
Repetitive outgoing trojan being blocked and quarantined by Malwarebytes.


PaulL


I ran your support tool to let it gather the log zip file. The mbst-grab-results.zip file is attached hereto.

I also ran a Malwarebytes manual scan which showed nothing.

My premium account is a very old one dating back more than twenty years to the days of perpetual accounts.

I look forward to hearing from you.

Paul Lepkowski

 

mbst-grab-results.zip

Edited by AdvancedSetup
Removed PII

<<pardon the intrusion>> I expect AdvancedSetup will help you.

These are some first steps just for "notices" from Malwarebytes.
The block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your PC safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.
Malwarebytes web protection and real-time protections are keeping your PC safe from potential harm.

In Malwarebytes, click the Notifications tab.

On the second line, "Show all notifications in Windows notification area", slide the action button all the way to the LEFT side (OFF).

On the 4th line, "Close non-critical notifications", pick 3 seconds.


  • Root Admin

The logs indicate you have a remote control service set to start even in Safe Mode

Is that there on purpose still?

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (ff44bc4d-9fa5-4c40-b811-f9c628ea8010) => ""="Service"

 

[ 1 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

  • CCleaner - (computer experts no longer recommend this program)

 

[ 2 ]

Please make the following change in Malwarebytes

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer


 

It is highly unlikely that you need to set up exclusions for Windows Defender; however, if you experience any issues, please see the following article and set up exclusions between Malwarebytes and Windows Defender.

 

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

Then visit the following links on how to set up exclusions in Windows Defender

How to Add or Remove Exclusions for Microsoft Defender Antivirus in Windows 10
https://www.tenforums.com/tutorials/5924-add-remove-microsoft-defender-antivirus-exclusions-windows-10-a.html

Add or Remove Exclusions for Microsoft Defender Antivirus in Windows 11
https://www.elevenforum.com/t/add-or-remove-exclusions-for-microsoft-defender-antivirus-in-windows-11.8797/

 

We are not aware of any currently known issues between Windows Defender and Malwarebytes Premium

 

[ 3 ]

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled for Firefox

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

[ 4 ]

You have multiple batch, PowerShell and cmd shell operations saved in the root of C:\Users\Public - did you create these? Just an FYI that no files should be in the root of that parent folder. It's possible that some security programs may potentially detect and remove them even if they are valid.

If you created them I would suggest you make a new folder in some other location to store them. If you did not create them then zip them up and attach here so I can review.

  • C:\x-bkDTFiles.CMD
  • C:\Users\Public\qqini.ps1
  • C:\Users\Public\qqReklamX.bat
  • C:\Users\Public\qqini.bat
  • C:\Users\Public\qqReklamX.ps1
  • C:\Users\Public\ReklamX.ps1
  • C:\Users\Public\ini.ps1
  • C:\Users\Public\ini.bat
  • C:\Users\Public\ReklamX.bat

 

[ 5 ]

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\PAJL\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Edited by AdvancedSetup
Updated information
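The two findings in the post above, a service registered to start in Safe Mode and script files sitting in the root of C:\Users\Public, can be reviewed on any Windows machine with the following read-only PowerShell audit. It is an added example, not code from this thread, from Malwarebytes or from Farbar; the function names are my own, it assumes PowerShell 4 or later, and it goes beyond the single entry named above by listing every Safe Mode service together with its executable and code-signing status, and by hashing every script in the Public root so the files can be reviewed before anything is deleted.

```powershell
# Added example, not part of the thread. Read-only audit of:
#   (1) services registered under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
#       (Minimal = Safe Mode, Network = Safe Mode with Networking), resolved to
#       their executable and Authenticode status;
#   (2) script files in the root of C:\Users\Public, with size, timestamps and SHA-256.
# Nothing is modified or deleted. Function names are my own (hypothetical).

$SafeBootRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)

# Extract the executable from a service ImagePath such as
#   "C:\Program Files (x86)\Vendor\svc.exe" "?e=Access"
#   %SystemRoot%\system32\svchost.exe -k netsvcs
function Get-ExecutableFromImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')    { return $Matches[1] }
    return $null
}

function Get-SafeBootServices {
    foreach ($root in $SafeBootRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # The (default) value is "Service" for services and "Driver" for drivers;
            # only services are of interest here.
            $kind = (Get-ItemProperty -LiteralPath $key.PSPath).'(default)'
            if ($kind -ne 'Service') { continue }

            $name   = $key.PSChildName
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            $image  = $null
            if (Test-Path -LiteralPath $svcKey) {
                $image = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
            }
            $exe    = Get-ExecutableFromImagePath -ImagePath $image
            $status = 'NoFile'
            $signer = $null
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $sig    = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Mode       = Split-Path -Path $root -Leaf
                Service    = $name
                Executable = $exe
                Signature  = $status
                Signer     = $signer
            }
        }
    }
}

function Get-PublicRootScripts {
    param([string]$Root = 'C:\Users\Public')
    $scriptExt = '.ps1', '.bat', '.cmd', '.vbs', '.js', '.wsf'
    # -Force includes hidden files; only the root is listed, not subfolders.
    Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Bytes    = $_.Length
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Report. Built-in Windows services show a Microsoft signer; a Safe Mode service
# with Signature 'NotSigned' or 'NoFile', or a signer you do not recognise,
# deserves a closer look. Script files listed in the Public root should be
# reviewed (and their hashes checked) before deciding whether to keep them.
Get-SafeBootServices  | Sort-Object Mode, Service | Format-Table -AutoSize
Get-PublicRootScripts | Format-Table -AutoSize
```

Both checks only read the registry and file system, so they are safe to run before any cleanup; the hash column also lets the files be matched later against the copies attached to a support thread without having to open them.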

 

<<pardon the intrusion>> I expect AdvancedSetup will help you.

These are some first steps just for "notices" from Malwarebytes.
The block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your PC safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.
Malwarebytes web protection and real-time protections are keeping your PC safe from potential harm.

In Malwarebytes, click the Notifications tab.

On the second line, "Show all notifications in Windows notification area", slide the action button all the way to the LEFT side (OFF).

On the 4th line, "Close non-critical notifications", pick 3 seconds.

 

>>>>> THANK YOU MAURICE. I MADE ALL THE CHANGES YOU SUGGESTED. I AM AWAITING OTHER SUGGESTIONS FROM ADVANCEDSETUP. PAUL LEPKOWSKI.

Edited by AdvancedSetup
Removed account profile detail

Hi Root Admin. I see that we have talked before back in 2014.

 
Is that there on purpose still?
 

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (ff44bc4d-9fa5-4c40-b811-f9c628ea8010) => ""="Service"

>>>> I have no idea what this link points to. Should I eliminate it somehow?

[ 1 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

CCleaner - (computer experts no longer recommend this program)

>>>> DONE!! I have been running this program on a daily basis for decades. What program should I now use to avoid collecting large numbers of junk files?

[ 2 ]

Please make the following change in Malwarebytes

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer
It is highly unlikely that you need to set up exclusions for Windows Defender; however, if you experience any issues, please see the following article and set up exclusions between Malwarebytes and Windows Defender.

>>>> DONE! I saw no interference between Malwarebytes and Windows Defender.

 

[ 3 ]

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled for Firefox

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

 

>>>> DONE! I turned off all push notifications in Firefox and Chrome. I don't use Edge or IE.

 

[ 4 ]

You have multiple batch, PowerShell and cmd shell operations saved in the root of C:\Users\Public - did you create these? Just an FYI that no files should be in the root of that parent folder. It's possible that some security programs may potentially detect and remove them even if they are valid.

If you created them I would suggest you make a new folder in some other location to store them. If you did not create them then zip them up and attach here so I can review.

  • C:\x-bkDTFiles.CMD
  • C:\Users\Public\qqini.ps1
  • C:\Users\Public\qqReklamX.bat
  • C:\Users\Public\qqini.bat
  • C:\Users\Public\qqReklamX.ps1
  • C:\Users\Public\ReklamX.ps1
  • C:\Users\Public\ini.ps1
  • C:\Users\Public\ini.bat
  • C:\Users\Public\ReklamX.bat

>>>> The x-bkDTFiles.CMD is one of my backup batch files but I usually run it from the h:\SYNC\BKM directory. It has been moved. I don't know where the rest of these files came from. They are zipped and attached hereto. Please take a look at them. I don't know what they were intended to do.

Paul Lepkowski

1.Zip 2.Zip

Edited by AdvancedSetup
Removed account profile detail

  • Root Admin

For the replacement of CCleaner - please see the following

8 Simple Ways To Clean Up Your Windows 11/10 PC
https://www.online-tech-tips.com/windows-10/8-simple-ways-to-clean-up-your-windows-11-10-pc/

If you want or need more there are other methods available

 

Please delete all of those files. They are used as a threat

  • C:\Users\Public\qqini.ps1
  • C:\Users\Public\qqReklamX.bat
  • C:\Users\Public\qqini.bat
  • C:\Users\Public\qqReklamX.ps1
  • C:\Users\Public\ReklamX.ps1
  • C:\Users\Public\ini.ps1
  • C:\Users\Public\ini.bat
  • C:\Users\Public\ReklamX.bat

 

Next, please run the FIX I posted above @PaulL

 

 


 


  • 4 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

