Random incoming connections detected?

Hello,

For a few days now I have had the following problem: Malwarebytes keeps blocking compromised websites/connections at startup.

But I do not go to any websites.

I have attached the Malwarebytes logs along with the Farbar logs.

However, since I can't attach JSON files, I copied the contents of the files to a .txt file.

What I noticed in the newer logs is that the ProcessPath has changed from "Firefox" to "System"?
According to MBAM these are incoming connections?

I hope someone here can help me understand what these blocked connections are about.

Thanks in advance!

 

FRST.txt Addition.txt 19e9bfd0-6046-11ec-b356-18c04d3625a0.txt dd765df4-60e2-11ec-86b2-18c04d3625a0.txt 36438490-634d-11ec-a746-18c04d3625a0.txt


Hello @KingRoan :welcome:

My name is Maurice.  I will guide you.

Did you document what program or app was in use at the moment of the block notice? Were you perhaps reading email? Was Firefox or some other web browser in use? Which other browser do you use?

This next is simply one basic first step. There will be more. This is not a one-shot cure-all.

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "Scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time.

First download & save it:

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner:

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.


Hi there Maurice,

Firefox was open at the time and so was Gmail; however, I did not read any email.
Other browsers are installed too, but I haven't used them in ages. I only really use Firefox.

After I wrote the post here, after some time I pressed the refresh button (to see if there was already a reply) and right after that another connection was blocked. I also put that one in the attachment. Now I can spam the refresh button but nothing happens 🤨.

Also, the scan with the program did not find anything.

 

AdwCleaner[S00].txt 61dfe2aa-6353-11ec-b97c-18c04d3625a0.txt


Please try using only the EDGE browser for the next day or two. Close Firefox. I will make a new reply after I study your reports in more depth. Know that the block notices from the web protection of Malwarebytes mean that it is protecting your machine.


Next steps I would recommend:

If you do not need or use Remote Desktop, you should turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

 

The blocks are on IP addresses that are likely making forced attempts to exploit Remote Desktop Protocol.

The Real-Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

I would recommend that, if you have an internet router at home, you look over this article:
"How to Enable Your Wireless Router's Built-in Firewall"
https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668

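The step above (turn Remote Desktop off if you do not use it) is done through the GUI in the linked tutorial. The following is an added example, not code from the forum post or from Malwarebytes, that does the same thing from an elevated PowerShell window and, more usefully, shows you how to check the result: the registry value that the Settings toggle writes, the built-in "Remote Desktop" firewall rule group that opens TCP 3389, and whether anything is still listening on 3389. The rule name "Block inbound RDP 3389" is my own; it assumes, as in this thread, a home PC that nobody needs to RDP into.

```powershell
# Added example, not from the forum post: audit inbound Remote Desktop exposure on a
# home Windows 10 PC and switch it off. Run from an elevated PowerShell window.
# Assumption (matches the thread): nobody needs to RDP *into* this machine.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # fDenyTSConnections = 1 is what "Remote Desktop: Off" in Settings writes.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # The built-in "Remote Desktop" rule group is what opens TCP 3389 inbound in Windows Firewall.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    # Whatever is actually listening on 3389 right now (TermService keeps its socket
    # open until the service stops or the PC restarts, so this may lag the setting).
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpDisabledInSettings  = ($deny -eq 1)
        EnabledInboundRdpRules = @($rules).Count
        ListenersOn3389        = @($listen).Count
    }
}

function Disable-RdpInbound {
    # Same effect as the Group Policy / Settings step in the tutorial, from the shell.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    # Explicit inbound block for 3389: in Windows Firewall a block rule beats an allow
    # rule, so a later app or update cannot quietly re-open the port. Rule name is our own.
    if (-not (Get-NetFirewallRule -DisplayName 'Block inbound RDP 3389' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block inbound RDP 3389' -Direction Inbound `
            -Protocol TCP -LocalPort 3389 -Action Block -Profile Any | Out-Null
    }
}

'Before:'; Get-RdpExposure | Format-List
Disable-RdpInbound
'After:';  Get-RdpExposure | Format-List
```

Run it once, restart, and run `Get-RdpExposure` again: after the restart you want `RdpDisabledInSettings` true, `EnabledInboundRdpRules` 0 and `ListenersOn3389` 0. If the listener count stays above 0 after a restart, something other than the built-in service is holding the port, and that is worth looking into.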

Okay, thanks!

So I did step four from that tutorial, "To Force Disable Remote Desktop Connections to this Computer in Local Group Policy Editor".

I checked my router, the firewall there is already enabled.

Now another question, how do these attacks happen?
Are there people who just randomly target IP addresses and try to connect to them?
Or do I have something on my PC that tells the attackers to "connect"?

 


There are bad guys that seek systems that have Remote Desktop capability and would attempt to get connected. That's why I encouraged that RDP be turned off.

We can do some different scans to ensure that your PC has no onboard malware. I will also guide you in checking whether this PC has insecure or outdated app versions. It is always best to keep the Operating System as well as all apps up-to-date with security patches.

Next steps.

Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[  2  ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the instructions for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.

 

Let me know the result of this. This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log and will be at:

Windows\debug\msert.log

Please attach that log with your reply.


Thanks. That is actually a good report. No actual virus or malware.

Allow me to suggest using (one time) a different tool.

This ought to take something in the range of 15-25 minutes tops, depending on hardware speed.

Get & run the Malwarebytes MBAR anti-rootkit tool to do one run with it.

Disregard the title subject of the topic.

 

Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

 

When done, I need the MBAR logs.

Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.

 

Both files can be found in the extracted MBAR folder on your Desktop.

Please attach both files in your next reply.


Thank you.

I would suggest that you do this next scan. This is a known, respected tool. It will scan for viruses as well as for potentially unwanted applications (PUA or PUP).

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should click off the offer for "periodic scanning".

Please make sure you attach the log report.     ^_^


Good day to you.

We are done with esetonlinescanner. You should delete esetonlinescanner.exe.

What ESET found and removed was in the Recycle Bin.

You should also delete msert.exe

Delete mbar.exe

Delete the sub-folder \mbar

Have there been any new block notices in the past 24-36 hours?

See this Malwarebytes support article:
https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

This here is a different scan for viruses or malware, by Sophos.

Download the Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.
  • Please do not use your PC whilst the scan is in progress. This scan is very thorough so may take several hours.

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Let me know what Sophos reports.   

Be sure you advise me if there are new block notices from Malwarebytes for Windows today, or in the past 24 hours.

Edited by Maurice Naggar

Hi again,

So the Sophos scan was clean.
I have attached the only file that was created. It only says that some things could not be opened.

-

To come back to the connections:
After I blocked the RDP sessions in the settings, I accidentally went back into Firefox and it was blocked again. That was 2 days ago.

After that I didn't open Firefox again and no more connections have been blocked since then. (But I didn't use my PC much either.)

So does this mean that there is something in Firefox?

SophosVirusRemovalTool.log


Good morning. Thank you for the Sophos scan report.

We are done with the Sophos VRT tool. Now to uninstall it.

1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box-window.
2. Type appwiz.cpl and tap Enter.
The Programs and Features window will appear. Locate "Sophos Virus Removal" on the list.

Do a right-click on it. Then choose Uninstall. Let it proceed.

Exit Programs and Features when done.

3. Now do a Windows Restart.

You indicate that it has been at least 2 days since the last "Block notice" from the Malwarebytes app.

Not sure whether or not Firefox has some issue. What I would suggest follows:

Troubleshoot Mode is a special Firefox mode that can be used to diagnose and fix problems. (Troubleshoot Mode was known as Safe Mode in previous versions of Firefox.)

I would like you to start FF in Troubleshoot Mode.

How to start Firefox in Troubleshoot Mode

Click the menu button, click Help, select Troubleshoot Mode… and click Restart in the "Restart Firefox in Troubleshoot Mode?" dialog.
Note: You can also start Firefox in Troubleshoot Mode by holding down the Shift key while starting Firefox.

(Screenshot: Troubleshoot Mode window)

Click the Open button to proceed. Then I would suggest making sure to delete browsing history and cache files in FF:
https://support.mozilla.org/en-US/kb/how-clear-firefox-cache

Then EXIT out of FF. Then restart FF and do a test run to https://forums.malwarebytes.com
See if FF is working normally. Then do a test run to a site that you trust and typically visit.
Edited by Maurice Naggar

Good morning. Hello. Please do keep in mind it is quite important to have the logs of these most recent block notice events.

I would like a report set for review. This is a report only.

Please download the MALWAREBYTES MBST Support Tool.

Once you start it, click Advanced >>> then Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply

Thank you for the report collection. It does help to have the full logs on the block events, as well as an overall readout on Malwarebytes and important info on the PC.

Again, we need to re-emphasize that the Premium real-time web protection is keeping the PC safe from potential harm. If there comes a point where you need to "silence" the block notices, I can guide you. Looking at the 5 block events of 27 DEC since around 00:39 hours, 1 was an outbound block. That one seems to be associated with a SteamLibrary game named Teeworlds:

D:\SteamLibrary\steamapps\\common\Teeworlds\tw\teeworlds.exe

What do you know about it? Do you need it? Perhaps consider removing it.

The other block events were inbound ones, from various different IP addresses. 3 of the 4 inbound do mention port 445.

I would suggest you go about blocking inbound access to port 445.

Here is how to block a port number in Windows:

https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/

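The linked article does the port-445 block through the Windows Firewall GUI. As an added example, not code from the forum post, from Malwarebytes or from the linked site, here is the same block done from an elevated PowerShell window, together with the checks a practitioner would want: which built-in allow rules open 445, whether the firewall profiles are actually on (a rule does nothing otherwise), whether the SMB server is still listening, and a dropped-packet log so you can see for yourself when the firewall, rather than anything else on the PC, turns an inbound probe away. The rule name "Block inbound SMB 445" is my own; the log path is the Windows Firewall default. It assumes no other device on your LAN needs shared folders or printers on this PC.

```powershell
# Added example, not from the forum post: block inbound TCP 445 (SMB) on a home
# Windows 10 PC, confirm the rule is live, and turn on dropped-packet logging so
# you can see the firewall acting on its own. Run from an elevated PowerShell window.
# Assumption: no other device on your LAN needs to reach shared folders/printers on this PC.

$ruleName = 'Block inbound SMB 445'   # our own rule name, not a Windows default
$fwLog    = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"   # Windows default log path

function Get-Smb445Exposure {
    # Built-in allow rules that open 445 (normally "File and Printer Sharing (SMB-In)").
    $allow = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    $block = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    # The SMB server lives in the kernel, so its 445 listener shows as "System" (PID 4),
    # which is why inbound blocks on 445 are attributed to "System" rather than a browser.
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    # A rule is useless if the firewall profile itself is off.
    $profilesOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    [pscustomobject]@{
        EnabledInboundAllowRulesOn445 = @($allow).Count
        BlockRulePresentAndEnabled    = [bool]($block -and $block.Enabled -eq 'True')
        ListeningOn445                = @($listen).Count -gt 0
        FirewallProfilesDisabled      = (@($profilesOff).Name -join ',')
    }
}

function Block-Smb445Inbound {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        # Block rules win over allow rules in Windows Firewall, so the built-in
        # "File and Printer Sharing" allow rule no longer opens 445 from outside.
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    # Log dropped packets on all profiles so an inbound probe to 445 leaves a trace
    # here even when nothing else on the PC reports it.
    Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogFileName $fwLog
}

function Get-RecentDropsOn445 {
    # pfirewall.log (W3C format) fields: date time action protocol src-ip dst-ip src-port dst-port ...
    if (-not (Test-Path $fwLog)) { return @() }
    Get-Content $fwLog | Where-Object { $_ -match '^\d' } | ForEach-Object {
        $f = $_ -split '\s+'
        if ($f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and $f[7] -eq '445') {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; SourceIP = $f[4]; DstPort = $f[7] }
        }
    }
}

'Before:'; Get-Smb445Exposure | Format-List
Block-Smb445Inbound
'After:';  Get-Smb445Exposure | Format-List
'Recent inbound drops on 445:'; Get-RecentDropsOn445 | Select-Object -Last 10 | Format-Table
```

Two things to know when checking the result. Windows Firewall does not filter loopback traffic, so a test against 127.0.0.1 proves nothing; test from another device on the LAN with `Test-NetConnection -ComputerName <this PC's LAN IP> -Port 445` and expect `TcpTestSucceeded : False`. And entries from `Get-RecentDropsOn445` are the direct answer to "are these connections now stopped before anything else sees them?": a DROP line for port 445 in pfirewall.log means the host firewall discarded that packet before it reached the SMB service.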

Hi,

Yeah, I'm very grateful for that protection!
Is it actually possible to predict what can happen if such a connection is successfully established?

Teeworlds is a game I play; I was already wondering why I couldn't get on a specific server until I saw that it was blocked by MB. I will just stay away from the server.

However, the incoming connections do not come from the game.

I have the rule in place now that all incoming connections are blocked on port 445.

So now this means that these connections are blocked before MB detects them?

And many thanks already at this point for all the help^^


Q. Is it actually possible to predict what can happen if such a connection is successfully established?

A. Uhmm, not so much, since we cannot guess as to what the immediate goal of the bad guys is. Though port 445 is an old way of dealing with printer & file sharing.

Q. So now this means that these connections are blocked before MB detects them?

A. Hopefully. But if there are future block events, remember, the real-time web protection is keeping the PC safe.

Note that I have presumed that you are a home-based personal PC type, that you are not on a business or organization network.

You are welcome. I will guide you to tools cleanup when ready for case closure.

I would recommend getting a readout report as to the update status of some key apps.

 

  • and save the tool on the desktop.
  • If Windows's  SmartScreen block that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Was the blocked event inbound, or was it outbound? What (if any) was the IP address? Port, if any? Was there a link or app involved?

Look at this support article: https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows

Look at the second half. Find & export & attach a text-file copy of the last block event. Also, keep in mind that blocks might still occur & that there is little that can be done about those (excepting any actual on-board malware, which in that event I will help you to remove). That is to say, for what is out on the internet & not on your box, there is little that can be done.


Keeping applications up to date with the latest releases is a very important component of security.

Note that the Opera browser 'may' need an update. Open the Opera web browser.

  1. Click the Opera icon in the top-left corner of the window.
  2. In the drop-down menu, move your mouse cursor over the Help selector, and select About Opera.

Notepad++ (64-bit x64) v.8.1.9.2   Warning! Download Update

Oracle VM VirtualBox 6.1.26 v.6.1.26   Warning! Download Update

TeamViewer v.15.23.9 Warning! Download Update

7-Zip 21.00 alpha (x64) v.21.00 alpha   Warning! Download Update
Uninstall old version and install new one.

Discord v.0.0.309   Warning! Download Update
