Detection of an outbound compromised site by Malwarebytes

Solved by AdvancedSetup

Hi there!

I have an issue with a pop-up that keeps coming up, but only if I open a site that essentially is an online store or subscription service such as Envato Marketplace which I have an account.

You can see a screenshot here. Could I please get help removing whatever is on my PC that is causing it as it is very annoying?

[Screenshot of the pop-up attached to the original post]

I have run a scan and it didn't pick anything up, I also did a scan with adwcleaner that picked up some things that I quarantined, but the pop-up is still happening.

Please help!

Thanks in advance.

Craig


@Craig83

Please do the following so that we may take a closer look at your system for any possible infections.

Please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply


Thank you


  • Root Admin

Hello @Craig83

Please do the following steps (PLEASE SEE STEP 6 which should really be done first so we can verify what's going on.)

[ 1 ]

ATTENTION: System Restore is disabled (Total:910.35 GB) (Free:109.23 GB) (12%)

Please create a NEW System Restore Point before we proceed.

Turn On or Off System Protection for Drives in Windows 11
https://www.elevenforum.com/t/turn-on-or-off-system-protection-for-drives-in-windows-11.3598/

Create System Restore Point in Windows 11
https://www.elevenforum.com/t/create-system-restore-point-in-windows-11.3602/


[ 2 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

  • Bonjour
     

What exactly is mDNSResponder.exe? (Bonjour)

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/


[ 3 ]

Your current DNS Servers:  192.168.0.1

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 4 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6

  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b


The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed


[ 4 ]

You have multiple errors from the VSS service. Let's try a fix for that.

Application errors:
==================

Error: (08/28/2023 05:32:08 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {65bac55b-fc79-414c-ab97-1ca0e6e8cbd9}


Please download and run the following Volume Shadow Copy Service (VSS) Diagnostic Tool from Acronis

Acronis VSS Doctor

Free tool for diagnosing and repairing Volume Shadow Copy Service issues. Download link on the bottom of the page.
Download - Acronis VSS Doctor

In many cases, it can correct the issues on its own. If not, then it will give details on what may be causing the issues. Please save the report in text format and post back that log on your next reply.


You can also try the tool from Macrium Reflect if the Acronis tool did not work.

Macrium Reflect Volume Shadow Copy Service (VSS) Repair Tool


[ 5 ]

Your Dell Alienware Center also faulted. Not sure why at this time. It could have just been a fluke. We'll see if the error comes back or not after some general cleaning.

Error: (08/28/2023 10:21:52 AM) (Source: Application Error) (EventID: 1000) (User: DUDEBANDIT)
Description: Faulting application name: AWCC.exe, version: 5.5.49.0, time stamp: 0x6489dd39
Faulting module name: twinapi.appcore.dll, version: 10.0.22621.2134, time stamp: 0x63a7bf48
Exception code: 0xc000027b
Fault offset: 0x00000000000c08d3
Faulting process id: 0x0x15e4
Faulting application start time: 0x0x1d9d988b0fdce71
Faulting application path: C:\Program Files\WindowsApps\DellInc.AlienwareCommandCenter_5.5.49.0_x64__htrsf667h5kn2\AWCC.exe
Faulting module path: C:\WINDOWS\SYSTEM32\twinapi.appcore.dll
Report Id: 99b02711-697a-4f84-9e44-6cb1cd1724e8
Faulting package full name: DellInc.AlienwareCommandCenter_5.5.49.0_x64__htrsf667h5kn2
Faulting package-relative application ID: App


[ 6 ]

Okay, this can potentially be significant. Let's determine for sure which drive is Drive number 3

System errors:
=============
Error: (08/28/2023 06:22:03 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk3\DR3.

Please extract the batch file from the attached zip file and run with Admin rights. Then post back the results

DiskParInfo.zip


[ 7 ]

We'll hold off on any cleaning in case the Disk error is the drive that Windows is installed on.

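Step [ 3 ] above is usually done by hand through the adapter properties, once for IPv4 and once for IPv6. As an added example (not from the thread, and not a Malwarebytes tool), here is the same change as a PowerShell script run from an elevated prompt: it records the current servers for each connected physical adapter, sets the chosen provider's IPv4 and IPv6 servers in one call, and then reads the setting back and resolves a name through the new server to confirm it works. The provider table repeats the four options listed in the post; `$Choice = 'Cloudflare'` is an assumption standing in for whichever single provider the user picks.

```powershell
# Added example (not from the thread): set ONE DNS provider for IPv4 and IPv6 on every
# connected physical adapter, then verify. Run from an elevated PowerShell prompt.
# The four providers are the ones listed in the post; pick exactly one.
$Providers = @{
    Google     = @('8.8.8.8', '8.8.4.4', '2001:4860:4860::8888', '2001:4860:4860::8844')
    Cloudflare = @('1.1.1.1', '1.0.0.1', '2606:4700:4700::1111', '2606:4700:4700::1001')
    OpenDNS    = @('208.67.222.222', '208.67.220.220', '2620:119:35::35', '2620:119:53::53')
    DNSWATCH   = @('84.200.69.80', '84.200.70.40', '2001:1608:10:25::1c04:b12f', '2001:1608:10:25::9249:d69b')
}
$Choice = 'Cloudflare'   # assumption: the single provider the user chose

# Only physical adapters that are currently up (skips virtual/VPN adapters).
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'

foreach ($a in $adapters) {
    # Record what is configured now (the router at 192.168.0.1 in the logs above),
    # so it can be restored with -ResetServerAddresses if anything breaks.
    $before = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex).ServerAddresses
    Write-Host "[$($a.Name)] DNS before: $($before -join ', ')"

    # One call covers both address families: -ServerAddresses accepts a mixed IPv4/IPv6 list,
    # so the two manual passes the post describes collapse into a single command.
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $Providers[$Choice]
}

# Drop cached answers obtained from the old resolver.
Clear-DnsClientCache

# Verify: read the setting back per address family ...
foreach ($a in $adapters) {
    Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex |
        Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize
}

# ... and resolve a name directly against the new provider's first IPv4 server.
Resolve-DnsName -Name 'www.malwarebytes.com' -Server $Providers[$Choice][0] -Type A |
    Select-Object Name, IPAddress
```

To go back to the router-supplied servers later, run `Set-DnsClientServerAddress -InterfaceIndex <ifIndex> -ResetServerAddresses` for the adapter; the "DNS before" line printed above tells you what the router handed out.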

  • Root Admin

The drive that has a controller error is your USB drive.  That should have no effect on what we're doing in the STEPS above. You can continue and run those steps.

You should however back up the data on this drive to another drive as it's possible this drive may be failing.


Disk 3 is now the selected disk.

WD My Passport 2665 USB Device
Disk ID: {3F956D1B-82B0-4386-B277-FF3323A1C90B}
Type   : USB
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : UNAVAILABLE
Current Read-only State : No
Read-only  : No
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No


I have saved the other VSS tool for you. Please download, unzip and run it with Admin rights.

Here is the VirusTotal link showing the file is safe to run

https://www.virustotal.com/gui/file/5e664c94c44b1993939be7013c0e0f3750cef64db2ef3e269ee3525ea49ed2b5?nocache=1

vssfixx64.zip


Then once that has completed go ahead and run the steps above

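The helper worked out from the Farbar log and the diskpart output that `\Device\Harddisk3` is the WD My Passport USB drive rather than the Windows disk, which is what decided whether cleanup could continue. As an added example (not from the thread), this read-only PowerShell script does the same triage directly from the event logs: it lists the VSS 8194 writer errors with the writer name and HRESULT pulled out of each message, maps every disk Event ID 11 to the disk it refers to via `Get-Disk`, and flags whether that disk is the boot/system disk. The seven-day look-back window is an assumption.

```powershell
# Added example (not from the thread): pull the VSS writer-callback errors and the disk
# controller errors straight from the Windows event logs, then map \Device\HarddiskN to a
# physical disk so it is clear whether the failing drive is the boot disk or a USB drive.
# Read-only; run from an elevated PowerShell prompt.
$since = (Get-Date).AddDays(-7)   # look-back window (assumption)

# 1. VSS writer failures: Application log, source VSS, Event ID 8194.
$vss = Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='VSS'; Id=8194; StartTime=$since } `
       -ErrorAction SilentlyContinue
"VSS 8194 events since $since : $(@($vss).Count)"
$vss | ForEach-Object {
    # The message text carries 'Writer Name: System Writer' and 'hr = 0x80070005' (see the log above).
    $writer = if ($_.Message -match 'Writer Name:\s*(.+)') { $Matches[1].Trim() } else { '(unknown)' }
    $hr     = if ($_.Message -match 'hr = (0x[0-9A-Fa-f]+)') { $Matches[1] } else { '' }
    "{0}  writer='{1}'  {2}" -f $_.TimeCreated, $writer, $hr
}

# 2. Disk controller errors: System log, source disk, Event ID 11, mapped to Get-Disk.
$diskEvents = Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='disk'; Id=11; StartTime=$since } `
              -ErrorAction SilentlyContinue
foreach ($e in $diskEvents) {
    if ($e.Message -match '\\Device\\Harddisk(\d+)\\DR\d+') {
        $n = [int]$Matches[1]                      # HarddiskN uses the same number as diskpart / Get-Disk
        $d = Get-Disk -Number $n -ErrorAction SilentlyContinue
        if ($null -eq $d) {
            "{0}  Harddisk{1}: not present right now (removable drive unplugged?)" -f $e.TimeCreated, $n
            continue
        }
        $role = if ($d.IsBoot -or $d.IsSystem) { 'BOOT/SYSTEM DISK - back up before any cleanup' } else { 'data disk' }
        "{0}  Harddisk{1} = '{2}' bus={3} health={4} -> {5}" -f $e.TimeCreated, $n, $d.FriendlyName, $d.BusType, $d.HealthStatus, $role
    }
}

# 3. Overview of every disk, the same facts the DiskParInfo batch file gathered with diskpart.
Get-Disk | Sort-Object Number |
    Format-Table Number, FriendlyName, BusType, IsBoot, IsSystem, HealthStatus, OperationalStatus -AutoSize
```

If a disk with controller errors shows `BusType USB` and `IsBoot False`, as Disk 3 did here, the Windows installation is not at risk from that error, but `HealthStatus` other than `Healthy` on any disk is the cue to copy its data off first.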

Hi,

So I ran all the steps and the pop-up is still happening.

Thanks for seeing the drive might be failing which is weird as it's a pretty new drive, but I know these things can happen.

Anyway, let's not worry about that now, I will need to get a backup drive.

For now, I really need to get rid of that pop-up I showed you. It's happening now even when I am not on Envato, not often, but it happens.

Thanks.


  • Root Admin

[ 7 ]

We'll hold off on any cleaning in case the Disk error is the drive that Windows is installed on.

Please go ahead and get me a new fresh set of Farbar logs to review and I'll check back on you again tomorrow. It's almost 1AM for me now.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you


  • Root Admin
On 8/28/2023 at 11:32 AM, AdvancedSetup said:

[ 2 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

  • Bonjour
     

What exactly is mDNSResponder.exe? (Bonjour)

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

The logs indicate that Bonjour is still installed. Please uninstall it.


Did you run the VSS tool I attached above? Where is the log from that one?

The Event Logs still indicate that VSS is having an issue.


Application errors:
==================

Error: (08/30/2023 06:31:00 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {c8755ddc-2a86-4511-9a11-efeceb55cd6e}

Error: (08/30/2023 06:29:46 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {c8755ddc-2a86-4511-9a11-efeceb55cd6e}

NOTE: You have the Farbar program running from a OneDrive folder. That folder is not accessible from Safe Mode

C:\Users\craig\OneDrive\Desktop\AntiVirus Stuff\FRST64.exe

Please make a NEW folder on the C: drive named FIX and copy the FRST64.EXE program there.

You should then have C:\FIX\FRST64.EXE


Next run the following

Start in Safe mode:

  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode, if the background is black and Safe mode is written at the four corners of the screen.


After that:

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.


Start::
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction
HKU\S-1-5-21-306594201-3425360562-2853846325-1002\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-306594201-3425360562-2853846325-1002\...\Policies\Explorer\DisallowRun: [9] mrt.exe
End::


  • Right-click on C:\FIX\FRST64 , to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
Thanks
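The fixlist above removes two kinds of tampering that are worth recognising in any Farbar log: Defender kill switches (`DisableAntiSpyware` / `DisableAntiVirus` set to 1 under the product key or the policy key, plus a stray Windows Update policy key) and an Explorer `DisallowRun` policy in the user's hive that stops `mrt.exe`, the Malicious Software Removal Tool, from launching. As an added example (not from the thread and not part of FRST), this read-only PowerShell audit reports the state of exactly those keys before and after the fix. It expands FRST's `HKU\<SID>\...\Policies\Explorer` abbreviation to `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` and checks every loaded user hive, not just the one SID named in the fixlist; the list of security-tool executable names it highlights is a constructed watch list.

```powershell
# Added example (not from the thread): read-only audit of the policy keys the FRST fix removes,
# so their state can be confirmed before and after running the fix. Nothing is modified here.
$report = [System.Collections.Generic.List[string]]::new()

# 1. Defender kill switches under the product key and the policy key (both appear in the fixlist).
$defenderKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
)
foreach ($k in $defenderKeys) {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty -Path $k
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        if ($null -eq $p.$name) { continue }
        $flagNote = if ($p.$name -eq 1) { '  <-- Defender disabled via registry' } else { '' }
        $report.Add("$k\$name = $($p.$name)$flagNote")
    }
}

# 2. Windows Update policy key (the fixlist deletes the whole key); list whatever values it holds.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $wu) {
    $vals = (Get-ItemProperty -Path $wu).PSObject.Properties |
            Where-Object Name -notlike 'PS*' |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
    $report.Add("$wu exists: " + ($vals -join ', '))
}

# 3. Explorer DisallowRun in every loaded user hive. FRST's 'HKU\<SID>\...\Policies\Explorer'
#    stands for SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
$knownTools = 'mrt.exe', 'msseces.exe', 'msmpeng.exe', 'mbam.exe', 'frst64.exe', 'kvrt.exe'   # constructed watch list
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$userHives = Get-ChildItem 'HKU:\' | Where-Object Name -match 'S-1-5-21-\d+-\d+-\d+-\d+$'
foreach ($hive in $userHives) {
    $explorer = Join-Path $hive.PSPath 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $explorer)) { continue }
    $flag = (Get-ItemProperty -Path $explorer).DisallowRun      # 1 = policy active
    $list = Join-Path $explorer 'DisallowRun'
    if (-not (Test-Path $list)) { continue }
    $entries = (Get-ItemProperty -Path $list).PSObject.Properties | Where-Object Name -notlike 'PS*'
    foreach ($e in $entries) {
        $mark = if ($knownTools -contains $e.Value.ToString().ToLower()) { '  <-- security tool blocked' } else { '' }
        $report.Add("$($hive.PSChildName) DisallowRun[$($e.Name)] = $($e.Value) (DisallowRun flag=$flag)$mark")
    }
}

# 4. Cross-check with what Defender itself reports.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) { $report.Add("Defender: AntivirusEnabled=$($mp.AntivirusEnabled) RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)") }

if ($report.Count -eq 0) { 'No Defender/Windows Update/DisallowRun restrictions found.' } else { $report }
```

Run it once before the FRST fix and once after the reboot: the `DisallowRun[9] = mrt.exe` line and the two Defender entries should be gone, and `Get-MpComputerStatus` should show `AntivirusEnabled=True`. If either restriction comes back on its own, something still running is re-applying it, which is exactly the kind of persistence the fresh Farbar logs are meant to locate.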

  • Root Admin

It probably stores it in your Temp folder.

Here is an article on troubleshooting VSS errors

KNOW-TroubleshootingMicrosoftVSSerrors-300823-1952-99134.pdf


Go ahead and restart the computer. Then run the Farbar scanner again and click on SCAN and make sure you have a check mark in the ADDITION.TXT check box

Then attach back both new logs

FRST.TXT
ADDITION.TXT


Thanks


  • Root Admin

Please run the following @Craig83

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681



Press the Windows Key and R Key together; the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt after it. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start.


When complete, if entries are found there will be options; if "Cure" is offered, leave it as is. For any other options change to "Delete", then select "Continue".


When complete, or if nothing was found select "Close"


Attach the report information as previously instructed...
Thank you

  • Root Admin

Hello @Craig83

We should check a few other things to make sure.


SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and Run anyway
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", then reply YES to allow it to run and go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

