
Keep getting website blocked due to malware (outbound)



Hello @Callsign_Hayley and welcome!

 

My name is MKDB and I will assist you.

 

 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow the steps in the given order and post back the log files.
  • Please attach all log files into your post.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
  • If you do not respond within 4 days, your topic will be closed.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kind of illegal software on your system, please uninstall them now, before we start the cleaning procedure.

 

 

  • Please download the Malwarebytes Support Tool (MBST).
  • Run MBST and accept license agreement.
  • In the left navigation pane of MBST, click Advanced.
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.

 

 

Please attach the requested zip file in order to help you.

Thank you!


@NicoNico

Unfortunately there are indications pirated software is on the system. Any and all programs requiring proper activation for which you do not have a valid product key will need to be removed before we can clean the system. If you are willing to uninstall such software, please do so. If you are unable or unwilling to remove the software, I will be closing the topic:

Quote

"objectPath": "C:\\Grand Prix 4\\gp4_exe_patch.exe",
"threatName": "Malware.Heuristic.2047"

"resolvedPath": "C:\\Users\\schwe\\Desktop\\gp4tweaker_v1045_reloaded (3).rar",
"threatName": "Malware.AI.2564140197"

GPxPatch (GP4) (HKLM-x32\...\GPxPatch_GP4) (Version:  - )
Grand Prix 4 (HKLM-x32\...\{C7D27207-0F86-4B6F-859C-21800A2C592E}) (Version:  - )

 

 

Please see here:

 

I've noticed that you have already run ESET Online Scanner on your own.

I would like you to attach this logfile as well.


Hello MKDB, I do not condone or use any pirated software. The patch that you refer to is a freeware add-on/tool for a video game. Which is a bit embarrassing, because this is my work machine too that I use for video editing and graphic design. But I can assure you there is no pirated software on my machine.

If you say this is the source of the problem, I will remove it of course though! Should I do that?


@NicoNico

I would like you to remove this software. MBAM detected it as malicious. If you want to run it later again, that's up to you.

 

Furthermore, please attach the logfile from ESET Online Scanner. You have already run this tool on your own.

Thank you!


Here is the ESET logfile esettxt.txt

I remember I deleted the exe and the rar last night because it was my suspicion too, but many people have used the program without troubles for many years, so at first I didn't think about it being an issue.
For the registry key deletion, could you tell me what to search for?


The exe and the rar in question are deleted. I searched for the registry key; it's not there anymore, so I assume it vanished together with the deletion. I wonder though why I then still had outbound connections today (1 to be precise, the one I linked above).


@NicoNico

Have you uninstalled "GPxPatch" via Start > Settings > Apps?

If not, do so. If it's not installed anymore, just let me know.

 

Next, run KVRT and MBAM, please.

 

 

1️⃣

Download Kaspersky Virus Removal Tool (KVRT) and save it to your Desktop.

  • Select the Windows Key and R Key together, the Run box should open.
  • Copy and paste the following string into the line:

C:\Users\schwe\Desktop\KVRT.exe -dontencrypt

  • Select "OK" in the Run box.
  • If the "Windows protected your PC" window opens, select "More info". A new window will open; select "Run anyway".
  • An EULA window from KVRT will open, tick all confirmation boxes then select "Accept".
  • A window from KVRT will open, select "Change Parameters".
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".
  • When the scan has completed: if entries are found, there will be options to choose. If "Cure" is offered, leave it as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your system drive (usually C:), similar to this:

C:\KVRT2020_Data\Reports\report_<date>_<time>.klr

  • Right-click directly on those reports and select Open with > Notepad.
  • Save the files and attach them to your next reply.

 

 

2️⃣

 

 

 

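The FRST excerpt quoted earlier in the thread lists the leftover entry as HKLM-x32\...\GPxPatch_GP4, which is FRST's shorthand for the 32-bit (WOW6432Node) uninstall branch of the registry, the same data Start > Settings > Apps reads. As an added example that is not part of this thread, the following PowerShell snippet enumerates the uninstall keys in the 64-bit, 32-bit and per-user branches and reports any entry matching the names from that log, and then checks whether the two flagged files are gone. The name patterns and file paths are copied from the log excerpt above and are the only assumptions; adjust them for another case.

```powershell
# Added example, not from the thread: confirm that the uninstall entries and files
# flagged in the MBAM/FRST log are really gone. Names and paths are copied from the
# quoted log excerpt; replace them with your own when reusing this check.
$namePatterns = @('GPxPatch', 'Grand Prix 4')
$flaggedFiles = @(
    'C:\Grand Prix 4\gp4_exe_patch.exe',
    'C:\Users\schwe\Desktop\gp4tweaker_v1045_reloaded (3).rar'
)

# FRST prints "HKLM\..." for the native 64-bit branch and "HKLM-x32\..." for the
# WOW6432Node branch; per-user installs are registered under HKCU.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect every uninstall key whose key name or DisplayName matches a pattern.
$leftovers = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        foreach ($pattern in $namePatterns) {
            if ($key.PSChildName -like "*$pattern*" -or
                ($props.DisplayName -and $props.DisplayName -like "*$pattern*")) {
                [PSCustomObject]@{
                    Key             = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    DisplayName     = $props.DisplayName
                    InstallLocation = $props.InstallLocation
                    UninstallString = $props.UninstallString
                }
                break   # one report per key is enough
            }
        }
    }
}

if ($leftovers) {
    "Uninstall entries still present:"
    $leftovers | Format-Table -AutoSize
} else {
    "No uninstall entries matching: $($namePatterns -join ', ')"
}

# A leftover UninstallString usually points at the install folder; check the
# flagged files directly as well, since deleting the key does not delete files.
foreach ($path in $flaggedFiles) {
    $state = if (Test-Path -LiteralPath $path) { 'STILL PRESENT' } else { 'gone' }
    "{0,-14} {1}" -f $state, $path
}
```

Run it from a normal PowerShell prompt; reading these keys needs no elevation. If an entry is still listed, its UninstallString is what Settings > Apps would run, which is the cleaner route than deleting the key by hand. Note that a missing uninstall key only proves the program is no longer registered, not that every file or scheduled start-up item of it is gone, which is why the helper still asks for the KVRT and FRST logs.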

Hello MKDB, I was about to reply to you. I went through the KVRT routine exactly as you described yesterday. It was a lengthy process. I got the "cure" option and 1 detection and continued, after which a reboot followed and it continued scanning for quite a while longer with 0 detections. Alongside, I also uninstalled GPxPatch as you instructed. I have not got an outbound request anymore since Tuesday. So it appears to me as if you've helped me to solve the issue? :) If so, I'd like to express my gratitude - although I do not understand how it works that you spend time here helping people? But I am grateful you did.


Hello @NicoNico

I believe it's past midnight where @MKDB is located. He should reply to you again in the morning. In the meantime, please run the following and he can check them when he returns.

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thank you

 


22 hours ago, NicoNico said:

@MKDB what can I do for you in return? Mark your answer as solution?

Sorry for the late response... I was very busy.

My help is free. I've been happy to help people who have problems with malware for 12 years now.

 

Yes, you can mark a post as "solution" if you like, @NicoNico.

I would be happy if you can attach the logfile from KVRT as well as those from SecurityCheck and FRST, as AdvancedSetup suggested in his last post.

Thank you!


@NicoNico

Thanks for your feedback and your kind words. 😃

 

How is your system running at the moment? Are there any open problems?

Let's run SecurityCheck and a fresh FRST scan for a final check, please.

 

 

1️⃣

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file.
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and Run anyway.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", then reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file and attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

 

 

2️⃣

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

@NicoNico

I suggest running a small FRST fix to remove some orphans and check Windows system files.

 

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from (C:\Users\schwe\Desktop\).

Note: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the FIX button only once and wait.
  • Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • Please note: This Fix will remove all temporary files, empty recycle bin and will remove cookies and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
  • Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

 

 

fixlist.txt


Due to the lack of feedback, I do not follow this topic any longer.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you.
