://support.mozilla.org/en-US/kb/how-clear-firefox-cache?

.

Next, disregard the subject line & title, & the other posts, except for the one post linked here.  Do the special scan with Malwarebytes for Windows like on this 1 answer 

https://forums.malwarebytes.com/topic/270795-malware-found-and-quarantined-but-report-says-no-action-by-user/?do=findComment&comment=1439941

 

MalwarebytesReport.txt

It seems like no issues were found.

[mangowhite]

MalwareBytesReport.txt

Hello Maurice. I'm starting to feel scared about this. I'd like to know if I should stay calm. It just wont stop. The same IP, the same port, once again.

[Maurice Naggar]

Thanks for the MB scan report. I do not believe that your PC has a infection on the machine itself.

If there is another Block then next time do not do a screen capture. But instead go to the Advanced section and select Exportar to a file.

Your PC is a windows 10 PRO.  I suggest you turn OFF the Remote Desktop option.

See https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

Disregard the title.

Please stay calm. No need to be over concerned. The Malwarebytes real-time protections are STOP ing any potential harm.  It is BLOCKED !

 

[Maurice Naggar]

One additional point. I suggest that you uninstall "Avast Free Antivirus" and then do one Windows RESTART.   Then we should see the Microsoft Defender Antivirus from Windows 10 to be ON.  It is a very strong antivirus that is built in with Windows 10.

[mangowhite]

malwarebytesreport.txtHi Maurice. I have no Remote Acess on. I'll uninstall avast now then. I attached a new report here.

[Maurice Naggar]

I would like to be very sure that Remote DESKTOP option is all Off. (disabled)

Also, after you Restart Windows, after you have removed AVAST, we need to have you go into Windows Settings >>  Virus & Threat protection >>> Windows Security 

To be sure all of Microsoft Defender is ON 

And that the Windows Firewall is all ON.

 

[mangowhite]

3 hours ago, Maurice Naggar said:

I would like to be very sure that Remote DESKTOP option is all Off. (disabled)

Also, after you Restart Windows, after you have removed AVAST, we need to have you go into Windows Settings >>  Virus & Threat protection >>> Windows Security 

To be sure all of Microsoft Defender is ON 

And that the Windows Firewall is all ON.

 

This is what I get when I follow the path you directed me to. It says "The Remote Desktop allows you to connect and control this computer from a remote device using a client of the Remote Desktop (Available for Windows, Android, IOS and MACOS). You will be able to work in another device as you'd be working directly in this computer.

And then, in yellow, we have:

Your edition Home of Windows 10 has no support to the Remote Desktop Feature.


Finally, we go to the second path.

Everything is now enabled, but not the "real time protection" which has been replaced by malware bytes. Anything else for me to do?

[Maurice Naggar]

Ok. Thank you. Yes yours is a Home edition.  I am listing like 3 different steps. please do all.

[ 1 ]

On this next step, just only take a few seconds  and then proceed with all the rest.

 

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center 

 

Click the Security Tab. Scroll down to 

"Windows Security Center"

 

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

 

{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

Close Malwarebytes when done.

[     2     ]

 

This next custom run should execute very quickly and then Restart the system.

 

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

The  custom Fix script is going to be used by the FRST64.exe   tool   which you have on your sub-folder Nova Pasta of the Desktop.

 

Please save the (attached file named) FIXLIST.txt   to the  Nova pasta

 

Start the Windows Explorer and then, to the Nova Pasta   folder.

 

RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Please know this will do a Windows Restart.   Just let it do its thing.  

 

[  3. ]

After all this is done, you should be able to do a manual scan with Windows Defender using the normal Windows GUI interface thru Settings.

 

You can do a manual Check for Update for Windows Defender by using the Windows Settings menu.

 

From the Start menu, select Settings, then select Update and Security.

 

Next, look at the left-side menu & select Windows Security

 

Next, In Windows Security section:  Click on the grey button Open Windows Security

.

Now, click on the shield Virus and threat protection

 

By the way, when you see a green check-mark on your display, it means a good status  and that  protection is on.

 

 On the next display,  look at all the options.   Look down the list and see "Check for Updates" .

 

You can click on that to have the system check for updates for Windows Defender.

 

Please also note that the Scan options (all) can be displayed by clicking on Scan options.  ( You can do Quick, Full, or Custom).

Sincerely.

Fixlist.txt

[mangowhite]

Hello Maurice. Good afternoon. I followed your instructions and everything that yFixlog.txtou said happened. I'll include in my attachments the file you requested. Thanks for having patience with me.

 

[Maurice Naggar]

Thanks for the log-file report.  Have you looked thru Windows Security settings ?

How do they look ?

Now just a different readout report.

Download   Farbar's Service Scanner utility

http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

and Save to your Desktop.

Right-Click on fss.exe and select Run As Admisnitrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

 

Once FSS is on-screen, be sure the following items are check-marked:

Internet Services

Windows Firewall

System Restore

Security Center/Action Center

Windows Update

Windows Defender

Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Kindly FSS.txt into your reply. 

[mangowhite]

Good Morning Maurice. I've looked in Windows Security Systems and they seem to look fine. All of them are enabled and I have a green checkmark in the desktop bar icon. I've downloaded the application you provided and will attach the file you asked along with an image of my windows security screen.

FSS.txt

[mangowhite]

I don't know if this one is relevant, but I did a full scan with malwarebytes tonight and got this following result:
 

MalwarebytesReport.txt

[Maurice Naggar]

Thanks for the info on Windows Security & for the FSS report.  That is all good.

Bravo for running this last Malwarebytes scan.  That is a fortunate catch. Files with double extensions are threats. As a follow-up, look at the contents of the sub-folder.  If any other files there, then dele them & then dele the sub-folder.

This one   C:\USERS\MANGOWHITE\APPDATA\ROAMING\DXPIALBEQTOVDGYYL

[mangowhite]

I've done what you said Maurice. The sub-folder and all its contents are gone. There was a file named pie in there and the word "ANSIOSA" (name of the threat) stands for anxious in english. Seems like I was dealing with some kind of brazilian malware as well. wtf.

[Maurice Naggar]

  As a next step, to checkout your system a bit more, a scan with Sophos.

 

Download Sophos Free Virus Removal Tool and save it to your desktop.

 

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

 

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

Copy and paste the results in your reply

Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

If no threats were found please confirm that result....

 

The Virus Removal Tool scans the following areas of your computer:

 

Memory, including system memory on 32-bit (x86) versions of Windows

The Windows registry

All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

[mangowhite]

I couldn't find any log files. This is the result after an indeed long post