HOW TO REMOVE A MALWARE FROM A COMPUTER

[FJCZ 0]

Hi, i have a computer that is trying to connect to hxxps://www.winchatsupport.com from firefox and also from msedge (Edge). I run malwarebytes, Eset and Fortinet and none of these detect or remove that malware. I do not have any extension or add on.

I also uninstall firefox manually because i just thought that the problem was only with firefox but then i realized that the same happened when i use Edge.

I know that the computer is trying to connect to that url because Eset Endpoint is showing me logs in filtered websites and i did not open that web site right now. May be in the past i opened by mistake.

 

Is there any way i can clean the computer?

 

 

[itman 1,659]

It appears the domain only has one IP address associated with it - 166.62.102.174 35.209.108.216

Create an Eset firewall rule to block all inbound/outbound network traffic to the IP address. Set the logging to warning level. Move the rule to the top of the existing firewall rule set.

You can then view in Eset Network log all apps trying to connect to this IP address.

Edited July 17, 2022 by itman

[itman 1,659]

Upon further review, the IP address to be blocked is 35.209.108.216.

Note this address resolves to Google.

Edited July 17, 2022 by itman

[FJCZ 0]

Hi, I though that after i did:

safe mode delete temp, erase firefox, run sfc , run dism the virus were gone but today again tried to connect and now with msedge.

What can i do.

[FJCZ 0]

First able was with firefox and now that firefox is gone it is trying to use msedge too.

[itman 1,659]

Eset blocks access to this domain via its anti-Phishing blacklist:

Time;URL;Status;Detection;Application;User;IP address;Hash
7/16/2022 7:40:05 PM;http://www.winchatsupport.com;Blocked;Anti-Phishing blacklist;C:\Program Files\mozilla firefox\firefox.exe;xxxxxxx;35.209.108.216;2E0048BC0143E8586DC2D7B84C252875AB9E0E4F

One reason I wanted you to create an Eset firewall rule to block all inbound/outbound access to the above IP address is to determine which processes are connecting to it. Does Edge attempt to connect to this address without you manually opening Edge?

 

[FJCZ 0]

When he tried to connect Edge is open because i am using it. I delete Edge completely from Windows and 1 week later the same issue. Please help. I think i will have to format the computer.

Time;URL;Status;Detection;Application;User;IP address;Hash
7/30/2022 8:58:12 AM;hxxps://www.winchatsupport.com;Blocked;Anti-Phishing blacklist;C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;FIT-WKS-FRN-00\FRANCISCO;35.209.108.216;66CAAFFB188BF3AFAAD4815A6FBFE2A1A7CED721
 

[itman 1,659]

5 hours ago, FJCZ said:

When he tried to connect Edge is open because i am using it. I delete Edge completely from Windows and 1 week later the same issue. Please help. I think i will have to format the computer.

Win 10 will reinstall Edge if you delete it. So that is not an issue.

My best guess here is something was downloaded from www.winchatsupport.com previously and was installed. In Win Control Panel -> Programs check if anything exists that is related to this web site; i.e. Publisher is Winchatsupport, etc.. If something does exist, uninstall it.

[FJCZ 0]

I checked in control panel and there is nothing install for winchatsupport in programs and features. EDGE was not installed after i uninstalled. I installed again from Microsoft store since i deleted it and not browser were installed.

[Jessk2 0]

Along with MalwareBytes, I keep SuperAntiSpyware in my arsenal. It's possible that it's redundant with the other apps already mentioned. (I've never used Combofix; I'll keep it in mind for the 'next time.')