
Potential threat blocked?


ABGB


Hi,

I get frequent blocks by Malwarebytes as to websites from different IPs. I have exported log info as to one of the notes (of many) below. There's a new block like every quarter of an hour.

It's in Swedish, but I think you'll understand anyway because of the format the data is presented in.

Malwarebytes doesn't detect anything. I have run your AdwCleaner and ESET, which removed some threats but the blocks just keep going. I don't use Google sync.

What to do?

BR
Gunnar Bjorkdal

 

Malwarebytes
www.malwarebytes.com

-Logginformation-
Datum för skyddshändelse: 2022-09-16
Tid för skyddshändelse: 17:05
Loggfil: 05a9d562-35d1-11ed-a597-f46d04653d39.json

-Programvaruinformation-
Version: 4.5.14.210
Komponentversion: 1.0.1767
Uppdatera paketversionen: 1.0.60137
Licens: Premium

-Systeminformation-
OS: Windows 10 (Build 19044.2006)
CPU: x86
Filsystem: NTFS
Användare: System

-Information om blockerad webbplats-
Skadlig webbplats: 1
, C:\Windows\System32\svchost.exe, Blockerad, -1, -1, 0.0.0, , 

-Webbplatsdata-
Kategori: Komprometterat
Domän: 
IP-adress: 212.41.8.45
Port: 3389
Typ: Inkommande
Fil: C:\Windows\System32\svchost.exe

(end)


If all of the blocks are incoming then Malwarebytes is doing its job.

The blocks are on addresses that are attempting to do a forced attempt to exploit remote-desktop-protocol.

The Real Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

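One way to act on the suggestion above of adding the blocked IPs to the local firewall, as an added example that is not part of the original posts. It assumes exported Malwarebytes logs use the Swedish field labels shown in the first post; the sample log text, the second IP address and the rule name are constructed for illustration.

```powershell
# Constructed sample: two exported events in the field layout of the log above.
# 203.0.113.7 is a documentation address added for illustration.
$sampleLog = @'
-Webbplatsdata-
Kategori: Komprometterat
IP-adress: 212.41.8.45
Port: 3389
Typ: Inkommande
Fil: C:\Windows\System32\svchost.exe

-Webbplatsdata-
Kategori: Komprometterat
IP-adress: 203.0.113.7
Port: 3389
Typ: Inkommande
Fil: C:\Windows\System32\svchost.exe
'@

function Get-BlockedInboundRdpAddress {
    param([Parameter(Mandatory)][string]$LogText)
    # One chunk per "-Webbplatsdata-" section; read "Key: value" lines into a table.
    foreach ($section in ($LogText -split '(?m)^-Webbplatsdata-\s*$')) {
        $fields = @{}
        foreach ($line in ($section -split '\r?\n')) {
            if ($line -match '^\s*([^:]+):\s*(.*)$') {
                $fields[$Matches[1].Trim()] = $Matches[2].Trim()
            }
        }
        # Keep only inbound ("Inkommande") blocks on the RDP port with a valid IP.
        $ip = $null
        if ($fields['Typ'] -eq 'Inkommande' -and $fields['Port'] -eq '3389' -and
            [System.Net.IPAddress]::TryParse([string]$fields['IP-adress'], [ref]$ip)) {
            $ip.ToString()
        }
    }
}

$addresses = @(Get-BlockedInboundRdpAddress -LogText $sampleLog | Sort-Object -Unique)

# Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is turned off.
(Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Terminal Server').fDenyTSConnections

# Hypothetical rule name. -WhatIf only previews; drop it in an elevated session to apply.
New-NetFirewallRule -DisplayName 'Block logged RDP probe sources' -Direction Inbound `
    -Action Block -Protocol TCP -LocalPort 3389 -RemoteAddress $addresses -WhatIf
```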

  • Root Admin

Hello @ABGB

As @Porthos has said, these you've listed are INBOUND, which normally go away on their own within a few days. We can scan your computer and look for possible issues, but in general Malwarebytes Premium is doing its job blocking them.

 

If you would like to run some scans though, please let us know.

Cheers

 


  • Root Admin

I'm off for the next couple of days, but please run the following and I'll check it out once I get some free time. @ABGB

 

 

Let me have you run a different scanner to double-check.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

 

 

Then, restart the computer and get me the following logs

 

Please do the following so that we can get started and see what's going on.


The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

  1. Download the Farbar Recovery Scan Tool
    Do not click on any Ads.
     
  2. Locate the file you downloaded on your computer.
    Downloaded files are often saved to the Downloads folder.
     
  3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.

     
  4. Windows protected your PC notification may appear. This notification is from the Windows Defender SmartScreen Filter which prevents unfamiliar apps from running on your PC.
    Disable smart screen ONLY if it interferes with software we may have to use:  What is SmartScreen and how can it help protect me?

         a.  Click More info.

    https://support.malwarebytes.com/hc/article_attachments/360051190254/DOC-1318-2.png
         b.  Click Run anyway.

    https://support.malwarebytes.com/hc/article_attachments/360051190294/DOC-1318-3.png
  5. When the User Account Control window appears, click Yes.


     
  6. To accept the Disclaimer of warranty, click Yes.


     
  7. Ensure only the boxes listed below are checked


    Registry  Services  Drivers
    Processes  Internet  One month
    Addition.txt


     

  8. Disable any Antivirus software you have installed ONLY if it stops software we may use from working.
    Please remember to re-enable any Antivirus software when we are finished running scans

    Click Scan. The scan may take a few minutes to complete.

     

  9. When the scan completes, Farbar Recovery Scan Tool shows two messages:

  • Scan completed. FRST.txt is saved in the same directory FRST is located.


  • Addition.txt is saved in the same directory FRST is located.

     

  • Click OK to close each message window

 

Please attach both of those logs on your next reply, DO NOT copy/paste the contents of the logs directly

https://content.invisioncic.com/Mmalware/monthly_2018_10/_mb_attach.jpg.dbd89b8e360d3763b3bbe33ce83d680d.jpg

 

 

Thanks

 

 


  • Root Admin

It is not harmful. If anything is harmful it is Google Chrome itself. Please ignore and allow the download or use a different browser.

Without logs I won't be able to assist you. @ABGB

I'm off work until Thursday, but will try to check in on you before then.

Thanks

 


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
