Gerardius Posted January 26, 2022 ID:1499276

Hello,

For days now, specifically since last January 7, I have been receiving continuous warnings from Malwarebytes in the Windows notification area indicating that the Omnatuor.com website has been blocked. I know I am protected but it is very annoying to be seeing those messages every minute. I have checked what programs I have installed on my computer since January 7, checked Microsoft Edge add-ons and have run a bunch of scans of my computer with both Malwarebytes and Microsoft Windows Defender, and they have never found anything. I'd like to be able to remove that annoying message but I don't know what else I can do, so I'd appreciate any help in clearing my computer of that junk.

Best regards,
Gerardo Cabezon Barbera
Maurice Naggar Posted January 26, 2022 ID:1499282 (edited)

Hello. My name is Maurice. I will guide you along on looking for potential malware.

Let's keep these principles as we go along. Removing malware can be unpredictable ... things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a USB-storage drive or flash/thumb drive. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient. Please stick with me until I give you the "all clear". Your topic will be closed if you haven't replied within 4 days! If I have not replied to your last post after 36 hours, please then send me a PM.

The first thing I need is to get a set of reports & logs from the Malwarebytes for Windows application. That is the first step. I will then review and use that to guide us along.

[ 1 ] Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ] I would like a report set for review. This is a report only. Please download the MALWAREBYTES MBST Support Tool. Once you start it click Advanced >>> then Gather Logs. Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply, like displayed here. To send (upload) attachments please click the "ADD Files" link. Then browse to where your file is located and select it and click the Open button. The set of data from the report will provide much needed information. Please always attach reports as we go along.

Cheers.
Edited January 29, 2022 by Maurice Naggar
Gerardius Posted January 26, 2022 Author ID:1499285

Hi Maurice,

Thanks for your quick answer. I've done all that you said and here is the zip file.

Cheers.

Attachment: mbst-grab-results.zip
Maurice Naggar Posted January 26, 2022 ID:1499329

Hello Gerardius. Thank you for the report. There are several file rename operations that Windows needs to do that need a Windows Restart. Plus this machine's Windows session has been on for over two days. At this point here, just please do a Windows Restart at your next chance. { I will make a new reply to follow-up soon. }
Maurice Naggar Posted January 26, 2022 ID:1499342

Next, a custom script to do checks & some cleanups. There is an Edge browser auto-start that needs removal. We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Gerardius only / for this machine only. This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execute time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will run the Windows DISM tool to check the system. It will rebuild the Winsock. It will attempt to update the Windows Defender antivirus and to run a quick scan in batch mode & to get a diagnostic readout of its status. It will attempt to remove 1 setting that makes Edge browser start a silent no-screen session.

NOTE-2: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, Opera & BRAVE caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- Recycle Bin
Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the user Downloads folder. Fixlist.txt <<< - - - - -

Then, start Windows Explorer and go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool, click the More info line on that screen and click the Run anyway button on the next screen.

On the FRST window: click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

This here is not a one-shot-cure-all. There will be more to do later. Stick with me.
Gerardius Posted January 27, 2022 Author ID:1499469

Hi, Maurice,

Thank you so much for your answers. I will do everything you indicate in your messages this weekend, as my work does not allow me to dedicate so much of my PC time on weekdays. On Saturday I will follow step by step all your indications and, as soon as I have finished, I will inform you and I will attach the FIXLOG.txt file.

See you soon,
Gerardo
Maurice Naggar Posted January 27, 2022 ID:1499473

That is fine. Work life first, after personal health. Computer stuff can wait.
Gerardius Posted January 29, 2022 Author ID:1499793

Hi, Maurice,

I have done the job and here is the file FIXLOG.txt. Thanks again for your assistance and have a great weekend.

Gerardo

Attachment: Fixlog.txt

Gerardius Posted January 29, 2022 Author ID:1499794

Hi, Maurice,

I have done the job and here is the file FIXLOG.txt. Thanks again for your assistance and have a great weekend.

EDIT: omnatuor.exe is still here 🙄

Gerardo
Maurice Naggar Posted January 29, 2022 ID:1499813 (edited)

Good morning. I hope your weekend is going well. You are saying that block notices still happen showing blocks on Omnatuor.com. This block is due to malvertising. {we will do more hunting later} Do you notice that the EDGE browser is in use at those moments? At that moment, are you perhaps reading online Email? Or perhaps reading a specific website? Maybe a sports or news website? Let me know about what you notice, please.

^ The custom fix ran as expected. It reported that Windows' Microsoft Defender antivirus has these folders specifically excluded from being monitored for potential viruses. My question is this. Did you knowingly, willfully place these as folder exclusions?
"E:\SteamLibrary"
"E:\Origin"
"C:\REX Real Global Airport Textures"
"F:\FS2020"
"C:\Users\gcabe\AppData\Local\Packages\Microsoft.FlightSimulator_8wekyb3d8bbwe"
"C:\Program Files\WindowsApps\Microsoft.FlightSimulator_1.21.13.0_x64__8wekyb3d8bbwe"
"F:\FS2020\Packages\Community"
"F:\FS2020\Packages\Official"
"J:\SIMULACION\Microsoft Flight Simulator"
and did you yourself set this process (application) as another exclusion?
"C:\Program Files\FreeFileSync\Bin\*"

^ For your action / to do list. Especially on the EDGE browser. See this article on our Malwarebytes Blog https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/ You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or Opera. Scroll down to the tips section "How do I disable them".

^ For your information, the block notices are due to malvertising related to Omnatuor.com at IP address "139.45.197.253". The Malwarebytes real-time web protection is keeping this system safe from potential harm. We will be doing more steps, soon, after I hear back from you.

Edited January 29, 2022 by Maurice Naggar: added notes
Maurice Naggar Posted January 29, 2022 (Solution) ID:1499818

More remarks in addition to those above in the last reply ^ ^ ^ ^ ^

We need to be very sure that nothing in the settings of the EDGE browser allows any notification by Omnatuor.com. Start the EDGE browser (if not already opened). Click the three dots button in the top-right corner and select Settings. Scroll down and click on View advanced settings. Under Notifications, click on Manage. Look closely to see if anything at all mentions "Omnatuor". If present, we want that removed or turned off.

^ Related to potential sources of bad advertising or malvertising: when you allow websites to push notifications to your web browser (in this case EDGE) that opens the door for malvertising. These websites are listed as being allowed to push notifications onto your EDGE browser.

hxxps://www.avsim.com; hxxp://forums.x-plane.org; hxxp://www.orbxsystems.com; hxxps://forums.chrisbelldesigns.com; hxxp://forum.aerosoft.com; hxxps://orbxsystems.com; hxxp://forums.x-pilot.com; hxxps://forums.x-plane.org; hxxps://www.youtube.com; hxxps://movistar.os.tc; hxxps://forum.simflight.com; hxxps://forum.thresholdx.net; hxxps://orbxdirect.com

hxxp://forum.aerosoft.com; hxxp://forums.x-pilot.com; hxxp://forums.x-plane.org; hxxp://www.orbxsystems.com; hxxps://forum.simflight.com; hxxps://forum.thresholdx.net; hxxps://forums.chrisbelldesigns.com; hxxps://forums.x-plane.org; hxxps://modsfire.com; hxxps://orbxdirect.com; hxxps://orbxsystems.com; hxxps://twitter.com; hxxps://www.avsim.com; hxxps://www.youtube.com

Can you consider removing most if not all of them?
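The check Maurice asks for above, done against the browser profile on disk rather than through the Settings screens, as an added example that is not part of the original thread and not a Malwarebytes tool: Chromium-based browsers (Edge, Chrome, Brave, Opera) record per-site notification grants under profile.content_settings.exceptions.notifications in the profile's Preferences JSON file, keyed by "<origin pattern>,<secondary pattern>" with setting 1 for allow and 2 for block. The script lists every origin currently allowed to push notifications, which is exactly the set of sites that can be abused for push malvertising even when none of them is named after the blocked domain. The Preferences excerpt embedded below is constructed for the example, and the Edge and Chrome default-profile paths in default_preferences_paths are assumptions about where the file lives on a Windows machine.

```python
"""List which sites a Chromium-based browser profile lets push notifications."""
import json
import os
import sys
from pathlib import Path

# ContentSetting values as stored in Chromium's Preferences file.
SETTING_ALLOW = 1
SETTING_BLOCK = 2

# Constructed sample of the relevant part of a Preferences file (not taken from
# the machine in the thread). Keys are "<primary pattern>,<secondary pattern>".
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://www.avsim.com:443,*": {"last_modified": "13287340000000000", "setting": 1},
                    "https://www.youtube.com:443,*": {"setting": 1},
                    "http://forums.x-plane.org:80,*": {"setting": 1},
                    "https://example.invalid:443,*": {"setting": 2},
                }
            }
        }
    }
})


def default_preferences_paths():
    """Assumed locations of the first profile's Preferences file on Windows."""
    local = Path(os.environ.get("LOCALAPPDATA", ""))
    return {
        "Edge": local / "Microsoft" / "Edge" / "User Data" / "Default" / "Preferences",
        "Chrome": local / "Google" / "Chrome" / "User Data" / "Default" / "Preferences",
    }


def notification_exceptions(prefs_text):
    """Return {origin: setting} for every notification exception in the JSON text.
    The ',*' secondary-pattern suffix is dropped so each key is just the origin."""
    prefs = json.loads(prefs_text)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    result = {}
    for pattern, entry in exceptions.items():
        origin = pattern.split(",", 1)[0]
        if isinstance(entry, dict) and "setting" in entry:
            result[origin] = entry["setting"]
    return result


def allowed_notification_origins(prefs_text):
    """Origins that may push notifications: the ones worth revoking, sorted."""
    return sorted(o for o, s in notification_exceptions(prefs_text).items() if s == SETTING_ALLOW)


def blocked_notification_origins(prefs_text):
    """Origins the user has explicitly denied, sorted."""
    return sorted(o for o, s in notification_exceptions(prefs_text).items() if s == SETTING_BLOCK)


def audit(label, prefs_text):
    """Print the allow/block lists; return the number of allowed origins."""
    allowed = allowed_notification_origins(prefs_text)
    print(f"{label}: {len(allowed)} origin(s) allowed to push notifications")
    for origin in allowed:
        print("  ALLOW", origin)
    for origin in blocked_notification_origins(prefs_text):
        print("  BLOCK", origin)
    return len(allowed)


def main(argv):
    # Usage: python audit_push.py [path\to\Preferences]
    # With no argument, audit whichever assumed default profiles exist,
    # falling back to the constructed sample so the script runs anywhere.
    if len(argv) > 1:
        return 1 if audit(argv[1], Path(argv[1]).read_text(encoding="utf-8")) else 0
    found = 0
    for browser, path in default_preferences_paths().items():
        if path.is_file():
            found += audit(browser, path.read_text(encoding="utf-8"))
        else:
            print(f"{browser}: no Preferences file at {path}")
    if found == 0 and not any(p.is_file() for p in default_preferences_paths().values()):
        found = audit("constructed sample", SAMPLE_PREFERENCES)
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Close the browser before reading the file so it reflects the current state, and treat it as read-only: the browser rewrites Preferences itself, so revoke the grants through the browser's notification settings page rather than by editing the JSON. Where every user of a machine should lose the ability to grant push notifications, the Chromium DefaultNotificationsSetting policy (value 2 = block) under the browser's Policies registry key does that centrally.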
Gerardius Posted January 31, 2022 Author ID:1500001

Hello, Maurice,

After reviewing everything you indicate in your last messages, all the exclusions are correct and I have been using them for a long time. I have deleted all Edge notification permissions and now I don't seem to get the message, at least I have had the PC running for a while and have not received any messages. If it comes up again I will let you know. In the meantime, thank you very much for your help, I have never needed the Malwarebytes service before and it has given me a very pleasant impression and the feeling that I am in very good hands and it is worth every euro I pay for my five licenses.

Best regards and take care.
Gerardo

Gerardius Posted January 31, 2022 Author ID:1500002

By the way, there was nothing related to Omnatuor.com explicitly, so I imagine it must have been "camouflaged" in another URL that had permissions for notifications.
Maurice Naggar Posted January 31, 2022 ID:1500007

Good morning, Gerardius. I am happy to know that the block notices for "omnatuor" have ceased. It does make sense that once having removed all website-server notifications on the web browser (in this case Edge) the issue is done away with. In another case with a different customer, it was a browser extension on the web browser. Again, happy to know the good news.

Before we wrap-up... Did you knowingly, willfully place these as folder exclusions in the Microsoft Defender antivirus settings?
"E:\SteamLibrary"
"E:\Origin"
"C:\REX Real Global Airport Textures"
"F:\FS2020"
"C:\Users\gcabe\AppData\Local\Packages\Microsoft.FlightSimulator_8wekyb3d8bbwe"
"C:\Program Files\WindowsApps\Microsoft.FlightSimulator_1.21.13.0_x64__8wekyb3d8bbwe"
"F:\FS2020\Packages\Community"
"F:\FS2020\Packages\Official"
"J:\SIMULACION\Microsoft Flight Simulator"
and did you yourself set this process (application) as another exclusion?
"C:\Program Files\FreeFileSync\Bin\*"
Gerardius Posted January 31, 2022 Author ID:1500030

2 hours ago, Maurice Naggar said:
> Did you knowingly, willfully place these as folder exclusions in the Microsoft Defender antivirus settings?
> "E:\SteamLibrary"
> "E:\Origin"
> "C:\REX Real Global Airport Textures"
> "F:\FS2020"
> "C:\Users\gcabe\AppData\Local\Packages\Microsoft.FlightSimulator_8wekyb3d8bbwe"
> "C:\Program Files\WindowsApps\Microsoft.FlightSimulator_1.21.13.0_x64__8wekyb3d8bbwe"
> "F:\FS2020\Packages\Community"
> "F:\FS2020\Packages\Official"
> "J:\SIMULACION\Microsoft Flight Simulator"
> and did you yourself set this process (application) as another exclusion?
> "C:\Program Files\FreeFileSync\Bin\*"

Hello again, Maurice,

Thanks for your reply. Yes, of course, these are folders that contain software that requires the maximum amount of PC resources possible, especially those related to Microsoft Flight Simulator, and in the official forums they recommend that option to avoid an antivirus scan interfering with those files while flying. They have been like that for years and I am very scrupulous about the content I add to those folders, apart from the official Microsoft/Asobo content which is highly protected and verified.

Best regards and best wishes.

Gerardius Posted January 31, 2022 Author ID:1500031

Oooops!!! I forgot to mention the last exclusion, the one you specifically ask about and that corresponds to FreeFileSync. It's reliable software that I've been using for a long time and Malwarebytes was blocking it as a PUP, if I remember correctly, so I had no choice but to add the exclusion. But I've never had any problems, in fact, until Omnatuor, I've never had any kind of infection.

Cheers
Maurice Naggar Posted January 31, 2022 ID:1500045 (edited)

Hi. Thank you. Alright, we are on the home stretch now. I would recommend getting a readout report as to the update status of some key apps.

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop. If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive. Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward. Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Edited January 31, 2022 by Maurice Naggar

Gerardius Posted February 1, 2022 Author ID:1500109

Hi. Done! Here is the file. Thanks for your instructions. Uninstalled Bonjour and Skype Web Plugin.

Gerardo

Attachment: SecurityCheck.txt
Maurice Naggar Posted February 1, 2022 ID:1500158

These are what need your attention & follow-up actions.

The elevation prompt for administrators disabled ^ It is recommended to enable (default): Win+R, type UserAccountControlSettings and press the Enter key.

^ PC Tools File Recover 9.0 v.9.0 Warning! This software is no longer supported. Please uninstall it and use another software.
Notepad++ (64-bit x64) v.8.1.9.3 Warning! Download Update
TeamViewer v.15.17.6 Warning! Download Update
7-Zip 19.00 (x64) v.19.00 Warning! Download Update. Uninstall old version and install new one.
WinRAR 6.02 (64-bit) v.6.02.0 Warning! Download Update
IrfanView 4.58 (64-bit) v.4.58 Warning! Download Update
Discord v.0.0.309 Warning! Download Update
Zoom v.4.6 Warning! Download Update
Skype versión 8.71 v.8.71 Warning! Download Update

-------------------------------- [ Java ] ---------------------------------
Java 8 Update 141 v.8.0.1410.15 Warning! Download Update. Uninstall old version and install new one (jre-8u321-windows-i586.exe).
Java 8 Update 321 v.8.0.3210.7

-------------------------------- [ Media ] --------------------------------
Audacity 3.0.5 v.3.0.5 Warning! Download Update

Gerardius Posted February 1, 2022 Author ID:1500163

Hi

Thanks again for your instructions, Maurice.

Gerardo
Maurice Naggar Posted February 1, 2022 ID:1500165

You are welcome. When you get caught-up / when you have quiet time: this next part is to do a tools cleanup before we close the case. Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop. Right-click kprm_(version).exe and select Run as Administrator. Read and accept the disclaimer. When the tool opens, ensure all boxes under Actions are checked. Under Delete Quarantines select Delete Now, then click Run. Once complete, click OK. A log will open in Notepad titled kprm-(date).txt. You may attach that file to your next reply. (not compulsory)

Gerardius Posted February 1, 2022 Author ID:1500231

Hi

I have done it and here is the kprm...txt file. Thank you very much for your help, Maurice.

Gerardo

Attachment: kprm-20220201231137.txt
Maurice Naggar Posted February 1, 2022 ID:1500234

I am glad to have worked with you. There are perhaps 3 other tools to delete. To remove the FRSTENGLISH tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process. Delete mb-support-1.8.n.nnn.exe. Delete mbst-grab-results.zip on the Desktop.

I am marking this case for closure. I wish you all the best. Stay safe.

Sincerely.
Maurice

Maurice Naggar Posted February 1, 2022 ID:1500235

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you