Jump to content

Recommended Posts

We installed the free trial of Malwarebytes because of suspicious behavior when browsing the internet. We'd be on a trusted site like Google.com but would get redirected to incorrect websites.

After installing Malwarebytes, we ran the scan twice and quarantined every PUP or risk identified. However, even after doing that, we still got alerts periodically when connected to WIFI and browsing the internet on safe sites.

The notifications (screenshots attached) say that Trojans or RiskWare are attempting to make an outbound connection to sketchy websites we have never used, including r.sassts .com and garuq .com.

We ran the scan again but it didn't identify any Trojans or viruses that may be causing this unexpected activity. How do we:

1. Determine what is causing these suspicious attempts, and

2. Remove them?

 

We ran the Malwarebytes Support Scan and have attached the zip file of those logging results. What should we do now?

Blocked4.PNG

Blocked3.PNG

Blocked2.PNG

Blocked1.PNG

mbst-grab-results.zip

Link to post
Share on other sites

Hello :welcome: 

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Close any other applications ( programs ) that may be now open or running. 

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Link to post
Share on other sites

For AFTER the completion of the Microsoft Safety Scanner tool. This here is the next procedure.

1. Press & hold  the Windows key on keyboard & then tap the R key   to open the Run box-window.
2. Type

appwiz.cpl


and tap Enter.
The Programs and Features window will appear.   Locate on the list "Adobe Flash Player 32 PPAPI".

Do a right-click on it.  Then choose Uninstall.   Let it proceed.

Exit Programs and Features, when done.

Malwarebytes is keeping the pc safe from potential threats. It appears that the Google' Chrome browser at times gets attempted links to what look like malvertising or bad links. 

The tool FRSTENGLISH.exe tool  is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt<-- - - - -

 

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will reset the Winsock file. It will also attempt to  run scans with MS Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. We will do more, later.

Link to post
Share on other sites

First, wait until after the Safety scanner has finished. and be sure to post the MSERT.log at that point.

The script uses the Windows SFC & DISM system applets to check the integrity of the system. The script attempt to run scans with Microsoft Defender antivirus as another check. The script cleans up cache for web browsers. The script will also attempt to put the IP addresses of the suspect sites into the block list of the windows firewall. It is all intended and designed to help. The blocks seemed to happen when Chrome was up. My hunch is that it is bad advertising links.

Link to post
Share on other sites

@Maurice Naggar Thank you for your response! I have completed the Microsoft Safety Scanner. After scanning 9 million files, it said no viruses detected. I was unable to find the MSERT.log file. I followed your file path but didn't see the file - see attached image.

I also ran the fixlist and have attached the fixlog. Let me know what it illustrates for you.

This evening, we received more notifications of blocked outbound connections, including one for music-editor.net, which had a file installed which Malwarebytes removed/quarantined earlier today. How do we ensure we actually remove these unwanted files instead of simply blocking the outbound connections?

debug.PNG

New Notifications.PNG

Fixlog.txt

Link to post
Share on other sites

First, do keep in mind that we will be doing a few more different scans with trusted scanners. Know that the last steps were only first "starters". Second, the run is good.
The MSERT.log file is the fourth item listed on your screen grab of File Explorer at c:\windows\debug
You need to adjust the File Explorer "VIEW" options to show all extensions ( of file-names).
On the File Explorer menu bar, pick "VIEW". Then be sure to "tick" the box "File name extensions".
Also double check to see that "Hiden files" is ticked.

I will have you do a few things on this round. We will do much more later.
(by the way rather than screen grabs, it is much more helpful to have the full actual logs from Malwarebytes.)

1, Please close all Chrome browser windows. Exit out of it. From here forward, please only use EDGE browser. My hunch is that Chrome has some sort of condition that affects or triggers the block notices. It may even be a odd "browser extension".
For example, the newest extension listed for Chrome is reported as having been added on 28th May, and is "Adobe Acrobat: PDF edit, convert, sign tools". Depending on who publishes that or where the extension came from, it may be the source of friction.
So, only using EDGE ntowser should be helpful at this time.
The Chrome browser on this system has many browser extensions. It truly has a lot. It only takes one dodgy extension to cause problems.

2. Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.

3. Do a new scan with Malwarebytes.

4. Next do a scan with ESET Onlinescanner

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.
Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post
Share on other sites

@Maurice Naggar I've attached the msert.log file, as well as logs from Malwarebytes for three of the blocked outbound connection notifications I've received. The image is to show you that we appear to be getting Captcha Wizard Top malvertising: Captcha Wizard Top Pop-ups - Virus Removal Guide (malwaretips.com)

I have taken the step to uninstall Google Chrome from the device for now, since the unwanted pop-up ads were being sent via Chrome.

I will get started on the additional scans today (steps 2-4). Thank you.

Fake Notification.PNG

msert.log Notification3.txt Notification2.txt Notification1.txt

Link to post
Share on other sites

Thank you. Be sure you finish all of my prior suggestions.
Further notes and advice.
Obvisouly this last screen grab-display that 'mentions' captchawizard(.)top is a total scam!

Upon re-reviewing your reports-collection, the Chrome browser did enable Notifications by the browser.
Specifically this is the reported setting
CHR Notifications: Profile 3 -> hxxps://captchawizard(.)top

There are good reasons to insure to NOT have notifications enabled.
See this article on the Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads" (notifications ).  That means Chrome, Firefox, or Edge browser (on Windows 10 / 11), or on Opera.

Scroll down to the tips section "How do I disable them".

Edited by Maurice Naggar
Link to post
Share on other sites

Hello. Thank you. As expected, the removal of Chrome results in the cessation of the rogue / pesky outbound attempts. More specifically, the "not having" site Notifications is what is the key element. Unless I am mistaken, the antivirus-security application on this system is Norton Security / Norton Lifelock. Could you please do a scan with it, and advise me of the result.

Link to post
Share on other sites

@Maurice NaggarThanks for all your help thus far. Norton is still installed on the computer but is no longer active, so we cannot use that scan.

At this point, it seems to me that we should simply monitor for a while and confirm the suspicious notifications do not re-appear now that Chrome was uninstalled.

If that's the case, then we seem to be in good shape. We may potentially re-install Chrome but ensure site notifications are disabled.

Does this sound appropriate to you?

Link to post
Share on other sites

@Maurice Naggar Following up. I downloaded a PDF from an email while browsing in Edge. However, the default was to open the PDF in Chromium. When that happened, I immediately got the same suspicious notifications as before (see attached).

We don't recall ever installing Chromium. It doesn't appear in Control Panel > Programs > Programs and Features. This is where we uninstalled Chrome, but Chromium doesn't appear there. It appears under: AppData > Local > chromium

C:\Users\[name]\AppData\Local\chromium\Application\chrome.exe


How do we uninstall this? When I right click, I only see options to delete, not uninstall. Is that what to do? I've scanned the chromium folder with Malwarebytes and it says no viruses detected, but we clearly see the blocked activity happening the moment Chromium is opened inadvertently.

image.thumb.png.aac62e679a76b646ef479b91eaae9a79.png

Notification5.txt Notification4.txt

Link to post
Share on other sites

Based on additional blog posts, I went ahead and deleted this Chromium folder. I had to end the task running in the background, which is a hint to me that something malicious was running in the background. It's now deleted and removed from the recycle bin. I'm pretty confident that we've solved the issue. A malicious version of Chromium was likely installed when some other rogue software was installed onto this computer previously.

Link to post
Share on other sites

Re-check to see that the program is installed or not. 

Select Start  > Settings  > Apps.

Apps can also be found on Start . The most used apps are at the top, followed by an alphabetical list.

Next, do this scan for potential malware   ( later you can do a new scan with Malwarebytes).

Now a different scan with another security scanner. 

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\Sarah\DESKTOP\KVRT.exe will now show in the run box.

user posted image

add
-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\Sarah\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.

user posted image

That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"

user posted image

A new Window will open, select "Run anyway"

user posted image

A EULA window will open, tick both confirmation boxes then select "Accept"

user posted image

In the new window select "Change Parameters"

user posted image

 
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and „Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

  • completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230613_123000.klr

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply
Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.