Website N/A Blocked - Category Trojan 443 and Malware RTP Detection


Go to solution Solved by Maurice Naggar,

I opened an attachment and now I keep getting blocked website requests every 10 seconds or so from different ports. The website continues to say N/A so it doesn't tell me where the IP address is trying to go. Attached is my last scan report.

C:\Windows\SysWOW64/explorer.exe is the File that's attempting the website.

Please help!

 

scan 9-15-22.txt

Link to post
Share on other sites
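
A read-only check for the symptom described in the post above, as an added example that is not part of the original thread: it lists any explorer.exe running from SysWOW64 (on 64-bit Windows the desktop shell normally runs from C:\Windows\explorer.exe) together with its parent process and its current remote TCP endpoints. It assumes Windows 10 or later with the built-in Get-CimInstance and Get-NetTCPConnection cmdlets; the variable names are illustrative.

```powershell
# Added example (not from the thread). Read-only: it changes nothing on the system.
# Run in an elevated PowerShell so ExecutablePath is populated for every process.
$wow64Explorer = Join-Path $env:windir 'SysWOW64\explorer.exe'
$localOnly     = '0.0.0.0', '::', '127.0.0.1', '::1'

# Every explorer.exe whose image path is the 32-bit copy under SysWOW64.
$suspects = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    Where-Object { $_.ExecutablePath -ieq $wow64Explorer }

foreach ($proc in $suspects) {
    # Record the parent for triage; it may already have exited.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # TCP connections owned by this process, ignoring listeners and loopback.
    $conns = @(Get-NetTCPConnection -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin $localOnly })

    [pscustomobject]@{
        Pid         = $proc.ProcessId
        Started     = $proc.CreationDate
        CommandLine = $proc.CommandLine
        ParentPid   = $proc.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '(exited)' }
        Remote      = ($conns | ForEach-Object {
                          "$($_.RemoteAddress):$($_.RemotePort) [$($_.State)]"
                      }) -join '; '
    }
}

if (-not $suspects) { 'No explorer.exe instance is running from SysWOW64.' }
```

The remote endpoints it prints are the addresses that the block notifications in the post show only as "N/A".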

Hello :welcome: 

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail ( the screen grabs just do not have full details + those screens give no clue as to what processes are running ).
Link to post
Share on other sites

Next basic step 

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.

Link to post
Share on other sites

Alright. This is an intermediate step. We will be doing more, even after this. Patience is required. We will be doing several different tasks over a few different procedures.

This here is aimed to do 3 different goals.

  • (1) To get Microsoft Defender real-time monitoring on.
  • (2) To get Malwarebytes updated.
  • (3) Do a new Malwarebytes scan.

Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Click On the General tab
look down to "Manual scan performance" impact
click the selection "Manual scans take less priority ( less performance impact )"

 

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢


 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We will do more after this. Cheers. 😀

Link to post
Share on other sites

Please do not play any games of any sort on this machine for duration of the case.
No use of Discord nor any other instant messenger app for duration.
You can check Email as needed.
Just do not go about free-wheeling on social media sites, or on the general web.
Try to stop using Chrome browser for duration.
Instead use the EDGE browser that is built-into Windows.

This is another interim procedure. The goal is to NOT pre-load any apps that are not necessary.
I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications.
Apply these principles now from the following How-to
How to perform a clean boot in Windows

Restart Windows one time after making those adjustments.

IF it is the case that someone installed a low-cost, or "so-called free program" crack or hacked or shared application [ like perhaps an Adobe app, or a popular game or perhaps a Microsoft product/program, or other commercial app ] that was downloaded from a dodgy or pirate site ... say from August thru recent time ... please be sure to Stop and let me know.
Any such programs we need to Uninstall.

Link to post
Share on other sites

Maurice, no I do not play any games on this computer. Someone sent me a link which downloaded a zip file and had a password on it that I provided from their email. I then deleted both the zipped file and the extracted file within 5 minutes.

I just did the clean boot and malwarebytes premium seems to have stopped blocking IP addresses now... Does this mean the threat has been eliminated?

Link to post
Share on other sites

Thank you. 😃 While that is good news, there are still some minor cleanups and other checks to be done. We will do this next procedure + likely do another independent check later. 

The custom script below is aimed to do some cleanups & housekeeping, and to run some scans with Microsoft Defender antivirus. This job will run exclusively and also at the end, it will do a Windows Restart ( reboot).

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRSTENGLISH.exe  on the C:\Users\owner\Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Fletcher32  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt        <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click the line More info on that screen
               and click the button Run anyway on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. 😉

Link to post
Share on other sites

  • Solution

Alright, a beneficial run. Amongst other things, the run of Windows System File Checker / Windows Resource Protection found corrupt files and successfully repaired them.

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
  • After all this, we will have more to do
Edited by Maurice Naggar
Link to post
Share on other sites

Hello. Thank you. ESET has found & removed an element of "Tenorshare". It classifies it as a "potentially unwanted application". If there is any "Tenorshare" installed or that you use, I would advise to uninstall it ( if now present ).
Are there any website "block notices" today ?

Do advise me, How is this system now?

F-Secure online scanner
https://www.f-secure.com/en/home/free-tools/online-scanner


Please run the F-Secure Online Scanner
Follow the Instruction here for installation.

Start / Launch F-secureOnlinescanner.exe

Accept the License Agreement ---Click on Accept and Scan

Click on YES button when prompted to start

Once the download completes, the scan will begin automatically.
It will display on-screen "Scanning and cleaning"

The scan will take some time to finish, so please be patient.
When the scan completes, IF it has reported detections, click the Automatic cleaning (recommended) button.

When all is complete, if it displays a screen "your pc is not safe"  and it has the ad-picture for their "F-Secure Safe" product, you can ignore that message.

Link to post
Share on other sites

Very good, then, Tell me, How is the original issue at this point, now? Are you ready to wrap this up ? 

I would recommend getting a readout report as to update status of some key apps.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Edited by Maurice Naggar
Link to post
Share on other sites

This system is good-to-go. This here is for tools cleanup.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log may open in Notepad titled kprm-(date).txt.  I do not need it. Just close Notepad if it shows up.

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe. 

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

This topic is now closed to further replies.