
Weird detection that solved Chrome ERR_INVALID_ADDRESS on all websites



So, in Chrome I would get ERR_INVALID_ADDRESS on everything I tried to connect to. I checked DNS, network adapters and protocols, pinging and resolving, and everything looked OK. Edge worked fine, but Chrome would block everything. So on a wild hunch I installed Malwarebytes to see if there was anything malicious on the system. Before I could even scan, it popped up with this (I logged it in TXT):

 

Quote

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/31/23
Protection Event Time: 11:41 AM
Log File: 82801406-47e2-11ee-bf23-7824af8a9c9f.json

-Software Information-
Version: 4.6.1.280
Components Version: 1.0.2117
Update Package Version: 1.0.74691
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3031)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 185.81.68.174
Port: 3389
Type: Inbound
File: C:\Windows\System32\svchost.exe

(end)

 

 

Now all of a sudden everything came alive in Chrome, I could visit any website I wanted again.

The IP above is of Russian origin, but even if they were attacking the RDP port (3389), why would that halt Chrome working? And only Chrome, no other browser.

And what does it mean -Blocked Website Details- ? How is a connection attempt to 3389 defined as anything website related?

 

Thanks.

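Added example, not part of the original post or of any Malwarebytes tooling: a small Python parser for the text export layout quoted above, which reads the direction and port from the -Website Data- section instead of relying on the section title. The sample is a constructed trim of that log; the port-to-service map and the `looks_like_web_request` heuristic are assumptions made for this example.

```python
import re

# Constructed sample: the export from the post above, trimmed to the parts used here.
SAMPLE_LOG = r"""
-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 185.81.68.174
Port: 3389
Type: Inbound
File: C:\Windows\System32\svchost.exe

(end)
"""

# Assumption for this example: ports treated as remote-access services.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}

SECTION = re.compile(r"^-([A-Za-z ]+)-$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")

def parse_export(text):
    """Return {section: {key: value}}; lines that are not 'Key: Value' are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            current = sections.setdefault(m.group(1), {})
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    return sections

def triage(sections):
    """Describe the blocked connection by direction and port, not by section title."""
    data = sections.get("Website Data", {})
    direction = data.get("Type", "").lower() or "unknown"
    port = int(data["Port"]) if data.get("Port", "").isdigit() else None
    return {
        "direction": direction,
        "remote": data.get("IP Address") or data.get("Domain") or "unknown",
        "local_service": REMOTE_ACCESS_PORTS.get(port, "other"),
        "process": data.get("File", "").rsplit("\\", 1)[-1],
        # Assumption: only outbound traffic to 80/443 is counted as a web request.
        "looks_like_web_request": direction == "outbound" and port in (80, 443),
    }
```
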

Hello @Surreteip and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.


Hello, welcome @Surreteip. My name is Maurice. I will guide you. Let me know what nickname you prefer to go by. IF you have a full 

Let's keep these principles as we go along.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Your system runs Windows 10. If there are issues with Chrome, see about just using only EDGE browser for the time being.
The Block notice you provided is about a block on an INBOUND attempt from IP Address: 185.81.68.174. That IP is flagged by Malwarebytes as "Compromised".
Study this particular post https://forums.malwarebytes.com/topic/293002-multiple-rtp-detection-over-last-few-days/?do=findComment&comment=1545741

Take actions to have Windows show all folders, plus Turn Off Windows Fast start option.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Do generate and attach the support-report as per 1PW post above.

Edited by Maurice Naggar

Additional information, I tried uninstalling Malwarebytes yet again and now Chrome works all the time again. PrivadoVPN also had problems connecting before without Malwarebytes installed. I have no idea what made things come loose... But now it all suddenly works again, no reboot or anything.

Thanks for giving the issue attention, but I don't think there's anything more to do here. If it happens again I'll try to do scans and reports in a more linear fashion for you to analyze. 


Glad to know that all is good now. That being so, we will not do any changes or such. Just see about running this inquiry report.

I would recommend getting a readout report as to status of some key apps.
Temporarily disable Microsoft SmartScreen to download the next software below 

Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe. Smartscreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.

Edited by Maurice Naggar

Here are what are highlighted by SecurityCheck.
PuTTY release 0.76 (64-bit) v.0.76.0.0  Warning! Download Update
 
Python 3.8.10 (64-bit) v.3.8.10150.0  Warning! Download Update

FileZilla Client 3.59.0 v.3.59.0  Warning! Download Update

Notepad++ (32-bit x86) v.8.3.3  Warning! Download Update

7-Zip 21.07 (x64) v.21.07  Warning! Download Update
Uninstall old version and install new one.

K-Lite Codec Pack 17.2.0 Standard v.17.2.0  Warning! Download Update

Glary Utilities 5.186 v.5.186.0.215 Advisory! Do you really need it ? It is not truly needed

Registry cleaners range from the non-effective snake-oil to the ok ones --- but they can lead to causing more harm than good.
Some can even lead to removing actually needed entries.
I rarely suggest that folks use these "tools".

Please see Ed Bott's blogpost "Why I don’t use registry cleaners"
http://www.edbott.com/weblog/2005/04/why-i-dont-use-registry-cleaners/

In the context of the notion of a registry cleaner, I would refer you to  Mark Russinovich's ( at Microsoft ) statement (from Registry Junk: A Windows Fact of Life ).   http://blogs.technet.com/b/markrussinovich/archive/2005/10/02/registry-junk-a-windows-fact-of-life.aspx

Quote

I haven't and never will implement a Registry cleaner since it's of little practical use on anything other than Win2K terminal servers and developing one that's both safe and effective requires a huge amount of application-specific knowledge.

There has not been a real need for registry cleaners ever since Win XP and later o.s. came out.
Also see http://miekiemoes.blogspot.ca/2008/02/registry-cleaners-and-system-tweaking_13.html


Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_2-15.exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)
  • Delete mb-support-1.9.n.nnn.exe if still present
  • Delete mbst-grab-results.zip on the Desktop if still present.

The system is good-to-go.

 I am marking the case for closure. 

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.


Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

For other added tips, read "10 easy ways to prevent malware infection"  

Stay safe.

Sincerely.


Thanks, I've already cleaned up.

Quote

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.

I'm not sure how automated these replies are... But there were no infections; there were connection attempts on a port exposed to the Internet, which will happen regardless of the user being used. It most likely seems to have been a DNS caching or temporary routing issue which likely solved itself after some protocol resets and flushes.

I'll avoid commenting on the other parts as I guess it's good generic advice for the average user and since this thread is coming to an end.

Thanks again for the followup.

This topic is now closed to further replies.