Jump to content

Outbound connections being blocked (trojans), scans don't detect anything


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hello!

I've been using Malwarebytes Premium on my desktops for a few months now and I'm quite happy with them.  However, I'm running into an issue now where Malwarebytes is blocking an outbound connection from my computer (mostly riskware, trojan, malvertising) starting on 3.11.21.  I've scanned my computer multiple times with Malwarebytes configure custom scan and checked the scan memory objects, scan registry and startup items, scan within archives, scan for rookits for all of my drives and Malwarebytes isn't detecting anything.  My Avira antivirus didn't find anything.  I have no idea what to do!!! Please help me :(.

I've scanned with the Farbar Recovery Scan Tool Download and the text files are hereFRST.txtAddition.txt

I've also copied and pasted the latest malwarebytes scan report below.  Scanned last night.

 

Malwarebytes

www.malwarebytes.com

-Log Details-
Scan Date: 3/20/21
Scan Time: 12:47 AM
Log File: 675b6ba6-8937-11eb-800c-7085c257e543.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1217
Update Package Version: 1.0.38415
License: Premium

-System Information-
OS: Windows 10 (Build 19041.867)
CPU: x64
File System: NTFS
User: Beemo\Ben

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 800585
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 7 hr, 9 min, 26 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

Hello. My name is Maurice. I will be guiding you.

It is imperative to get the detection log from the last Block event.  Go to detection history.  2nd half of link.  Get the Advanced one from detection history.  And attach 

https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows

 

Link to post
Share on other sites

Hey Maurice!

Thank you so much for your help!  Malwarebytes only blocks a connection when I am using a browser and when I look at Malwarebytes it says that the file that is the issue is the browser that I am currently using.  Like if I'm using Google Chrome Malwarebytes will say that the file in question is Google\Chrome\Application\chrome.exe and if I'm using Microsoft edge it'll say the issue is coming from Microsoft\Edge\Application\msedge.exe.

I've uninstalled chrome and cleared out the cache and paused the syncing.  However, there is still an outbound connection.  I used Microsoft Edge for a bit and there were more outbound connections (blocked by Malwarebytes).

Please see the attached exported files.  Here are few sample of incident reports.

Also please see the detection history image below.

image.thumb.png.99cc1df297f446753f303524c2d34995.png

image.thumb.png.a058439d8ff4522d318f1b9ec47f62f9.png

image.thumb.png.8d84305530b2235a5130674056205179.png

 

3.11.21 - Blocked Malvertising Outbound (chrome.ex) first blocked incident.txt3.19.21 - Blocked Trojan Outbound (msedge).txt3.19.21 - Blocked Riskware Outbound (msedge).txt3.19.21 - Blocked Riskware Outbound (msedge) another one.txt3.15.21 - Blocked Riskware Outbound (Chrome.ex).txt3.13.21 - Blocked Trojan Outbound (Chrome.ex).txt3.13.21 - Blocked Trojan Outbound (Chrome.ex) second blocked incident.txt

Link to post
Share on other sites

Good morning. Thanks for the Block report files. Screen grabs show basic summaries. The actual log files are best because they have more detail.

For this whole case duration, Remember, the Malwarebytes Premium real time protections are keeping the pc safe from any potential harm.  The Block notices are confirmations that the outbound attempt was STOPPED.  The site URL s  are obviously atypical of what are normal everyday ones.

Remember Malwarebytes is protecting your pc.  Plus it also has Avira too.

This here is only a basic first step.

Your MS EDGE browser can  support to having  Malwarebytes Browser Guard.   That same Guard can also be added to the Chrome browser.

I suggest you install the Malwarebytes Browser guard.

 

To get & install the Malwarebytes Browser Guard extension for Edge

 

Open this link with that   browser: 

 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee 

 

Then proceed with the setup.

That same Guard can be added to Google Chrome , & Brave browser.

.

I would also like for you to Delete the Cache and all history of each web browser.

These are only first basic steps.  We will do more later.

  • Thanks 1
Link to post
Share on other sites

  • Solution

After the last preceding steps are done. These are the next things to do.

The first is a custom script that we need to save to the Downloads folder on the F drive.

 

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

 

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

 

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on  wherever you ran FRST from. Please attach or post it to your next reply.

 

Note: If the tool warned you about an outdated version please download and run the updated version.

 

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  Depending on the speed of your computer this fix may take 30 minutes or more.

 

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

 

NOTE-3: This fix will also reset your entire network stack back to default settings including resetting the Firewall back to defaults

 

The following directories are emptied:

Windows Temp

Users Temp folders

Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies, and History

Recently opened files cache

Flash Player cache

Java cache

Steam HTML cache

Explorer thumbnail and icon cache

BITS transfer queue (qmgr*.dat files)

Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

 

The system will be rebooted after the fix has run.

 

Once that fix has completed please run the following ESET antivirus scan and post back the log

 

 .

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

 

I would suggest a free scan with the ESET Online Scanner

 

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started. 

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes 

When prompted for scan type, Click on Full scan 

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Thank you

Fixlist.txt

  • Thanks 1
Link to post
Share on other sites

Oh wow thank you so much for the information and help Maurice!!

One thing before I proceed.  You mentioned that before I run FRST64, I should disable any real time antivirus or security software before running this script.  Does that include all the Malwarebytes Real Time Protections as well?

image.png.4a5a47ccd6beb9487704b8114d2c119d.png

Thank you again!

Link to post
Share on other sites

Good morning.  That is good to know.I am glad to have worked with you.  

We can proceed with cleanup of tools we used.

 

To remove the FRST  tool & its work files, do this.  Go to your F drive on  Downloads folder.  Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe .

 

Then run that ( double click on it)  to begin the cleanup process.

Delete esetonlinescanner.exe

 

Any other download file we  had you download, you may delete.  

 

I wish you all the best.  Stay safe.   😎

Sincerely.

Maurice

  • Like 1
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

  • Like 1
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.