
Detection of an outbound compromised site by Malwarebytes



Hello, again, and sorry for coming back so soon. The other day when navigating online I got a message from Malwarebytes indicating a connection or website had been blocked. The description it had mentions that the type of event was "Compromised" and it was "Outbound" (Saliente in spanish), done by Chrome in chrome.exe if I recall correctly (apologies, I am not simply putting a screenshot because I deleted the detection by accident with a misclick).

Initially I didn't pay much attention to it, it's the first detection I've gotten in several months and simply assumed that Malwarebytes was doing its job and that coming across fishy connections was unavoidable at some point. But I was told I should be careful with it, as "outbound" means that my PC is the one trying to connect instead of someone breaking in and it may indicate undesired stuff inside the computer. Now, I made a scan with Malwarebytes (quick, full and full with Rootkits), Windows Defender, McAfee, Microsoft Security Scanner, Kaspersky and Eset and nothing was found.

To be fair, my PC doesn't have any weird behaviour or issues and I only got a single detection that never repeated and nothing else after that, unlike other people with a similar issue who get repeated detections in short periods of time or legitimate malfunctions in their computers, from what I could gather. I insisted that it may just be what I mentioned above, but was told to better be safe than sorry and came to ask for a hand.

I ran the Malwarebytes Support Tool. I'll attach the logs. Thanks in advance and apologies if this is making a storm in a teacup.

mbst-grab-results.zip
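The post above hinges on what an "Outbound" block means: the local machine initiated the connection, so the useful question is which process did so. The following PowerShell script is an added example for triaging that on Windows; it is not from this thread or from Malwarebytes. It lists current outbound TCP connections, maps each to its owning process via Get-NetTCPConnection and Get-Process, and flags processes that are not in an assumed allow-list of browsers and Windows services (the `$expected` list is an assumption; adjust it for the host).

```powershell
# Added example (not from the thread): attribute outbound TCP connections to processes.
# Requires Windows 8 / Server 2012 or later for Get-NetTCPConnection; run elevated so
# that the executable path is readable for every process.

# Processes that are normally expected to reach the internet (assumed list; extend it).
$expected = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'svchost.exe')

function Get-OutboundOwners {
    param(
        [string[]]$Expected = $expected
    )

    # Index running processes by PID once, so each connection is a cheap lookup.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        # Drop loopback and unspecified remote addresses; only real outbound peers remain.
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' } |
        ForEach-Object {
            # OwningProcess is UInt32; cast so it matches the Int32 keys from Get-Process.
            $p    = $procs[[int]$_.OwningProcess]
            $name = if ($p) { $p.ProcessName + '.exe' } else { '<exited>' }
            [pscustomobject]@{
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                State      = $_.State
                PID        = $_.OwningProcess
                Process    = $name
                Path       = if ($p) { $p.Path } else { $null }
                Unexpected = ($name -notin $Expected)   # True = worth a closer look
            }
        }
}

# Unexpected owners first, so anything that is not a browser is at the top of the table.
Get-OutboundOwners | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

A one-off block like the one described in the post shows up under chrome.exe and disappears when the tab is closed; a persistent implant shows up as a non-browser process that keeps reconnecting, including after a reboot, which is the pattern the poster's adviser was worried about and which the repeated scans in the thread did not find.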


Well, followed the instructions. I don't store passwords, payments or anything in Chrome, nor do I actually sync any accounts, so that wasn't an issue. Though I did follow the instructions to reset everything, after which I reinstalled Malwarebytes Browser Guard, McAfee Web Advisor and installed uBlock replacing Ad-Block.

Chrome isn't working strange or anything and there haven't been any issues fortunately, so worst case scenario it cleaned up things. The detection was a single instance that never really repeated. Now there was another case of the same type of detection yesterday, but this time it didn't happen by itself, I legitimately came across a site that made a fishy connection in it when looking for a comic online. I actually verified it this time, the first time I got the notification, I cleared the history in chrome, entered the site again and got the same notification.

All this makes me think that the first notification (the one I made this topic for) could have really been just an iffy connection on a website when I was browsing, rather than my PC having Malware or something, as the only other case was indeed because of that and all cases of other people having something in their PCs that causes outbound connections cause the warnings to pop up repeatedly, which hasn't happened to me fortunately, and there hasn't been any weird behaviour or malfunctions either.


  • Root Admin

Yes, it very well could be a connection issue in Chrome or any other browser for that matter. Using uBlock Origin and Malwarebytes Browser Guard though should stop the vast majority of "strange, fishy" types of scripts that kick off.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


Alrighto, here are the logs. Ran this last cleaning and everything in order it seems. Just to make sure of it (and to let the person who asked me to make this thread know over here, so they can also be at ease) the logs are fine, right? No corrupted or strange files or anything? All programs are up to date, I updated them with your help the last time I received help over here, so no issues there. The closest thing I can think of to a "strange" behaviour was when I ran Eset and the program closed by itself when changing whether I wanted to send data or not, but all I had to do was to open it again and it ran normally, so I wouldn't call it a problem or anything.

Sorry for this stubbornness, BTW, but it's only to let the others know the full picture. If everything is indeed fine, then we're good and we can close this thread. Everything is working fine at least.

EDIT: Unrelated, but... how do I remove the Kaspersky Virus Removal Tool folder from the PC? Kprm only deleted the Exe file, but a folder remains in C: which I can't just delete because it mentions being in use. It doesn't seem Kaspersky is still installed as Remove Programs doesn't list it.

mbst-grab-results.zip kprm-20230214224155.txt


  • Root Admin

Hello @Dis-ApplePear

The logs look good overall.

Please download and run the following tool to remove the Kaspersky software completely.

Removal tool for Kaspersky applications (kavremover)
https://support.kaspersky.com/common/uninstall/1464

Let me know if there are any issues after that.

Thanks


Alright, everything good in the PC overall. No worries regarding the original issue, so that is all well. Thanks, AdvancedSetup, for all the help, once again.

The only thing left is to delete the KVRT folder. The Kaspersky Removal Tool doesn't seem to work, it doesn't detect the Kaspersky Virus Removal Tool and then tells me no programs were found and gives me the option to manually look for the program I want to remove from a list, but the Virus Removal Tool doesn't appear in it. I tried deleting the files individually in the KVRT folder. Fortunately, all files could be deleted, with the sole exception of a system file called klupd_ad761127a_arkmon.sys, which constantly tells me that it's in use so I can't get rid of it.

EDIT: Looking at klupd_ad761127a_arkmon.sys' properties, it's a Kaspersky Lab Anti Rootkit Monitor Driver.

Edited by Dis-ApplePear

  • Root Admin

Okay, please get me a new set of Farbar logs and we'll look at manually removing it. @Dis-ApplePear

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you


Done, sorry for the late reply. Attaching the logs.

I actually managed to delete the file, surprisingly. To complete some Windows updates my PC restarted, so when I tried again to delete the KVRT folder with the file, this time I actually could get rid of it. My guess is that when you run the Kaspersky Virus Removal Tool the file activates and remains active, and given I hadn't restarted or turned off my PC since then, simply suspended it, it remained active, thus when the PC restarted on its own for the updates, since Kaspersky hadn't been used this time around, the file wasn't being used and could be deleted.

Still, attaching the logs just in case to see if there's anything left. If not I'd only have to use KpRm to remove the remaining tools and we'd be done, right?

Addition.txt FRST.txt
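The poster's explanation is the usual one: a kernel driver that is still loaded keeps its .sys file locked, and only a reboot (or an explicit unload) releases it. The PowerShell function below is an added example, not from this thread or from Kaspersky, that makes this visible before trying to delete anything: it queries Win32_SystemDriver for drivers whose service name matches a pattern, reports whether each is still Running, resolves the backing file path, and says whether the file still exists on disk. The default pattern `klupd*` is an assumption chosen to match the klupd_ad761127a_arkmon driver named above.

```powershell
# Added example (not from the thread): find leftover drivers by name pattern and
# show whether they are still loaded, which is why their .sys file cannot be deleted.

function Get-LeftoverDrivers {
    param(
        [string]$NamePattern = 'klupd*'   # assumed pattern; matches the thread's klupd_..._arkmon driver
    )
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like $NamePattern -or $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            # PathName may carry a kernel-style prefix; normalise it to a regular Win32 path.
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State        # 'Running' = loaded in the kernel, file is locked
                StartMode = $_.StartMode    # 'Auto'/'System' means it will load again at boot
                Path      = $path
                OnDisk    = [bool]($path -and (Test-Path -LiteralPath $path))
                CanDelete = ($_.State -ne 'Running')
            }
        }
}

Get-LeftoverDrivers | Format-Table -AutoSize
```

If a row shows State = Running, the file will report "in use" until the driver is stopped or the machine is rebooted, exactly as happened here. If StartMode is Auto or System, the driver will be loaded again on the next boot, so the service registration (not just the file) needs removing, which is what the Farbar-based manual removal the Root Admin offered would address.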


  • Root Admin

Yes, that is correct about the KpRm tool.

I only see these two from Kaspersky now which you can delete as they should not be needed now.

C:\Users\diroj\Downloads\KVRT.exe
C:\Users\diroj\Downloads\kavremvr.exe

Unless there is something else, you look to be good to go now @Dis-ApplePear


Alright, done so. Ran KPRM which made its cleanup and attached the logs as well. The only thing it didn't delete was the Kaspersky Removal Tool (the one to remove Kaspersky Programs, not the Antivirus one) and the Txt files it created when it was run, but I could simply delete those manually.

Everything is looking good now, so I'd say we're finally done. Thanks again for all the help and patience, AdvancedSetup. Granted there was never really an issue, but it was good to make sure and I kinda dragged on this quite a bit, so again, thanks big time, man.

kprm-20230217025554.txt

Edited by Dis-ApplePear

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you


This topic is now closed to further replies.