
Very frequent "Website blocked due to malware" pop-ups Windows 11



20 hours ago, strateg0s said:

My Norton 360 is a paid subscription not a trial, I am afraid I am not familiar with Norton LifeLock, could you expand a little about that. My Norton is called Norton 360 Deluxe. I am performing full computer scan just now. 

I believe that Norton LifeLock is the parent corporation of Norton software. Here is a verbatim listing of how the program is reported by Windows:

Norton 360 (HKLM-x32\...\NGC) (Version: 22.23.10.10 - NortonLifeLock Inc)


1 hour ago, Maurice Naggar said:

Tell me, are you ready to wrap this up? Were there any website Block notice events today by Malwarebytes?

I am still receiving notifications, so far those two IP addresses as mentioned earlier. Communication is being blocked by Malwarebytes, but something keeps trying to communicate to those addresses. 


First, recall that I have already had you run a fair number of scanners.

This next part is only just for one time.

First, do a Windows RESTART.

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

Please Close all open work before you actually do begin this run.

Farbar FRSTENGLISH program location: Downloads folder. The tool is already on the system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

Edited by Maurice Naggar

The run is good.

I mentioned doing a Clean Boot arrangement before. I urge you to be sure to do this Clean Boot.
Perform a Clean Boot in Windows 11 to Troubleshoot Software Conflicts
See this link

Also, by the way, when the Block notice has happened, which of your programs were you using at that moment?
Were you reading Emails using a Web Browser?

The other suggestion I have is, for at the End of the day, when you are all finished with pc, that you do a Power >> Logoff >> and Shutdown.
That way your machine is completely powered off.
 


Those popups are showing up some time after a computer restart. I started seeing them when I installed Malwarebytes; before that, Norton 360 notified me about a blocked intrusion. I have attached a screenshot of that report. This is the same IP which shows up on Malwarebytes popups. I have done a clean boot and I can still see those popups.

image.png


Norton says it BLOCKED the I.P. Norton says "no action required". At the moment of the alert, was there a Browser in use? Was there a game running when the alert showed up?

I would like to have a new, fresh FRST report for review.

Go to where FRSTENGLISH was saved, Downloads folder. RIGHT-click on FRSTENGLISH.exe and select Run as Administrator and tap ENTER. And reply YES to allow to proceed.

  • When the tool opens click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt
  • Press the Scan button.
  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed)
  • Close Notepad IF those show up on Notepad.
  • Just please Attach the 2 files FRST.txt + Addition.txt with your next reply.

Hello @strateg0s My apology for the delay in getting back to you. As to the IP address block notice, it is the same one reported by both Norton and Malwarebytes. Note that Norton in the snapshot you provided did say "No action required". One or both applications stop any connection to the IP.

The FRST you last provided did show a couple of scheduled tasks that need removal. Also, this Windows is missing the SENSE service.

First, do a Windows RESTART.

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

Please Close all open work before you actually do begin this run.

FRSTENGLISH program location: Downloads folder. The tool is already on the system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.


  • Root Admin

Overall the script ran well. Please go ahead and run the following @strateg0s

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

 


There was an issue with the frequent Malwarebytes popup warning me about blocked outbound communication. However, the Malwarebytes free premium trial has finished now, and I am using the free version, which does not offer 24/7 real-time protection. The uploaded file is an example of such prompts. But as I said, I cannot tell if this is still happening, since I am not a premium user.

Malwarebytes022024.txt


  • Root Admin

Thank you for the logs, please run the following @strateg0s

 

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\sebas\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


  • Root Admin

After running the fix above...

Please uninstall, update, or otherwise address the following as appropriate for your system.

  • AMD Software v.23.7.1 Warning! Download Update
  • Discord v.1.0.9003 Warning! Download Update
  • Microsoft 365 - en-us v.16.0.17029.20140 Warning! Download Update | How Install Office updates?
  • Microsoft Teams classic v.1.6.00.33567 Warning! Download Update
  • Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
  • Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130 v.14.38.33130.0 Warning! Download Update
  • Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
  • Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.38.33130 v.14.38.33130.0 Warning! Download Update
  • Mozilla Firefox (x64 en-GB) v.122.0 Warning! Download Update
  • Notepad++ (64-bit x64) v.8.6.1 Warning! Download Update
  • Signal 6.44.0 v.6.44.0 Warning! Download Update

 

Then RESTART the computer and check for Windows Updates and install any Security Updates found.

 


  • Root Admin

Great, that looks much better.

Please follow the directions from the following topic to now repair the broken services of Windows that the attack did.

 

Repair Install Windows 11 with an In-place Upgrade
https://www.elevenforum.com/t/repair-install-windows-11-with-an-in-place-upgrade.418/

 

 


  • Root Admin

Excellent. Please run the following again but RESTART the computer one more time first.

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

 

 
