Omnatuor.com


Solved by Maurice Naggar


Hello,

For days now, specifically since last January 7, I have been receiving continuous warnings from Malwarebytes in the Windows notification area indicating that the Omnatuor.com website has been blocked.

I know I am protected, but it is very annoying to see those messages every minute.

I have checked what programs I have installed on my computer since January 7, checked Microsoft Edge add-ons and have run a bunch of scans of my computer with both Malwarebytes and Microsoft Windows Defender and they have never found anything.

I'd like to be able to remove that annoying message but I don't know what else I can do, so I'd appreciate any help in clearing my computer of that junk.

Best regards,

 

Gerardo Cabezon Barbera


Hello.

My name is Maurice.  I will guide you.  

I will guide you along on looking for potential malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable... things can go very wrong!
  • Backup any files that cannot be replaced. You can copy them to a CD/DVD, an external drive, or a USB-storage drive or flash/thumb drive.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Please stick with me until I give you the "all clear".

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a PM.

 

The first thing I need is to get a set of reports & logs from the Malwarebytes for Windows application.

 

That is the first step.  I will then review and use that to guide us along.

Please set File Explorer to SHOW ALL folders and all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ]

I would like a report set for review. This is a report only.

Please download the MALWAREBYTES MBST Support Tool.

Once you start it, click Advanced >>> then Gather Logs.

Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply, like displayed here.

To send (upload) attachments please click the "ADD Files" link. Then browse to where your file is located, select it and click the Open button.

 


 

The set of data from the report will provide much needed information.

Please always attach reports as we go along.

Cheers.


Hello Gerardius. Thank you for the report. There are several file rename operations that Windows needs to do that need a Windows Restart. Plus this machine's Windows session has been on for over two days. At this point here, just please do a Windows Restart at your next chance. { I will make a new reply to follow-up soon. }


Next, a custom script to do checks & some cleanups. There is an Edge browser auto-start that needs removal.

We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for Gerardius only / for this machine only.

 

This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execute time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will run the Windows DISM tool to check the system. It will rebuild the Winsock. It will attempt to update the Windows Defender antivirus, to run a quick scan in batch mode & to get a diagnostic readout of its status. It will attempt to remove 1 setting that makes the Edge browser start a silent no-screen session.

NOTE-2: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  • Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt to the user Downloads folder.

Fixlist.txt   <<< (attached)

Then start Windows Explorer and go to the Downloads folder.

RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.  This here is not a one-shot-cure-all.  There will be more to do later.  Stick with me.


Hi, Maurice,

Thank you so much for your answers. 

I will do everything you indicate in your messages this weekend, as my work does not allow me to dedicate so much of my PC time on weekdays. On Saturday I will follow step by step all your indications and, as soon as I have finished, I will inform you and I will attach the FIXLOG.txt file.

See you soon,

 

Gerardo


Good morning. I hope your weekend is going well. You are saying that block notices still happen showing blocks on Omnatuor.com. This block is due to malvertising. {we will do more hunting later} Do you notice that the EDGE browser is in use at those moments? At that moment, are you perhaps reading online Email? or perhaps reading a specific website? maybe a sports or news website? Let me know about what you notice, please.
^
The custom fix ran as expected. It reported that Windows' Microsoft Defender antivirus has these folders specifically excluded from being monitored for potential viruses. My question is this. Did you knowingly, willfully place these as folder exclusions?

"E:\SteamLibrary"
"E:\Origin"
"C:\REX Real Global Airport Textures"
"F:\FS2020"
"C:\Users\gcabe\AppData\Local\Packages\Microsoft.FlightSimulator_8wekyb3d8bbwe"
"C:\Program Files\WindowsApps\Microsoft.FlightSimulator_1.21.13.0_x64__8wekyb3d8bbwe"
"F:\FS2020\Packages\Community"
"F:\FS2020\Packages\Official"
"J:\SIMULACION\Microsoft Flight Simulator"
and Did you yourself set this process ( application) as another exclusion ?
"C:\Program Files\FreeFileSync\Bin\*"

^

For your action / to-do list. Especially on the EDGE browser.

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

^

For your information, the block notices are due to malvertising related to Omnatuor.com at IP address "139.45.197.253".

The Malwarebytes real-time web protection is keeping this system safe from potential harm. We will be doing more steps, soon, after I hear back from you.


  • Solution

More remarks in addition to those above in last reply  ^ ^ ^ ^ ^

We need to be very sure that nothing on the settings of the EDGE browser allows any notification by Omnatuor.com
Start EDGE browser  ( if not already opened )
Click the three dots button in the top-right corner and select Settings.
Scroll down and click on View advanced settings.
Under Notifications, click on Manage.

Look closely to see if anything at all mentions "Omnatuor"
If present, we want that removed or turned off.
^
Related to potential sources of bad advertising or malvertising
when you allow websites to push notifications to your web browser ( in this case EDGE) that opens the door for malvertising.
These websites are listed as being allowed to push notifications onto your EDGE browser.
hxxps://www.avsim.com; hxxp://forums.x-plane.org; hxxp://www.orbxsystems.com; hxxps://forums.chrisbelldesigns.com; hxxp://forum.aerosoft.com; hxxps://orbxsystems.com; hxxp://forums.x-pilot.com; hxxps://forums.x-plane.org; hxxps://www.youtube.com; hxxps://movistar.os.tc; hxxps://forum.simflight.com; hxxps://forum.thresholdx.net; hxxps://orbxdirect.com

hxxp://forum.aerosoft.com; hxxp://forums.x-pilot.com; hxxp://forums.x-plane.org; hxxp://www.orbxsystems.com; hxxps://forum.simflight.com; hxxps://forum.thresholdx.net; hxxps://forums.chrisbelldesigns.com; hxxps://forums.x-plane.org; hxxps://modsfire.com; hxxps://orbxdirect.com; hxxps://orbxsystems.com; hxxps://twitter.com; hxxps://www.avsim.com; hxxps://www.youtube.com

Can you consider removing most, if not all, of them?

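As an added illustration of the check described in the post above (not code from the thread, from Malwarebytes or from the browser vendor), this Python script reads the JSON "Preferences" file that a Chromium-based browser such as Edge keeps per profile, lists every origin that was granted notification permission, and separates the sites the user deliberately wants to keep from the candidates to revoke. The key path profile.content_settings.exceptions.notifications and the setting codes (1 = allow, 2 = block) are Chromium's own layout; the embedded sample file is constructed for this example, and the Edge profile path in the docstring is an assumption about a default installation.

```python
"""List the origins a Chromium-based browser (Edge, Chrome) allows to send
push notifications, as a read-only audit of the setting discussed above.

Added example, not code from the thread or from the browser vendor.
Assumptions: the Preferences file is JSON and keeps notification grants at
profile.content_settings.exceptions.notifications (Chromium's layout), and
Edge's default profile stores it at
%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Preferences.
"""
import json
from pathlib import Path

# Chromium ContentSetting codes as written into Preferences.
SETTING_ALLOW = 1
SETTING_BLOCK = 2

# Constructed sample: shaped like a real Preferences file, not copied from one.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://www.avsim.com:443,*": {"setting": SETTING_ALLOW,
                                                    "last_modified": "13280000000000000"},
                    "http://forums.x-plane.org:80,*": {"setting": SETTING_ALLOW},
                    "https://www.youtube.com:443,*": {"setting": SETTING_ALLOW},
                    "https://example.test:443,*": {"setting": SETTING_BLOCK},
                }
            }
        }
    }
})


def allowed_notification_origins(preferences_json: str) -> list:
    """Return, sorted, every origin whose notification permission is ALLOW.

    Keys look like "https://host:443,*": a primary pattern, a comma and a
    secondary pattern; only the primary pattern identifies the site.
    """
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    return sorted(pattern.split(",", 1)[0]
                  for pattern, entry in exceptions.items()
                  if isinstance(entry, dict) and entry.get("setting") == SETTING_ALLOW)


def partition_for_review(origins, keep=()):
    """Split allowed origins into the ones the user deliberately keeps and the
    rest, which are the candidates to revoke: every grant is a channel through
    which that site can push content, so a site keeps it only with a reason."""
    wanted = {k.lower() for k in keep}
    return {"keep": [o for o in origins if o.lower() in wanted],
            "revoke": [o for o in origins if o.lower() not in wanted]}


def audit_preferences_file(path, keep=()):
    """Run the audit against a real Preferences file on disk."""
    text = Path(path).read_text(encoding="utf-8")
    return partition_for_review(allowed_notification_origins(text), keep)


if __name__ == "__main__":
    granted = allowed_notification_origins(SAMPLE_PREFERENCES)
    report = partition_for_review(granted, keep=["https://www.youtube.com:443"])
    print("origins allowed to notify:", granted)
    print("revoke in the browser's site permissions:", report["revoke"])
```

The script only reads the file. The revocation itself is done in the browser's notification settings, as the post describes, because a running browser rewrites Preferences and would undo a direct edit; the script's value is that it gives a complete list to work through instead of scrolling the settings page.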

Hello, Maurice,

After reviewing everything you indicate in your last messages, all the exclusions are correct and I have been using them for a long time.

I have deleted all Edge notification permissions and now I don't seem to get the message, at least I have had the PC running for a while and have not received any messages.

If it comes up again I will let you know.

In the meantime, thank you very much for your help, I have never needed the Malwarebytes service before and it has given me a very pleasant impression and the feeling that I am in very good hands and it is worth every euro I pay for my five licenses.

Best regards and take care.

Gerardo


Good morning, Gerardius. I am happy to know that the block notices for "omnatuor" have ceased. It does make sense that, once all website-server notifications on the web browser (in this case Edge) have been removed, the issue is done away with. In another case with a different customer, it was a browser extension on the web browser. Again, happy to know the good news. Before we wrap-up...

Did you knowingly, willfully place these as folder exclusions on Microsoft Defender antivirus settings?

"E:\SteamLibrary"
"E:\Origin"
"C:\REX Real Global Airport Textures"
"F:\FS2020"
"C:\Users\gcabe\AppData\Local\Packages\Microsoft.FlightSimulator_8wekyb3d8bbwe"
"C:\Program Files\WindowsApps\Microsoft.FlightSimulator_1.21.13.0_x64__8wekyb3d8bbwe"
"F:\FS2020\Packages\Community"
"F:\FS2020\Packages\Official"
"J:\SIMULACION\Microsoft Flight Simulator"
and Did you yourself set this process ( application) as another exclusion ?
"C:\Program Files\FreeFileSync\Bin\*"


2 hours ago, Maurice Naggar said:

Did you knowingly, willfully place these as folder exclusions on Microsoft Defender antivirus settings?

"E:\SteamLibrary"
"E:\Origin"
"C:\REX Real Global Airport Textures"
"F:\FS2020"
"C:\Users\gcabe\AppData\Local\Packages\Microsoft.FlightSimulator_8wekyb3d8bbwe"
"C:\Program Files\WindowsApps\Microsoft.FlightSimulator_1.21.13.0_x64__8wekyb3d8bbwe"
"F:\FS2020\Packages\Community"
"F:\FS2020\Packages\Official"
"J:\SIMULACION\Microsoft Flight Simulator"
and Did you yourself set this process ( application) as another exclusion ?
"C:\Program Files\FreeFileSync\Bin\*"

Hello again, Maurice,

Thanks for your reply.

Yes, of course, these are folders that contain software that require the maximum amount of PC resources possible, especially those related to Microsoft Flight Simulator, and in the official forums they recommend that option to avoid an antivirus scan interfering with those files while flying. They have been like that for years and I am very scrupulous about the content I add to those folders, apart from the official Microsoft/Asobo content which is highly protected and verified.

Best regards and best wishes.


Oooops!!! I forgot to mention the last exclusion, the one you specifically ask about and that corresponds to FreeFileSync. It's a reliable software that I've been using for a long time and Malwarebytes was blocking it as a PUP, if I remember correctly, so I had no choice but to add the exclusion. But I've never had any problems, in fact, until Omnatuor, I've never had any kind of infection.

Cheers
 


Hi.  Thank you. Alright, we are on the home stretch now.  

 

  • and save the tool on the desktop.
  • If Windows SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


These are what need your attention & follow-up actions.
The elevation prompt for administrators disabled
^ It is recommended to enable (default): press Win+R, type

UserAccountControlSettings

and press the Enter key.

^

PC Tools File Recover 9.0 v.9.0  Warning! This software is no longer supported. Please uninstall it and use another software.

Notepad++ (64-bit x64) v.8.1.9.3  Warning! Download Update

TeamViewer v.15.17.6  Warning! Download Update

7-Zip 19.00 (x64) v.19.00  Warning! Download Update
Uninstall old version and install new one.

WinRAR 6.02 (64-bit) v.6.02.0  Warning! Download Update

IrfanView 4.58 (64-bit) v.4.58  Warning! Download Update

Discord v.0.0.309  Warning! Download Update

Zoom v.4.6  Warning! Download Update

Skype versión 8.71 v.8.71  Warning! Download Update

-------------------------------- [ Java ] ---------------------------------
Java 8 Update 141 v.8.0.1410.15  Warning! Download Update
Uninstall old version and install new one (jre-8u321-windows-i586.exe).
Java 8 Update 321 v.8.0.3210.7

-------------------------------- [ Media ] --------------------------------
Audacity 3.0.5 v.3.0.5  Warning! Download Update


You are welcome. When you get caught-up / when you have quiet time: this next part is to do a tools cleanup, before we close the case.
Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)

I am glad to have worked with you. There are perhaps 3 other tools to delete.

To remove the FRSTENGLISH tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to

UNINSTALL.exe

Then run that (double click on it) to begin the cleanup process.

Delete mb-support-1.8.n.nnn.exe
Delete mbst-grab-results.zip on the Desktop.

I am marking this case for closure.  I wish you all the best. Stay safe.
Sincerely.

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 
