Jump to content

MalwareBytes keep blocking explorer.exe to 193.105.135.135


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hello,

I need some help please. I have an infection. 

Every minute I get an alert from Malwarebytes (trial pro version) with the details below:

Website blocked due to malware

IP Address: 193.105.135.135

Port: 443

Type: Outbound

File: C:\Windows\explorer.exe

 

Finding this extra C:\Windows\explorer.exe running in task manager and stopping it

temporarily stops the MB alerts until a reboot.

Any help to remove this would be of great help.

Thanks,

 

I have attached a report (mbst-grab-results.zip) from mb-support-1.9.2.982.exe

image.png

mbst-grab-results.zip

Link to post
Share on other sites

Hello @Starone This is to make notice to any other reader, that this case / this thread, is ONLY for the original poster, Starone.

@starone

Hello. :welcome: My name is Maurice. I will guide you.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
    1. Show-Hidden-Folders-Files-Extensions
    https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

    2. Disable-Fast-Startup
    https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

3. Next,  some housekeeping, and then one Scan.  There will be more later after all this.
Start Malwarebytes. Click Settings ( gear ) icon. Next, let us make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes

(  2   )

 

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

NOTE: IF Adwcleaner in the results shows "no items" flagged, then please click on the button marked "Run Basic Repair"

adwcleaner-basic-repair.png.b6454e1c53e6ff2c6d0b97103375d6b7.png

Attach the clean log from Adwcleaner when all completed.

Link to post
Share on other sites

PS. Note to @Starone Do NOT use Task Manager to do any changes of any sort. And leave any entry for Explorer alone.  The Block event is for a I P address.  It does not involve the Explorer component of Windows. Leave Explorer alone. I am going to guide you and it is going to take several ( many guided passes). There is not a single-shot cure.

Link to post
Share on other sites

When you get a moment, be real sure to Uninstall Microsoft Silverlight. It is insecure and way ancient, old technology.

You are URGED to remove hxxps://thepiratebay.org & www.torrenting.com & pirate-bays.net & torrentgalaxy.to from the startup link URL on Chrome browser.

Hidden risks in pirated software
https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/

Why You Shouldn't Use Pirated Software
https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

Torrenting & filesharing. Try to not do that, as a general security matter. All it takes is one malicious file to lead to tragedy & loss.
https://informationsecuritybuzz.com/articles/torrenting-know-risks-take/

Link to post
Share on other sites

  • Solution

NEXT steps

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1:  This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will attempt to run a quick scan with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRSTENGLISH,exe program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

 

Edited by Maurice Naggar
  • Thanks 1
Link to post
Share on other sites

Hello,

Thanks again for your kind assistance.

I followed your instructions.

After FRSTENGLISH had run and done its job and a reboot the issue seems to be resolved.

After the restart MB has stopped notifying of RTP detection 193.105.135.135 

The extra Windows Explorer [SYSTEM] is now not in Task Manager and idle CPU is normal.

If possible would you be able to show me how the trojan was loading on boot please.

Interesting to note that none of the following programs could detect or do a thing about this trojan.

Malwarebytes

 

Fixlog.txt

Link to post
Share on other sites

Glad to read the good news. The fact of having the IP Block itself did mean that any potential harm was Stopped. The mechanism was a scheduled task set to load an executable.

As a next step, I suggest the following:
This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post
Share on other sites

  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.