
Possible issue as I'm getting Outbound blocked messages from uTorrent



Hello there!

I use uTorrent to exchange files with my office, as that is what they use to transfer enormous files with employees working remotely.

I don't know if I'm having an issue with my computer and I thought I was always OK, but after having spoken with a friend about the Malwarebytes messages regarding numerous Outbound connections I was getting while using uTorrent, I thought I'd do some research, and so here I am.

Doing some research on the net I landed on a thread in this forum speaking about uTorrent and issues similar to mine.

So I have followed the instructions in the "I'm infected - What do I do now?" thread, and attached here are my generated log files.

PS: I sometimes get the same Outbound messages from the C:\Program Files\UrbanVPN\bin\urbanvpnserv.exe file also, even if I'm not using the UrbanVPN app.

I get an Outbound message also when trying to connect with my TorGuard VPN (that is my main VPN app, and it happens only when trying to connect) on the files C:\Program Files (x86)\VPNetwork LLC\TorGuard\stunnel.exe and C:\Program Files (x86)\VPNetwork LLC\TorGuard\openvpn.exe (and this last file must be whitelisted in Malwarebytes so as to use TorGuard VPN, otherwise it does not connect).

Please let me know. Thank you.

Addition.txt FRST.txt Malwarebytes.txt


  • Root Admin

You're going to have conflicts with Kaspersky and Malwarebytes.

You're also blocking our program from working correctly as well as many other vendor programs. Normally that much blocking is a sign of stealing software.

127.0.0.1 keystone.mwbsys.com
127.0.0.1 telemetry.malwarebytes.com

I'd suggest uninstalling the following:

Bonjour
CCleaner

You either have some type of security software blocking access to some Scheduled Tasks or you have some bad, bogus scheduled tasks.

WOW - I am surprised Google Chrome even loads and runs. Normally once you get past about a dozen extensions it starts to slow down noticeably. You have like 70 extensions installed on different profiles.

Normally you would not have any files in the parent root folders, yet you have a few.

2019-04-30 15:20 - 2019-04-30 15:24 - 000000008 _____ () C:\Users\pirat\AppData\Roaming\pecodec.dll
2021-05-13 20:44 - 2021-05-13 21:05 - 000081183 _____ () C:\Users\pirat\AppData\Roaming\WinUsbDisplay.dmp
2019-04-06 15:14 - 2022-08-02 11:13 - 000000391 _____ () C:\Users\pirat\AppData\Local\BFR6lastusedsettings.dpt6
2020-02-25 19:43 - 2020-09-05 00:48 - 001065984 _____ () C:\Users\pirat\AppData\Local\file__0.localstorage
2020-10-06 14:40 - 2020-10-06 14:40 - 000000001 _____ () C:\Users\pirat\AppData\Local\llftool.4.40.agreement
2019-01-15 00:55 - 2021-09-12 21:16 - 000000615 _____ () C:\Users\pirat\AppData\Local\oobelibMkey.log
2022-07-26 12:53 - 2022-07-26 12:57 - 000000128 _____ () C:\Users\pirat\AppData\Local\PUTTY.RND
2020-09-08 10:52 - 2020-09-08 10:52 - 000000001 _____ () C:\Users\pirat\AppData\Local\RawCopy.1.10.agreement
2020-09-08 10:57 - 2020-09-08 10:57 - 000000022 _____ () C:\Users\pirat\AppData\Local\RawCopy.savedialog.dir
2020-09-08 10:57 - 2020-09-08 10:57 - 000000001 _____ () C:\Users\pirat\AppData\Local\RawCopy.savedialog.filterindex
2020-09-08 10:56 - 2020-09-08 10:56 - 000000001 _____ () C:\Users\pirat\AppData\Local\RawCopy.sourcedisk.index
2019-02-11 01:21 - 2020-03-14 19:23 - 000007597 _____ () C:\Users\pirat\AppData\Local\Resmon.ResmonCfg
2021-11-21 22:58 - 2021-11-21 22:58 - 000017408 _____ () C:\Users\pirat\AppData\Local\WebpageIcons.db

Overall the computer could use a good cleaning.

You can look and see if the following helps, but again, typically many customers say they have issues running Kaspersky with Malwarebytes and it takes a lot of work trying to make them work together.

Exclude detections in Malwarebytes for Windows
https://support.malwarebytes.com/hc/en-us/articles/360038479234-Exclude-detections-in-Malwarebytes-for-Windows
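The two hosts entries quoted above map Malwarebytes' licensing and telemetry hostnames to loopback, which is why the product cannot activate or update. The PowerShell below is an added example, not the forum's or Malwarebytes' own code: it audits a hosts file for exactly that pattern, any non-local hostname pointed at a loopback or blackhole address. The function name and the constructed sample file are this example's own; point -Path at the real file under C:\Windows\System32\drivers\etc to audit a live machine.

```powershell
# Report hosts-file lines that redirect real hostnames to a sinkhole address.
# Such entries are a common way to block license checks and telemetry, and
# they are not created by any normal Windows installation.
function Get-SuspiciousHostsEntries {
    param(
        # Default is the live hosts file; override for testing against a copy.
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )

    $sinkholeAddresses = @('127.0.0.1', '0.0.0.0', '::1')
    # Names that legitimately map to loopback and should not be reported.
    $localNames = @('localhost', 'localhost.localdomain', 'broadcasthost',
                    'ip6-localhost', 'ip6-loopback')

    $lineNumber = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNumber++
        # Strip trailing comments and skip blank/comment-only lines.
        $entry = ($line -split '#', 2)[0].Trim()
        if (-not $entry) { continue }

        # hosts syntax: <address> <name> [<alias> ...], whitespace separated.
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        if ($sinkholeAddresses -notcontains $address) { continue }

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($localNames -contains $name.ToLower()) { continue }
            [pscustomobject]@{
                Line     = $lineNumber
                Address  = $address
                HostName = $name
                Text     = $line
            }
        }
    }
}

# Constructed sample input (not a real machine's file) reproducing the two
# entries quoted in the thread alongside the normal localhost line.
$sample = Join-Path $env:TEMP 'hosts-sample.txt'
@'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 keystone.mwbsys.com
127.0.0.1 telemetry.malwarebytes.com
'@ | Set-Content -LiteralPath $sample

# Expected: two rows, keystone.mwbsys.com and telemetry.malwarebytes.com;
# the localhost line is not reported.
Get-SuspiciousHostsEntries -Path $sample | Format-Table -AutoSize
```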

On 1/7/2023 at 1:11 AM, AdvancedSetup said:

You're going to have conflicts with Kaspersky and Malwarebytes.

You're also blocking our program from working correctly as well as many other vendor programs. Normally that much blocking is a sign of stealing software.

127.0.0.1 keystone.mwbsys.com
127.0.0.1 telemetry.malwarebytes.com

I'd suggest uninstalling the following:

Bonjour
CCleaner

You either have some type of security software blocking access to some Scheduled Tasks or you have some bad, bogus scheduled tasks.

WOW - I am surprised Google Chrome even loads and runs. Normally once you get past about a dozen extensions it starts to slow down noticeably. You have like 70 extensions installed on different profiles.

Normally you would not have any files in the parent root folders, yet you have a few.

2019-04-30 15:20 - 2019-04-30 15:24 - 000000008 _____ () C:\Users\pirat\AppData\Roaming\pecodec.dll
2021-05-13 20:44 - 2021-05-13 21:05 - 000081183 _____ () C:\Users\pirat\AppData\Roaming\WinUsbDisplay.dmp
2019-04-06 15:14 - 2022-08-02 11:13 - 000000391 _____ () C:\Users\pirat\AppData\Local\BFR6lastusedsettings.dpt6
2020-02-25 19:43 - 2020-09-05 00:48 - 001065984 _____ () C:\Users\pirat\AppData\Local\file__0.localstorage
2020-10-06 14:40 - 2020-10-06 14:40 - 000000001 _____ () C:\Users\pirat\AppData\Local\llftool.4.40.agreement
2019-01-15 00:55 - 2021-09-12 21:16 - 000000615 _____ () C:\Users\pirat\AppData\Local\oobelibMkey.log
2022-07-26 12:53 - 2022-07-26 12:57 - 000000128 _____ () C:\Users\pirat\AppData\Local\PUTTY.RND
2020-09-08 10:52 - 2020-09-08 10:52 - 000000001 _____ () C:\Users\pirat\AppData\Local\RawCopy.1.10.agreement
2020-09-08 10:57 - 2020-09-08 10:57 - 000000022 _____ () C:\Users\pirat\AppData\Local\RawCopy.savedialog.dir
2020-09-08 10:57 - 2020-09-08 10:57 - 000000001 _____ () C:\Users\pirat\AppData\Local\RawCopy.savedialog.filterindex
2020-09-08 10:56 - 2020-09-08 10:56 - 000000001 _____ () C:\Users\pirat\AppData\Local\RawCopy.sourcedisk.index
2019-02-11 01:21 - 2020-03-14 19:23 - 000007597 _____ () C:\Users\pirat\AppData\Local\Resmon.ResmonCfg
2021-11-21 22:58 - 2021-11-21 22:58 - 000017408 _____ () C:\Users\pirat\AppData\Local\WebpageIcons.db

Overall the computer could use a good cleaning.

You can look and see if the following helps, but again, typically many customers say they have issues running Kaspersky with Malwarebytes and it takes a lot of work trying to make them work together.

Exclude detections in Malwarebytes for Windows
https://support.malwarebytes.com/hc/en-us/articles/360038479234-Exclude-detections-in-Malwarebytes-for-Windows

Well, the story is quite complicated.

The computer is mine, but I inherited it (bought it) from my office when they were upgrading them, and employees could redeem them for a very low price and bring them home to use as personal computers. As I was going to work from home, and they had quite nice hardware for the use I had to make of it, I went for that solution, plus I ended up with a computer that was already set up fine for working remotely as it had all the software required. Everything that is on here (meaning Windows and apps) was preinstalled, except for games and a few things that of course are my stuff. As now this is a personal computer, I can do whatever I want, except for the required software needed for working from home with my office.

That software is Kaspersky Total Security, Malwarebytes, CCleaner and TorGuard VPN. Don't ask me why, but I can't remove them as my office wants them always running when connected to the office.

I can't say what we do because of privacy policy, but there is nothing illegal. Just know that we use Torrent to transfer very large images (pictures) of several Gb each between different people and offices for study and research (medical).

Before this new Malwarebytes we had the two Malwarebytes products: Malwarebytes Anti-Malware Corporate and Malwarebytes Anti-Exploit Premium, both with Kaspersky Total Security. Everything was working fine (or at least I never encountered any issues or strange messages like these I'm asking about today).

If you say that Kaspersky and Malwarebytes can't work together, that is what I asked at the beginning when I started using their computers, as I have always known that two antivirus programs don't usually go together. The tech department told me that they don't care and that their presence is mandatory, that I am stuck with that software, and that everyone at the office, even those that preferred to use their personal computers, had to install them.

I remember that they told me that the two programs could be configured better to work together, but for what we needed, they were set up well enough. Reading your post, I assume that it was far from enough. I of course asked my tech department for help, and they told me to just ignore those messages as they were fine. Go figure why there are all those breaches in research facilities nowadays...

Regarding the hosts entries, I see what you mean, even if I don't know much about those entries. I have spoken with our tech responsible guy today and expressed my concerns, especially as I have to work with this computer and I have it at my home, and he is moving to fix things. Don't know what that means, but all I know is that I have to fix any eventual issues by myself, as long as I still use that mandatory software. Meaning that I have to find out how to let them work together.

Just for information, the computer I bought from them was composed of a motherboard + CPU (still in use) + shitty RAM + SSD. I then upgraded the RAM and SSD with better ones (cloning the SSD content to the new SSD) and added a GPU for some gaming (personal use).

Speaking about what you mentioned in your reply, I am reading on the net now that Bonjour is a service that works with Apple software. I have iTunes installed for backing up my work iPhone (given by my office), but as long as it is not needed for that, I am OK with removing it. Should I just remove it from the Apps or remove programs in Windows Settings? Will everything work as before? Will it reinstall automatically at the next iTunes update?

Regarding CCleaner, this is another piece of software that is mandatory, but in the end it is only used for automatically cleaning cache and sensitive content from browsers when closing them (or at least this is what I have been told and what I see that it should automatically do). I expressly asked this a while ago as I have a personal bad experience with CCleaner, as in the past it had killed an old laptop of mine after a run of its integrated registry cleaning utility.

I personally use it for checking for new hardware drivers, but I don't use it for upgrading them. I then go to each hardware manufacturer's website to download proper driver packages. I never use it for registry cleaning as I know that it can damage things.

As this is its usage, is it still necessary to uninstall?

Regarding Chrome, I have a lot of extensions, I know. But I don't use them all together. Most of them are disabled but still there, as I wanted to keep what I once needed and might need again. Do they slow down the browser even if they are deactivated? Regarding being slow, it is not slow. I have an extension to freeze unused tabs, and an extension to back up tab groups for future consultation. I always keep something like 50 tabs open and it is fine.

I have two profiles, one personal and one for work, so if you see extra profiles, they must be some tests I made that are now corpses that can be deleted. In that case, how do I identify them for deletion?

Regarding the Scheduled Tasks, I made a few, some are disabled, and some are still active, but they just run some scripts I created for popping up some messages reminding me to do some stuff before launching some apps (that will be run automatically by script instead of at Windows startup). One is for a chat app and the other one is for a sync app that syncs between disks (work stuff as backup).

I also have a script that checks for the creation of .DMP files that may occur related to my audio drivers. It is a precaution that I have as my integrated sound card has some issues with its stock drivers. On a forum I found this solution to understand if the device was working well or not, and as far as I know it works well, as every time I upgrade its driver with a faulty one, it detects the issue, popping up a message advising me about it, so that I understand that it is better to roll back the drivers. It is a trick that works.

What do you mean that there could be something interfering or broken with my tasks?

Attached here are my scripts. Just edit them to see their content. I created them copying code from some good/legit Windows forums while asking for help. If you think they are written wrong, please let me know. I don't know if they leave some threads or processes open that should not be like that.

What are those Parent root folders? Should I not have anything there? Should I simply delete all those files?

How do I properly clean this system without reinstalling Windows? Reinstalling would mean bringing my computer to my tech guys to configure it, as for a full Windows installation that is the procedure, and I really would like to avoid that. If I can clean it, it would be enormously better.

In the end you linked me to Exclude detections in Malwarebytes for Windows, but I don't want to exclude important things from being shown if they need to be taken care of. Do you refer to the messages I see? Should I whitelist uTorrent and my VPN?

Please let me understand.

Thank you.

My_Loader_Dialog_&_Checker.zip


Finally I was able to post!

I opened a ticket a few days ago with the Malwarebytes customer service and today they told me that they reported my issue to the Forums administrator, who said my block has been removed.

And yes, I also added an exclusion for this forum following the Exclude detections in Malwarebytes for Windows guide you linked me.

Now I don't know if it was my block or not having an exclusion in Malwarebytes for this forum that was preventing me from posting here.

PS: You can delete all my messages not related to the topic matter if you like, so as to have a cleaner topic.

Thank you.


  • Root Admin

Our program WILL NOT run properly with this blocked. It must be removed or you might as well uninstall our software, as it will not work correctly with it being blocked:
127.0.0.1 keystone.mwbsys.com

You can block this if you want to, but there really isn't anything personal sent:
127.0.0.1 telemetry.malwarebytes.com

Apple Bonjour is typically not needed on the vast majority of Windows computers. It is a sharing network protocol that is very noisy and in some cases so noisy it causes network issues.
Yes, if you do a full update of iTunes it will reinstall Bonjour. It's up to you. If it's not causing an issue you can leave it.

What exactly is mDNSResponder.exe? (Bonjour)
https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL. On a Mac or iOS device, this program is used for networking nearly everything. On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows. Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration; this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

If work wants you to have CCleaner, all I can say is I'm glad I never had to work for a company like that. I see zero benefit from a company perspective for using such software. Leave it alone and move on.

If Chrome is not slow and works for you, that's great. That is not my experience. My experience has been that the more extensions are installed, the slower the browser becomes, as it has to read and monitor all those extensions, used or not. Again, if the browser is working well for you then don't change anything.

The parent folders in these cases are:

C:\Users\pirat\AppData\Roaming\
C:\Users\pirat\AppData\Local\

If you were to install Windows Vista, Windows 8, Windows 10 or Windows 11, none of them will create files in those parent folders. The sub-folders are where files are normally installed.
I'm not saying they're harmful; they just don't belong there, is all.

I say that you're going to have conflicts with Kaspersky and Malwarebytes because that is a common complaint by many customers. However, there are some customers that say they don't have an issue.
Again, if you're not having an issue, consider yourself lucky and move on. There is nothing to do.

I won't copy all of them, but if you look at the FRST.TXT log file you'll see many entries that say NO FILEPATH; that is not normal. It could be Kaspersky or some other program or setting that is blocking normal reading of those entries, but it should not be that way.
The Tasks may be valid, but something blocked the Farbar program from reading them. It's also possible they are not there or are broken. You can manually check on them and see.

Task: {00ddfc9c-b553-4728-aac1-dc4cce1321bf} - no filepath
Task: {00F257BC-0044-405B-B480-5032F64E20AA} - System32\Tasks\iSCSIAgentAutoStartup => C:\Program Files (x86)\QNAP\Qfinder\iSCSIAgent.exe [1740816 2021-09-24] (QNAP Systems, Inc. -> )
Task: {00f3d22d-6039-4a11-b412-e5d07def8679} - no filepath
Task: {018f4124-c178-48e7-9206-615180ea5b70} - no filepath
Task: {01a9b1cc-3bdb-4494-9b97-9dd4bd51dc55} - no filepath
Task: {0224a3c6-60b7-4bf8-9a79-7e437779e06a} - no filepath
Task: {0282f85a-23c8-489e-ad4f-f9427facc138} - no filepath
Task: {0311235c-25a5-41ee-a67d-df0968004412} - no filepath
Task: {04a1a566-124e-4366-b0bb-90f9fc886190} - no filepath
Task: {05f5f8d5-9d47-4720-812c-33405f3c23d2} - no filepath
Task: {0600DD45-FAF2-4131-A006-0B17509B9F78} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => %windir%\system32\sc.exe start InventorySvc
Task: {062cda88-23c1-498a-be9a-73d12a8e8904} - no filepath

You say that Malwarebytes is blocking or alerting on your Torrenting. I provided this link in order to try to assist you in stopping that block alert.

Exclude detections in Malwarebytes for Windows
https://support.malwarebytes.com/hc/en-us/articles/360038479234-Exclude-detections-in-Malwarebytes-for-Windows

Thank you

 


2 hours ago, AdvancedSetup said:

Our program WILL NOT run properly with this blocked. It must be removed or you might as well uninstall our software, as it will not work correctly with it being blocked:
127.0.0.1 keystone.mwbsys.com

You can block this if you want to, but there really isn't anything personal sent:
127.0.0.1 telemetry.malwarebytes.com

Apple Bonjour is typically not needed on the vast majority of Windows computers. It is a sharing network protocol that is very noisy and in some cases so noisy it causes network issues.
Yes, if you do a full update of iTunes it will reinstall Bonjour. It's up to you. If it's not causing an issue you can leave it.

What exactly is mDNSResponder.exe? (Bonjour)
https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL. On a Mac or iOS device, this program is used for networking nearly everything. On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows. Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration; this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

If work wants you to have CCleaner, all I can say is I'm glad I never had to work for a company like that. I see zero benefit from a company perspective for using such software. Leave it alone and move on.

If Chrome is not slow and works for you, that's great. That is not my experience. My experience has been that the more extensions are installed, the slower the browser becomes, as it has to read and monitor all those extensions, used or not. Again, if the browser is working well for you then don't change anything.

The parent folders in these cases are:

C:\Users\pirat\AppData\Roaming\
C:\Users\pirat\AppData\Local\

If you were to install Windows Vista, Windows 8, Windows 10 or Windows 11, none of them will create files in those parent folders. The sub-folders are where files are normally installed.
I'm not saying they're harmful; they just don't belong there, is all.

I say that you're going to have conflicts with Kaspersky and Malwarebytes because that is a common complaint by many customers. However, there are some customers that say they don't have an issue.
Again, if you're not having an issue, consider yourself lucky and move on. There is nothing to do.

I won't copy all of them, but if you look at the FRST.TXT log file you'll see many entries that say NO FILEPATH; that is not normal. It could be Kaspersky or some other program or setting that is blocking normal reading of those entries, but it should not be that way.
The Tasks may be valid, but something blocked the Farbar program from reading them. It's also possible they are not there or are broken. You can manually check on them and see.

Task: {00ddfc9c-b553-4728-aac1-dc4cce1321bf} - no filepath
Task: {00F257BC-0044-405B-B480-5032F64E20AA} - System32\Tasks\iSCSIAgentAutoStartup => C:\Program Files (x86)\QNAP\Qfinder\iSCSIAgent.exe [1740816 2021-09-24] (QNAP Systems, Inc. -> )
Task: {00f3d22d-6039-4a11-b412-e5d07def8679} - no filepath
Task: {018f4124-c178-48e7-9206-615180ea5b70} - no filepath
Task: {01a9b1cc-3bdb-4494-9b97-9dd4bd51dc55} - no filepath
Task: {0224a3c6-60b7-4bf8-9a79-7e437779e06a} - no filepath
Task: {0282f85a-23c8-489e-ad4f-f9427facc138} - no filepath
Task: {0311235c-25a5-41ee-a67d-df0968004412} - no filepath
Task: {04a1a566-124e-4366-b0bb-90f9fc886190} - no filepath
Task: {05f5f8d5-9d47-4720-812c-33405f3c23d2} - no filepath
Task: {0600DD45-FAF2-4131-A006-0B17509B9F78} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => %windir%\system32\sc.exe start InventorySvc
Task: {062cda88-23c1-498a-be9a-73d12a8e8904} - no filepath

You say that Malwarebytes is blocking or alerting on your Torrenting. I provided this link in order to try to assist you in stopping that block alert.

Exclude detections in Malwarebytes for Windows
https://support.malwarebytes.com/hc/en-us/articles/360038479234-Exclude-detections-in-Malwarebytes-for-Windows

Thank you

First of all, thank you. Then...

- I'm fixing the part about the 'hosts' thing. I reported to our tech guys that those entries should not be there, and they are telling me that they will fix my license.

- Bonjour is out of the way.

- About CCleaner, OK. I'll ask if I can remove it or use something else for clearing my browser cache/forms/saved passwords at exit.

- Chrome is OK. Now I have approximately 70 tabs open and it's fast, and it's eating 1.3 Gb of RAM. I will uninstall unused extensions though, to lighten it up.

- About the parent folders, I have moved those stray files somewhere else. Let's see how it goes.

- I'll try to understand if using Kaspersky and Malwarebytes together will be an issue for me. In that case, I'll focus on doing something about it. For the moment I'll keep things as they are, as required by my job.

If you have some guide to point me to about trying to configure them so as to live together, it would be much appreciated.

- About all the NO FILEPATH tasks you mention, I have taken a look at the FRST.TXT and into the registry. I have found this destination in it: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache

In here I have, I think, dozens of empty folders. The folder tree is this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Maintenance]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree]

Boot, Logon, Maintenance and Plain are full of dozens of totally empty folders. Boot has less, Plain has really a lot.

Tasks is the exact copy of what you see in FRST.TXT, meaning that all that you see empty in FRST.TXT is empty also in my registry.

Then Tree has everything that I see in Windows Task Scheduler plus some extra stuff related to some software (ASUS, CCleaner, Kaspersky, Mozilla, etc.) and drivers (Intel, NVidia, Realtek, etc.).

If you think that it is safe for me to share my full TaskCache tree from my registry (exporting it as I've done for taking a closer look at it), please let me know. Maybe I can omit the Tree folder if you think it might be too personal. Just let me know.

If you know what to do with so many empty folders in there, please do. I am searching the net and I can't find anything related to understanding if it is safe to just delete them all or just leave them there. I can't even understand if it's harmful to have so many!

- At last, you reminded me about the message I see from Malwarebytes that is blocking or alerting on the uTorrent app, and that the Exclude detections in Malwarebytes for Windows guide you provided should assist me in stopping that block alert.

The fact is that me asking for help here is all about understanding if:

  1. it's NOT OK that Malwarebytes advises me about those Outbound connections with uTorrent and sometimes with TorGuard and UrbanVPN, as those Outbound connections are safe >>> meaning that I should exclude them from being intercepted by Malwarebytes following your guide
  2. OR if in my system there's something strange going on around those apps >>> meaning that it's OK that Malwarebytes advises me about those Outbound connections, as I should intervene in fixing some issues (and in that case understand the issues causing them!!)

Thanks again.

PS: I think our tech guys know what all this mess does, and I think they are even quite competent, but as they don't want to work that much, and as their income is safe no matter what because our company is half governmental, they opt for the easy mid-range working solution that still works even if it's crap. And as no one above them understands anything about computers here, and no one will even bring them into discussion as long as everything works smoothly, they are confident in using whatever crappy solution might be useful, meaning also non-properly-licensed software (which I'm working to fix with them as this is my computer!!)

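The FRST "no filepath" entries quoted by AdvancedSetup and the TaskCache layout described in this post can be cross-checked directly from the registry. The PowerShell below is an added example, not the thread's, Farbar's or Malwarebytes' code: for every Tasks\{GUID} key it reports whether a Path value exists, whether any Tree entry refers back to that GUID, and which trigger index keys (Boot, Logon, Maintenance, Plain) still reference it. Empty GUID subkeys under those four index keys are normal; the task definition lives under Tasks and the name under Tree. The script is read-only and assumes an elevated prompt; the function name is this example's own.

```powershell
# Cross-check the Task Scheduler registry cache. A healthy task has a
# Tasks\{GUID} key with a Path value, and a Tree\<Path> key whose Id value
# is that same {GUID}. Anything else is a candidate for the "no filepath"
# lines FRST prints.
function Get-TaskCacheReport {
    $cache      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
    $treePrefix = '\TaskCache\Tree'

    # Map each Tree entry's Id ({GUID}) back to its display path so we can
    # tell which Tasks\{GUID} keys are still reachable from the tree.
    $treeIds = @{}
    Get-ChildItem -LiteralPath "$cache\Tree" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $id = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Id
            if ($id) {
                # Key name is HKEY_LOCAL_MACHINE\...\TaskCache\Tree\<folder>\<task>;
                # keep only the part after \Tree, which matches the Path value format.
                $treeIds[$id] = $_.Name.Substring($_.Name.IndexOf($treePrefix) + $treePrefix.Length)
            }
        }

    foreach ($task in Get-ChildItem -LiteralPath "$cache\Tasks" -ErrorAction SilentlyContinue) {
        $guid  = $task.PSChildName
        $props = Get-ItemProperty -LiteralPath $task.PSPath -ErrorAction SilentlyContinue
        $path  = $props.Path

        # Trigger-type index keys that still reference this GUID. The subkeys
        # themselves carry no values, which is expected.
        $indexes = foreach ($idx in 'Boot', 'Logon', 'Maintenance', 'Plain') {
            if (Test-Path -LiteralPath "$cache\$idx\$guid") { $idx }
        }

        $status = 'OK'
        if (-not $path) {
            $status = 'NoPath'            # what FRST shows as "no filepath"
        }
        elseif (-not $treeIds.ContainsKey($guid)) {
            $status = 'NotInTree'         # definition exists but no name points at it
        }
        elseif ($treeIds[$guid] -ne $path) {
            $status = 'TreePathMismatch'  # Tree name and Path value disagree
        }

        [pscustomobject]@{
            Id      = $guid
            Path    = $path
            TreeRef = $treeIds[$guid]
            Indexes = ($indexes -join ',')
            Status  = $status
        }
    }
}

# Show only the entries that need a look, as the FRST excerpt in the thread did.
Get-TaskCacheReport |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Entries reported as NoPath or NotInTree are the ones that never show up in the Task Scheduler UI, which is why it cannot be used to remove them.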

  • Root Admin
13 minutes ago, PIRATAS said:

- I'll try to understand if using Kaspersky and Malwarebytes together will be an issue for me. In that case, I'll focus on doing something about it. For the moment I'll keep things as they are, as required by my job.

If you have some guide to point me to about trying to configure them so as to live together, it would be much appreciated.

The following may help if needed.

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

13 minutes ago, PIRATAS said:

- About all the NO FILEPATH tasks you mention, I have taken a look at the FRST.TXT and into the registry. I have found this destination in it: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache

In here I have, I think, dozens of empty folders. The folder tree is this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Maintenance]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree]

Boot, Logon, Maintenance and Plain are full of dozens of totally empty folders. Boot has less, Plain has really a lot.

Tasks is the exact copy of what you see in FRST.TXT, meaning that all that you see empty in FRST.TXT is empty also in my registry.

Then Tree has everything that I see in Windows Task Scheduler plus some extra stuff related to some software (ASUS, CCleaner, Kaspersky, Mozilla, etc.) and drivers (Intel, NVidia, Realtek, etc.).

If you think that it is safe for me to share my full TaskCache tree from my registry (exporting it as I've done for taking a closer look at it), please let me know. Maybe I can omit the Tree folder if you think it might be too personal. Just let me know.

If you know what to do with so many empty folders in there, please do. I am searching the net and I can't find anything related to understanding if it is safe to just delete them all or just leave them there. I can't even understand if it's harmful to have so many!

You can manually delete those Scheduled Tasks from the Scheduled Task application.


  • Root Admin
13 minutes ago, PIRATAS said:

First of all, thank you. Then...

- I'm fixing the part about the 'hosts' thing. I reported to our tech guys that those entries should not be there, and they are telling me that they will fix my license.

There is nothing to fix for the license. If your IT Dept put that entry in themselves, they know very well that it is used for stealing software. It has no other purpose. Properly purchased and licensed software will work simply by removing that entry in the hosts file.


3 hours ago, AdvancedSetup said:

The following may help if needed.

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

You can manually delete those Scheduled Tasks from the Scheduled Task application

For the first thing, thank you. I'll exclude that in Kaspersky and see how it goes.

 

About the tasks, in my Windows Tasks Scheduler I don't see any of those dozens empty tasks I see in my registry!!

All I se in WindowsWindows Tasks Scheduler are the non empty ones.

So the only way I find possible is to delete all them manually in the registry!!

But some are double as I can find same task names across some of the subfolders of TaskCache... 

What should I do??

 

3 hours ago, AdvancedSetup said:

There is nothing to fix for the license. If your IT Dept put that entry in themselves they know very well that is used for stealing software. It has no other purpose. Properly purchased and licensed software will work simply be removing that entry in the hosts file.

That is exactly what I was saying. They didn't raise much of an eyebrow when I asked about the presence of non-properly-licensed software on office computers..

I asked them to solve this issue, demanding proper licences for all the pre-installed software they left on the computer that I bought from their office, as it was supposed to be that way all along.

I could have gone upstairs mentioning this to our administration, but I preferred not to make a scene and opted for a quick end with a fully licensed computer... And maybe have some spare leverage to use with them for the future, just in case ;)

I'm now waiting for a call from them telling me that they are ready to connect remotely to my computer to fix this aspect. In the meantime they told me to do nothing as they would have handled it.

 

 

Thank you for everything for now. I'll update you when I test the exclusions in Kaspersky.

Please help me understand how to act with all those empty tasks.

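The mismatch described above (task keys visible in the registry but not in Task Scheduler) can be audited without editing anything. The script below is an added example written for this thread, not code from the forum participants or from Malwarebytes; it relies on the documented TaskCache layout, where each task key under Tree carries an Id GUID that must match a key under Tasks, and it compares that against what Get-ScheduledTask reports. The status names (EmptyKey, DanglingId, NotInScheduler, OrphanGuid) are labels chosen for this example.

```powershell
# Added example (not from the thread): read-only audit of the Task Scheduler registry cache.
# Run from an elevated PowerShell; TaskCache\Tasks is not readable by standard users.

$treeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Get-TaskCacheAudit {
    # Paths the scheduler itself reports, e.g. "\Microsoft\Windows\Defrag\ScheduledDefrag"
    $known = @{}
    Get-ScheduledTask | ForEach-Object { $known[$_.TaskPath + $_.TaskName] = $true }

    # Ids referenced from Tree, so Tasks\{GUID} keys nothing points at can be spotted afterwards
    $referenced = @{}

    Get-ChildItem -Path $treeRoot -Recurse | ForEach-Object {
        $key = $_
        # Full key name -> scheduler-style path relative to Tree, e.g. "\Folder\TaskName"
        $taskPath = $key.Name.Substring($key.Name.IndexOf('\Tree\') + 5)
        $id = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).Id

        $status =
            if (-not $id) {
                # No Id: a folder if it has children, otherwise one of the "empty" leftovers
                if ($key.SubKeyCount -eq 0) { 'EmptyKey' } else { 'Folder' }
            } elseif (-not (Test-Path -LiteralPath (Join-Path $tasksRoot $id))) {
                'DanglingId'       # Tree entry points at a Tasks\{GUID} key that no longer exists
            } elseif (-not $known.ContainsKey($taskPath)) {
                'NotInScheduler'   # registry says it exists, but Get-ScheduledTask does not list it
            } else {
                'OK'
            }
        if ($id) { $referenced[$id] = $true }

        [pscustomobject]@{ Status = $status; TaskPath = $taskPath; Id = $id; RegistryKey = $key.Name }
    }

    # The reverse direction: Tasks\{GUID} keys with no Tree entry referring to them
    Get-ChildItem -Path $tasksRoot | Where-Object { -not $referenced.ContainsKey($_.PSChildName) } |
        ForEach-Object {
            $path = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Path
            [pscustomobject]@{ Status = 'OrphanGuid'; TaskPath = $path; Id = $_.PSChildName; RegistryKey = $_.Name }
        }
}

$audit = Get-TaskCacheAudit
$audit | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$audit | Where-Object { $_.Status -notin 'OK', 'Folder' } |
    Sort-Object Status, TaskPath | Format-Table -AutoSize
```

EmptyKey entries are the "empty folders" the thread is about; DanglingId and OrphanGuid are the two halves of the cache disagreeing with each other, which is what makes a task invisible to the Task Scheduler UI. The script only reports, so it is safe to run before handing the cleanup to a tool such as FRST, and its output is a useful thing to paste into a support thread instead of an entire registry export.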

17 hours ago, AdvancedSetup said:

We can use the Farbar program to remove all of those broken Tasks and not do the other cleaning. If you want to do so, let me know.

 

Ah! Yes, I'd like to do so, if that would not harm my system. 

In case, please let me know if I have to make some sort of backup of the registry and if creating a system restore point would help.

 

 

Regarding my first request of help here, I repost my final question from one of my last posts up here:

 

Quote

 

The fact is that me asking for help here is all about understanding if:

  1. it's NOT OK that Malwarebytes advises me about those Outbound connections with uTorrent and sometimes with TorGuard and UrbanVPN, as those Outbound connections are safe  >>>  meaning that I should exclude them from being intercepted by Malwarebytes following your guide
  2. OR if in my system there's something strange going on around those apps  >>>  meaning that it's OK that Malwarebytes advises me about those Outbound connections, as I should intervene in fixing some issues (and in that case understand the issues causing them!!)

 

I still don't understand if it's OK to see all those Outbound messages while using uTorrent. Right now I am having something like 20 of them in the last minute...


9 minutes ago, PIRATAS said:

Ah! Yes, I'd like to do so, if that would not harm my system. 

In case, please let me know if I have to make some sort of backup of the registry and if creating a system restore point would help.

 

 

Regarding my first request of help here, I repost my final question from one of my last posts up here:

 

I still don't understand if it's OK to see all those Outbound messages while using uTorrent. Right now I am having something like 20 of them in the last minute...

Could you provide one of the logs from one of those blocks.


2 minutes ago, PIRATAS said:

Which exactly?

The uTorrent web blocks.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 


 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 


 

If you click on the View option you should get something similar to the following with other options available.

 


 

 

 

Thank you


27 minutes ago, Porthos said:

The uTorrent web blocks.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 


 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 


 

If you click on the View option you should get something similar to the following with other options available.

 


 

 

 

Thank you

I have extracted a few, each different from the other, from different apps and with different event details.

RTP-Logs.zip


The VPN block is due to the VPN using compromised IPs to route traffic. Most bad actors use some kind/brand of VPN to hide their activities.

You can test any IP at the following site to see why an IP is blocked: https://www.abuseipdb.com/check/185.232.21.210

As for uTorrent and uTorrent only. If you trust the connections,

As for why Malwarebytes blocked uTorrent, this is because uTorrent, and all Bittorrent software, are what are known as Peer-to-Peer (P2P) applications meaning it connects to many different servers/IP addresses (this is how files are downloaded through uTorrent) and because of this, sometimes uTorrent will connect to a server that is also known for hosting malicious content.  This is because servers/IP addresses are often shared by multiple sites, so while what you are downloading through uTorrent may be perfectly safe, some of the sites hosted on some of the IP addresses that uTorrent connects to may be malicious.  Such connections are not a threat however, and you may exclude uTorrent from the Web Protection component in Malwarebytes to stop the blocks from happening without compromising your protection (your web browser and other critical web facing programs will still be fully protected from malicious websites and other malicious content).  To do so, add uTorrent.exe to your exclusions using the method described under the Exclude an Application that Connects to the Internet section of this support article.


7 minutes ago, Porthos said:

The VPN block is due to the VPN using compromised IPs to route traffic. Most bad actors use some kind/brand of VPN to hide their activities.

You can test any IP at the following site to see why an IP is blocked: https://www.abuseipdb.com/check/185.232.21.210

As for uTorrent and uTorrent only. If you trust the connections,

As for why Malwarebytes blocked uTorrent, this is because uTorrent, and all Bittorrent software, are what are known as Peer-to-Peer (P2P) applications meaning it connects to many different servers/IP addresses (this is how files are downloaded through uTorrent) and because of this, sometimes uTorrent will connect to a server that is also known for hosting malicious content.  This is because servers/IP addresses are often shared by multiple sites, so while what you are downloading through uTorrent may be perfectly safe, some of the sites hosted on some of the IP addresses that uTorrent connects to may be malicious.  Such connections are not a threat however, and you may exclude uTorrent from the Web Protection component in Malwarebytes to stop the blocks from happening without compromising your protection (your web browser and other critical web facing programs will still be fully protected from malicious websites and other malicious content).  To do so, add uTorrent.exe to your exclusions using the method described under the Exclude an Application that Connects to the Internet section of this support article.

 

Thank you for the explanation. 

Now I have 2 doubts: 

  1. I have legal VPNs installed in my system, one is free (UrbanVPN -- very rarely used, and only when sending/receiving files with some countries in northern Europe, as they are faster than my other VPN) and the other is a paid subscription (TorGuard -- used for most worldwide connections). Those VPNs, especially TorGuard, which should be a super safe VPN, should not use compromised IPs... OR is it like it is with uTorrent, where sometimes some IPs are from a server that is also known for hosting malicious content, meaning that the VPN itself is not at fault, but the connection still uses those same servers, which should instead be replaced with some more free from malicious content??
  2. if I whitelist uTorrent in Malwarebytes, could it happen that some malware/trojan will find its way into my system? I understand that the app itself might not have any issue (like my VPN apps), and that the issues might reside in the simple act of connecting to some servers that are known for hosting malicious content...but still, as for my VPNs, what are the risks of using a uTorrent app (with no limitation set in Malwarebytes) that connects through so many compromised IPs??  

Thanks.


  • Root Admin

Save the attached file to the same folder location where you have the Farbar FRST program. This fix will not work if both files are not in the same folder.

Run the Farbar program with Admin rights. Then click on the FIX button

The computer should restart and those Scheduled Tasks should now be removed.

fixlist.txt

Post back the new FIXLOG.txt file that it will create.

 


3 minutes ago, PIRATAS said:

if I whitelist uTorrent in Malwarebytes, could it happen that some malware/trojan will find its way into my system?

If you are truly using this for business sharing, then it is not a problem excluding.

 

4 minutes ago, PIRATAS said:

I have legal VPNs installed in my system

Not saying the VPNs are not legal. Bad users use the same legal VPNs to attack others. So the IPs that the VPNs use to route traffic end up on block lists for abuse. That is why Malwarebytes is blocking them, to keep Malwarebytes users safe from the attacks. Many users of VPNs are having the same blocks and are coming here to find out why.

Now back to AdvancedSetup's instructions. After he is finished and closes this topic, if you have any more questions/issues please create another topic in the general section.


20 hours ago, AdvancedSetup said:

Save the attached file to the same folder location where you have the Farbar FRST program. This fix will not work if both files are not in the same folder.

Run the Farbar program with Admin rights. Then click on the FIX button

The computer should restart and those Scheduled Tasks should now be removed.

fixlist.txt

Post back the new FIXLOG.txt file that it will create.

 

Thank you.

But is it OK to remove all those from the registry? I mean...could other keys in the registry be dependent on them?

20 hours ago, Porthos said:

If you are truly using this for business sharing, then it is not a problem excluding.

 

Not saying the VPNs are not legal. Bad users use the same legal VPNs to attack others. So the IPs that the VPNs use to route traffic end up on block lists for abuse. That is why Malwarebytes is blocking them, to keep Malwarebytes users safe from the attacks. Many users of VPNs are having the same blocks and are coming here to find out why.

Now back to AdvancedSetup's instructions. After he is finished and closes this topic, if you have any more questions/issues please create another topic in the general section.

Ok. Let me handle last few things with AdvancedSetup about my system.

 

Regarding the uTorrent and VPN messages, I then assume that my issues are related to the fact that, while using those apps, my connection passes through servers used by those apps that have been flagged for being involved in malicious activities, as both torrenting and VPN apps are commonly used for that. Malwarebytes then works well in my system, and the only way to avoid being bothered by those messages or interrupted connections is to whitelist those apps entirely, as long as I still am fully protected from malicious websites and other malicious content.
