Jump to content

Block notices -- poster positron

Positron

By Positron
in Resolved Malware Removal Logs

 Share
Go to solution Solved by Maurice Naggar,

Recommended Posts

Maurice Naggar

Maurice Naggar

Posted
Posted

@Positron

In malware-removal-help section, one poster only.  We do not do "me too" group participation. It is just the Original Poster and the authorized expert helper.

Please observe that.

OUTBOUNd means that some thing is attempting to reach a site that is flagged by Malwarebytes protection.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.

The website  Block message indicates that a potential risk was blocked by the malicious website protection.
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.
 
See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true
 
Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.
On Outbound blocks, any attempted connection was stopped.
 
No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).
 A browser is not required to be running, just an active Internet connection with processes running,
such as Instant messenger clients, or Discord app, or SKYPE or Peer-to-peer software, to trigger these alerts.

These are also triggered by banner ads running on websites which is the most common form of alert.

First action step: 

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

@Positron

After that, these are next action steps. 

[   1   ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

[   2   ]

I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail  ( the screen grabs just do not have full details + those screens give no clue as to what processes are running.
  • NOTE: This thread-topic is ONLY for "Positron".  All others needing help must have their own separate thread=topic.
  • Thanks
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

This here is only for "Positron". Any others ( who are not Positron)  should be on their own separate help threads.

@Positron

There are inbound & outbound type block notices.
I do wonder why this machine is still on Windows 7 ?
It appears that there are leftover references or traces, tasks that mention Norton A-V, Avast , Total A0V
There are present  some zero-byte EXE files ---these should not be so.
 

This job will run exclusively and also at the end, it will do a Windows Restart ( reboot). This is intended to run some system checks, selected cleanups, as well as run the Windows System File Checker.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRSTENGLISH.exe  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  POSITRON machine  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt       <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRSTEnglish.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Be sure to let me know, How is the system at that point.

This here is only for "Positron". Any others ( who are not Positron)  should be on their own separate help threads.

Link to post
Share on other sites
  • Solution
Maurice Naggar

Maurice Naggar

Posted
  • Solution
Posted

Got the report. Windows System File Checker reported 

Quote

Windows Resource Protection found corrupt files but was unable to fix some of them.

I would like you to do some  new steps to research system logs. The following is the mechanism. It should not take a lot of time. And it will not involve any reboot. This does not make changes; just only reports.

We will use FRSTENGLISH.exe  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  POSITRON machine  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

       <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRSTEnglish.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait. When all done, look for a ZIP file on your Desktop with a name like 2022-09-20 +local time (dot) ZIP

Attach that in next Reply.

Fixlist.txt

Link to post
Share on other sites
Positron

Positron

Posted
  • Author
Posted (edited)

I think I know what happened Maurice. I messed up big time. After uploading fixlog.txt,

I deleted fixlog.txt from my computer. When I re opened the FRST program again as you wanted

and attempted to run fix again, the program did not work and a message popped up.

So I re downloaded FRST again and started over.

My apology again Maurice.

pos

 

 

Edited by Positron
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

The support-tool mb-support-1.8.7.918.exe is on the Downloads folder. We just want to run it again to get fresh report.

Start it. 

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

  • Please attach  mbst-grab-results.zip    to your reply.  😉
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks. This is just a adjustment so that the protections of Windows Defender antivirus are on. 

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

[2]

The last 3 Block events were on IP addresses that are NOT the same as when you started out on this case. They are distinctly different. 

This job will run exclusively and also at the end, it will do a Windows Restart ( reboot). This is intended to run some system checks, selected cleanups, as well as run the Windows System File Checker.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRSTENGLISH.exe  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  POSITRON machine  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt    <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRSTEnglish.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

[3]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  FULL scan  

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply.

 

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

The last custom fix run succeeded ....except that it could not do the tweak (using Powershell) to place ( add rules) these IP addresses in the Block section of the Windows Firewall rules.
103.13.120.57
201.182.82.15
103.115.176.129

That is very unfortunate. This machine is running Windows 7 and simply highlights the drawback of staying on Windows 7. Had this been a Windows 10 it would have worked fine.
Now is a good time to consider upgrading ( it is free ) to Windows 10.
I can relay the how-to information.

Meanwhile, at least, for this Windows 7, you could select "Don't allow connections to this PC" to prevent remote desktop connections to your PC.
Go to Control Panel>System>Advanced System Settings
Then click the REMOTE tab

Scroll down to "Remote Desktop" section.
Be sure to click the selection ""Don't allow connections to this computer""

Click OK button ( at bottom) when all done.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

You should be able to start a "elevated" Command-prompt window on this Windows 7 machine.
Click Start Orb, and in the search box type 

cmd


Right-click cmd, and then choose "Run as Administrator".

Once there, you would copy and then paste ( one at a time ) each one of these WHOLE lines + tapping Enter-key for each individual line.

COPY all of this line and paste onto command-prompt-window

Quote

netsh advfirewall firewall add rule name="IP Blk-1" dir=in interface=any action=block remoteip=103.13.120.57

tap Enter-key on keyboard

 

COPY all of this line and paste onto command-prompt-window

Quote

netsh advfirewall firewall add rule name="IP Blk-2" dir=in interface=any action=block remoteip=201.182.82.15

tap Enter-key on keyboard

.

COPY all of this line and paste onto command-prompt-window

Quote

netsh advfirewall firewall add rule name="IP Blk-3" dir=in interface=any action=block remoteip=103.115.176.129

tap Enter-key on keyboard

Once all done, type EXIT and press Enter to close the command-prompt.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Alright. We need to do more scanning. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

  • At screen "Detections occured and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

ESET did find threats. and removed same. Now a different scan tool - - - this also is a one time on-demand run.

Let's check your system with another ( different ) antivirus scan tool.

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

  • How to run a scan with Kaspersky Virus Removal Tool 2020

          https://support.kaspersky.com/15674

  • How to run Kaspersky Virus Removal Tool 2020 in the advanced mode

          https://support.kaspersky.com/15680

  • How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan

          https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept