Jump to content

Repeated Trojan outbound block to h.parrable.com when I visit the WAPO site


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hello :welcome: 

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail  ( the screen grabs just do not have full details + those screens give no clue as to what processes are running.
Link to post
Share on other sites

This here is only for "Jeremynpross". Any others ( who are not Jeremynpross )  should be on their own separate help threads.

@jeremynpross

There are about a half-dozen zero byte exe files on this Windows machine.
 

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
Please use this Guide

This job will run exclusively and also at the end, it will do a Windows Restart ( reboot). This custom task-run is intended to run some system checks, selected cleanups, as well as run the Windows System File Checker.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe  on the D:\Users on D\jerem\Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Jeremynpross machine  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   D:\Users on D\jerem\Downloads   folder

Fixlist.txt      <<< - - - - -

Then, Start the Windows Explorer and then, go  to the D:\Users on D\jerem\Downloads   folder.


RIGHT click on FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Be sure to let me know, How is the system at that point.

This here is only for "Jeremynpross". Any others  should be on their own separate help threads.

Edited by Maurice Naggar
Link to post
Share on other sites

Alright. We need to do more scanning. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

  • At screen "Detections occured and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

 

ALSO

Please do a manual update.

image.png.aae9bd5ccbb6e0b0a7be56b3ae4b2ab3.png

Do a Check for Update using the Malwarebytes Settings >> General tab.

Please also see  this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

 
Edited by Maurice Naggar
added Check for Updates for Malwarebytes
Link to post
Share on other sites

I ran ESET and attach the logs. It primarily found and deleted items in installers for CCleaner and Glary Utilities. However it did not delete these two installed applications, which I have used succesfully for many years.  Log attached.

I also manually updated Malwarebytes (it was already up-to-date).

ESET scan J Ross09-22-2022.txt

Link to post
Share on other sites

The Trojan pop-up from Malwarebytes still appears in Edge when  I go to the Washington Post home page and log in. It recurs when I navigate to any other link on the site. This is the original issue, unchanged by the repair attempts so far.

 

Thanks so much for your time and persistence going after this. I am sure we'll fix it sooner or later.

Link to post
Share on other sites

As far as MS Safety scanner, the only things that count are only what is posted in their log-file. period. Any on-screen display about suspects were strictly pre-liminary. At end of run, it checked with the MS Cloud definitions, and it truly only found ( & CURED )  1 minor part of MS Defender.
What does this classification mean ""VirTool:Win32/DefenderTamperingRestore and Removed!""
It means the "anti-spyware" of MS Defender was set to off. The MSERT cured that by updating anti-spyware setting status of Defender to ENABLED.
The 'anti-spyware' of MS Defender is the least important protection of the several that Windefend has.
We also see in the MSERT log report that NO actual trojan, virus, or Infection is reported. If there had been some, it would have listed each of them out specifically.
>

See about deleting ALL browser History & all Cache files / temporary files on MS Edge.
Then close / exit MS Edge
before you use it again.

https://www.lifewire.com/clear-cache-microsoft-edge-4156806

TIP: Clear EDGE cache & history on a regular basis. If you still see a Block notice, Close all apps & do a Windows RESTART.

>
 

I suggest you run this next one-time on-demand scan. 

Let's check your system with another ( different ) antivirus scan tool.

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

  • How to run a scan with Kaspersky Virus Removal Tool 2020

          https://support.kaspersky.com/15674

  • How to run Kaspersky Virus Removal Tool 2020 in the advanced mode

          https://support.kaspersky.com/15680

  • How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan

          https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
Link to post
Share on other sites

  • Root Admin

Pardon the intrusion here. Just an FYI that the h.parrable.com is a server-side attack and not a local attack in the normal sense. Having a shortcut, bookmark, cookie, javascript, etc that references any of their links can trigger this.

 


https://twitter.com/MBThreatIntel/status/1571949584943054848

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/


Twitter:

Warning: this link may be unsafe
 

http://parrable.com

 

The link you are trying to access has been identified by Twitter or our partners as being potentially spammy or unsafe, in accordance with Twitter’s URL Policy. This link could fall into any of the below categories:

malicious links that could steal personal information or harm electronic devices
spammy links that mislead people or disrupt their experience
violent or misleading content that could lead to real-world harm
certain categories of content that, if posted directly on Twitter, are a violation of the Twitter Rules


Microsoft Defender SmartScreen:

This site has been reported as unsafe
Hosted by parrable.com
Microsoft recommends you don't continue to this site. It has been reported to Microsoft for containing harmful programs that may try to steal personal or financial information.

 

Edited by AdvancedSetup
Updated information
  • Like 1
Link to post
Share on other sites

I ran Kaspersky Virus Removal Tool. It took about 10 hours and found nothing. Report attached and pasted below:

 

<Report>
    <Metadata Version="1" PCID="{C27B0CCC-1C1D-96B0-4B9E-E90DC4F4573B}" LastModification="2022.09.22 23:48:51.542" />
    <EventBlocks>
        <Block0 Type="Scan" Processed="3793886" Found="0" Neutralized="0">
            <Event0 Action="Scan" Time="133083573460136694" Object="" Info="Started" />
            <Event1 Action="Scan" Time="133083893315098443" Object="" Info="Finished" />
        </Block0>
    </EventBlocks>
</Report> 

report_2022.09.22_14.53.55.zip

Link to post
Share on other sites

Regarding the welcome comments by AdvancedSetup Root Admin, I must admit that the descriptive links you sent are over my head. I wonder, how could I be getting this warning when navigating only to https://www.washingtonpost.com/ and only with Edge but not with Chrome (and only on one of two PCs with my Edge account synced to each other)?

Bottom line, are there any steps should I take to prevent the Malwarebytes pop up announcing it has blocked h.parrable.com or should I just be glad it is, in fact, blocked and ignore it?

Link to post
Share on other sites

Hello @jeremynpross The Kaspersky scan apparently found no threats.
As to the "block" notifications, you may consider turning off the visual message. The events would still be logged in the Malwarebytes logs. Which you can view as desired later.
Start Malwarebytes.
Go to Settings.
Click the Notifcations tab.
Disable ( click to the LEFT-side) Show all notifications in Windows notification area.
Apply the change / Exit the window

Link to post
Share on other sites

  • Solution

Hello @jeremynpross Additional tip to apply for this EDGE browser. 

You had mentioned more than once that this Edge browser ) on this machine) has the SYNC option ON.
I would suggest to you to insure (1) that the Reset Sync is enabled + ( 2) go ahead and delete the Sync Data on this EDGE browser
( 3) then Exit EDGE browser
( 4) Perhaps even Restart Windows

Way way later, if needed for a good purpose, you might then re-enable the Sync option.  {proviso: note that Edge browser code is based on Google Chrome code & that the Sync feautre is well known to cause weird friction / repetition of a problem.

Here is the link but IGNORE all repair ads there and the other added froo-froo.
https://winaero.com/reset-sync-in-microsoft-edge-and-delete-sync-data/

H T H

Edited by Maurice Naggar
  • Like 1
Link to post
Share on other sites

Thanks for the reset sync tip, that finally seems to have eliminated the Trojan popup. I had cleared all data before but had not reset sync.

I will let you know if it recurs but I think I'm in the clear now.

Even though the Winaero post was out of date, the basic instruction was spot on. I just did not have to enable as an experimental feature. My Edge is Version 105.0.1343.50 (Official build) (64-bit) so Reset Sync is built-in and no longer experimental.

Kudos Maurice!

 

 

 

 

  • Like 1
Link to post
Share on other sites

  • 2 weeks later...

This system is good-to-go. This here is for tools cleanup.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log may open in Notepad titled kprm-(date).txt.  I do not need it. Just close Notepad if it shows up.

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe. 

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.