hf82kfy7 Posted February 2, 2022 ID:1500307 Share Posted February 2, 2022 Hi team, Possibly not a malware removal question, and instead more of a malware prevention question, but here goes: Last week or so (23rd Jan) I had my antivirus (Bitdefender Free edition) catch and prevent a DoublePulsar backdoor attempt via some SMB port. I think when it occured SMB 1.0 was active as I use it occasionally for a specific retro gaming setup. I immediately installed MB to doublecheck that everything is okay; however, since installing it, I've had repeated 'blocked website' 'compromised' notifications - 1-5 a day, inbound connections, all from different IP addresses, targeting SMB ports 135 and 445, and occasionally specifically also targeting svchost.exe and system.exe. I've not noticed any other suspicious activity. I've since reset my laptop, so details of the initial DoublePulsar notification is missing along with MB's and other malware scan reports from 23-28th - all scans were clean. Since the reset, I've run ADWCleaner, ESET Online Scanner, Microsoft Safety Scanner, and Malwarebytes/Avira/Defender's own scans, to nothing. (Tried looking through FRST's output too, but didn't understand it!) I understand that these notifcations mean that MB is working and that I can continue to browse safely, however, I have a couple of questions about the fact I'm getting the notifications in the first place: 1) Is this sort of inbound connection common to the majority of general internet users; or is this targeted, based on my computer/IP address being logged somewhere malicious? Would a VPN help? No other devices on the home network have had any issues lately - it's just my personal laptop. 2) Part of the reason that I ask 1) is that I'm actually still getting these notifications when I've established an internet connection, but am not using a web browser, so the blocked websites doesn't appear to be related to the websites I'm accessing or browser with which I'm doing so. Today's first blocked website was when I was only running the Xbox app (and possibly Discord in the background) - a whois on the IP address brought up nothing specific other than that it was allocated to Latin America's internet registry. All the IP addresses I've checked are similar in detail but for other countries. Is this anything to be concerned about? 3) I'm aware Windows Firewall blocks all incoming traffic by default, but I added explicit firewall rules to block all incoming traffic at 135 and 445, for peace of mind. However, checking netstat on the command line indicates that the ports are still open, and the foreign address is listed at 0.0.0.0. The PIDs listening on the ports are system.exe and svchost.exe (the specific service attached to the svchost PID is RPC Endpoint Mapper), so I don't really want to mess with those without explicit instruction to. Is this also anything to be concerned about? Attached are the relevant initial reports. Let me know if you need anything else. Cheers S FRST.txt Addition.txt MB Threat Scan 02-02-2022.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 2, 2022 ID:1500311 Share Posted February 2, 2022 Hi To briefly answer your # 1 question: No, your particular machine is not a specific target. This pc runs Windows 10 Pro. So first thing, turn off { disable} Remote Desktop feature. Then read all of what follows. The issue ( of block notices) that started out this case were due to attempted probes from the outside. The real-time protection of Malwarebytes for Windows is keeping the pc safe. They will continue to do so, given that you have Malwarebytes Premium. Here are some general conclusions & some tips. The blocks are on addresses that are attempting to do a forced attempt to exploit remote-desktop-protocol. The Real Time Protection of Malwarebytes for Windows is actively doing it's job to protect the system. I would recommend that if you have a internet-connection-router hardware at home, that you look over this article "How to Enable Your Wireless Router's Built-in Firewall"https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668 In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period. If you wish to do so, here is one how-to guide for the Windows software firewallhttps://www.interserver.net/tips/kb/add-ip-address-windows-firewall/ Additionally or alternatively, if this is on Windows 10 PRO and if you do not need or use Remote Desktop, you can turn that off.https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html This Windows version is a PRO edition. IF you do not use remote desktop access to other outside machines, then I suggest you turn R D P to Off. The probers look for PRO or Enterprise editions as a prime potential target for exploitation. . Here is how to block a port number in Windows https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/ How to Change the port number for RDP https://tunecomp.net/change-remote-desktop-port-windows-10/ ALSO see this Malwarebytes support articlehttps://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 2, 2022 ID:1500312 Share Posted February 2, 2022 The FRST report shows the current resident antivirus is Avira. Your writeup mentions Bitdefender. I would caution to not be switching or flipping from one antivirus to another. Switching antivirus requires a good plan that includes cleaning up traces of the Old app. Some antivirus apps do not remove completely when uninstalled. Having traces of old applications can cause unforseen conflicts. Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 2, 2022 Author ID:1500319 Share Posted February 2, 2022 Hi Maurice - Remote Desktop's completely disabled. I've looked at both the settings and registry keys to double check. I don't need Remote Desktop at all so this is fine, although I do note that I haven't had a blocked probe targeting RDP's port, 3389, as noted in the guide. Are SMB and RDP probes interchangable? - Router's inbuilt firewall appears to be on (there are 'on' buttons labelled 'enable ipv6 firewall' and 'enable ipv6 ipsec firewall'), but I'll look around for more specific assistance with my make/provider. - Regarding Bitdefender vs Avira - Bitdefender recently discontinued their free edition, so after I reset the laptop and reinstalled Windows, I could not redownload and continue to use Bitdefender. Avira was my chosen replacement. I don't think there should be any traces of Bitdefender left after a total reinstall. Apologies for the confusion. - Regarding the Malwarebytes support article (https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise), it indicates that these probes can last up to a week and that I should add the IP address to my firewall - it's been a little over a week, and each IP address probe is different from the last. It feels moot adding 10+ addresses to the firewall because they're not repeating at all. If this keeps happening after another week, is that where I do start to get worried? - Regarding blocking the port numbers (https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/), that guide is exactly how I've set up the firewall rules for ports 135 and 445, but as noted cmd netstat does still show them as open. I'm unsure if they're really blocked or not? - Regarding the tunecomp guide about changing the RDP port (https://tunecomp.net/change-remote-desktop-port-windows-10/) - then, would it be worth looking into changing SMB port numbers 135 and 445 to something else, as those are the targeted areas? Is this possible? Thanks for your help S Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 2, 2022 ID:1500327 Share Posted February 2, 2022 There is a lot of different factors / aspects that you have listed. One of the next things I'd like to get is a data-history collection about the Malwarebytes block history. Let me make some remarks. Dont be using netstat to hunt all over the place, please. Dont make any changes on SMB port. { we will be doing a few different scans later just to insure there is nothing on your system itself}. As we go along, I need to know if blocks are still happening, if they are INBOUND, if they are tagged as "compromised". See if you can do without any instant messenger apps, like Discord, etc Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while case is on-going. Do not do any free-wheeling web-surfing. Patience & persistance are needed. Please stick with me until I give you the "all clear". Your topic will be closed if you haven't replied within 4 days!If I have not replied to your last post after 36 hours, please then send me a P M. The next thing I need is to get a set of reports & logs from the Malwarebytes for Windows application. That is the first step. I will then review and use that to guide us along. Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html [ 2 ] I would like a report set for review. This is a report only. Please download MALWAREBYRES MBST Support Tool Once you start it click Advanced >>> then Gather Logs Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply . Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 2, 2022 Author ID:1500338 Share Posted February 2, 2022 Hi Maurice Thanks for your help and sorry about all the different questions, this just seems a little bit unusual and I don't want to risk anything! I will follow your instructions re limiting app and web use. Please find the MBST results as asked for. I am sure the reports and logs included in the zip file will show this, but in the time since posting my initial request there was one more 'blocked website', inbound, port 445, tagged as 'compromised'. Please let me know if you need any further identifying information for this. Many thanks S mbst-grab-results.zip Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 2, 2022 ID:1500343 Share Posted February 2, 2022 Thank you. I will be digging thru that report set. The initial FRST you sent do not show signs of malware. Next, a custom script to do checks & some cleanups. There is a Edge browser auto-start that needs removal. We will use FRST64.exe on the \Downloads\Security folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Hf82kfy7 only / for this machine only. This custom script has some specific things, plus some general aspect to help the system overall. Hoping it will not exceed 60 minutes in execute time. NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. . It will run the Windows DISM tool to check the system. It will rebuild the Winsock. NOTE-2: As part of run it will remove a few dead/ "no file" tasks. It will also remove the auto-starts of Discord & Steam. You do not need those autostarted. One of them may be a contributor that leads to the IP block events. NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome, and Opera & BRAVE caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those. Please save the (attached file named) FIXLIST.txt to the user \Downloads\Security folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the \Downloads\Security folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. This here is not a one-shot-cure-all. There will be more to do later. Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 2, 2022 Author ID:1500348 Share Posted February 2, 2022 Hi Maurice, Please find attached fixlog. Thank you for the autostart fixes also - I thought I turned off most of them in the task manager, but they were still going through! Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 2, 2022 ID:1500367 Share Posted February 2, 2022 (edited) Cool. Thank you. This next round is a follow-up, a special one. Please first Delete the file " Fixlist.txt " now on the \Downloads\Security folder. Next, a new custom script. NOTE-1: This script will attempt to make specific adjustments to the Windows firewall rules. It will attempt to block the 11 IP addresses from any Inbound traffic, on any protocol, on any port. It will block port 445 from any Inbound on any protocol. Note that these are for Inbound. Hopefully this will be a help to alleviate the main issue. We will use FRST64.exe on the \Downloads\Security folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Hf82kfy7 only / for this machine only. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those. Please save the (attached file named) FIXLIST.txt to the user \Downloads\Security folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the \Downloads\Security folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. This here is not a one-shot-cure-all. There will be more to do later. Edited February 2, 2022 by Maurice Naggar Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 3, 2022 Author ID:1500419 Share Posted February 3, 2022 Morning, Please find attached new fixlog. Have checked Firewall and new IP block rule is in place and enabled, can't see the port rule though - possible conflict with my existing rule? Have had no further detection notifications from MB so far, however may just be because of lowered internet use. Will continue to monitor. S Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 3, 2022 ID:1500428 Share Posted February 3, 2022 Ok, Thank you. Just to do a scan to check, please plan & do one scan with the resident antiviurs, { which is Avira antivirus}. Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 3, 2022 Author ID:1500441 Share Posted February 3, 2022 Avira scan came up clean - log attached if you wish to view. AVSCAN-20220203-133052-13E0AC0F.LOG Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 3, 2022 ID:1500452 Share Posted February 3, 2022 (edited) Thank you. Avira result indicates no virus, no trojan, or malware on the system. This next round is a follow-up, a special one. Please first Delete the file " Fixlist.txt " now on the \Downloads\Security folder. Next, a new custom script. NOTE-1: This is a new attempt to block port 445 from any Inbound on any TCP protocol. Note that these are for Inbound. Hopefully this will be a help to alleviate the main issue. We will use FRST64.exe on the \Downloads\Security folder to run a custom script. This run should be very quick. and without a restart. This custom script is for Hf82kfy7 only / for this machine only. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. Please save the (attached file named) FIXLIST.txt to the user \Downloads\Security folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the \Downloads\Security folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. You will see a green progress bar start. It should run very fast. This should not require a restart. Watch for a visual on-screen display about Completion. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Edited February 3, 2022 by Maurice Naggar Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 3, 2022 Author ID:1500454 Share Posted February 3, 2022 Fixlog attached. The new rule is now visible and enabled in Windows firewall. Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 3, 2022 ID:1500456 Share Posted February 3, 2022 Thanks. Very well. Let's keep an eye out for ( if) any new Inbound block events from Malwarebytes over the next one, two, three days. Should they happen, always keep in mind that the Block action means that Malwarebytes is keeping the system safe from potential harm. Question for you: Did you run the ESET Online scanner tool on or about 28 January ? You had mentioned having run it & that it reported no malware. You also reported having run the MS Safety Scanner & it too found no infection. Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 3, 2022 Author ID:1500460 Share Posted February 3, 2022 Alright, I'll keep an eye out. There's been one new inbound block event from Malwarebytes today - new IP address, aiming for port 5040. I've attached the txt file that MB generates for these events. The only online-enabled app I have used is Firefox, which I am using to post to this thread. I have not done any other web searches or opened anything except default programs like File Explorer or Notepad since yesterday. I believe I ran ESET on the 26th (before computer reset) and again on the 2nd (after reset), and MS Safety Scanner on the 2nd - no infection reported by either. latest block event.txt Link to post Share on other sites More sharing options...
Solution Maurice Naggar Posted February 3, 2022 Solution ID:1500484 Share Posted February 3, 2022 This next round is a follow-up, a special one. Please first Delete the file " Fixlist.txt " now on the \Downloads\Security folder. Next, a new custom script. NOTE-1: This is a new attempt to block IP 45.155.205.39 from any Inbound We will use FRST64.exe on the \Downloads\Security folder to run a custom script. This run should be very quick. and without a restart. This custom script is for Hf82kfy7 only / for this machine only. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. Please save the (attached file named) FIXLIST.txt to the user \Downloads\Security folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the \Downloads\Security folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. You will see a green progress bar start. It should run very fast. This should not require a restart. Watch for a visual on-screen display about Completion. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. The Malwarebytes real-time protections are keeping pc safe. You should consider getting Premium Malwarebytes with enough seats on the license to cover all your devices. Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 3, 2022 Author ID:1500500 Share Posted February 3, 2022 Fixlog attached, thank you. I also did another ESET scan which came up clean. I'll continue to monitor Malwarebytes for any new blocks going forward and see if the inbound connections show any signs of stopping. Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 3, 2022 ID:1500504 Share Posted February 3, 2022 Keep in mind, that the ESET Online scanner should be redownloaded if the download is several days old. That is to say, they release new versions on some periodic basis. I belive this machine is not infected. But it looks more like, it keeps being "pinged". You should consider to trim back on how many hours this machine is powered up with Windows. When you reach point in day when you do not need to use it, do a Windows SHUTDOWN. Like from the main menu, a Shutdown that includes the power off. Which then makes your machine disappear, which might lead to the "outsiders" to abandon the attempted probes. Maybe even, shift for a while to using other devices instead. Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 4, 2022 ID:1500631 Share Posted February 4, 2022 Hello. I would recommend getting a readout report as to update status of some key apps. Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop. If Windows's SmartScreen block that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Also, be sure to make a run to Microsoft Windows Update to be sure this system is all up-to-date with security & critical updates & latest Cumulative updates. Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 4, 2022 Author ID:1500636 Share Posted February 4, 2022 Please find attached securitycheck.txt. It brings attention to an Avira 'speedup' program at the bottom of the file - it's just some extra thing that came bundled with the free AV. I've not run it nor do I have any intent to use it - aware of the risks of registry 'cleaners'. Happy to uninstall. I'll also shift to a different device for a while and keep this one powered off as much as possible. I only use it for hobbies and general browsing so this will not cause any day-to-day problems. Windows Update is saying I'm up to date, but also that feature update v.21h2 is available. Will download. SecurityCheck.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 4, 2022 ID:1500638 Share Posted February 4, 2022 On Microsoft Windows update, indeed do get the build update for the 21H2. That is a very important update. Be sure to Restart the system after that has completed. I will answer later about the SecurityCheck report. Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 13, 2022 ID:1502306 Share Posted February 13, 2022 Hello. How are you doing ? Ready to wrap-this-up ? Link to post Share on other sites More sharing options...
hf82kfy7 Posted February 15, 2022 Author ID:1502691 Share Posted February 15, 2022 Hi - sorry for the delay in replying! Happy to close the thread as I think my issue has been resolved through patience. Final update - I used a different laptop for a week or so, and came back to the one recieving the compromise notifs on the 10th, which was the last day before my MB trial expired. On the 10th I got 3 more block notifs. I bought MB Premium, got another notif on the 11th, but I haven't had anything since, despite going back to regular use. So it looks like whatever it was might have stopped now? Thanks for your assistance in the matter! Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 15, 2022 ID:1502708 Share Posted February 15, 2022 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts