Jump to content

Recommended Posts

So I was chatting on Discord, looking for groups to play games with. One of the people sent a discord link that looked legitimate but was not. In my trusting haste, I clicked the link. I know what a discord link should do, so when it opened Firefox, I closed it immediately and purged the browser cache. Unable to quantify the danger, I got Malwarebytes to do a system scan to ensure that the attacker only saw my IP and did not get into the system. But immediately, Malwarebytes kicked into action and started blocking outbound connections labeling them malware. I went ahead and manually made firewall rules to block the IPs that were caught by Malwarebytes. So far, I have only gotten one other report of an outbound connection since the initial mistake on my part, but I want to make sure the system is clean, and my data is safe. I have scanned all my drives using Malwarebytes, HitmanPro free edition, and Microsoft Defender, but nothing malicious has been found. I scanned my bios using a Kaspersky tool as well so I'm splitting hairs trying to find anything. I doubt that some script kiddy on Discord is using such advanced techniques that they cannot be caught in this wide net I have cast, so now I'm writing this to get a sanity check on my efforts and hopefully get a couple of next steps.

 

From my limited understanding, outbound connections being detected means that something on my PC could be attempting to communicate with bad actors. Is this correct? How can I smoke out the offending program when just the raw IP is noted by Malwarebytes and no programs are being reported? The attacks started using an IP Malwarebytes themselves have an article on: https://www.malwarebytes.com/blog/detections/37-46-115-24, so I've already taken the steps mentioned in the article. RPD is disabled since I have Windows 10 home edition, and I rechecked the computer registry and can confirm it is disabled. I want to shake this bad actor off my back and not just rely on Malwarebytes blocking connections to stop him in the future

.MalwarebytesHistory.PNG.e501180fea5e12d7c3e269936c9f450d.PNG

Edited by AdvancedSetup
Corrected font issue
Link to post
Share on other sites

Hello :welcome: 

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Firstly, have much patience. There is not a single-step solution. Second, stay off social media & no web surfing while case is on-going.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only. Reports are a absolute must. Screen grabs simply do not have all details. We must see the details in the Malwarebytes logs!

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply..

  • Like 1
Link to post
Share on other sites

 I have sent the results in a direct message to you. I performed this test after closing Discord and all other application except this thread in a Chrome tab. 

I have no pirated content on the computer, nor do I attach drives with pirated content. I need this PC to work, but I will open no other programs until I'm forced to work tomorrow morning.

Thanks for the assistance.

Link to post
Share on other sites

You noted above 

Quote

 I have sent the results in a direct message to you

I did not get any such personal message. Gotta have that ZIP report in order to help you along.  ( i have to wonder just where it was you sent the file ? )

Edited by Maurice Naggar
  • Like 1
Link to post
Share on other sites

I am listing below your next actions to take.


Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

(  2  )


Next action step:
Disable ( turn OFF ) Fast Startup
https://www.windowscentral.com/how-disable-windows-10-fast-startup

Then restart the computer

(  3  )


This is a good point to emphasize not playing online games or games in general, while the case is on-going.
I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications.
Apply these principles now from the following How-to
How to perform a clean boot in Windows

(  4  )

As a next step, I suggest the following:

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

(  5 )

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.

  • Like 1
Link to post
Share on other sites

  • Solution

Thanks for the reports. 

I would note that in the opening paragraph for this case, you noted,

I have scanned all my drives using Malwarebytes, HitmanPro free edition, and Microsoft Defender, but nothing malicious has been found.


Indeed, the Malwarebytes scan of 27 May 06:32:37 hours reported no malware detected.
One has to keep in mind, that the "block" notices have prevented any potential harm.
I am somewhat curious if you do some sort of software testing or development ?
The ESET Onlinescanner found 1 threat among a folder that looks like it is for Python work.
I:\D&D\Python33\hotmail.py    Python/HackTool.BruteForce.D trojan    cleaned by deleting

Housekeeping matter & also to reduce friction, Take a moment and Uninstall the add-on program named "Bonjour". Your system does not need it, and it will avoid some load failures.
Restart Windows after doing that.

Just a few mentions about the "block events". The screen-image grab on the first post just did not have full details and matter of fact, was showing older events. As a counter example, a block event on 16th may involved "I:\SteamLibrary\steamapps\common\Rust\RustClient.exe".
Whereas, 2 more recent block events on the 26th May involved Chrome browser.
Suggest you just use EDGE browser for a while.

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program :  is FRSTENGLISH.exe is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt <-- - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will also run scans with MS Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera + Brave caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

  • Like 1
Link to post
Share on other sites

2 hours ago, Maurice Naggar said:

Suggest you just use EDGE browser for a while.

Would Firefox be an adequate substitute?

Also, I can delete "I:\SteamLibrary\steamapps\common\Rust\RustClient.exe". After this experience, I just don't want to play that game again.

 

I code a bit on my spare time, but mainly work with Unity2021. Those Python scripts were part of an old project, although im pretty sure I never created that specific file.



Before running the FRSTENGLISH app, I should note that due to using old drives from previous builds the computer's (i): drive and (g): drive also have windows installed on them I never deleted it because I always had space. I wanted to make sure those files would not interupt the process. I do not care if it clears every cache.

Again thank you for your time and effort.

Link to post
Share on other sites

The custom-script run is good. Previsously, I had you run ESET Onlinescanner, plus Adwcleaner.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

  • Like 1
Link to post
Share on other sites

Hello Maurice Naggar, Here is the log from the latest tool. As you said, it found threats, but in the end, it reported no issues. Does that mean that the computer is most likely clean at this point?

Regardless I will be deleting Chrome and using Firefox to browse once you tell me it is safe to do so. I will also be deleting Rust from my computer, it was the cause of the whole mess in the first place, so I really don't have any interest in playing it, again, I will do so when you tell me it is safe to do so.

Gratefully,

SteveR12

msert.log

Link to post
Share on other sites

Thank you. The MS Safety Scanner result is perfect. No virus. No trojan. No malware.

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Tue May 30 03:48:29 2023

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

MB4_scan_tick_ALL.jpg.d5c4071c62ed66534301fbb217b93bc0.jpg

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine2.jpg.6c45445994d4125c0b617ac7c5551e03.jpg

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉

  • Like 1
Link to post
Share on other sites

Excellent. 👍 We are nearly ready to wrap-up. Just one other report. Temporarily disable Microsoft SmartScreen to download the next software below 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then
                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.

  • Like 1
Link to post
Share on other sites

Hi. Thanks. 

GitHub Desktop v.3.2.2  Warning! Download Update 

Discord v.1.0.9003  Warning! Download Update

iTunes v.12.12.8.2  Warning! Download Update
^Please use Apple Software Update tool.^

CCleaner v.6.12  Warning!  Computer experts no longer recommend this program.
You may instead use the built-in-Windows "Disk cleanup"

cleanmgr.exe

Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop. 

  • Thanks 1
Link to post
Share on other sites

You are most welcome. I am very happy I could help. 💢

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Edited by Maurice Naggar
  • Like 1
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.