"Website Blocked Due to Riskware" Notifications Every Minute but No Malware


Go to solution Solved by Maurice Naggar,


Hi, 

I receive a "Website Blocked Due to Riskware" notification every minute (see log pasted below). However, I've not received any virus or malware detections when scanning with MalwareBytes, Adware, Mbar, Microsoft Safety Scanner, or Windows Defender. I've also tried limiting my startup apps and rebooting. However, I still get the notification every minute. Can you please help advise how I can stop these outbound attempts? Thank you 

-Log Details-
Protection Event Date: 9/12/21
Protection Event Time: 1:01 AM
Log File: 98726206-139f-11ec-881e-7085c2fb5c36.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.44884
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1165)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: RiskWare
Domain: ai.backend-chat.com
IP Address: 104.21.87.221
Port: 443
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

(end)

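One way to read a pile of these exports before asking for help, as an added example that is not part of the original thread and not Malwarebytes code: the script below parses the plain-text "Website Blocked" export in the format quoted above and groups the blocks by process, domain and IP. A process such as powershell.exe reaching the same blocked domain at a steady interval is the footprint of a scheduled task or startup script calling out, not of someone browsing, so the script flags groups whose gaps are near-constant. The sample exports are constructed from the post's values (four powershell.exe blocks one minute apart); the extra chrome.exe entry, with a reserved documentation domain and IP, is made up to show a one-off block is not flagged.

```python
"""Triage helper for Malwarebytes "Website Blocked" notification exports.

Added example, not Malwarebytes code: it parses the plain-text export format
quoted in the post and flags process/domain pairs whose blocks recur at a
steady interval, the footprint of a scheduled task or startup script
beaconing out rather than of someone browsing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Export record in the layout shown in the post (only the sections the
# parser needs). The placeholders are filled in below to build sample data.
ENTRY_TEMPLATE = r"""-Log Details-
Protection Event Date: {date}
Protection Event Time: {time}
Log File: constructed-{n}.json

-Website Data-
Category: RiskWare
Domain: {domain}
IP Address: {ip}
Port: 443
Type: Outbound
File: {file}

(end)
"""

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample: four powershell.exe blocks one minute apart (the cadence
# described in the post) plus one unrelated browser block. The browser block's
# domain and IP are reserved documentation values, not real indicators.
SAMPLE_EXPORTS = "".join(
    ENTRY_TEMPLATE.format(n=i, date="9/12/21", time=f"1:0{i} AM",
                          domain="ai.backend-chat.com", ip="104.21.87.221",
                          file=POWERSHELL)
    for i in range(1, 5)
) + ENTRY_TEMPLATE.format(n=9, date="9/12/21", time="3:17 AM",
                          domain="ads.example", ip="192.0.2.10", file=CHROME)


def parse_block_entries(text):
    """Split an export into records: a dict of its 'Key: value' lines plus a
    parsed 'when' timestamp. Records missing date, time, domain or file are
    skipped (for example the empty tail after the last '(end)')."""
    entries = []
    for chunk in text.split("(end)"):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not key.startswith("-"):
                fields[key.strip()] = value.strip()
        try:
            stamp = f"{fields['Protection Event Date']} {fields['Protection Event Time']}"
            fields["when"] = datetime.strptime(stamp, "%m/%d/%y %I:%M %p")
        except (KeyError, ValueError):
            continue
        if "Domain" in fields and "File" in fields:
            entries.append(fields)
    return entries


def find_beacons(entries, min_events=3, tolerance_s=15.0):
    """Group blocks by (file, domain, ip) and report groups with at least
    min_events whose gaps all sit within tolerance_s of the median gap."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["File"], e["Domain"], e.get("IP Address", ""))].append(e["when"])
    findings = []
    for (file, domain, ip), times in groups.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= tolerance_s for g in gaps):
            findings.append({"file": file, "domain": domain, "ip": ip,
                             "count": len(times), "median_interval_s": mid,
                             "first": times[0], "last": times[-1]})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_block_entries(SAMPLE_EXPORTS)):
        print(f"{f['file']} -> {f['domain']} ({f['ip']}): {f['count']} blocks, "
              f"about every {f['median_interval_s']:.0f}s, "
              f"{f['first']:%H:%M} to {f['last']:%H:%M}")
```

Paste several real exports into one text file and feed it to `parse_block_entries` instead of `SAMPLE_EXPORTS`. A flagged group tells you which process to trace next (what launches it on that cadence), which is the kind of question the support tool's logs and the later FRST run in this thread are there to answer; the block notices themselves only show that the outbound attempt was stopped.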

Hello @ay000

My name is Maurice.  Let me know what name you prefer to go by.  I will guide you.

I need a report set for review.   This is a report only.

Please download MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply , like displayed here.
  • To send  ( upload)   attachments please click the "ADD Files"  link . Then browse to where your file is located and select it and click the Open button.

 

[image: _mb_attach.jpg]

 

The file at issue is tagged as PUP.optional.slimware.   The set of data from the report will provide much needed information.

Please always attach reports as we go along.

NOTE:  The block notices from Malwarebytes do mean that the pc is being kept safe from any potential harm.   It is STOPPED from an outbound attempt to ai.backend-chat.com


Thanks for the report-file.  That will be a big help.

First remarks.  Malwarebytes for Windows shows a bunch of exclusions for Chrome.   These are not a good idea, and I would suggest you remove the exclusions from Malwarebytes.

C:\USERS\ARTHU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data                                   [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb               [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\001156.ldb               [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\001158.ldb               [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\001159.log               [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\001160.ldb               [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT                  [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK                     [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG                      [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old                  [file]
C:\Users\arthu\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001          [file]
C:\USERS\ARTHU\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB                          [folder]


Hi.

It's gonna take several rounds to get the issues squared away.  Remain cool and calm & without undue panic.  Your pc is protected.

These are first steps.   More to be done later.

Let's begin by focusing on Chrome browser & ensuring to clear all cache & history & ensure it does NOT start with reloading prior session + other measures to beef it up.

[   1   ]

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[   2   ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press Clear Data button  ( in blue )

[   3   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking  the control icon of Chrome on upper right of the address bar

Then look deeper in SETTINGS

[screenshot of Chrome Settings]

Make real sure it is "NOT" set to "continue where you left off"


[   4   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[   5   ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

[   6   ]

Let me know what instant-messenger apps are used or running on this machine.   Ones like Discord perhaps.


Hi Maurice,

I didn't have any of the apps running and I didn't see them running in the background in the task manager either. I'll be sure to not run those apps (or the web apps) until I hear back from you on next steps. 

Thanks 


Hi.

Here below is a custom run intended to do some cleanups.  Please take time to read carefully & apply all directions below.

If you have a question, stop and ask me first.

[    1    ]

As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

Your Downloads folder is C:\Users\arthu\Downloads

We will use FRSTENGLISH.exe   to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Ay000  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will run the Windows DISM tool to check the system. 

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  • NOTE 3:  There is a sub-folder named ADC from which a javascript runs, which is the likely main pest here.  It will be removed.
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads folder

Fixlist.txt

 

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on  FRSTENGLISH.exe    and select RUN as Administrator to run the tool, and allow it to proceed.  Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the line "More info" on that screen, and click the button "Run anyway" on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

[screenshot: FRST Fix button]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Hi Maurice,

I think this fixed the problem. I haven't received a notification since 11am today. I'll let you know if anything else happens, but you can consider this issue resolved for now. Please see the attached fix log.  Since this is a public forum, can I delete the files that contain my personal information (I'm happy to keep the thread public so it can help others with the same problem)? 

Thanks for your help

Fixlog.txt


I am glad to read that things are more normal & better.

Kindly know that outsiders or people who are not forum support cannot get to your report files.  But anyhow, I am hiding the post with your reports.  No need to fret on that account.

I suggest this next scan to do a different check for potential viruses & malware.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. Any intermediate displays are information only.  It is the end results that count.

 

Let me know the result of this, along with the report.

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply. 


Hi Maurice, 

I'm not sure what happened, but the exact same issue has returned ("Website Blocked Due to Riskware" notification every minute ). I have not yet run the Microsoft Safety Scanner and I've already deleted the previous files. Should I repeat the steps, or skip straight to Microsoft Safety Scanner? 

For reference, I've run a new MBST support log from today when the issue returned (attached). Please advise. 

Thanks

 

mbst-grab-results.zip


Hello.  It seems that you did not yet run the MS Safety Scanner.  So the first thing to do now, is, to run the Microsoft Safety Scanner.   Just like I listed before.   Then afterwards, I will guide you forward with other steps.


Just some additional notes for information & guidance to relay to you.  And I do not intend to distract you from running the MS Safety scanner.

While this case is on-going, since I notice that Chrome is the default web browser, I would urge you to stop using Chrome.  Instead, just use the EDGE browser, and only for absolute needs.  That is to say, let's not do any free-wheeling web surfing, and no online games.  Only go to websites that are a must.  Otherwise, keep all web browsers closed. My view is that Chrome or some other web browser is involved in these "outbound" attempts to reach some site "ai.backend-chat.com" at IP 104.21.87.221  ( which appears to be on the blocklist).  So one of the to-do things, if the block notices re-appear, is to Close (exit) all web browsers.  Then wait & notice whether the block notices cease.  The other thing I notice is that your Chrome browser has a big list of websites that are allowed to auto-show notifications.  That is something you need to really & truly review & reduce to only what is absolutely a must.  But again, stay out of Chrome as much as possible.


Hi Maurice, 

Thanks for the advice. I'm currently 5 hours into the full scan, but progress bar only seems to be 2/5s done. I'll respond once complete. 

I closed all browsers and used a different computer for work today. I did notice that the notifications still continued (approximately once a minute). 

Lastly, I reviewed the auto notification sites in Chrome too. Most seem reputable (Google.com, Verizon.com, BestBuy.com, Microsoft.com). However, I can remove them if you think it will help. 

Thanks 


When you get a chance, having a copy of the log from last scan would help me to help you.  Upload C:\Windows\debug\msert.log


This is a  different special tool to check your pc for viruses, trojans & other malware.

Download Sophos Free Virus Removal Tool   and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Let me know what Sophos reports.


Alright. We are done with Sophos VRT tool.  Now to uninstall it.

1. Press & hold the Windows key on keyboard & then tap the R key to open the Run box window.
2. Type appwiz.cpl and tap Enter.

The Programs and Features window will appear.   Locate "Sophos Virus Removal" on the list.

Do a right-click on it.  Then choose Uninstall.   Let it proceed.

Exit Programs and Features.

[    2     ]

Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

For the Windows 10 EDGE browser, it can take the same one as for Chrome.

Note: If your pc has  Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).

I would like to see each web browser here on this pc have the appropriate Malwarebytes Browser Guard.

[   3    ]

Let's do one scan with Malwarebytes Adwcleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or any other web browser, are Closed.

It will not take much time.

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

